Snap for 8953554 from 37624b5f129a3999d5f1063ea8eb3b1c26fc7d1c to mainline-tzdata4-release
Change-Id: I5238260e06f2fae86ce57a2834374676299c0cbc
diff --git a/Android.bp b/Android.bp
index 84c70c7..bb3aa0d 100644
--- a/Android.bp
+++ b/Android.bp
@@ -155,6 +155,7 @@
apex_available: [
"//apex_available:platform",
"com.android.adbd",
+ "com.android.adservices",
"com.android.art",
"com.android.art.debug",
"com.android.art.testing",
@@ -243,6 +244,7 @@
apex_available: [
"//apex_available:platform",
"com.android.adbd",
+ "com.android.adservices",
"com.android.art",
"com.android.art.debug",
"com.android.art.testing",
diff --git a/BORINGSSL_REVISION b/BORINGSSL_REVISION
index 26d2c0d..86689d4 100644
--- a/BORINGSSL_REVISION
+++ b/BORINGSSL_REVISION
@@ -1 +1 @@
-c9a7dd687987666df5910f2b35fdc8c3d1e5ed05
+1530333b25589ee4d4d52b10e78ee55dd82f6dcd
diff --git a/BUILD.generated.bzl b/BUILD.generated.bzl
index 5e19592..a1bef2e 100644
--- a/BUILD.generated.bzl
+++ b/BUILD.generated.bzl
@@ -37,17 +37,20 @@
"src/crypto/fipsmodule/cipher/aead.c",
"src/crypto/fipsmodule/cipher/cipher.c",
"src/crypto/fipsmodule/cipher/e_aes.c",
+ "src/crypto/fipsmodule/cipher/e_aesccm.c",
+ "src/crypto/fipsmodule/cmac/cmac.c",
"src/crypto/fipsmodule/dh/check.c",
"src/crypto/fipsmodule/dh/dh.c",
"src/crypto/fipsmodule/digest/digest.c",
"src/crypto/fipsmodule/digest/digests.c",
+ "src/crypto/fipsmodule/digestsign/digestsign.c",
"src/crypto/fipsmodule/ec/ec.c",
"src/crypto/fipsmodule/ec/ec_key.c",
"src/crypto/fipsmodule/ec/ec_montgomery.c",
"src/crypto/fipsmodule/ec/felem.c",
"src/crypto/fipsmodule/ec/oct.c",
"src/crypto/fipsmodule/ec/p224-64.c",
- "src/crypto/fipsmodule/ec/p256-x86_64.c",
+ "src/crypto/fipsmodule/ec/p256-nistz.c",
"src/crypto/fipsmodule/ec/p256.c",
"src/crypto/fipsmodule/ec/scalar.c",
"src/crypto/fipsmodule/ec/simple.c",
@@ -76,6 +79,7 @@
"src/crypto/fipsmodule/rsa/rsa_impl.c",
"src/crypto/fipsmodule/self_check/fips.c",
"src/crypto/fipsmodule/self_check/self_check.c",
+ "src/crypto/fipsmodule/service_indicator/service_indicator.c",
"src/crypto/fipsmodule/sha/sha1-altivec.c",
"src/crypto/fipsmodule/sha/sha1.c",
"src/crypto/fipsmodule/sha/sha256.c",
@@ -192,6 +196,7 @@
"src/include/openssl/ripemd.h",
"src/include/openssl/rsa.h",
"src/include/openssl/safestack.h",
+ "src/include/openssl/service_indicator.h",
"src/include/openssl/sha.h",
"src/include/openssl/siphash.h",
"src/include/openssl/span.h",
@@ -230,8 +235,8 @@
"src/crypto/fipsmodule/digest/internal.h",
"src/crypto/fipsmodule/digest/md32_common.h",
"src/crypto/fipsmodule/ec/internal.h",
- "src/crypto/fipsmodule/ec/p256-x86_64-table.h",
- "src/crypto/fipsmodule/ec/p256-x86_64.h",
+ "src/crypto/fipsmodule/ec/p256-nistz-table.h",
+ "src/crypto/fipsmodule/ec/p256-nistz.h",
"src/crypto/fipsmodule/ec/p256_table.h",
"src/crypto/fipsmodule/ecdsa/internal.h",
"src/crypto/fipsmodule/md5/internal.h",
@@ -240,6 +245,7 @@
"src/crypto/fipsmodule/rand/getrandom_fillin.h",
"src/crypto/fipsmodule/rand/internal.h",
"src/crypto/fipsmodule/rsa/internal.h",
+ "src/crypto/fipsmodule/service_indicator/internal.h",
"src/crypto/fipsmodule/sha/internal.h",
"src/crypto/fipsmodule/tls/internal.h",
"src/crypto/hrss/internal.h",
@@ -314,7 +320,6 @@
"src/crypto/chacha/chacha.c",
"src/crypto/cipher_extra/cipher_extra.c",
"src/crypto/cipher_extra/derive_key.c",
- "src/crypto/cipher_extra/e_aesccm.c",
"src/crypto/cipher_extra/e_aesctrhmac.c",
"src/crypto/cipher_extra/e_aesgcmsiv.c",
"src/crypto/cipher_extra/e_chacha20poly1305.c",
@@ -324,7 +329,6 @@
"src/crypto/cipher_extra/e_rc4.c",
"src/crypto/cipher_extra/e_tls.c",
"src/crypto/cipher_extra/tls_cbc.c",
- "src/crypto/cmac/cmac.c",
"src/crypto/conf/conf.c",
"src/crypto/cpu_aarch64_apple.c",
"src/crypto/cpu_aarch64_fuchsia.c",
@@ -350,7 +354,6 @@
"src/crypto/ecdsa_extra/ecdsa_asn1.c",
"src/crypto/engine/engine.c",
"src/crypto/err/err.c",
- "src/crypto/evp/digestsign.c",
"src/crypto/evp/evp.c",
"src/crypto/evp/evp_asn1.c",
"src/crypto/evp/evp_ctx.c",
@@ -522,10 +525,13 @@
crypto_sources_apple_aarch64 = [
"apple-aarch64/crypto/chacha/chacha-armv8.S",
+ "apple-aarch64/crypto/cipher_extra/chacha20_poly1305_armv8.S",
"apple-aarch64/crypto/fipsmodule/aesv8-armx64.S",
"apple-aarch64/crypto/fipsmodule/armv8-mont.S",
"apple-aarch64/crypto/fipsmodule/ghash-neon-armv8.S",
"apple-aarch64/crypto/fipsmodule/ghashv8-armx64.S",
+ "apple-aarch64/crypto/fipsmodule/p256-armv8-asm.S",
+ "apple-aarch64/crypto/fipsmodule/p256_beeu-armv8-asm.S",
"apple-aarch64/crypto/fipsmodule/sha1-armv8.S",
"apple-aarch64/crypto/fipsmodule/sha256-armv8.S",
"apple-aarch64/crypto/fipsmodule/sha512-armv8.S",
@@ -587,10 +593,13 @@
crypto_sources_linux_aarch64 = [
"linux-aarch64/crypto/chacha/chacha-armv8.S",
+ "linux-aarch64/crypto/cipher_extra/chacha20_poly1305_armv8.S",
"linux-aarch64/crypto/fipsmodule/aesv8-armx64.S",
"linux-aarch64/crypto/fipsmodule/armv8-mont.S",
"linux-aarch64/crypto/fipsmodule/ghash-neon-armv8.S",
"linux-aarch64/crypto/fipsmodule/ghashv8-armx64.S",
+ "linux-aarch64/crypto/fipsmodule/p256-armv8-asm.S",
+ "linux-aarch64/crypto/fipsmodule/p256_beeu-armv8-asm.S",
"linux-aarch64/crypto/fipsmodule/sha1-armv8.S",
"linux-aarch64/crypto/fipsmodule/sha256-armv8.S",
"linux-aarch64/crypto/fipsmodule/sha512-armv8.S",
@@ -661,10 +670,13 @@
crypto_sources_win_aarch64 = [
"win-aarch64/crypto/chacha/chacha-armv8.S",
+ "win-aarch64/crypto/cipher_extra/chacha20_poly1305_armv8.S",
"win-aarch64/crypto/fipsmodule/aesv8-armx64.S",
"win-aarch64/crypto/fipsmodule/armv8-mont.S",
"win-aarch64/crypto/fipsmodule/ghash-neon-armv8.S",
"win-aarch64/crypto/fipsmodule/ghashv8-armx64.S",
+ "win-aarch64/crypto/fipsmodule/p256-armv8-asm.S",
+ "win-aarch64/crypto/fipsmodule/p256_beeu-armv8-asm.S",
"win-aarch64/crypto/fipsmodule/sha1-armv8.S",
"win-aarch64/crypto/fipsmodule/sha256-armv8.S",
"win-aarch64/crypto/fipsmodule/sha512-armv8.S",
diff --git a/BUILD.generated_tests.bzl b/BUILD.generated_tests.bzl
index 51a5ea4..89f730b 100644
--- a/BUILD.generated_tests.bzl
+++ b/BUILD.generated_tests.bzl
@@ -26,8 +26,8 @@
"src/crypto/fipsmodule/digest/internal.h",
"src/crypto/fipsmodule/digest/md32_common.h",
"src/crypto/fipsmodule/ec/internal.h",
- "src/crypto/fipsmodule/ec/p256-x86_64-table.h",
- "src/crypto/fipsmodule/ec/p256-x86_64.h",
+ "src/crypto/fipsmodule/ec/p256-nistz-table.h",
+ "src/crypto/fipsmodule/ec/p256-nistz.h",
"src/crypto/fipsmodule/ec/p256_table.h",
"src/crypto/fipsmodule/ecdsa/internal.h",
"src/crypto/fipsmodule/md5/internal.h",
@@ -36,6 +36,7 @@
"src/crypto/fipsmodule/rand/getrandom_fillin.h",
"src/crypto/fipsmodule/rand/internal.h",
"src/crypto/fipsmodule/rsa/internal.h",
+ "src/crypto/fipsmodule/service_indicator/internal.h",
"src/crypto/fipsmodule/sha/internal.h",
"src/crypto/fipsmodule/tls/internal.h",
"src/crypto/hrss/internal.h",
@@ -86,7 +87,6 @@
"src/crypto/chacha/chacha_test.cc",
"src/crypto/cipher_extra/aead_test.cc",
"src/crypto/cipher_extra/cipher_test.cc",
- "src/crypto/cmac/cmac_test.cc",
"src/crypto/compiler_test.cc",
"src/crypto/conf/conf_test.cc",
"src/crypto/constant_time_test.cc",
@@ -106,13 +106,15 @@
"src/crypto/evp/scrypt_test.cc",
"src/crypto/fipsmodule/aes/aes_test.cc",
"src/crypto/fipsmodule/bn/bn_test.cc",
+ "src/crypto/fipsmodule/cmac/cmac_test.cc",
"src/crypto/fipsmodule/ec/ec_test.cc",
- "src/crypto/fipsmodule/ec/p256-x86_64_test.cc",
+ "src/crypto/fipsmodule/ec/p256-nistz_test.cc",
"src/crypto/fipsmodule/ecdsa/ecdsa_test.cc",
"src/crypto/fipsmodule/md5/md5_test.cc",
"src/crypto/fipsmodule/modes/gcm_test.cc",
"src/crypto/fipsmodule/rand/ctrdrbg_test.cc",
"src/crypto/fipsmodule/rand/fork_detect_test.cc",
+ "src/crypto/fipsmodule/service_indicator/service_indicator_test.cc",
"src/crypto/fipsmodule/sha/sha_test.cc",
"src/crypto/hkdf/hkdf_test.cc",
"src/crypto/hmac_extra/hmac_test.cc",
@@ -183,10 +185,6 @@
"src/crypto/cipher_extra/test/nist_cavp/tdes_cbc.txt",
"src/crypto/cipher_extra/test/nist_cavp/tdes_ecb.txt",
"src/crypto/cipher_extra/test/xchacha20_poly1305_tests.txt",
- "src/crypto/cmac/cavp_3des_cmac_tests.txt",
- "src/crypto/cmac/cavp_aes128_cmac_tests.txt",
- "src/crypto/cmac/cavp_aes192_cmac_tests.txt",
- "src/crypto/cmac/cavp_aes256_cmac_tests.txt",
"src/crypto/curve25519/ed25519_tests.txt",
"src/crypto/ecdh_extra/ecdh_tests.txt",
"src/crypto/evp/evp_tests.txt",
@@ -194,8 +192,12 @@
"src/crypto/fipsmodule/aes/aes_tests.txt",
"src/crypto/fipsmodule/bn/bn_tests.txt",
"src/crypto/fipsmodule/bn/miller_rabin_tests.txt",
+ "src/crypto/fipsmodule/cmac/cavp_3des_cmac_tests.txt",
+ "src/crypto/fipsmodule/cmac/cavp_aes128_cmac_tests.txt",
+ "src/crypto/fipsmodule/cmac/cavp_aes192_cmac_tests.txt",
+ "src/crypto/fipsmodule/cmac/cavp_aes256_cmac_tests.txt",
"src/crypto/fipsmodule/ec/ec_scalar_base_mult_tests.txt",
- "src/crypto/fipsmodule/ec/p256-x86_64_tests.txt",
+ "src/crypto/fipsmodule/ec/p256-nistz_tests.txt",
"src/crypto/fipsmodule/ecdsa/ecdsa_sign_tests.txt",
"src/crypto/fipsmodule/ecdsa/ecdsa_verify_tests.txt",
"src/crypto/fipsmodule/modes/gcm_tests.txt",
diff --git a/LICENSE b/LICENSE
new file mode 120000
index 0000000..da348fc
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1 @@
+src/LICENSE
\ No newline at end of file
diff --git a/android-sources.cmake b/android-sources.cmake
index 294c054..3096686 100644
--- a/android-sources.cmake
+++ b/android-sources.cmake
@@ -70,7 +70,6 @@
${BORINGSSL_ROOT}src/crypto/chacha/chacha.c
${BORINGSSL_ROOT}src/crypto/cipher_extra/cipher_extra.c
${BORINGSSL_ROOT}src/crypto/cipher_extra/derive_key.c
- ${BORINGSSL_ROOT}src/crypto/cipher_extra/e_aesccm.c
${BORINGSSL_ROOT}src/crypto/cipher_extra/e_aesctrhmac.c
${BORINGSSL_ROOT}src/crypto/cipher_extra/e_aesgcmsiv.c
${BORINGSSL_ROOT}src/crypto/cipher_extra/e_chacha20poly1305.c
@@ -80,7 +79,6 @@
${BORINGSSL_ROOT}src/crypto/cipher_extra/e_rc4.c
${BORINGSSL_ROOT}src/crypto/cipher_extra/e_tls.c
${BORINGSSL_ROOT}src/crypto/cipher_extra/tls_cbc.c
- ${BORINGSSL_ROOT}src/crypto/cmac/cmac.c
${BORINGSSL_ROOT}src/crypto/conf/conf.c
${BORINGSSL_ROOT}src/crypto/cpu_aarch64_apple.c
${BORINGSSL_ROOT}src/crypto/cpu_aarch64_fuchsia.c
@@ -106,7 +104,6 @@
${BORINGSSL_ROOT}src/crypto/ecdsa_extra/ecdsa_asn1.c
${BORINGSSL_ROOT}src/crypto/engine/engine.c
${BORINGSSL_ROOT}src/crypto/err/err.c
- ${BORINGSSL_ROOT}src/crypto/evp/digestsign.c
${BORINGSSL_ROOT}src/crypto/evp/evp.c
${BORINGSSL_ROOT}src/crypto/evp/evp_asn1.c
${BORINGSSL_ROOT}src/crypto/evp/evp_ctx.c
@@ -326,7 +323,6 @@
${BORINGSSL_ROOT}src/crypto/chacha/chacha_test.cc
${BORINGSSL_ROOT}src/crypto/cipher_extra/aead_test.cc
${BORINGSSL_ROOT}src/crypto/cipher_extra/cipher_test.cc
- ${BORINGSSL_ROOT}src/crypto/cmac/cmac_test.cc
${BORINGSSL_ROOT}src/crypto/compiler_test.cc
${BORINGSSL_ROOT}src/crypto/conf/conf_test.cc
${BORINGSSL_ROOT}src/crypto/constant_time_test.cc
@@ -346,13 +342,15 @@
${BORINGSSL_ROOT}src/crypto/evp/scrypt_test.cc
${BORINGSSL_ROOT}src/crypto/fipsmodule/aes/aes_test.cc
${BORINGSSL_ROOT}src/crypto/fipsmodule/bn/bn_test.cc
+ ${BORINGSSL_ROOT}src/crypto/fipsmodule/cmac/cmac_test.cc
${BORINGSSL_ROOT}src/crypto/fipsmodule/ec/ec_test.cc
- ${BORINGSSL_ROOT}src/crypto/fipsmodule/ec/p256-x86_64_test.cc
+ ${BORINGSSL_ROOT}src/crypto/fipsmodule/ec/p256-nistz_test.cc
${BORINGSSL_ROOT}src/crypto/fipsmodule/ecdsa/ecdsa_test.cc
${BORINGSSL_ROOT}src/crypto/fipsmodule/md5/md5_test.cc
${BORINGSSL_ROOT}src/crypto/fipsmodule/modes/gcm_test.cc
${BORINGSSL_ROOT}src/crypto/fipsmodule/rand/ctrdrbg_test.cc
${BORINGSSL_ROOT}src/crypto/fipsmodule/rand/fork_detect_test.cc
+ ${BORINGSSL_ROOT}src/crypto/fipsmodule/service_indicator/service_indicator_test.cc
${BORINGSSL_ROOT}src/crypto/fipsmodule/sha/sha_test.cc
${BORINGSSL_ROOT}src/crypto/hkdf/hkdf_test.cc
${BORINGSSL_ROOT}src/crypto/hmac_extra/hmac_test.cc
@@ -391,10 +389,13 @@
)
set(crypto_sources_apple_aarch64
${BORINGSSL_ROOT}apple-aarch64/crypto/chacha/chacha-armv8.S
+ ${BORINGSSL_ROOT}apple-aarch64/crypto/cipher_extra/chacha20_poly1305_armv8.S
${BORINGSSL_ROOT}apple-aarch64/crypto/fipsmodule/aesv8-armx64.S
${BORINGSSL_ROOT}apple-aarch64/crypto/fipsmodule/armv8-mont.S
${BORINGSSL_ROOT}apple-aarch64/crypto/fipsmodule/ghash-neon-armv8.S
${BORINGSSL_ROOT}apple-aarch64/crypto/fipsmodule/ghashv8-armx64.S
+ ${BORINGSSL_ROOT}apple-aarch64/crypto/fipsmodule/p256-armv8-asm.S
+ ${BORINGSSL_ROOT}apple-aarch64/crypto/fipsmodule/p256_beeu-armv8-asm.S
${BORINGSSL_ROOT}apple-aarch64/crypto/fipsmodule/sha1-armv8.S
${BORINGSSL_ROOT}apple-aarch64/crypto/fipsmodule/sha256-armv8.S
${BORINGSSL_ROOT}apple-aarch64/crypto/fipsmodule/sha512-armv8.S
@@ -452,10 +453,13 @@
)
set(crypto_sources_linux_aarch64
${BORINGSSL_ROOT}linux-aarch64/crypto/chacha/chacha-armv8.S
+ ${BORINGSSL_ROOT}linux-aarch64/crypto/cipher_extra/chacha20_poly1305_armv8.S
${BORINGSSL_ROOT}linux-aarch64/crypto/fipsmodule/aesv8-armx64.S
${BORINGSSL_ROOT}linux-aarch64/crypto/fipsmodule/armv8-mont.S
${BORINGSSL_ROOT}linux-aarch64/crypto/fipsmodule/ghash-neon-armv8.S
${BORINGSSL_ROOT}linux-aarch64/crypto/fipsmodule/ghashv8-armx64.S
+ ${BORINGSSL_ROOT}linux-aarch64/crypto/fipsmodule/p256-armv8-asm.S
+ ${BORINGSSL_ROOT}linux-aarch64/crypto/fipsmodule/p256_beeu-armv8-asm.S
${BORINGSSL_ROOT}linux-aarch64/crypto/fipsmodule/sha1-armv8.S
${BORINGSSL_ROOT}linux-aarch64/crypto/fipsmodule/sha256-armv8.S
${BORINGSSL_ROOT}linux-aarch64/crypto/fipsmodule/sha512-armv8.S
@@ -521,10 +525,13 @@
)
set(crypto_sources_win_aarch64
${BORINGSSL_ROOT}win-aarch64/crypto/chacha/chacha-armv8.S
+ ${BORINGSSL_ROOT}win-aarch64/crypto/cipher_extra/chacha20_poly1305_armv8.S
${BORINGSSL_ROOT}win-aarch64/crypto/fipsmodule/aesv8-armx64.S
${BORINGSSL_ROOT}win-aarch64/crypto/fipsmodule/armv8-mont.S
${BORINGSSL_ROOT}win-aarch64/crypto/fipsmodule/ghash-neon-armv8.S
${BORINGSSL_ROOT}win-aarch64/crypto/fipsmodule/ghashv8-armx64.S
+ ${BORINGSSL_ROOT}win-aarch64/crypto/fipsmodule/p256-armv8-asm.S
+ ${BORINGSSL_ROOT}win-aarch64/crypto/fipsmodule/p256_beeu-armv8-asm.S
${BORINGSSL_ROOT}win-aarch64/crypto/fipsmodule/sha1-armv8.S
${BORINGSSL_ROOT}win-aarch64/crypto/fipsmodule/sha256-armv8.S
${BORINGSSL_ROOT}win-aarch64/crypto/fipsmodule/sha512-armv8.S
diff --git a/apple-aarch64/crypto/cipher_extra/chacha20_poly1305_armv8.S b/apple-aarch64/crypto/cipher_extra/chacha20_poly1305_armv8.S
new file mode 100644
index 0000000..233910d
--- /dev/null
+++ b/apple-aarch64/crypto/cipher_extra/chacha20_poly1305_armv8.S
@@ -0,0 +1,3017 @@
+// This file is generated from a similarly-named Perl script in the BoringSSL
+// source tree. Do not edit by hand.
+
+#if !defined(__has_feature)
+#define __has_feature(x) 0
+#endif
+#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM)
+#define OPENSSL_NO_ASM
+#endif
+
+#if !defined(OPENSSL_NO_ASM)
+#if defined(BORINGSSL_PREFIX)
+#include <boringssl_prefix_symbols_asm.h>
+#endif
+#include <openssl/arm_arch.h>
+.section __TEXT,__const
+
+.align 7
+Lchacha20_consts:
+.byte 'e','x','p','a','n','d',' ','3','2','-','b','y','t','e',' ','k'
+Linc:
+.long 1,2,3,4
+Lrol8:
+.byte 3,0,1,2, 7,4,5,6, 11,8,9,10, 15,12,13,14
+Lclamp:
+.quad 0x0FFFFFFC0FFFFFFF, 0x0FFFFFFC0FFFFFFC
+
+.text
+
+
+.align 6
+Lpoly_hash_ad_internal:
+.cfi_startproc
+ cbnz x4, Lpoly_hash_intro
+ ret
+
+Lpoly_hash_intro:
+ cmp x4, #16
+ b.lt Lpoly_hash_ad_tail
+ ldp x11, x12, [x3], 16
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ sub x4, x4, #16
+ b Lpoly_hash_ad_internal
+
+Lpoly_hash_ad_tail:
+ cbz x4, Lpoly_hash_ad_ret
+
+ eor v20.16b, v20.16b, v20.16b // Use T0 to load the AAD
+ sub x4, x4, #1
+
+Lpoly_hash_tail_16_compose:
+ ext v20.16b, v20.16b, v20.16b, #15
+ ldrb w11, [x3, x4]
+ mov v20.b[0], w11
+ subs x4, x4, #1
+ b.ge Lpoly_hash_tail_16_compose
+ mov x11, v20.d[0]
+ mov x12, v20.d[1]
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+
+Lpoly_hash_ad_ret:
+ ret
+.cfi_endproc
+
+
+/////////////////////////////////
+//
+// void chacha20_poly1305_seal(uint8_t *pt, uint8_t *ct, size_t len_in, uint8_t *ad, size_t len_ad, union open_data *seal_data);
+//
+.globl _chacha20_poly1305_seal
+.private_extern _chacha20_poly1305_seal
+
+.align 6
+_chacha20_poly1305_seal:
+ AARCH64_SIGN_LINK_REGISTER
+.cfi_startproc
+ stp x29, x30, [sp, #-80]!
+.cfi_def_cfa_offset 80
+.cfi_offset w30, -72
+.cfi_offset w29, -80
+ mov x29, sp
+# We probably could do .cfi_def_cfa w29, 80 at this point, but since
+# we don't actually use the frame pointer like that, it's probably not
+# worth bothering.
+ stp d8, d9, [sp, #16]
+ stp d10, d11, [sp, #32]
+ stp d12, d13, [sp, #48]
+ stp d14, d15, [sp, #64]
+.cfi_offset b15, -8
+.cfi_offset b14, -16
+.cfi_offset b13, -24
+.cfi_offset b12, -32
+.cfi_offset b11, -40
+.cfi_offset b10, -48
+.cfi_offset b9, -56
+.cfi_offset b8, -64
+
+ adrp x11, Lchacha20_consts@PAGE
+ add x11, x11, Lchacha20_consts@PAGEOFF
+
+ ld1 {v24.16b - v27.16b}, [x11] // Load the CONSTS, INC, ROL8 and CLAMP values
+ ld1 {v28.16b - v30.16b}, [x5]
+
+ mov x15, #1 // Prepare the Poly1305 state
+ mov x8, #0
+ mov x9, #0
+ mov x10, #0
+
+ ldr x12, [x5, #56] // The total cipher text length includes extra_in_len
+ add x12, x12, x2
+ mov v31.d[0], x4 // Store the input and aad lengths
+ mov v31.d[1], x12
+
+ cmp x2, #128
+ b.le Lseal_128 // Optimization for smaller buffers
+
+ // Initially we prepare 5 ChaCha20 blocks. Four to encrypt up to 4 blocks (256 bytes) of plaintext,
+ // and one for the Poly1305 R and S keys. The first four blocks (A0-A3..D0-D3) are computed vertically,
+ // the fifth block (A4-D4) horizontally.
+ ld4r {v0.4s,v1.4s,v2.4s,v3.4s}, [x11]
+ mov v4.16b, v24.16b
+
+ ld4r {v5.4s,v6.4s,v7.4s,v8.4s}, [x5], #16
+ mov v9.16b, v28.16b
+
+ ld4r {v10.4s,v11.4s,v12.4s,v13.4s}, [x5], #16
+ mov v14.16b, v29.16b
+
+ ld4r {v15.4s,v16.4s,v17.4s,v18.4s}, [x5]
+ add v15.4s, v15.4s, v25.4s
+ mov v19.16b, v30.16b
+
+ sub x5, x5, #32
+
+ mov x6, #10
+
+.align 5
+Lseal_init_rounds:
+ add v0.4s, v0.4s, v5.4s
+ add v1.4s, v1.4s, v6.4s
+ add v2.4s, v2.4s, v7.4s
+ add v3.4s, v3.4s, v8.4s
+ add v4.4s, v4.4s, v9.4s
+
+ eor v15.16b, v15.16b, v0.16b
+ eor v16.16b, v16.16b, v1.16b
+ eor v17.16b, v17.16b, v2.16b
+ eor v18.16b, v18.16b, v3.16b
+ eor v19.16b, v19.16b, v4.16b
+
+ rev32 v15.8h, v15.8h
+ rev32 v16.8h, v16.8h
+ rev32 v17.8h, v17.8h
+ rev32 v18.8h, v18.8h
+ rev32 v19.8h, v19.8h
+
+ add v10.4s, v10.4s, v15.4s
+ add v11.4s, v11.4s, v16.4s
+ add v12.4s, v12.4s, v17.4s
+ add v13.4s, v13.4s, v18.4s
+ add v14.4s, v14.4s, v19.4s
+
+ eor v5.16b, v5.16b, v10.16b
+ eor v6.16b, v6.16b, v11.16b
+ eor v7.16b, v7.16b, v12.16b
+ eor v8.16b, v8.16b, v13.16b
+ eor v9.16b, v9.16b, v14.16b
+
+ ushr v20.4s, v5.4s, #20
+ sli v20.4s, v5.4s, #12
+ ushr v5.4s, v6.4s, #20
+ sli v5.4s, v6.4s, #12
+ ushr v6.4s, v7.4s, #20
+ sli v6.4s, v7.4s, #12
+ ushr v7.4s, v8.4s, #20
+ sli v7.4s, v8.4s, #12
+ ushr v8.4s, v9.4s, #20
+ sli v8.4s, v9.4s, #12
+
+ add v0.4s, v0.4s, v20.4s
+ add v1.4s, v1.4s, v5.4s
+ add v2.4s, v2.4s, v6.4s
+ add v3.4s, v3.4s, v7.4s
+ add v4.4s, v4.4s, v8.4s
+
+ eor v15.16b, v15.16b, v0.16b
+ eor v16.16b, v16.16b, v1.16b
+ eor v17.16b, v17.16b, v2.16b
+ eor v18.16b, v18.16b, v3.16b
+ eor v19.16b, v19.16b, v4.16b
+
+ tbl v15.16b, {v15.16b}, v26.16b
+ tbl v16.16b, {v16.16b}, v26.16b
+ tbl v17.16b, {v17.16b}, v26.16b
+ tbl v18.16b, {v18.16b}, v26.16b
+ tbl v19.16b, {v19.16b}, v26.16b
+
+ add v10.4s, v10.4s, v15.4s
+ add v11.4s, v11.4s, v16.4s
+ add v12.4s, v12.4s, v17.4s
+ add v13.4s, v13.4s, v18.4s
+ add v14.4s, v14.4s, v19.4s
+
+ eor v20.16b, v20.16b, v10.16b
+ eor v5.16b, v5.16b, v11.16b
+ eor v6.16b, v6.16b, v12.16b
+ eor v7.16b, v7.16b, v13.16b
+ eor v8.16b, v8.16b, v14.16b
+
+ ushr v9.4s, v8.4s, #25
+ sli v9.4s, v8.4s, #7
+ ushr v8.4s, v7.4s, #25
+ sli v8.4s, v7.4s, #7
+ ushr v7.4s, v6.4s, #25
+ sli v7.4s, v6.4s, #7
+ ushr v6.4s, v5.4s, #25
+ sli v6.4s, v5.4s, #7
+ ushr v5.4s, v20.4s, #25
+ sli v5.4s, v20.4s, #7
+
+ ext v9.16b, v9.16b, v9.16b, #4
+ ext v14.16b, v14.16b, v14.16b, #8
+ ext v19.16b, v19.16b, v19.16b, #12
+ add v0.4s, v0.4s, v6.4s
+ add v1.4s, v1.4s, v7.4s
+ add v2.4s, v2.4s, v8.4s
+ add v3.4s, v3.4s, v5.4s
+ add v4.4s, v4.4s, v9.4s
+
+ eor v18.16b, v18.16b, v0.16b
+ eor v15.16b, v15.16b, v1.16b
+ eor v16.16b, v16.16b, v2.16b
+ eor v17.16b, v17.16b, v3.16b
+ eor v19.16b, v19.16b, v4.16b
+
+ rev32 v18.8h, v18.8h
+ rev32 v15.8h, v15.8h
+ rev32 v16.8h, v16.8h
+ rev32 v17.8h, v17.8h
+ rev32 v19.8h, v19.8h
+
+ add v12.4s, v12.4s, v18.4s
+ add v13.4s, v13.4s, v15.4s
+ add v10.4s, v10.4s, v16.4s
+ add v11.4s, v11.4s, v17.4s
+ add v14.4s, v14.4s, v19.4s
+
+ eor v6.16b, v6.16b, v12.16b
+ eor v7.16b, v7.16b, v13.16b
+ eor v8.16b, v8.16b, v10.16b
+ eor v5.16b, v5.16b, v11.16b
+ eor v9.16b, v9.16b, v14.16b
+
+ ushr v20.4s, v6.4s, #20
+ sli v20.4s, v6.4s, #12
+ ushr v6.4s, v7.4s, #20
+ sli v6.4s, v7.4s, #12
+ ushr v7.4s, v8.4s, #20
+ sli v7.4s, v8.4s, #12
+ ushr v8.4s, v5.4s, #20
+ sli v8.4s, v5.4s, #12
+ ushr v5.4s, v9.4s, #20
+ sli v5.4s, v9.4s, #12
+
+ add v0.4s, v0.4s, v20.4s
+ add v1.4s, v1.4s, v6.4s
+ add v2.4s, v2.4s, v7.4s
+ add v3.4s, v3.4s, v8.4s
+ add v4.4s, v4.4s, v5.4s
+
+ eor v18.16b, v18.16b, v0.16b
+ eor v15.16b, v15.16b, v1.16b
+ eor v16.16b, v16.16b, v2.16b
+ eor v17.16b, v17.16b, v3.16b
+ eor v19.16b, v19.16b, v4.16b
+
+ tbl v18.16b, {v18.16b}, v26.16b
+ tbl v15.16b, {v15.16b}, v26.16b
+ tbl v16.16b, {v16.16b}, v26.16b
+ tbl v17.16b, {v17.16b}, v26.16b
+ tbl v19.16b, {v19.16b}, v26.16b
+
+ add v12.4s, v12.4s, v18.4s
+ add v13.4s, v13.4s, v15.4s
+ add v10.4s, v10.4s, v16.4s
+ add v11.4s, v11.4s, v17.4s
+ add v14.4s, v14.4s, v19.4s
+
+ eor v20.16b, v20.16b, v12.16b
+ eor v6.16b, v6.16b, v13.16b
+ eor v7.16b, v7.16b, v10.16b
+ eor v8.16b, v8.16b, v11.16b
+ eor v5.16b, v5.16b, v14.16b
+
+ ushr v9.4s, v5.4s, #25
+ sli v9.4s, v5.4s, #7
+ ushr v5.4s, v8.4s, #25
+ sli v5.4s, v8.4s, #7
+ ushr v8.4s, v7.4s, #25
+ sli v8.4s, v7.4s, #7
+ ushr v7.4s, v6.4s, #25
+ sli v7.4s, v6.4s, #7
+ ushr v6.4s, v20.4s, #25
+ sli v6.4s, v20.4s, #7
+
+ ext v9.16b, v9.16b, v9.16b, #12
+ ext v14.16b, v14.16b, v14.16b, #8
+ ext v19.16b, v19.16b, v19.16b, #4
+ subs x6, x6, #1
+ b.hi Lseal_init_rounds
+
+ add v15.4s, v15.4s, v25.4s
+ mov x11, #4
+ dup v20.4s, w11
+ add v25.4s, v25.4s, v20.4s
+
+ zip1 v20.4s, v0.4s, v1.4s
+ zip2 v21.4s, v0.4s, v1.4s
+ zip1 v22.4s, v2.4s, v3.4s
+ zip2 v23.4s, v2.4s, v3.4s
+
+ zip1 v0.2d, v20.2d, v22.2d
+ zip2 v1.2d, v20.2d, v22.2d
+ zip1 v2.2d, v21.2d, v23.2d
+ zip2 v3.2d, v21.2d, v23.2d
+
+ zip1 v20.4s, v5.4s, v6.4s
+ zip2 v21.4s, v5.4s, v6.4s
+ zip1 v22.4s, v7.4s, v8.4s
+ zip2 v23.4s, v7.4s, v8.4s
+
+ zip1 v5.2d, v20.2d, v22.2d
+ zip2 v6.2d, v20.2d, v22.2d
+ zip1 v7.2d, v21.2d, v23.2d
+ zip2 v8.2d, v21.2d, v23.2d
+
+ zip1 v20.4s, v10.4s, v11.4s
+ zip2 v21.4s, v10.4s, v11.4s
+ zip1 v22.4s, v12.4s, v13.4s
+ zip2 v23.4s, v12.4s, v13.4s
+
+ zip1 v10.2d, v20.2d, v22.2d
+ zip2 v11.2d, v20.2d, v22.2d
+ zip1 v12.2d, v21.2d, v23.2d
+ zip2 v13.2d, v21.2d, v23.2d
+
+ zip1 v20.4s, v15.4s, v16.4s
+ zip2 v21.4s, v15.4s, v16.4s
+ zip1 v22.4s, v17.4s, v18.4s
+ zip2 v23.4s, v17.4s, v18.4s
+
+ zip1 v15.2d, v20.2d, v22.2d
+ zip2 v16.2d, v20.2d, v22.2d
+ zip1 v17.2d, v21.2d, v23.2d
+ zip2 v18.2d, v21.2d, v23.2d
+
+ add v4.4s, v4.4s, v24.4s
+ add v9.4s, v9.4s, v28.4s
+ and v4.16b, v4.16b, v27.16b
+
+ add v0.4s, v0.4s, v24.4s
+ add v5.4s, v5.4s, v28.4s
+ add v10.4s, v10.4s, v29.4s
+ add v15.4s, v15.4s, v30.4s
+
+ add v1.4s, v1.4s, v24.4s
+ add v6.4s, v6.4s, v28.4s
+ add v11.4s, v11.4s, v29.4s
+ add v16.4s, v16.4s, v30.4s
+
+ add v2.4s, v2.4s, v24.4s
+ add v7.4s, v7.4s, v28.4s
+ add v12.4s, v12.4s, v29.4s
+ add v17.4s, v17.4s, v30.4s
+
+ add v3.4s, v3.4s, v24.4s
+ add v8.4s, v8.4s, v28.4s
+ add v13.4s, v13.4s, v29.4s
+ add v18.4s, v18.4s, v30.4s
+
+ mov x16, v4.d[0] // Move the R key to GPRs
+ mov x17, v4.d[1]
+ mov v27.16b, v9.16b // Store the S key
+
+ bl Lpoly_hash_ad_internal
+
+ mov x3, x0
+ cmp x2, #256
+ b.le Lseal_tail
+
+ ld1 {v20.16b - v23.16b}, [x1], #64
+ eor v20.16b, v20.16b, v0.16b
+ eor v21.16b, v21.16b, v5.16b
+ eor v22.16b, v22.16b, v10.16b
+ eor v23.16b, v23.16b, v15.16b
+ st1 {v20.16b - v23.16b}, [x0], #64
+
+ ld1 {v20.16b - v23.16b}, [x1], #64
+ eor v20.16b, v20.16b, v1.16b
+ eor v21.16b, v21.16b, v6.16b
+ eor v22.16b, v22.16b, v11.16b
+ eor v23.16b, v23.16b, v16.16b
+ st1 {v20.16b - v23.16b}, [x0], #64
+
+ ld1 {v20.16b - v23.16b}, [x1], #64
+ eor v20.16b, v20.16b, v2.16b
+ eor v21.16b, v21.16b, v7.16b
+ eor v22.16b, v22.16b, v12.16b
+ eor v23.16b, v23.16b, v17.16b
+ st1 {v20.16b - v23.16b}, [x0], #64
+
+ ld1 {v20.16b - v23.16b}, [x1], #64
+ eor v20.16b, v20.16b, v3.16b
+ eor v21.16b, v21.16b, v8.16b
+ eor v22.16b, v22.16b, v13.16b
+ eor v23.16b, v23.16b, v18.16b
+ st1 {v20.16b - v23.16b}, [x0], #64
+
+ sub x2, x2, #256
+
+ mov x6, #4 // In the first run of the loop we need to hash 256 bytes, therefore we hash one block for the first 4 rounds
+ mov x7, #6 // and two blocks for the remaining 6, for a total of (1 * 4 + 2 * 6) * 16 = 256
+
+Lseal_main_loop:
+ adrp x11, Lchacha20_consts@PAGE
+ add x11, x11, Lchacha20_consts@PAGEOFF
+
+ ld4r {v0.4s,v1.4s,v2.4s,v3.4s}, [x11]
+ mov v4.16b, v24.16b
+
+ ld4r {v5.4s,v6.4s,v7.4s,v8.4s}, [x5], #16
+ mov v9.16b, v28.16b
+
+ ld4r {v10.4s,v11.4s,v12.4s,v13.4s}, [x5], #16
+ mov v14.16b, v29.16b
+
+ ld4r {v15.4s,v16.4s,v17.4s,v18.4s}, [x5]
+ add v15.4s, v15.4s, v25.4s
+ mov v19.16b, v30.16b
+
+ eor v20.16b, v20.16b, v20.16b //zero
+ not v21.16b, v20.16b // -1
+ sub v21.4s, v25.4s, v21.4s // Add +1
+ ext v20.16b, v21.16b, v20.16b, #12 // Get the last element (counter)
+ add v19.4s, v19.4s, v20.4s
+
+ sub x5, x5, #32
+.align 5
+Lseal_main_loop_rounds:
+ add v0.4s, v0.4s, v5.4s
+ add v1.4s, v1.4s, v6.4s
+ add v2.4s, v2.4s, v7.4s
+ add v3.4s, v3.4s, v8.4s
+ add v4.4s, v4.4s, v9.4s
+
+ eor v15.16b, v15.16b, v0.16b
+ eor v16.16b, v16.16b, v1.16b
+ eor v17.16b, v17.16b, v2.16b
+ eor v18.16b, v18.16b, v3.16b
+ eor v19.16b, v19.16b, v4.16b
+
+ rev32 v15.8h, v15.8h
+ rev32 v16.8h, v16.8h
+ rev32 v17.8h, v17.8h
+ rev32 v18.8h, v18.8h
+ rev32 v19.8h, v19.8h
+
+ add v10.4s, v10.4s, v15.4s
+ add v11.4s, v11.4s, v16.4s
+ add v12.4s, v12.4s, v17.4s
+ add v13.4s, v13.4s, v18.4s
+ add v14.4s, v14.4s, v19.4s
+
+ eor v5.16b, v5.16b, v10.16b
+ eor v6.16b, v6.16b, v11.16b
+ eor v7.16b, v7.16b, v12.16b
+ eor v8.16b, v8.16b, v13.16b
+ eor v9.16b, v9.16b, v14.16b
+
+ ushr v20.4s, v5.4s, #20
+ sli v20.4s, v5.4s, #12
+ ushr v5.4s, v6.4s, #20
+ sli v5.4s, v6.4s, #12
+ ushr v6.4s, v7.4s, #20
+ sli v6.4s, v7.4s, #12
+ ushr v7.4s, v8.4s, #20
+ sli v7.4s, v8.4s, #12
+ ushr v8.4s, v9.4s, #20
+ sli v8.4s, v9.4s, #12
+
+ add v0.4s, v0.4s, v20.4s
+ add v1.4s, v1.4s, v5.4s
+ add v2.4s, v2.4s, v6.4s
+ add v3.4s, v3.4s, v7.4s
+ add v4.4s, v4.4s, v8.4s
+
+ eor v15.16b, v15.16b, v0.16b
+ eor v16.16b, v16.16b, v1.16b
+ eor v17.16b, v17.16b, v2.16b
+ eor v18.16b, v18.16b, v3.16b
+ eor v19.16b, v19.16b, v4.16b
+
+ tbl v15.16b, {v15.16b}, v26.16b
+ tbl v16.16b, {v16.16b}, v26.16b
+ tbl v17.16b, {v17.16b}, v26.16b
+ tbl v18.16b, {v18.16b}, v26.16b
+ tbl v19.16b, {v19.16b}, v26.16b
+
+ add v10.4s, v10.4s, v15.4s
+ add v11.4s, v11.4s, v16.4s
+ add v12.4s, v12.4s, v17.4s
+ add v13.4s, v13.4s, v18.4s
+ add v14.4s, v14.4s, v19.4s
+
+ eor v20.16b, v20.16b, v10.16b
+ eor v5.16b, v5.16b, v11.16b
+ eor v6.16b, v6.16b, v12.16b
+ eor v7.16b, v7.16b, v13.16b
+ eor v8.16b, v8.16b, v14.16b
+
+ ushr v9.4s, v8.4s, #25
+ sli v9.4s, v8.4s, #7
+ ushr v8.4s, v7.4s, #25
+ sli v8.4s, v7.4s, #7
+ ushr v7.4s, v6.4s, #25
+ sli v7.4s, v6.4s, #7
+ ushr v6.4s, v5.4s, #25
+ sli v6.4s, v5.4s, #7
+ ushr v5.4s, v20.4s, #25
+ sli v5.4s, v20.4s, #7
+
+ ext v9.16b, v9.16b, v9.16b, #4
+ ext v14.16b, v14.16b, v14.16b, #8
+ ext v19.16b, v19.16b, v19.16b, #12
+ ldp x11, x12, [x3], 16
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ add v0.4s, v0.4s, v6.4s
+ add v1.4s, v1.4s, v7.4s
+ add v2.4s, v2.4s, v8.4s
+ add v3.4s, v3.4s, v5.4s
+ add v4.4s, v4.4s, v9.4s
+
+ eor v18.16b, v18.16b, v0.16b
+ eor v15.16b, v15.16b, v1.16b
+ eor v16.16b, v16.16b, v2.16b
+ eor v17.16b, v17.16b, v3.16b
+ eor v19.16b, v19.16b, v4.16b
+
+ rev32 v18.8h, v18.8h
+ rev32 v15.8h, v15.8h
+ rev32 v16.8h, v16.8h
+ rev32 v17.8h, v17.8h
+ rev32 v19.8h, v19.8h
+
+ add v12.4s, v12.4s, v18.4s
+ add v13.4s, v13.4s, v15.4s
+ add v10.4s, v10.4s, v16.4s
+ add v11.4s, v11.4s, v17.4s
+ add v14.4s, v14.4s, v19.4s
+
+ eor v6.16b, v6.16b, v12.16b
+ eor v7.16b, v7.16b, v13.16b
+ eor v8.16b, v8.16b, v10.16b
+ eor v5.16b, v5.16b, v11.16b
+ eor v9.16b, v9.16b, v14.16b
+
+ ushr v20.4s, v6.4s, #20
+ sli v20.4s, v6.4s, #12
+ ushr v6.4s, v7.4s, #20
+ sli v6.4s, v7.4s, #12
+ ushr v7.4s, v8.4s, #20
+ sli v7.4s, v8.4s, #12
+ ushr v8.4s, v5.4s, #20
+ sli v8.4s, v5.4s, #12
+ ushr v5.4s, v9.4s, #20
+ sli v5.4s, v9.4s, #12
+
+ add v0.4s, v0.4s, v20.4s
+ add v1.4s, v1.4s, v6.4s
+ add v2.4s, v2.4s, v7.4s
+ add v3.4s, v3.4s, v8.4s
+ add v4.4s, v4.4s, v5.4s
+
+ eor v18.16b, v18.16b, v0.16b
+ eor v15.16b, v15.16b, v1.16b
+ eor v16.16b, v16.16b, v2.16b
+ eor v17.16b, v17.16b, v3.16b
+ eor v19.16b, v19.16b, v4.16b
+
+ tbl v18.16b, {v18.16b}, v26.16b
+ tbl v15.16b, {v15.16b}, v26.16b
+ tbl v16.16b, {v16.16b}, v26.16b
+ tbl v17.16b, {v17.16b}, v26.16b
+ tbl v19.16b, {v19.16b}, v26.16b
+
+ add v12.4s, v12.4s, v18.4s
+ add v13.4s, v13.4s, v15.4s
+ add v10.4s, v10.4s, v16.4s
+ add v11.4s, v11.4s, v17.4s
+ add v14.4s, v14.4s, v19.4s
+
+ eor v20.16b, v20.16b, v12.16b
+ eor v6.16b, v6.16b, v13.16b
+ eor v7.16b, v7.16b, v10.16b
+ eor v8.16b, v8.16b, v11.16b
+ eor v5.16b, v5.16b, v14.16b
+
+ ushr v9.4s, v5.4s, #25
+ sli v9.4s, v5.4s, #7
+ ushr v5.4s, v8.4s, #25
+ sli v5.4s, v8.4s, #7
+ ushr v8.4s, v7.4s, #25
+ sli v8.4s, v7.4s, #7
+ ushr v7.4s, v6.4s, #25
+ sli v7.4s, v6.4s, #7
+ ushr v6.4s, v20.4s, #25
+ sli v6.4s, v20.4s, #7
+
+ ext v9.16b, v9.16b, v9.16b, #12
+ ext v14.16b, v14.16b, v14.16b, #8
+ ext v19.16b, v19.16b, v19.16b, #4
+ subs x6, x6, #1
+ b.ge Lseal_main_loop_rounds
+ ldp x11, x12, [x3], 16
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ subs x7, x7, #1
+ b.gt Lseal_main_loop_rounds
+
+ eor v20.16b, v20.16b, v20.16b //zero
+ not v21.16b, v20.16b // -1
+ sub v21.4s, v25.4s, v21.4s // Add +1
+ ext v20.16b, v21.16b, v20.16b, #12 // Get the last element (counter)
+ add v19.4s, v19.4s, v20.4s
+
+ add v15.4s, v15.4s, v25.4s
+ mov x11, #5
+ dup v20.4s, w11
+ add v25.4s, v25.4s, v20.4s
+
+ zip1 v20.4s, v0.4s, v1.4s
+ zip2 v21.4s, v0.4s, v1.4s
+ zip1 v22.4s, v2.4s, v3.4s
+ zip2 v23.4s, v2.4s, v3.4s
+
+ zip1 v0.2d, v20.2d, v22.2d
+ zip2 v1.2d, v20.2d, v22.2d
+ zip1 v2.2d, v21.2d, v23.2d
+ zip2 v3.2d, v21.2d, v23.2d
+
+ zip1 v20.4s, v5.4s, v6.4s
+ zip2 v21.4s, v5.4s, v6.4s
+ zip1 v22.4s, v7.4s, v8.4s
+ zip2 v23.4s, v7.4s, v8.4s
+
+ zip1 v5.2d, v20.2d, v22.2d
+ zip2 v6.2d, v20.2d, v22.2d
+ zip1 v7.2d, v21.2d, v23.2d
+ zip2 v8.2d, v21.2d, v23.2d
+
+ zip1 v20.4s, v10.4s, v11.4s
+ zip2 v21.4s, v10.4s, v11.4s
+ zip1 v22.4s, v12.4s, v13.4s
+ zip2 v23.4s, v12.4s, v13.4s
+
+ zip1 v10.2d, v20.2d, v22.2d
+ zip2 v11.2d, v20.2d, v22.2d
+ zip1 v12.2d, v21.2d, v23.2d
+ zip2 v13.2d, v21.2d, v23.2d
+
+ zip1 v20.4s, v15.4s, v16.4s
+ zip2 v21.4s, v15.4s, v16.4s
+ zip1 v22.4s, v17.4s, v18.4s
+ zip2 v23.4s, v17.4s, v18.4s
+
+ zip1 v15.2d, v20.2d, v22.2d
+ zip2 v16.2d, v20.2d, v22.2d
+ zip1 v17.2d, v21.2d, v23.2d
+ zip2 v18.2d, v21.2d, v23.2d
+
+ add v0.4s, v0.4s, v24.4s
+ add v5.4s, v5.4s, v28.4s
+ add v10.4s, v10.4s, v29.4s
+ add v15.4s, v15.4s, v30.4s
+
+ add v1.4s, v1.4s, v24.4s
+ add v6.4s, v6.4s, v28.4s
+ add v11.4s, v11.4s, v29.4s
+ add v16.4s, v16.4s, v30.4s
+
+ add v2.4s, v2.4s, v24.4s
+ add v7.4s, v7.4s, v28.4s
+ add v12.4s, v12.4s, v29.4s
+ add v17.4s, v17.4s, v30.4s
+
+ add v3.4s, v3.4s, v24.4s
+ add v8.4s, v8.4s, v28.4s
+ add v13.4s, v13.4s, v29.4s
+ add v18.4s, v18.4s, v30.4s
+
+ add v4.4s, v4.4s, v24.4s
+ add v9.4s, v9.4s, v28.4s
+ add v14.4s, v14.4s, v29.4s
+ add v19.4s, v19.4s, v30.4s
+
+ cmp x2, #320
+ b.le Lseal_tail
+
+ ld1 {v20.16b - v23.16b}, [x1], #64
+ eor v20.16b, v20.16b, v0.16b
+ eor v21.16b, v21.16b, v5.16b
+ eor v22.16b, v22.16b, v10.16b
+ eor v23.16b, v23.16b, v15.16b
+ st1 {v20.16b - v23.16b}, [x0], #64
+
+ ld1 {v20.16b - v23.16b}, [x1], #64
+ eor v20.16b, v20.16b, v1.16b
+ eor v21.16b, v21.16b, v6.16b
+ eor v22.16b, v22.16b, v11.16b
+ eor v23.16b, v23.16b, v16.16b
+ st1 {v20.16b - v23.16b}, [x0], #64
+
+ ld1 {v20.16b - v23.16b}, [x1], #64
+ eor v20.16b, v20.16b, v2.16b
+ eor v21.16b, v21.16b, v7.16b
+ eor v22.16b, v22.16b, v12.16b
+ eor v23.16b, v23.16b, v17.16b
+ st1 {v20.16b - v23.16b}, [x0], #64
+
+ ld1 {v20.16b - v23.16b}, [x1], #64
+ eor v20.16b, v20.16b, v3.16b
+ eor v21.16b, v21.16b, v8.16b
+ eor v22.16b, v22.16b, v13.16b
+ eor v23.16b, v23.16b, v18.16b
+ st1 {v20.16b - v23.16b}, [x0], #64
+
+ ld1 {v20.16b - v23.16b}, [x1], #64
+ eor v20.16b, v20.16b, v4.16b
+ eor v21.16b, v21.16b, v9.16b
+ eor v22.16b, v22.16b, v14.16b
+ eor v23.16b, v23.16b, v19.16b
+ st1 {v20.16b - v23.16b}, [x0], #64
+
+ sub x2, x2, #320
+
+ mov x6, #0
+ mov x7, #10 // For the remainder of the loop we always hash and encrypt 320 bytes per iteration
+
+ b Lseal_main_loop
+
+Lseal_tail:
+ // This part of the function handles the storage and authentication of the last [0,320) bytes
+ // We assume A0-A4 ... D0-D4 hold at least inl (320 max) bytes of the stream data.
+ cmp x2, #64
+ b.lt Lseal_tail_64
+
+ // Store and authenticate 64B blocks per iteration
+ ld1 {v20.16b - v23.16b}, [x1], #64
+
+ eor v20.16b, v20.16b, v0.16b
+ eor v21.16b, v21.16b, v5.16b
+ eor v22.16b, v22.16b, v10.16b
+ eor v23.16b, v23.16b, v15.16b
+ mov x11, v20.d[0]
+ mov x12, v20.d[1]
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ mov x11, v21.d[0]
+ mov x12, v21.d[1]
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ mov x11, v22.d[0]
+ mov x12, v22.d[1]
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ mov x11, v23.d[0]
+ mov x12, v23.d[1]
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ st1 {v20.16b - v23.16b}, [x0], #64
+ sub x2, x2, #64
+
+ // Shift the state left by 64 bytes for the next iteration of the loop
+ mov v0.16b, v1.16b
+ mov v5.16b, v6.16b
+ mov v10.16b, v11.16b
+ mov v15.16b, v16.16b
+
+ mov v1.16b, v2.16b
+ mov v6.16b, v7.16b
+ mov v11.16b, v12.16b
+ mov v16.16b, v17.16b
+
+ mov v2.16b, v3.16b
+ mov v7.16b, v8.16b
+ mov v12.16b, v13.16b
+ mov v17.16b, v18.16b
+
+ mov v3.16b, v4.16b
+ mov v8.16b, v9.16b
+ mov v13.16b, v14.16b
+ mov v18.16b, v19.16b
+
+ b Lseal_tail
+
+Lseal_tail_64:
+ ldp x3, x4, [x5, #48] // extra_in_len and extra_in_ptr
+
+ // Here we handle the last [0,64) bytes of plaintext
+ cmp x2, #16
+ b.lt Lseal_tail_16
+ // Each iteration encrypt and authenticate a 16B block
+ ld1 {v20.16b}, [x1], #16
+ eor v20.16b, v20.16b, v0.16b
+ mov x11, v20.d[0]
+ mov x12, v20.d[1]
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ st1 {v20.16b}, [x0], #16
+
+ sub x2, x2, #16
+
+ // Shift the state left by 16 bytes for the next iteration of the loop
+ mov v0.16b, v5.16b
+ mov v5.16b, v10.16b
+ mov v10.16b, v15.16b
+
+ b Lseal_tail_64
+
+Lseal_tail_16:
+ // Here we handle the last [0,16) bytes of ciphertext that require a padded block
+ cbz x2, Lseal_hash_extra
+
+ eor v20.16b, v20.16b, v20.16b // Use T0 to load the plaintext/extra in
+ eor v21.16b, v21.16b, v21.16b // Use T1 to generate an AND mask that will only mask the ciphertext bytes
+ not v22.16b, v20.16b
+
+ mov x6, x2
+ add x1, x1, x2
+
+ cbz x4, Lseal_tail_16_compose // No extra data to pad with, zero padding
+
+ mov x7, #16 // We need to load some extra_in first for padding
+ sub x7, x7, x2
+ cmp x4, x7
+ csel x7, x4, x7, lt // Load the minimum of extra_in_len and the amount needed to fill the register
+ mov x12, x7
+ add x3, x3, x7
+ sub x4, x4, x7
+
+Lseal_tail16_compose_extra_in:
+ ext v20.16b, v20.16b, v20.16b, #15
+ ldrb w11, [x3, #-1]!
+ mov v20.b[0], w11
+ subs x7, x7, #1
+ b.gt Lseal_tail16_compose_extra_in
+
+ add x3, x3, x12
+
+Lseal_tail_16_compose:
+ ext v20.16b, v20.16b, v20.16b, #15
+ ldrb w11, [x1, #-1]!
+ mov v20.b[0], w11
+ ext v21.16b, v22.16b, v21.16b, #15
+ subs x2, x2, #1
+ b.gt Lseal_tail_16_compose
+
+ and v0.16b, v0.16b, v21.16b
+ eor v20.16b, v20.16b, v0.16b
+ mov v21.16b, v20.16b
+
+Lseal_tail_16_store:
+ umov w11, v20.b[0]
+ strb w11, [x0], #1
+ ext v20.16b, v20.16b, v20.16b, #1
+ subs x6, x6, #1
+ b.gt Lseal_tail_16_store
+
+ // Hash in the final ct block concatenated with extra_in
+ mov x11, v21.d[0]
+ mov x12, v21.d[1]
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+
+Lseal_hash_extra:
+ cbz x4, Lseal_finalize
+
+Lseal_hash_extra_loop:
+ cmp x4, #16
+ b.lt Lseal_hash_extra_tail
+ ld1 {v20.16b}, [x3], #16
+ mov x11, v20.d[0]
+ mov x12, v20.d[1]
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ sub x4, x4, #16
+ b Lseal_hash_extra_loop
+
+Lseal_hash_extra_tail:
+ cbz x4, Lseal_finalize
+ eor v20.16b, v20.16b, v20.16b // Use T0 to load the remaining extra ciphertext
+ add x3, x3, x4
+
+Lseal_hash_extra_load:
+ ext v20.16b, v20.16b, v20.16b, #15
+ ldrb w11, [x3, #-1]!
+ mov v20.b[0], w11
+ subs x4, x4, #1
+ b.gt Lseal_hash_extra_load
+
+ // Hash in the final padded extra_in blcok
+ mov x11, v20.d[0]
+ mov x12, v20.d[1]
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+
+Lseal_finalize:
+ mov x11, v31.d[0]
+ mov x12, v31.d[1]
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ # Final reduction step
+ sub x12, xzr, x15
+ orr x13, xzr, #3
+ subs x11, x8, #-5
+ sbcs x12, x9, x12
+ sbcs x13, x10, x13
+ csel x8, x11, x8, cs
+ csel x9, x12, x9, cs
+ csel x10, x13, x10, cs
+ mov x11, v27.d[0]
+ mov x12, v27.d[1]
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+
+ stp x8, x9, [x5]
+
+ ldp d8, d9, [sp, #16]
+ ldp d10, d11, [sp, #32]
+ ldp d12, d13, [sp, #48]
+ ldp d14, d15, [sp, #64]
+.cfi_restore b15
+.cfi_restore b14
+.cfi_restore b13
+.cfi_restore b12
+.cfi_restore b11
+.cfi_restore b10
+.cfi_restore b9
+.cfi_restore b8
+ ldp x29, x30, [sp], 80
+.cfi_restore w29
+.cfi_restore w30
+.cfi_def_cfa_offset 0
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+
+Lseal_128:
+ // On some architectures preparing 5 blocks for small buffers is wasteful
+ eor v25.16b, v25.16b, v25.16b
+ mov x11, #1
+ mov v25.s[0], w11
+ mov v0.16b, v24.16b
+ mov v1.16b, v24.16b
+ mov v2.16b, v24.16b
+ mov v5.16b, v28.16b
+ mov v6.16b, v28.16b
+ mov v7.16b, v28.16b
+ mov v10.16b, v29.16b
+ mov v11.16b, v29.16b
+ mov v12.16b, v29.16b
+ mov v17.16b, v30.16b
+ add v15.4s, v17.4s, v25.4s
+ add v16.4s, v15.4s, v25.4s
+
+ mov x6, #10
+
+Lseal_128_rounds:
+ add v0.4s, v0.4s, v5.4s
+ add v1.4s, v1.4s, v6.4s
+ add v2.4s, v2.4s, v7.4s
+ eor v15.16b, v15.16b, v0.16b
+ eor v16.16b, v16.16b, v1.16b
+ eor v17.16b, v17.16b, v2.16b
+ rev32 v15.8h, v15.8h
+ rev32 v16.8h, v16.8h
+ rev32 v17.8h, v17.8h
+
+ add v10.4s, v10.4s, v15.4s
+ add v11.4s, v11.4s, v16.4s
+ add v12.4s, v12.4s, v17.4s
+ eor v5.16b, v5.16b, v10.16b
+ eor v6.16b, v6.16b, v11.16b
+ eor v7.16b, v7.16b, v12.16b
+ ushr v20.4s, v5.4s, #20
+ sli v20.4s, v5.4s, #12
+ ushr v5.4s, v6.4s, #20
+ sli v5.4s, v6.4s, #12
+ ushr v6.4s, v7.4s, #20
+ sli v6.4s, v7.4s, #12
+
+ add v0.4s, v0.4s, v20.4s
+ add v1.4s, v1.4s, v5.4s
+ add v2.4s, v2.4s, v6.4s
+ eor v15.16b, v15.16b, v0.16b
+ eor v16.16b, v16.16b, v1.16b
+ eor v17.16b, v17.16b, v2.16b
+ tbl v15.16b, {v15.16b}, v26.16b
+ tbl v16.16b, {v16.16b}, v26.16b
+ tbl v17.16b, {v17.16b}, v26.16b
+
+ add v10.4s, v10.4s, v15.4s
+ add v11.4s, v11.4s, v16.4s
+ add v12.4s, v12.4s, v17.4s
+ eor v20.16b, v20.16b, v10.16b
+ eor v5.16b, v5.16b, v11.16b
+ eor v6.16b, v6.16b, v12.16b
+ ushr v7.4s, v6.4s, #25
+ sli v7.4s, v6.4s, #7
+ ushr v6.4s, v5.4s, #25
+ sli v6.4s, v5.4s, #7
+ ushr v5.4s, v20.4s, #25
+ sli v5.4s, v20.4s, #7
+
+ ext v5.16b, v5.16b, v5.16b, #4
+ ext v6.16b, v6.16b, v6.16b, #4
+ ext v7.16b, v7.16b, v7.16b, #4
+
+ ext v10.16b, v10.16b, v10.16b, #8
+ ext v11.16b, v11.16b, v11.16b, #8
+ ext v12.16b, v12.16b, v12.16b, #8
+
+ ext v15.16b, v15.16b, v15.16b, #12
+ ext v16.16b, v16.16b, v16.16b, #12
+ ext v17.16b, v17.16b, v17.16b, #12
+ add v0.4s, v0.4s, v5.4s
+ add v1.4s, v1.4s, v6.4s
+ add v2.4s, v2.4s, v7.4s
+ eor v15.16b, v15.16b, v0.16b
+ eor v16.16b, v16.16b, v1.16b
+ eor v17.16b, v17.16b, v2.16b
+ rev32 v15.8h, v15.8h
+ rev32 v16.8h, v16.8h
+ rev32 v17.8h, v17.8h
+
+ add v10.4s, v10.4s, v15.4s
+ add v11.4s, v11.4s, v16.4s
+ add v12.4s, v12.4s, v17.4s
+ eor v5.16b, v5.16b, v10.16b
+ eor v6.16b, v6.16b, v11.16b
+ eor v7.16b, v7.16b, v12.16b
+ ushr v20.4s, v5.4s, #20
+ sli v20.4s, v5.4s, #12
+ ushr v5.4s, v6.4s, #20
+ sli v5.4s, v6.4s, #12
+ ushr v6.4s, v7.4s, #20
+ sli v6.4s, v7.4s, #12
+
+ add v0.4s, v0.4s, v20.4s
+ add v1.4s, v1.4s, v5.4s
+ add v2.4s, v2.4s, v6.4s
+ eor v15.16b, v15.16b, v0.16b
+ eor v16.16b, v16.16b, v1.16b
+ eor v17.16b, v17.16b, v2.16b
+ tbl v15.16b, {v15.16b}, v26.16b
+ tbl v16.16b, {v16.16b}, v26.16b
+ tbl v17.16b, {v17.16b}, v26.16b
+
+ add v10.4s, v10.4s, v15.4s
+ add v11.4s, v11.4s, v16.4s
+ add v12.4s, v12.4s, v17.4s
+ eor v20.16b, v20.16b, v10.16b
+ eor v5.16b, v5.16b, v11.16b
+ eor v6.16b, v6.16b, v12.16b
+ ushr v7.4s, v6.4s, #25
+ sli v7.4s, v6.4s, #7
+ ushr v6.4s, v5.4s, #25
+ sli v6.4s, v5.4s, #7
+ ushr v5.4s, v20.4s, #25
+ sli v5.4s, v20.4s, #7
+
+ ext v5.16b, v5.16b, v5.16b, #12
+ ext v6.16b, v6.16b, v6.16b, #12
+ ext v7.16b, v7.16b, v7.16b, #12
+
+ ext v10.16b, v10.16b, v10.16b, #8
+ ext v11.16b, v11.16b, v11.16b, #8
+ ext v12.16b, v12.16b, v12.16b, #8
+
+ ext v15.16b, v15.16b, v15.16b, #4
+ ext v16.16b, v16.16b, v16.16b, #4
+ ext v17.16b, v17.16b, v17.16b, #4
+ subs x6, x6, #1
+ b.hi Lseal_128_rounds
+
+ add v0.4s, v0.4s, v24.4s
+ add v1.4s, v1.4s, v24.4s
+ add v2.4s, v2.4s, v24.4s
+
+ add v5.4s, v5.4s, v28.4s
+ add v6.4s, v6.4s, v28.4s
+ add v7.4s, v7.4s, v28.4s
+
+ // Only the first 32 bytes of the third block (counter = 0) are needed,
+ // so skip updating v12 and v17.
+ add v10.4s, v10.4s, v29.4s
+ add v11.4s, v11.4s, v29.4s
+
+ add v30.4s, v30.4s, v25.4s
+ add v15.4s, v15.4s, v30.4s
+ add v30.4s, v30.4s, v25.4s
+ add v16.4s, v16.4s, v30.4s
+
+ and v2.16b, v2.16b, v27.16b
+ mov x16, v2.d[0] // Move the R key to GPRs
+ mov x17, v2.d[1]
+ mov v27.16b, v7.16b // Store the S key
+
+ bl Lpoly_hash_ad_internal
+ b Lseal_tail
+.cfi_endproc
+
+
+/////////////////////////////////
+//
+// void chacha20_poly1305_open(uint8_t *pt, uint8_t *ct, size_t len_in, uint8_t *ad, size_t len_ad, union open_data *aead_data);
+//
+.globl _chacha20_poly1305_open
+.private_extern _chacha20_poly1305_open
+
+.align 6
+_chacha20_poly1305_open:
+ AARCH64_SIGN_LINK_REGISTER
+.cfi_startproc
+ stp x29, x30, [sp, #-80]!
+.cfi_def_cfa_offset 80
+.cfi_offset w30, -72
+.cfi_offset w29, -80
+ mov x29, sp
+# We probably could do .cfi_def_cfa w29, 80 at this point, but since
+# we don't actually use the frame pointer like that, it's probably not
+# worth bothering.
+ stp d8, d9, [sp, #16]
+ stp d10, d11, [sp, #32]
+ stp d12, d13, [sp, #48]
+ stp d14, d15, [sp, #64]
+.cfi_offset b15, -8
+.cfi_offset b14, -16
+.cfi_offset b13, -24
+.cfi_offset b12, -32
+.cfi_offset b11, -40
+.cfi_offset b10, -48
+.cfi_offset b9, -56
+.cfi_offset b8, -64
+
+ adrp x11, Lchacha20_consts@PAGE
+ add x11, x11, Lchacha20_consts@PAGEOFF
+
+ ld1 {v24.16b - v27.16b}, [x11] // Load the CONSTS, INC, ROL8 and CLAMP values
+ ld1 {v28.16b - v30.16b}, [x5]
+
+ mov x15, #1 // Prepare the Poly1305 state
+ mov x8, #0
+ mov x9, #0
+ mov x10, #0
+
+ mov v31.d[0], x4 // Store the input and aad lengths
+ mov v31.d[1], x2
+
+ cmp x2, #128
+ b.le Lopen_128 // Optimization for smaller buffers
+
+ // Initially we prepare a single ChaCha20 block for the Poly1305 R and S keys
+ mov v0.16b, v24.16b
+ mov v5.16b, v28.16b
+ mov v10.16b, v29.16b
+ mov v15.16b, v30.16b
+
+ mov x6, #10
+
+.align 5
+Lopen_init_rounds:
+ add v0.4s, v0.4s, v5.4s
+ eor v15.16b, v15.16b, v0.16b
+ rev32 v15.8h, v15.8h
+
+ add v10.4s, v10.4s, v15.4s
+ eor v5.16b, v5.16b, v10.16b
+ ushr v20.4s, v5.4s, #20
+ sli v20.4s, v5.4s, #12
+ add v0.4s, v0.4s, v20.4s
+ eor v15.16b, v15.16b, v0.16b
+ tbl v15.16b, {v15.16b}, v26.16b
+
+ add v10.4s, v10.4s, v15.4s
+ eor v20.16b, v20.16b, v10.16b
+ ushr v5.4s, v20.4s, #25
+ sli v5.4s, v20.4s, #7
+ ext v5.16b, v5.16b, v5.16b, #4
+ ext v10.16b, v10.16b, v10.16b, #8
+ ext v15.16b, v15.16b, v15.16b, #12
+ add v0.4s, v0.4s, v5.4s
+ eor v15.16b, v15.16b, v0.16b
+ rev32 v15.8h, v15.8h
+
+ add v10.4s, v10.4s, v15.4s
+ eor v5.16b, v5.16b, v10.16b
+ ushr v20.4s, v5.4s, #20
+ sli v20.4s, v5.4s, #12
+ add v0.4s, v0.4s, v20.4s
+ eor v15.16b, v15.16b, v0.16b
+ tbl v15.16b, {v15.16b}, v26.16b
+
+ add v10.4s, v10.4s, v15.4s
+ eor v20.16b, v20.16b, v10.16b
+ ushr v5.4s, v20.4s, #25
+ sli v5.4s, v20.4s, #7
+ ext v5.16b, v5.16b, v5.16b, #12
+ ext v10.16b, v10.16b, v10.16b, #8
+ ext v15.16b, v15.16b, v15.16b, #4
+ subs x6, x6, #1
+ b.hi Lopen_init_rounds
+
+ add v0.4s, v0.4s, v24.4s
+ add v5.4s, v5.4s, v28.4s
+
+ and v0.16b, v0.16b, v27.16b
+ mov x16, v0.d[0] // Move the R key to GPRs
+ mov x17, v0.d[1]
+ mov v27.16b, v5.16b // Store the S key
+
+ bl Lpoly_hash_ad_internal
+
+Lopen_ad_done:
+ mov x3, x1
+
+// Each iteration of the loop hash 320 bytes, and prepare stream for 320 bytes
+Lopen_main_loop:
+
+ cmp x2, #192
+ b.lt Lopen_tail
+
+ adrp x11, Lchacha20_consts@PAGE
+ add x11, x11, Lchacha20_consts@PAGEOFF
+
+ ld4r {v0.4s,v1.4s,v2.4s,v3.4s}, [x11]
+ mov v4.16b, v24.16b
+
+ ld4r {v5.4s,v6.4s,v7.4s,v8.4s}, [x5], #16
+ mov v9.16b, v28.16b
+
+ ld4r {v10.4s,v11.4s,v12.4s,v13.4s}, [x5], #16
+ mov v14.16b, v29.16b
+
+ ld4r {v15.4s,v16.4s,v17.4s,v18.4s}, [x5]
+ sub x5, x5, #32
+ add v15.4s, v15.4s, v25.4s
+ mov v19.16b, v30.16b
+
+ eor v20.16b, v20.16b, v20.16b //zero
+ not v21.16b, v20.16b // -1
+ sub v21.4s, v25.4s, v21.4s // Add +1
+ ext v20.16b, v21.16b, v20.16b, #12 // Get the last element (counter)
+ add v19.4s, v19.4s, v20.4s
+
+ lsr x4, x2, #4 // How many whole blocks we have to hash, will always be at least 12
+ sub x4, x4, #10
+
+ mov x7, #10
+ subs x6, x7, x4
+ subs x6, x7, x4 // itr1 can be negative if we have more than 320 bytes to hash
+ csel x7, x7, x4, le // if itr1 is zero or less, itr2 should be 10 to indicate all 10 rounds are full
+
+ cbz x7, Lopen_main_loop_rounds_short
+
+.align 5
+Lopen_main_loop_rounds:
+ ldp x11, x12, [x3], 16
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+Lopen_main_loop_rounds_short:
+ add v0.4s, v0.4s, v5.4s
+ add v1.4s, v1.4s, v6.4s
+ add v2.4s, v2.4s, v7.4s
+ add v3.4s, v3.4s, v8.4s
+ add v4.4s, v4.4s, v9.4s
+
+ eor v15.16b, v15.16b, v0.16b
+ eor v16.16b, v16.16b, v1.16b
+ eor v17.16b, v17.16b, v2.16b
+ eor v18.16b, v18.16b, v3.16b
+ eor v19.16b, v19.16b, v4.16b
+
+ rev32 v15.8h, v15.8h
+ rev32 v16.8h, v16.8h
+ rev32 v17.8h, v17.8h
+ rev32 v18.8h, v18.8h
+ rev32 v19.8h, v19.8h
+
+ add v10.4s, v10.4s, v15.4s
+ add v11.4s, v11.4s, v16.4s
+ add v12.4s, v12.4s, v17.4s
+ add v13.4s, v13.4s, v18.4s
+ add v14.4s, v14.4s, v19.4s
+
+ eor v5.16b, v5.16b, v10.16b
+ eor v6.16b, v6.16b, v11.16b
+ eor v7.16b, v7.16b, v12.16b
+ eor v8.16b, v8.16b, v13.16b
+ eor v9.16b, v9.16b, v14.16b
+
+ ushr v20.4s, v5.4s, #20
+ sli v20.4s, v5.4s, #12
+ ushr v5.4s, v6.4s, #20
+ sli v5.4s, v6.4s, #12
+ ushr v6.4s, v7.4s, #20
+ sli v6.4s, v7.4s, #12
+ ushr v7.4s, v8.4s, #20
+ sli v7.4s, v8.4s, #12
+ ushr v8.4s, v9.4s, #20
+ sli v8.4s, v9.4s, #12
+
+ add v0.4s, v0.4s, v20.4s
+ add v1.4s, v1.4s, v5.4s
+ add v2.4s, v2.4s, v6.4s
+ add v3.4s, v3.4s, v7.4s
+ add v4.4s, v4.4s, v8.4s
+
+ eor v15.16b, v15.16b, v0.16b
+ eor v16.16b, v16.16b, v1.16b
+ eor v17.16b, v17.16b, v2.16b
+ eor v18.16b, v18.16b, v3.16b
+ eor v19.16b, v19.16b, v4.16b
+
+ tbl v15.16b, {v15.16b}, v26.16b
+ tbl v16.16b, {v16.16b}, v26.16b
+ tbl v17.16b, {v17.16b}, v26.16b
+ tbl v18.16b, {v18.16b}, v26.16b
+ tbl v19.16b, {v19.16b}, v26.16b
+
+ add v10.4s, v10.4s, v15.4s
+ add v11.4s, v11.4s, v16.4s
+ add v12.4s, v12.4s, v17.4s
+ add v13.4s, v13.4s, v18.4s
+ add v14.4s, v14.4s, v19.4s
+
+ eor v20.16b, v20.16b, v10.16b
+ eor v5.16b, v5.16b, v11.16b
+ eor v6.16b, v6.16b, v12.16b
+ eor v7.16b, v7.16b, v13.16b
+ eor v8.16b, v8.16b, v14.16b
+
+ ushr v9.4s, v8.4s, #25
+ sli v9.4s, v8.4s, #7
+ ushr v8.4s, v7.4s, #25
+ sli v8.4s, v7.4s, #7
+ ushr v7.4s, v6.4s, #25
+ sli v7.4s, v6.4s, #7
+ ushr v6.4s, v5.4s, #25
+ sli v6.4s, v5.4s, #7
+ ushr v5.4s, v20.4s, #25
+ sli v5.4s, v20.4s, #7
+
+ ext v9.16b, v9.16b, v9.16b, #4
+ ext v14.16b, v14.16b, v14.16b, #8
+ ext v19.16b, v19.16b, v19.16b, #12
+ ldp x11, x12, [x3], 16
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ add v0.4s, v0.4s, v6.4s
+ add v1.4s, v1.4s, v7.4s
+ add v2.4s, v2.4s, v8.4s
+ add v3.4s, v3.4s, v5.4s
+ add v4.4s, v4.4s, v9.4s
+
+ eor v18.16b, v18.16b, v0.16b
+ eor v15.16b, v15.16b, v1.16b
+ eor v16.16b, v16.16b, v2.16b
+ eor v17.16b, v17.16b, v3.16b
+ eor v19.16b, v19.16b, v4.16b
+
+ rev32 v18.8h, v18.8h
+ rev32 v15.8h, v15.8h
+ rev32 v16.8h, v16.8h
+ rev32 v17.8h, v17.8h
+ rev32 v19.8h, v19.8h
+
+ add v12.4s, v12.4s, v18.4s
+ add v13.4s, v13.4s, v15.4s
+ add v10.4s, v10.4s, v16.4s
+ add v11.4s, v11.4s, v17.4s
+ add v14.4s, v14.4s, v19.4s
+
+ eor v6.16b, v6.16b, v12.16b
+ eor v7.16b, v7.16b, v13.16b
+ eor v8.16b, v8.16b, v10.16b
+ eor v5.16b, v5.16b, v11.16b
+ eor v9.16b, v9.16b, v14.16b
+
+ ushr v20.4s, v6.4s, #20
+ sli v20.4s, v6.4s, #12
+ ushr v6.4s, v7.4s, #20
+ sli v6.4s, v7.4s, #12
+ ushr v7.4s, v8.4s, #20
+ sli v7.4s, v8.4s, #12
+ ushr v8.4s, v5.4s, #20
+ sli v8.4s, v5.4s, #12
+ ushr v5.4s, v9.4s, #20
+ sli v5.4s, v9.4s, #12
+
+ add v0.4s, v0.4s, v20.4s
+ add v1.4s, v1.4s, v6.4s
+ add v2.4s, v2.4s, v7.4s
+ add v3.4s, v3.4s, v8.4s
+ add v4.4s, v4.4s, v5.4s
+
+ eor v18.16b, v18.16b, v0.16b
+ eor v15.16b, v15.16b, v1.16b
+ eor v16.16b, v16.16b, v2.16b
+ eor v17.16b, v17.16b, v3.16b
+ eor v19.16b, v19.16b, v4.16b
+
+ tbl v18.16b, {v18.16b}, v26.16b
+ tbl v15.16b, {v15.16b}, v26.16b
+ tbl v16.16b, {v16.16b}, v26.16b
+ tbl v17.16b, {v17.16b}, v26.16b
+ tbl v19.16b, {v19.16b}, v26.16b
+
+ add v12.4s, v12.4s, v18.4s
+ add v13.4s, v13.4s, v15.4s
+ add v10.4s, v10.4s, v16.4s
+ add v11.4s, v11.4s, v17.4s
+ add v14.4s, v14.4s, v19.4s
+
+ eor v20.16b, v20.16b, v12.16b
+ eor v6.16b, v6.16b, v13.16b
+ eor v7.16b, v7.16b, v10.16b
+ eor v8.16b, v8.16b, v11.16b
+ eor v5.16b, v5.16b, v14.16b
+
+ ushr v9.4s, v5.4s, #25
+ sli v9.4s, v5.4s, #7
+ ushr v5.4s, v8.4s, #25
+ sli v5.4s, v8.4s, #7
+ ushr v8.4s, v7.4s, #25
+ sli v8.4s, v7.4s, #7
+ ushr v7.4s, v6.4s, #25
+ sli v7.4s, v6.4s, #7
+ ushr v6.4s, v20.4s, #25
+ sli v6.4s, v20.4s, #7
+
+ ext v9.16b, v9.16b, v9.16b, #12
+ ext v14.16b, v14.16b, v14.16b, #8
+ ext v19.16b, v19.16b, v19.16b, #4
+ subs x7, x7, #1
+ b.gt Lopen_main_loop_rounds
+ subs x6, x6, #1
+ b.ge Lopen_main_loop_rounds_short
+
+ eor v20.16b, v20.16b, v20.16b //zero
+ not v21.16b, v20.16b // -1
+ sub v21.4s, v25.4s, v21.4s // Add +1
+ ext v20.16b, v21.16b, v20.16b, #12 // Get the last element (counter)
+ add v19.4s, v19.4s, v20.4s
+
+ add v15.4s, v15.4s, v25.4s
+ mov x11, #5
+ dup v20.4s, w11
+ add v25.4s, v25.4s, v20.4s
+
+ zip1 v20.4s, v0.4s, v1.4s
+ zip2 v21.4s, v0.4s, v1.4s
+ zip1 v22.4s, v2.4s, v3.4s
+ zip2 v23.4s, v2.4s, v3.4s
+
+ zip1 v0.2d, v20.2d, v22.2d
+ zip2 v1.2d, v20.2d, v22.2d
+ zip1 v2.2d, v21.2d, v23.2d
+ zip2 v3.2d, v21.2d, v23.2d
+
+ zip1 v20.4s, v5.4s, v6.4s
+ zip2 v21.4s, v5.4s, v6.4s
+ zip1 v22.4s, v7.4s, v8.4s
+ zip2 v23.4s, v7.4s, v8.4s
+
+ zip1 v5.2d, v20.2d, v22.2d
+ zip2 v6.2d, v20.2d, v22.2d
+ zip1 v7.2d, v21.2d, v23.2d
+ zip2 v8.2d, v21.2d, v23.2d
+
+ zip1 v20.4s, v10.4s, v11.4s
+ zip2 v21.4s, v10.4s, v11.4s
+ zip1 v22.4s, v12.4s, v13.4s
+ zip2 v23.4s, v12.4s, v13.4s
+
+ zip1 v10.2d, v20.2d, v22.2d
+ zip2 v11.2d, v20.2d, v22.2d
+ zip1 v12.2d, v21.2d, v23.2d
+ zip2 v13.2d, v21.2d, v23.2d
+
+ zip1 v20.4s, v15.4s, v16.4s
+ zip2 v21.4s, v15.4s, v16.4s
+ zip1 v22.4s, v17.4s, v18.4s
+ zip2 v23.4s, v17.4s, v18.4s
+
+ zip1 v15.2d, v20.2d, v22.2d
+ zip2 v16.2d, v20.2d, v22.2d
+ zip1 v17.2d, v21.2d, v23.2d
+ zip2 v18.2d, v21.2d, v23.2d
+
+ add v0.4s, v0.4s, v24.4s
+ add v5.4s, v5.4s, v28.4s
+ add v10.4s, v10.4s, v29.4s
+ add v15.4s, v15.4s, v30.4s
+
+ add v1.4s, v1.4s, v24.4s
+ add v6.4s, v6.4s, v28.4s
+ add v11.4s, v11.4s, v29.4s
+ add v16.4s, v16.4s, v30.4s
+
+ add v2.4s, v2.4s, v24.4s
+ add v7.4s, v7.4s, v28.4s
+ add v12.4s, v12.4s, v29.4s
+ add v17.4s, v17.4s, v30.4s
+
+ add v3.4s, v3.4s, v24.4s
+ add v8.4s, v8.4s, v28.4s
+ add v13.4s, v13.4s, v29.4s
+ add v18.4s, v18.4s, v30.4s
+
+ add v4.4s, v4.4s, v24.4s
+ add v9.4s, v9.4s, v28.4s
+ add v14.4s, v14.4s, v29.4s
+ add v19.4s, v19.4s, v30.4s
+
+ // We can always safely store 192 bytes
+ ld1 {v20.16b - v23.16b}, [x1], #64
+ eor v20.16b, v20.16b, v0.16b
+ eor v21.16b, v21.16b, v5.16b
+ eor v22.16b, v22.16b, v10.16b
+ eor v23.16b, v23.16b, v15.16b
+ st1 {v20.16b - v23.16b}, [x0], #64
+
+ ld1 {v20.16b - v23.16b}, [x1], #64
+ eor v20.16b, v20.16b, v1.16b
+ eor v21.16b, v21.16b, v6.16b
+ eor v22.16b, v22.16b, v11.16b
+ eor v23.16b, v23.16b, v16.16b
+ st1 {v20.16b - v23.16b}, [x0], #64
+
+ ld1 {v20.16b - v23.16b}, [x1], #64
+ eor v20.16b, v20.16b, v2.16b
+ eor v21.16b, v21.16b, v7.16b
+ eor v22.16b, v22.16b, v12.16b
+ eor v23.16b, v23.16b, v17.16b
+ st1 {v20.16b - v23.16b}, [x0], #64
+
+ sub x2, x2, #192
+
+ mov v0.16b, v3.16b
+ mov v5.16b, v8.16b
+ mov v10.16b, v13.16b
+ mov v15.16b, v18.16b
+
+ cmp x2, #64
+ b.lt Lopen_tail_64_store
+
+ ld1 {v20.16b - v23.16b}, [x1], #64
+ eor v20.16b, v20.16b, v3.16b
+ eor v21.16b, v21.16b, v8.16b
+ eor v22.16b, v22.16b, v13.16b
+ eor v23.16b, v23.16b, v18.16b
+ st1 {v20.16b - v23.16b}, [x0], #64
+
+ sub x2, x2, #64
+
+ mov v0.16b, v4.16b
+ mov v5.16b, v9.16b
+ mov v10.16b, v14.16b
+ mov v15.16b, v19.16b
+
+ cmp x2, #64
+ b.lt Lopen_tail_64_store
+
+ ld1 {v20.16b - v23.16b}, [x1], #64
+ eor v20.16b, v20.16b, v4.16b
+ eor v21.16b, v21.16b, v9.16b
+ eor v22.16b, v22.16b, v14.16b
+ eor v23.16b, v23.16b, v19.16b
+ st1 {v20.16b - v23.16b}, [x0], #64
+
+ sub x2, x2, #64
+ b Lopen_main_loop
+
+Lopen_tail:
+
+ cbz x2, Lopen_finalize
+
+ lsr x4, x2, #4 // How many whole blocks we have to hash
+
+ cmp x2, #64
+ b.le Lopen_tail_64
+ cmp x2, #128
+ b.le Lopen_tail_128
+
+Lopen_tail_192:
+ // We need three more blocks
+ mov v0.16b, v24.16b
+ mov v1.16b, v24.16b
+ mov v2.16b, v24.16b
+ mov v5.16b, v28.16b
+ mov v6.16b, v28.16b
+ mov v7.16b, v28.16b
+ mov v10.16b, v29.16b
+ mov v11.16b, v29.16b
+ mov v12.16b, v29.16b
+ mov v15.16b, v30.16b
+ mov v16.16b, v30.16b
+ mov v17.16b, v30.16b
+ eor v23.16b, v23.16b, v23.16b
+ eor v21.16b, v21.16b, v21.16b
+ ins v23.s[0], v25.s[0]
+ ins v21.d[0], x15
+
+ add v22.4s, v23.4s, v21.4s
+ add v21.4s, v22.4s, v21.4s
+
+ add v15.4s, v15.4s, v21.4s
+ add v16.4s, v16.4s, v23.4s
+ add v17.4s, v17.4s, v22.4s
+
+ mov x7, #10
+ subs x6, x7, x4 // itr1 can be negative if we have more than 160 bytes to hash
+ csel x7, x7, x4, le // if itr1 is zero or less, itr2 should be 10 to indicate all 10 rounds are hashing
+ sub x4, x4, x7
+
+ cbz x7, Lopen_tail_192_rounds_no_hash
+
+Lopen_tail_192_rounds:
+ ldp x11, x12, [x3], 16
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+Lopen_tail_192_rounds_no_hash:
+ add v0.4s, v0.4s, v5.4s
+ add v1.4s, v1.4s, v6.4s
+ add v2.4s, v2.4s, v7.4s
+ eor v15.16b, v15.16b, v0.16b
+ eor v16.16b, v16.16b, v1.16b
+ eor v17.16b, v17.16b, v2.16b
+ rev32 v15.8h, v15.8h
+ rev32 v16.8h, v16.8h
+ rev32 v17.8h, v17.8h
+
+ add v10.4s, v10.4s, v15.4s
+ add v11.4s, v11.4s, v16.4s
+ add v12.4s, v12.4s, v17.4s
+ eor v5.16b, v5.16b, v10.16b
+ eor v6.16b, v6.16b, v11.16b
+ eor v7.16b, v7.16b, v12.16b
+ ushr v20.4s, v5.4s, #20
+ sli v20.4s, v5.4s, #12
+ ushr v5.4s, v6.4s, #20
+ sli v5.4s, v6.4s, #12
+ ushr v6.4s, v7.4s, #20
+ sli v6.4s, v7.4s, #12
+
+ add v0.4s, v0.4s, v20.4s
+ add v1.4s, v1.4s, v5.4s
+ add v2.4s, v2.4s, v6.4s
+ eor v15.16b, v15.16b, v0.16b
+ eor v16.16b, v16.16b, v1.16b
+ eor v17.16b, v17.16b, v2.16b
+ tbl v15.16b, {v15.16b}, v26.16b
+ tbl v16.16b, {v16.16b}, v26.16b
+ tbl v17.16b, {v17.16b}, v26.16b
+
+ add v10.4s, v10.4s, v15.4s
+ add v11.4s, v11.4s, v16.4s
+ add v12.4s, v12.4s, v17.4s
+ eor v20.16b, v20.16b, v10.16b
+ eor v5.16b, v5.16b, v11.16b
+ eor v6.16b, v6.16b, v12.16b
+ ushr v7.4s, v6.4s, #25
+ sli v7.4s, v6.4s, #7
+ ushr v6.4s, v5.4s, #25
+ sli v6.4s, v5.4s, #7
+ ushr v5.4s, v20.4s, #25
+ sli v5.4s, v20.4s, #7
+
+ ext v5.16b, v5.16b, v5.16b, #4
+ ext v6.16b, v6.16b, v6.16b, #4
+ ext v7.16b, v7.16b, v7.16b, #4
+
+ ext v10.16b, v10.16b, v10.16b, #8
+ ext v11.16b, v11.16b, v11.16b, #8
+ ext v12.16b, v12.16b, v12.16b, #8
+
+ ext v15.16b, v15.16b, v15.16b, #12
+ ext v16.16b, v16.16b, v16.16b, #12
+ ext v17.16b, v17.16b, v17.16b, #12
+ add v0.4s, v0.4s, v5.4s
+ add v1.4s, v1.4s, v6.4s
+ add v2.4s, v2.4s, v7.4s
+ eor v15.16b, v15.16b, v0.16b
+ eor v16.16b, v16.16b, v1.16b
+ eor v17.16b, v17.16b, v2.16b
+ rev32 v15.8h, v15.8h
+ rev32 v16.8h, v16.8h
+ rev32 v17.8h, v17.8h
+
+ add v10.4s, v10.4s, v15.4s
+ add v11.4s, v11.4s, v16.4s
+ add v12.4s, v12.4s, v17.4s
+ eor v5.16b, v5.16b, v10.16b
+ eor v6.16b, v6.16b, v11.16b
+ eor v7.16b, v7.16b, v12.16b
+ ushr v20.4s, v5.4s, #20
+ sli v20.4s, v5.4s, #12
+ ushr v5.4s, v6.4s, #20
+ sli v5.4s, v6.4s, #12
+ ushr v6.4s, v7.4s, #20
+ sli v6.4s, v7.4s, #12
+
+ add v0.4s, v0.4s, v20.4s
+ add v1.4s, v1.4s, v5.4s
+ add v2.4s, v2.4s, v6.4s
+ eor v15.16b, v15.16b, v0.16b
+ eor v16.16b, v16.16b, v1.16b
+ eor v17.16b, v17.16b, v2.16b
+ tbl v15.16b, {v15.16b}, v26.16b
+ tbl v16.16b, {v16.16b}, v26.16b
+ tbl v17.16b, {v17.16b}, v26.16b
+
+ add v10.4s, v10.4s, v15.4s
+ add v11.4s, v11.4s, v16.4s
+ add v12.4s, v12.4s, v17.4s
+ eor v20.16b, v20.16b, v10.16b
+ eor v5.16b, v5.16b, v11.16b
+ eor v6.16b, v6.16b, v12.16b
+ ushr v7.4s, v6.4s, #25
+ sli v7.4s, v6.4s, #7
+ ushr v6.4s, v5.4s, #25
+ sli v6.4s, v5.4s, #7
+ ushr v5.4s, v20.4s, #25
+ sli v5.4s, v20.4s, #7
+
+ ext v5.16b, v5.16b, v5.16b, #12
+ ext v6.16b, v6.16b, v6.16b, #12
+ ext v7.16b, v7.16b, v7.16b, #12
+
+ ext v10.16b, v10.16b, v10.16b, #8
+ ext v11.16b, v11.16b, v11.16b, #8
+ ext v12.16b, v12.16b, v12.16b, #8
+
+ ext v15.16b, v15.16b, v15.16b, #4
+ ext v16.16b, v16.16b, v16.16b, #4
+ ext v17.16b, v17.16b, v17.16b, #4
+ subs x7, x7, #1
+ b.gt Lopen_tail_192_rounds
+ subs x6, x6, #1
+ b.ge Lopen_tail_192_rounds_no_hash
+
+ // We hashed 160 bytes at most, may still have 32 bytes left
+Lopen_tail_192_hash:
+ cbz x4, Lopen_tail_192_hash_done
+ ldp x11, x12, [x3], 16
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ sub x4, x4, #1
+ b Lopen_tail_192_hash
+
+Lopen_tail_192_hash_done:
+
+ add v0.4s, v0.4s, v24.4s
+ add v1.4s, v1.4s, v24.4s
+ add v2.4s, v2.4s, v24.4s
+ add v5.4s, v5.4s, v28.4s
+ add v6.4s, v6.4s, v28.4s
+ add v7.4s, v7.4s, v28.4s
+ add v10.4s, v10.4s, v29.4s
+ add v11.4s, v11.4s, v29.4s
+ add v12.4s, v12.4s, v29.4s
+ add v15.4s, v15.4s, v30.4s
+ add v16.4s, v16.4s, v30.4s
+ add v17.4s, v17.4s, v30.4s
+
+ add v15.4s, v15.4s, v21.4s
+ add v16.4s, v16.4s, v23.4s
+ add v17.4s, v17.4s, v22.4s
+
+ ld1 {v20.16b - v23.16b}, [x1], #64
+
+ eor v20.16b, v20.16b, v1.16b
+ eor v21.16b, v21.16b, v6.16b
+ eor v22.16b, v22.16b, v11.16b
+ eor v23.16b, v23.16b, v16.16b
+
+ st1 {v20.16b - v23.16b}, [x0], #64
+
+ ld1 {v20.16b - v23.16b}, [x1], #64
+
+ eor v20.16b, v20.16b, v2.16b
+ eor v21.16b, v21.16b, v7.16b
+ eor v22.16b, v22.16b, v12.16b
+ eor v23.16b, v23.16b, v17.16b
+
+ st1 {v20.16b - v23.16b}, [x0], #64
+
+ sub x2, x2, #128
+ b Lopen_tail_64_store
+
+Lopen_tail_128:
+ // We need two more blocks
+ mov v0.16b, v24.16b
+ mov v1.16b, v24.16b
+ mov v5.16b, v28.16b
+ mov v6.16b, v28.16b
+ mov v10.16b, v29.16b
+ mov v11.16b, v29.16b
+ mov v15.16b, v30.16b
+ mov v16.16b, v30.16b
+ eor v23.16b, v23.16b, v23.16b
+ eor v22.16b, v22.16b, v22.16b
+ ins v23.s[0], v25.s[0]
+ ins v22.d[0], x15
+ add v22.4s, v22.4s, v23.4s
+
+ add v15.4s, v15.4s, v22.4s
+ add v16.4s, v16.4s, v23.4s
+
+ mov x6, #10
+ sub x6, x6, x4
+
+Lopen_tail_128_rounds:
+ add v0.4s, v0.4s, v5.4s
+ eor v15.16b, v15.16b, v0.16b
+ rev32 v15.8h, v15.8h
+
+ add v10.4s, v10.4s, v15.4s
+ eor v5.16b, v5.16b, v10.16b
+ ushr v20.4s, v5.4s, #20
+ sli v20.4s, v5.4s, #12
+ add v0.4s, v0.4s, v20.4s
+ eor v15.16b, v15.16b, v0.16b
+ tbl v15.16b, {v15.16b}, v26.16b
+
+ add v10.4s, v10.4s, v15.4s
+ eor v20.16b, v20.16b, v10.16b
+ ushr v5.4s, v20.4s, #25
+ sli v5.4s, v20.4s, #7
+ ext v5.16b, v5.16b, v5.16b, #4
+ ext v10.16b, v10.16b, v10.16b, #8
+ ext v15.16b, v15.16b, v15.16b, #12
+ add v1.4s, v1.4s, v6.4s
+ eor v16.16b, v16.16b, v1.16b
+ rev32 v16.8h, v16.8h
+
+ add v11.4s, v11.4s, v16.4s
+ eor v6.16b, v6.16b, v11.16b
+ ushr v20.4s, v6.4s, #20
+ sli v20.4s, v6.4s, #12
+ add v1.4s, v1.4s, v20.4s
+ eor v16.16b, v16.16b, v1.16b
+ tbl v16.16b, {v16.16b}, v26.16b
+
+ add v11.4s, v11.4s, v16.4s
+ eor v20.16b, v20.16b, v11.16b
+ ushr v6.4s, v20.4s, #25
+ sli v6.4s, v20.4s, #7
+ ext v6.16b, v6.16b, v6.16b, #4
+ ext v11.16b, v11.16b, v11.16b, #8
+ ext v16.16b, v16.16b, v16.16b, #12
+ add v0.4s, v0.4s, v5.4s
+ eor v15.16b, v15.16b, v0.16b
+ rev32 v15.8h, v15.8h
+
+ add v10.4s, v10.4s, v15.4s
+ eor v5.16b, v5.16b, v10.16b
+ ushr v20.4s, v5.4s, #20
+ sli v20.4s, v5.4s, #12
+ add v0.4s, v0.4s, v20.4s
+ eor v15.16b, v15.16b, v0.16b
+ tbl v15.16b, {v15.16b}, v26.16b
+
+ add v10.4s, v10.4s, v15.4s
+ eor v20.16b, v20.16b, v10.16b
+ ushr v5.4s, v20.4s, #25
+ sli v5.4s, v20.4s, #7
+ ext v5.16b, v5.16b, v5.16b, #12
+ ext v10.16b, v10.16b, v10.16b, #8
+ ext v15.16b, v15.16b, v15.16b, #4
+ add v1.4s, v1.4s, v6.4s
+ eor v16.16b, v16.16b, v1.16b
+ rev32 v16.8h, v16.8h
+
+ add v11.4s, v11.4s, v16.4s
+ eor v6.16b, v6.16b, v11.16b
+ ushr v20.4s, v6.4s, #20
+ sli v20.4s, v6.4s, #12
+ add v1.4s, v1.4s, v20.4s
+ eor v16.16b, v16.16b, v1.16b
+ tbl v16.16b, {v16.16b}, v26.16b
+
+ add v11.4s, v11.4s, v16.4s
+ eor v20.16b, v20.16b, v11.16b
+ ushr v6.4s, v20.4s, #25
+ sli v6.4s, v20.4s, #7
+ ext v6.16b, v6.16b, v6.16b, #12
+ ext v11.16b, v11.16b, v11.16b, #8
+ ext v16.16b, v16.16b, v16.16b, #4
+ subs x6, x6, #1
+ b.gt Lopen_tail_128_rounds
+ cbz x4, Lopen_tail_128_rounds_done
+ subs x4, x4, #1
+ ldp x11, x12, [x3], 16
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ b Lopen_tail_128_rounds
+
+Lopen_tail_128_rounds_done:
+ add v0.4s, v0.4s, v24.4s
+ add v1.4s, v1.4s, v24.4s
+ add v5.4s, v5.4s, v28.4s
+ add v6.4s, v6.4s, v28.4s
+ add v10.4s, v10.4s, v29.4s
+ add v11.4s, v11.4s, v29.4s
+ add v15.4s, v15.4s, v30.4s
+ add v16.4s, v16.4s, v30.4s
+ add v15.4s, v15.4s, v22.4s
+ add v16.4s, v16.4s, v23.4s
+
+ ld1 {v20.16b - v23.16b}, [x1], #64
+
+ eor v20.16b, v20.16b, v1.16b
+ eor v21.16b, v21.16b, v6.16b
+ eor v22.16b, v22.16b, v11.16b
+ eor v23.16b, v23.16b, v16.16b
+
+ st1 {v20.16b - v23.16b}, [x0], #64
+ sub x2, x2, #64
+
+ b Lopen_tail_64_store
+
+Lopen_tail_64:
+ // We just need a single block
+ mov v0.16b, v24.16b
+ mov v5.16b, v28.16b
+ mov v10.16b, v29.16b
+ mov v15.16b, v30.16b
+ eor v23.16b, v23.16b, v23.16b
+ ins v23.s[0], v25.s[0]
+ add v15.4s, v15.4s, v23.4s
+
+ mov x6, #10
+ sub x6, x6, x4
+
+Lopen_tail_64_rounds:
+ add v0.4s, v0.4s, v5.4s
+ eor v15.16b, v15.16b, v0.16b
+ rev32 v15.8h, v15.8h
+
+ add v10.4s, v10.4s, v15.4s
+ eor v5.16b, v5.16b, v10.16b
+ ushr v20.4s, v5.4s, #20
+ sli v20.4s, v5.4s, #12
+ add v0.4s, v0.4s, v20.4s
+ eor v15.16b, v15.16b, v0.16b
+ tbl v15.16b, {v15.16b}, v26.16b
+
+ add v10.4s, v10.4s, v15.4s
+ eor v20.16b, v20.16b, v10.16b
+ ushr v5.4s, v20.4s, #25
+ sli v5.4s, v20.4s, #7
+ ext v5.16b, v5.16b, v5.16b, #4
+ ext v10.16b, v10.16b, v10.16b, #8
+ ext v15.16b, v15.16b, v15.16b, #12
+ add v0.4s, v0.4s, v5.4s
+ eor v15.16b, v15.16b, v0.16b
+ rev32 v15.8h, v15.8h
+
+ add v10.4s, v10.4s, v15.4s
+ eor v5.16b, v5.16b, v10.16b
+ ushr v20.4s, v5.4s, #20
+ sli v20.4s, v5.4s, #12
+ add v0.4s, v0.4s, v20.4s
+ eor v15.16b, v15.16b, v0.16b
+ tbl v15.16b, {v15.16b}, v26.16b
+
+ add v10.4s, v10.4s, v15.4s
+ eor v20.16b, v20.16b, v10.16b
+ ushr v5.4s, v20.4s, #25
+ sli v5.4s, v20.4s, #7
+ ext v5.16b, v5.16b, v5.16b, #12
+ ext v10.16b, v10.16b, v10.16b, #8
+ ext v15.16b, v15.16b, v15.16b, #4
+ subs x6, x6, #1
+ b.gt Lopen_tail_64_rounds
+ cbz x4, Lopen_tail_64_rounds_done
+ subs x4, x4, #1
+ ldp x11, x12, [x3], 16
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ b Lopen_tail_64_rounds
+
+Lopen_tail_64_rounds_done:
+ add v0.4s, v0.4s, v24.4s
+ add v5.4s, v5.4s, v28.4s
+ add v10.4s, v10.4s, v29.4s
+ add v15.4s, v15.4s, v30.4s
+ add v15.4s, v15.4s, v23.4s
+
+Lopen_tail_64_store:
+ cmp x2, #16
+ b.lt Lopen_tail_16
+
+ ld1 {v20.16b}, [x1], #16
+ eor v20.16b, v20.16b, v0.16b
+ st1 {v20.16b}, [x0], #16
+ mov v0.16b, v5.16b
+ mov v5.16b, v10.16b
+ mov v10.16b, v15.16b
+ sub x2, x2, #16
+ b Lopen_tail_64_store
+
+Lopen_tail_16:
+ // Here we handle the last [0,16) bytes that require a padded block
+ cbz x2, Lopen_finalize
+
+ eor v20.16b, v20.16b, v20.16b // Use T0 to load the ciphertext
+ eor v21.16b, v21.16b, v21.16b // Use T1 to generate an AND mask
+ not v22.16b, v20.16b
+
+ add x7, x1, x2
+ mov x6, x2
+
+Lopen_tail_16_compose:
+ ext v20.16b, v20.16b, v20.16b, #15
+ ldrb w11, [x7, #-1]!
+ mov v20.b[0], w11
+ ext v21.16b, v22.16b, v21.16b, #15
+ subs x2, x2, #1
+ b.gt Lopen_tail_16_compose
+
+ and v20.16b, v20.16b, v21.16b
+ // Hash in the final padded block
+ mov x11, v20.d[0]
+ mov x12, v20.d[1]
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ eor v20.16b, v20.16b, v0.16b
+
+Lopen_tail_16_store:
+ umov w11, v20.b[0]
+ strb w11, [x0], #1
+ ext v20.16b, v20.16b, v20.16b, #1
+ subs x6, x6, #1
+ b.gt Lopen_tail_16_store
+
+Lopen_finalize:
+ mov x11, v31.d[0]
+ mov x12, v31.d[1]
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ # Final reduction step
+ sub x12, xzr, x15
+ orr x13, xzr, #3
+ subs x11, x8, #-5
+ sbcs x12, x9, x12
+ sbcs x13, x10, x13
+ csel x8, x11, x8, cs
+ csel x9, x12, x9, cs
+ csel x10, x13, x10, cs
+ mov x11, v27.d[0]
+ mov x12, v27.d[1]
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+
+ stp x8, x9, [x5]
+
+ ldp d8, d9, [sp, #16]
+ ldp d10, d11, [sp, #32]
+ ldp d12, d13, [sp, #48]
+ ldp d14, d15, [sp, #64]
+.cfi_restore b15
+.cfi_restore b14
+.cfi_restore b13
+.cfi_restore b12
+.cfi_restore b11
+.cfi_restore b10
+.cfi_restore b9
+.cfi_restore b8
+ ldp x29, x30, [sp], 80
+.cfi_restore w29
+.cfi_restore w30
+.cfi_def_cfa_offset 0
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+
+Lopen_128:
+ // On some architectures preparing 5 blocks for small buffers is wasteful
+ eor v25.16b, v25.16b, v25.16b
+ mov x11, #1
+ mov v25.s[0], w11
+ mov v0.16b, v24.16b
+ mov v1.16b, v24.16b
+ mov v2.16b, v24.16b
+ mov v5.16b, v28.16b
+ mov v6.16b, v28.16b
+ mov v7.16b, v28.16b
+ mov v10.16b, v29.16b
+ mov v11.16b, v29.16b
+ mov v12.16b, v29.16b
+ mov v17.16b, v30.16b
+ add v15.4s, v17.4s, v25.4s
+ add v16.4s, v15.4s, v25.4s
+
+ mov x6, #10
+
+Lopen_128_rounds:
+ add v0.4s, v0.4s, v5.4s
+ add v1.4s, v1.4s, v6.4s
+ add v2.4s, v2.4s, v7.4s
+ eor v15.16b, v15.16b, v0.16b
+ eor v16.16b, v16.16b, v1.16b
+ eor v17.16b, v17.16b, v2.16b
+ rev32 v15.8h, v15.8h
+ rev32 v16.8h, v16.8h
+ rev32 v17.8h, v17.8h
+
+ add v10.4s, v10.4s, v15.4s
+ add v11.4s, v11.4s, v16.4s
+ add v12.4s, v12.4s, v17.4s
+ eor v5.16b, v5.16b, v10.16b
+ eor v6.16b, v6.16b, v11.16b
+ eor v7.16b, v7.16b, v12.16b
+ ushr v20.4s, v5.4s, #20
+ sli v20.4s, v5.4s, #12
+ ushr v5.4s, v6.4s, #20
+ sli v5.4s, v6.4s, #12
+ ushr v6.4s, v7.4s, #20
+ sli v6.4s, v7.4s, #12
+
+ add v0.4s, v0.4s, v20.4s
+ add v1.4s, v1.4s, v5.4s
+ add v2.4s, v2.4s, v6.4s
+ eor v15.16b, v15.16b, v0.16b
+ eor v16.16b, v16.16b, v1.16b
+ eor v17.16b, v17.16b, v2.16b
+ tbl v15.16b, {v15.16b}, v26.16b
+ tbl v16.16b, {v16.16b}, v26.16b
+ tbl v17.16b, {v17.16b}, v26.16b
+
+ add v10.4s, v10.4s, v15.4s
+ add v11.4s, v11.4s, v16.4s
+ add v12.4s, v12.4s, v17.4s
+ eor v20.16b, v20.16b, v10.16b
+ eor v5.16b, v5.16b, v11.16b
+ eor v6.16b, v6.16b, v12.16b
+ ushr v7.4s, v6.4s, #25
+ sli v7.4s, v6.4s, #7
+ ushr v6.4s, v5.4s, #25
+ sli v6.4s, v5.4s, #7
+ ushr v5.4s, v20.4s, #25
+ sli v5.4s, v20.4s, #7
+
+ ext v5.16b, v5.16b, v5.16b, #4
+ ext v6.16b, v6.16b, v6.16b, #4
+ ext v7.16b, v7.16b, v7.16b, #4
+
+ ext v10.16b, v10.16b, v10.16b, #8
+ ext v11.16b, v11.16b, v11.16b, #8
+ ext v12.16b, v12.16b, v12.16b, #8
+
+ ext v15.16b, v15.16b, v15.16b, #12
+ ext v16.16b, v16.16b, v16.16b, #12
+ ext v17.16b, v17.16b, v17.16b, #12
+ add v0.4s, v0.4s, v5.4s
+ add v1.4s, v1.4s, v6.4s
+ add v2.4s, v2.4s, v7.4s
+ eor v15.16b, v15.16b, v0.16b
+ eor v16.16b, v16.16b, v1.16b
+ eor v17.16b, v17.16b, v2.16b
+ rev32 v15.8h, v15.8h
+ rev32 v16.8h, v16.8h
+ rev32 v17.8h, v17.8h
+
+ add v10.4s, v10.4s, v15.4s
+ add v11.4s, v11.4s, v16.4s
+ add v12.4s, v12.4s, v17.4s
+ eor v5.16b, v5.16b, v10.16b
+ eor v6.16b, v6.16b, v11.16b
+ eor v7.16b, v7.16b, v12.16b
+ ushr v20.4s, v5.4s, #20
+ sli v20.4s, v5.4s, #12
+ ushr v5.4s, v6.4s, #20
+ sli v5.4s, v6.4s, #12
+ ushr v6.4s, v7.4s, #20
+ sli v6.4s, v7.4s, #12
+
+ add v0.4s, v0.4s, v20.4s
+ add v1.4s, v1.4s, v5.4s
+ add v2.4s, v2.4s, v6.4s
+ eor v15.16b, v15.16b, v0.16b
+ eor v16.16b, v16.16b, v1.16b
+ eor v17.16b, v17.16b, v2.16b
+ tbl v15.16b, {v15.16b}, v26.16b
+ tbl v16.16b, {v16.16b}, v26.16b
+ tbl v17.16b, {v17.16b}, v26.16b
+
+ add v10.4s, v10.4s, v15.4s
+ add v11.4s, v11.4s, v16.4s
+ add v12.4s, v12.4s, v17.4s
+ eor v20.16b, v20.16b, v10.16b
+ eor v5.16b, v5.16b, v11.16b
+ eor v6.16b, v6.16b, v12.16b
+ ushr v7.4s, v6.4s, #25
+ sli v7.4s, v6.4s, #7
+ ushr v6.4s, v5.4s, #25
+ sli v6.4s, v5.4s, #7
+ ushr v5.4s, v20.4s, #25
+ sli v5.4s, v20.4s, #7
+
+ ext v5.16b, v5.16b, v5.16b, #12
+ ext v6.16b, v6.16b, v6.16b, #12
+ ext v7.16b, v7.16b, v7.16b, #12
+
+ ext v10.16b, v10.16b, v10.16b, #8
+ ext v11.16b, v11.16b, v11.16b, #8
+ ext v12.16b, v12.16b, v12.16b, #8
+
+ ext v15.16b, v15.16b, v15.16b, #4
+ ext v16.16b, v16.16b, v16.16b, #4
+ ext v17.16b, v17.16b, v17.16b, #4
+ subs x6, x6, #1
+ b.hi Lopen_128_rounds
+
+ add v0.4s, v0.4s, v24.4s
+ add v1.4s, v1.4s, v24.4s
+ add v2.4s, v2.4s, v24.4s
+
+ add v5.4s, v5.4s, v28.4s
+ add v6.4s, v6.4s, v28.4s
+ add v7.4s, v7.4s, v28.4s
+
+ add v10.4s, v10.4s, v29.4s
+ add v11.4s, v11.4s, v29.4s
+
+ add v30.4s, v30.4s, v25.4s
+ add v15.4s, v15.4s, v30.4s
+ add v30.4s, v30.4s, v25.4s
+ add v16.4s, v16.4s, v30.4s
+
+ and v2.16b, v2.16b, v27.16b
+ mov x16, v2.d[0] // Move the R key to GPRs
+ mov x17, v2.d[1]
+ mov v27.16b, v7.16b // Store the S key
+
+ bl Lpoly_hash_ad_internal
+
+Lopen_128_store:
+ cmp x2, #64
+ b.lt Lopen_128_store_64
+
+ ld1 {v20.16b - v23.16b}, [x1], #64
+
+ mov x11, v20.d[0]
+ mov x12, v20.d[1]
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ mov x11, v21.d[0]
+ mov x12, v21.d[1]
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ mov x11, v22.d[0]
+ mov x12, v22.d[1]
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ mov x11, v23.d[0]
+ mov x12, v23.d[1]
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+
+ eor v20.16b, v20.16b, v0.16b
+ eor v21.16b, v21.16b, v5.16b
+ eor v22.16b, v22.16b, v10.16b
+ eor v23.16b, v23.16b, v15.16b
+
+ st1 {v20.16b - v23.16b}, [x0], #64
+
+ sub x2, x2, #64
+
+ mov v0.16b, v1.16b
+ mov v5.16b, v6.16b
+ mov v10.16b, v11.16b
+ mov v15.16b, v16.16b
+
+Lopen_128_store_64:
+
+ lsr x4, x2, #4
+ mov x3, x1
+
+Lopen_128_hash_64:
+ cbz x4, Lopen_tail_64_store
+ ldp x11, x12, [x3], 16
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ sub x4, x4, #1
+ b Lopen_128_hash_64
+.cfi_endproc
+
+#endif // !OPENSSL_NO_ASM
diff --git a/apple-aarch64/crypto/fipsmodule/p256-armv8-asm.S b/apple-aarch64/crypto/fipsmodule/p256-armv8-asm.S
new file mode 100644
index 0000000..0b655fc
--- /dev/null
+++ b/apple-aarch64/crypto/fipsmodule/p256-armv8-asm.S
@@ -0,0 +1,1762 @@
+// This file is generated from a similarly-named Perl script in the BoringSSL
+// source tree. Do not edit by hand.
+
+#if !defined(__has_feature)
+#define __has_feature(x) 0
+#endif
+#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM)
+#define OPENSSL_NO_ASM
+#endif
+
+#if !defined(OPENSSL_NO_ASM)
+#if defined(BORINGSSL_PREFIX)
+#include <boringssl_prefix_symbols_asm.h>
+#endif
+#include "openssl/arm_arch.h"
+
+.text
+.align 5
+Lpoly:
+.quad 0xffffffffffffffff,0x00000000ffffffff,0x0000000000000000,0xffffffff00000001
+LRR: // 2^512 mod P precomputed for NIST P256 polynomial
+.quad 0x0000000000000003,0xfffffffbffffffff,0xfffffffffffffffe,0x00000004fffffffd
+Lone_mont:
+.quad 0x0000000000000001,0xffffffff00000000,0xffffffffffffffff,0x00000000fffffffe
+Lone:
+.quad 1,0,0,0
+Lord:
+.quad 0xf3b9cac2fc632551,0xbce6faada7179e84,0xffffffffffffffff,0xffffffff00000000
+LordK:
+.quad 0xccd1c8aaee00bc4f
+.byte 69,67,80,95,78,73,83,84,90,50,53,54,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0
+.align 2
+
+// void ecp_nistz256_to_mont(BN_ULONG x0[4],const BN_ULONG x1[4]);
+.globl _ecp_nistz256_to_mont
+.private_extern _ecp_nistz256_to_mont
+
+.align 6
+_ecp_nistz256_to_mont:
+ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-32]!
+ add x29,sp,#0
+ stp x19,x20,[sp,#16]
+
+ ldr x3,LRR // bp[0]
+ ldp x4,x5,[x1]
+ ldp x6,x7,[x1,#16]
+ ldr x12,Lpoly+8
+ ldr x13,Lpoly+24
+ adr x2,LRR // &bp[0]
+
+ bl __ecp_nistz256_mul_mont
+
+ ldp x19,x20,[sp,#16]
+ ldp x29,x30,[sp],#32
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+
+
+// void ecp_nistz256_from_mont(BN_ULONG x0[4],const BN_ULONG x1[4]);
+.globl _ecp_nistz256_from_mont
+.private_extern _ecp_nistz256_from_mont
+
+.align 4
+_ecp_nistz256_from_mont:
+ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-32]!
+ add x29,sp,#0
+ stp x19,x20,[sp,#16]
+
+ mov x3,#1 // bp[0]
+ ldp x4,x5,[x1]
+ ldp x6,x7,[x1,#16]
+ ldr x12,Lpoly+8
+ ldr x13,Lpoly+24
+ adr x2,Lone // &bp[0]
+
+ bl __ecp_nistz256_mul_mont
+
+ ldp x19,x20,[sp,#16]
+ ldp x29,x30,[sp],#32
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+
+
+// void ecp_nistz256_mul_mont(BN_ULONG x0[4],const BN_ULONG x1[4],
+// const BN_ULONG x2[4]);
+.globl _ecp_nistz256_mul_mont
+.private_extern _ecp_nistz256_mul_mont
+
+.align 4
+_ecp_nistz256_mul_mont:
+ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-32]!
+ add x29,sp,#0
+ stp x19,x20,[sp,#16]
+
+ ldr x3,[x2] // bp[0]
+ ldp x4,x5,[x1]
+ ldp x6,x7,[x1,#16]
+ ldr x12,Lpoly+8
+ ldr x13,Lpoly+24
+
+ bl __ecp_nistz256_mul_mont
+
+ ldp x19,x20,[sp,#16]
+ ldp x29,x30,[sp],#32
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+
+
+// void ecp_nistz256_sqr_mont(BN_ULONG x0[4],const BN_ULONG x1[4]);
+.globl _ecp_nistz256_sqr_mont
+.private_extern _ecp_nistz256_sqr_mont
+
+.align 4
+_ecp_nistz256_sqr_mont:
+ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-32]!
+ add x29,sp,#0
+ stp x19,x20,[sp,#16]
+
+ ldp x4,x5,[x1]
+ ldp x6,x7,[x1,#16]
+ ldr x12,Lpoly+8
+ ldr x13,Lpoly+24
+
+ bl __ecp_nistz256_sqr_mont
+
+ ldp x19,x20,[sp,#16]
+ ldp x29,x30,[sp],#32
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+
+
+// void ecp_nistz256_div_by_2(BN_ULONG x0[4],const BN_ULONG x1[4]);
+.globl _ecp_nistz256_div_by_2
+.private_extern _ecp_nistz256_div_by_2
+
+.align 4
+_ecp_nistz256_div_by_2:
+ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-16]!
+ add x29,sp,#0
+
+ ldp x14,x15,[x1]
+ ldp x16,x17,[x1,#16]
+ ldr x12,Lpoly+8
+ ldr x13,Lpoly+24
+
+ bl __ecp_nistz256_div_by_2
+
+ ldp x29,x30,[sp],#16
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+
+
+// void ecp_nistz256_mul_by_2(BN_ULONG x0[4],const BN_ULONG x1[4]);
+.globl _ecp_nistz256_mul_by_2
+.private_extern _ecp_nistz256_mul_by_2
+
+.align 4
+_ecp_nistz256_mul_by_2:
+ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-16]!
+ add x29,sp,#0
+
+ ldp x14,x15,[x1]
+ ldp x16,x17,[x1,#16]
+ ldr x12,Lpoly+8
+ ldr x13,Lpoly+24
+ mov x8,x14
+ mov x9,x15
+ mov x10,x16
+ mov x11,x17
+
+ bl __ecp_nistz256_add_to // ret = a+a // 2*a
+
+ ldp x29,x30,[sp],#16
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+
+
+// void ecp_nistz256_mul_by_3(BN_ULONG x0[4],const BN_ULONG x1[4]);
+.globl _ecp_nistz256_mul_by_3
+.private_extern _ecp_nistz256_mul_by_3
+
+.align 4
+_ecp_nistz256_mul_by_3:
+ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-16]!
+ add x29,sp,#0
+
+ ldp x14,x15,[x1]
+ ldp x16,x17,[x1,#16]
+ ldr x12,Lpoly+8
+ ldr x13,Lpoly+24
+ mov x8,x14
+ mov x9,x15
+ mov x10,x16
+ mov x11,x17
+ mov x4,x14
+ mov x5,x15
+ mov x6,x16
+ mov x7,x17
+
+ bl __ecp_nistz256_add_to // ret = a+a // 2*a
+
+ mov x8,x4
+ mov x9,x5
+ mov x10,x6
+ mov x11,x7
+
+ bl __ecp_nistz256_add_to // ret += a // 2*a+a=3*a
+
+ ldp x29,x30,[sp],#16
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+
+
+// void ecp_nistz256_sub(BN_ULONG x0[4],const BN_ULONG x1[4],
+// const BN_ULONG x2[4]);
+.globl _ecp_nistz256_sub
+.private_extern _ecp_nistz256_sub
+
+.align 4
+_ecp_nistz256_sub:
+ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-16]!
+ add x29,sp,#0
+
+ ldp x14,x15,[x1]
+ ldp x16,x17,[x1,#16]
+ ldr x12,Lpoly+8
+ ldr x13,Lpoly+24
+
+ bl __ecp_nistz256_sub_from
+
+ ldp x29,x30,[sp],#16
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+
+
+// void ecp_nistz256_neg(BN_ULONG x0[4],const BN_ULONG x1[4]);
+.globl _ecp_nistz256_neg
+.private_extern _ecp_nistz256_neg
+
+.align 4
+_ecp_nistz256_neg:
+ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-16]!
+ add x29,sp,#0
+
+ mov x2,x1
+ mov x14,xzr // a = 0
+ mov x15,xzr
+ mov x16,xzr
+ mov x17,xzr
+ ldr x12,Lpoly+8
+ ldr x13,Lpoly+24
+
+ bl __ecp_nistz256_sub_from
+
+ ldp x29,x30,[sp],#16
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+
+
+// note that __ecp_nistz256_mul_mont expects a[0-3] input pre-loaded
+// to x4-x7 and b[0] - to x3
+
+.align 4
+__ecp_nistz256_mul_mont:
+ mul x14,x4,x3 // a[0]*b[0]
+ umulh x8,x4,x3
+
+ mul x15,x5,x3 // a[1]*b[0]
+ umulh x9,x5,x3
+
+ mul x16,x6,x3 // a[2]*b[0]
+ umulh x10,x6,x3
+
+ mul x17,x7,x3 // a[3]*b[0]
+ umulh x11,x7,x3
+ ldr x3,[x2,#8] // b[1]
+
+ adds x15,x15,x8 // accumulate high parts of multiplication
+ lsl x8,x14,#32
+ adcs x16,x16,x9
+ lsr x9,x14,#32
+ adcs x17,x17,x10
+ adc x19,xzr,x11
+ mov x20,xzr
+ subs x10,x14,x8 // "*0xffff0001"
+ sbc x11,x14,x9
+ adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0]
+ mul x8,x4,x3 // lo(a[0]*b[i])
+ adcs x15,x16,x9
+ mul x9,x5,x3 // lo(a[1]*b[i])
+ adcs x16,x17,x10 // +=acc[0]*0xffff0001
+ mul x10,x6,x3 // lo(a[2]*b[i])
+ adcs x17,x19,x11
+ mul x11,x7,x3 // lo(a[3]*b[i])
+ adc x19,x20,xzr
+
+ adds x14,x14,x8 // accumulate low parts of multiplication
+ umulh x8,x4,x3 // hi(a[0]*b[i])
+ adcs x15,x15,x9
+ umulh x9,x5,x3 // hi(a[1]*b[i])
+ adcs x16,x16,x10
+ umulh x10,x6,x3 // hi(a[2]*b[i])
+ adcs x17,x17,x11
+ umulh x11,x7,x3 // hi(a[3]*b[i])
+ adc x19,x19,xzr
+ ldr x3,[x2,#8*(1+1)] // b[1+1]
+ adds x15,x15,x8 // accumulate high parts of multiplication
+ lsl x8,x14,#32
+ adcs x16,x16,x9
+ lsr x9,x14,#32
+ adcs x17,x17,x10
+ adcs x19,x19,x11
+ adc x20,xzr,xzr
+ subs x10,x14,x8 // "*0xffff0001"
+ sbc x11,x14,x9
+ adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0]
+ mul x8,x4,x3 // lo(a[0]*b[i])
+ adcs x15,x16,x9
+ mul x9,x5,x3 // lo(a[1]*b[i])
+ adcs x16,x17,x10 // +=acc[0]*0xffff0001
+ mul x10,x6,x3 // lo(a[2]*b[i])
+ adcs x17,x19,x11
+ mul x11,x7,x3 // lo(a[3]*b[i])
+ adc x19,x20,xzr
+
+ adds x14,x14,x8 // accumulate low parts of multiplication
+ umulh x8,x4,x3 // hi(a[0]*b[i])
+ adcs x15,x15,x9
+ umulh x9,x5,x3 // hi(a[1]*b[i])
+ adcs x16,x16,x10
+ umulh x10,x6,x3 // hi(a[2]*b[i])
+ adcs x17,x17,x11
+ umulh x11,x7,x3 // hi(a[3]*b[i])
+ adc x19,x19,xzr
+ ldr x3,[x2,#8*(2+1)] // b[2+1]
+ adds x15,x15,x8 // accumulate high parts of multiplication
+ lsl x8,x14,#32
+ adcs x16,x16,x9
+ lsr x9,x14,#32
+ adcs x17,x17,x10
+ adcs x19,x19,x11
+ adc x20,xzr,xzr
+ subs x10,x14,x8 // "*0xffff0001"
+ sbc x11,x14,x9
+ adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0]
+ mul x8,x4,x3 // lo(a[0]*b[i])
+ adcs x15,x16,x9
+ mul x9,x5,x3 // lo(a[1]*b[i])
+ adcs x16,x17,x10 // +=acc[0]*0xffff0001
+ mul x10,x6,x3 // lo(a[2]*b[i])
+ adcs x17,x19,x11
+ mul x11,x7,x3 // lo(a[3]*b[i])
+ adc x19,x20,xzr
+
+ adds x14,x14,x8 // accumulate low parts of multiplication
+ umulh x8,x4,x3 // hi(a[0]*b[i])
+ adcs x15,x15,x9
+ umulh x9,x5,x3 // hi(a[1]*b[i])
+ adcs x16,x16,x10
+ umulh x10,x6,x3 // hi(a[2]*b[i])
+ adcs x17,x17,x11
+ umulh x11,x7,x3 // hi(a[3]*b[i])
+ adc x19,x19,xzr
+ adds x15,x15,x8 // accumulate high parts of multiplication
+ lsl x8,x14,#32
+ adcs x16,x16,x9
+ lsr x9,x14,#32
+ adcs x17,x17,x10
+ adcs x19,x19,x11
+ adc x20,xzr,xzr
+ // last reduction
+ subs x10,x14,x8 // "*0xffff0001"
+ sbc x11,x14,x9
+ adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0]
+ adcs x15,x16,x9
+ adcs x16,x17,x10 // +=acc[0]*0xffff0001
+ adcs x17,x19,x11
+ adc x19,x20,xzr
+
+ adds x8,x14,#1 // subs x8,x14,#-1 // tmp = ret-modulus
+ sbcs x9,x15,x12
+ sbcs x10,x16,xzr
+ sbcs x11,x17,x13
+ sbcs xzr,x19,xzr // did it borrow?
+
+ csel x14,x14,x8,lo // ret = borrow ? ret : ret-modulus
+ csel x15,x15,x9,lo
+ csel x16,x16,x10,lo
+ stp x14,x15,[x0]
+ csel x17,x17,x11,lo
+ stp x16,x17,[x0,#16]
+
+ ret
+
+
+// note that __ecp_nistz256_sqr_mont expects a[0-3] input pre-loaded
+// to x4-x7
+
+.align 4
+__ecp_nistz256_sqr_mont:
+ // | | | | | |a1*a0| |
+ // | | | | |a2*a0| | |
+ // | |a3*a2|a3*a0| | | |
+ // | | | |a2*a1| | | |
+ // | | |a3*a1| | | | |
+ // *| | | | | | | | 2|
+ // +|a3*a3|a2*a2|a1*a1|a0*a0|
+ // |--+--+--+--+--+--+--+--|
+ // |A7|A6|A5|A4|A3|A2|A1|A0|, where Ax is , i.e. follow
+ //
+ // "can't overflow" below mark carrying into high part of
+ // multiplication result, which can't overflow, because it
+ // can never be all ones.
+
+ mul x15,x5,x4 // a[1]*a[0]
+ umulh x9,x5,x4
+ mul x16,x6,x4 // a[2]*a[0]
+ umulh x10,x6,x4
+ mul x17,x7,x4 // a[3]*a[0]
+ umulh x19,x7,x4
+
+ adds x16,x16,x9 // accumulate high parts of multiplication
+ mul x8,x6,x5 // a[2]*a[1]
+ umulh x9,x6,x5
+ adcs x17,x17,x10
+ mul x10,x7,x5 // a[3]*a[1]
+ umulh x11,x7,x5
+ adc x19,x19,xzr // can't overflow
+
+ mul x20,x7,x6 // a[3]*a[2]
+ umulh x1,x7,x6
+
+ adds x9,x9,x10 // accumulate high parts of multiplication
+ mul x14,x4,x4 // a[0]*a[0]
+ adc x10,x11,xzr // can't overflow
+
+ adds x17,x17,x8 // accumulate low parts of multiplication
+ umulh x4,x4,x4
+ adcs x19,x19,x9
+ mul x9,x5,x5 // a[1]*a[1]
+ adcs x20,x20,x10
+ umulh x5,x5,x5
+ adc x1,x1,xzr // can't overflow
+
+ adds x15,x15,x15 // acc[1-6]*=2
+ mul x10,x6,x6 // a[2]*a[2]
+ adcs x16,x16,x16
+ umulh x6,x6,x6
+ adcs x17,x17,x17
+ mul x11,x7,x7 // a[3]*a[3]
+ adcs x19,x19,x19
+ umulh x7,x7,x7
+ adcs x20,x20,x20
+ adcs x1,x1,x1
+ adc x2,xzr,xzr
+
+ adds x15,x15,x4 // +a[i]*a[i]
+ adcs x16,x16,x9
+ adcs x17,x17,x5
+ adcs x19,x19,x10
+ adcs x20,x20,x6
+ lsl x8,x14,#32
+ adcs x1,x1,x11
+ lsr x9,x14,#32
+ adc x2,x2,x7
+ subs x10,x14,x8 // "*0xffff0001"
+ sbc x11,x14,x9
+ adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0]
+ adcs x15,x16,x9
+ lsl x8,x14,#32
+ adcs x16,x17,x10 // +=acc[0]*0xffff0001
+ lsr x9,x14,#32
+ adc x17,x11,xzr // can't overflow
+ subs x10,x14,x8 // "*0xffff0001"
+ sbc x11,x14,x9
+ adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0]
+ adcs x15,x16,x9
+ lsl x8,x14,#32
+ adcs x16,x17,x10 // +=acc[0]*0xffff0001
+ lsr x9,x14,#32
+ adc x17,x11,xzr // can't overflow
+ subs x10,x14,x8 // "*0xffff0001"
+ sbc x11,x14,x9
+ adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0]
+ adcs x15,x16,x9
+ lsl x8,x14,#32
+ adcs x16,x17,x10 // +=acc[0]*0xffff0001
+ lsr x9,x14,#32
+ adc x17,x11,xzr // can't overflow
+ subs x10,x14,x8 // "*0xffff0001"
+ sbc x11,x14,x9
+ adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0]
+ adcs x15,x16,x9
+ adcs x16,x17,x10 // +=acc[0]*0xffff0001
+ adc x17,x11,xzr // can't overflow
+
+ adds x14,x14,x19 // accumulate upper half
+ adcs x15,x15,x20
+ adcs x16,x16,x1
+ adcs x17,x17,x2
+ adc x19,xzr,xzr
+
+ adds x8,x14,#1 // subs x8,x14,#-1 // tmp = ret-modulus
+ sbcs x9,x15,x12
+ sbcs x10,x16,xzr
+ sbcs x11,x17,x13
+ sbcs xzr,x19,xzr // did it borrow?
+
+ csel x14,x14,x8,lo // ret = borrow ? ret : ret-modulus
+ csel x15,x15,x9,lo
+ csel x16,x16,x10,lo
+ stp x14,x15,[x0]
+ csel x17,x17,x11,lo
+ stp x16,x17,[x0,#16]
+
+ ret
+
+
+// Note that __ecp_nistz256_add_to expects both input vectors pre-loaded to
+// x4-x7 and x8-x11. This is done because it's used in multiple
+// contexts, e.g. in multiplication by 2 and 3...
+
+.align 4
+__ecp_nistz256_add_to:
+ adds x14,x14,x8 // ret = a+b
+ adcs x15,x15,x9
+ adcs x16,x16,x10
+ adcs x17,x17,x11
+ adc x1,xzr,xzr // zap x1
+
+ adds x8,x14,#1 // subs x8,x4,#-1 // tmp = ret-modulus
+ sbcs x9,x15,x12
+ sbcs x10,x16,xzr
+ sbcs x11,x17,x13
+ sbcs xzr,x1,xzr // did subtraction borrow?
+
+ csel x14,x14,x8,lo // ret = borrow ? ret : ret-modulus
+ csel x15,x15,x9,lo
+ csel x16,x16,x10,lo
+ stp x14,x15,[x0]
+ csel x17,x17,x11,lo
+ stp x16,x17,[x0,#16]
+
+ ret
+
+
+
+.align 4
+__ecp_nistz256_sub_from:
+ ldp x8,x9,[x2]
+ ldp x10,x11,[x2,#16]
+ subs x14,x14,x8 // ret = a-b
+ sbcs x15,x15,x9
+ sbcs x16,x16,x10
+ sbcs x17,x17,x11
+ sbc x1,xzr,xzr // zap x1
+
+ subs x8,x14,#1 // adds x8,x4,#-1 // tmp = ret+modulus
+ adcs x9,x15,x12
+ adcs x10,x16,xzr
+ adc x11,x17,x13
+ cmp x1,xzr // did subtraction borrow?
+
+ csel x14,x14,x8,eq // ret = borrow ? ret+modulus : ret
+ csel x15,x15,x9,eq
+ csel x16,x16,x10,eq
+ stp x14,x15,[x0]
+ csel x17,x17,x11,eq
+ stp x16,x17,[x0,#16]
+
+ ret
+
+
+
+.align 4
+__ecp_nistz256_sub_morf:
+ ldp x8,x9,[x2]
+ ldp x10,x11,[x2,#16]
+ subs x14,x8,x14 // ret = b-a
+ sbcs x15,x9,x15
+ sbcs x16,x10,x16
+ sbcs x17,x11,x17
+ sbc x1,xzr,xzr // zap x1
+
+ subs x8,x14,#1 // adds x8,x4,#-1 // tmp = ret+modulus
+ adcs x9,x15,x12
+ adcs x10,x16,xzr
+ adc x11,x17,x13
+ cmp x1,xzr // did subtraction borrow?
+
+ csel x14,x14,x8,eq // ret = borrow ? ret+modulus : ret
+ csel x15,x15,x9,eq
+ csel x16,x16,x10,eq
+ stp x14,x15,[x0]
+ csel x17,x17,x11,eq
+ stp x16,x17,[x0,#16]
+
+ ret
+
+
+
+.align 4
+__ecp_nistz256_div_by_2:
+ subs x8,x14,#1 // adds x8,x4,#-1 // tmp = a+modulus
+ adcs x9,x15,x12
+ adcs x10,x16,xzr
+ adcs x11,x17,x13
+ adc x1,xzr,xzr // zap x1
+ tst x14,#1 // is a even?
+
+ csel x14,x14,x8,eq // ret = even ? a : a+modulus
+ csel x15,x15,x9,eq
+ csel x16,x16,x10,eq
+ csel x17,x17,x11,eq
+ csel x1,xzr,x1,eq
+
+ lsr x14,x14,#1 // ret >>= 1
+ orr x14,x14,x15,lsl#63
+ lsr x15,x15,#1
+ orr x15,x15,x16,lsl#63
+ lsr x16,x16,#1
+ orr x16,x16,x17,lsl#63
+ lsr x17,x17,#1
+ stp x14,x15,[x0]
+ orr x17,x17,x1,lsl#63
+ stp x16,x17,[x0,#16]
+
+ ret
+
+.globl _ecp_nistz256_point_double
+.private_extern _ecp_nistz256_point_double
+
+.align 5
+_ecp_nistz256_point_double:
+ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-96]!
+ add x29,sp,#0
+ stp x19,x20,[sp,#16]
+ stp x21,x22,[sp,#32]
+ sub sp,sp,#32*4
+
+Ldouble_shortcut:
+ ldp x14,x15,[x1,#32]
+ mov x21,x0
+ ldp x16,x17,[x1,#48]
+ mov x22,x1
+ ldr x12,Lpoly+8
+ mov x8,x14
+ ldr x13,Lpoly+24
+ mov x9,x15
+ ldp x4,x5,[x22,#64] // forward load for p256_sqr_mont
+ mov x10,x16
+ mov x11,x17
+ ldp x6,x7,[x22,#64+16]
+ add x0,sp,#0
+ bl __ecp_nistz256_add_to // p256_mul_by_2(S, in_y);
+
+ add x0,sp,#64
+ bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Zsqr, in_z);
+
+ ldp x8,x9,[x22]
+ ldp x10,x11,[x22,#16]
+ mov x4,x14 // put Zsqr aside for p256_sub
+ mov x5,x15
+ mov x6,x16
+ mov x7,x17
+ add x0,sp,#32
+ bl __ecp_nistz256_add_to // p256_add(M, Zsqr, in_x);
+
+ add x2,x22,#0
+ mov x14,x4 // restore Zsqr
+ mov x15,x5
+ ldp x4,x5,[sp,#0] // forward load for p256_sqr_mont
+ mov x16,x6
+ mov x17,x7
+ ldp x6,x7,[sp,#0+16]
+ add x0,sp,#64
+ bl __ecp_nistz256_sub_morf // p256_sub(Zsqr, in_x, Zsqr);
+
+ add x0,sp,#0
+ bl __ecp_nistz256_sqr_mont // p256_sqr_mont(S, S);
+
+ ldr x3,[x22,#32]
+ ldp x4,x5,[x22,#64]
+ ldp x6,x7,[x22,#64+16]
+ add x2,x22,#32
+ add x0,sp,#96
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(tmp0, in_z, in_y);
+
+ mov x8,x14
+ mov x9,x15
+ ldp x4,x5,[sp,#0] // forward load for p256_sqr_mont
+ mov x10,x16
+ mov x11,x17
+ ldp x6,x7,[sp,#0+16]
+ add x0,x21,#64
+ bl __ecp_nistz256_add_to // p256_mul_by_2(res_z, tmp0);
+
+ add x0,sp,#96
+ bl __ecp_nistz256_sqr_mont // p256_sqr_mont(tmp0, S);
+
+ ldr x3,[sp,#64] // forward load for p256_mul_mont
+ ldp x4,x5,[sp,#32]
+ ldp x6,x7,[sp,#32+16]
+ add x0,x21,#32
+ bl __ecp_nistz256_div_by_2 // p256_div_by_2(res_y, tmp0);
+
+ add x2,sp,#64
+ add x0,sp,#32
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(M, M, Zsqr);
+
+ mov x8,x14 // duplicate M
+ mov x9,x15
+ mov x10,x16
+ mov x11,x17
+ mov x4,x14 // put M aside
+ mov x5,x15
+ mov x6,x16
+ mov x7,x17
+ add x0,sp,#32
+ bl __ecp_nistz256_add_to
+ mov x8,x4 // restore M
+ mov x9,x5
+ ldr x3,[x22] // forward load for p256_mul_mont
+ mov x10,x6
+ ldp x4,x5,[sp,#0]
+ mov x11,x7
+ ldp x6,x7,[sp,#0+16]
+ bl __ecp_nistz256_add_to // p256_mul_by_3(M, M);
+
+ add x2,x22,#0
+ add x0,sp,#0
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(S, S, in_x);
+
+ mov x8,x14
+ mov x9,x15
+ ldp x4,x5,[sp,#32] // forward load for p256_sqr_mont
+ mov x10,x16
+ mov x11,x17
+ ldp x6,x7,[sp,#32+16]
+ add x0,sp,#96
+ bl __ecp_nistz256_add_to // p256_mul_by_2(tmp0, S);
+
+ add x0,x21,#0
+ bl __ecp_nistz256_sqr_mont // p256_sqr_mont(res_x, M);
+
+ add x2,sp,#96
+ bl __ecp_nistz256_sub_from // p256_sub(res_x, res_x, tmp0);
+
+ add x2,sp,#0
+ add x0,sp,#0
+ bl __ecp_nistz256_sub_morf // p256_sub(S, S, res_x);
+
+ ldr x3,[sp,#32]
+ mov x4,x14 // copy S
+ mov x5,x15
+ mov x6,x16
+ mov x7,x17
+ add x2,sp,#32
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(S, S, M);
+
+ add x2,x21,#32
+ add x0,x21,#32
+ bl __ecp_nistz256_sub_from // p256_sub(res_y, S, res_y);
+
+ add sp,x29,#0 // destroy frame
+ ldp x19,x20,[x29,#16]
+ ldp x21,x22,[x29,#32]
+ ldp x29,x30,[sp],#96
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+
+.globl _ecp_nistz256_point_add
+.private_extern _ecp_nistz256_point_add
+
+.align 5
+_ecp_nistz256_point_add:
+ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-96]!
+ add x29,sp,#0
+ stp x19,x20,[sp,#16]
+ stp x21,x22,[sp,#32]
+ stp x23,x24,[sp,#48]
+ stp x25,x26,[sp,#64]
+ stp x27,x28,[sp,#80]
+ sub sp,sp,#32*12
+
+ ldp x4,x5,[x2,#64] // in2_z
+ ldp x6,x7,[x2,#64+16]
+ mov x21,x0
+ mov x22,x1
+ mov x23,x2
+ ldr x12,Lpoly+8
+ ldr x13,Lpoly+24
+ orr x8,x4,x5
+ orr x10,x6,x7
+ orr x25,x8,x10
+ cmp x25,#0
+ csetm x25,ne // ~in2infty
+ add x0,sp,#192
+ bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Z2sqr, in2_z);
+
+ ldp x4,x5,[x22,#64] // in1_z
+ ldp x6,x7,[x22,#64+16]
+ orr x8,x4,x5
+ orr x10,x6,x7
+ orr x24,x8,x10
+ cmp x24,#0
+ csetm x24,ne // ~in1infty
+ add x0,sp,#128
+ bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Z1sqr, in1_z);
+
+ ldr x3,[x23,#64]
+ ldp x4,x5,[sp,#192]
+ ldp x6,x7,[sp,#192+16]
+ add x2,x23,#64
+ add x0,sp,#320
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(S1, Z2sqr, in2_z);
+
+ ldr x3,[x22,#64]
+ ldp x4,x5,[sp,#128]
+ ldp x6,x7,[sp,#128+16]
+ add x2,x22,#64
+ add x0,sp,#352
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, Z1sqr, in1_z);
+
+ ldr x3,[x22,#32]
+ ldp x4,x5,[sp,#320]
+ ldp x6,x7,[sp,#320+16]
+ add x2,x22,#32
+ add x0,sp,#320
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(S1, S1, in1_y);
+
+ ldr x3,[x23,#32]
+ ldp x4,x5,[sp,#352]
+ ldp x6,x7,[sp,#352+16]
+ add x2,x23,#32
+ add x0,sp,#352
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, S2, in2_y);
+
+ add x2,sp,#320
+ ldr x3,[sp,#192] // forward load for p256_mul_mont
+ ldp x4,x5,[x22]
+ ldp x6,x7,[x22,#16]
+ add x0,sp,#160
+ bl __ecp_nistz256_sub_from // p256_sub(R, S2, S1);
+
+ orr x14,x14,x15 // see if result is zero
+ orr x16,x16,x17
+ orr x26,x14,x16 // ~is_equal(S1,S2)
+
+ add x2,sp,#192
+ add x0,sp,#256
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(U1, in1_x, Z2sqr);
+
+ ldr x3,[sp,#128]
+ ldp x4,x5,[x23]
+ ldp x6,x7,[x23,#16]
+ add x2,sp,#128
+ add x0,sp,#288
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, in2_x, Z1sqr);
+
+ add x2,sp,#256
+ ldp x4,x5,[sp,#160] // forward load for p256_sqr_mont
+ ldp x6,x7,[sp,#160+16]
+ add x0,sp,#96
+ bl __ecp_nistz256_sub_from // p256_sub(H, U2, U1);
+
+ orr x14,x14,x15 // see if result is zero
+ orr x16,x16,x17
+ orr x14,x14,x16 // ~is_equal(U1,U2)
+
+ mvn x27,x24 // -1/0 -> 0/-1
+ mvn x28,x25 // -1/0 -> 0/-1
+ orr x14,x14,x27
+ orr x14,x14,x28
+ orr x14,x14,x26
+ cbnz x14,Ladd_proceed // if(~is_equal(U1,U2) | in1infty | in2infty | ~is_equal(S1,S2))
+
+Ladd_double:
+ mov x1,x22
+ mov x0,x21
+ ldp x23,x24,[x29,#48]
+ ldp x25,x26,[x29,#64]
+ ldp x27,x28,[x29,#80]
+ add sp,sp,#256 // #256 is from #32*(12-4). difference in stack frames
+ b Ldouble_shortcut
+
+.align 4
+Ladd_proceed:
+ add x0,sp,#192
+ bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Rsqr, R);
+
+ ldr x3,[x22,#64]
+ ldp x4,x5,[sp,#96]
+ ldp x6,x7,[sp,#96+16]
+ add x2,x22,#64
+ add x0,sp,#64
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(res_z, H, in1_z);
+
+ ldp x4,x5,[sp,#96]
+ ldp x6,x7,[sp,#96+16]
+ add x0,sp,#128
+ bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Hsqr, H);
+
+ ldr x3,[x23,#64]
+ ldp x4,x5,[sp,#64]
+ ldp x6,x7,[sp,#64+16]
+ add x2,x23,#64
+ add x0,sp,#64
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(res_z, res_z, in2_z);
+
+ ldr x3,[sp,#96]
+ ldp x4,x5,[sp,#128]
+ ldp x6,x7,[sp,#128+16]
+ add x2,sp,#96
+ add x0,sp,#224
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(Hcub, Hsqr, H);
+
+ ldr x3,[sp,#128]
+ ldp x4,x5,[sp,#256]
+ ldp x6,x7,[sp,#256+16]
+ add x2,sp,#128
+ add x0,sp,#288
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, U1, Hsqr);
+
+ mov x8,x14
+ mov x9,x15
+ mov x10,x16
+ mov x11,x17
+ add x0,sp,#128
+ bl __ecp_nistz256_add_to // p256_mul_by_2(Hsqr, U2);
+
+ add x2,sp,#192
+ add x0,sp,#0
+ bl __ecp_nistz256_sub_morf // p256_sub(res_x, Rsqr, Hsqr);
+
+ add x2,sp,#224
+ bl __ecp_nistz256_sub_from // p256_sub(res_x, res_x, Hcub);
+
+ add x2,sp,#288
+ ldr x3,[sp,#224] // forward load for p256_mul_mont
+ ldp x4,x5,[sp,#320]
+ ldp x6,x7,[sp,#320+16]
+ add x0,sp,#32
+ bl __ecp_nistz256_sub_morf // p256_sub(res_y, U2, res_x);
+
+ add x2,sp,#224
+ add x0,sp,#352
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, S1, Hcub);
+
+ ldr x3,[sp,#160]
+ ldp x4,x5,[sp,#32]
+ ldp x6,x7,[sp,#32+16]
+ add x2,sp,#160
+ add x0,sp,#32
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(res_y, res_y, R);
+
+ add x2,sp,#352
+ bl __ecp_nistz256_sub_from // p256_sub(res_y, res_y, S2);
+
+ ldp x4,x5,[sp,#0] // res
+ ldp x6,x7,[sp,#0+16]
+ ldp x8,x9,[x23] // in2
+ ldp x10,x11,[x23,#16]
+ ldp x14,x15,[x22,#0] // in1
+ cmp x24,#0 // ~, remember?
+ ldp x16,x17,[x22,#0+16]
+ csel x8,x4,x8,ne
+ csel x9,x5,x9,ne
+ ldp x4,x5,[sp,#0+0+32] // res
+ csel x10,x6,x10,ne
+ csel x11,x7,x11,ne
+ cmp x25,#0 // ~, remember?
+ ldp x6,x7,[sp,#0+0+48]
+ csel x14,x8,x14,ne
+ csel x15,x9,x15,ne
+ ldp x8,x9,[x23,#0+32] // in2
+ csel x16,x10,x16,ne
+ csel x17,x11,x17,ne
+ ldp x10,x11,[x23,#0+48]
+ stp x14,x15,[x21,#0]
+ stp x16,x17,[x21,#0+16]
+ ldp x14,x15,[x22,#32] // in1
+ cmp x24,#0 // ~, remember?
+ ldp x16,x17,[x22,#32+16]
+ csel x8,x4,x8,ne
+ csel x9,x5,x9,ne
+ ldp x4,x5,[sp,#0+32+32] // res
+ csel x10,x6,x10,ne
+ csel x11,x7,x11,ne
+ cmp x25,#0 // ~, remember?
+ ldp x6,x7,[sp,#0+32+48]
+ csel x14,x8,x14,ne
+ csel x15,x9,x15,ne
+ ldp x8,x9,[x23,#32+32] // in2
+ csel x16,x10,x16,ne
+ csel x17,x11,x17,ne
+ ldp x10,x11,[x23,#32+48]
+ stp x14,x15,[x21,#32]
+ stp x16,x17,[x21,#32+16]
+ ldp x14,x15,[x22,#64] // in1
+ cmp x24,#0 // ~, remember?
+ ldp x16,x17,[x22,#64+16]
+ csel x8,x4,x8,ne
+ csel x9,x5,x9,ne
+ csel x10,x6,x10,ne
+ csel x11,x7,x11,ne
+ cmp x25,#0 // ~, remember?
+ csel x14,x8,x14,ne
+ csel x15,x9,x15,ne
+ csel x16,x10,x16,ne
+ csel x17,x11,x17,ne
+ stp x14,x15,[x21,#64]
+ stp x16,x17,[x21,#64+16]
+
+Ladd_done:
+ add sp,x29,#0 // destroy frame
+ ldp x19,x20,[x29,#16]
+ ldp x21,x22,[x29,#32]
+ ldp x23,x24,[x29,#48]
+ ldp x25,x26,[x29,#64]
+ ldp x27,x28,[x29,#80]
+ ldp x29,x30,[sp],#96
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+
+.globl _ecp_nistz256_point_add_affine
+.private_extern _ecp_nistz256_point_add_affine
+
+.align 5
+_ecp_nistz256_point_add_affine:
+ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-80]!
+ add x29,sp,#0
+ stp x19,x20,[sp,#16]
+ stp x21,x22,[sp,#32]
+ stp x23,x24,[sp,#48]
+ stp x25,x26,[sp,#64]
+ sub sp,sp,#32*10
+
+ mov x21,x0
+ mov x22,x1
+ mov x23,x2
+ ldr x12,Lpoly+8
+ ldr x13,Lpoly+24
+
+ ldp x4,x5,[x1,#64] // in1_z
+ ldp x6,x7,[x1,#64+16]
+ orr x8,x4,x5
+ orr x10,x6,x7
+ orr x24,x8,x10
+ cmp x24,#0
+ csetm x24,ne // ~in1infty
+
+ ldp x14,x15,[x2] // in2_x
+ ldp x16,x17,[x2,#16]
+ ldp x8,x9,[x2,#32] // in2_y
+ ldp x10,x11,[x2,#48]
+ orr x14,x14,x15
+ orr x16,x16,x17
+ orr x8,x8,x9
+ orr x10,x10,x11
+ orr x14,x14,x16
+ orr x8,x8,x10
+ orr x25,x14,x8
+ cmp x25,#0
+ csetm x25,ne // ~in2infty
+
+ add x0,sp,#128
+ bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Z1sqr, in1_z);
+
+ mov x4,x14
+ mov x5,x15
+ mov x6,x16
+ mov x7,x17
+ ldr x3,[x23]
+ add x2,x23,#0
+ add x0,sp,#96
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, Z1sqr, in2_x);
+
+ add x2,x22,#0
+ ldr x3,[x22,#64] // forward load for p256_mul_mont
+ ldp x4,x5,[sp,#128]
+ ldp x6,x7,[sp,#128+16]
+ add x0,sp,#160
+ bl __ecp_nistz256_sub_from // p256_sub(H, U2, in1_x);
+
+ add x2,x22,#64
+ add x0,sp,#128
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, Z1sqr, in1_z);
+
+ ldr x3,[x22,#64]
+ ldp x4,x5,[sp,#160]
+ ldp x6,x7,[sp,#160+16]
+ add x2,x22,#64
+ add x0,sp,#64
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(res_z, H, in1_z);
+
+ ldr x3,[x23,#32]
+ ldp x4,x5,[sp,#128]
+ ldp x6,x7,[sp,#128+16]
+ add x2,x23,#32
+ add x0,sp,#128
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, S2, in2_y);
+
+ add x2,x22,#32
+ ldp x4,x5,[sp,#160] // forward load for p256_sqr_mont
+ ldp x6,x7,[sp,#160+16]
+ add x0,sp,#192
+ bl __ecp_nistz256_sub_from // p256_sub(R, S2, in1_y);
+
+ add x0,sp,#224
+ bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Hsqr, H);
+
+ ldp x4,x5,[sp,#192]
+ ldp x6,x7,[sp,#192+16]
+ add x0,sp,#288
+ bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Rsqr, R);
+
+ ldr x3,[sp,#160]
+ ldp x4,x5,[sp,#224]
+ ldp x6,x7,[sp,#224+16]
+ add x2,sp,#160
+ add x0,sp,#256
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(Hcub, Hsqr, H);
+
+ ldr x3,[x22]
+ ldp x4,x5,[sp,#224]
+ ldp x6,x7,[sp,#224+16]
+ add x2,x22,#0
+ add x0,sp,#96
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, in1_x, Hsqr);
+
+ mov x8,x14
+ mov x9,x15
+ mov x10,x16
+ mov x11,x17
+ add x0,sp,#224
+ bl __ecp_nistz256_add_to // p256_mul_by_2(Hsqr, U2);
+
+ add x2,sp,#288
+ add x0,sp,#0
+ bl __ecp_nistz256_sub_morf // p256_sub(res_x, Rsqr, Hsqr);
+
+ add x2,sp,#256
+ bl __ecp_nistz256_sub_from // p256_sub(res_x, res_x, Hcub);
+
+ add x2,sp,#96
+ ldr x3,[x22,#32] // forward load for p256_mul_mont
+ ldp x4,x5,[sp,#256]
+ ldp x6,x7,[sp,#256+16]
+ add x0,sp,#32
+ bl __ecp_nistz256_sub_morf // p256_sub(res_y, U2, res_x);
+
+ add x2,x22,#32
+ add x0,sp,#128
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, in1_y, Hcub);
+
+ ldr x3,[sp,#192]
+ ldp x4,x5,[sp,#32]
+ ldp x6,x7,[sp,#32+16]
+ add x2,sp,#192
+ add x0,sp,#32
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(res_y, res_y, R);
+
+ add x2,sp,#128
+ bl __ecp_nistz256_sub_from // p256_sub(res_y, res_y, S2);
+
+ ldp x4,x5,[sp,#0] // res
+ ldp x6,x7,[sp,#0+16]
+ ldp x8,x9,[x23] // in2
+ ldp x10,x11,[x23,#16]
+ ldp x14,x15,[x22,#0] // in1
+ cmp x24,#0 // ~, remember?
+ ldp x16,x17,[x22,#0+16]
+ csel x8,x4,x8,ne
+ csel x9,x5,x9,ne
+ ldp x4,x5,[sp,#0+0+32] // res
+ csel x10,x6,x10,ne
+ csel x11,x7,x11,ne
+ cmp x25,#0 // ~, remember?
+ ldp x6,x7,[sp,#0+0+48]
+ csel x14,x8,x14,ne
+ csel x15,x9,x15,ne
+ ldp x8,x9,[x23,#0+32] // in2
+ csel x16,x10,x16,ne
+ csel x17,x11,x17,ne
+ ldp x10,x11,[x23,#0+48]
+ stp x14,x15,[x21,#0]
+ stp x16,x17,[x21,#0+16]
+ adr x23,Lone_mont-64
+ ldp x14,x15,[x22,#32] // in1
+ cmp x24,#0 // ~, remember?
+ ldp x16,x17,[x22,#32+16]
+ csel x8,x4,x8,ne
+ csel x9,x5,x9,ne
+ ldp x4,x5,[sp,#0+32+32] // res
+ csel x10,x6,x10,ne
+ csel x11,x7,x11,ne
+ cmp x25,#0 // ~, remember?
+ ldp x6,x7,[sp,#0+32+48]
+ csel x14,x8,x14,ne
+ csel x15,x9,x15,ne
+ ldp x8,x9,[x23,#32+32] // in2
+ csel x16,x10,x16,ne
+ csel x17,x11,x17,ne
+ ldp x10,x11,[x23,#32+48]
+ stp x14,x15,[x21,#32]
+ stp x16,x17,[x21,#32+16]
+ ldp x14,x15,[x22,#64] // in1
+ cmp x24,#0 // ~, remember?
+ ldp x16,x17,[x22,#64+16]
+ csel x8,x4,x8,ne
+ csel x9,x5,x9,ne
+ csel x10,x6,x10,ne
+ csel x11,x7,x11,ne
+ cmp x25,#0 // ~, remember?
+ csel x14,x8,x14,ne
+ csel x15,x9,x15,ne
+ csel x16,x10,x16,ne
+ csel x17,x11,x17,ne
+ stp x14,x15,[x21,#64]
+ stp x16,x17,[x21,#64+16]
+
+ add sp,x29,#0 // destroy frame
+ ldp x19,x20,[x29,#16]
+ ldp x21,x22,[x29,#32]
+ ldp x23,x24,[x29,#48]
+ ldp x25,x26,[x29,#64]
+ ldp x29,x30,[sp],#80
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+
+////////////////////////////////////////////////////////////////////////
+// void ecp_nistz256_ord_mul_mont(uint64_t res[4], uint64_t a[4],
+// uint64_t b[4]);
+.globl _ecp_nistz256_ord_mul_mont
+.private_extern _ecp_nistz256_ord_mul_mont
+
+.align 4
+_ecp_nistz256_ord_mul_mont:
+ AARCH64_VALID_CALL_TARGET
+ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.
+ stp x29,x30,[sp,#-64]!
+ add x29,sp,#0
+ stp x19,x20,[sp,#16]
+ stp x21,x22,[sp,#32]
+ stp x23,x24,[sp,#48]
+
+ adr x23,Lord
+ ldr x3,[x2] // bp[0]
+ ldp x4,x5,[x1]
+ ldp x6,x7,[x1,#16]
+
+ ldp x12,x13,[x23,#0]
+ ldp x21,x22,[x23,#16]
+ ldr x23,[x23,#32]
+
+ mul x14,x4,x3 // a[0]*b[0]
+ umulh x8,x4,x3
+
+ mul x15,x5,x3 // a[1]*b[0]
+ umulh x9,x5,x3
+
+ mul x16,x6,x3 // a[2]*b[0]
+ umulh x10,x6,x3
+
+ mul x17,x7,x3 // a[3]*b[0]
+ umulh x19,x7,x3
+
+ mul x24,x14,x23
+
+ adds x15,x15,x8 // accumulate high parts of multiplication
+ adcs x16,x16,x9
+ adcs x17,x17,x10
+ adc x19,x19,xzr
+ mov x20,xzr
+ ldr x3,[x2,#8*1] // b[i]
+
+ lsl x8,x24,#32
+ subs x16,x16,x24
+ lsr x9,x24,#32
+ sbcs x17,x17,x8
+ sbcs x19,x19,x9
+ sbc x20,x20,xzr
+
+ subs xzr,x14,#1
+ umulh x9,x12,x24
+ mul x10,x13,x24
+ umulh x11,x13,x24
+
+ adcs x10,x10,x9
+ mul x8,x4,x3
+ adc x11,x11,xzr
+ mul x9,x5,x3
+
+ adds x14,x15,x10
+ mul x10,x6,x3
+ adcs x15,x16,x11
+ mul x11,x7,x3
+ adcs x16,x17,x24
+ adcs x17,x19,x24
+ adc x19,x20,xzr
+
+ adds x14,x14,x8 // accumulate low parts
+ umulh x8,x4,x3
+ adcs x15,x15,x9
+ umulh x9,x5,x3
+ adcs x16,x16,x10
+ umulh x10,x6,x3
+ adcs x17,x17,x11
+ umulh x11,x7,x3
+ adc x19,x19,xzr
+ mul x24,x14,x23
+ adds x15,x15,x8 // accumulate high parts
+ adcs x16,x16,x9
+ adcs x17,x17,x10
+ adcs x19,x19,x11
+ adc x20,xzr,xzr
+ ldr x3,[x2,#8*2] // b[i]
+
+ lsl x8,x24,#32
+ subs x16,x16,x24
+ lsr x9,x24,#32
+ sbcs x17,x17,x8
+ sbcs x19,x19,x9
+ sbc x20,x20,xzr
+
+ subs xzr,x14,#1
+ umulh x9,x12,x24
+ mul x10,x13,x24
+ umulh x11,x13,x24
+
+ adcs x10,x10,x9
+ mul x8,x4,x3
+ adc x11,x11,xzr
+ mul x9,x5,x3
+
+ adds x14,x15,x10
+ mul x10,x6,x3
+ adcs x15,x16,x11
+ mul x11,x7,x3
+ adcs x16,x17,x24
+ adcs x17,x19,x24
+ adc x19,x20,xzr
+
+ adds x14,x14,x8 // accumulate low parts
+ umulh x8,x4,x3
+ adcs x15,x15,x9
+ umulh x9,x5,x3
+ adcs x16,x16,x10
+ umulh x10,x6,x3
+ adcs x17,x17,x11
+ umulh x11,x7,x3
+ adc x19,x19,xzr
+ mul x24,x14,x23
+ adds x15,x15,x8 // accumulate high parts
+ adcs x16,x16,x9
+ adcs x17,x17,x10
+ adcs x19,x19,x11
+ adc x20,xzr,xzr
+ ldr x3,[x2,#8*3] // b[i]
+
+ lsl x8,x24,#32
+ subs x16,x16,x24
+ lsr x9,x24,#32
+ sbcs x17,x17,x8
+ sbcs x19,x19,x9
+ sbc x20,x20,xzr
+
+ subs xzr,x14,#1
+ umulh x9,x12,x24
+ mul x10,x13,x24
+ umulh x11,x13,x24
+
+ adcs x10,x10,x9
+ mul x8,x4,x3
+ adc x11,x11,xzr
+ mul x9,x5,x3
+
+ adds x14,x15,x10
+ mul x10,x6,x3
+ adcs x15,x16,x11
+ mul x11,x7,x3
+ adcs x16,x17,x24
+ adcs x17,x19,x24
+ adc x19,x20,xzr
+
+ adds x14,x14,x8 // accumulate low parts
+ umulh x8,x4,x3
+ adcs x15,x15,x9
+ umulh x9,x5,x3
+ adcs x16,x16,x10
+ umulh x10,x6,x3
+ adcs x17,x17,x11
+ umulh x11,x7,x3
+ adc x19,x19,xzr
+ mul x24,x14,x23
+ adds x15,x15,x8 // accumulate high parts
+ adcs x16,x16,x9
+ adcs x17,x17,x10
+ adcs x19,x19,x11
+ adc x20,xzr,xzr
+ lsl x8,x24,#32 // last reduction
+ subs x16,x16,x24
+ lsr x9,x24,#32
+ sbcs x17,x17,x8
+ sbcs x19,x19,x9
+ sbc x20,x20,xzr
+
+ subs xzr,x14,#1
+ umulh x9,x12,x24
+ mul x10,x13,x24
+ umulh x11,x13,x24
+
+ adcs x10,x10,x9
+ adc x11,x11,xzr
+
+ adds x14,x15,x10
+ adcs x15,x16,x11
+ adcs x16,x17,x24
+ adcs x17,x19,x24
+ adc x19,x20,xzr
+
+ subs x8,x14,x12 // ret -= modulus
+ sbcs x9,x15,x13
+ sbcs x10,x16,x21
+ sbcs x11,x17,x22
+ sbcs xzr,x19,xzr
+
+ csel x14,x14,x8,lo // ret = borrow ? ret : ret-modulus
+ csel x15,x15,x9,lo
+ csel x16,x16,x10,lo
+ stp x14,x15,[x0]
+ csel x17,x17,x11,lo
+ stp x16,x17,[x0,#16]
+
+ ldp x19,x20,[sp,#16]
+ ldp x21,x22,[sp,#32]
+ ldp x23,x24,[sp,#48]
+ ldr x29,[sp],#64
+ ret
+
+
+////////////////////////////////////////////////////////////////////////
+// void ecp_nistz256_ord_sqr_mont(uint64_t res[4], uint64_t a[4],
+// int rep);
+.globl _ecp_nistz256_ord_sqr_mont
+.private_extern _ecp_nistz256_ord_sqr_mont
+
+.align 4
+_ecp_nistz256_ord_sqr_mont:
+ AARCH64_VALID_CALL_TARGET
+ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.
+ stp x29,x30,[sp,#-64]!
+ add x29,sp,#0
+ stp x19,x20,[sp,#16]
+ stp x21,x22,[sp,#32]
+ stp x23,x24,[sp,#48]
+
+ adr x23,Lord
+ ldp x4,x5,[x1]
+ ldp x6,x7,[x1,#16]
+
+ ldp x12,x13,[x23,#0]
+ ldp x21,x22,[x23,#16]
+ ldr x23,[x23,#32]
+ b Loop_ord_sqr
+
+.align 4
+Loop_ord_sqr:
+ sub x2,x2,#1
+ ////////////////////////////////////////////////////////////////
+ // | | | | | |a1*a0| |
+ // | | | | |a2*a0| | |
+ // | |a3*a2|a3*a0| | | |
+ // | | | |a2*a1| | | |
+ // | | |a3*a1| | | | |
+ // *| | | | | | | | 2|
+ // +|a3*a3|a2*a2|a1*a1|a0*a0|
+ // |--+--+--+--+--+--+--+--|
+ // |A7|A6|A5|A4|A3|A2|A1|A0|, where Ax is , i.e. follow
+ //
+ // "can't overflow" below mark carrying into high part of
+ // multiplication result, which can't overflow, because it
+ // can never be all ones.
+
+ mul x15,x5,x4 // a[1]*a[0]
+ umulh x9,x5,x4
+ mul x16,x6,x4 // a[2]*a[0]
+ umulh x10,x6,x4
+ mul x17,x7,x4 // a[3]*a[0]
+ umulh x19,x7,x4
+
+ adds x16,x16,x9 // accumulate high parts of multiplication
+ mul x8,x6,x5 // a[2]*a[1]
+ umulh x9,x6,x5
+ adcs x17,x17,x10
+ mul x10,x7,x5 // a[3]*a[1]
+ umulh x11,x7,x5
+ adc x19,x19,xzr // can't overflow
+
+ mul x20,x7,x6 // a[3]*a[2]
+ umulh x1,x7,x6
+
+ adds x9,x9,x10 // accumulate high parts of multiplication
+ mul x14,x4,x4 // a[0]*a[0]
+ adc x10,x11,xzr // can't overflow
+
+ adds x17,x17,x8 // accumulate low parts of multiplication
+ umulh x4,x4,x4
+ adcs x19,x19,x9
+ mul x9,x5,x5 // a[1]*a[1]
+ adcs x20,x20,x10
+ umulh x5,x5,x5
+ adc x1,x1,xzr // can't overflow
+
+ adds x15,x15,x15 // acc[1-6]*=2
+ mul x10,x6,x6 // a[2]*a[2]
+ adcs x16,x16,x16
+ umulh x6,x6,x6
+ adcs x17,x17,x17
+ mul x11,x7,x7 // a[3]*a[3]
+ adcs x19,x19,x19
+ umulh x7,x7,x7
+ adcs x20,x20,x20
+ adcs x1,x1,x1
+ adc x3,xzr,xzr
+
+ adds x15,x15,x4 // +a[i]*a[i]
+ mul x24,x14,x23
+ adcs x16,x16,x9
+ adcs x17,x17,x5
+ adcs x19,x19,x10
+ adcs x20,x20,x6
+ adcs x1,x1,x11
+ adc x3,x3,x7
+ subs xzr,x14,#1
+ umulh x9,x12,x24
+ mul x10,x13,x24
+ umulh x11,x13,x24
+
+ adcs x10,x10,x9
+ adc x11,x11,xzr
+
+ adds x14,x15,x10
+ adcs x15,x16,x11
+ adcs x16,x17,x24
+ adc x17,xzr,x24 // can't overflow
+ mul x11,x14,x23
+ lsl x8,x24,#32
+ subs x15,x15,x24
+ lsr x9,x24,#32
+ sbcs x16,x16,x8
+ sbc x17,x17,x9 // can't borrow
+ subs xzr,x14,#1
+ umulh x9,x12,x11
+ mul x10,x13,x11
+ umulh x24,x13,x11
+
+ adcs x10,x10,x9
+ adc x24,x24,xzr
+
+ adds x14,x15,x10
+ adcs x15,x16,x24
+ adcs x16,x17,x11
+ adc x17,xzr,x11 // can't overflow
+ mul x24,x14,x23
+ lsl x8,x11,#32
+ subs x15,x15,x11
+ lsr x9,x11,#32
+ sbcs x16,x16,x8
+ sbc x17,x17,x9 // can't borrow
+ subs xzr,x14,#1
+ umulh x9,x12,x24
+ mul x10,x13,x24
+ umulh x11,x13,x24
+
+ adcs x10,x10,x9
+ adc x11,x11,xzr
+
+ adds x14,x15,x10
+ adcs x15,x16,x11
+ adcs x16,x17,x24
+ adc x17,xzr,x24 // can't overflow
+ mul x11,x14,x23
+ lsl x8,x24,#32
+ subs x15,x15,x24
+ lsr x9,x24,#32
+ sbcs x16,x16,x8
+ sbc x17,x17,x9 // can't borrow
+ subs xzr,x14,#1
+ umulh x9,x12,x11
+ mul x10,x13,x11
+ umulh x24,x13,x11
+
+ adcs x10,x10,x9
+ adc x24,x24,xzr
+
+ adds x14,x15,x10
+ adcs x15,x16,x24
+ adcs x16,x17,x11
+ adc x17,xzr,x11 // can't overflow
+ lsl x8,x11,#32
+ subs x15,x15,x11
+ lsr x9,x11,#32
+ sbcs x16,x16,x8
+ sbc x17,x17,x9 // can't borrow
+ adds x14,x14,x19 // accumulate upper half
+ adcs x15,x15,x20
+ adcs x16,x16,x1
+ adcs x17,x17,x3
+ adc x19,xzr,xzr
+
+ subs x8,x14,x12 // ret -= modulus
+ sbcs x9,x15,x13
+ sbcs x10,x16,x21
+ sbcs x11,x17,x22
+ sbcs xzr,x19,xzr
+
+ csel x4,x14,x8,lo // ret = borrow ? ret : ret-modulus
+ csel x5,x15,x9,lo
+ csel x6,x16,x10,lo
+ csel x7,x17,x11,lo
+
+ cbnz x2,Loop_ord_sqr
+
+ stp x4,x5,[x0]
+ stp x6,x7,[x0,#16]
+
+ ldp x19,x20,[sp,#16]
+ ldp x21,x22,[sp,#32]
+ ldp x23,x24,[sp,#48]
+ ldr x29,[sp],#64
+ ret
+
+////////////////////////////////////////////////////////////////////////
+// void ecp_nistz256_select_w5(uint64_t *val, uint64_t *in_t, int index);
+.globl _ecp_nistz256_select_w5
+.private_extern _ecp_nistz256_select_w5
+
+.align 4
+_ecp_nistz256_select_w5:
+ AARCH64_VALID_CALL_TARGET
+
+ // x10 := x0
+ // w9 := 0; loop counter and incremented internal index
+ mov x10, x0
+ mov w9, #0
+
+ // [v16-v21] := 0
+ movi v16.16b, #0
+ movi v17.16b, #0
+ movi v18.16b, #0
+ movi v19.16b, #0
+ movi v20.16b, #0
+ movi v21.16b, #0
+
+Lselect_w5_loop:
+ // Loop 16 times.
+
+ // Increment index (loop counter); tested at the end of the loop
+ add w9, w9, #1
+
+ // [v22-v27] := Load a (3*256-bit = 6*128-bit) table entry starting at x1
+ // and advance x1 to point to the next entry
+ ld1 {v22.2d, v23.2d, v24.2d, v25.2d}, [x1],#64
+
+ // x11 := (w9 == w2)? All 1s : All 0s
+ cmp w9, w2
+ csetm x11, eq
+
+ // continue loading ...
+ ld1 {v26.2d, v27.2d}, [x1],#32
+
+ // duplicate mask_64 into Mask (all 0s or all 1s)
+ dup v3.2d, x11
+
+ // [v16-v19] := (Mask == all 1s)? [v22-v25] : [v16-v19]
+ // i.e., values in output registers will remain the same if w9 != w2
+ bit v16.16b, v22.16b, v3.16b
+ bit v17.16b, v23.16b, v3.16b
+
+ bit v18.16b, v24.16b, v3.16b
+ bit v19.16b, v25.16b, v3.16b
+
+ bit v20.16b, v26.16b, v3.16b
+ bit v21.16b, v27.16b, v3.16b
+
+ // If bit #4 is not 0 (i.e. idx_ctr < 16) loop back
+ tbz w9, #4, Lselect_w5_loop
+
+ // Write [v16-v21] to memory at the output pointer
+ st1 {v16.2d, v17.2d, v18.2d, v19.2d}, [x10],#64
+ st1 {v20.2d, v21.2d}, [x10]
+
+ ret
+
+
+
+////////////////////////////////////////////////////////////////////////
+// void ecp_nistz256_select_w7(uint64_t *val, uint64_t *in_t, int index);
+.globl _ecp_nistz256_select_w7
+.private_extern _ecp_nistz256_select_w7
+
+.align 4
+_ecp_nistz256_select_w7:
+ AARCH64_VALID_CALL_TARGET
+
+ // w9 := 0; loop counter and incremented internal index
+ mov w9, #0
+
+ // [v16-v21] := 0
+ movi v16.16b, #0
+ movi v17.16b, #0
+ movi v18.16b, #0
+ movi v19.16b, #0
+
+Lselect_w7_loop:
+ // Loop 64 times.
+
+ // Increment index (loop counter); tested at the end of the loop
+ add w9, w9, #1
+
+ // [v22-v25] := Load a (2*256-bit = 4*128-bit) table entry starting at x1
+ // and advance x1 to point to the next entry
+ ld1 {v22.2d, v23.2d, v24.2d, v25.2d}, [x1],#64
+
+ // x11 := (w9 == w2)? All 1s : All 0s
+ cmp w9, w2
+ csetm x11, eq
+
+ // duplicate mask_64 into Mask (all 0s or all 1s)
+ dup v3.2d, x11
+
+ // [v16-v19] := (Mask == all 1s)? [v22-v25] : [v16-v19]
+ // i.e., values in output registers will remain the same if w9 != w2
+ bit v16.16b, v22.16b, v3.16b
+ bit v17.16b, v23.16b, v3.16b
+
+ bit v18.16b, v24.16b, v3.16b
+ bit v19.16b, v25.16b, v3.16b
+
+ // If bit #6 is not 0 (i.e. idx_ctr < 64) loop back
+ tbz w9, #6, Lselect_w7_loop
+
+ // Write [v16-v19] to memory at the output pointer
+ st1 {v16.2d, v17.2d, v18.2d, v19.2d}, [x0]
+
+ ret
+
+#endif // !OPENSSL_NO_ASM
diff --git a/apple-aarch64/crypto/fipsmodule/p256_beeu-armv8-asm.S b/apple-aarch64/crypto/fipsmodule/p256_beeu-armv8-asm.S
new file mode 100644
index 0000000..317b813
--- /dev/null
+++ b/apple-aarch64/crypto/fipsmodule/p256_beeu-armv8-asm.S
@@ -0,0 +1,317 @@
+// This file is generated from a similarly-named Perl script in the BoringSSL
+// source tree. Do not edit by hand.
+
+#if !defined(__has_feature)
+#define __has_feature(x) 0
+#endif
+#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM)
+#define OPENSSL_NO_ASM
+#endif
+
+#if !defined(OPENSSL_NO_ASM)
+#if defined(BORINGSSL_PREFIX)
+#include <boringssl_prefix_symbols_asm.h>
+#endif
+#include "openssl/arm_arch.h"
+
+.text
+.globl _beeu_mod_inverse_vartime
+.private_extern _beeu_mod_inverse_vartime
+
+.align 4
+_beeu_mod_inverse_vartime:
+ // Reserve enough space for 14 8-byte registers on the stack
+ // in the first stp call for x29, x30.
+ // Then store the remaining callee-saved registers.
+ //
+ // | x29 | x30 | x19 | x20 | ... | x27 | x28 | x0 | x2 |
+ // ^ ^
+ // sp <------------------- 112 bytes ----------------> old sp
+ // x29 (FP)
+ //
+ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-112]!
+ add x29,sp,#0
+ stp x19,x20,[sp,#16]
+ stp x21,x22,[sp,#32]
+ stp x23,x24,[sp,#48]
+ stp x25,x26,[sp,#64]
+ stp x27,x28,[sp,#80]
+ stp x0,x2,[sp,#96]
+
+ // B = b3..b0 := a
+ ldp x25,x26,[x1]
+ ldp x27,x28,[x1,#16]
+
+ // n3..n0 := n
+ // Note: the value of input params are changed in the following.
+ ldp x0,x1,[x2]
+ ldp x2,x30,[x2,#16]
+
+ // A = a3..a0 := n
+ mov x21, x0
+ mov x22, x1
+ mov x23, x2
+ mov x24, x30
+
+ // X = x4..x0 := 1
+ mov x3, #1
+ eor x4, x4, x4
+ eor x5, x5, x5
+ eor x6, x6, x6
+ eor x7, x7, x7
+
+ // Y = y4..y0 := 0
+ eor x8, x8, x8
+ eor x9, x9, x9
+ eor x10, x10, x10
+ eor x11, x11, x11
+ eor x12, x12, x12
+
+Lbeeu_loop:
+ // if B == 0, jump to .Lbeeu_loop_end
+ orr x14, x25, x26
+ orr x14, x14, x27
+
+ // reverse the bit order of x25. This is needed for clz after this macro
+ rbit x15, x25
+
+ orr x14, x14, x28
+ cbz x14,Lbeeu_loop_end
+
+
+ // 0 < B < |n|,
+ // 0 < A <= |n|,
+ // (1) X*a == B (mod |n|),
+ // (2) (-1)*Y*a == A (mod |n|)
+
+ // Now divide B by the maximum possible power of two in the
+ // integers, and divide X by the same value mod |n|.
+ // When we're done, (1) still holds.
+
+ // shift := number of trailing 0s in x25
+ // ( = number of leading 0s in x15; see the "rbit" instruction in TEST_B_ZERO)
+ clz x13, x15
+
+ // If there is no shift, goto shift_A_Y
+ cbz x13, Lbeeu_shift_A_Y
+
+ // Shift B right by "x13" bits
+ neg x14, x13
+ lsr x25, x25, x13
+ lsl x15, x26, x14
+
+ lsr x26, x26, x13
+ lsl x19, x27, x14
+
+ orr x25, x25, x15
+
+ lsr x27, x27, x13
+ lsl x20, x28, x14
+
+ orr x26, x26, x19
+
+ lsr x28, x28, x13
+
+ orr x27, x27, x20
+
+
+ // Shift X right by "x13" bits, adding n whenever X becomes odd.
+ // x13--;
+ // x14 := 0; needed in the addition to the most significant word in SHIFT1
+ eor x14, x14, x14
+Lbeeu_shift_loop_X:
+ tbz x3, #0, Lshift1_0
+ adds x3, x3, x0
+ adcs x4, x4, x1
+ adcs x5, x5, x2
+ adcs x6, x6, x30
+ adc x7, x7, x14
+Lshift1_0:
+ // var0 := [var1|var0]<64..1>;
+ // i.e. concatenate var1 and var0,
+ // extract bits <64..1> from the resulting 128-bit value
+ // and put them in var0
+ extr x3, x4, x3, #1
+ extr x4, x5, x4, #1
+ extr x5, x6, x5, #1
+ extr x6, x7, x6, #1
+ lsr x7, x7, #1
+
+ subs x13, x13, #1
+ bne Lbeeu_shift_loop_X
+
+ // Note: the steps above perform the same sequence as in p256_beeu-x86_64-asm.pl
+ // with the following differences:
+ // - "x13" is set directly to the number of trailing 0s in B
+ // (using rbit and clz instructions)
+ // - The loop is only used to call SHIFT1(X)
+ // and x13 is decreased while executing the X loop.
+ // - SHIFT256(B, x13) is performed before right-shifting X; they are independent
+
+Lbeeu_shift_A_Y:
+ // Same for A and Y.
+ // Afterwards, (2) still holds.
+ // Reverse the bit order of x21
+ // x13 := number of trailing 0s in x21 (= number of leading 0s in x15)
+ rbit x15, x21
+ clz x13, x15
+
+ // If there is no shift, goto |B-A|, X+Y update
+ cbz x13, Lbeeu_update_B_X_or_A_Y
+
+ // Shift A right by "x13" bits
+ neg x14, x13
+ lsr x21, x21, x13
+ lsl x15, x22, x14
+
+ lsr x22, x22, x13
+ lsl x19, x23, x14
+
+ orr x21, x21, x15
+
+ lsr x23, x23, x13
+ lsl x20, x24, x14
+
+ orr x22, x22, x19
+
+ lsr x24, x24, x13
+
+ orr x23, x23, x20
+
+
+ // Shift Y right by "x13" bits, adding n whenever Y becomes odd.
+ // x13--;
+ // x14 := 0; needed in the addition to the most significant word in SHIFT1
+ eor x14, x14, x14
+Lbeeu_shift_loop_Y:
+ tbz x8, #0, Lshift1_1
+ adds x8, x8, x0
+ adcs x9, x9, x1
+ adcs x10, x10, x2
+ adcs x11, x11, x30
+ adc x12, x12, x14
+Lshift1_1:
+ // var0 := [var1|var0]<64..1>;
+ // i.e. concatenate var1 and var0,
+ // extract bits <64..1> from the resulting 128-bit value
+ // and put them in var0
+ extr x8, x9, x8, #1
+ extr x9, x10, x9, #1
+ extr x10, x11, x10, #1
+ extr x11, x12, x11, #1
+ lsr x12, x12, #1
+
+ subs x13, x13, #1
+ bne Lbeeu_shift_loop_Y
+
+Lbeeu_update_B_X_or_A_Y:
+ // Try T := B - A; if cs, continue with B > A (cs: carry set = no borrow)
+ // Note: this is a case of unsigned arithmetic, where T fits in 4 64-bit words
+ // without taking a sign bit if generated. The lack of a carry would
+ // indicate a negative result. See, for example,
+ // https://community.arm.com/developer/ip-products/processors/b/processors-ip-blog/posts/condition-codes-1-condition-flags-and-codes
+ subs x14, x25, x21
+ sbcs x15, x26, x22
+ sbcs x19, x27, x23
+ sbcs x20, x28, x24
+ bcs Lbeeu_B_greater_than_A
+
+ // Else A > B =>
+ // A := A - B; Y := Y + X; goto beginning of the loop
+ subs x21, x21, x25
+ sbcs x22, x22, x26
+ sbcs x23, x23, x27
+ sbcs x24, x24, x28
+
+ adds x8, x8, x3
+ adcs x9, x9, x4
+ adcs x10, x10, x5
+ adcs x11, x11, x6
+ adc x12, x12, x7
+ b Lbeeu_loop
+
+Lbeeu_B_greater_than_A:
+ // Continue with B > A =>
+ // B := B - A; X := X + Y; goto beginning of the loop
+ mov x25, x14
+ mov x26, x15
+ mov x27, x19
+ mov x28, x20
+
+ adds x3, x3, x8
+ adcs x4, x4, x9
+ adcs x5, x5, x10
+ adcs x6, x6, x11
+ adc x7, x7, x12
+ b Lbeeu_loop
+
+Lbeeu_loop_end:
+ // The Euclid's algorithm loop ends when A == gcd(a,n);
+ // this would be 1, when a and n are co-prime (i.e. do not have a common factor).
+ // Since (-1)*Y*a == A (mod |n|), Y>0
+ // then out = -Y mod n
+
+ // Verify that A = 1 ==> (-1)*Y*a = A = 1 (mod |n|)
+ // Is A-1 == 0?
+ // If not, fail.
+ sub x14, x21, #1
+ orr x14, x14, x22
+ orr x14, x14, x23
+ orr x14, x14, x24
+ cbnz x14, Lbeeu_err
+
+ // If Y>n ==> Y:=Y-n
+Lbeeu_reduction_loop:
+ // x_i := y_i - n_i (X is no longer needed, use it as temp)
+ // (x14 = 0 from above)
+ subs x3, x8, x0
+ sbcs x4, x9, x1
+ sbcs x5, x10, x2
+ sbcs x6, x11, x30
+ sbcs x7, x12, x14
+
+ // If result is non-negative (i.e., cs = carry set = no borrow),
+ // y_i := x_i; goto reduce again
+ // else
+ // y_i := y_i; continue
+ csel x8, x3, x8, cs
+ csel x9, x4, x9, cs
+ csel x10, x5, x10, cs
+ csel x11, x6, x11, cs
+ csel x12, x7, x12, cs
+ bcs Lbeeu_reduction_loop
+
+ // Now Y < n (Y cannot be equal to n, since the inverse cannot be 0)
+ // out = -Y = n-Y
+ subs x8, x0, x8
+ sbcs x9, x1, x9
+ sbcs x10, x2, x10
+ sbcs x11, x30, x11
+
+ // Save Y in output (out (x0) was saved on the stack)
+ ldr x3, [sp,#96]
+ stp x8, x9, [x3]
+ stp x10, x11, [x3,#16]
+ // return 1 (success)
+ mov x0, #1
+ b Lbeeu_finish
+
+Lbeeu_err:
+ // return 0 (error)
+ eor x0, x0, x0
+
+Lbeeu_finish:
+ // Restore callee-saved registers, except x0, x2
+ add sp,x29,#0
+ ldp x19,x20,[sp,#16]
+ ldp x21,x22,[sp,#32]
+ ldp x23,x24,[sp,#48]
+ ldp x25,x26,[sp,#64]
+ ldp x27,x28,[sp,#80]
+ ldp x29,x30,[sp],#112
+
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+
+#endif // !OPENSSL_NO_ASM
diff --git a/apple-x86_64/crypto/fipsmodule/x86_64-mont5.S b/apple-x86_64/crypto/fipsmodule/x86_64-mont5.S
index e1fd9c9..3a1768f 100644
--- a/apple-x86_64/crypto/fipsmodule/x86_64-mont5.S
+++ b/apple-x86_64/crypto/fipsmodule/x86_64-mont5.S
@@ -2066,187 +2066,6 @@
.byte 0xf3,0xc3
-.globl _bn_from_montgomery
-.private_extern _bn_from_montgomery
-
-.p2align 5
-_bn_from_montgomery:
-
- testl $7,%r9d
- jz bn_from_mont8x
- xorl %eax,%eax
- .byte 0xf3,0xc3
-
-
-
-
-.p2align 5
-bn_from_mont8x:
-
-.byte 0x67
- movq %rsp,%rax
-
- pushq %rbx
-
- pushq %rbp
-
- pushq %r12
-
- pushq %r13
-
- pushq %r14
-
- pushq %r15
-
-L$from_prologue:
-
- shll $3,%r9d
- leaq (%r9,%r9,2),%r10
- negq %r9
- movq (%r8),%r8
-
-
-
-
-
-
-
-
- leaq -320(%rsp,%r9,2),%r11
- movq %rsp,%rbp
- subq %rdi,%r11
- andq $4095,%r11
- cmpq %r11,%r10
- jb L$from_sp_alt
- subq %r11,%rbp
- leaq -320(%rbp,%r9,2),%rbp
- jmp L$from_sp_done
-
-.p2align 5
-L$from_sp_alt:
- leaq 4096-320(,%r9,2),%r10
- leaq -320(%rbp,%r9,2),%rbp
- subq %r10,%r11
- movq $0,%r10
- cmovcq %r10,%r11
- subq %r11,%rbp
-L$from_sp_done:
- andq $-64,%rbp
- movq %rsp,%r11
- subq %rbp,%r11
- andq $-4096,%r11
- leaq (%r11,%rbp,1),%rsp
- movq (%rsp),%r10
- cmpq %rbp,%rsp
- ja L$from_page_walk
- jmp L$from_page_walk_done
-
-L$from_page_walk:
- leaq -4096(%rsp),%rsp
- movq (%rsp),%r10
- cmpq %rbp,%rsp
- ja L$from_page_walk
-L$from_page_walk_done:
-
- movq %r9,%r10
- negq %r9
-
-
-
-
-
-
-
-
-
-
- movq %r8,32(%rsp)
- movq %rax,40(%rsp)
-
-L$from_body:
- movq %r9,%r11
- leaq 48(%rsp),%rax
- pxor %xmm0,%xmm0
- jmp L$mul_by_1
-
-.p2align 5
-L$mul_by_1:
- movdqu (%rsi),%xmm1
- movdqu 16(%rsi),%xmm2
- movdqu 32(%rsi),%xmm3
- movdqa %xmm0,(%rax,%r9,1)
- movdqu 48(%rsi),%xmm4
- movdqa %xmm0,16(%rax,%r9,1)
-.byte 0x48,0x8d,0xb6,0x40,0x00,0x00,0x00
- movdqa %xmm1,(%rax)
- movdqa %xmm0,32(%rax,%r9,1)
- movdqa %xmm2,16(%rax)
- movdqa %xmm0,48(%rax,%r9,1)
- movdqa %xmm3,32(%rax)
- movdqa %xmm4,48(%rax)
- leaq 64(%rax),%rax
- subq $64,%r11
- jnz L$mul_by_1
-
-.byte 102,72,15,110,207
-.byte 102,72,15,110,209
-.byte 0x67
- movq %rcx,%rbp
-.byte 102,73,15,110,218
- leaq _OPENSSL_ia32cap_P(%rip),%r11
- movl 8(%r11),%r11d
- andl $0x80108,%r11d
- cmpl $0x80108,%r11d
- jne L$from_mont_nox
-
- leaq (%rax,%r9,1),%rdi
- call __bn_sqrx8x_reduction
- call __bn_postx4x_internal
-
- pxor %xmm0,%xmm0
- leaq 48(%rsp),%rax
- jmp L$from_mont_zero
-
-.p2align 5
-L$from_mont_nox:
- call __bn_sqr8x_reduction
- call __bn_post4x_internal
-
- pxor %xmm0,%xmm0
- leaq 48(%rsp),%rax
- jmp L$from_mont_zero
-
-.p2align 5
-L$from_mont_zero:
- movq 40(%rsp),%rsi
-
- movdqa %xmm0,0(%rax)
- movdqa %xmm0,16(%rax)
- movdqa %xmm0,32(%rax)
- movdqa %xmm0,48(%rax)
- leaq 64(%rax),%rax
- subq $32,%r9
- jnz L$from_mont_zero
-
- movq $1,%rax
- movq -48(%rsi),%r15
-
- movq -40(%rsi),%r14
-
- movq -32(%rsi),%r13
-
- movq -24(%rsi),%r12
-
- movq -16(%rsi),%rbp
-
- movq -8(%rsi),%rbx
-
- leaq (%rsi),%rsp
-
-L$from_epilogue:
- .byte 0xf3,0xc3
-
-
.p2align 5
bn_mulx4x_mont_gather5:
diff --git a/crypto_test_data.cc b/crypto_test_data.cc
index 67371ed..be2e235 100644
--- a/crypto_test_data.cc
+++ b/crypto_test_data.cc
@@ -46,18 +46,18 @@
* crypto/cipher_extra/test/nist_cavp/tdes_cbc.txt \
* crypto/cipher_extra/test/nist_cavp/tdes_ecb.txt \
* crypto/curve25519/ed25519_tests.txt \
- * crypto/cmac/cavp_3des_cmac_tests.txt \
- * crypto/cmac/cavp_aes128_cmac_tests.txt \
- * crypto/cmac/cavp_aes192_cmac_tests.txt \
- * crypto/cmac/cavp_aes256_cmac_tests.txt \
* crypto/ecdh_extra/ecdh_tests.txt \
* crypto/evp/evp_tests.txt \
* crypto/evp/scrypt_tests.txt \
* crypto/fipsmodule/aes/aes_tests.txt \
* crypto/fipsmodule/bn/bn_tests.txt \
* crypto/fipsmodule/bn/miller_rabin_tests.txt \
+ * crypto/fipsmodule/cmac/cavp_3des_cmac_tests.txt \
+ * crypto/fipsmodule/cmac/cavp_aes128_cmac_tests.txt \
+ * crypto/fipsmodule/cmac/cavp_aes192_cmac_tests.txt \
+ * crypto/fipsmodule/cmac/cavp_aes256_cmac_tests.txt \
* crypto/fipsmodule/ec/ec_scalar_base_mult_tests.txt \
- * crypto/fipsmodule/ec/p256-x86_64_tests.txt \
+ * crypto/fipsmodule/ec/p256-nistz_tests.txt \
* crypto/fipsmodule/ecdsa/ecdsa_sign_tests.txt \
* crypto/fipsmodule/ecdsa/ecdsa_verify_tests.txt \
* crypto/fipsmodule/modes/gcm_tests.txt \
@@ -2330,55 +2330,9 @@
"28bb92e9a0edec8951ce2009a88ee1b64d9b9e89f69051203384210a102a44d2d6703173b68507dceadd3bf6510df2a5cefd9c80e4f385b2f9e6215813ed32\nSIG: 9da60cc4a64d07dee1346bd3d3010995ce2738208ab35b34c2a8fd1787ae3a1e207fe784525154fae4f5794cd8503045fea85cf77fd92f6a70cd0c5a52c0810e\n\nPRIV: 1126496a582ce58d3d618dd8a3933547aa7a8a30fb54063b8dfdd31671c6c73de10229c623fa8ad8982c3e4c36ff52df0f219b57915b6e980e5fe72ea0962e22\nPUB: e10229c623fa8ad8982c3e4c36ff52df0f219b57915b6e980e5fe72ea0962e22\nMESSAGE: 6a4b52d730ddab829b2a179590cbd4c372498e9f439977c0a10dc13c0ae1736eaaff063371434fd0da80360ec5890607d2fae1c9a2e1ab0b7f3d667f5b1b9c418f18b10c9e6fd669d3ebec168efef44163e577a2ebd0f2cb768f80c23188e86069e4d10f410306cedd7a341a61e0f4f3bc25041bc2f922ed073e1e2f1b709c579d10630f33071754d707894a1c62190de18882c564dc4c01dc545dd8966404ed78fa3267a9469f63b6120abb65f9b3ba3eee28d79c2eb4e7020cc6987dfc5c29672f8c0fa3e690d584fe000c64f352610179621bfd5ff3eb30d18f1a0250416db93b1c1e93cf8a3646517560d1cc8fff822b51ef27b200e987b592390753453ef138bd3d29db7cb1b5f45e4795b89c53f49704192752237c6ab274849f9594ee9777f6efe70483129d067f97199d9ae36090703864f7ca4750a6f3b6ff83824c910484394d1e2eceba18446fe4e994ce07433a740ddd05f0e396d482894e6f14acf7b97bae6c7eb88703039fa785d60a3af78b13243a4f88dde1d998617f2e3fa7eafc2f435dd4ac1ea9c238407aa09b4eea8ed434927b406674ac270458cfb3bf29c347f94559613179b9502192321b88e9af0a90e9a4ab9eddaae382e3734d1415ebe32499c34e6fdeaf15b0d9787985e08dfe495460c54f6743d81ff16881e5e30c51f4b092373783f12423c3e1ae8591130a269980caa1cb5c\nSIG: b30eb56ca9b120bf849a3a9d56af033de8a590c9e1240c1e36dbc6cf0a71b78a11ec143fb9959a8f25b57711d6a90a67e01be3a4da2b69394869bb8d64b87e0f\n\nPRIV: 9c167aff3b1b788f133d422de8ca9a64316409f9e35bfe22032ec417ae9abc6defb534f0d47c068e77b28a906d95ad8d213a4d4fc1c70542f01e596d57b5f019\nPUB: efb534f0d47c068e77b28a906d95ad8d213a4d4fc1c70542f01e596d57b5f019\nMESSAGE: 68ac0fc2b607ba38e377fae845c808c8f9fa614eb1f31158a9620a937d3e301e85acaa69144bc349a39dfb582041c4a197ae99b4d4d59b7a2ca3d16228b5591cbf57c18a781efd19193c47b16c6023a3a8ba3d668f05a37f1e83b0d7febdd10f63e48ef7a20e015b1c6725d4c300a986c60e3a115469c8e52ba05b51c05d0af40d89fd9ed76f36950aee3c7819898a903cfe0361a91c69100b495141e86ee79d63d17403fb1a1629ef63cb7e9d2720cbfff0002b190bcdc26794124dd38d42bcaa7175405eb0bbcf8e37d65d05a37195b479371fa2bbbb167d91cee88235dd72ea88fc73ce3ce43d33b715f25f192ec215dac124899c5e7586e86340d8cbe53735defbe02e4cc9fde69fb9794d1db72b98c0f19766ee5138bbfa78909aa299b4913c499deaf54b4841d5044829984936700dcf92f36542b2fc7e86441b9925f5d0b78c17a85cfcfcb20b0fd751349c27463abde4d27df74265288713f96dea013b945521808b4996b1b2dc0338b6d236efd6d2b27dafda46ec5fa32b965e8bb5e8bb61bd966edeb774681e0ea8c17b8c99fa7d660f0f66c9bc6d95cbd7dc094724098eb05191b53a3df6566b9c90e0d7dff2943848b61a20d48c22b6d3c958e293d709c8f48110230ff51918562877daf6d920c85a82e07c451fe7ae9759c0a77e97bb298b5d0592a41d08f67a4ed5a1bb41e937b6a68aeb38fd5be9\nSIG: c9ae67fd6415dcbab292fab394ca6c3b7d90ca244dc6a7764e74fd202bf4b2905bd2030e6beb914c3c238db371b1cba6d9261aa392ec871a4b8b12fe9c1c970e\n\nPRIV: e9948805eb341b2867479c668fd3532c309941c0ad4cb2e54231756e6a1bdecb5447a8e34d6a640002d8d60bcf1ddc711e4c465c94c34b50bdef358960ff81f1\nPUB: 5447a8e34d6a640002d8d60bcf1ddc711e4c465c94c34b50bdef358960ff81f1\nMESSAGE: 91cffd7eb1cf6bd4756bce6a30af9dfba26ddd1cce0394c194a3e39cc3d1cbc221b7eb70bea18d29c267457176a3c9e53c18e47d10a67c464505197702e6b2470d38869db5174b158f9992e4435d02246f540258dedd3ce33df582555a681fb76ecaccb1c2989b177e3b7e454aaa529de59bf5a03123d571df2e7f7cb830805c58b74a653bac0e5a888e08dc2236d6cd496aa06d0d67cf3b335e218c49dedad82fc1be9ef20cac61905c30eb132d739b16ca8a8c906619c0e0d8b33985327e36f3d4b8fda387c186cc50443104db761f7ff9301270204a713e58902101fad000ce931647c577fdec148dca95cdc08918ebed037c60332fadf088f036083ebc92e173b7ddcc30c493f27e69cd17a20d30b78f83a72e4f5a747d86d96c5e1bb7a438166204013e2164d6aabc0d562f54015c365c80445607145e5692ee34f6353077fab7452d88ce3eb01d2b3797dc91b341a3a726301516baae18e851f74dfbdf0866bb2376867de55231e362c472c52116544cd4f81e93571c4ec820e7e653f4e21be0a942576c9de91e7d1251683d859de448f822dcf3d2cf55ede2f9c71b6063d1373061f8f5936b698d1384e65459ea2bc26ec96775ef425207432dda0ac1fe28526c5e4559349c3d8df9918230f4044683cc2c1b858d141ab8d0805bb9336067522aa89c810f3eaa7ac2d8dd28c3751225a19ecec8bcca52439946\nSIG: d3dc62d6ce9c766f2abaf9a7fbe09d6bdb07a4747b56080db09beb4a4e804a70d7ddf4119475c7be834f31956f4a71dad029cdf2363dd0365ce22dc27f078003\n\nPRIV: b01753efa73bb3de7aa778be7afcbff66a5d3e2c2f8b5aa2b048844050996965d0cc6cf109c999fbf6d16f471fafd0232b0a68d4c46406ec7545dbaba8194158\nPUB: d0cc6cf109c999fbf6d16f471fafd0232b0a68d4c46406ec7545dbaba8194158\nMESSAGE: 684e612f27eead0d34844cc81ba911c28aaf6d66e71229e8cc3462f7c7a050daa30cb74471150f07dad459b5a91358476c0598255d8a642dd7c0802811bd88e4cac597efe41ebd96cd0f3b5ce72db4be1a3dbd6b84f5446e3da600d3b1d2b460a009bd31cacd98a91518ce33e9a703d404288736ccc43103fc69e67974f31652fa3dadef3337f6c897a3d201303c8f03597b4a87c98f291ccd58a3f1e898332aa5993b47fcb5ddaa1c0868b643742d0e4a4b9cd427038b3b74999bc89ac3484c0ca13f25aae8e78ae1ccee6218accab81a4f694f5324a347629d49b55e4037504a9acc8df58c6841dddcd4fc4347f7b6f1fd9de0564577e6f329ed951a0a6b9124ff63e22eb36d3a8863bc1bf69cea24c605967e7d8948953f27d5c4c75f0849f872a3e3d16d422fa5a11e1b9a74df6f38b90f277d81fce8437a14d99d2bef189d7cac83ddc61377ed348b3c4fc09ec2b9005925d04a71e26d641667bdf549294331c6ea01cd5c0bd1b6a7ecfda20b0f1929582b74697cb262c3927d6b223f4b5f3043aa6eb4571a78e9da11c2b36f64552580caa7b5fa6b90f929e0162e608d1240d7242cd2f47025c03debe059b1dc94770232bc6765148480bb1d9f50da1ee6448cf9c88b19dd459932c06ed811c4a64a12d5938bd1c757bcfaeaee8933fe5fff21763de740482bcf1ba59afdc8fcf873c3d507bb394e32e45f736519\nSIG: 16b7421227ae09130685cbb1a0c60aa57a5e1afe1bbe6bacea0c281bcc8998e6824a772c3208a6b6b4d236695505c9be82700cf93a783985a39e16e377a7410e\n\nPRIV: 4f4b20d899366f2f23ee628f229b236cf80f43ba183177c97ee34829546f1742c94576641f4a893cdfcee7b39fc21929b86b349976d7b0a46d39a588bcfe4357\nPUB: c94576641f4a893cdfcee7b39fc21929b86b349976d7b0a46d39a588bcfe4357\nMESSAGE: db8ef02e3033e6b96a56cab05082fb4695f4a1c916250dd75173f430a10c9468817709d37623346ae8245b42bda0da6b60462ccfdfc75a9ab994e66c9ab9fecdd8599610910affe4f10215cb280bf8f9f2700a444796dae93e06c6bea7d8b4fe1301baa79ccec769368feb2442c7de84f095e6b3bff63d388cbafb2b9809dc38e9b12ebd039c0a57f4d522e91ec8d1f2b8d23a4a0ae059af85393bb0a15f749110f6774a1fd731a6ec213e4ff435daab546d31ed9ec3b6d8cc2edacebf4facc5566556eea92e5b3f2542239b25e28012dd4ef40072eebf83ed2a255181f3a442189d68c6c609f4dfdf3db7d67d087a2fcd6d2dc50bbfed8bfbbfcb74d3c41f02a87865b13b8efcf5c3581257be0aa913f60c370527bde11a475c136a17c5eefeb03f5bff28693ed841e8ed1f7c29102f5599dd444009bcea6a92d5574152458e0caf8a36aa72b5dc4908a6461c9b741453005c8fbcc68113ae184208ee14b835480c6efafed18a76000b38e5858290f4d51f52f096cbe490e1eb5cacb226ec495a55a7fa457843d57fab67f8be7e209334785bdd665d7b63e4daf57b6e78928b603c8c0f9bc85464733b61273ef9e2b8a0cd7c3bf8ee0a6872e34d5a27a625e35eaf7ff5440b8b141af704df70c9c18623bd11209513192505105cd7bcfa5f0d919da706948fbe1f761f315846aa3b4813dd9ba3d81b9204e5409c0382b6eb\nSIG: 0f80ff5d17488fe26f93c543b04ed959b5f0643fc61c7f2c3bc60132ba9c6210c8b250ea5e84d07b01de68bc174414eeeb31fdc2ba6823e231e312a91ededd02\n\n\n# Additional test vectors from RFC 8032\n\nPRIV: f5e5767cf153319517630f226876b86c8160cc583bc013744c6bf255f5cc0ee5278117fc144c72340f67d0f2316e8386ceffbf2b2428c9c51fef7c597f1d426e\nPUB: 278117fc144c72340f67d0f2316e8386ceffbf2b2428c9c51fef7c597f1d426e\nMESSAGE: 08b8b2b733424243760fe426a4b54908632110a66c2f6591eabd3345e3e4eb98fa6e264bf09efe12ee50f8f54e9f77b1e355f6c50544e23fb1433ddf73be84d879de7c0046dc4996d9e773f4bc9efe5738829adb26c81b37c93a1b270b20329d658675fc6ea534e0810a4432826bf58c941efb65d57a338bbd2e26640f89ffbc1a858efcb8550ee3a5e1998bd177e93a7363c344fe6b199ee5d02e82d522c4feba15452f80288a821a579116ec6dad2b3b310da903401aa62100ab5d1a36553e06203b33890cc9b832f79ef80560ccb9a39ce767967ed628c6ad573cb116dbefefd75499da96bd68a8a97b928a8bbc103b6621fcde2beca1231d206be6cd9ec7aff6f6c94fcd7204ed3455c68c83f4a41da4af2b74ef5c53f1d8ac70bdcb7ed185ce81bd84359d44254d95629e9855a94a7c1958d1f8ada5d0532ed8a5aa3fb2d17ba70eb6248e594e1a2297acbbb39d502f1a8c6eb6f1ce22b3de1a1f40cc24554119a831a9aad6079cad88425de6bde1a9187ebb6092cf67bf2b13fd65f27088d78b7e883c8759d2c4f5c65adb7553878ad575f9fad878e80a0c9ba63bcbcc27",
"32e69485bbc9c90bfbd62481d9089beccf80cfe2df16a2cf65bd92dd597b0707e0917af48bbb75fed413d238f5555a7a569d80c3414a8d0859dc65a46128bab27af87a71314f318c782b23ebfe808b82b0ce26401d2e22f04d83d1255dc51addd3b75a2b1ae0784504df543af8969be3ea7082ff7fc9888c144da2af58429ec96031dbcad3dad9af0dcbaaaf268cb8fcffead94f3c7ca495e056a9b47acdb751fb73e666c6c655ade8297297d07ad1ba5e43f1bca32301651339e22904cc8c42f58c30c04aafdb038dda0847dd988dcda6f3bfd15c4b4c4525004aa06eeff8ca61783aacec57fb3d1f92b0fe2fd1a85f6724517b65e614ad6808d6f6ee34dff7310fdc82aebfd904b01e1dc54b2927094b2db68d6f903b68401adebf5a7e08d78ff4ef5d63653a65040cf9bfd4aca7984a74d37145986780fc0b16ac451649de6188a7dbdf191f64b5fc5e2ab47b57f7f7276cd419c17a3ca8e1b939ae49e488acba6b965610b5480109c8b17b80e1b7b750dfc7598d5d5011fd2dcc5600a32ef5b52a1ecc820e308aa342721aac0943bf6686b64b2579376504ccc493d97e6aed3fb0f9cd71a43dd497f01f17c0e2cb3797aa2a2f256656168e6c496afc5fb93246f6b1116398a346f1a641f3b041e989f7914f90cc2c7fff357876e506b50d334ba77c225bc307ba537152f3f1610e4eafe595f6d9d90d11faa933a15ef1369546868a7f3a45a96768d40fd9d03412c091c6315cf4fde7cb68606937380db2eaaa707b4c4185c32eddcdd306705e4dc1ffc872eeee475a64dfac86aba41c0618983f8741c5ef68d3a101e8a3b8cac60c905c15fc910840b94c00a0b9d0\nSIG: 0aab4c900501b3e24d7cdf4663326a3a87df5e4843b2cbdb67cbf6e460fec350aa5371b1508f9f4528ecea23c436d94b5e8fcd4f681e30a6ac00a9704a188a03\n\nPRIV: 833fe62409237b9d62ec77587520911e9a759cec1d19755b7da901b96dca3d42ec172b93ad5e563bf4932c70e1245034c35467ef2efd4d64ebf819683467e2bf\nPUB: ec172b93ad5e563bf4932c70e1245034c35467ef2efd4d64ebf819683467e2bf\nMESSAGE: ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f\nSIG: dc2a4459e7369633a52b1bf277839a00201009a3efbf3ecb69bea2186c26b58909351fc9ac90b3ecfdfbc7c66431e0303dca179c138ac17ad9bef1177331a704\n",
};
-static const size_t kLen32 = 41961;
+static const size_t kLen32 = 58307;
static const char *kData32[] = {
- "# This file has been modified to remove the 65536-byte long inputs.\r\n\r\n# CAVS 11.0\r\n# CMACVer information \r\n# Algorithms tested:Alg = TDES KeySize = 3 Mode = Verify \r\n# Generated on Tue Mar 15 08:40:47 2011\r\n\r\n\r\nCount = 0\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 1\r\nKey1 = 3bb96170d5df4cce\r\nKey2 = 25d5daa22a982f08\r\nKey3 = 52f4a110dcdc9e45\r\nMsg = 00\r\nMac = 96\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 1\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 1\r\nKey1 = 9413d38685688f58\r\nKey2 = dc38b6b3cef125f1\r\nKey3 = 5b61f4f7a1c46ed6\r\nMsg = 00\r\nMac = fc\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 2\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 1\r\nKey1 = 101a2f13fbb69473\r\nKey2 = 76fb98f24073f4d5\r\nKey3 = 2ca2706d76d00b67\r\nMsg = 00\r\nMac = 53\r\nResult = P\r\n\r\nCount = 3\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 1\r\nKey1 = 2f8a238552c1e367\r\nKey2 = f8131f1c26ab3289\r\nKey3 = 83d5b6ba253bea31\r\nMsg = 00\r\nMac = 95\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 4\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 1\r\nKey1 = c1bafb5dc7100758\r\nKey2 = e9ef047a58b5ba89\r\nKey3 = 76cb4fb55ebcc1c7\r\nMsg = 00\r\nMac = f4\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 5\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 1\r\nKey1 = c82c29f1cb5851b6\r\nKey2 = 8b5b45dcbf0d8079\r\nKey3 = e6407057ae34ec0b\r\nMsg = 00\r\nMac = 03\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 6\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 1\r\nKey1 = 6b455116f4f883d5\r\nKey2 = a81a206d25152aab\r\nKey3 = 86dc07b607202abc\r\nMsg = 00\r\nMac = 75\r\nResult = P\r\n\r\nCount = 7\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 1\r\nKey1 = c873d5bc4598d0b0\r\nKey2 = 1c1523cb4f794c8a\r\nKey3 = cedf6797d523dcab\r\nMsg = 00\r\nMac = 2e\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 8\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 1\r\nKey1 = 45ce943bd31fe9b5\r\nKey2 = 677cc47c13c24923\r\nKey3 = 6b2086f14934838a\r\nMsg = 00\r\nMac = 01\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 9\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 1\r\nKey1 = 804f9ef7baf7dfc7\r\nKey2 = 9bb6494cb60b8c07\r\nKey3 = 2080fe52e0d3943d\r\nMsg = 00\r\nMac = c3\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 10\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 1\r\nKey1 = 73c10b833e1043ab\r\nKey2 = 16dcd343645d5207\r\nKey3 = 6426f7f88c3473c8\r\nMsg = 00\r\nMac = 8b\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 11\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 1\r\nKey1 = 310d54d96bc73452\r\nKey2 = bae34f158ceafb04\r\nKey3 = 4651c1b53de3da26\r\nMsg = 00\r\nMac = ce\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 12\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 1\r\nKey1 = 0e3d49d0e692f20e\r\nKey2 = a9cd384a3b688c0e\r\nKey3 = 584ae5f794f8fe7f\r\nMsg = 00\r\nMac = 4b\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 13\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 1\r\nKey1 = b0fda857ea402f0b\r\nKey2 = d567e9f48568f1e0\r\nKey3 = 0ec2ad452a547a91\r\nMsg = 00\r\nMac = 04\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 14\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 1\r\nKey1 = 1ac1543b1591f270\r\nKey2 = dcda0e9870b9d949\r\nKey3 = 68ea9b1c4380ae9e\r\nMsg = 00\r\nMac = 43\r\nResult = P\r\n\r\nCount = 15\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 1\r\nKey1 = d0b008aea4454551\r\nKey2 = 9234a7731ab610b5\r\nKey3 = 2fb97a8ffbaedae6\r\nMsg = 00\r\nMac = 4c\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 16\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 1\r\nKey1 = 04793b0b0e976d0b\r\nKey2 = bf493e58fb73681f\r\nKey3 = 1f54a262d649b985\r\nMsg = 00\r\nMac = 77\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 17\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 1\r\nKey1 = 043b759b578ae570\r\nKey2 = 5e522f19cb9de092\r\nKey3 = 2af2e90eb6dcc1fd\r\nMsg = 00\r\nMac = 77\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 18\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 1\r\nKey1 = e58520088910513d\r\nKey2 = 7c10196e1a310dd5\r\nKey3 = 5b043b2a1ab97f85\r\nMsg = 00\r\nMac = 1c\r\nResult = P\r\n\r\nCount = 19\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 1\r\nKey1 = f27fd0f189452c15\r\nKey2 = 04681651014916ab\r\nKey3 = 204046aeeffecd15\r\nMsg = 00\r\nMac = 0b\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 20\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 8\r\nKey1 = 860864a710ab0475\r\nKey2 = b9205751bfd91f7f\r\nKey3 = 3bf72abf13d97640\r\nMsg = 00\r\nMac = e890abe6ea126215\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 21\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 8\r\nKey1 = a7a1d57aabf1137c\r\nKey2 = fd0df2e35b8cdf2a\r\nKey3 = b386755bc2ab3d9d\r\nMsg = 00\r\nMac = f475587c2101eff2\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 22\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 8\r\nKey1 = c2c28a4c7698804c\r\nKey2 = ab25b53783dc0419\r\nKey3 = ab16341f4cead054\r\nMsg = 00\r\nMac = d335575aa3a4d8af\r\nResult = P\r\n\r\nCount = 23\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 8\r\nKey1 = 7594a7aed3e986ba\r\nKey2 = 52a280e662d9e9da\r\nKey3 = 7649d3ad6838f2c2\r\nMsg = 00\r\nMac = 0e109f43557f250f\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 24\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 8\r\nKey1 = 0798d9ef158cd698\r\nKey2 = fff4ade09b169762\r\nKey3 = 5b6e6849ec2c238a\r\nMsg = 00\r\nMac = 05af623529b168a9\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 25\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 8\r\nKey1 = 254991cb4af76dc8\r\nKey2 = 2cf2e915918a025b\r\nKey3 = 2c61bfaee69b2676\r\nMsg = 00\r\nMac = 725ab7a770762894\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 26\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 8\r\nKey1 = 9f68cbbf3bb5b3da\r\nKey2 = 31adb5a46e2cc8e3\r\nKey3 = f86ed9eaabb625da\r\nMsg = 00\r\nMac = 0422d94f874dda7e\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 27\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 8\r\nKey1 = 1fd51f70a77ac8e9\r\nKey2 = 5dd9986e974c08ec\r\nKey3 = fd61ce34a75279f7\r\nMsg = 00\r\nMac = a163a5d269b3cc3e\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 28\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 8\r\nKey1 = 078c57d6df9ba1d5\r\nKey2 = 08d94ac1b3d3c183\r\nKey3 = e90bf4fe7973c2c7\r\nMsg = 00\r\nMac = 9af3f01e20dc7c1e\r\nResult = P\r\n\r\nCount = 29\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 8\r\nKey1 = 08df322f040e7c01\r\nKey2 = e92343e69d83eac7\r\nKey3 = fe94c1ec0da22c1a\r\nMsg = 00\r\nMac = 3d88c20a4f828c5b\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 30\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 8\r\nKey1 = b2ecf41c8692c2b0\r\nKey2 = 8ff18c1f1f296454\r\nKey3 = 383dcbc4a28c7629\r\nMsg = 00\r\nMac = 17241dc726fa4c56\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 31\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 8\r\nKey1 = 07d99d58f2ec1fd5\r\nKey2 = ea46c73bf4b60ed0\r\nKey3 = f20ec149c831aecb\r\nMsg = 00\r\nMac = f6a8a0b536fd97d3\r\nResult = P\r\n\r\nCount = 32\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 8\r\nKey1 = 3dfdc19426fbd56d\r\nKey2 = b03b7985b32af857\r\nKey3 = a807c7b3621ffdda\r\nMsg = 00\r\nMac = 3ef9b263ae1df460\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 33\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 8\r\nKey1 = fbc79bab46b97923\r\nKey2 = ece6da4c40f1e6e9\r\nKey3 = eaa76770ef517a40\r\nMsg = 00\r\nMac = b2da3efa7fc64abe\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 34\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 8\r\nKey1 = 5ba4a1d5a80db5ef\r\nKey2 = 7ce6aeb9261cb00b\r\nKey3 = 8a5df23ea445e0c8\r\nMsg = 00\r\nMac = 51b2e75334d90889\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 35\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 8\r\nKey1 = e9c494e001027c86\r\nKey2 = c4649e58ea251904\r\nKey3 = 8025343dec34409e\r\nMsg = 00\r\nMac = 166123f1c59132a3\r\nResult = P\r\n\r\nCount = 36\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 8\r\nKey1 = 6bce61e646452a46\r\nKey2 = 54ba8a020d0876fb\r\nKey3 = 34ea2f6149bad664\r\nMsg = 00\r\nMac = b0d0f625f06f2a3a\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 37\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 8\r\nKey1 = 2f38f79bc8e0ea4a\r\nKey2 = d09876f22ca43e10\r\nKey3 = 3b8fab02299d328c\r\nMsg = 00\r\nMac = b26d377a504b8985\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 38\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 8\r\nKey1 = 51febf790815f1d0\r\nKey2 = 9152d5e32f6713fb\r\nKey3 = 4a40c2c8fdb9f2b5\r\nMsg = 00\r\nMac = a27978e62026743b\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 39\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 8\r\nKey1 = 10ba8fd6256ee9a4\r\nKey2 = fa8332a46ead52ab\r\nKey3 = b0e06e1fef04abb5\r\nMsg = 00\r\nMac = e1b0a228c142555c\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 40\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 1\r\nKey1 = f2fbab6734769e9b\r\nKey2 = ab45910e5775ab0d\r\nKey3 = 5bd5ea0db015a89e\r\nMsg = 7efeb7d4d14b3f2b3df4b8a276b18b49\r\nMac = 5c\r\nResult = P\r\n\r\nCount = 41\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 1\r\nKey1 = 5bc776ba64adf4ea\r\nKey2 = 195e04987c62a4f2\r\nKey3 = c1642fdc1a31705d\r\nMsg = d1fb4f35914404af9df3bf5c368c0e69\r\nMac = 4d\r\nResult = F (1 - Message changed)\r\n\r\nCount = 42\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 1\r\nKey1 = b67c57f770202c6e\r\nKey2 = e91f4fb361bcae37\r\nKey3 = ada8d3df4fbcf4b9\r\nMsg = 9800db878187c87ea05bf92054b0e3e3\r\nMac = 8b\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 43\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 1\r\nKey1 = ce0bc48002fe7602\r\nKey2 = e702abe31c7a2313\r\nKey3 = d61964867f2579da\r\nMsg = 704e4e75be1623b21332c14555bf5edc\r\nMac = b0\r\nResult = F (2 - Key or Key2 changed",
- ")\r\n\r\nCount = 44\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 1\r\nKey1 = ad75e32cc11980f2\r\nKey2 = d0570429680e9486\r\nKey3 = c2379207f862dcfd\r\nMsg = 197de855b3962b1fdad687f9c4f1efd6\r\nMac = 44\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 45\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 1\r\nKey1 = 9db504803d29f126\r\nKey2 = 07fe58b3da765bad\r\nKey3 = 6dc489516e9bb5f8\r\nMsg = 8f296b265fa575d146799f9e39d52965\r\nMac = 14\r\nResult = P\r\n\r\nCount = 46\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 1\r\nKey1 = 991f0ed04079293d\r\nKey2 = 57077ff1baecd907\r\nKey3 = dcc7a719c4372967\r\nMsg = d9cfcc67520c5b2ceeb622c694a8e3fe\r\nMac = a3\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 47\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 1\r\nKey1 = eca815d6b0371cf1\r\nKey2 = 597980cdb6c892df\r\nKey3 = 3dba0ed3ba16ae1c\r\nMsg = a03636db2fdc84722aeb9d98a6ed70d0\r\nMac = 78\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 48\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 1\r\nKey1 = ea80a43d5886dfef\r\nKey2 = 08bf4f76a8893732\r\nKey3 = 4557a13752d6730d\r\nMsg = 0371a63ad722523ef297d8399b124593\r\nMac = be\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 49\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 1\r\nKey1 = e9fe73e640808c02\r\nKey2 = 9be6986446012091\r\nKey3 = 707023615462a40e\r\nMsg = 83bcb484dca73d49ac234ece3a5d2ad3\r\nMac = d6\r\nResult = F (1 - Message changed)\r\n\r\nCount = 50\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 1\r\nKey1 = 1fe9800ecb0dd9f1\r\nKey2 = dbbc6bc72c794c23\r\nKey3 = 899b08469b6bc8b5\r\nMsg = 95f4a41c4c64cd7310fba748aa267a14\r\nMac = 59\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 51\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 1\r\nKey1 = 34546261a21c1c43\r\nKey2 = 0449eaeca4f29725\r\nKey3 = 4cc4e6525186802f\r\nMsg = d204de1e671d3e43670dd67fee114402\r\nMac = 6e\r\nResult = F (1 - Message changed)\r\n\r\nCount = 52\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 1\r\nKey1 = 048aa8701fb5fe26\r\nKey2 = d56bd53d83e60bd9\r\nKey3 = 6707d6523ebc32f4\r\nMsg = f4e9f92fd2c9313fb61a889eaa4ff283\r\nMac = d5\r\nResult = P\r\n\r\nCount = 53\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 1\r\nKey1 = 6ec19b02976e5ba2\r\nKey2 = 13540732d997c2b6\r\nKey3 = 7f4068926183251c\r\nMsg = 963363ab7c82b634974954bd0fe2c307\r\nMac = d7\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 54\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 1\r\nKey1 = f4ecea5d32e32c6e\r\nKey2 = 385710cd3eb0fe51\r\nKey3 = 5d4c8f7ccdf10154\r\nMsg = a298857dc60ad2f0a8fa878607b50c18\r\nMac = 4c\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 55\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 1\r\nKey1 = b31ff49dd970f8e9\r\nKey2 = 164aefb00efb5461\r\nKey3 = 981629757f4532dc\r\nMsg = fc3957b2ed0558bce61d478be615b774\r\nMac = 90\r\nResult = P\r\n\r\nCount = 56\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 1\r\nKey1 = 85384543d3aef157\r\nKey2 = 57ea916d9b2fd0c8\r\nKey3 = 1a85830473fbe6c4\r\nMsg = 87db0d9d69bc0cf69cabeb92570e482b\r\nMac = 53\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 57\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 1\r\nKey1 = 9bf8fb0b464070f8\r\nKey2 = 10ea23c7e5a19bcb\r\nKey3 = 408c236e10863e2a\r\nMsg = f9c98cd8a7d27553da946427b8276349\r\nMac = 53\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 58\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 1\r\nKey1 = 91b083e9c8e9803b\r\nKey2 = 76d0341cd54c38e5\r\nKey3 = 07bca7f44a3e76bc\r\nMsg = 7e5b64dc6bcbae6bb4496fc033947343\r\nMac = de\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 59\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 1\r\nKey1 = e6795b1ffe8f3e38\r\nKey2 = 4fdcea8c73c76e75\r\nKey3 = df0726ae4c079461\r\nMsg = 5265fb6a796d99a6beec6f71ba267b5d\r\nMac = e0\r\nResult = F (1 - Message changed)\r\n\r\nCount = 60\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 8\r\nKey1 = 375710c76202bff1\r\nKey2 = 3bb96170d5df4cce\r\nKey3 = 23d5daa22a982f08\r\nMsg = 52f5a110dddc9f44f8a534eef9df0b22\r\nMac = b1b9e11939228900\r\nResult = P\r\n\r\nCount = 61\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 8\r\nKey1 = b59b855dce76adf4\r\nKey2 = be9bae10fe34fb1c\r\nKey3 = 0d49159bf804a4ea\r\nMsg = 869f3b62ee78bfeb5287168eacf69ccb\r\nMac = 169a389352793c8b\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 62\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 8\r\nKey1 = 615d792a7038fd89\r\nKey2 = 98ce972f016e75a8\r\nKey3 = c470255783b32f01\r\nMsg = e5aed6715aa4291f9c32baf6b8449b53\r\nMac = 73ac2da999bfdf5d\r\nResult = F (1 - Message changed)\r\n\r\nCount = 63\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 8\r\nKey1 = 1fb09443a1074564\r\nKey2 = 3d1aa82c086eba13\r\nKey3 = c137d0f4ea54d604\r\nMsg = 16f02efd285381d7657ca5cd99d9e25b\r\nMac = 38126d16957893ce\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 64\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 8\r\nKey1 = 2e5d163461fea761\r\nKey2 = 9173bf75372fb640\r\nKey3 = 9e3d1c3dcdbfbc31\r\nMsg = b10fcb03443302ae929ff95a17b025fa\r\nMac = b70f2d761ca643c9\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 65\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 8\r\nKey1 = b9e5861c1c4013d3\r\nKey2 = d554806efd3801a1\r\nKey3 = 64d9bc3d646e76dc\r\nMsg = 0e6c9fced82669cffe7b5a6f09dceec8\r\nMac = 78ce4635e486635a\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 66\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 8\r\nKey1 = ad2376516b974c70\r\nKey2 = cd3b5870c2312929\r\nKey3 = 1a731a7feacbf783\r\nMsg = 88eb7a0379da9d113343dc1fe0f3e6f7\r\nMac = 0c949483e7fa7d0c\r\nResult = F (1 - Message changed)\r\n\r\nCount = 67\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 8\r\nKey1 = 9ada194c100eeacb\r\nKey2 = da23ad9825c194d0\r\nKey3 = 3ef1f4c438dce031\r\nMsg = 0f9703a3454c25c0b1053de62b0ffc5b\r\nMac = c78a4ca3662527e5\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 68\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 8\r\nKey1 = e375f870f4d55b02\r\nKey2 = 1b015791e3e337b3\r\nKey3 = 370dc45b15671c5b\r\nMsg = 5ad9dd3b112ea4cee1654d2dfabab01e\r\nMac = 22becbbe7bfcade5\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 69\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 8\r\nKey1 = d61f4aeff4b5f2f8\r\nKey2 = 0486b53de3ecc297\r\nKey3 = 807fe92fc2fed376\r\nMsg = d094cf77a709c0fa5d6b4b7e9e86a2c2\r\nMac = 947d024d9d5359a8\r\nResult = P\r\n\r\nCount = 70\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 8\r\nKey1 = c2c28a4c7698804c\r\nKey2 = ab25b53783dc0419\r\nKey3 = ab16341f4cead054\r\nMsg = 7295a7aed3e987baef19ad68c33ba5a5\r\nMac = 58de82acc10d556f\r\nResult = P\r\n\r\nCount = 71\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 8\r\nKey1 = f1ce4992c851e3a8\r\nKey2 = 835ec1abef97f2c8\r\nKey3 = 5b92384f20dcc2ad\r\nMsg = 9094935fcd7c389dd17b5b121cddadf9\r\nMac = 319c70370c172de3\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 72\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 8\r\nKey1 = c16ebcc1165d6892\r\nKey2 = 75268c4602f8c8bf\r\nKey3 = dab97f79544cf1cd\r\nMsg = b7ba1c66282cb6092ba601407ff9578a\r\nMac = d73c26311bd44a32\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 73\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 8\r\nKey1 = fe4a796720a46dbc\r\nKey2 = 98f45289e9f8b080\r\nKey3 = e05def5b25520d43\r\nMsg = 31c9eed491bb0cda9b8c0eb5afa31019\r\nMac = 8c2ce22633c62751\r\nResult = F (1 - Message changed)\r\n\r\nCount = 74\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 8\r\nKey1 = eefb40c715c4546d\r\nKey2 = 5b2325c8d9daa48a\r\nKey3 = d5ec4a6bc82a7a62\r\nMsg = 5a97259dfa081f040d3893da2f231ca3\r\nMac = a64113544f509be8\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 75\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 8\r\nKey1 = 0d0851311ca45db0\r\nKey2 = 3d7c458957c8c408\r\nKey3 = 98d37c9d51ab2f25\r\nMsg = 8be16380af3e2dbc6cf678c2e3331335\r\nMac = 8817baeaa909e33a\r\nResult = P\r\n\r\nCount = 76\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 8\r\nKey1 = b7239438d61cd626\r\nKey2 = 082c6404cb3897b5\r\nKey3 = c4c732cdd5e043c2\r\nMsg = 7120f19169e7cbb913c7d1f0ceb006c0\r\nMac = 32841ad7621cc0fc\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 77\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 8\r\nKey1 = 73f449ef83df75e9\r\nKey2 = 5f3d2016bfd0703b\r\nKey3 = 31abc16b58b64af4\r\nMsg = 83ecbfcff3bc37f1305d83bc0290350c\r\nMac = 8f8ba8bfc74203fa\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 78\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 8\r\nKey1 = 9b6ea461c7b9abe6\r\nKey2 = 4a08dcdc5b9e01fe\r\nKey3 = 6b850e9b6ebae9d6\r\nMsg = c538416fba487fac5c94449d0757f3e9\r\nMac = c13f372e9a061db8\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 79\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 8\r\nKey1 = c7aeeacb156dfbfb\r\nKey2 = ba43ef516232a7d3\r\nKey3 = 2c572aea62808c68\r\nMsg = a1bc9950759d0df4cffaf29345dfb340\r\nMac = d7dad4519b56a1eb\r\nResult = F (1 - Message changed)\r\n\r\nCount = 80\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 1\r\nKey1 = cda4d34370234946\r\nKey2 = c408ea6bec07c78c\r\nKey3 = 19eff7f798fd6808\r\nMsg = d1fb0b68176269cf9fda18bf13efc054f0c24fd042b9e2ecaf75e86cb60484f6\r\nMac = d8\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 81\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 1\r\nKey1 = 02100be5627686a8\r\nKey2 = 7f0b38ec073e75ef\r\nKey3 = 373b1a64ba5416d9\r\nMsg = c60be37fb0bda4f46894690b3344643c772fbd2237db348adaa407ca2eae1654\r\nMac = fb\r\nResult = F (1 - Message changed)\r\n\r\nCount = 82\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 1\r\nKey1 = 7597571a6e7c6bc8\r\nKey2 = c143a2a461626b1a\r\nKey3 = 6b1307d910434cc7\r\nMsg = 49cb128641f7952dfdf34f338da268b2ef1482557b593e",
- "c57f930164264ff83e\r\nMac = 90\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 83\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 1\r\nKey1 = ae89ad615201546b\r\nKey2 = ae20765745458fce\r\nKey3 = efd0867fba43dcb0\r\nMsg = e47d8659c9ad94971adedd6bce744206e1cfb65d042b942d93c4363cc73ec3e3\r\nMac = 95\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 84\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 1\r\nKey1 = b65886f13d6e8c4a\r\nKey2 = 0708e0b0730473a8\r\nKey3 = d04f2a86dc0b9e7a\r\nMsg = b97c12251d91512fe7b3a349a982409c7412f39494d970e77acbe9d3fac3dca7\r\nMac = 05\r\nResult = P\r\n\r\nCount = 85\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 1\r\nKey1 = 3197a4a26261588a\r\nKey2 = 0dc4a75ec8b99b58\r\nKey3 = efb93e7620205289\r\nMsg = 65f4b3a00c1c1ef39445a69b2150b034705410140ff9dad0ce21740271cef04a\r\nMac = 57\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 86\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 1\r\nKey1 = 62c4a16e946b4313\r\nKey2 = d09ea80e7fb33449\r\nKey3 = 164fdc04c2d5f116\r\nMsg = 898e824fdc89f21779156a9e58564c4b99004b95226c2ebb8aebd0b5365a6c6a\r\nMac = 93\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 87\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 1\r\nKey1 = 6eeff20d3d5d5223\r\nKey2 = 258076b313611c1c\r\nKey3 = b013b957f70d9e62\r\nMsg = 2d7fec1a1e9ee85cf960e5dc4e239619ed85f4b14d32cbd42dfa79f77a27f2cd\r\nMac = 0a\r\nResult = F (1 - Message changed)\r\n\r\nCount = 88\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 1\r\nKey1 = 193e23e6fd8aa185\r\nKey2 = 1910cbdc549da804\r\nKey3 = 6b769b4923523425\r\nMsg = bd65798a1d02ab164e2d31b1387e505874779539046820bd429043c617854c36\r\nMac = d3\r\nResult = P\r\n\r\nCount = 89\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 1\r\nKey1 = 150789ab37ef2ce9\r\nKey2 = 10cdf45dad9ed9e5\r\nKey3 = f475fd3e153898fe\r\nMsg = 044dd73a7d1ef37a437c09e9268708c82ebad189dc1e989ab3bd8d7ff75abc23\r\nMac = e4\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 90\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 1\r\nKey1 = 48d9d08a6bdcc4f8\r\nKey2 = 1383641c08735d0e\r\nKey3 = 374a89c8cb73a7f4\r\nMsg = d62fb84f2a2442b52acf817d7f067edca031970bea092c35f29f9a931aa06dd6\r\nMac = 26\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 91\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 1\r\nKey1 = 68f4620da8b00201\r\nKey2 = df1c8362345180d3\r\nKey3 = 26abda897f89d90d\r\nMsg = 0ac3f7f22d24b64aa584845d3a990bb69e5d2d4650640056c16c17c0b636045f\r\nMac = f9\r\nResult = P\r\n\r\nCount = 92\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 1\r\nKey1 = 1c259df7492361b6\r\nKey2 = cd4acdb65b3e5b1c\r\nKey3 = 3b01addc2579ef64\r\nMsg = 607f4730a5ea9dabfbcd8586f680c3021c7ebc858e73354beb975d58713b0eb1\r\nMac = fa\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 93\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 1\r\nKey1 = f18a9dba9db5dff1\r\nKey2 = d5987013a4b69e38\r\nKey3 = dc16e0ce1351e3f4\r\nMsg = bfe99e184a7d7bf0b4ade8f402f2c49aa4948e74b2d5c905756ba5d32934dbbd\r\nMac = e4\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 94\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 1\r\nKey1 = 8361bac48afb1091\r\nKey2 = da85400d107fbf8f\r\nKey3 = 31ec732cc29d7045\r\nMsg = 3a1ee70d4607325c13bff68e402e0a72742f6a63ae972c6dda74b6b2a3922f0c\r\nMac = 0e\r\nResult = F (1 - Message changed)\r\n\r\nCount = 95\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 1\r\nKey1 = d0df1adf1cf72032\r\nKey2 = 1504d564ec1aea61\r\nKey3 = c42fada45d80a43e\r\nMsg = 3a53d9c7ae59e7811699fb0973e43256ed92162267c7ca4b57f5887ad5a24e02\r\nMac = 8a\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 96\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 1\r\nKey1 = 973bfe5b3be573da\r\nKey2 = 94b3ec7f343e46ab\r\nKey3 = dcaeabc8df405db6\r\nMsg = c8437dba76591a9031b3aa3b59fec0562d4eac439ca8efca57c3f2022b0ff775\r\nMac = 53\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 97\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 1\r\nKey1 = bc89867c43a74640\r\nKey2 = df347fb319464c80\r\nKey3 = fd92108a266bcdcd\r\nMsg = 1c9898ede16139560519e808ee9ddaf710a5bab30f54ed98230d1a44c189ea4f\r\nMac = f6\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 98\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 1\r\nKey1 = fde925e301897f67\r\nKey2 = 54b3ab80f815df15\r\nKey3 = dc58928aa286c8e5\r\nMsg = b34f898d98a3aa0fa022b1b1d76953a5b3ecc88d60f2c79b59e1b1f636bc0d60\r\nMac = 0f\r\nResult = F (1 - Message changed)\r\n\r\nCount = 99\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 1\r\nKey1 = 8a704ffe43e951f8\r\nKey2 = 2346dc8501202a40\r\nKey3 = d67afed616230113\r\nMsg = b2b4cb5e90ebf4bd265093b7f5efd4d62dc60e29737aa496e14929724e40c74f\r\nMac = df\r\nResult = P\r\n\r\nCount = 100\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 8\r\nKey1 = 8c1f29f440f7f8b5\r\nKey2 = 5b45fe8f1f688661\r\nKey3 = ba40f43d9e7cc86b\r\nMsg = 220817144a15a0a654fc1beaabce60270aa72df83591754ee7a5fbb40b7420d7\r\nMac = 80ac51c2ef7bd5d7\r\nResult = P\r\n\r\nCount = 101\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 8\r\nKey1 = d66e76d97f94ea16\r\nKey2 = f15e3ed06dd94598\r\nKey3 = ae073d1a6e5bc819\r\nMsg = 233d547ab33790859ab0dbc7a93f3bbebb610bed9acbfbce1fff580e9a1e8ef9\r\nMac = 4cb8ce681e4bc7c8\r\nResult = F (1 - Message changed)\r\n\r\nCount = 102\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 8\r\nKey1 = 0437836df770e943\r\nKey2 = c96e2c43bffd5298\r\nKey3 = 8552fbc16215e0c4\r\nMsg = 4f87d730bdfc7a7c72525c6b26ee9cae9a219b30d9575fedbd913a07b615a616\r\nMac = ea79cbc28f4264db\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 103\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 8\r\nKey1 = d849ba8570b6ef9d\r\nKey2 = f1405732aeb61f92\r\nKey3 = 73c8e51ff167f857\r\nMsg = fd03202d0bd109b6e4299c7390c1407cd21ffb110013e6381185dea8f8707de6\r\nMac = 71070b17d05dabef\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 104\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 8\r\nKey1 = 914cef7ab6d998dc\r\nKey2 = a767abc18cf485e9\r\nKey3 = a2624ff20b2a408a\r\nMsg = bc5ce4c0bf3ad1a93e5306c9d7dbb620dde8708efe84e78c2200f41a958cdef8\r\nMac = 3cf4aaf3d337c9c8\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 105\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 8\r\nKey1 = 757f52e626eabce0\r\nKey2 = 700d91f14554bcb0\r\nKey3 = 548640d0dfaec2ab\r\nMsg = 22a4cf581584346095783be0982744c6201ff040760f868ab63895058d1edb88\r\nMac = b008b1150535ef11\r\nResult = F (1 - Message changed)\r\n\r\nCount = 106\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 8\r\nKey1 = d65d0e58d3133b34\r\nKey2 = 289e58704994a249\r\nKey3 = e3df20ae3d585e2f\r\nMsg = 94c8414cbbec52e2d73bb8f02ef687c91432495c0c744666317d02e6d46706d2\r\nMac = b1292e1c7074dcfc\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 107\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 8\r\nKey1 = d77a4989f4a17f2a\r\nKey2 = 409d91d51fa4d045\r\nKey3 = 6bb652ea1526fd4f\r\nMsg = 7a08ce579ae7af8004421cff72715e0b137da81f47d8f84da34c3ed53c32c0f6\r\nMac = 8b3cb70477ca7ca8\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 108\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 8\r\nKey1 = e670c17519d9c2f2\r\nKey2 = dcc8a132629b462f\r\nKey3 = 58c1d52543ad570d\r\nMsg = a6dbad96ad23ff61479df39b99f0673a09f2a7eaebbd34b95d05c4146fa989f2\r\nMac = c470ec40599a0a11\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 109\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 8\r\nKey1 = 290d292a15b6268a\r\nKey2 = 2638d9ad83ad1f34\r\nKey3 = a7d9ba62735dc2d3\r\nMsg = ef995cbfc49b0ebccdbd37d9f40a431c385d33d4b8234d7f0d6211eaddfb709a\r\nMac = 67ae62fb8142bd8b\r\nResult = P\r\n\r\nCount = 110\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 8\r\nKey1 = 4faba73bcd5b5dfe\r\nKey2 = 1c97ea85207a97a7\r\nKey3 = 19eff116100dc82f\r\nMsg = c48e53c6956432460584c7ee1577c1c38b7fae2ff288199be25bf64081154139\r\nMac = d68a4558e95a67e4\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 111\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 8\r\nKey1 = d37c3dbc2f68baba\r\nKey2 = 918cb5e39237e016\r\nKey3 = f286b0739d38c4fb\r\nMsg = 2533361761ac80578fa262a50462045e3ec6e4d5d25c6e99a5c4ccf75f5affc0\r\nMac = c20f36e67732f864\r\nResult = P\r\n\r\nCount = 112\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 8\r\nKey1 = a0baa71c38d6d064\r\nKey2 = 8f58ba45cb494ab9\r\nKey3 = 853decc431f7b3cd\r\nMsg = 20e394c7cc90bdfa6186fc1ba6fff158dfc690e24ba4c9fbf11b68519d573a8a\r\nMac = 4ba956b98a99d7bf\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 113\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 8\r\nKey1 = b69752407c68b6bf\r\nKey2 = 8fceb05201ec4320\r\nKey3 = 2a755e372373ef26\r\nMsg = e884d65c87411584a56956d5b27ca9725b473c205b64cff09400671f5ee0473a\r\nMac = 9f3de5e8cddc374d\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 114\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 8\r\nKey1 = 8c04e0f27f83b0ec\r\nKey2 = 042cfb6883348fe6\r\nKey3 = 404f5dfe587ab591\r\nMsg = 8a34cd562b111fe04fa0bf5e004faedaef99d0bab9344d966c8b3847486e6f40\r\nMac = 6c530215fb25015b\r\nResult = F (1 - Message changed)\r\n\r\nCount = 115\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 8\r\nKey1 = 429401ea49cd97b0\r\nKey2 = a8f1b6b63101cee0\r\nKey3 = 20bcd08c5d16e049\r\nMsg = 591d88123fc9a786b247e8d5ce155f136d6fe4084117c41f2056b67f9e3e1077\r\nMac = 6c414640b424cf56\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 116\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 8\r\nKey1 = c470255783b32f01\r\nKey2 = e3aed6705ba4291f\r\nKey3 = 7319100e54f432d3\r\nMsg = 01acc3282fe41b62f95f5dbfb7e7bfef694c5fe34ca87d31abe7e7bbf887b48c\r",
- "\nMac = cd99df4814667454\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 117\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 8\r\nKey1 = 73c10b833e1043ab\r\nKey2 = 18dcd343645d5207\r\nKey3 = 6426f7f88c3473c8\r\nMsg = 068e4a0b1a62dd64198f1b9ece814c2feeeee50ba814b70d7d42659952991b80\r\nMac = 1fc90834b7dd090b\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 118\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 8\r\nKey1 = 37eae98ff42afb25\r\nKey2 = f2231c028c29da9d\r\nKey3 = ef3da8d0c77fbf45\r\nMsg = f266cec01c5fc08c0bdabc9537bd1aa2df9f2b8ffbe5cc94722a3bca8de529ea\r\nMac = b3809c8b0eb9dd8d\r\nResult = P\r\n\r\nCount = 119\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 8\r\nKey1 = 1358fb67155e0145\r\nKey2 = d02c54a1206b5d7f\r\nKey3 = 1c04ba46c74a5d49\r\nMsg = e38b4c3e7a82643beb3192426555ad9c9b2620d677373fc40c9ddbc4cd531347\r\nMac = b000e2ea1ef48a8f\r\nResult = F (1 - Message changed)\r\n\r\nCount = 120\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 1\r\nKey1 = f6b9a81067255b58\r\nKey2 = 927cfbc4cdec9285\r\nKey3 = dcd62345bfe03b92\r\nMsg = 246b66b10696adc45840\r\nMac = b4\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 121\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 1\r\nKey1 = fea186dc73d3807f\r\nKey2 = b8fec7387a197962\r\nKey3 = 4c91abe60db64ff1\r\nMsg = 8ba298364af144a8d5f3\r\nMac = a6\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 122\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 1\r\nKey1 = f264da8607ea439e\r\nKey2 = fdb9daa41fd34958\r\nKey3 = f85d6b859b9892bf\r\nMsg = 402006f6b18dbd11dcd1\r\nMac = 28\r\nResult = P\r\n\r\nCount = 123\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 1\r\nKey1 = 191c461adc4f7f4f\r\nKey2 = 75b932e68cb98cfd\r\nKey3 = cb2943857a1c9438\r\nMsg = 391deef3a9a41394d14a\r\nMac = 3c\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 124\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 1\r\nKey1 = a2c2f713430ece92\r\nKey2 = df081ae9627a1351\r\nKey3 = c1ec469ba8c73b67\r\nMsg = 37a49535684637f67573\r\nMac = 40\r\nResult = F (1 - Message changed)\r\n\r\nCount = 125\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 1\r\nKey1 = 7b61dac238ba3e83\r\nKey2 = d05e9ed34fc410ce\r\nKey3 = 98da194c100eeacb\r\nMsg = da22ad9825c195d1e297\r\nMac = 43\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 126\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 1\r\nKey1 = 13aec10d13fd37c7\r\nKey2 = 89198c3bcd38b951\r\nKey3 = ecf843cdef7397cb\r\nMsg = b7625aa78d2961c0fee6\r\nMac = f1\r\nResult = F (1 - Message changed)\r\n\r\nCount = 127\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 1\r\nKey1 = d94a68ec329d914a\r\nKey2 = 394a8acea420e952\r\nKey3 = ec04c8cb8602aec8\r\nMsg = e043f30a405c41938914\r\nMac = 6f\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 128\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 1\r\nKey1 = d5cb7579582fb6a8\r\nKey2 = e67f3ba11383d61f\r\nKey3 = da370852e9b9c2a1\r\nMsg = 7d32f440151a7069fd73\r\nMac = b7\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 129\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 1\r\nKey1 = 92402f6eb54526b3\r\nKey2 = 924515d92ad5a1d0\r\nKey3 = 9ead2adfb025f81a\r\nMsg = fd44d8d0fea5cfdf3321\r\nMac = 2f\r\nResult = P\r\n\r\nCount = 130\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 1\r\nKey1 = a9daad97ad23fe61\r\nKey2 = 32e5988a37987a38\r\nKey3 = 31626d16a780c825\r\nMsg = d6cf17192f8ad745ab5b\r\nMac = 8f\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 131\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 1\r\nKey1 = 52c457d9d5d5ab94\r\nKey2 = 9d3875ba6d75fdba\r\nKey3 = 4fb91a863d15ce52\r\nMsg = 4effbf732e67af7203b3\r\nMac = 04\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 132\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 1\r\nKey1 = 7304b65492fd0402\r\nKey2 = 62a4cb7c23708057\r\nKey3 = f2f7bf13839e01e5\r\nMsg = a630c0f362eef35b6a58\r\nMac = aa\r\nResult = P\r\n\r\nCount = 133\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 1\r\nKey1 = 51b33425a1349792\r\nKey2 = dc5b8ca440eae6ad\r\nKey3 = 70adf49dd0a8f119\r\nMsg = af246a8a810cca5e657b\r\nMac = 0b\r\nResult = F (1 - Message changed)\r\n\r\nCount = 134\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 1\r\nKey1 = f22029ce51619e0d\r\nKey2 = 9d51bcc2089785e0\r\nKey3 = 689d62621abab3b0\r\nMsg = a9c9fb632423d367b3eb\r\nMac = 0c\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 135\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 1\r\nKey1 = 1ca226d0dc8c328a\r\nKey2 = f18a9dc176621f51\r\nKey3 = 3d765d20e03b4cea\r\nMsg = f9d9fb44919e47cdeaf8\r\nMac = b0\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 136\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 1\r\nKey1 = f3ce4992c851e3a8\r\nKey2 = 835ec1abef97f2c8\r\nKey3 = 5b92384f20dcc2ad\r\nMsg = 9094935fcd7c389dd17b\r\nMac = 3c\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 137\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 1\r\nKey1 = bfd929cdd9c2089d\r\nKey2 = 8e49988abcfbf458\r\nKey3 = da73d986894fce4c\r\nMsg = 88018424fdb76c908bd6\r\nMac = 94\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 138\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 1\r\nKey1 = 57bf2ca4e3629797\r\nKey2 = ef7f675443402546\r\nKey3 = 6e4f924038f8bc92\r\nMsg = dd4f0a872f4b7089d697\r\nMac = 5b\r\nResult = F (1 - Message changed)\r\n\r\nCount = 139\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 1\r\nKey1 = ba86924908df08b3\r\nKey2 = 26b954ba52df2c98\r\nKey3 = bf38cb0e89b9f4cd\r\nMsg = a682e6fd64df4b9f4fe8\r\nMac = ea\r\nResult = P\r\n\r\nCount = 140\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 8\r\nKey1 = 52859849a4b6c1d5\r\nKey2 = 380e73c7aefb0168\r\nKey3 = c479fef80eb6260d\r\nMsg = ee6857533675b5ed8d43\r\nMac = 43fd25f696cb0693\r\nResult = F (1 - Message changed)\r\n\r\nCount = 141\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 8\r\nKey1 = 97ae01315d13ec52\r\nKey2 = c7674cc1ab0bbab3\r\nKey3 = b68fb99797b33b79\r\nMsg = ce9127f649bfff849826\r\nMac = 2dfe01d9bc07646b\r\nResult = P\r\n\r\nCount = 142\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 8\r\nKey1 = 2b257032b0d9b0b3\r\nKey2 = 49f7c10e8a9bcd37\r\nKey3 = 20f4fb4679106ddc\r\nMsg = b2c62d03902c44253368\r\nMac = 14c5ccf5f9433a0f\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 143\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 8\r\nKey1 = 0b988c3d380e5b80\r\nKey2 = b86be99162029b54\r\nKey3 = e0bc9775838a58ea\r\nMsg = 61ababff3763183c348d\r\nMac = 28a2de26aa6b4074\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 144\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 8\r\nKey1 = 26e9abbf201fe5b9\r\nKey2 = 7062a82f800d5183\r\nKey3 = cd45e654bf5d205e\r\nMsg = 020683e1f0392f4cac54\r\nMac = 6f1522d3c8186217\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 145\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 8\r\nKey1 = 3443f4016dadcd86\r\nKey2 = 235dec80323e5838\r\nKey3 = fd583285e6efbc51\r\nMsg = e64eeb89828b4297601a\r\nMac = 5575a40dba5bc4c6\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 146\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 8\r\nKey1 = 76c7616785916470\r\nKey2 = 5b3d1f10e5252fda\r\nKey3 = 75a2d632a46ea18c\r\nMsg = ac7d701597f0ba879055\r\nMac = 06b98e161e6a6754\r\nResult = P\r\n\r\nCount = 147\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 8\r\nKey1 = f12367b568a758b5\r\nKey2 = 7b2f9770924f2c0d\r\nKey3 = 1f8ad9e9b97a088a\r\nMsg = b99de8168e8c13ea4aef\r\nMac = db534a059f930ee0\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 148\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 8\r\nKey1 = f1adb67986923d8c\r\nKey2 = 02671957dcf75808\r\nKey3 = 52732ae970467019\r\nMsg = f759c3033d4ed34948d7\r\nMac = 2d9caabf50999ac6\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 149\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 8\r\nKey1 = 792f9770924f2c0d\r\nKey2 = 1f8ad9e9b97a088a\r\nKey3 = b99de9168f8c13ea\r\nMsg = 8bae64015d62f68565d1\r\nMac = a42f89527f5cb219\r\nResult = F (1 - Message changed)\r\n\r\nCount = 150\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 8\r\nKey1 = 31ec790d4a8a131c\r\nKey2 = 562c8cdc07e331d3\r\nKey3 = f4a7467043924c4f\r\nMsg = 1798286c37c1504fc0d7\r\nMac = f0d6e2f7edce6349\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 151\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 8\r\nKey1 = adb692e376a12585\r\nKey2 = 8c8c4362ea97f810\r\nKey3 = 528f204c19f21a31\r\nMsg = 6543e675d34639a7f7eb\r\nMac = fac96e6804526535\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 152\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 8\r\nKey1 = 62984a64ec7c4a92\r\nKey2 = feda64dfd9a24f9b\r\nKey3 = cbb04f7a1f26df31\r\nMsg = adb555fd5f5c6bdd9c4e\r\nMac = e8dee8714b285a00\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 153\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 8\r\nKey1 = ef0d58b55ddae95d\r\nKey2 = 80e07ca4aebcfd34\r\nKey3 = bf947ff4ab2904e5\r\nMsg = 1fe87a2f431f3718665a\r\nMac = 44a869aee76d79db\r\nResult = P\r\n\r\nCount = 154\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 8\r\nKey1 = aef4ceb55e3d37fe\r\nKey2 = bc0bb9d05bad972c\r\nKey3 = e0a29b2c7940ce9b\r\nMsg = 78ad5f3718acf9e8cc7c\r\nMac = dcc1d44200caf6f7\r\nResult = F (1 - Message changed)\r\n\r\nCount = 155\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 8\r\nKey1 = a4403438f8fb254f\r\nKey2 = bac752cd83a170b5\r\nKey3 = 6bf71654f1854589\r\nMsg = 349566b6716e5f831d69\r\nMac = 7c08cc43ff4d8e07\r\nResult = F (1 - Message changed)\r\n\r\nCount = 156\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 8\r\nKey1 = 2fc7f4c1ce042f73\r\nKey2 = 8346bf7a80b38640\r\nKey3 = 2ff74abfc197a732\r\nMsg = 43a32b8ab9b7ce4bbd1b\r\nMac = 8000a2612215014a\r\nResult = P\r\n\r\nCount = 157\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 8\r\nKey1 = c40ddc9e29ce041a\r\nKey2 = 583d6bc4c1a2abf2\r\nKey3 = 9b018fd5a4084a64\r\nMsg = 228",
- "6a1eddd80737a724c\r\nMac = 0ff14761c982f890\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 158\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 8\r\nKey1 = bc327a0bcb2575df\r\nKey2 = 6b9483e6e0755d2a\r\nKey3 = 622cdc5b2916ab89\r\nMsg = e1be89af98ffd7d9257a\r\nMac = d6f4c8d96b3e2180\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 159\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 8\r\nKey1 = 9e517cd616a48ada\r\nKey2 = 6d266192d5387a97\r\nKey3 = 8a081fda97c86b94\r\nMsg = 9e9fb0b2b77be6eeaae8\r\nMac = ba0b73fbffc0ab0b\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 160\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 1\r\nKey1 = e0b9a826a85efe94\r\nKey2 = 4f615bce7cc1ba68\r\nKey3 = 3bb56d3d9816103e\r\nMsg = cfe9ee956cb1f5a60aa6ec79a3e454224b456879\r\nMac = 64\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 161\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 1\r\nKey1 = 1e08a794a175b69e\r\nKey2 = f7d3ab46aeb9073e\r\nKey3 = 3e7cf8cea19d0891\r\nMsg = eb4f5b04517ee93e2c900e01948ac81ca56b2b26\r\nMac = 79\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 162\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 1\r\nKey1 = 8f26700dc140570b\r\nKey2 = 8325e3a889c823ad\r\nKey3 = 6b048aa73decf83b\r\nMsg = cefb55151933a488e2b3d421dea9720727188106\r\nMac = 85\r\nResult = P\r\n\r\nCount = 163\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 1\r\nKey1 = 3443f4016dadcd86\r\nKey2 = 255dec80323e5838\r\nKey3 = fd583285e6efbc51\r\nMsg = e64eeb89828b4297601a5b3fcde60075fc2424ae\r\nMac = c0\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 164\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 1\r\nKey1 = 91a401cbb6460b16\r\nKey2 = 85438675f15b6e73\r\nKey3 = b09140318a767038\r\nMsg = 8c65cde13149d9d54a5bccc17747f1d5f3e807e3\r\nMac = 56\r\nResult = F (1 - Message changed)\r\n\r\nCount = 165\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 1\r\nKey1 = b78a16fb9b075d3b\r\nKey2 = dcabbf7a07150261\r\nKey3 = f7644a01d5dcea46\r\nMsg = abe2fd996bb6804ed3286c057df9cea6836a2dad\r\nMac = 09\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 166\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 1\r\nKey1 = ce8a467534cd679e\r\nKey2 = cb9ee6fb70a42f4f\r\nKey3 = 16c1e5c1459e4ac8\r\nMsg = 3c56ccfbe92023109983e740d6a53488b813ee87\r\nMac = c8\r\nResult = F (1 - Message changed)\r\n\r\nCount = 167\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 1\r\nKey1 = 401f0de0efd6dfa8\r\nKey2 = 16ae7c3bbc6e5b86\r\nKey3 = 4ffebf790815f1d0\r\nMsg = 9052d5e22e6712fab88e8dfaa928b6e015ca589c\r\nMac = 61\r\nResult = P\r\n\r\nCount = 168\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 1\r\nKey1 = d357bf5bef2cfba7\r\nKey2 = b757d3abf49b4ac2\r\nKey3 = 16388051da8a04a7\r\nMsg = b04e8f6d20924be8e4e2c6767f87b74377bdf90c\r\nMac = 72\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 169\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 1\r\nKey1 = f8ea68aba1bcd9e6\r\nKey2 = 4abaa4260d864573\r\nKey3 = a49840ab737af7b0\r\nMsg = 1fc99e586f87932445930a300eb28191d9c6215b\r\nMac = 19\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 170\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 1\r\nKey1 = 94ec086d8c0110cd\r\nKey2 = 4ea11f327f70c245\r\nKey3 = c8d07adf7c7c5eb9\r\nMsg = 812dbc453a1fda59f73aceea3bc84d2c7a437dfc\r\nMac = b2\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 171\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 1\r\nKey1 = 9d575d582a9723c1\r\nKey2 = 294af47a54b051fe\r\nKey3 = 5131bff85bf12608\r\nMsg = 266e5305b96f497a956ae82b20367ebac0b14215\r\nMac = a9\r\nResult = F (1 - Message changed)\r\n\r\nCount = 172\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 1\r\nKey1 = 913d800ecd0dc762\r\nKey2 = 7f6ec476b6b07c15\r\nKey3 = 973262ab7c83b634\r\nMsg = 4670a266bebcdf95c62d36cda33d50e6650fcdcd\r\nMac = 4f\r\nResult = P\r\n\r\nCount = 173\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 1\r\nKey1 = b97ffe79d068ece5\r\nKey2 = 4a75fe2f67dae392\r\nKey3 = 45a4d9f17a9d70f8\r\nMsg = b53017500c100dea0511845597214484fc5f7f34\r\nMac = 6d\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 174\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 1\r\nKey1 = 7e1af10bcd86c283\r\nKey2 = 51cd37540e19021a\r\nKey3 = 988fd3c7250e2a6d\r\nMsg = da1919d4a2a7fcc34c88fb2065e52bf9dbc50731\r\nMac = 22\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 175\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 1\r\nKey1 = 8c0dc16eb9c80775\r\nKey2 = 6eeff20d3d5d5223\r\nKey3 = 258076b313611c1c\r\nMsg = b212b857f70c9f63d0c9d2ccd253c28d1534631f\r\nMac = 2e\r\nResult = F (1 - Message changed)\r\n\r\nCount = 176\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 1\r\nKey1 = 92c29eb0bf3e73a4\r\nKey2 = c6ecfbe6cd49bf4f\r\nKey3 = ef19d9d06d7a5e7f\r\nMsg = 969304e651ca62039088f8123085ac3263796b67\r\nMac = 57\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 177\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 1\r\nKey1 = a4432f52975e4316\r\nKey2 = 7f2086da04fddf4f\r\nKey3 = 8302139e79684329\r\nMsg = 5c9bcd197ea59e1b58b3da707b253491cc5a5ef8\r\nMac = ea\r\nResult = P\r\n\r\nCount = 178\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 1\r\nKey1 = 5ae0b6d6c2855b7a\r\nKey2 = ec675d3e73bfd685\r\nKey3 = d3406b868fd3ae0e\r\nMsg = 89b9ecfef6f10e81f7956dbc7ca4a335047535a8\r\nMac = 70\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 179\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 1\r\nKey1 = 8f7f85649d5e08a4\r\nKey2 = ceda75687308e07a\r\nKey3 = 9215c4c19bdc0d46\r\nMsg = e53101e6eabcda32c13d7b1dd1d88e7c2ca3ddc2\r\nMac = 14\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 180\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 8\r\nKey1 = 7061b5f46b98d394\r\nKey2 = 58c2ce3807623475\r\nKey3 = 0df8e3c432da8a37\r\nMsg = 1086953d352e94a51a6d4c59a2295e8fff5b311e\r\nMac = 554d4df88228eba3\r\nResult = P\r\n\r\nCount = 181\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 8\r\nKey1 = 347a25a1ec433b52\r\nKey2 = ec75d97046152c10\r\nKey3 = 86b937b6ad1ccbf8\r\nMsg = 4fe6bd43c28143ea5d40919cb5330a7e674f5bd8\r\nMac = 3d0d841895fb7c65\r\nResult = F (1 - Message changed)\r\n\r\nCount = 182\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 8\r\nKey1 = b3701aa7da61512c\r\nKey2 = 46dacba40740e3c1\r\nKey3 = 8f79a4dcadbc315e\r\nMsg = 4612fb4586d7518d0d648894347ae7d49d043f29\r\nMac = e5dd4392afbeabe7\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 183\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 8\r\nKey1 = b5b57acb2c7fd6cb\r\nKey2 = 70b02c9d8651c889\r\nKey3 = 07f485f7b00e45d9\r\nMsg = 9011231ec382ecaaae57f34de1ac6bbb50741014\r\nMac = d34581ad5a3e9e57\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 184\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 8\r\nKey1 = 88985bdfd9852604\r\nKey2 = f7f829aec8a208b3\r\nKey3 = d5ba012ce6754554\r\nMsg = 6cad7f3b9f196839bbc5a7f755c09aa8e17c83d9\r\nMac = fc7c93552aa14ca2\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 185\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 8\r\nKey1 = cd0815194319d552\r\nKey2 = 346bb634027668d9\r\nKey3 = c17f2a26257afbad\r\nMsg = e31b3d97ba6ee6f2e18f084215ca0a5ca0d816d7\r\nMac = af5772396bb63d20\r\nResult = F (1 - Message changed)\r\n\r\nCount = 186\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 8\r\nKey1 = 236e5201dfc1081a\r\nKey2 = c81526bc85c7a2ce\r\nKey3 = ab91d0aee0d68931\r\nMsg = 1f36b9cbf3d4d4dfcc4ba7fafa7c229f0a9253f4\r\nMac = 27586cf856a41e82\r\nResult = P\r\n\r\nCount = 187\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 8\r\nKey1 = 2e01198faeb6986e\r\nKey2 = 7cb564801f15bc5d\r\nKey3 = f2d3ef0d4fec61c1\r\nMsg = 27c8c90c9e46e14b8cbb0b7559bb166d65f58aeb\r\nMac = eaa7b4a171e449ef\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 188\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 8\r\nKey1 = df575b851331b016\r\nKey2 = 33ec7326e9ef31e5\r\nKey3 = 1686c1ec8a3ea16d\r\nMsg = 1e4e01d38ff65d05646d544b52a6df49b897eacc\r\nMac = 45789bd32147c0ae\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 189\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 8\r\nKey1 = 43b68c1f29ef5b94\r\nKey2 = a7dfa1cbe9ea3df1\r\nKey3 = 83d3c286e973ada1\r\nMsg = 0ca9b0f6465db0e101f8c14b2e73859d9c355b0a\r\nMac = da439a51157ff0d5\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 190\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 8\r\nKey1 = bf91d679268c85ce\r\nKey2 = 46b9f7bf4aa1a2c2\r\nKey3 = f7fd15fda2cd6408\r\nMsg = 0c2933e39d7e601ee6f2519eaf01294853664262\r\nMac = 455cd46d3b452a55\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 191\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 8\r\nKey1 = 0dad9d451f890b38\r\nKey2 = 3416e3c240a16ee6\r\nKey3 = 5b80d6aefd4ab5a4\r\nMsg = b6e1de9abef7525c5dabbdc85746958781d50139\r\nMac = 3445a869cca839fb\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 192\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 8\r\nKey1 = 96858f8f2ab56df2\r\nKey2 = 5edc3b04b94ca7cd\r\nKey3 = bf10614ce0491645\r\nMsg = ec9aa18b3e7da99dcbd7de7617a79130abe3348a\r\nMac = c744a1392fc656c2\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 193\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 8\r\nKey1 = 46ad6ebad9644a67\r\nKey2 = da684aa48f23d619\r\nKey3 = 43a2316b40a46e25\r\nMsg = cf97c2abe3d0fc89e05538b50147a3f405391219\r\nMac = 7ac08967edc5730b\r\nResult = P\r\n\r\nCount = 194\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 8\r\nKey1 = 68647694efb32023\r\nKey2 = 0d2938c8fe1a4057\r\nKey3 = f479f16e7552942f\r\nMsg = 33a9c750bb532d2d37ec86fa851aeb3cad1eaad8\r\nMac = 3873ae02210eb5fc\r\nResult = F (1 - Message changed)\r\n\r\nCount = 195\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 8\r\nKey1 = 58d62fd92af7437f\r\nKey2 = 89dfb51fc807cd6d\r\nKey3 = 024fd04f40d5d0e3\r",
- "\nMsg = cc293c9e1780b401d2e7fceef6f69edcf0f70b86\r\nMac = 6574bfceaf04b4e1\r\nResult = F (1 - Message changed)\r\n\r\nCount = 196\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 8\r\nKey1 = 4b377f98df0b7598\r\nKey2 = bf73f4c2cb074001\r\nKey3 = dc9857f47fe6101f\r\nMsg = 9ba5dbe7a8ecfbedadd7889cd7f1ae073e01ee3b\r\nMac = aaaeb7223578bbad\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 197\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 8\r\nKey1 = 91c8851934cdecc2\r\nKey2 = 582562aef1205e32\r\nKey3 = a12a70eacbad310e\r\nMsg = aa390a0ae33751b0bd8de5723df91d999aa70358\r\nMac = 67f76912ed61eaab\r\nResult = P\r\n\r\nCount = 198\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 8\r\nKey1 = dcc2bacbea0dcd10\r\nKey2 = c18ca45ed57f8f97\r\nKey3 = 5d58157a677f1951\r\nMsg = a7573e5b7dd7f4ce9e4480f603c14145a27f7c7a\r\nMac = 2b6af968464ac63f\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 199\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 8\r\nKey1 = fe6d49702f044f40\r\nKey2 = 33321613da401004\r\nKey3 = 8c3438f74cc2680d\r\nMsg = b15a118b3132c20c31e6c9d09acdee0e15fcc59d\r\nMac = 9f28413a00da00ab\r\nResult = F (2 - Key or Key2 changed)\r\n",
-};
-static const size_t kLen33 = 53587;
-
-static const char *kData33[] = {
- "# CAVS 11.0\r\n# CMACVer information \r\n# Algorithms tested:Alg = AES KeySize = 128 Mode = Verify \r\n# Generated on Tue Mar 15 08:40:37 2011\r\n\r\n\r\nCount = 0\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 8\r\nKey = 27b5686c79b3d242f96d3892c6135b26\r\nMsg = 00\r\nMac = c98d11822b9b4d7a\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 1\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 8\r\nKey = b4542a22baa348ee2d11ef62d44cebab\r\nMsg = 00\r\nMac = f7a2a3f519fc462f\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 2\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 8\r\nKey = 7256e344f68b3e7f9dd6e04c5c65135c\r\nMsg = 00\r\nMac = d4d7fcc5f979230f\r\nResult = P\r\n\r\nCount = 3\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 8\r\nKey = 7a2116595c5cf6482199d3312498006d\r\nMsg = 00\r\nMac = c3c4fa28709060b0\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 4\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 8\r\nKey = 0341551d6c7e7c57f678068f0b41d1fe\r\nMsg = 00\r\nMac = 821030d4b7889fcf\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 5\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 8\r\nKey = b67ba2aa4e9ea9871c3def87e2dd77f4\r\nMsg = 00\r\nMac = ea896182698ac145\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 6\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 8\r\nKey = 0091d39f3478d2c59bf874b96db9ce0f\r\nMsg = 00\r\nMac = fb12c5971b0f2f18\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 7\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 8\r\nKey = 46a2e6bd3fd5336abf02eace3cd1e1f6\r\nMsg = 00\r\nMac = 9c6b46ef046ae1d1\r\nResult = P\r\n\r\nCount = 8\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 8\r\nKey = 4b0fbd5e6f9298e5ced5ebdc60fc18a7\r\nMsg = 00\r\nMac = 221857badcbcd2be\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 9\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 8\r\nKey = fb20547da671acd4c6df37f6568a6428\r\nMsg = 00\r\nMac = ba0c9bfd3d9c0c95\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 10\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 8\r\nKey = b787def50aaf446bf15c562434844562\r\nMsg = 00\r\nMac = ba60bdae64068330\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 11\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 8\r\nKey = 67d77f50727c7cd5b38e0b175a888c88\r\nMsg = 00\r\nMac = 555923e6b5fbc504\r\nResult = P\r\n\r\nCount = 12\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 8\r\nKey = 6f552ef7d309bb98597b91cecc21e158\r\nMsg = 00\r\nMac = c2aa402c0443dfbd\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 13\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 8\r\nKey = 411871267919a145532cc401e753ebff\r\nMsg = 00\r\nMac = 167a31913228f45f\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 14\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 8\r\nKey = abfe32efdf0464cb2eaafca8eac30d9b\r\nMsg = 00\r\nMac = 8edbc729b1923e10\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 15\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 8\r\nKey = 85504d59a12f3e17edfb0b6337d4a081\r\nMsg = 00\r\nMac = 9045fd77cb26dcb2\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 16\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 8\r\nKey = 55f7565826b0e2ccc1368f4de32022de\r\nMsg = 00\r\nMac = f82395416a8dc209\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 17\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 8\r\nKey = 43c8f984390debb0f26c6b9c2df8518c\r\nMsg = 00\r\nMac = b5d732086bf8feab\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 18\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 8\r\nKey = da288d2014616f16a2abf5923dea49ad\r\nMsg = 00\r\nMac = e03b67b53fc7863f\r\nResult = P\r\n\r\nCount = 19\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 8\r\nKey = e2f962d076df051c2d291b47a902ea0c\r\nMsg = 00\r\nMac = df1456a7edeb4e42\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 20\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 16\r\nKey = 191b53e0c7d90161e5e2014e9b8aea31\r\nMsg = 00\r\nMac = 1e210cff3c90bd2e2a27a78ef7662f61\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 21\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 16\r\nKey = 54666bdf6db300ee10982d14dac828bc\r\nMsg = 00\r\nMac = 9fef67209b8da28049b80efe98f85f13\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 22\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 16\r\nKey = 9a143c21cc6c9528b9ddd7e4405682e1\r\nMsg = 00\r\nMac = 1c3c3b6d1d86ac5787234f8f6d707acc\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 23\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 16\r\nKey = 802047ee1309e548ae81e93a17bff9e7\r\nMsg = 00\r\nMac = 1472aecaa0a09e45893a14090ed9a17f\r\nResult = P\r\n\r\nCount = 24\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 16\r\nKey = ab79ce74c0959aea0fd0b28ea5d0afe2\r\nMsg = 00\r\nMac = fde8a95536cc334f7fc8881a187afc61\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 25\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 16\r\nKey = 644ac6fdc1e713ecb7ff1e0bd5729a57\r\nMsg = 00\r\nMac = 95a93bb50703521e6c1a8be1aab6a646\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 26\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 16\r\nKey = b4571e56f66a857daffbdc99370ceddd\r\nMsg = 00\r\nMac = d2742ea62f1d6513c4eb0e533922f251\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 27\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 16\r\nKey = abff2b097d688293701ff2c49ba48eb3\r\nMsg = 00\r\nMac = 17e724f66d4a9ef5dfc0cf903f8ff04a\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 28\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 16\r\nKey = 9d45f6d97d1573de3cb3488befaf5b7f\r\nMsg = 00\r\nMac = 96ec3cf234d6704483a93885bd67e6dc\r\nResult = P\r\n\r\nCount = 29\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 16\r\nKey = 00d385629e5df815a5300e6635351934\r\nMsg = 00\r\nMac = cb23bb449ac26e2186b02f7428fa022b\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 30\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 16\r\nKey = 2f9109e7eea21b2615c81c03182ce603\r\nMsg = 00\r\nMac = 4532211f48124a9eacd795ea4313adaf\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 31\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 16\r\nKey = 9f3830f5cd40a2396b6093b358cef1e9\r\nMsg = 00\r\nMac = f5ea59ec909a8ec2d8b11f5f276201fd\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 32\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 16\r\nKey = 17378e17c41586b88523a6b6af738dc4\r\nMsg = 00\r\nMac = 40cc8b388be6789aca584659acc7aa06\r\nResult = P\r\n\r\nCount = 33\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 16\r\nKey = 064e8c88a0a0766186d75867b5ca3acd\r\nMsg = 00\r\nMac = b2f94222a68fcf803868b00404ad170f\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 34\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 16\r\nKey = 1e39f1cba97dac4e4d4f3bce7fda72e5\r\nMsg = 00\r\nMac = 60763815c1075c31078a9b44fe4b8427\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 35\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 16\r\nKey = 06f0e4618e0ea8fa5443b50ea005b672\r\nMsg = 00\r\nMac = 295c6cd08b1d668d9fa85ef851b1e029\r\nResult = P\r\n\r\nCount = 36\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 16\r\nKey = 648d77b57770b67ecda1ce7951eaaeea\r\nMsg = 00\r\nMac = 2f3fbc6edf5827fce440b9a7ff8535b4\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 37\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 16\r\nKey = 6f3938932b5c1280311e892280d8a822\r\nMsg = 00\r\nMac = df02edfb316350c81dbee385d6e1d8e4\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 38\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 16\r\nKey = f909903451d1f9f45ffcb93a407ffb50\r\nMsg = 00\r\nMac = d176620722c5327270ef30956d7ac02f\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 39\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 16\r\nKey = 181d92c7df1ebb0924719e066e08b95e\r\nMsg = 00\r\nMac = 144f688fa0d29faf787c48cd0765eecd\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 40\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 8\r\nKey = 0c5b763b1e97b4f4dfc7059e4896ba58\r\nMsg = a0b3c6944b35f7208dfb40b4c4ba134a14dac928b679950793b3b6751221f178\r\nMac = d922ea85b3992a67\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 41\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 8\r\nKey = 461d7d629778c8b05a688bee4fc01e9f\r\nMsg = 07571a6c9bcb6f97d626796bc74e551d1c45cce38afed761706f6264b7e751d3\r\nMac = 794b224a85396a27\r\nResult = P\r\n\r\nCount = 42\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 8\r\nKey = b91c6b09bf5a0487a9b5ea2fe0c1f3d2\r\nMsg = d31fd388e97727ba0a35d34ae05d9980e5974f6b3d86e2d4dd569b70f394a159\r\nMac = 2665ff2785bcb606\r\nResult = F (1 - Message changed)\r\n\r\nCount = 43\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 8\r\nKey = 0737836cf771e842a70f3eeed7206799\r\nMsg = fce631a9eb130178018ca88cec966ae53ecc83a51d0a73173c8a9af10b4d04d6\r\nMac = 1eee822e37dd1e84\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 44\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 8\r\nKey = 120132c315bfc9c4fb93023f5d3500d7\r\nMsg = c2576ed3189eff3205f5e01dd8fe7c64f12dc73c807c22918f607f9e43fcc5ba\r\nMac = ddca15c8b5a80cb2\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 45\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 8\r\nKey = 5363bd7d867a9f9f0592dd9940a791e8\r\nMsg = f34e86b8803d386573b81045df945df8319a93b613de4c41904c8e1879844cee\r\nMac = 109dd7c920ebbf41\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 46\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 8\r\nKey = 3fa1c7cffaa167557b250634e8052fa0\r\nMsg = 4255f8af18df7237e0abe98421aec9634443561752d893aaffe76380e829ef32\r\nMac = 0eceab8d28dd4a2a\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 47\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 8\r\nKey = 6583a4ff27b6e109046d11b977c8293d\r\nMsg = b63be320f92",
- "e01260fba37312224494a2764dfc928287c75dc1cafee7b698d48\r\nMac = fa0cced22e896b40\r\nResult = F (1 - Message changed)\r\n\r\nCount = 48\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 8\r\nKey = 5949378fd3135dd02ee1929014000411\r\nMsg = 65c16f4e66b10c7c153be7ba2dbe3a6d4eed3b04fec44188edc229747d52f8c8\r\nMac = 9ef023345848680b\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 49\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 8\r\nKey = 0e80fa889b1d96a0d23d236d4d642a27\r\nMsg = f6f094e46cdb2e45fe49b18aff1427ebdac9710fa7f47f75fc9ec7140613ef3e\r\nMac = a09774009934c9d4\r\nResult = P\r\n\r\nCount = 50\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 8\r\nKey = 1f88dfd4f5c52c22b1db47f9f4fb6e2f\r\nMsg = de433ebd1cdabeac46b94cc00d984f172923535ca8fdfeeb860546357dd8e266\r\nMac = bb17b3983faee0db\r\nResult = P\r\n\r\nCount = 51\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 8\r\nKey = ab0ab9e79ee53a6946a31ea807258dbb\r\nMsg = 89ddbb042aa2aea5207b312c9831fb48138aca90626ef7c5ce474d5797ae1b2b\r\nMac = 72f316d5bfcfcf6f\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 52\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 8\r\nKey = 1eb19542a0064564e096e5d7d60acaa6\r\nMsg = ca25504f3f5559aa0e88199ce1551c9240b5c76f55b83bdbf2777cded54ad3af\r\nMac = d936b1fca0a96aec\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 53\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 8\r\nKey = 33f11aa36d8ab0fc53486839a576b31e\r\nMsg = a58524e37c2504468f77a9c21b0e6d1a6b5e06fa051d5b8025ef97fa69417cf2\r\nMac = fd64f7cb283adce1\r\nResult = F (1 - Message changed)\r\n\r\nCount = 54\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 8\r\nKey = a7b81d8245129aa451dcb7229de415e5\r\nMsg = 2b2ec02aba10aee056443cf90585caa2510b3b835454a99f1324567b0dcbe682\r\nMac = f4cd48f32c9dc66b\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 55\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 8\r\nKey = 3c1baf0d915e5aec92bb62babad0ba2c\r\nMsg = f8f2424c2dc0d0f3821af7244038da0832c547be4ff0850b98c04d4d44a716b1\r\nMac = e17ea6862129d6b9\r\nResult = P\r\n\r\nCount = 56\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 8\r\nKey = 943a49073db6ae94a88844ed895f8fd9\r\nMsg = 8a15e5be479d3a39a459ca7b50457472cbf44f6a8324ee3d4096e2c3bf1d8190\r\nMac = adcce0ea2c8b11d9\r\nResult = F (1 - Message changed)\r\n\r\nCount = 57\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 8\r\nKey = ebf8935f53dfb3bd40453c31f627c73e\r\nMsg = 7edddb03d861dc9796f8e069bde434681620f604db436f34b7a6a3beeec925b3\r\nMac = e8ea88729d49bea4\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 58\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 8\r\nKey = f18e8feed77d1b80c31483fe69073d56\r\nMsg = 37c6206e23163c39a13f19de48cc25dc26e6f83cb376e8d2048ad7c141fa503d\r\nMac = 0d4f5cdb2a49b471\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 59\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 8\r\nKey = b4e41c7bfb8fcaa5236f656185c1496b\r\nMsg = 32758ae47884fcef766dd1fee1a7f55ca6f6691574e2ea097a68cd4072ef2e7d\r\nMac = bad08badb66c8e5f\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 60\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 16\r\nKey = 708484fba04972b815256c5dab12d5d4\r\nMsg = 97751b4893a83cfe6b760e10da795682e9668749c09036f9bfadce9dcbdd85e6\r\nMac = fa74b33267c5ffeca75e5e16978bd7b0\r\nResult = F (1 - Message changed)\r\n\r\nCount = 61\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 16\r\nKey = d0df1bdf1df6203241722fb9c9c1cf74\r\nMsg = 0e41361ebfbe4e6580fb5751e58e98de8ee5d9849fe875026fdab15a85804c1d\r\nMac = de4992c9d33659620cc203848e42a279\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 62\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 16\r\nKey = 7c0b7db9811f10d00e476c7a0d92f6e0\r\nMsg = 1ee0ec466d46fd849b40c066b4fbbd22a20a4d80a008ac9af17e4fdfd106785e\r\nMac = baecdc91e9a1fc3572adf1e4232ae285\r\nResult = P\r\n\r\nCount = 63\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 16\r\nKey = 7b4c800f5071521119e4cc6deee8729f\r\nMsg = 775946f3014523b6ea37804585cadd35e74e9382ebc1022579fbebe407281b6e\r\nMac = 2f6697f5d067aecdb3ff5a09d9169b3b\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 64\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 16\r\nKey = 7618d222630138cc14246e8fddcf98cf\r\nMsg = 432e3575a966958434da38dda3606f1f69adeaca536a7bf66c8b1e451edc3716\r\nMac = d7d78aac615ffc1bb32dfea41f2b8771\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 65\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 16\r\nKey = c8804fef18ef263c010c8a205e14516e\r\nMsg = f2d23bc605181e3894f61fa63d61ed4a610123ab7d3531c0b7579a58b74161ba\r\nMac = bfe5e2c10a5cecccd3de2529f340cf6b\r\nResult = F (1 - Message changed)\r\n\r\nCount = 66\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 16\r\nKey = f98ac86ecb742c188852980b5150d100\r\nMsg = 4e6fd4fa7669ce9552154bd796644961b51067dc02303430150aacf671280031\r\nMac = 73df5f4d3ab9240d4fb2be775188adc0\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 67\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 16\r\nKey = 638d7d95ff5f57571261e23ffa081189\r\nMsg = 5f5bc4e32764bb00085667b7f1b15433f09c1f6fa48689f8f50dcaf5021f2864\r\nMac = 96b270629b2bfbf721f1a70eccf9abe0\r\nResult = P\r\n\r\nCount = 68\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 16\r\nKey = a5a20d8139472a4cb38993c5711ac2ca\r\nMsg = 73e1e75538f9a63e49a068189e3b0a1a1e65ca5d1295589bdafa3136deaa287c\r\nMac = 320647d53ccdf2335a9c9a3452c1cee5\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 69\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 16\r\nKey = 57656be54860414e8a62223381ca4405\r\nMsg = 3447e82ecec6c8b6fe1e44ed91f933e4a70c431911eb86eefe222d5ad78193df\r\nMac = 47c6b5a28d723129648aef418b74daa8\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 70\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 16\r\nKey = e7b665600a2aa413e117c53816cbed34\r\nMsg = 5e4d49ab796025157add6d42258b9c506d9ce82bdd85c604360db0ff5aa4262c\r\nMac = e741166cfa2a58003dcae357d7a199b8\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 71\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 16\r\nKey = 693cbb46bc8366086ec7cd7776f2c563\r\nMsg = 5a908ae85ff721ffc5096aeeda5ee83bddcf639e7be68d109394e5253c22dc9b\r\nMac = 9d56b03ef83082f601a9cc8730b0de42\r\nResult = F (1 - Message changed)\r\n\r\nCount = 72\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 16\r\nKey = b4190e3462e07fca26496adcb877724f\r\nMsg = 02097035a312cb02ea7f09fc1accc230a205e4a208e64a8f204291f581a12756\r\nMac = eb9604ec71aac0cacb63e0b369ae7664\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 73\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 16\r\nKey = 4ae06c3b2940819e58eb24122a2988c9\r\nMsg = a2e7be3314238d7e4f604e134790bb15a87c09356c091b1aacb9f605b67475b5\r\nMac = 14b4507ae4b50cfe4989b544bede756c\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 74\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 16\r\nKey = 8d560de2e310ea69389221ce2e850625\r\nMsg = 04d9db45e4df19db757b9b95c25be43e822b8372ed148d49ce824a36da2b2f2e\r\nMac = 647f2874a083e82fa804b6c58c7b5c90\r\nResult = P\r\n\r\nCount = 75\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 16\r\nKey = 0e1a79c5d734118c19eaba700f5da238\r\nMsg = 026470d57dad9893dc037b80978bf70c2e552fe46c8fe8c3ebf8338bda984d94\r\nMac = b936ff3bb8afb9e42351a2a3ad49d70a\r\nResult = F (1 - Message changed)\r\n\r\nCount = 76\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 16\r\nKey = c88b1bc0050e19780ab53efbea175634\r\nMsg = 7207aa8fa87283f1f57019bf1c89645ff8fc36ab1102704e6d577671a9f7e098\r\nMac = c1dbd79e31c3b0bb824f16f735ccdfe6\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 77\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 16\r\nKey = d87df10a53eb3ea24c003d2a65e44921\r\nMsg = fedd5813146a8c2af398d6066956829833b75e44b6e010e4f025ac0fad6f869b\r\nMac = 9dd7cbb34445bfb351d01e8cdb21d695\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 78\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 16\r\nKey = 4d436a4a5c02b22ad49548b97216f277\r\nMsg = 2d73204f0b2d35806a8227206922ac9c18eff6ebddc73809179d67a702cf3e21\r\nMac = d2654d9bd6396075296cbe918d90670f\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 79\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 16\r\nKey = 8af7b74e35eb38f4086343bc329ab465\r\nMsg = ada1fa439c653d0cc88c0d129ba252e86c7d20a3087be93e920bf13d8e6f0391\r\nMac = 0fc9b177c874ea909b6beb1db1b802b4\r\nResult = P\r\n\r\nCount = 80\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 8\r\nKey = 91ce6c87860aa84053f42e1abc16f489\r\nMsg = 4c287bc16196698d762d5fb428e801975fdaa29026b7b78dba968bfee0f534f27cfec57c6009c55c6261e0dbb14bddf76944d0c0648b910254df6c240e8a1a50\r\nMac = c1ce12f51aa823d0\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 81\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 8\r\nKey = b7b774e5c9e2f6926660c48b8df52354\r\nMsg = 937273c7355e7b88a630d15be875234cacaa44e815f31997bf10b52c008cc3bb6d3724aaa0d7da0b391b252923d0eb6119575d346857d89af6af099883af5514\r\nMac = ff845eb2d77aa5a7\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 82\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 8\r\nKey = d7572ed0e37261efa02f8c83e695efdc\r\nMsg = 85a327b0c7a31a4116e7fae0c0971e1578ab6fbdf90124b9ecacd0e70c909f51882cdca5a8b6b7e6b46d4660122bc9e1ae3932269f68e594075dbc293a2d4eb1\r\nMac = b8b3b7526419e069\r\nResult = P\r\n\r\nCount = 83\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 8\r\nKey = 259129eb760f8a770410c160e4e13a6b\r\nMsg = 77d9c30",
- "6aa257379053cf1f2043c388a301dac2a9e2bb89eb8bab6eb3f150fe391b7a3f628be6b4b649c5c108a108f0e0c55a0800b9954251ab07e94450a23d0\r\nMac = f9376f11cbec0ec0\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 84\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 8\r\nKey = 6ccd61ed20f16ca7a78192f5b6ab5528\r\nMsg = 9211231ec382ecaaae57f34de1ac6bbb50741014a978160ce59c60491e64f30da0b8aa1442e42bc0f7e31973a0dd8c3c24eebeb7c329072ea7dd0b04bc163254\r\nMac = 94c275e6a4675d8a\r\nResult = F (1 - Message changed)\r\n\r\nCount = 85\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 8\r\nKey = 1cdc44c40efc3c0ed6fb84b0c2f78aec\r\nMsg = 818c636772036761af037c23aa8cb63e424f0ba0375b645de2f8f5af23d3ca3b9a5ca3951a6d02075a2c828eee326a2676ed8247164226b0267798632a519bf1\r\nMac = 74355397c7a29bb1\r\nResult = P\r\n\r\nCount = 86\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 8\r\nKey = 2e523e9d8a5532127ec63b220838f11b\r\nMsg = e6d067907610109b8789e1ad00542539991677b9efc97a98d8bfcb50f3e334d0844323207fcb5a47e353e76d49dd573dbd17278dcc287b41dea8126cc7f07ab9\r\nMac = 7bd6745c6f73d92e\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 87\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 8\r\nKey = 0eee5bc8994b723a580f67d45ccb194a\r\nMsg = 1dc4fcbc73dab4e73ed9d7606acdcd42b74972460c640fe50f028abdf255d9368fa3bc65b849ac31c8000eb47e5fade40ca167726aa927f2f043133d24ad0613\r\nMac = 486721355fff9cbc\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 88\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 8\r\nKey = 388468d10bf0b770cc125f8b7d359261\r\nMsg = b9aaadfb3f60e48f1b421a9450129d75af2ce811ab0b1661680e9d5b147c38167ac7252ed40d916ae1e4519c3857d2c9dc2c538a106951b26d16433131438839\r\nMac = e13cef9392f4a80b\r\nResult = F (1 - Message changed)\r\n\r\nCount = 89\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 8\r\nKey = edfe2e15edf0b0c28875651d4becfca5\r\nMsg = 70b1e2e4cf260b108f5a52d0d8234838ffd6ffe7b4acd78d7d6b95aa6342b598eaf402cb47396358ce61f8b4aa3a65bed0346e0036c3c5323f051f007aa58d0e\r\nMac = 7b70730219907d18\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 90\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 8\r\nKey = 6876df1a77e11165331a5ce2e0e6bea6\r\nMsg = 34b73ba208bbe1df06da768b0321243815df4ece555974dee2bf5732295f5ea9631939425e13c47681ae2ecb0bb85aa69be38560f5752a9d034222d91ad71044\r\nMac = 80e00df873439fe7\r\nResult = F (1 - Message changed)\r\n\r\nCount = 91\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 8\r\nKey = e65d5fd5f446b4eab63d56b0a5eb1d29\r\nMsg = 554395f9b113c0f2a1f155de171d6c0a805c838beb90c3756e8b864dc52517c03d8cb894d1dceae092f0e8784c7775ac664ad7320afd246086b3bc9ef237171c\r\nMac = c60f8ced2efd52fe\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 92\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 8\r\nKey = 5bdbd06f4df6e15d644f3a635d7bb14f\r\nMsg = 4fcc7c2763a8dd5bfe74e34f512be8042af9ba1c73a944edfb616ad47a8d34cbcf192f3e8be3101bb3709b29c2dec39aee1913e3ac524ccb76ad50c2cc3a3e75\r\nMac = af33d5a2746bfa5c\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 93\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 8\r\nKey = 13bf2f72211cc8e16ac1986a22e19f60\r\nMsg = 8ee212ed4bd110ca6a91b37bca59e19ba842e3a1b50619bc6b07ec02a09303ca5c66ba56e870d0b627d95fe829431244fe4f9218c862418f14a92bd76b5a3a82\r\nMac = 18e8cd5bd42c75ea\r\nResult = P\r\n\r\nCount = 94\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 8\r\nKey = e9b913c2f0630562eb1c16b3b1ed8409\r\nMsg = 031105ff01daa66ff95834e47b6f5c683994084d0fcb84c140d1dfa2039a95933efe6a4f91af993d966e2e45677eb1e36159047928a38eeaeb5c9a64ea59f97d\r\nMac = f00a17da0fb9e6b6\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 95\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 8\r\nKey = 6fa5a5991315702cba3beb33867c7bca\r\nMsg = bb0fabffbcc6935ca35755fd4bfbd192b6812cf75c4dc95bc3a175a1501be2065d7f57058cb7a5785a185dfff7e740a5551cf7c17e65051b2c6ef9509360e878\r\nMac = dcfd143f86442183\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 96\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 8\r\nKey = 3f8c6d21ec05bc439bf82774f1812bd2\r\nMsg = d726deb8537bcd671ddbaff8fcc6968f951b71aa82dfc802a53aadb2bcc2ef9a35fd90064320798b311d6d32f7dd3cd90bca39d57991eddc36260d23b108aac3\r\nMac = 449e20567875d56f\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 97\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 8\r\nKey = 8ed1a4873bb37fafd4f8c2ee417443cf\r\nMsg = 1652c9539bff4b6e9f303f3e6b5d4b9ff7e85aa2a401ee8c2dc7b722dbaf6424f92ab9188882e2483405070e8666204f5a600b46949cdb830fd57433d63a55a1\r\nMac = 601eb06acc5a4e0a\r\nResult = P\r\n\r\nCount = 98\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 8\r\nKey = 83a4669cb9961448cf418cb83a16098b\r\nMsg = 26d97c3e28460d46216da39e043e024ed08e387b1e5fcfd3f962472cf1bac4676b03039b3b93927075ff41c87fe1d4a56bd9fa4784d283942787cdbdd5457f1f\r\nMac = 01a42494a10691ce\r\nResult = F (1 - Message changed)\r\n\r\nCount = 99\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 8\r\nKey = c9e6d0b3dcd8ab50ba5ff31d9c1bd95d\r\nMsg = 0d32c1cd73569ab2b10c67c167875fe22625358ed3469b424c5e052d4e49af2c97dfe1f947c972a08c938b327e01adbc48a7f57a89b49f49fa0fca5b50a57a2e\r\nMac = 476add8ee51b5e3e\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 100\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 16\r\nKey = 17281acb525b13653000ab45d86e7010\r\nMsg = 225750ca982e5b34fc62e277eaaa0f248532abf374933e572b0278566cc7cf980df26abefb493ef57f8477cac0bd19408a22e71f4ded84906996d8e7a846b5c0\r\nMac = 0f2aa7f2dffcf7df34c84d101aa9bab5\r\nResult = P\r\n\r\nCount = 101\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 16\r\nKey = d3624653ad0ed144667df0e0e355c29e\r\nMsg = 39dd298acc45cb597f0733572677f7102536c0dd86fcfcc44895d29af92a5b6a87c20f1b53087d4c874f4083aad32e877142d20ad87b1d8b7295587bfd235d9f\r\nMac = 795da5a50f5b7df40317616b5a470c02\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 102\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 16\r\nKey = 813b3d579664cebe50a8e7050a0b4e65\r\nMsg = 78ad6517a09b99c1113d175f3129aade4d4a2516ebe054f15bc833d08ffe5e2a2d60c976e1b4b14cf8edd2c72baadb2db8001fd2b8798d39ac5ce27d592f1def\r\nMac = 20f40553bedb6496233e0b53143b6d10\r\nResult = F (1 - Message changed)\r\n\r\nCount = 103\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 16\r\nKey = 21095cdbe94afa27d84bcd68276993f3\r\nMsg = 10525eb2794d03409faeab22a6d4cc4ebc0421daacb0e865b0f94eb387722897c827e31676debec9d49c36837b6bc234a95bc10ddcc7b1e5a0d9a1dca550e93e\r\nMac = c0b806ce5eaceb51b53b028e6efea9c7\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 104\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 16\r\nKey = 6c769a4822523525bb36c02518475549\r\nMsg = 4af38908fa44b46873535b39f432d9b3e677f6d06d8719af3d15b936afe515fc13d62566481fd0108bd95f6e8dbe32b3c830b1f1127d868273610aa834ccfc70\r\nMac = c1934b9c74127cfd515521df330c0333\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 105\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 16\r\nKey = 6b454930925ca09d39e1e39a2e78fbfc\r\nMsg = 2bc884394ab7050c14d66fb8901cac109c0126668d918a4419bfcc5d75fb6bc2ba07f6598d06cf8cffd62f3eb29f6a033eac7490d27aa4701f0fb9f9718d1b7f\r\nMac = db19b8ef218018e5a53abcc39b7c514a\r\nResult = F (1 - Message changed)\r\n\r\nCount = 106\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 16\r\nKey = 5df295be7c44d59c44fead3f1988356f\r\nMsg = 3d7370cc2d61af35bf7b2ba50a143b23bfa0d1eff66c5ace2d8de5a28d17883d708fff7721a2977ee2164b6e34022c22523a0649ff0e40bc8134040fee02a065\r\nMac = 81b3181acbc2d6d2960ec57441ff3c40\r\nResult = P\r\n\r\nCount = 107\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 16\r\nKey = 387fc73be9f019913f2222d98053f95b\r\nMsg = 944daaa76249bd9d3bd517d01b074920b7d4434d1a2618af902e0228c3fca658244d990f8ca42208239c42d4827cf114140cabebc2a72bb3cf9277ef008c1c81\r\nMac = 5de79be9ff9c3c9d64f9cce35b188648\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 108\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 16\r\nKey = 7424990dee834ad05f4218861ab21eae\r\nMsg = 49fd56dec210e903f6c703332637f9c267eab9333e2701a16c74ce5e0b5a16d9da68b9c5d67bb6770a3c9a90a7e93fdd5759b27bcf3a753fa39ee7545fb60026\r\nMac = 38b66049ee8ed81f3f8ce2b45a4001ad\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 109\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 16\r\nKey = 232407986ad4a8e438990fd04ffa35bf\r\nMsg = 9d88a7970d4c58cecc20ed1811298a5b37297419ca49c74fe216679dafc938a656cb92bafb78efb31f24e71c2d5b5f994f6dfd82862adfd2faeb8c408fd22aab\r\nMac = 313d46dda3ccb75f497f9069c9478b3a\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 110\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 16\r\nKey = d9bd6ac153cb0bc4e19e59c45cfe0d6f\r\nMsg = c68094c26c7f017b79f126dc26b3bbcb95f97535ca412da5f7853e15fcb52f042e6492c857c22b26ffca5520eabca20ee2cec2f0b71ea60383ece49232065e0f\r\nMac = 3b17778955990ae58e03feda7fc43998\r\nResult = P\r\n\r\nCount = 111\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 16\r\nKey = 857fa35c6f70f637a9a5e6f215c694fd\r\nMsg = a1fc1307757ed91665980e2d3cf9778d8bffc9a84cce6bd5c5a07e47af5c1b409869db8286c49d07dd5083f1826e3ec441ce8cd36c85fef8c55fff889e761286\r\nMac = e1ddd63db51d3035adfd309ddc186238\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 112\r\nKlen = 16 \r\nMlen",
- " = 64\r\nTlen = 16\r\nKey = 501f5c58355d1800f155f272dd09afee\r\nMsg = fd3564848ceb5d8cddfd50732956d18b4af433efc2e2a914ff66aba1de7b9b816d81a936f534f47038dbf1def7c11144b7e99ecec5fee6a478899cbeb6677bfa\r\nMac = d995f9bae6150996cd9b798fcbc623c2\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 113\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 16\r\nKey = c1d636989dfbcb0edc9f014cc82da6b5\r\nMsg = 20ef1bbf8a719497797f1f1bc4617179ea682a24a92f0831cd215a01473bb8207e13f26dea1a467bde1ed638a51359ccd11210c4d0a2fb70c0374e8984f81f17\r\nMac = e4972a59db04f78da1728cab051faa98\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 114\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 16\r\nKey = b4bc5a4d40716fb06a359ef9537726b7\r\nMsg = 36594fae7b487798d62c2c95ccbf51c984df5ca6343465b2dd147c8b36a34028e53fae61f51b36b28529143cbd3edd0c077158a07bc490a79a06270940f7ed27\r\nMac = cfb3fce039ee2bb94b6961ff86688237\r\nResult = F (1 - Message changed)\r\n\r\nCount = 115\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 16\r\nKey = dc796e5d9b712c798922eef315cb4728\r\nMsg = d5755c40f52364343d2613420441afe9da9a5329d3c1e5a123ee49f5eb8ad47253f104f5d9776e08e9a9f74fadd5472326cc7b7c7ce61a1492474bc9de614543\r\nMac = 315f0ce76352448bbd8a5012a9907a23\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 116\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 16\r\nKey = b82fd283922e730a07f7ddb87484f66f\r\nMsg = 94e47b82b728d639777d5d5843de2a5c364956cb4b21cabdced2529b10b3f4275f307fbc352866d7b094cfd7426ae801aac17ac72335c04adb8d791da69b3c4c\r\nMac = 86e6a8485b43f1b258eb59688af91fbb\r\nResult = F (1 - Message changed)\r\n\r\nCount = 117\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 16\r\nKey = f6db7efdfe73dcb4a26b8448842b55e8\r\nMsg = a1fa1fcd5f095b2768e32cd733365a136a108e7493f212aaef27d86da253beb6154f103099344ee94db6304e41b4e856db0ca7fd7ab462f45a07d697b85cca1f\r\nMac = f998bba6c5d3efd78af9ef57e7a38f7b\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 118\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 16\r\nKey = 3c1ba92d096fba134dfb4ef412b2568d\r\nMsg = ba7725d74465f5d92454bff794e0be51c4d0af7d88f729834d57312c528d0a7d15694a7e0bdc334093173f1d2df1fd42e7891c6b192dc5ee527b2ffb92c66d22\r\nMac = cfe6022ad29a54627ae7c4f907ef4da1\r\nResult = P\r\n\r\nCount = 119\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 16\r\nKey = 4a92337f017a85b136ba6766444bbe84\r\nMsg = b0a3a8aa5d4bdfbb4c5c52acdcc60405c379f752b077eed42f2d7777cc0329047b322b9837d5f655ea445b578d9dc7e990a3c6f97cccc6cad7951ee948194e62\r\nMac = 153eff3c035db2fdc752ebd22302adae\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 120\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 8\r\nKey = 305ec69b23e4490e0f8a5241cb9c8c85\r\nMsg = c641cf589020b94026ae\r\nMac = 3bc054afa9771970\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 121\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 8\r\nKey = 28929286bd1391468ac75f5c03689f74\r\nMsg = 3813592f268a7a863c3b\r\nMac = bf1b514d2f899620\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 122\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 8\r\nKey = 1b3163e2d3a471b9823525abc7543c4c\r\nMsg = cada03e8c967f9732a81\r\nMac = 53702fa98e6f9a19\r\nResult = P\r\n\r\nCount = 123\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 8\r\nKey = be1ed49e2cb0caf6b6a0940c58453b93\r\nMsg = 4a348c5ec996f7a97ef0\r\nMac = 3358d143dff4adfa\r\nResult = F (1 - Message changed)\r\n\r\nCount = 124\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 8\r\nKey = f18be18df045ba31b80f3283cee6a681\r\nMsg = 93006a06d7e6df775b19\r\nMac = f3252f061dce32f6\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 125\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 8\r\nKey = b9dafe18a904ba761762ec3fe0e4120b\r\nMsg = 173887316279a47fc699\r\nMac = 884f5b21d478d60b\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 126\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 8\r\nKey = 31fee08df80cc1009e661230e25939fd\r\nMsg = aa54ff7466923b265fb5\r\nMac = 03dd2a9616f653a7\r\nResult = P\r\n\r\nCount = 127\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 8\r\nKey = 65a28d970b2bc7afafb4069c26d264a4\r\nMsg = 1aa5a3a4e6c5e5394e50\r\nMac = e0423589b192caab\r\nResult = F (1 - Message changed)\r\n\r\nCount = 128\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 8\r\nKey = 6dc38e37d1379732df4dd535db88d17a\r\nMsg = 0093c6d94aed50b398ad\r\nMac = 19b08e65d391c491\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 129\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 8\r\nKey = c5329fd99848e1cdcfa406ec09745ae2\r\nMsg = 6d83d0ad7cc7efd0d2ca\r\nMac = 8ec2709e1466f8d3\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 130\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 8\r\nKey = e608914a930b9c300b677afcb8689d63\r\nMsg = 146629e70b37d8b83ee8\r\nMac = db78a639bb15c84c\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 131\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 8\r\nKey = 0a998d3d390f5a80ad398b2070489984\r\nMsg = a91c1a8d9d268ad153bb\r\nMac = 5643a8c99b99d944\r\nResult = P\r\n\r\nCount = 132\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 8\r\nKey = 2b6f78ceace47509a43ceb6b761e7866\r\nMsg = 3c0a41a78240c9d2fc22\r\nMac = 811acef50d6c1913\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 133\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 8\r\nKey = ca481f557306f9ce386edd0cfde375a5\r\nMsg = 9f3488736ef6e2c3a51b\r\nMac = 57e8a0e5965399c0\r\nResult = F (1 - Message changed)\r\n\r\nCount = 134\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 8\r\nKey = c0dd1cfb3add04cd67a8e59be7ac8dcf\r\nMsg = a7c559c82776f429ac31\r\nMac = 7e43a2b43d030ff4\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 135\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 8\r\nKey = d3130d9e5ef516b6bf172953a37913a1\r\nMsg = cbe97e14c3100c9fc564\r\nMac = db9f674a2d0e9ed9\r\nResult = F (1 - Message changed)\r\n\r\nCount = 136\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 8\r\nKey = 9ec8661a880ebfd15fd8b04f2ae09dbd\r\nMsg = eff803e0fc809cc48587\r\nMac = febec8d41b6bdc1f\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 137\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 8\r\nKey = 6c2b091433833a0ed915354dcb70d982\r\nMsg = 90f1416768fca7dd48d0\r\nMac = f6ada24319e502ab\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 138\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 8\r\nKey = bc79d444dff9d9e722effab07b068cb7\r\nMsg = 07d5a925b724e2443936\r\nMac = f964302c270af24c\r\nResult = P\r\n\r\nCount = 139\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 8\r\nKey = 1a15b24ba5d9648358f2c39c9da8512b\r\nMsg = 15b94910853a8f23dfb8\r\nMac = 8cdfbc13239e6aa1\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 140\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 16\r\nKey = 618fb69c8fb670250c306b3225687d17\r\nMsg = 7f54845a57d916866eff\r\nMac = c0d4db73891bb1efa232593407856808\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 141\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 16\r\nKey = 8000aa080c127cbabfdfa5d9d9728c7b\r\nMsg = e53101e6eabcda32c13d\r\nMac = 5671badc409d4b170d4c861a0b3e1fec\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 142\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 16\r\nKey = b05b5557ab145cec2f00706dbc6a3c23\r\nMsg = 5e2f601395ec406fcf96\r\nMac = d00243508d25804548c4b4b512cb1906\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 143\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 16\r\nKey = e8b13346b61daedc1f9e3b49df8d1cd6\r\nMsg = 0593365419e0f75b6323\r\nMac = 871eb97850a776e7ad498467064484f9\r\nResult = P\r\n\r\nCount = 144\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 16\r\nKey = bc498326755503ff25d02805eb351722\r\nMsg = 9ece4c82fe9d38ef64ac\r\nMac = b5e88af50d1cff3d2b6d304edf042c43\r\nResult = F (1 - Message changed)\r\n\r\nCount = 145\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 16\r\nKey = 4d248e73886a0e36b3ce7c6113477f4d\r\nMsg = 8de6fe3b24fd6c202ef0\r\nMac = c1a4f6d0ff7330171cfe570e900ce2c8\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 146\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 16\r\nKey = b1b9fd78e3f8eaf4e8c91da62b2da534\r\nMsg = 482ea6f652067e8b791c\r\nMac = 63c6994c98bda91723f832020fa7d223\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 147\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 16\r\nKey = 85e4e63341658144a99fbd17d94e3177\r\nMsg = 21ff834bec4ec6384522\r\nMac = 580c1e549a2ceca4743256a9cc972e84\r\nResult = P\r\n\r\nCount = 148\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 16\r\nKey = 88b5448372548e6aab1b262630a28a47\r\nMsg = 36dbbff560ef04ea731b\r\nMac = 5fd17fd704baaf1ae6b3330ef2989dae\r\nResult = F (1 - Message changed)\r\n\r\nCount = 149\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 16\r\nKey = 8cc76730ca47620d0b437112a2c93fd0\r\nMsg = c73be9f019913f2222d9\r\nMac = 2c73e2b5b84d8f4f3db1fc92831a03bf\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 150\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 16\r\nKey = 7b657c640f155f1ff461c83cd656614d\r\nMsg = be9c5e77bf1b9dcbd4f1\r\nMac = b660ec36c0c0b4d987439505f1bf57e8\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 151\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 16\r\nKey = d5044e9f10bd274aad4f7e605bb828f2\r\nMsg = d0be84df789c98dd125b\r\nMac = a26e513b09f184caf8d76d76961d1466\r\nResult = F (1 - Message changed)\r\n\r\nCount = 152\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 16\r\nKey = 24d6d4bdc9fc4cd05b2867e9123acf18\r\nMsg = 0f9703a3454c25c0b105\r\nMac = 41676ddadb7b960e0269c8a59a6d9b91\r\nResult = F (4 - Key or Key1 chan",
- "ged)\r\n\r\nCount = 153\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 16\r\nKey = 6aa049d06bf66d2e2b65541eaa3730d8\r\nMsg = c562ab24ae5cdb7654df\r\nMac = 0d4d1196158fec46bfa754a526ba4a25\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 154\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 16\r\nKey = cf3727509577f1932bd7a92589c11e67\r\nMsg = 831188efc5d1f6dc9bb8\r\nMac = b5d162c885d7d4f6f65f4188d6582240\r\nResult = P\r\n\r\nCount = 155\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 16\r\nKey = 0bc2fdd890c19882640f8d4188b88b9d\r\nMsg = 296828cbee50f41d19b1\r\nMac = e583d77645a603d841eaafa8860bfa91\r\nResult = F (1 - Message changed)\r\n\r\nCount = 156\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 16\r\nKey = 5bab8051e2520b75673068b9cda93cba\r\nMsg = f16cba03402f9924daa3\r\nMac = 97f7eab25dc3ab017a9affc0e400dcc3\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 157\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 16\r\nKey = 7ac46e3249ca28e1ef0531d80fd37c12\r\nMsg = 3e9ddb8121760bffb7c6\r\nMac = c6eb13d5087d05b4eba2e74b283b7fe3\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 158\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 16\r\nKey = 40f78f7ad3eede36e13bce222c6a4bc7\r\nMsg = 4fa8ad212ef73d37d48e\r\nMac = 3831419e62b51b7ced0d9117e48fabf6\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 159\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 16\r\nKey = a1f82c9924411e98e6f93fa0d07559e2\r\nMsg = 7d4748147575bc0113ab\r\nMac = c23dbc58fe22b34f7b007590558a3080\r\nResult = P\r\n\r\nCount = 160\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 8\r\nKey = 84760f98ec565d281496b1295b25150e\r\nMsg = 9ce942ec81f8226506d48788e3acf49fcab6da22\r\nMac = 606c2f459a9ce198\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 161\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 8\r\nKey = 3b6dd5169350b230774b02b9b44f06bc\r\nMsg = adb1ad81dac0ebc650d48f7a9329755a83f293d0\r\nMac = d7ceaa858508c476\r\nResult = F (1 - Message changed)\r\n\r\nCount = 162\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 8\r\nKey = f98d00755bcb45e6822121fe7cb03c8e\r\nMsg = 7064a2491f716f4a2969815e4a281a54690ced9f\r\nMac = e14634c400b9f561\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 163\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 8\r\nKey = 5d27cb435e7724a246f158576fdbac68\r\nMsg = ee8ed4c12b0cf7c03bf91fba31a6a7b2d64c36c4\r\nMac = c10b474c0077a39a\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 164\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 8\r\nKey = 098c12058a0bc5951fc092aba322e1a0\r\nMsg = a2b76835229017bd0e8167a40ea1e2e18cc5db0a\r\nMac = 1d44128c3db0f7b9\r\nResult = P\r\n\r\nCount = 165\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 8\r\nKey = 74f7f6516a17d5386c289756240241ed\r\nMsg = 8eafce9ba466fd53eb87f499d7c76bd486db0e90\r\nMac = acd978e0065375b6\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 166\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 8\r\nKey = 013bba67d26c7e52ae48dda3b67c9c96\r\nMsg = 48c0d53b85e6fa4928d3e9953afb9b451bc91a48\r\nMac = ef41ce0d30baece9\r\nResult = F (1 - Message changed)\r\n\r\nCount = 167\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 8\r\nKey = 14cea4c46d837c9439b088fba0e9d85d\r\nMsg = 3477384c396a9e9efb3e169722cba779fef240c4\r\nMac = 902158426696c229\r\nResult = P\r\n\r\nCount = 168\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 8\r\nKey = 24f7b08fc2e6af6402243e22ca0626f9\r\nMsg = 914cf55a3fc739b5f87ac7518cc4171b4499d951\r\nMac = b775a3c1dc11d074\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 169\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 8\r\nKey = 35b5428d440503773f30748ff843be68\r\nMsg = a5e5804cfdded4d610d1b05b7313ece84f369ccc\r\nMac = 6dac0947366be803\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 170\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 8\r\nKey = c8afe4e5b1d019c2efdbeda65d874ba9\r\nMsg = f739e632436470b5a1db9fa9796ed384c0523f40\r\nMac = 04c8aceaa8f8c3a1\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 171\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 8\r\nKey = 05a7910edcd7252b37e6d3d080a9ee90\r\nMsg = 702db7761abb9b5de41a86c8659270570be9d52d\r\nMac = 889a990539cbc30a\r\nResult = F (1 - Message changed)\r\n\r\nCount = 172\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 8\r\nKey = 4c8b0850eab7b212ad96dc7a032f8855\r\nMsg = 2de32ff6ca41b4c97424b121b8ad4edb133c00ea\r\nMac = f5ce7f46d457ec37\r\nResult = P\r\n\r\nCount = 173\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 8\r\nKey = 687bcb63755f2b5c7daf4a154e8525a8\r\nMsg = 02778ca34db1cb5df76cb1a7619448f67d63b26d\r\nMac = 49d48bb0a684c6f2\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 174\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 8\r\nKey = f8c4e562fde4379b08e512b0132766a4\r\nMsg = 627868b46ba546252f4eaa1c25205ccff72902d7\r\nMac = 5459c0ac5bb6701a\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 175\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 8\r\nKey = dd235b05c15479dfe0326ba206ac784e\r\nMsg = e044ec24ddc0605bca89925a4ebc0234811e2a0b\r\nMac = 5ed0a03da09555b3\r\nResult = P\r\n\r\nCount = 176\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 8\r\nKey = 665c2d7d6e69c2ce8f0d06b41038b83c\r\nMsg = 4fcd7541000cfc223fe9da6a030c681d0fb926cf\r\nMac = 1f022feb38ae6131\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 177\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 8\r\nKey = 2efb7cd914a59b6ad63b7d1812f254db\r\nMsg = 67c9fe3e163787705a20f2fc8c468c4f771991fe\r\nMac = a866d6a31c0b42e6\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 178\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 8\r\nKey = 74f6fd37ccb4b7702bb3a03b7322c0d5\r\nMsg = 011ecbe98c5cb7734476dedbb852e2474a5ad594\r\nMac = 707ec713b9bce5d5\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 179\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 8\r\nKey = e673b3a954a00082cb7516ca9a54d9a1\r\nMsg = a6fbd41a838bdf0fab3e7b56c27a8c18dc4bf970\r\nMac = ad4dfde057b54a27\r\nResult = F (1 - Message changed)\r\n\r\nCount = 180\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 16\r\nKey = ce5bf070678cb07e963263b1562ff793\r\nMsg = 2bd10c4397a19fc79a307116a0847e0aaaefe813\r\nMac = 299e5910f128a1f091dfb6b70f6a60ea\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 181\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 16\r\nKey = bf144c9bb974729aaa1188ceefdf85e1\r\nMsg = 5e1ef2ad86ceaf5439fe87d2ec9bc41b52e5ba01\r\nMac = 58b4a32ae55966e42712721363ac9eda\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 182\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 16\r\nKey = a0cd07b684bb9e0e6692e320cec4510c\r\nMsg = 6e1e490a30f0c9e3d3b79f1c36aab742bd67c585\r\nMac = 24dd518ffffc1070f13d50d0bca42711\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 183\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 16\r\nKey = e3ceb929b52a6eec02b99b13bf30721b\r\nMsg = d2e8a3e86ae0b9edc7cc3116d929a16f13ee3643\r\nMac = 10f3d29e89e4039b85e16438b2b2a470\r\nResult = P\r\n\r\nCount = 184\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 16\r\nKey = 4073251950e3331d03d67a2399576d28\r\nMsg = d5dfd0321b26e578fe987456ff061dc1cdaa4161\r\nMac = ed2823fb8fcae918064cef6211646e50\r\nResult = F (1 - Message changed)\r\n\r\nCount = 185\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 16\r\nKey = b08f47101365111133d974e8f0206507\r\nMsg = cefe484955fae117649ec158416a7439f29a596b\r\nMac = 3317717c6c0b138275090ea961c8d58f\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 186\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 16\r\nKey = 166fb8d0e110124c09013e05688605ee\r\nMsg = 24c65f715742da7d06046c783a35b2648180b4f2\r\nMac = d27901a86dbf0ed8bde0d69203646b7a\r\nResult = F (1 - Message changed)\r\n\r\nCount = 187\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 16\r\nKey = 20f6f56117758ba47a08dadf93a59056\r\nMsg = 7514e0f402e73d9c0b0576782011b2e6b2080a6a\r\nMac = 11cda489b6dc0ab48d111ee6cb26a829\r\nResult = P\r\n\r\nCount = 188\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 16\r\nKey = 7fa6ef35ad594a09cb74daf27e50a6b3\r\nMsg = ac0d616ed7dd3c3e86b3507d9f2bdc3a807d490e\r\nMac = fbad2fc6c9d0e5d21b25445f499eee10\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 189\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 16\r\nKey = 815871a8300471dc325f8289d0d37211\r\nMsg = a8ff31e90556236cb4df078943c1f2528b42a7ce\r\nMac = 5544c93de980bcf653354ce08aa9dc3b\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 190\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 16\r\nKey = 06aa3f6fc20f867b42ec234a1bcb8665\r\nMsg = 25df5cc617e6e68be181694721a2a112a1bfb7c6\r\nMac = 2eeb7ab470caea3317a6336f5eee24a6\r\nResult = F (1 - Message changed)\r\n\r\nCount = 191\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 16\r\nKey = 860f8fdb021b1974d40e3d4bc41fa967\r\nMsg = 6c982a616510db422cc2f1beb955c3e7a88b6097\r\nMac = d2280a55cd0bcd18846b4e30db6322bb\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 192\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 16\r\nKey = 15105c6285a9015d0edd414d6a806bd7\r\nMsg = f1cc55636836e67909ed3a581de20630226dd5af\r\nMac = e9cc5799a630c6f26087c1bd3b6f1791\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 193\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 16\r\nKey = b47aa890b03a8ac0dbc8f96c30fdf7db\r\nMsg = 58b06c99e0d0256cb1c556ec3b48a3bce73450a0\r\nMac = 3376cacc247686832736cea7e67e13af\r\nResult = P\r\n\r\nCount = 194\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 16\r\nKey = dd057368033252d9bb2081a0b1a0229e\r\nMsg = 81de8f50fbe35f7ed95430e74d28666c885b6100\r\nMac = faa08c5a3a4ffdce81ca31873197d0",
- "35\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 195\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 16\r\nKey = baf5afafd7d0c8ad42a44e4e0a90fd2c\r\nMsg = cc5a4209a6a60dcf12621e17150b4576b918732e\r\nMac = 5a43002d9144a1d5e48c2dc8dc167a52\r\nResult = P\r\n\r\nCount = 196\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 16\r\nKey = fa6405355bfb5065dc81e764d20277bb\r\nMsg = 5dd1febed8e94d4715e772c3295b48eaf471daee\r\nMac = 29e96ce5ba930134670b3c68b5c512f3\r\nResult = F (1 - Message changed)\r\n\r\nCount = 197\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 16\r\nKey = ad2e3d3af6195e74b3e43296b1f618d3\r\nMsg = ca776f79b8581014ae58a4d533b60483fd1fbbd0\r\nMac = b32ce1f493b126fccb9829d4dbe76382\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 198\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 16\r\nKey = 04ae7190f0cabd117d30a359f80b720c\r\nMsg = b885e5e147f967032ab2552829a6e09210c44a45\r\nMac = 9386d73a01960ab399bb7d290674b21f\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 199\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 16\r\nKey = 51fdc65f6bb0d20a3c08ac1493ddddb2\r\nMsg = 1f0a56fb615b594d938bb8a27f4b2f5463ee9a61\r\nMac = 8506fb1b74806381e2654c8764464d8d\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 200\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 8\r\nKey = cfb7e930b838dc3644f6c06f2ad0c8d1\r\nMsg = 611db4c194dbb54d80a4f4fa731cd9a6a330eaca734d3351f2cfebaba4bd541d86b3e35b4c1fa158edb0d15d610cd359a9c24878117f77f6b284f0363a576e0ef0\r\nMac = e9589a711f5d4a5a\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 201\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 8\r\nKey = d179dfeead9d765d000462785459b1e2\r\nMsg = 795ee78ffdf302f3f1f2b31629ae918409cb42979afe3752dd14968d603678520e6b55884b5ebcce416248aa74b3cfe39dfedc2bb5246001503ca4d62cd7826f0a\r\nMac = f16ea84f554dfb54\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 202\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 8\r\nKey = 22b7eb25e688672ab0e17206623094b0\r\nMsg = d830b16fa236a1dbe60f6db8d7e81a3ddb5f658c9f446e94639cae3699ec2ea6afb4fb152939d58df287271cf4b73c34e66eaf5265a623de47b135522c7aaf9f55\r\nMac = 16229efcb7523025\r\nResult = F (1 - Message changed)\r\n\r\nCount = 203\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 8\r\nKey = a64fa98b4662d801159f61eefd1c8bc5\r\nMsg = d5982c462ad40458660cd7b120ce07fce9afe812caedcebdee536ac19b5d561d679dee8ea85d62552c86093a2ac1f8d179dbd4fc006ee4b16ebe6afd2be134498e\r\nMac = 2f9a2fbcb96461fd\r\nResult = P\r\n\r\nCount = 204\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 8\r\nKey = e4fb10325d18666c382e6cc2442381e1\r\nMsg = dc28484ebfd293d62ac759d5754bdf502423e4d419fa79020805134b2ce3dff738c7556c91d810adbad8dd210f041296b73c2185d4646c97fc0a5b69ed49ac8c7c\r\nMac = 8f771ffe0c8d3445\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 205\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 8\r\nKey = fdcd3459061c36c9a0daa0dcab2b967f\r\nMsg = 1cfa3342540d03ec3fcc8378c021443ba3321fbc26dad7c5b859faba004a082a21d6d7a43d2836cc3820d1adbe4c55518714d48fd9346a254f702107da8212f605\r\nMac = 6635f9e17949a14e\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 206\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 8\r\nKey = fc593384e6eebc508d181fc49ee10e56\r\nMsg = a6c891c9dd1fcc982c35bc74cfe71651bae424602519672b466d80e160af51eefccc5fcf76467a25bce1a10853a0209d9beffbeb53228fea5f1e77ddc956ade207\r\nMac = 7a6fd94e3928d2a0\r\nResult = F (1 - Message changed)\r\n\r\nCount = 207\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 8\r\nKey = 4e4ff248f591ca27665960d9357a8de1\r\nMsg = 198d5c9c4aa35d12b62e8c4bf6f3f141e6ebefd8ab396c71f55e32bc82b094cde409547383bcc4c5e5cd2cfd2d616c8ae273e260f2c98e93f7267424b8c2421bf3\r\nMac = 9140f91a0cf70762\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 208\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 8\r\nKey = f20826990acdf225d9451a3d22f89747\r\nMsg = 03d340904ace1cd52d4b72a96d96afd77aee68ac3936415005ed0d56f46036915b1e5f2994ad49effe7bf3ee46170642e5a16f2eea804e68fa520fb79529d6c09a\r\nMac = f30b668f16bfe6c4\r\nResult = P\r\n\r\nCount = 209\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 8\r\nKey = c231ea8b75c65de68c49b76e7a3128de\r\nMsg = 5b50879191a6debdb96c0bfaf9086b7dc6e25594416b08d2c75fe16cc347d2e3c7410fe3dc030a6c161ea22f6b80973bc43d42d8558f83b32a1bfa3c03757a4d62\r\nMac = 65ba53ef4711e807\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 210\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 8\r\nKey = 8ef18639bc8c831dc0b4aeeca25eff4f\r\nMsg = 094c4d9baead7c5acd7dc58f3b4b4f57f1406b4e6af81a034d90cfa94c01760f4cacb4d2c63671d16d9594e1116b0dc2c39319523afac10175b1a485a240f7cf3f\r\nMac = d84f89e16c3b1633\r\nResult = P\r\n\r\nCount = 211\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 8\r\nKey = bab9d79aae4a1b282d8c5aa35d5c0876\r\nMsg = 02815f53c2be5f7246d4794895b4b15b6c3944819dfd3051b371f6d7d52d9f8ced84fd84095c33ea013c78aa5aa7176d6aa9bacabdafe9bab89cce4d7c183b9c0d\r\nMac = a01f976031bc8140\r\nResult = F (1 - Message changed)\r\n\r\nCount = 212\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 8\r\nKey = 42b97f583f64d88358885c66add5d03a\r\nMsg = 187fe16a764c0987a28088f5cfcf55a6b9591b6395d2d41043e09932cbc4b8ae073d08d39da9799b316eef2ed89851a8cfc4dc1c6d3cbed95663e0ecf25403e61d\r\nMac = 0820b1ca0cd34e5f\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 213\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 8\r\nKey = 4fd555bd3a5253a90b68b5d4d46bd050\r\nMsg = 1ef253c61ac8ac66734ea80eefc1dc077edd660dc3518b5ecf709f10302925a72a3938e7449f2ae707506a67022dab63113242e9dff0d027aa3d22c8462a558165\r\nMac = 3770a6cc988a28eb\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 214\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 8\r\nKey = d3a8eb3f9e5fb264ff098d85c28dd763\r\nMsg = e97a0986bf75e0e821f5adda80778863d9d479bd8ac3e7fe64a053f8016c465d581487278ef6923610a1463bdedcded62aeb22fb210dde9a0949947f8c6a6e7753\r\nMac = 4947e6e28dbba216\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 215\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 8\r\nKey = 3043857fc40be37fb0bda4f46894690b\r\nMsg = 14874a8b59b0178c5ec89cd7316d909371969c1a1a1bc8a29f78341d39ce085e7e2aad7c350a3e7b691d3929bc4b7b47fef56be9fe7e7520a00abad5308505f8f6\r\nMac = 1a8c82e9109a68a5\r\nResult = F (1 - Message changed)\r\n\r\nCount = 216\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 8\r\nKey = b325d425c810d22deb3209f29c5c1377\r\nMsg = e44c4202499440c12109296a35dfb1f669f97e7f415cd251a5e36943e134a548f0f2e841fa3541151b374c04665053382a24b99d731b99f3d411aa22644f66cd07\r\nMac = 84faaeb5a9756a27\r\nResult = P\r\n\r\nCount = 217\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 8\r\nKey = 7cb6a84e99f5573c1eb27c0078f2127b\r\nMsg = d7fa7be9c10252d6e41bc1a08195a344ef77b81785cea6b4ba453d398bf6ffb31d80e0d6a45a4af283676422b5ca94c76bfb4334f61ae0abe884278976a5a3bd21\r\nMac = 64fa7f9284c24f14\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 218\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 8\r\nKey = 00341fb81209c2abdfe3a9d607b98277\r\nMsg = 74f6fd37ccb4b7702bb3a03b7322c0d5fcc657cb2c3f1361488d853589d2d6207359b65d62d896ed66f217395000c2fa0d11f956332f2d4bdae55251adfe903b41\r\nMac = 4cf05b6e583c70f9\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 219\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 8\r\nKey = 647a5be8a66c83b4b238975388e15d00\r\nMsg = 0db33eda4188a9165147e24e40f79fee1985eb68d51627287e9c4ec995a77d89b27fb2fa6a6fd3fb7563f3e710b6d20ca145a25f9ac8116d9f628395eb769f75f0\r\nMac = e8ef4f3cd7442246\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 220\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 16\r\nKey = c98fc3416457d9eed0fa7ab1dc1b8a6a\r\nMsg = 190ae57ab8bb70464e4a10c112a54c646438301b5662f3536c26d754a02451d1a9c76abd7dbf656115b2a2ac702ec2cadae30cf86e0f0f96da39897d6222889428\r\nMac = 1bea94a457b2886e9098bf3ded932a3a\r\nResult = P\r\n\r\nCount = 221\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 16\r\nKey = 87428d5a53f750abdb335f70ee13b5d1\r\nMsg = 7bb0c2ecfd141e7e93a897b259732b6153af3542eb7289b1a18dc0aefeb4d129c9e0e27d7ef25d3afc9945277e75cb87cc7d1c9cb39e7e6ab2a49bbdf65e1c6d89\r\nMac = a854d2da46afb77a787f0606a69cf467\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 222\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 16\r\nKey = c725d9ef0dc6cfca84865cf5cc91d403\r\nMsg = d3208eb695e84c7a9250378e18be2f231ca3ebe72ba68e3ea4ff7bcf25206b43439bbd497e400dde738507cb542c7d6f961fb8bee99f0c8a6d9daf022368cc78a2\r\nMac = 35d57445a5f10fd567595fc668293e95\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 223\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 16\r\nKey = 13e3fe7856cd680593a85cda3d6ff873\r\nMsg = b208e5a1a852caef0795150cf8313ee0cff06e3d28d438c2351484005661cbdcea6d8a3466aef0c6a460da4d7dc902ec99c073d086704112085a76dab0994fcab0\r\nMac = efb2bef5aae555463ebbeebe69791459\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 224\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 16\r\nKey = 9b8112c1fb29fba2c8b0d8f16481b993\r\nMsg = f54105a04a4a02a1a07e020a6a4f4176e9c92bf40018ccac434988c650550c87625b84bd232d0e5ec20e6f6c46ba061b22a7fe36098bc7bf031ec6d6c1214bdb2d\r\nMac = 673281bc0effe92adfac4fef49477ee2\r\nResult = F (1 - Message changed)\r\n\r\nCount = 225\r\nKlen = 16 \r",
- "\nMlen = 65\r\nTlen = 16\r\nKey = 82e71e3ad1bc9a12a46e460a05ad9c05\r\nMsg = 41fb3dd6df78fe267175297e208ac753d50aaabd9edbf5e45385dfb47988b3d966f31be7a6329fd89e2869bc6f7e4bac1e3a0300f193bdc21c03d9629c9fefaa64\r\nMac = 36f7df58abb54a053988cae066110ecb\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 226\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 16\r\nKey = b46e219217ab73c34904e24c6d995b72\r\nMsg = 887d6576572a3d8f6a1649394248c4d09d15026ffa930c0659508bac4243e7360802af084f363c2bcc4c91a04c6e86f4f8b22615d7915564949ab60b8267cb91dd\r\nMac = 10c1d8054ac549ad24ae4af2d8de97e2\r\nResult = F (1 - Message changed)\r\n\r\nCount = 227\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 16\r\nKey = b66edcc59dc9d8e34bea3baf4bfc0d5e\r\nMsg = 57caadbb1a56cc5b8a5cf9584552e17e7af9542ba13e9c54695e0dc8f24eddb93d5a3678e10c8a80ff4f27b677d40bef5cb5f9b3a659cc4127970cd2c11ebf22d5\r\nMac = 0c5864eefc04a6cac4f053ab2f65f851\r\nResult = P\r\n\r\nCount = 228\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 16\r\nKey = c607f631d792499ea43586b81fa3e2f2\r\nMsg = 21ed22abc7bbb62fb2d51d1fb8830ca95b16213f56291af976274934ab0d43805f71d9b906c44973f7d4b59b7a94d35c2220e7405dfcee98499c1c1dc92a89d7d9\r\nMac = 4e65b3d58492a0eebb66928a8214498f\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 229\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 16\r\nKey = d9e9136339d361949242e4d8a0cd6917\r\nMsg = 419b9c9b093052577837862900e7de29273eb0678bf6238223b59176c78430b6f382f27bc8d9a95b53f26f1d12e545ccb434fa0a21b84fa7badb5872e208254fbd\r\nMac = 6c81094aded51ccd4da38d0412e7ca67\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 230\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 16\r\nKey = 6f349dd8b69dd41c6f246a1685115772\r\nMsg = a5a3c8afe5b84e0c3ba4f708a87b596d1b7c8694dbe691d7240e4e4815ad5aa4ca7e5b82c50989d092b96e80aa35e97f99ed79e75cf3b8750d0d263dc208289cb2\r\nMac = cbf41299c35e65fa4e2626430f95051e\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 231\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 16\r\nKey = c15e4e552c9197184b3eb0a74f5fffe0\r\nMsg = 7c4699a7d9e2d9f31410f20029676f3c97f5793f6732f95f6d33fd7ecc205d27b8e89eda803316a3cb9951f12111b4a6aeac606b43835a469eede86eebf63e5e8b\r\nMac = 77e77de5c5600900e5b928d4be3d5f8c\r\nResult = F (1 - Message changed)\r\n\r\nCount = 232\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 16\r\nKey = 2eda9b2c6d7ad95b644a8739580ab4a4\r\nMsg = beadccddcf392ee56a8913f057da183ab06ec538e581b52c027ff7f63574b32d8bc4116efa1c56f4a4a851695a87f5fc5f7c47b46fe67b0400f2599fc80fe68d7f\r\nMac = 948e63657b8b6e2d130f6f25369d6160\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 233\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 16\r\nKey = 233088b67b741f07859d122a6a406d89\r\nMsg = 5717ed57ca0b6921f04dcacad34e0f6210c36673dc9f4d92493ff733c6e5f1c2e56805ef622a5f496049ee0ef51a0d41e9d363febb87070be558e8af61e86dc76c\r\nMac = c778152b00760fcd85bced0f58861d13\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 234\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 16\r\nKey = b7471a8b2e50fb319f198a09cdaeb319\r\nMsg = 385f9fb139dbf88561b7a500b0c7b835fe57e2698c6d9f76de4fae6dcd45c47fd8a0811ebbfba35f43c17aa360f09c767c1cd9b70bb671fa638e852ace97cc73de\r\nMac = 1a8b81be875a4814e3f988c274784a63\r\nResult = P\r\n\r\nCount = 235\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 16\r\nKey = adf072ebb71e3400a2175c96fb0007a3\r\nMsg = a49840ab727bf6b03015eaca3f15a2bb64fd27b51b27fe7a2e0559c287ac8fdd4294ca990799ff66974624b8a4539dade66cf7f06b35d8dd2f8a36e6ec0bc83533\r\nMac = ceac74b3af8750467e3b3c51624d96d1\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 236\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 16\r\nKey = 1b1d471add4e7f4fe197e3a4a44d06ab\r\nMsg = da06bd1405028d93fefa3c037b5ad551879451a28314bae86a7591b359f56e4b4e26e6fb2fe7b1af0f930cc2ae785d113e8b16546d59dbae9f41e7827be1ac89aa\r\nMac = 16d0021b1f9c00b37fefb60af3358d87\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 237\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 16\r\nKey = af5d4991c189dada2cb552c3c52d599d\r\nMsg = 1bb1e0efa2d6811d2370a039a0c47c59683befbd46c04257f86a468ae25ba03304e865e62afae77a62b3cec7b3556aae0c60475a7bfb02c69f955c7f60cc8dacdd\r\nMac = d7056fe01f0ed1b20adbe05cbccc544b\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 238\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 16\r\nKey = d149441e667b245d4640e04c53ca6f51\r\nMsg = cbb34794bc8bfdf93d3c8d9f87ec1482b516b48b1e8a89b5e3b5df70c423a243384215b4bc69c76c6b18c497cf82088af74839a8c98895869a16294dfc094360d7\r\nMac = 64f5e8dce5c3e0f9cc224e306de70b87\r\nResult = P\r\n\r\nCount = 239\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 16\r\nKey = c2f5d4837f9f75fb440c3bccad7c2e69\r\nMsg = 6a84594c4b3865f047c96038060b5b413db0d4e081c62e405b815ecd9e3be651f8b9075dc8b032eb2f87c1416a5fe4195f51defe75f671f9a92d966ddf18724075\r\nMac = df8c8c61e8d604e24c7e3d0115dbe898\r\nResult = F (1 - Message changed)\r\n",
-};
-static const size_t kLen34 = 69750;
-
-static const char *kData34[] = {
- "# This file has been modified to remove the 65536-byte long inputs.\r\n\r\n# CAVS 11.0\r\n# CMACVer information \r\n# Algorithms tested:Alg = AES KeySize = 192 Mode = Verify \r\n# Generated on Tue Mar 15 08:40:38 2011\r\n\r\n\r\nCount = 0\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 8\r\nKey = 771887708683bcb3577fbd0e6c13cad39955eafdc226d17b\r\nMsg = 00\r\nMac = a0db9bb6e8891e92\r\nResult = P\r\n\r\nCount = 1\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 8\r\nKey = 733fd349c56d1086794eb20ed59ddc89b065bb8533b968c6\r\nMsg = 00\r\nMac = c76f82937b457105\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 2\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 8\r\nKey = 761d74be5fae170a1bdfa16081b44c1e49972e15ce0818df\r\nMsg = 00\r\nMac = c65feb3d5336dffa\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 3\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 8\r\nKey = 40f4a2261f154280a311f5b172c7ae34243cf2c59b98d37e\r\nMsg = 00\r\nMac = 05d920e78520839e\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 4\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 8\r\nKey = e27150ee958b998c8a7e8b9324ead937d15580d09d6ffc3a\r\nMsg = 00\r\nMac = cf60783b5defbe3f\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 5\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 8\r\nKey = d9bf5efb694089b2de533b1a65c12ae96d8c5bd75bd67fa5\r\nMsg = 00\r\nMac = ccde2029fb26c8ff\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 6\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 8\r\nKey = bcc658b2e53d51ed00c567ded2a124f8d1f85fc72dce5f80\r\nMsg = 00\r\nMac = 35d0d9ccab5b0f41\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 7\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 8\r\nKey = e31fdf3891c9068f621430315fb1daf418c328baf5e6da97\r\nMsg = 00\r\nMac = 8802047c11abcf2a\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 8\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 8\r\nKey = 16a10208e91807fc479607cbaa39fa9c7273d89ce403b796\r\nMsg = 00\r\nMac = fcedadeca37381c1\r\nResult = P\r\n\r\nCount = 9\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 8\r\nKey = 50fec559910391abc23eb7f5eddbc26a1031c0abd0a29ad6\r\nMsg = 00\r\nMac = cdc41e9b491092ce\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 10\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 8\r\nKey = 6e9e0ae953b1b486ecd6b766d7b961ab79bcdfe2ffe95e94\r\nMsg = 00\r\nMac = 5096b9fc700929c6\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 11\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 8\r\nKey = 48043c405ef221c281d1e88246b6e1dda77e072f9d10353d\r\nMsg = 00\r\nMac = cab96cfcaad5cc20\r\nResult = P\r\n\r\nCount = 12\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 8\r\nKey = 10c361934fd6ff77a5051879ff228b08d841660d48b4067e\r\nMsg = 00\r\nMac = 167e7227d59d65e1\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 13\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 8\r\nKey = 867ab71470f2dc3f5f11f8bfa7272dfc9c888e8e03323103\r\nMsg = 00\r\nMac = 96d9e7b084448004\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 14\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 8\r\nKey = 5b10c228b447968267293ede9131d9345daa18c11d71eff4\r\nMsg = 00\r\nMac = f7055fcd9e8a8fd0\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 15\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 8\r\nKey = 997b712cd9295dc43cc19b40679f218c27af3e8c638d2e5d\r\nMsg = 00\r\nMac = 79a13778151aaaba\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 16\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 8\r\nKey = 465b9364b3f06f3c28da12707673fecb4b8071de06b6e0a3\r\nMsg = 00\r\nMac = 945198b568ed3db3\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 17\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 8\r\nKey = d233ef50e0ce1924abd315510464ce22de377026529085ce\r\nMsg = 00\r\nMac = 240698cd0183f002\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 18\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 8\r\nKey = eb6e828e01930a4b0afc8bda63160942ce32df7b2c38a8c9\r\nMsg = 00\r\nMac = c68fc388f0633ecf\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 19\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 8\r\nKey = 471b8a2e5cb08c21d87e9eb7ecff1d6e6fc2335581769dc4\r\nMsg = 00\r\nMac = ab5e7c91c35a0e91\r\nResult = P\r\n\r\nCount = 20\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 10\r\nKey = 8b404993b4c3f62a57e4aef272788206c8076acc32cf3a1d\r\nMsg = 00\r\nMac = 6a3beff4d1d0e84ea4d4\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 21\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 10\r\nKey = 7cccb84fa5c1c795bc05a05ea5bc6497acd2de2d193fba72\r\nMsg = 00\r\nMac = 557b8efe4ca9c4e603f7\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 22\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 10\r\nKey = f1d434dac8cefca05ba120a34840531bf1542c8fd03b1ff9\r\nMsg = 00\r\nMac = e2c299a2c5159eb777cb\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 23\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 10\r\nKey = 7fac8beb476b470e13a404ded315db1b15a85c2783eb3017\r\nMsg = 00\r\nMac = 50faaf26afd61c5f616c\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 24\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 10\r\nKey = f5b4c2a9f096e13ab426dd8654fc7b8ae6a4a8d3daa16b9c\r\nMsg = 00\r\nMac = 535cde3d2c32788bf167\r\nResult = P\r\n\r\nCount = 25\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 10\r\nKey = f72879cc3446de9a0a43ae1cf08935b8c83f9265b8cb2258\r\nMsg = 00\r\nMac = 4eeea4a1847f2a30010c\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 26\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 10\r\nKey = 7021eaab074be980543cc70c809186d93652d7674c10ddd9\r\nMsg = 00\r\nMac = d98c93f4e0228ff68cad\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 27\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 10\r\nKey = 7fd546397a9a0129861fb6815d419a307f90d259d55f3503\r\nMsg = 00\r\nMac = 13597bb97e38f400e686\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 28\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 10\r\nKey = 563cfb49f1af034cd38d2112685a52ebce8dca93e84ca10f\r\nMsg = 00\r\nMac = 866bc21135b11ea1bc24\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 29\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 10\r\nKey = 17e9555b9b4f89cb63f2e90aca95c27ead6a099bc41c4c05\r\nMsg = 00\r\nMac = b04b3bd1719d35e80e2d\r\nResult = P\r\n\r\nCount = 30\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 10\r\nKey = a65d24bd1ab92d8d294d654423412860e113c976f12ed76b\r\nMsg = 00\r\nMac = 83c1c0f3e89f6584bdd1\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 31\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 10\r\nKey = 35555c801a2e7c68cd0c347e0f006be00fcce70fdd8d60ae\r\nMsg = 00\r\nMac = 7e3670cab617e79b3f57\r\nResult = P\r\n\r\nCount = 32\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 10\r\nKey = 138b3db9baca13bc66e893efee2b767ce6a912b172c2cda7\r\nMsg = 00\r\nMac = 4686805681afa38cb7c4\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 33\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 10\r\nKey = 1bc05440ee3e34d0f25e90ca1ecbb555d0fb92b311621d17\r\nMsg = 00\r\nMac = 1e9f80432b39f7318433\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 34\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 10\r\nKey = 5776d94b577ed26820fb13c00ab0e2d1a1c3589bfdc45cbd\r\nMsg = 00\r\nMac = 4d5f56d3543abed97233\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 35\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 10\r\nKey = 22e493c1f2e27c9be7bb07fc00fdd51089582d139b0a9f68\r\nMsg = 00\r\nMac = efe1c6493542a8412118\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 36\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 10\r\nKey = d52f030107a2becde77331fff0c24cd72ef62c0f46ae3e6b\r\nMsg = 00\r\nMac = d1b9c7f13b189cd828c7\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 37\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 10\r\nKey = be31363e5144d9ff49ee67efebeef6d9a97e22f8a3ceb209\r\nMsg = 00\r\nMac = 03228a1a80d5f3d87b56\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 38\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 10\r\nKey = 6a46492ab7ae5f3dbf16ee7b8876e0b4f0449f3b4f8cd89a\r\nMsg = 00\r\nMac = f016af853140edf22d31\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 39\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 10\r\nKey = 89ef2284d8245d87f88919d4d2f71a2df05ee21d85b7d689\r\nMsg = 00\r\nMac = acdbd54bfb1f20bb65cf\r\nResult = P\r\n\r\nCount = 40\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 15\r\nKey = f4e74acdeb91d0f0ab143823102d5baed1ffe168fdb5587a\r\nMsg = 00\r\nMac = 9c15bfd3c766f88190e54d395e5387\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 41\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 15\r\nKey = d9aa4efa5d75195a400018bd38f7d8cd53fdffe88df1837f\r\nMsg = 00\r\nMac = 4a11b22e871b051ea74db3f763f140\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 42\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 15\r\nKey = 13439fb32b1514d48de6002f5d12e19e1ced4caf35042602\r\nMsg = 00\r\nMac = 1412aad5e6b7f0d924700b438e0aaa\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 43\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 15\r\nKey = ffead92a4a5dc1eec6d2e441de9a9e1b7a88c607c9a79079\r\nMsg = 00\r\nMac = 6fb18d51e9a30fe6b7a6f405b3d3b4\r\nResult = P\r\n\r\nCount = 44\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 15\r\nKey = 176ad1686a81992e042d6497a305038ba0cabf74c6ecd8eb\r\nMsg = 00\r\nMac = f676bdc753ffdad36628b1724b967e\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 45\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 15\r\nKey = acd58261bcb2eb6345af7290b1d216c3016af6697bf5ab88\r\nMsg = 00\r\nMac = a6ae95e5a23b5f5a2dd8c8a520b9a4\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 46\r\nKlen = 24 \r\n",
- "Mlen = 0\r\nTlen = 15\r\nKey = 0b5eb52135dc6d9c1f56a2571c1389852482e7aa3edc245a\r\nMsg = 00\r\nMac = a46221058177012b073c6ebc6aff1c\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 47\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 15\r\nKey = 7bd398d1b9b45f7a024e70e71c1ee7132795fbaa2d63306d\r\nMsg = 00\r\nMac = 119bc07d7f3da0be3a87844b425c0d\r\nResult = P\r\n\r\nCount = 48\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 15\r\nKey = 47575b64fd4797cda8d67e9cf115ae850d7998c39d2f8709\r\nMsg = 00\r\nMac = 3f2010bdcb2fd70241475db9381570\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 49\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 15\r\nKey = 68627d802cfc43bb1a987e1ef4401fa84e8a7b2b43759f50\r\nMsg = 00\r\nMac = 1e0e3333ca5790a7e7df0d6d4bf860\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 50\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 15\r\nKey = 7f16b90a18deec135d32c836063cde963fc4e6daa1555476\r\nMsg = 00\r\nMac = 013e1d0bfc7a7a6c838ac98ce0da2e\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 51\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 15\r\nKey = 3c89c59ab30eba6e5be8f69f597adc534cb52e94259780f6\r\nMsg = 00\r\nMac = 7f9f1bdba93d26cc3c1f022244bff6\r\nResult = P\r\n\r\nCount = 52\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 15\r\nKey = fdcf28931c91b4b79c8f8332b4eeb3f995eb1ed2fb1e8ab9\r\nMsg = 00\r\nMac = ad7f8852f1bfd65dfbce3bb39db59b\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 53\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 15\r\nKey = 8f570ddd0963a80abec82caf8883eaddfd63cee9f375fa7a\r\nMsg = 00\r\nMac = 82b16380d804b8eef855afb5eb839d\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 54\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 15\r\nKey = cc1d70d3050f022442093e3210f5b45f1b610dc0f12fef74\r\nMsg = 00\r\nMac = d1dc61c2ef7e2cd1a4e43dc34c0ba5\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 55\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 15\r\nKey = a8a1cf9547543045fa2f00edf79bd85436bc1ae1d746790b\r\nMsg = 00\r\nMac = 48fc14782a351553ea453a3ec2538f\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 56\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 15\r\nKey = 123ff732cccb535ec7a1c47a6b0ead68df31094d896709a1\r\nMsg = 00\r\nMac = 8f29dcec0a5d026d6fe4dc64cd1d4a\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 57\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 15\r\nKey = ed06bd049d772cb6cc5a705faa734e87321dc8f2a4ea366a\r\nMsg = 00\r\nMac = e3fcf2590fa9ffe093bbfe8d3d7b0b\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 58\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 15\r\nKey = fa18c0b348aad167b7050c0ef6e7caf0436750873c7e4929\r\nMsg = 00\r\nMac = 630915919b6108770f5c3deaece1af\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 59\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 15\r\nKey = f66296bf67b6e91d8ad629c1b260cb5ca1985273925e73fb\r\nMsg = 00\r\nMac = 729f983d3b49b2ebf24eb04368a851\r\nResult = P\r\n\r\nCount = 60\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 8\r\nKey = 2f4a6501d8fe7b65f607757ddff6ed87ae0681b98b53331d\r\nMsg = 2361d2ed837c14b6c231daf0acf2623779e0d952e98e14149308807f79145c30\r\nMac = 9a8ad7bb37d79321\r\nResult = P\r\n\r\nCount = 61\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 8\r\nKey = e2d592cb412e65f9044257d78e7491f9f80c8b08102c2d5d\r\nMsg = 4163b7ad671761a3f27394776970b413e35a2c43ca85560cdd3c9b407bfadb4f\r\nMac = ab85ac3a4f92ee2c\r\nResult = F (1 - Message changed)\r\n\r\nCount = 62\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 8\r\nKey = 1534e69565cbc541bfde6901bd6e598e41a7a703091c2240\r\nMsg = 85b78269899a4712eaa9c3de041f5a74766ec27dd5265da8a117c6f277baaa24\r\nMac = 6b177203b17cc7c2\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 63\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 8\r\nKey = f0302d9a197a285909657d611ce12458b8d24652e91ffe8c\r\nMsg = 3fd6b98961f31c7b7fff0baf1cbb5884a9290ea7b5ee49915efb4b510b6ccd8c\r\nMac = d2d84fac8ecb665d\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 64\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 8\r\nKey = 2081442435626f7ce377132c46385510d9febfdd90c3f104\r\nMsg = c4185eb75fc23adff60d6380006a1c20fa2ff466ffddf67e99a421bfd729188b\r\nMac = 7373df1900b7a3df\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 65\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 8\r\nKey = 715fb6fb464513f3650a9d0c3687980ab9caa9876d69dfeb\r\nMsg = d60b3402ad9f5f09375862ae7a370f0c744ffaf5001c80e3fd150730ab848689\r\nMac = ba39c81c18821872\r\nResult = F (1 - Message changed)\r\n\r\nCount = 66\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 8\r\nKey = a4d9f94e644fbcd97e0d993cb0af507eed259fbcf8fd7083\r\nMsg = 677acb68500d6cbbf77a3f34f58840f0c16044827641dc43d6767ce98f85dd5c\r\nMac = b129c1785acf17ba\r\nResult = P\r\n\r\nCount = 67\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 8\r\nKey = 94b911cdc3137a6f7f32651b788eb82975660aea52b2c03b\r\nMsg = 549aa84bb182312dd016e3107f3b1f9c5b6a89b543561a450ccf713c76e66ad5\r\nMac = 7b92156f8b36d5eb\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 68\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 8\r\nKey = d3fff7b6f08dc4256239fc112890429fa00393e84e9b294f\r\nMsg = 15d1522654bcdce344b5d9753a0a6f31c859d547edf520478a8b5ae41506d5f7\r\nMac = 2d778849023fc9e9\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 69\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 8\r\nKey = 77bbda69ec034d73e02b06f0af30e2dab60ac80cb7822eb1\r\nMsg = 1e6ee96598bd014c95e9540f5cadfe6885cd094e04048e81633d1d634f065f09\r\nMac = d35f3c169f67b597\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 70\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 8\r\nKey = 544a757bc50658d7e73b25688e7fef86fb1f9f08ffb33a70\r\nMsg = e473fe5656713b3b0e4fd12c640e8c542950577f446b01d09cbc41b6393ef81c\r\nMac = e1dad03ab8d2f432\r\nResult = F (1 - Message changed)\r\n\r\nCount = 71\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 8\r\nKey = 1bebfde2d5468ba0a3031bde629b11fd4094afcb205393fa\r\nMsg = cf27b30423bd7e40d6b3aeb4b1bc01b40aec081aa00f2e3bc63ff61ac4b684dc\r\nMac = 617fdf927d0e4e42\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 72\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 8\r\nKey = ab83567833d2f3461b5fbecc0e366694bb5ea00933b2b3e7\r\nMsg = 58d43b9f1581c590daab1a5c56d6fbcff749e489acc3ed51ee6aeeac0104e6ae\r\nMac = b29232e882dcb8ef\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 73\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 8\r\nKey = 0e0fece7b6b659b642668e8ba3dca330523e70279155f485\r\nMsg = d8c35129ca5a84e2e6723332217f0fd2e19fd06eb27d84a93b75276270f97335\r\nMac = d7ea4755260630e2\r\nResult = P\r\n\r\nCount = 74\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 8\r\nKey = b15763294afa61bc27e0785500ab5739136f51bc78b65562\r\nMsg = 8e8271b2758964fa71520f26aab6f870fa76ea4aa220475b3b379ec4ef8e80a7\r\nMac = 6357fb64482d171c\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 75\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 8\r\nKey = 6dd6efd6f6caa63b729aa8186e308bc1bda06307c05a2c0a\r\nMsg = d2c9c1300f5a7520614550f9d23dcba6b41be6733426616f32912f155045282c\r\nMac = a12adaf849719778\r\nResult = P\r\n\r\nCount = 76\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 8\r\nKey = 35631c844313ac335aa0d590fec472d805521f0905d44ca4\r\nMsg = 766f9ac761a06f4e006f405f7b3398aecad253f5cb8653e091e17427ff0fc1f9\r\nMac = 49090265af87c220\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 77\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 8\r\nKey = 35008ef5baf263ae233758ca237dec1a51d67fcd3573094c\r\nMsg = a8f1b7b73100cfe1a03003331d9d55b75fb0d2596ede723fae9240581967ba38\r\nMac = af6c2ebe004c6d71\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 78\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 8\r\nKey = 6f383f798df8f4b9f0a99206cff82709c367340c7b3b0401\r\nMsg = 9668a011e5a3a613ddfd149b0e529e9e66665006f98e730400adb4a8226283af\r\nMac = f97fcc39e240b547\r\nResult = F (1 - Message changed)\r\n\r\nCount = 79\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 8\r\nKey = 9071be7a11dcf7a062d582dd5932f047396fd9eb71982bcd\r\nMsg = a8a6703044010f8301ea33bd9a808ca35838c9f58683ae3925ab67b9e1fe1ccf\r\nMac = 9065cbc5249ff8b3\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 80\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 10\r\nKey = 36ad69f192ae4dcab771aeeacf01bbd32609bcbbea8ff9df\r\nMsg = 6e60fac7c027aed4632444a95824e61e2c50aa3ecdaf09ed9cec92cec35adf63\r\nMac = b6bf70e67b315c256f41\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 81\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 10\r\nKey = 0cbb1d567bce009d1dc5bdb8115607213ed9a516389f728f\r\nMsg = 634efdf89ce2a9fcbd38bdc0b4cece54dfd7532880e0b4ce6eb3a4010b7cb1e7\r\nMac = 4f0af4ff9a9c9e844fe6\r\nResult = F (1 - Message changed)\r\n\r\nCount = 82\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 10\r\nKey = ec65afd2d72bf477c7fdd9fbe3f1694c328088cb5f39d9a2\r\nMsg = 10d0e88b0db8d515bdff3a791c830b28e4e3ff4fa63f45b31a3f73dfb457bf82\r\nMac = 7172095284694f5ccdf5\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 83\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 10\r\nKey = a76b981540ce229e73064af4474a7ca4a042d03a6e6bdcbf\r\nMsg = 740d4b25ca7221d0826057701a6bfd66c50a82f010a57be8c5efa0af0f761764\r\nMac = 94b657fb57cb2fd6ed3c\r\nResult = P\r\n\r\nCount = 84\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 10\r\nKey = 36bf85bf63b28093d2dae511990a0bbd75184044b033c66d\r\nMsg = c1fbbae61b81ae",
- "bacf151f1bccfb1584f3a211fe797996938c03e806392e14c1\r\nMac = 71796cf452f61db7f540\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 85\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 10\r\nKey = 67b79d9ef1a47867c7d21f19f99ed1085f17a9f092fac689\r\nMsg = d354c54151c9dcdf0d0fd8c51413c2645efafb2bf6b680b25ad76d3825a4c04f\r\nMac = e324e8d377447b40629f\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 86\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 10\r\nKey = eafa8699695431ab3cfa1e87ffeae4b822a391653d2e9d78\r\nMsg = bd647990f7afec76c8f726d1de806ca0cae6f708b5024b514f11c4320913724e\r\nMac = b0da9d38a1e821ef1f39\r\nResult = P\r\n\r\nCount = 87\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 10\r\nKey = 1fc4fcbc73dab4e73ed9d7606acdcd42b74972460c640fe5\r\nMsg = c86553a60da69bec1924788fc3ab985158a2d4788f33c01abead80974d26dd67\r\nMac = 992fd0b735b9fa9255c1\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 88\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 10\r\nKey = 618041501dfcfdd2b60d71c04d635f6357ad8b0643af77aa\r\nMsg = e7e6b57e74ce7afbde3697e2a69d61ca615aa3dfd32fe31f5521e6ca79877613\r\nMac = c183b8f21cb2aac7201a\r\nResult = F (1 - Message changed)\r\n\r\nCount = 89\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 10\r\nKey = 53bcc9e9244e2fa1752c61e65aa5c592138447ef9287fdcb\r\nMsg = 92e962f0086591b6f61c2ce5af62480722ba6a640c3f53806c421de438358721\r\nMac = 105d286777da3f2a03a5\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 90\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 10\r\nKey = 6d2429921f90a22893cb65c4530e56068e9944d0b0f61fa7\r\nMsg = ea2ad7b7d3f80793391af0328fbb594d79898e1047210628bbc7441e135bfbe3\r\nMac = 482a75ec0ecf1ea59f5c\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 91\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 10\r\nKey = 3100d3c70e823fee9a1bf486ec1c56771acae35246535de1\r\nMsg = 4e6ddae0d805afcd10a055bce584c848d050fb29fe8f1c64b18e1abfe46b6578\r\nMac = b0deaf1bb6d0425d1810\r\nResult = P\r\n\r\nCount = 92\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 10\r\nKey = 79aa6c03dde4bc5949921563264b440ebef71b3298da67b9\r\nMsg = 879954f977e945cd4db33d20e6749a6832677adbdd9c7e262e4acf632f665f45\r\nMac = 9863fe041d191777067d\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 93\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 10\r\nKey = 85467aa82c22ab019f9243c203b4371c95604dccee5d81ef\r\nMsg = b86edcc59dc9d8e34bea3baf4bfc0d5e117482a48e522c1b02a370e9124b379e\r\nMac = 54b2f4664eca96639f7a\r\nResult = F (1 - Message changed)\r\n\r\nCount = 94\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 10\r\nKey = d37e7aa9215cb5c2c2fe81834f200192ada3dd0f4ccb9d69\r\nMsg = 064f85a23e049529c74c4f8267abbbe685b6a838841a9e304fdf14b835eee396\r\nMac = 536701771f51d2ec354f\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 95\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 10\r\nKey = 72e8c7d74cec3e248fe938a1159d8d969928e6da26b8cf96\r\nMsg = 58019989445d5ee855e0ffcf84e76f3383ae09cfad74276a3edaf05cbf8d714f\r\nMac = 182d3bf14cc391aef27b\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 96\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 10\r\nKey = 5f847950d2a5d44137110594d3c0afa995b36422ab36d044\r\nMsg = 70523bc397417e09d791a4976960e02636ca7144a5681cf7b116daa33eface2d\r\nMac = 5f0b325fbfaede23de5c\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 97\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 10\r\nKey = b01e84220a7d514060a79088b754ac0beacb60e5b3a47020\r\nMsg = 036137cfed567fc5e234f18d6c2b8c7e9ae0f3fa526d6596e9a9ee7bf1abdf0d\r\nMac = dbe49af18c1e1bc99b73\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 98\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 10\r\nKey = d90ba47d7c9107b103cf167041dbd7b41d96016d93961917\r\nMsg = 2d53836a0437ccf27cdfe2bf2ad53f3082100a9f045cebe6b3031d21c9a6c5b6\r\nMac = 7252ee3b5eb76abeec9a\r\nResult = F (1 - Message changed)\r\n\r\nCount = 99\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 10\r\nKey = 02e5a1306f612bdec098458cff3e691d93f050ba11ba6273\r\nMsg = 4bef96da992ab9386a3463213773f3ca7164813a15e014ab819f153386fa04a3\r\nMac = 5fac9c1a1636b66e2f55\r\nResult = P\r\n\r\nCount = 100\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 15\r\nKey = 4c99ce359b8b82b67ee990529a10f2ecceadad456925a57d\r\nMsg = 89ed296a3ac03fbfb71422b9211799150b9d766a8116bebd48bd0a5068132dbc\r\nMac = e0e9583d784f87e0b7dd8fd7494a81\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 101\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 15\r\nKey = f085fb257ab64013b43a59150864a31e76c9ae94913a56ef\r\nMsg = b90ef6b773f250d4dac6fb9e62babad69ab424c96a8c0625987c030a91d27d64\r\nMac = 96f1dc9a1c668bb203428181c016ec\r\nResult = P\r\n\r\nCount = 102\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 15\r\nKey = 8109f3208d5cda0f12141e40c85959b72eff1a937dae7f4c\r\nMsg = 49ab30d5c01e91bf113764342cb8ad32e6af945341a9c6a0ee2319a910416fd6\r\nMac = d13777a33f9520793eb8cbcec047cd\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 103\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 15\r\nKey = 1eba29062320df7275a51aa090ab489571057e64f0ff6a52\r\nMsg = 754f03c2e298a699568d10c3e40390e0f8c398283ce1c35dbc4916fe479b87be\r\nMac = 87dcee48dfaa43e8223a2b338b220f\r\nResult = F (1 - Message changed)\r\n\r\nCount = 104\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 15\r\nKey = a04b976fa01411bcc9a3863cec91f486944fdca6e8754615\r\nMsg = abf45f39904a8f5766763fe80fa189ed9c6c15bb1a7a8fa0ae3058c9e5b87c63\r\nMac = 577aa39884335a4f66dce2a612515b\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 105\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 15\r\nKey = c6f0a3692c9280c48393b0dd763e5d0b90477f34ad69f192\r\nMsg = 737bab64c8a0fd6a07329bd729d2ec88685cb5404bd13a40e095a61846dbacbc\r\nMac = d61ad5f6d8aecb7b3fc1ddb1aff64d\r\nResult = F (1 - Message changed)\r\n\r\nCount = 106\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 15\r\nKey = 095eb52135dc6d9c1f56a2571c1389852482e7aa3edc245a\r\nMsg = 47c577d1a7e69828b5c3264738dd334be8d7678ec77bf1ccb5fec3843f85ffa1\r\nMac = 4fd309a62435edd9b1ac8861f904c1\r\nResult = P\r\n\r\nCount = 107\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 15\r\nKey = 2f853c1ddb31694985ea5e47322bfc8567fd7a74a46b0597\r\nMsg = 5719e671686e87e931c2c0e5842e907bf584d226e040645eaebb896b53a28c7a\r\nMac = 75ed56da2db0ffa101578118e3f620\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 108\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 15\r\nKey = 67f5adc0842d7e1a4f8591d678334c95ac83df95c4341c30\r\nMsg = 6c8aaf2f91ba87b61814ed689331264c7bf98c2223c426a4ebbf7b0db692a8d8\r\nMac = b7c591522e9a5a4f3af3aea24121b6\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 109\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 15\r\nKey = 8702cfd1ff87a749ceb0a7192f5a872740b7fc600845df4f\r\nMsg = d29b6a2d421abd00a59b756af34bd72a42f5557a2ed40f8a7ea59b2e05ff01d3\r\nMac = 33b597665d375c95464af2ad56465c\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 110\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 15\r\nKey = 64ec1fd6af554485856b7bb3c0ad16fcd9c4ec690914a09f\r\nMsg = 0418a0afc13d6215c7bd68b12a327587eb63c145120ea626fce59c16f7d66717\r\nMac = 80a85e77efe4f47d8938dd9c55d67e\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 111\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 15\r\nKey = f2991112c2cbd3038ae37b772a5090690006009f0c1965dc\r\nMsg = 231d72c9325f8c17aef4efc94855803eb2fc1eea601c84a98e8f7053840f0591\r\nMac = 14269c545a0e3d56ac9cb195cb6197\r\nResult = F (1 - Message changed)\r\n\r\nCount = 112\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 15\r\nKey = 2c6d7fb9e92d98a1dd92e96f6b4013954ce1aaa5de242e6f\r\nMsg = 87ec7423f1ebfc37ee83c85938d58259efd16e3c8e55fb871e9998baa9cac81a\r\nMac = 782b7ebbada87c3572a3918a03305f\r\nResult = P\r\n\r\nCount = 113\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 15\r\nKey = d95a1b24964bfea5dd5a65f5a1398c6f9d43b26d98b47816\r\nMsg = 92f9cf56188322d18cb41d723847e6d419cd163e2be71b78e7b8dbdd099a99b2\r\nMac = 2498787836840fe1411a17f153c546\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 114\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 15\r\nKey = 62f2490ba0c658848859fcbea8cc6774e24c9de979dd29d0\r\nMsg = 0822e3e6ba982091d532cd5271fbde25305d1f6e71880f81c618f267a9f122e0\r\nMac = ffb6c2a6c73245138ce06e458cf914\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 115\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 15\r\nKey = 1841161a3752de1491b2b2f519d8447636e149437478d2ff\r\nMsg = 238e36b73b474de88226d4298121393ac9162f1736040bcd717b6e8db85125ff\r\nMac = 4d1656a2c8632260aa55a097451fe7\r\nResult = P\r\n\r\nCount = 116\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 15\r\nKey = d7d9a5f750078f1a82dffe2c70e6b0016eb42d13e1a8aad1\r\nMsg = 28a107d22fcd0499e0ea5aceda6dbc288a5f1d9da003c626bfb9a6c27922e9bd\r\nMac = b67bc2e20c422f9c7c27a84ba0bcfe\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 117\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 15\r\nKey = dc3ca30782c9c0a7fe8923d4b8d31aaf21e63895f51fb2f1\r\nMsg = 8716298bc17ed51aa273711873e2c2863e7a5021e46a183e6c6c81f99c02918e\r\nMac = f41b1896a22db30dac50b6b3e5e2b8\r\nResult = F (1 - Message changed)\r\n\r\nCount = 118\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 15\r\nKey = 0b6b36339122610178c4bb72eb558abf15e5ed9ea0077a5c\r\nMsg = 52839f2f0853a30df14ec897a1914c685c1ac21470d00654c8c37",
- "663bfb65fa7\r\nMac = 665f05a489f8ad0feea290401b4bf2\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 119\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 15\r\nKey = e200414db0255ca3faa7f6b17a62523f2c75d99f6ae162e0\r\nMsg = e749041b314f8719e17a8cb26162e2c910b31116dd769083149238d67792f991\r\nMac = 713fb4d0c95743ee7da970cac7f771\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 120\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 8\r\nKey = ea77165284ada4599f0bc0a41db787310f53a1588282b866\r\nMsg = f3a1a6dc2092ae7099bda65f8af32aa19796254a13fd9e0e7319d50402598faad6ccae2a028604db0d44690ba3530bfc8bad062cd96635d9654647c57bb81537\r\nMac = 9c7c379b5f8ee87f\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 121\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 8\r\nKey = 18e2baabdcebcd25958eb53d1bd2a95ffb9b51a3c1d92a9f\r\nMsg = 1df7392e915726847822817cb542df6b14df16d7d3d3ea8d615fe9ee651c938a0234bef059d139c350d6b01192cecfe1d821aa0b668e5d4dd8d5ef9a1eb47db5\r\nMac = db521506073b8c9e\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 122\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 8\r\nKey = d39f12a9c6b63c17f116bc003f4def172943350e29d60258\r\nMsg = 75225a26d63e91281fb37ace46354f81de99dedfde8b770ea47f08503aea87d8d7b190dda9e150ecd1a2a182b06676da61667a04864ff4374838ee6899d8961b\r\nMac = 65aa057a01b390ec\r\nResult = P\r\n\r\nCount = 123\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 8\r\nKey = b2212ca369c611b725eccc3daa58df412787a3475f418d82\r\nMsg = 3727bac9706f482f55bda86dc052aa6810e2c1137b97fc93a65838a2724a9531199726517b6fed53b24d062eec7c22227ad9379b24da7658c0cf7ecc0368cfc5\r\nMac = b869a9e06994fb39\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 124\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 8\r\nKey = 25e5fd5c39e684696e71a6f81f843a196dcd030ce2c07afc\r\nMsg = 899b48338d5ec3bb4a681f76ef37b6e25357b50e9578d85204c3753d3b6ebccf908e3de8b02dab01839ddf1a560b1ff33857a17fa4244b96612bbdeaa7d4913c\r\nMac = cfb0650c7566dc49\r\nResult = F (1 - Message changed)\r\n\r\nCount = 125\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 8\r\nKey = 49bc9d3bcf3c22daa8cf55c1b59d4bffddc2412d60518e98\r\nMsg = 980026395d0544975dffaaa2c56db1df5816cd80cde513dc76f6f81d21f15c383c97c7233c9af2423fb28922efed2f69aa47c30de17ae1c5be17acbd0ad6cb8e\r\nMac = a7ed2a35c89130ad\r\nResult = F (1 - Message changed)\r\n\r\nCount = 126\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 8\r\nKey = c53f21f1ce3a1792a2de14277eb97664d4c561b3fd4b0e32\r\nMsg = 66e15206c23751497bc2c8d734aa1136aec08bd4e80fe3408bb3929a84efa749f379c7eb441872929b71872d761e0b448e0126e9fed86eeba611694cd2df4cf5\r\nMac = 1b86a912a0ec9f94\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 127\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 8\r\nKey = 6286e3e53ffb9bb143fcae724b45f86a23bbd74c42518144\r\nMsg = 62766e9acd41285eeed9b4007340dbb611699624274ad1179e327076135d907638c60f0c773c4ea8d9b8352027ee78ea4f22198f083d2f5cb920e55b9738c582\r\nMac = 3c56ff841dca9662\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 128\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 8\r\nKey = 9c5d43c1a1269cde199509a1eff67cc83a1759b71c9e7a6e\r\nMsg = d576565a938782fc7e9b095db6213002bf5bbfdcd761fd6d876adb2c7947702b8930a5f71ec332bfbb4ac9b9d13d90c2d808d5459d0dfe5ddeedbe3e14038fd1\r\nMac = cc7b2038ead10d8e\r\nResult = P\r\n\r\nCount = 129\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 8\r\nKey = 512a23489b8d6b62b63e9188c0ee5016f20448c082eefe82\r\nMsg = 1fdbfff7941ba22dd8e1dd13a05a3bd8f2c8096894266536c40a983929d0a6340af5233bbec1477363294519d3f3d9c6d41b20f18f76adb54495d9d43bec5afd\r\nMac = b81c76829839cd43\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 130\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 8\r\nKey = 20d22c3b6ab38c5995e22b341f359be25616b2b8c7269510\r\nMsg = a1c041d1d4e7cd6a953f2e4837e3e676ed48633a2f15828f5f3551d5ad2a19c838a49caf75529bd5d5f89b3da2c2e9922ad8dc5d20325a7b3fae9dcd305f3731\r\nMac = aac4d4f4172e1f05\r\nResult = P\r\n\r\nCount = 131\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 8\r\nKey = 22e29aa7547e5ed3a64611e04f1d55f7a397c1619669879c\r\nMsg = 773b577b95e29d36fb30779d2ea23e2ffed9e1b46aede42bbe03a904fe22ef8f874298b5f4a6afe63f6ca9522863eb5cdb1c8d4bcd445e43e7302875e6ba3592\r\nMac = 16bf98c7a5deff18\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 132\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 8\r\nKey = b320edb777d317af6c933a6530d9f5cb78d2d3104ac02120\r\nMsg = b31d3f55909bb660628de9eb95b75df776455f2f535f461edcfdf8a0cffdb096d573fedea7400f8374e62e30879a8beb259b3bffb4c3813a235b4c59853400c1\r\nMac = a0d9a7da024326ea\r\nResult = F (1 - Message changed)\r\n\r\nCount = 133\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 8\r\nKey = b9bcd0ae7100f991f4365ba0683b6d461979ffe86d0ecc24\r\nMsg = 19d0077952eba12a01db1d137050bd7e9102a31242eb38a5cfb3cf51b86c86cab57f6deef8e6eb9eb29c5dcdd852ffd627641013660b31abebd40fab60514159\r\nMac = 972119a55b125e0f\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 134\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 8\r\nKey = 00af010f462ad40a38eefb788b648e1cc292cd4bb08ebeff\r\nMsg = 573db0961531873316e87090f79e84f040c8358f8ca78fd9ea1ebeda82c1cff67c2ebbda1da0a1b233c1539cb4c0145da2a4a05431e06dac2c2731d59581a434\r\nMac = 92a67a99c128e173\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 135\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 8\r\nKey = e12f98507d6514c3b551d240595346bc9e9b6a987033b3c5\r\nMsg = 3927bac9706f482f55bda86dc052aa6810e2c1137b97fc93a65838a2724a9531199726517b6fed53b24d062eec7c22227ad9379b24da7658c0cf7ecc0368cfc5\r\nMac = ef48edc762db1d47\r\nResult = F (1 - Message changed)\r\n\r\nCount = 136\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 8\r\nKey = 66fe8076d4e8538e18b84f965255d143f1c7d377e099c1c2\r\nMsg = b3fe18cbe086955384226c11c62c1dd14e7eabda573450d005b46fd9f9eccaff24dbf5d6d8530b5e25fd9f2a629df5c20a977247cab35255d71d992d85b04c14\r\nMac = cb67f0c1819ae458\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 137\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 8\r\nKey = 82233a224ed122d7306bd6717a80fa1986964f9db41bd40b\r\nMsg = 65c46382a278490b9825d4f1907f3b9f196e136906067020b6b94ee398cb2f39ed07055dd0b151d974bb8d56ae3bc8b3b31d9054221514bd45d88a5f948ccfb1\r\nMac = 27e94d22e8961f92\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 138\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 8\r\nKey = d3e3bd80f45140cfc2f857a913a89f0c7dec86790feda4f9\r\nMsg = ff26ab66c6a10ef910f5b94589b24a7b6fae8e4396faa552b014603fcb5eee921bcfb81ffae989922debf24a6947ed6b1556c02e524b247c3966a7bc636a4fe9\r\nMac = d2d326c999095b39\r\nResult = P\r\n\r\nCount = 139\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 8\r\nKey = 466fa94c2158c1cd84b83fb2f15ccfce804f611ad0fbc4fd\r\nMsg = 5ea068d4f363dc7f1badf97b77ec85412a06dc8d8e3f4364265c7956d4088f014c78fad6c94be720ffb4ce4150da4a3f427f288031e0bdd241dd7daf975acabe\r\nMac = d6023f6ffd3c788f\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 140\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 10\r\nKey = 6f5a146524457615d81a605b38a5ff03edbc5c426ec7d551\r\nMsg = 9be3a736e7e72560bea45e9c8ee8bf37c279bf5b2ef16483adcc093208c05ee51a4db04632946ba2b96cdd9d15b33c25cce2eba4ede4f97aac29ebaa4cf6bbd3\r\nMac = af8fd676ee05154b82c3\r\nResult = P\r\n\r\nCount = 141\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 10\r\nKey = c62e6eb86b8daa37936086dd2c346e3b14be5054cdc2f3a4\r\nMsg = 559407bb6930d5adbdf19a7e285ba1dee5caa03ef54e3a3fc1b8c86a02f55921de9bf7d553c22d7ad915c6384329d664e70dffaefe22ed9c4e2c233706aafa04\r\nMac = e297ad7830c79d387ac2\r\nResult = F (1 - Message changed)\r\n\r\nCount = 142\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 10\r\nKey = 225557b0faca3d6cbaedec5c39c98f0ba0723f4070f2278c\r\nMsg = eb1383e84d4bfc5a9dad25374055b81eec74316b18f6e001b0623d470c027b7023456000fc61538b663cb7c0e98d77a7fc3ee2277816bacb4d9487c6741e3134\r\nMac = f07332a3b01d0e8026ce\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 143\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 10\r\nKey = c36acf733d310e3b9842b3006aa637ab092faf4a580043b5\r\nMsg = 1d674eb5d85945a6c7842042adebe549d4fe515501c06c1ba72961ee5bc98d8588afd6fd64893e21220db7ea6a973a420613130dde1d7f6a26677836d65bd0d3\r\nMac = d629ef50a784db860de4\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 144\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 10\r\nKey = 332e30ab63b197e79b86e4da732bad9250c0a5c9976a6c67\r\nMsg = fb41304f9f5b0f696ddb0e2f0f57bb091f8a31b5324d3cdf15c3bdf256d3502d06db2df9bea24c7ae08fcd641f199610427f3ecf24b92a7e00aef55aeba71516\r\nMac = 983e453f602db30e1f85\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 145\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 10\r\nKey = b311796b0519a45c176f3ff458d4d818668093e82fb871f4\r\nMsg = ec1a1e9ee85cf960e5dc4e239619ed85f4b14d32cbd42dfa79f77a27f2cd740d08730de2eaeb91d0eacb8c498336e99b9a0c57c4045ef18749251dbfa733b4f4\r\nMac = cb2be0fd09f10deac5cc\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 146\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 10\r\nKey = 6311e7f0a7bcc11176fb411fe719d4e0782c8935524776f3\r\nMsg = 85f647d940a6d1acb6b7851912f807063515631eaabaa019dcfb993",
- "e86f408266cace4c24940eda0083d8569364dc1afb816c0e5b95f3bafe7745e5ddfccd6b1\r\nMac = 776b9642c47fabd7e9c8\r\nResult = P\r\n\r\nCount = 147\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 10\r\nKey = 6d120cbf74df2efffe98397ee303ead4e91c5e7839b82885\r\nMsg = 27ea9ff8359463a7742cd9c9c269ee678f4ab22091fdaf29b9007a92658687cbd71c4166e68c5a1ef30160191f6d926abb28f1da01da9ae8019a520edd576346\r\nMac = 5a902959d73ac97ea071\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 148\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 10\r\nKey = 8e09d421e09dac1d9d966f02a3a520972c6aed2003d907dc\r\nMsg = cb32cb87ed59ee959c011211ae7cd475c3b5feb21cbafdd0b17796d47dc4d4e61da345b399c2661182485be13dcee33a9eaa8cc4b9742361f4c36f1361381f1a\r\nMac = 1b2bc5956223b8801456\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 149\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 10\r\nKey = 3eeb143d4a3c08ecd9f7df8eba42789b517dfe99e07958ed\r\nMsg = 3292b8548a35fe34136457bcff52b469eafdb1b86b6cc88bed35c4cfba43785c59d6b01c1acb6870ef1e3ccf7dad20b1733f51ab1bc48cdb2fdf7d86eda17a00\r\nMac = 3a85ae8fd368cf9846bc\r\nResult = F (1 - Message changed)\r\n\r\nCount = 150\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 10\r\nKey = 606452c62290b43559a588bb03356f846cecb0ccaf0bdaf6\r\nMsg = 3cfbc77b8897b6a5613f62f6b1c89b0d68f272c6c19b9e0ec6331ef616702006e64322d3460a57d3a5074c719811cb5dd78900268890da0ac177b40d48773548\r\nMac = 325aa552529e66a13904\r\nResult = P\r\n\r\nCount = 151\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 10\r\nKey = eac3a1a6eb8efe983c6b37b6c2709f5a8851ab72cb23a66e\r\nMsg = 2801a813dfc3f1c753f4f342a113c09b8e9a7ac16483c31bfd0b746b1db692f805937eec44c16bfbd132154557afb17ed01c1f4c55fe67f0343a6329441fb955\r\nMac = 5b0b383c4870af31a9a1\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 152\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 10\r\nKey = e2d592cb412e65f9044257d78e7491f9f80c8b08102c2d5d\r\nMsg = 3f63b7ad671761a3f27394776970b413e35a2c43ca85560cdd3c9b407bfadb4f1edd0e6026572ca0d8274bdaa6870749b0a727aa8c5b7e9442100e0c9b057455\r\nMac = 0380cb126c63bb48bdb7\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 153\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 10\r\nKey = b7b86dff6746145aa7d5bba73ed6a46da5b1200bd3520357\r\nMsg = 8e7f7e7e3ac2286bef6822ef47f5f73f2ff512e599df17c3723f7a55d4144a367c774de67e7e52ca3760c37484da7a2531d1d590b5380de11c34c3fe447edc0d\r\nMac = e7aaf6f82894d8825d80\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 154\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 10\r\nKey = 70a26d985e6b99bd3a37575f011f2b84ed84bebf99a52760\r\nMsg = a2cfbcfdcd90e0962f233d7fb70668c8c36cd5e195e2ef5c043268f47187cecffdd36000f96e1f509f00283effa040443b3db15cf73d55c30c65f0fd7cf9c219\r\nMac = 96d09f0a799cb52575d0\r\nResult = F (1 - Message changed)\r\n\r\nCount = 155\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 10\r\nKey = 5d678acdb2e6cc03537411ae2e95da120161ecb6c92d5e23\r\nMsg = 91dee0cd1d17d9342f4d346cee19f5f42e0c3b0498447ec4043c15bb2ae8fb8a7a02d2da489f28932c05fa4ea9c0760e0cf3052a97ed898edffce3247386b98c\r\nMac = 4a40b4f63330413918a7\r\nResult = P\r\n\r\nCount = 156\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 10\r\nKey = 795846f9dbf36415640276642cccf87e3dbdf6519c5b2db8\r\nMsg = 4fc989f327e1a1cc7b8af618ee6ae6d25f78e2b76b681455336945655f13fd5a639bec3a004a88ad0e2df8547a0d315b8ba15f5269038638df6169d960f5ab5b\r\nMac = cc5efa5ef19f6cc63f83\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 157\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 10\r\nKey = 61eab54142fe7e16787fd2d54829cd3c4bbd793e72f9ef9e\r\nMsg = 13f079b004d1fdf02121564f0a96b057f120899ce920169561d5e3aaeb16bb8e4347c7cf8c86f9acdc25ac26fb5d845a68409c0d9df0e089940fb7a88a76e62e\r\nMac = 920de91f34eabfc31648\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 158\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 10\r\nKey = b64d00f3a4df754fa4ee6376922fb67ccce0c6209f677397\r\nMsg = 8003586af34bdd0acae4f5547394245027c2ffcdc9d1335311acc859e9a2a7b817755a601dad14495d32f1ad811a7e751ac07cf18716e1cb193c203e7551aa83\r\nMac = 79e8a0ca036d7b0bd2c0\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 159\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 10\r\nKey = 98f4596970e6515b5357f6c6396aac182d126decaddf567d\r\nMsg = 65737b65927aebcf6cefc7ca107fda8447e8bebf1f08a280d53a4b07f8e35904cc48cc08eda3c63a3475924bde1de6acebaa65fec5ee68ca22d3fe722bf33267\r\nMac = 05c51c2507108a3f8293\r\nResult = F (1 - Message changed)\r\n\r\nCount = 160\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 15\r\nKey = f0409b050346fbd319c8630e4bc9dd6d055355fbb961f018\r\nMsg = 731db98bd990b2ea19f848fda3519b32bc1d2fcb2f4d42e13f655da8e1dc2af428c185fc01a5d55e20b49d643a254e8675d560301d2ea0c5984ecce39c655de9\r\nMac = d37deaceea7ea3b50aeb02636e5095\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 161\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 15\r\nKey = f266cec01c5fc08c0bdabc9537bd1aa2df9f2b8ffbe5cc94\r\nMsg = e19cbaa489a0f65681c983cfee3a4b699339ccb096df06bc871398be9eb926d84426fd32d5d7fa4aa563a88b41afa822f761560d9897a9747cd85b3dc74b4adb\r\nMac = 8690d4f8153e56e3ab80c7e918679a\r\nResult = P\r\n\r\nCount = 162\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 15\r\nKey = 6e12c112720ef346bbbe7d1c19483721b1c52c438dad40e3\r\nMsg = ab8b36f46d1749cde7dd9936df95cdc8e0b359b8963bff4e7bd59599b32408623354a15e29f287a79801866d434a0ee9cdf37f931e53a39509057c7f2b3b413c\r\nMac = be9e70fdd15f96a8b7457cb727caf6\r\nResult = F (1 - Message changed)\r\n\r\nCount = 163\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 15\r\nKey = e9ed05813262fbe769c1104d8ba5c836dbd229a22a681de3\r\nMsg = 606452c62290b43559a588bb03356f846cecb0ccaf0bdaf67a18abd811d4315a966e2f3f87f6c2428814446563fa71864d97c8336b0e34bf9466ec95598398cd\r\nMac = 4b3ac19f4dfa04108283b0e2e3a8e6\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 164\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 15\r\nKey = 0c84328951c66e0f5341b741d2c2796d3524ef732c69e779\r\nMsg = 9071c45a99cb987aa79596a2014f54e6fe400a6bbd5de96e156cae87cf69762f1329d481213d213d42191312fd76911d8df4c6ad9304754909058cf477adfbaf\r\nMac = 1e1003ce7546009a3ba7f59dec236d\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 165\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 15\r\nKey = 3aa8ec246323db7a3953737928061c79757de2e921c27643\r\nMsg = 84e9cc9bb7f4fb62ae7396859fcf33da5ca6c80c311eb392107afeddebebe0d662a887879e4014187d2fe8feefb01e6fa0d35819d7cfbf139e99451423b62ee3\r\nMac = 4259d5f983a287fbd987e3badafb33\r\nResult = P\r\n\r\nCount = 166\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 15\r\nKey = 66c07634c94dedb5d4c6f19e7cdeb954692ccf51fa242abc\r\nMsg = 4bbc9d3bcf3c22daa8cf55c1b59d4bffddc2412d60518e986899d6a3e2a781668b0c6b9b4ee0ddbbcd06bd643eb201fe7829699e4dc86e2a1b4876bf9e40494f\r\nMac = c40f872ea2f1a1b45ab5737c2e4f33\r\nResult = F (1 - Message changed)\r\n\r\nCount = 167\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 15\r\nKey = 3b9d6b0652836457ec4f701f0dc0e5aed73d16585d61cb1b\r\nMsg = df7b23a4e4456e0152b24853fe0d5de4179974b2b9d4a1cdbefcbc01d8d311b5dda059136176ea698ab82acf20dd490be47130b1235cb48f8a6710473cfc923e\r\nMac = 602941735206bbe57ce1c2e3b9509d\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 168\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 15\r\nKey = 7253ef10bbc302f01aecf315f9a4122ba805dc4048c30ac1\r\nMsg = e12f98507d6514c3b551d240595346bc9e9b6a987033b3c50940442dc385634e2a28292856b97d5a78704388b2b6d0ff2ce7a19c64574deac593b98a7ce98bd8\r\nMac = 9e62a5b8851d3a0fcddf06fe116ac2\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 169\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 15\r\nKey = d718af395ba3f5f4c6d15c24475ec7f0f74f3238c81d42d7\r\nMsg = 0c0d3d7ff5d1b707be9648f263b8f013fa439978e959efef57d471cae02dc8e08d9d58d40381169afa039936f1f773c72003c1c5af03018725ab2408236ee4ea\r\nMac = 75749ed44b76d7ac16c98d8b6bc18f\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 170\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 15\r\nKey = ec98ec44f5a86715014783172e667a748f162c5c26a8b34a\r\nMsg = c0947efb86d54644087247f9fd95133a94075faf6250a2cc9f20df5393edbe1a4bdee20e90e877781a370a7f00cf9eee7373fc38acc54aba23b0df3f020356c9\r\nMac = d994553290066d778369b54ae06668\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 171\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 15\r\nKey = 9fab32caed6e1cb27d2115cc641779127d4aa57db0955bd6\r\nMsg = 6e3e25db29da2c787bb37755ee770e2402fb8208da23389d36030439a143f971ecc880dfda90a8231ddebd2881981ca968ed45f3763a32ec8d2fe854fc2e4b4b\r\nMac = 4d3cbf9b68da0c5b49ab3b0913a2b1\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 172\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 15\r\nKey = aae24266e5981b2ed14213a29f961cbbf7f02f63a33c987e\r\nMsg = 8244cb416b3d09521ac2fd28c29084ff3d64761d46617b59e8b221de36702c2d3dc62e61375357b702cf8d4dd0f2bf2a1f91777fec0baf2c23e3e6865bae7358\r\nMac = ab8e9df7128f4857e0a1c24fbce473\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 173\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 15\r\nKey = b9bec4e88775777ff1eb3df671fe8ac03a693a1c26ea254f\r\nMsg = 8eaed4810702df8caa",
- "12fe7e26e7ebbca11aa2de9f3169a8262c0e3c205a708f0071401aa8de09d28a5a6e590ebeb476341880c37bfee1a501229081eb27772d\r\nMac = 273b0d874010eac97ceda34232f7ee\r\nResult = P\r\n\r\nCount = 174\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 15\r\nKey = 15120ac9468fa30c92ad87e7aba41ef552814e4ecbcb9350\r\nMsg = e3de6c6119d7db471136285d10b47a450221b16978569190ef6a22b055295603c9c1ed5da3bf96bdb43a5722cf4e2ea087cdf9b23b3093d250d44047be634b3f\r\nMac = 9a166994de85e5d60b154d49a867f4\r\nResult = F (1 - Message changed)\r\n\r\nCount = 175\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 15\r\nKey = f9b9633f12967f1841161a3752de1491b2b2f519d8447636\r\nMsg = fa14d3656f7f7610f3a629bce14648a593250c6f309c02c6c552bb42984ac58db920dbc7d98f59295f37f3e9b99da55ef074ed65801b390366669b4c7aa1c483\r\nMac = 2c9f3650866b97ecc5ed66929f41dd\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 176\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 15\r\nKey = e87275bc62ad067b121b83f220d4ee2b4245541283dfadcd\r\nMsg = 6475757f30dd0a96ad64bde5c2605a9d2ca82a7223a9ba4c39b6dd3f86a0f4bd02876d0a32ef8af1071664b603862f4b9de6bfc6e7154b136e7a72e661957bf4\r\nMac = d0bd2d3d35a22f37bf113090cebecd\r\nResult = F (1 - Message changed)\r\n\r\nCount = 177\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 15\r\nKey = 8b63d3c794e5ba0e09e5d5a5c56670bc0e289b30171ccfa4\r\nMsg = 44da1657e4be60d887a097e29d03bdbf5920bb0504e654bd963f58c487951a72e395237a9d32281125ed3a533c543de208c99bd063853abf79ddab4692c3a497\r\nMac = 29d04b97ac302fefa80f71ea378e7e\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 178\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 15\r\nKey = 17039577fa27ef5ac3bf97572d9de5f8eac0aa58ff29b990\r\nMsg = b0329a0978e5a2d1bc85bdca333e7d0d1e9950217ee9547a84e76d3f49999451bf787288e8d12d40456c8214926c14e9b076032fe315c1633d5d21d85acfb1b8\r\nMac = 51b4bc8b479dbd60e5de94ba8b9d0f\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 179\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 15\r\nKey = cf6b5edc515882f8a7954a5d8517b1a85e9559858527d0db\r\nMsg = fde631afc6c042d77b579dab9298862d943be673cea59eab4a0c1b5cfddc2aef42590e6d8786d18a4646d7e338c2b984c50a50adbeff0fd64e7096f02e8385ee\r\nMac = 5ee3547a06661661c46c3778b0823d\r\nResult = P\r\n\r\nCount = 180\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 8\r\nKey = 7b6f4f158422f33543ca90dd0a76cbb23c0dbef26ee140aa\r\nMsg = 6704dc39a259152d2dc3f08b8799ffecf4e1bc38\r\nMac = 5c12ff63244c64bd\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 181\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 8\r\nKey = 7a381f75058b85680061eeaa0242d3a16a64a5ca50cb61fe\r\nMsg = 18b31ed5ba1c3ac562ff3ef274424b86c0815c26\r\nMac = eb8f3d508c9edb8b\r\nResult = P\r\n\r\nCount = 182\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 8\r\nKey = 3662d7b7c93211535c862ef3dc2724c492cc1e53a58f23a3\r\nMsg = 8ac860504258c134c6835d4cfaabdb316c36d99e\r\nMac = bc1b870eab5bea9d\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 183\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 8\r\nKey = 9eac76976750b7937b3bbc6986b4c726f0d0a63310db85d7\r\nMsg = 5de2265292780222349ac793eaa17c5a22902344\r\nMac = a69594e569230df0\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 184\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 8\r\nKey = ed1531500f319e09227d6bd181786b3b446f081abff2e697\r\nMsg = 7a734243e53cee654be988f5c735b19bb11f3389\r\nMac = 9f2cc2a8c3d0a34f\r\nResult = F (1 - Message changed)\r\n\r\nCount = 185\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 8\r\nKey = 85d0d04cd3fd2fb34dc18fd55e645f7492d5280657577008\r\nMsg = df899dd6b99cc28d66604ca92431fa7f442a4927\r\nMac = 18fc40b25fb9c138\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 186\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 8\r\nKey = 90b0c8b542c91c1b2dfdebb589a7eced6c9b7b43a7729840\r\nMsg = 38d1a87296529595acce251cb232db8ede65581b\r\nMac = 077570fd0efa770b\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 187\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 8\r\nKey = eceacd807db82378e9bd7c79054878f09dcb5087c2e1c349\r\nMsg = 09bf4f77a9883733590a3cc7ee97f3c9b70f4db2\r\nMac = 58af901fe0fb5d29\r\nResult = P\r\n\r\nCount = 188\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 8\r\nKey = 16227835305b7586a3106d93da8bd70aa0025df69a0e85dc\r\nMsg = 1a223362dccc99472b2cd1d712ec6dadd60ef972\r\nMac = c26f3980d17f6c36\r\nResult = F (1 - Message changed)\r\n\r\nCount = 189\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 8\r\nKey = d18cf5dbf5b2094dd6ad85d975449e2dda35b184633235ca\r\nMsg = 7f557e74f53c344daf7495526d1270dfa8fd24ad\r\nMac = 5b7cf33ec05b1576\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 190\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 8\r\nKey = f1681287bc931a0d8f296e13b3584d6efcb6ca76aa90cc02\r\nMsg = 08c62ff9bd7bcf189f530d5065f8764532d2692f\r\nMac = d646e2ec15afb14d\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 191\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 8\r\nKey = 116f4855121d6aa53e8b8b43a2e23d468c8568c744f49de5\r\nMsg = ab91d1aa072947d22f0dc322355a022fe7f0747f\r\nMac = 489068c07931ee9d\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 192\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 8\r\nKey = 0a23972e036d62199ec327b25a3cf4e14c29279c6449d3b8\r\nMsg = 2df3e80fb6ddc1fcc7615330b24fbaa4981441c8\r\nMac = 7842f16a0cc7bd6d\r\nResult = F (1 - Message changed)\r\n\r\nCount = 193\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 8\r\nKey = becfa1c96686b04153fae144c187f034dac3ee6ed70d867c\r\nMsg = a3a114679ce30c8472149da9bf3a42b1ffb07e66\r\nMac = 74fe19b5183ed3a1\r\nResult = P\r\n\r\nCount = 194\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 8\r\nKey = 866b43c8fe3769ec0aeefd4dd02210488a354d67e82a81d7\r\nMsg = d9bd6ac153cb0bc4e19e59c45cfe0d6f4c9d20a3\r\nMac = a3a2ef83eba2a6f3\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 195\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 8\r\nKey = 7e00aa080c127cbabfdfa5d9d9728c7b25358aecd26f5850\r\nMsg = ce1a38cd75b9e955483ab53fe59649d087ecd1d6\r\nMac = 8375c666d09bf259\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 196\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 8\r\nKey = 4bbf4c9cb6758329b2d5a53c4fbfe2d3df4fb50e57b3699b\r\nMsg = 6429ea2cc8fdaf58100347d21da64375b3ab2058\r\nMac = 77e417a60bca9a9d\r\nResult = P\r\n\r\nCount = 197\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 8\r\nKey = 274b394da9402d3eafdf733994ec58ab22d71829a9839957\r\nMsg = 2b3d7949805afd73234cd327a62951b32c51df2f\r\nMac = 8f9ce09fee15516d\r\nResult = F (1 - Message changed)\r\n\r\nCount = 198\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 8\r\nKey = d4140d988448d557454c3434fd77f8597e6420566845e316\r\nMsg = b53017500c100dea0511845597214484fc5f7f34\r\nMac = b9e85ce9178b81c7\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 199\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 8\r\nKey = 43d0d326c511e3bcf4f52660fc3c706a6a95c0ab550615f6\r\nMsg = 7c880698ef372304a663f0f02944500393585d42\r\nMac = 843f71e93b22f1e4\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 200\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 10\r\nKey = 273cc5013785baeb5abc79c8bde73af71085d7018e7be92a\r\nMsg = 086e6e3a21787acf7293446516b5f54da95a2988\r\nMac = 658a112d7a9e7a08c024\r\nResult = F (1 - Message changed)\r\n\r\nCount = 201\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 10\r\nKey = 492bf7946bce1d3c6f168f4475e5bb3a67d5df2fa01e64bc\r\nMsg = f7b577f1396b23c27eb637e53d3d92460270b001\r\nMac = f2dffabed6871cca2e41\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 202\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 10\r\nKey = 8e7d8a44244daa7df2b340993e32dac50e05d7b2e103be98\r\nMsg = 2c3c3582e026a3f29ffd21a92a8e1ee70f3a4147\r\nMac = 1bb40d091dde1903ac0a\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 203\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 10\r\nKey = d2069266b0f180cb319e30ded7535bbe52d24be151de4bb5\r\nMsg = 392d567f0b8045359dedd1591517ded0171fdcda\r\nMac = c1ca2813ad38fd7f0f58\r\nResult = P\r\n\r\nCount = 204\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 10\r\nKey = f35c46bca9236830ff4bb057cd5764f02720ccb03b253937\r\nMsg = d4586dbdd5655cf659891f5b6015da524548dbbe\r\nMac = 4b6dcc78f6e0e9b7e35a\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 205\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 10\r\nKey = 509f1e38591e03a30a7409bc7e18595848253308c15edf40\r\nMsg = fd2109cac9f42fbb093a8675e5cd962c4c31df2f\r\nMac = 35387ef3967eed5b579b\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 206\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 10\r\nKey = 0e9cf0ec43ca3fb7fb9a2b1999ae635d5041bf42f1b0bea1\r\nMsg = 65960c7fd43891ebdc7bf862b28d4822a8488270\r\nMac = 93c33247ca546a8c3fba\r\nResult = P\r\n\r\nCount = 207\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 10\r\nKey = 51597a4c68cd228371e86c179fe04492642ad9b888405067\r\nMsg = cd8799124d94064f47d7eec59aff543b81ac66f4\r\nMac = 0eed36a27b40560b89db\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 208\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 10\r\nKey = f9f049328f5db22c41a501088e5759ef4d04db0c4b4f6d3f\r\nMsg = 7bdc26b5b4df58af539d91eb2ea10263a3e58b07\r\nMac = 68c45551f1367c989a9d\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 209\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 10\r\nKey = 5343dacb05a29b3119d6f19bdfbcd6674950e710fc70180a\r\nMsg = 057c2d386fb1693b845bef585e76e0fc",
- "4971ffb3\r\nMac = 372a801d1cd33d1059ba\r\nResult = F (1 - Message changed)\r\n\r\nCount = 210\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 10\r\nKey = 5987fcfe8a1ee76afaef54cb22d8b2a20b116f72bfc7117f\r\nMsg = 8abbdf380c668c6ff34a4f128567bfaf256570db\r\nMac = 5a8089b3d9f6c72fc858\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 211\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 10\r\nKey = 301e0712ce74a1ad02079aeb0ce35edacc33f9a5d907cf70\r\nMsg = b2d894833daef4070b764361685fc94a780a7292\r\nMac = 57a225eca09fb227f79e\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 212\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 10\r\nKey = 144840494d15b2b31ad63ee05bf579a5e9fb98f534a6309c\r\nMsg = 71bf573cf63b0022d8143780fc2d9c7dbd0505ac\r\nMac = d1b2baf05cdd5fecd1cb\r\nResult = P\r\n\r\nCount = 213\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 10\r\nKey = b4bc602dc860108aaff5b3befb948a561ac495a22af9085b\r\nMsg = 3fa85ca50cc4c4817e951b5a95ac006973324c2f\r\nMac = daa1246b82d2e14e3056\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 214\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 10\r\nKey = ff48804c82414ff67f9b917a4d5d062d439454aad8eb4b0f\r\nMsg = 6def37d9b73fed0390f260491f582d2215369811\r\nMac = d7712f7d5f0da5dec6b6\r\nResult = F (1 - Message changed)\r\n\r\nCount = 215\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 10\r\nKey = 0273e421ee670be6322675f26f9014c040a76f0c869698f0\r\nMsg = d9de46934cb56e58899a31fd14ca64509131dc27\r\nMac = b3e79909c16c561eb7ca\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 216\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 10\r\nKey = 27eb9812d3f7816fb6a1cfe474496e80750b1ed3959ec7f5\r\nMsg = 776ba7990086731ef7504947be74b3c455bfde5f\r\nMac = fc0f2dcf4e6fa041830d\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 217\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 10\r\nKey = c56f710e39deed799ffde6d10e8aebfa2bab5e5e073d78e2\r\nMsg = f6fe0f16403182d012f8b6e02539c386075b4585\r\nMac = 6bcc4c1b06099220e9c0\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 218\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 10\r\nKey = 0236ce1fd3ef645a64b4ee7048dd35942e6a09e8099884a8\r\nMsg = dbf06366f766e2811ecd5d4384d6d08336adc37e\r\nMac = 1de717c402baf964e817\r\nResult = P\r\n\r\nCount = 219\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 10\r\nKey = 5cf781067bc1ef948e929b7287279c71cae5143631ca57d6\r\nMsg = a7f3fb7ed1342862247fb4b1993788837cc87041\r\nMac = ee867d4c0f910e9d9288\r\nResult = F (1 - Message changed)\r\n\r\nCount = 220\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 15\r\nKey = 3e19b6f3f3fa3c2551466c9e09f0391350682495426fbb08\r\nMsg = c7496322ede893ae368884a91f80c3bac3505c0d\r\nMac = 55b25da032db8f3b4293a4865df77e\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 221\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 15\r\nKey = 5717ed57ca0b6921f04dcacad34e0f6210c36673dc9f4d92\r\nMsg = 5e3ed45f07a6b3c225ba73d04d867f9c5b4aa703\r\nMac = 1b642dcc4fa08cbd36d109d55a8501\r\nResult = P\r\n\r\nCount = 222\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 15\r\nKey = 8eca0fb8033e63e24a54a3e63bcf8e4ec331b04ddedfeeff\r\nMsg = e3807f6d8c6471ffe188df67d952a7d67021bf41\r\nMac = 9a37eda1e3331bf86d208b2c0338c9\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 223\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 15\r\nKey = 633f44dad6995a6af0302692142a47430491ae7b54f8b00c\r\nMsg = 3caa9b8b24097d29bd24b913692acf96cc78b998\r\nMac = a6665b3b158f37f587dfa0bde7f300\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 224\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 15\r\nKey = 14ef8096666ddf28e0ac5f3458b52f3e0c601deae57fffc9\r\nMsg = 11d5cef384474f33c2d313e6e1050d8c7ae5b019\r\nMac = 2643bb3e1c01f406d90104c4437189\r\nResult = F (1 - Message changed)\r\n\r\nCount = 225\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 15\r\nKey = 0c2e1951eeba1a9b6592202b1b8547f43fd755fbd844a874\r\nMsg = 9ad62bff38e28f75302b6527c1c107543f798817\r\nMac = f42ff7aa728c2d815ac7c701b59627\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 226\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 15\r\nKey = 1ee2df7aa80e3a131e2aad9c17bcbf546d8b25e5a849db31\r\nMsg = c4e8594cd09be010b6934157e0557686310e8dbe\r\nMac = 34496d184bbdc0c9a57916ff64dc3c\r\nResult = F (1 - Message changed)\r\n\r\nCount = 227\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 15\r\nKey = 75650ce366757618af20205b69af7e5d4e82c398c00101e2\r\nMsg = 42a71eb81ad1c97ac53b88831b2d15f3c57e7cf8\r\nMac = 4c03394a98bb43e6197074abe63070\r\nResult = P\r\n\r\nCount = 228\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 15\r\nKey = 386c659bc45d0a88acd54ef7eeaa3e140e1cafb1b01474a0\r\nMsg = f4fc5acff75d404849675b813cf7adcaeb8f3d56\r\nMac = 5cfb2fc8869304428fc012a14b616e\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 229\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 15\r\nKey = ac192759625f4e42d1d1fa73dc0f62199142155615478f88\r\nMsg = d33f716df06e9047f8d718ab1faa06ec7b773bb7\r\nMac = bbf5b7207faa5b004216fa5caf3f93\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 230\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 15\r\nKey = efb497fb9b85d472e7c9d061aff501f7b1e3a311a86cfc69\r\nMsg = 1fd425560816aa21d6572150d1161cfb3bd61e6b\r\nMac = 2b7e14864d29437647cc1b27a8a0ad\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 231\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 15\r\nKey = 344fbbeaf82ede8a401df7cc121ed3da43be9bcadeeb5614\r\nMsg = 93febc9e16003cc8d6490ba5a6e64dd673a0f887\r\nMac = d34ef878392bc226f7ce1519f3bc23\r\nResult = F (1 - Message changed)\r\n\r\nCount = 232\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 15\r\nKey = 4b6c6b6be3c04985bff49719c4e11be97d7757801dafadc3\r\nMsg = 754336f8cf27f4bcc7af5207ff02a662232d9a62\r\nMac = 5389c533cf43ca0332574802c2ace3\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 233\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 15\r\nKey = fe5ddb0645387cc6535e5b7991e6428c4157a76bb41084fe\r\nMsg = 216d9eb896edc693520f99ac91f34cb54e76d719\r\nMac = b43388ba7859f803655d914b60ce90\r\nResult = P\r\n\r\nCount = 234\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 15\r\nKey = ed14373671cd8041e00874b5d098ea225eaf9c68bb51cecb\r\nMsg = 0569c6be9ddcfbb82618fdcfcab3dd60c20c49f5\r\nMac = c2c11297111a92a484868179c5931d\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 235\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 15\r\nKey = f2faab6735779e9ac49716e7fcd3faac939366a7249f4f0a\r\nMsg = e7292269b07683acf5bea0b300782749074e2313\r\nMac = e10f324c19d79ed83256f15e302699\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 236\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 15\r\nKey = 2bddd90daa1251a42a0e2fd2858568887f85e6d96d57daff\r\nMsg = 0f8b828c0e59effbdecc30abb6cae0d9af9c7636\r\nMac = 1aab0530749ac4c6432157730ee3ee\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 237\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 15\r\nKey = 586233e492b76ade095e8f5ffc6df4bf6caad2a675953b2b\r\nMsg = 92af89c950d6221473a358dd0f280277bde7ab0c\r\nMac = 2a79121e68ea6b841e175ab5066388\r\nResult = F (1 - Message changed)\r\n\r\nCount = 238\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 15\r\nKey = 5aea45c0995e950f333e29f4db82ea4c4c080ff82fe32bd6\r\nMsg = d9ff1c84bdb03114ebd5f471247a579311f4672b\r\nMac = dc58e7582cb555ea784036a8ba4b8b\r\nResult = P\r\n\r\nCount = 239\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 15\r\nKey = 900c8283c7d50d6da79cc07d3dc7b76c2ef76100fa3ae2df\r\nMsg = 3f8c6d21ec05bc439bf82774f1812bd2dfe0d3c4\r\nMac = ec1fa18916f991d7276428b9c93c70\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 240\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 8\r\nKey = abbb803150cd7fdb9f3d571bc749debe72c825e45568aa5e\r\nMsg = bb5fd7f4fb020d38c13df3003a9bb852a86948f406c51624eaf81989b006\r\nMac = 799d598f32ebd9cc\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 241\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 8\r\nKey = 2fa619eed51bccdd2ce63580ebf85467ac9136f79256bf1b\r\nMsg = f92d1a6731f3bdd811fde1ed936de907ebbc4179670857859aafe788b91c\r\nMac = 6477feb7dd4c818a\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 242\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 8\r\nKey = d0115f369d0f74073a46e3b9625660847dd7ac7571e40814\r\nMsg = 97da5d1f669dc60b6c6fe4369e01f3fbb9af30b483b23d885497c684d6ef\r\nMac = 3d7f0acc627b785b\r\nResult = P\r\n\r\nCount = 243\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 8\r\nKey = 045c4b86eed865cd989f035afe8c257c400c11b1f72548c6\r\nMsg = 5a6233e492b76ade095e8f5ffc6df4bf6caad2a675953b2bdfa8513df1dd\r\nMac = b5a44479b0be31ce\r\nResult = F (1 - Message changed)\r\n\r\nCount = 244\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 8\r\nKey = 4a83bf338fc0125ee1966df46d46a0d0b41e51569b3fa957\r\nMsg = 794a86f5b20d344ad86fd5523d08f1864737be57731440c29aa6b4257457\r\nMac = b45939cc01918eab\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 245\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 8\r\nKey = d9ccd93317441e9d6ccc358f31e7e2ccef8c921b23d74299\r\nMsg = 48754401bb69bed2cce8689e47210435878c7ce184d911f60d26b4aa5174\r\nMac = e0d1b6a530944550\r\nResult = P\r\n\r\nCount = 246\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 8\r\nKey = 1e50fae752ac3a6e2b1755475e84441947e9f4b1d29546f4\r\nMsg = 34245df514f6c273d252271a980929e50a7cb0e77b05c7d46092abc30493\r\nMac = a0fd99f1405b027e\r\nResult = F (1 - Message changed)\r\n\r\nCount ",
- "= 247\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 8\r\nKey = 4f98838899bb47fd3b0fd5efcf55403996567a0fbe1abdda\r\nMsg = 0c8cc752ae8d487c621be129326513a5ccb4141e324d21aab399148c1a83\r\nMac = 1aef1b7bc7856c6e\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 248\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 8\r\nKey = c98a22a667aafab0c94047e03837d51b11490693d5c57ea2\r\nMsg = e4fb1612e50607457dee8087ec41e57fcd7fc550497eaf1c8b0d47c773d8\r\nMac = 2c467fe37fee5342\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 249\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 8\r\nKey = bc6d4c46476ac1ea902be391b8a3f04e102aecead167f0e4\r\nMsg = 93b3314baf20e28a39e89592012c35adfaa3ee6d3d8e494051ee9944aaf4\r\nMac = 7f10757d2d36a55d\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 250\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 8\r\nKey = 5783548205826853ae740d35d6d69ab524c38fdfc5c51eb1\r\nMsg = 11c90809f9c53d2f77b56af0a42287ac6920e3d2921cceb824d496caf1a7\r\nMac = 07630c2fc52a24b2\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 251\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 8\r\nKey = 9cac76976750b7937b3bbc6986b4c726f0d0a63310db85d7\r\nMsg = 5de2265292780222349ac793eaa17c5a22902344063f497aabb9dc038ce2\r\nMac = fd092bab159861c0\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 252\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 8\r\nKey = 616de0b0f868eec923bf9edebbbaa51d3faaa3f86b2a5687\r\nMsg = 38013d62558647bc21d293830aa3ba80ff3fb84a8e0938754c5213077771\r\nMac = b4e782780989dc11\r\nResult = F (1 - Message changed)\r\n\r\nCount = 253\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 8\r\nKey = 5df77b26f3d34eba49d287addf0a38d20514e2b7e6059935\r\nMsg = 1930a8b428334df9fa1ac16890f3a6a93fcf9d6855d00b06ff831d8f6a70\r\nMac = a8ad975046cd7571\r\nResult = P\r\n\r\nCount = 254\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 8\r\nKey = c56f710e39deed799ffde6d10e8aebfa2bab5e5e073d78e2\r\nMsg = f6fe0f16403182d012f8b6e02539c386075b4585be5b18d6ae1c5f9ebdff\r\nMac = d0df47dda012655d\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 255\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 8\r\nKey = fef8982f7342f1b953658453cd5ea413700eff00f1ee7d6f\r\nMsg = 269b6c1c95bc079398bb31e285a887c1832202d6ec257a2cf62468e29358\r\nMac = d2c90040bf66b2a6\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 256\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 8\r\nKey = a34dfa24847c365291ce1b54bcf8d9a75d861e5133cc3a74\r\nMsg = 105d2b82676bf67ca9575ffd31d7d114e709826fccb6a5c3d3d7e26ff258\r\nMac = 5e60278f98b3135c\r\nResult = F (1 - Message changed)\r\n\r\nCount = 257\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 8\r\nKey = 520fe80cc4a3a5ad9c31f7010504923b7a7fd88292a64f98\r\nMsg = 2e1e0712ce74a1ad02079aeb0ce35edacc33f9a5d907cf70d0548d84ec3c\r\nMac = daf839ef84f1c81d\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 258\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 8\r\nKey = da4775b8f7d654bc4cf2eb75ecf4831411bbc9a960ea2df0\r\nMsg = bfaccce3a9e66f45e454090ffedc348306dc2807951ce0bf100178612703\r\nMac = 3e2eb7f029e687be\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 259\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 8\r\nKey = 15e3b3c5794fececd703ac58ccb22a78e15bbd55c579416b\r\nMsg = c6c3457ffcb6e66c085ecb69492deaa704e25aeeabb7b7795fdcc807b325\r\nMac = afd75cdc02222e65\r\nResult = P\r\n\r\nCount = 260\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 10\r\nKey = e0f2cdfb64bda8f02ab90620fc5a1943c4b536a99f3f8820\r\nMsg = fd0365ff6061e5f55c0e382f5861aad99c135f9511f33ace4bdcfe48c6e4\r\nMac = a1046d4b29fc50ed94a4\r\nResult = F (1 - Message changed)\r\n\r\nCount = 261\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 10\r\nKey = c7aafe7d3b419fa4ea06143897054846ac4b25e4744b62ba\r\nMsg = f1baf3be69f69611fcd47256e43830a1b3fd8bd3952eb26ed679eda7a4e0\r\nMac = dbc419e1ddd5cfdc63a7\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 262\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 10\r\nKey = 58c219f2bc8ef2ed7a82cf70e4af4747e36a30809a5a6222\r\nMsg = 622642aa69b3efe14abe0a1d2ba20f3f76efddf62e6cafe2845c4dfaa501\r\nMac = 4e496c3d2d84d11923c2\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 263\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 10\r\nKey = abccee975feb10f635d548a8502f7c8b6adbd2be74117257\r\nMsg = 4f37a460d180a12789779fc335326c983ad6b18295b47f1715b82b2dc704\r\nMac = 41b234e0173770c469b9\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 264\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 10\r\nKey = 0218eb619dbbde2e846218339aee4383792856496eb3b85c\r\nMsg = 28d3510a37d5f8481e7f22941c1fb1d6c70686fbad9747a23c9d5f18dfe2\r\nMac = 3cede44c942387d91767\r\nResult = P\r\n\r\nCount = 265\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 10\r\nKey = 88b2514f368d51db283039efcde1891652a77daf68feec43\r\nMsg = 067a3a0434e92cac02710221fbb6dfcb7ef0264e2994905491317c8c3697\r\nMac = 128e652ce0a8f1a6194d\r\nResult = F (1 - Message changed)\r\n\r\nCount = 266\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 10\r\nKey = f2a78c449621278e9e927fcd50742d042d98d5142380fd3d\r\nMsg = df899dd6b99cc28d66604ca92431fa7f442a4927d03b392e707b548b8ebf\r\nMac = 2eca3c42b5e5d0f3b9e4\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 267\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 10\r\nKey = 01fbfbde7dfdd6f0a0c5244cf6c36eece4d6dedd8baa463b\r\nMsg = 485ef613bdab5473763bb269a0d8c7a4bf4850bba072a96f8fc39a31cbd0\r\nMac = 333eb331d6a0d46fa279\r\nResult = P\r\n\r\nCount = 268\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 10\r\nKey = 6ce99c231d2ef0fd48c2375dca93f8bb0df97d4a44e835cf\r\nMsg = 32d71e59634126ac6c6156a80a0dfa0175b29e9f40a3169680b1c15830fc\r\nMac = 3e90350e115c425ba466\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 269\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 10\r\nKey = f7a93aab5707ca3d2362c5669198e0218493acc3cb7b02d3\r\nMsg = aeec40ca8964fd6a67d3dc871ebf1bfb72f52907f1d6ad441bf2cadcc6d8\r\nMac = 7381d65aa138c86713b5\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 270\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 10\r\nKey = 84f39f5207afcfd677a7544579f2b888a1eabdee4e835924\r\nMsg = b8d21e9c70bf63f04be311d50f84aad7e1bd2b0e517434ab978d68d01c5d\r\nMac = 4ab61c537f8b15f824cd\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 271\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 10\r\nKey = d488bdda400932de56a9f105f0e74ee79c2ed869faaadc31\r\nMsg = e64949ed85de6359595f286e29014c26daa7759aee56e4194ee958774606\r\nMac = 2752bc490802b9dd8686\r\nResult = F (1 - Message changed)\r\n\r\nCount = 272\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 10\r\nKey = 76ddfb075fce4be8854185c6899a88d06e24854506b31237\r\nMsg = 9d86ae7d70e839078babf7fd60480a4351690867c6a8af837d9ad465220c\r\nMac = 2522efecaa1ba11c0260\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 273\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 10\r\nKey = 618041501dfcfdd2b60d71c04d635f6357ad8b0643af77aa\r\nMsg = e5e6b57e74ce7afbde3697e2a69d61ca615aa3dfd32fe31f5521e6ca7987\r\nMac = d958753757a11eacc848\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 274\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 10\r\nKey = dff6b9493de80447ee18ea7311fc9b8d74f77ac1ab21ce84\r\nMsg = d70aef3532bdc5293a3ebb11589ac1f801c9f93ea0d656e1d04068facf9f\r\nMac = 9a761e0e54767e414cf2\r\nResult = P\r\n\r\nCount = 275\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 10\r\nKey = d7780ba2dc5cc584472b64bc9f6246bedb27c70aca22c0a3\r\nMsg = 14691c1b47ff1547c1d2151913c2d1862d8f54782291ea202caa3d8ef07a\r\nMac = 78a2bf3a5fc87a14e090\r\nResult = P\r\n\r\nCount = 276\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 10\r\nKey = 3bc5dba883e2e3b81df06760cc32f11009cf5a5503cbe864\r\nMsg = 9d043e368b41acb5eebb99197e15adbc3d19175a0bfcc97275e3e5efcfa5\r\nMac = f457293acf683c873add\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 277\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 10\r\nKey = 7b3fba25c5ef410ecec62276b105ecc01c325dc2530e8364\r\nMsg = fda4bede287c57eea4448af5e99d41c7d307d1f202af7f387f874342a29c\r\nMac = 0cfb78ede5f4c185c33b\r\nResult = F (1 - Message changed)\r\n\r\nCount = 278\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 10\r\nKey = 38efdbbc5645f65414b9cb81d2f9e4f190cf6e6e05eaedbe\r\nMsg = 50422c5e6a0fb8231b3bb6e2f89607019be6ad92a4dae8e0fe3f9e486476\r\nMac = 0c1acd8e8527e2663486\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 279\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 10\r\nKey = 94ea5b0aa6c8b07e379122006042c920077bd61610df6b4b\r\nMsg = 1d52f401f01058356d8c4c630f64c5322caa6063d6365ebf0040ec4ee12e\r\nMac = 2dec0d3bca617209b07a\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 280\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 15\r\nKey = 5584994f80640233ac8eb4d2f873e8c997499095250b48b3\r\nMsg = 91febca4f1ae7e27501400c44ce8681ec90f5a5637c962db142c9284b1d1\r\nMac = f0b3135c1748e823aed10c4694fc60\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 281\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 15\r\nKey = 57e99653fdcab10135a2ee3bf45c1be69e9ed57bd74dfbad\r\nMsg = 51c88fd98a7d82043a1500fc3d8a66ba7ab7760467c7fd89cfeeb22dd257\r\nMac = c588ee1d4f330e51872065c02cae61\r\nResult = F (1 - Message changed)\r\n\r\nCount = 282\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 15\r\nKey = f622d736124641bb7d53706bf2a69db2fc31461fb92818be\r\nMsg = f09569906",
- "381138cc49e3fc2384c5d33c34abd3d617c487b52ec6ee7b510\r\nMac = 610e1c1f9ab35059580061b8662a81\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 283\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 15\r\nKey = 9662baae49c26e5452f3304ceed3b78326d2020a99a63f69\r\nMsg = 1d93aca4e2e31f5ebb84fad580fe74f5b6d1d86ab30cd0c8031be4090be1\r\nMac = 3c5a4eb51ec58ef3468bb00e7cae8c\r\nResult = P\r\n\r\nCount = 284\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 15\r\nKey = f2100615431349aba5c4f5a7f358fe7be579f4cb9e8f33d2\r\nMsg = aaf26bff7ad4116969c15d9206de6c737b7dda87619e3575d9b6b2efd8b0\r\nMac = 7396deeb4316fc6d84d3af119656f3\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 285\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 15\r\nKey = a5993acbea8c55d7eb55d60596f83e1d9f2cf636d06240da\r\nMsg = 0bc1fede6a6ed9e1deda82612fbaa6e60f0b2461fd5d131e6a7206f41a07\r\nMac = 2f6b0a9f2a972d299bfa5892f8ea83\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 286\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 15\r\nKey = 775846f9dbf36415640276642cccf87e3dbdf6519c5b2db8\r\nMsg = 4fc989f327e1a1cc7b8af618ee6ae6d25f78e2b76b681455336945655f13\r\nMac = 8b3cf3171912096763a2ebe5ea9e41\r\nResult = P\r\n\r\nCount = 287\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 15\r\nKey = b214b16bbac27ccc9773d3c8dd31275da4876c039740ca8d\r\nMsg = 7786a3e30acffd6dde375bd859dd6be2c9221b979d0c66d1d5ed6e00b73f\r\nMac = 1a73acbf4e9250610b74c727b9c42c\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 288\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 15\r\nKey = 032b4cfce8a1acd89de5f6f78794e2813bbcdb89959dafec\r\nMsg = 3f0bf0141dd3ace0fabeace61811eac5ec801deb7ffe3b0514d43db90bf0\r\nMac = c24066cbc00cb5c28e48141b627411\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 289\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 15\r\nKey = a053255875ed4b5193bd9c5fa4172a1f660ecfd2a394c2a5\r\nMsg = 14666eb960c6b4f8b6ccc49f79a039b12c02e0972c300f1e9d0a38c0a474\r\nMac = abce3abc224772a43c058016bf25bc\r\nResult = F (1 - Message changed)\r\n\r\nCount = 290\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 15\r\nKey = 0ee87b40abaa99f598fba22c3e677a85ca3ec95c3a51aca8\r\nMsg = 1bff19aacb9c7d0a44a15ce686a2469e3934d086365d36f449484498353d\r\nMac = 4d565c2e12901845e77ed8b02746ca\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 291\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 15\r\nKey = 3384f8563cfd0fc8019bacc9b691c9ba4ae6dc8cf4c00629\r\nMsg = d31e959cf7842db351db407266ddae0b36e37f34270576724083e9989764\r\nMac = 96d0dbf51d96b532321da593383964\r\nResult = P\r\n\r\nCount = 292\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 15\r\nKey = 375904fb9fcafb7f19877b145b0284cef61ac7a3d88f537c\r\nMsg = 441bd4db5e80c7db1b575a19b7bad021a719658a2c818566291d3cdd32fd\r\nMac = 3b8dac029f6658e44e5f5bb8f8ee40\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 293\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 15\r\nKey = 3c1ca347a7d3d8db8f704410c493d7a65718cb7bffec2dff\r\nMsg = 555fd02fad4f44484133f9472c050f9da27390fa2a3e48cb0be0d7020171\r\nMac = 32be39d874c15a0fffc7111f76bbc4\r\nResult = F (1 - Message changed)\r\n\r\nCount = 294\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 15\r\nKey = 8bed296a3ac03fbfb71422b9211799150b9d766a8116bebd\r\nMsg = 6df3de543cdb6d1adb6ca7df6b5a4510fc8379a4f2c87497ad1c2b9a69da\r\nMac = f24ff3218e7905d81c3e99c84bfd26\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 295\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 15\r\nKey = 9530bb291d38f6bed10318081dde8fd178f02eb0e8b7d022\r\nMsg = 5f48624302d1acf7750994d45f0999ecd89a3861cd0268d5a51e672124b1\r\nMac = 0afed54c577e550eba7ac94a2d82d8\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 296\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 15\r\nKey = f5400b86ace6e3da5f090befb96fc05d0409bf41fc77b4e0\r\nMsg = 1c79b055fded54af5ad2f3253f93a090ec003863d9458d3ff718c4c13937\r\nMac = 59f94d4b13539a5f0a8672e4599bad\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 297\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 15\r\nKey = c033e4a512297caecdbead892b11a9f7007af9a74bcab89e\r\nMsg = 3ce965d58856663d54269af4791ec57ef98227ea387d525769c23ab74674\r\nMac = 0dc19e37a255dabb61957f7f89ab06\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 298\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 15\r\nKey = 2459f951d1255d093b72144b83b05ea3185d5123d1ca864d\r\nMsg = 661c6ff41af91a6d828a4d5d507f8a9130abe91412070950c5fa4c75c8d7\r\nMac = ac8e75b4465a52b3a7da3746f9875a\r\nResult = F (1 - Message changed)\r\n\r\nCount = 299\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 15\r\nKey = 3b63415210361822e23cccf0faae88cd7642f44cec45fe37\r\nMsg = d7f78e950d2ab520a6f1e82ec6f206b2e8c71131c85234bd80500527f131\r\nMac = 15e59760acd3dd74155d6d3739c189\r\nResult = P\r\n",
-};
-static const size_t kLen35 = 61387;
-
-static const char *kData35[] = {
- "# CAVS 11.0\r\n# CMACVer information \r\n# Algorithms tested:Alg = AES KeySize = 256 Mode = Verify \r\n# Generated on Tue Mar 15 08:40:45 2011\r\n\r\n\r\nCount = 0\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 4\r\nKey = 45b74171271e1fdc19f9beadda58010d843af69dc2f4ad003dd74b9b570d5a98\r\nMsg = 00\r\nMac = dc0ee796\r\nResult = P\r\n\r\nCount = 1\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 4\r\nKey = 2cb4239fffd13762fb5391f5a4760d12d96ea12666a793b4d651e9f4891c22c1\r\nMsg = 00\r\nMac = 2e19d6cf\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 2\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 4\r\nKey = d88586da8b605a6fd5a45d316b89fea15e27ff4d92238397718e68b8e00ad605\r\nMsg = 00\r\nMac = 8ad78885\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 3\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 4\r\nKey = 136ffda3359fee8c81e6dac131256f4bffc0d3c3e74f8aaf2f979a0fa5b8ed32\r\nMsg = 00\r\nMac = e430d0da\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 4\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 4\r\nKey = e1a7867476bee9928b7237ab7a3d502fbe3d2d45b6e4c41aa9f12b79099f019d\r\nMsg = 00\r\nMac = b6f00f90\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 5\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 4\r\nKey = 5b4d945d55dea22e37821ec396476a4bfb617d2f392ad93afe67bcfda9cd9b72\r\nMsg = 00\r\nMac = 5076ef43\r\nResult = P\r\n\r\nCount = 6\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 4\r\nKey = 23df62a79fd5866425427d0ccabf05b16590e8452ee22e028b51910926ad314a\r\nMsg = 00\r\nMac = 7bd29398\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 7\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 4\r\nKey = ce9da814595f76a7e52a1222c7c9a6579b3cc2e393ba51580ff6cc9b6ea2ad8a\r\nMsg = 00\r\nMac = ce872fd7\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 8\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 4\r\nKey = 507c4f32246d637fe08e454c638b014438109e1fca31f724d40ac6ec1aa20268\r\nMsg = 00\r\nMac = 282a7ec2\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 9\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 4\r\nKey = 537dfe9fc000468dde29800549b1cfaae67ad89d22c8264d7eadcd914ac54ef4\r\nMsg = 00\r\nMac = 7936b7d5\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 10\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 4\r\nKey = 1f57959cecbd377374477e33b34979814f260f77867392ed645998f73a3b06ae\r\nMsg = 00\r\nMac = b4b63264\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 11\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 4\r\nKey = 3d272b4a1a1031369aff514e2df98d580f972b5abeacc05cb1288e6e473c0fed\r\nMsg = 00\r\nMac = 18b35edb\r\nResult = P\r\n\r\nCount = 12\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 4\r\nKey = 8774d1acf96362215a3d1e51e1a52a980685dec4f3afd2d438c03c00c04a79f9\r\nMsg = 00\r\nMac = 80eb7a84\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 13\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 4\r\nKey = f37155beb5eed8899d9ed4b5fa21b60b40af289f090a355d5bb1aee52957cd99\r\nMsg = 00\r\nMac = 6827f73d\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 14\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 4\r\nKey = fcb52c44379ae8083bdc7b827383df93cb1a7ecc21574730f9fe003b7302de23\r\nMsg = 00\r\nMac = ccad16d9\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 15\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 4\r\nKey = 83e231ecf8913ebce00e62b8f00c1abbaad710142fdb912c54664169f7af0e51\r\nMsg = 00\r\nMac = 8e393f56\r\nResult = P\r\n\r\nCount = 16\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 4\r\nKey = 7d35e77450e2adf8805d5ad67de5835b2c5dccafe8440865c7e7a1501ed53a98\r\nMsg = 00\r\nMac = c6899710\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 17\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 4\r\nKey = 87143071241bb65261fe7afcc102416e59b9e46ee0c9007308f0eec10e45f6d6\r\nMsg = 00\r\nMac = a1a4449e\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 18\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 4\r\nKey = d30d2d1670553c71ff0264ab861574dd03a103d954226d1b540f18fc47b3fc29\r\nMsg = 00\r\nMac = 217ac763\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 19\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 4\r\nKey = d6983226b2c3a431abcceb77c8ec6b9bae80199115b28c5d7c56561e1b12944c\r\nMsg = 00\r\nMac = 26c717ce\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 20\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 8\r\nKey = 0cf53b4aae3e0a209e58385dd32d9cc6163265241332c332af4de4b99b4022fa\r\nMsg = 00\r\nMac = 1bfd19f6e1070186\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 21\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 8\r\nKey = 5f988f38410d26d293ef32d74eaa81acca82545e767ab59dcc750a09849cebad\r\nMsg = 00\r\nMac = 7e52911c0d7987a2\r\nResult = P\r\n\r\nCount = 22\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 8\r\nKey = d8fd6e1dfcca8f656705aed7e356a576baf8907c8d10d54c833d62a8a6703624\r\nMsg = 00\r\nMac = 31b478b4b4adaae0\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 23\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 8\r\nKey = 49fd56dec210e903f6c703332637f9c267eab9333e2701a16c74ce5e0b5a16d9\r\nMsg = 00\r\nMac = c8be2b36c93684f3\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 24\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 8\r\nKey = fa282e1f3276a3e0c769f2ba25ce830591e860300cc03ab57abdb14c0374d060\r\nMsg = 00\r\nMac = 27b8111c3d9f14f1\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 25\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 8\r\nKey = 1c6942e914218135496e0d7910abe67b9f7f29bb09029bb37021865d7543c4f6\r\nMsg = 00\r\nMac = 466b7077bec98b7b\r\nResult = P\r\n\r\nCount = 26\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 8\r\nKey = 08f199a8d7e3ea821dd3106e8947cd2e9d485342b25a64713db2b8a650a49ffd\r\nMsg = 00\r\nMac = 796deae0d06b1bf4\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 27\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 8\r\nKey = febacddf3448c7464297ae53166793e2ed962de0d0947c5e5e17abe3cc103b07\r\nMsg = 00\r\nMac = 5e2d21aa3351a2a0\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 28\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 8\r\nKey = 59b9fb83b6a85f017bde6c0ff3ced955b9f343cc71b680c6b591302f52759412\r\nMsg = 00\r\nMac = 3e5428eca10808b6\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 29\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 8\r\nKey = f07e6655424125462a96390e02bfee9d89cb271bd9bbf22a9de45f6b7e949343\r\nMsg = 00\r\nMac = eed5aed01096226b\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 30\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 8\r\nKey = a04f84bd79406c138d02698f003276d0449120bef4578d78fecabe8e070e1171\r\nMsg = 00\r\nMac = 18553226e5f9788a\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 31\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 8\r\nKey = 1673a52494e9af02472c1777232aa3813c7c162593eca7112f34b3807009af5e\r\nMsg = 00\r\nMac = c5907fff58c68ee7\r\nResult = P\r\n\r\nCount = 32\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 8\r\nKey = 1e4ffbed2d5a7bcda5e24a66048660629d57567f83307087a846db8246ff332a\r\nMsg = 00\r\nMac = 29599bc212927246\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 33\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 8\r\nKey = 8b80c24ab4a3c24ced82ca8c69924553a37a139bfa2541c59e15188ab0fa5a34\r\nMsg = 00\r\nMac = 299746d93b0b4881\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 34\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 8\r\nKey = a00ebf59768f6437b48a91923f5effcf31c745b980f79f2edde9ed18dcf2ffa0\r\nMsg = 00\r\nMac = 61950ed83db6bf74\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 35\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 8\r\nKey = 319d3f58fd7257901ff364fa68b86b1ba27c11962b2c5be8e33eb95548444322\r\nMsg = 00\r\nMac = 26793e8f8d5eb7c2\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 36\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 8\r\nKey = 015a9d1f2df2c31f14cfbdc0bd68725fe8113a024f2a43312d963207fd6f0d88\r\nMsg = 00\r\nMac = b19fc2680b8b82b7\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 37\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 8\r\nKey = 003cff344c4e1932ac628440d819eaaafcc3ebe7c525cb7abb7a6716d2b76e05\r\nMsg = 00\r\nMac = 48a98dbf16257142\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 38\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 8\r\nKey = 1a581f36e1816d346f7bcc6df78316aa353111e447fee6f0bd05d562f30626ab\r\nMsg = 00\r\nMac = 587155c18ebbf8b8\r\nResult = P\r\n\r\nCount = 39\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 8\r\nKey = ebab54c4a22a16f7d9546bbf682b995a6ce944e949f1920eee058db95ab9c93f\r\nMsg = 00\r\nMac = 067927f063adfaac\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 40\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 4\r\nKey = 58405ef8fb69e88221edc10a92c01cc44255aa7083096adb79bec3a8cec6d050\r\nMsg = b4aaf9ad1bde60a8d7e7cb16c1cf6b713df17d1507b028973068a95963a5ad5b\r\nMac = 42ffe65f\r\nResult = P\r\n\r\nCount = 41\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 4\r\nKey = ca0f404e3389e9527135f53eb58bca7726266b8086d33fb512e8143daad7633a\r\nMsg = 8f2a6b2185f73372ccaeaa7f93d30d1ca80a451ee0e46ccbbaf98c8f3f37aaf1\r\nMac = f2b311b4\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 42\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 4\r\nKey = 67b896b88f07962e08471634ab7e522144d716a2969bde55a05c3c931f747a8d\r\nMsg = 0218eb619dbbde2e846218339aee4383792856496eb3b85cc43fa81446fedc5d\r\nMac = 69db1949\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 43\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 4\r\nKey = 422994df8766f7a6a7ebfa2ca57ed6189d9e9e8455c8715c14f3f407b75dff4a\r\nMsg =",
- " 12f0c45d06a138a964fb11b2d450620a2977bcd2952afe371cad6e3d48b009bc\r\nMac = fc5f1ccc\r\nResult = F (1 - Message changed)\r\n\r\nCount = 44\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 4\r\nKey = 3291be3aecd2e06cd2ee61a14d723450043d450567cbb0bf88ba32972d86dca3\r\nMsg = 343d5a4ad39acf81adcf24e9807618932abcb3bc076734f179174c77c8cb89e9\r\nMac = 3593d615\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 45\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 4\r\nKey = a1885ce431cedbb60f7b3d96a06cbc60a964df156ea4b4191abc5a9f60a0c361\r\nMsg = eedd0d767a25b24ee25fe747718256af51d7b4bfe900adc069381a71a2dc7aad\r\nMac = c558f768\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 46\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 4\r\nKey = 039188ec58fa55acde53c337fcfd0013f0c6efa55c60ce470112159bcaada11e\r\nMsg = 009f47f180e085776be6644aeac0070be64c289f84a7ba3dece7cdc54f0db354\r\nMac = 20d3639b\r\nResult = P\r\n\r\nCount = 47\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 4\r\nKey = f7d946f66e1cc4e5a79dfb5559cbea5a128545eac38e17ee7f3bac9a806faefa\r\nMsg = f250c49f9882f10db247adfdb2112c2589e1011f77c48e0f219dbf85e326f8a5\r\nMac = 90b4bfcb\r\nResult = F (1 - Message changed)\r\n\r\nCount = 48\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 4\r\nKey = a61f586ddbbe0219187f8f446d4b172f5e9bf855d1d5d6592ad8e03eb4d555d6\r\nMsg = 71c8eb0079559a306e236c49b7ce1b6cfe26c7888733eb7ec07690831a72c0c5\r\nMac = 78ce0135\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 49\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 4\r\nKey = 7774802fd82fe96c05431acd40b49b1160d403c0db09b10f23d0bd0435022edc\r\nMsg = e75b6ca1b87e775b33536979422a1cf743f58c71b1599adb00050972c843cdf2\r\nMac = d885703e\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 50\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 4\r\nKey = c4261ebb87a76aaa82a00392ee2e2318f0b52d5f2724e374847ad9ea5c8929c1\r\nMsg = a41bb1f256228302cd0548ae2148ff42774d18c2d6d3e38b36bc4938da13bac3\r\nMac = 857d8909\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 51\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 4\r\nKey = 6219c19233c1b91d7785fde3b65df3bd2e1d74331ba62e4d365947a77cd243c4\r\nMsg = 68f17b9f57734784144112c79bf360ee324d37f9a7718137d954b15e796fa9db\r\nMac = 0e85de57\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 52\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 4\r\nKey = 7e8cae1374d3a21bf2dd3786754668f17aa63dd5e3654cff9dd18041806d1968\r\nMsg = 2d335be62ecfed45183f5a04014c1a52afb7b918b9cc1f2be93b15c6e5240537\r\nMac = b56ee72c\r\nResult = P\r\n\r\nCount = 53\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 4\r\nKey = c2425ed20cd28fda67a2bcc0ab342a49d79d6b4eb196266cb0d116fc18895545\r\nMsg = b5f24c00cd15e377f444ae55e02b335379e7ae14e7c9bd05f0575d8981941553\r\nMac = 2e44c573\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 54\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 4\r\nKey = 1f7871680bfa59a8a178604dc513b51a3d4c682cc4c421de594512e9dd062ad0\r\nMsg = fcb43224bf8989e1809d90481ba043328febaf4b6c1c05d18800ed98f4b71c52\r\nMac = bee03b92\r\nResult = F (1 - Message changed)\r\n\r\nCount = 55\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 4\r\nKey = d8a27558d070214d3f765cf969b2b8f09c0b14ebc492cb2539072b04db9f29fc\r\nMsg = fc69a1f0d0ba8eca9e7c0570cec9c76b511c74b2d8b65928444189675eb42fbc\r\nMac = fab3b2f6\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 56\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 4\r\nKey = 72354b455230b72a6dbfa5cf6c3726d7f8e65ca773f9d469e99d165743657b36\r\nMsg = aac60835c309d837aacc635931af95702a4784c214283ebbfb43c4e29973560b\r\nMac = 69519d9e\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 57\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 4\r\nKey = ca92b095173076a40e24522297be27fd3a765c8d417f24c71a9f03b3fe3d8e20\r\nMsg = a96c4d5c89a364263c97a453308b9360bc0ed868602b9ff54fe13f162ad31ab2\r\nMac = c59a1a39\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 58\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 4\r\nKey = aa56f98e03f559eea02ad958e125f2312ff97bc3310079ce437b383f247a9b3f\r\nMsg = 01bf2aa8dc66ca44d16d4567f1adddd4461f78706ff15cf68ad937eb57aa62d5\r\nMac = 31171cfc\r\nResult = P\r\n\r\nCount = 59\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 4\r\nKey = a0e317b790870e6703e6077dfb8ea327c12e29a17107284cb89d5effddb2d9a1\r\nMsg = eb4ea6b72dfc6657e835bf82054796183330c02a8db3c5b179abe37fd0a05675\r\nMac = 05d54199\r\nResult = F (1 - Message changed)\r\n\r\nCount = 60\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 8\r\nKey = e3de27949ff64066131c81bfee172b308f9bb0b31710678ec394837b79434605\r\nMsg = e41557341e8dae33568524f3f64b23426044c9db3526463ad16786af14f611b2\r\nMac = 975ad1d2fcff6a85\r\nResult = F (1 - Message changed)\r\n\r\nCount = 61\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 8\r\nKey = 492dacdcb4a35fc438a6eaa35e26d2f683a1e85e92df28f213dfe1da6511161a\r\nMsg = 0515ad7b8576258645d37b7ac771745620e2e9e009cd778f34ed77a7dc5c30a6\r\nMac = 9f43dba2aad2f539\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 62\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 8\r\nKey = d71c50d55850d432cd8c8ff4ea427b3f19cbe14c785a7704202fcbcead0de5a5\r\nMsg = 7ffbc4a09583029cbb0acb6b13f08a189033da22c2ecf921f01d79ac68a9397b\r\nMac = 5d00ffc5f8cf1ddd\r\nResult = P\r\n\r\nCount = 63\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 8\r\nKey = 557eb2e709d58915a8bada6433f2e5660247e0cb1588ea84a9d24028090eb396\r\nMsg = 003132645e3026f6a2b9d0644c16e5e4d1bf8b53a51f0e1b999bd45a67d19341\r\nMac = 6f3d9f50d09476ef\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 64\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 8\r\nKey = 351d779277148ab4474843cc798942cacbe863eb1c1c9338dc25e251c12fda68\r\nMsg = 34bcdd3d0469c01d0d95a85ca705d887385bfde20596a90b47d902db826dbc8d\r\nMac = 79ded259f93456bc\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 65\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 8\r\nKey = e1c17ce3d3c61468a7652a95128bc0f6c33d9ccc46e7490327f15f645a94040c\r\nMsg = 97829c60ca9a71c23eaf1c4b4fbd72043037ef0cd356b68e0db0d4f0f50cc54d\r\nMac = a93f0d16499f63ec\r\nResult = F (1 - Message changed)\r\n\r\nCount = 66\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 8\r\nKey = a9a86a4407b7ecebc89434baa65ef173e88bd2dad9899b717ca578867c2d916f\r\nMsg = 25a152850b4b80b19d8f0b504b2a8a241824b3a1fca8d85c8713b2c0c84b5e02\r\nMac = fe84ce3defe00f67\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 67\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 8\r\nKey = ed14373671cd8041e00874b5d098ea225eaf9c68bb51cecbe8083149bdda062a\r\nMsg = 38106cdc72b1ddd0fe11f23819096dd7479e95ee9730940c28f51e28eca653ed\r\nMac = 470404ed731640a7\r\nResult = P\r\n\r\nCount = 68\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 8\r\nKey = 009f47f180e085776be6644aeac0070be64c289f84a7ba3dece7cdc54f0db354\r\nMsg = 2eced43c084a86f89f61e7237425137c167aac29e4cac4071afafd3f0c9dee1a\r\nMac = f67d432e5b6fc5e4\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 69\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 8\r\nKey = f250c49f9882f10db247adfdb2112c2589e1011f77c48e0f219dbf85e326f8a5\r\nMsg = ce61d6d8de1b299c9b063d1e1cb1faf7a616faa7c6673d7f9c0a1ebe7ae285fa\r\nMac = e1d950593abc14e4\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 70\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 8\r\nKey = 001150b2dd572288b6fde466ec2c2a64c75a9d516b7096f7082bec9f52c20ad8\r\nMsg = 6dc38e37d1379732df4dd535db88d17aa59d7cf9e8d60ae695b4047b90d899f7\r\nMac = 2de6700fc1562ad3\r\nResult = P\r\n\r\nCount = 71\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 8\r\nKey = 68e00d394855b6697da8213a120dc2213b3a8a1e88c9b93f5edef465a809974a\r\nMsg = d21aed2073e8ae9c0560f9dc1adb961d4f959fa12c0384a44c675192bea13477\r\nMac = 9594f10d5ce5e616\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 72\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 8\r\nKey = be0f6052baf658a3607d999b81401edf7e2afac2b143e1b908c8ea0ff38193d9\r\nMsg = e502f0b4710bfe517e783c4bbb85055c8471b04e12dd6776f276367fb5d36369\r\nMac = d409a879dccca77d\r\nResult = F (1 - Message changed)\r\n\r\nCount = 73\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 8\r\nKey = 7147b3c5ffb2660c45cd8d78a6fd44bdd5ba75349642b32ec88f6688a287297f\r\nMsg = cebe84df789c98dd125bf43cd993e2f089611b98d10be04904e2468d116dd2ab\r\nMac = 21cfc1e6c1c38df8\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 74\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 8\r\nKey = 205e751926038ef940c6599d84a9e1b4737bc826e9fcde544d43f2a10b5de931\r\nMsg = 86ffd5bd3bd1cae10706a61d247b2257b165f37cb53ff21761077a2295a9111b\r\nMac = 73d66ea826b84fc0\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 75\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 8\r\nKey = 8c8a502eafcfbb813dd1ea907b1660a41fcaa3f905aa93c22320f96ebfaf632a\r\nMsg = 626aed82974ef29a1ba0a6c6fefcbf34ca982e6214835183502f6a24ea2e500f\r\nMac = ca3d007ecd99be83\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 76\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 8\r\nKey = 596db502a357e102566291b916b32b8a09e99d3739f5e6543a2cd8fb0c9a1cc2\r\nMsg = 22bade59214fa4b933cb5e3dc5f096e239af4c2f44f582b095c7fea6b8914bfd\r\nMac = ff4ec21d89d4762c\r\nResult = P\r\n\r\nCount = 77\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 8\r\nKey = f51f2fb4b3fd8045b70d34b600a2697cbf7503be0d8cfb5cdc60f9312e3e269",
- "5\r\nMsg = 4d43702be4f0530319555d7f1a3356160f6cae48051f12e22a153d7e405c1149\r\nMac = 3d615ee77043d8b4\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 78\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 8\r\nKey = 80a4b14f951490618ce53d39abd3d786b425d4f76b26a25052d98ebdb7e9e666\r\nMsg = 0b2a77b0175ffafee40cf83bd19e785dc7ec4319786c49b3e7a741142aea901d\r\nMac = aedcaa2e26d2f5a7\r\nResult = F (1 - Message changed)\r\n\r\nCount = 79\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 8\r\nKey = 39fb57fadff7cd9e1cfdba154422b71d693d08807d86da46ba63c929417ea549\r\nMsg = 567c7400f190d06e682b3dac5f751639a9007362b1a2a8b618800fbb9f6c08df\r\nMac = e29461fe8c6b3767\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 80\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = 535ed61510eb268100be032b7a258e84bdb32448269d3000a76444ca74b4695c\r\nMsg = f7f28df82f910badc5f4b3860af28cbb6a1c7af3fafa6dae5398d8e0a14165def78be77ee6948f7a4d8a64167271ed0352203082368de1cd874bd3b2e351b281\r\nMac = 4a0fd541\r\nResult = F (1 - Message changed)\r\n\r\nCount = 81\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = 713fd349c56d1086794eb20ed59ddc89b065bb8533b968c6dfa60bddd16646fd\r\nMsg = 4f3b91aeaaabfc7d4dd6821549d4eee2ea17f59aa196c67b422be2d46f3a2ec65494464c969b157985a6a30199a72dfb1c0b7be524e16ee9c43fd95e83e19192\r\nMac = bd4eab1e\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 82\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = 1f89d9ee93294aeaf3503d15a6dbef48708de48897a72b3545b9e3852eb7fe31\r\nMsg = ea0608b19f47676f0f342cc2742e003a6a74fa2850f41e0cf162235163887a3830dd8b13b45842b3c686ca239bdb9897e646ac9f440713a0d8c5b18532db3db2\r\nMac = 8bddd404\r\nResult = P\r\n\r\nCount = 83\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = 2b50dbe8a5ed0c7cb69aa60a38d10cfa4553c73d58c0ce84b26504b0fd55038a\r\nMsg = 2586563b0102f662b5a8f9bfb0c1d107a4c27569d27bc066889213e3e830427ceafaae1ca543aecaca7f34c671fbadd518cc28d9e806bba43b2e220e5cf1aa45\r\nMac = 987514d4\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 84\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = 29a7ed3aa55c7eb7e5bf343ca0efbf8b2062ce67b086255551a8efa0ae16569f\r\nMsg = 2e6f2d21aa133a5061622f08ac64c6b3a3dc8154862033055c27c3a3d9e42dc885d2c9f91bd1d0212f301c3e140b2f5bfdd777be623bd162a6214ba8f60e2e49\r\nMac = 1bf45457\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 85\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697a7ee6410184c7982\r\nMsg = 65916ae3d88ab2add5c0c6910ea993d385cbd35c5077ea0d9db30e53f378abfcbb1e0649fe14204470d4dd53ae16650ec444cb4ef22fed86b0009b57ef71fb5e\r\nMac = 578f80b2\r\nResult = F (1 - Message changed)\r\n\r\nCount = 86\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = 47e49e5b57fbb834932fa32107697471119f1be3c3a6e71a8c474d4b1596e539\r\nMsg = b3cec7ad75e2bf6c87029a67365aa83cf797ae2f4d42e720ed4c48ba21ea08ee6aa3609f69a6909fff6222dbb45172d255146e4ce1c59b48a7895936a8646766\r\nMac = e6e64597\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 87\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = f0b0aaacc25a791c236aed0e9b537fad00a15efa9c89b5068ac52c64639fb1de\r\nMsg = 9a5a9560baed3b8e0e90b92655d4e5f33889e5d7253d9f6c5aff71ea4069224cfbdd19ae3f0ecdfa65c27dc3bed721712784a09fdde243c193ab6a0ac2417e8d\r\nMac = 990bb31e\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 88\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = 14db1ffc1c87117fc72981706c0f90404acc98aabe950839baeb6f0b727bd6d4\r\nMsg = 3d736aeca5720f5c7bbb16df61f6d785facfa070aaa89c2d9e8af9450d62490ebd6a29c7c8e521e4a00fcca7515439f006c09056cfb7f976a1e6b98b9f799e40\r\nMac = a6786e52\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 89\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = c6f0a3692c9280c48393b0dd763e5d0b90477f34ad69f192ae4dcab771aeeacf\r\nMsg = 8439ff717e1e15161119494d368d7f3812601588265bbefbc6d48e22cc8a51688dd021500cee38fe6ec402f9aeb0762f92b2a73adece96e1c7b24be2aa9924ef\r\nMac = 70126cfa\r\nResult = P\r\n\r\nCount = 90\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = 75225a26d63e91281fb37ace46354f81de99dedfde8b770ea47f08503aea87d8\r\nMsg = d729d8cd1631aacfe485b1f408a4fb60256e7a8ed6e5b53afc34be7e57f1643b549fa9ba2677779318688ece225cc149babd6259ec37fbb4adc03e8f6dd63f03\r\nMac = 5112f762\r\nResult = P\r\n\r\nCount = 91\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = ab72eef2aba30205c986e2052d6e2c67881d24ae5fceaa8fa77969539152527e\r\nMsg = 5251a0aadbc92b76705eb053d09b25b5ad38eebabfe1980d143ac90aa81f7723353059824c8d9befa5ded6f5b4973f407c7a1f4aa85d8337d82d34fd3933e9c7\r\nMac = 52f7a014\r\nResult = F (1 - Message changed)\r\n\r\nCount = 92\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = 6906d6533fbc33f56e38e6a639798005daa228ebd2fc8f93803d26fef30b8e95\r\nMsg = 6341370e126097f9721a13c977eb4875cf1286e15c3adfa4e7597e0e13d93b6a8ff66c809067fd5e7f40c358ee170d4ed1657c2deb3015b886e79589678e0452\r\nMac = 1b6a021e\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 93\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = cd9072aeffebbdfcce95b569c34158d0e130ef24dc99e3f98a4dd246949be269\r\nMsg = f882339f93ff114bfead78044aab1c7fe109dbf1bb2d968ad476403fdd2034cd3168ccfb0cf02f1ff7646ae3875ec349478749edf300b08be7005cc0d6bebc15\r\nMac = d16bcdc7\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 94\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = 3005c0100dff59e5e4b0e3b95abbbc79749dc49ba29a79b1fcf7613ecb6aa9c8\r\nMsg = 4c2c670f3ac1c4e33a8d43063c8983e20f1ce6a73299fef1e70a42a5882c061b1ebaaa8330ee1181d946541b1d84b8d57df8de1ac9013ade36d2c682b172f8f8\r\nMac = e5689100\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 95\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = f32eefb301356fb1cad6dfa94864542b5f8cd8e98438bdbfbbb431f0c10f12b3\r\nMsg = dae6db62842a8a25123e50041b701ad17e2f63a0496443c3d905a9f943e6e4e2f3d369b693ddd0372ff11fe496af4b700378fc72fcc9915e7bc864b44c1d4f77\r\nMac = 280624c3\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 96\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = b0212ca369c611b725eccc3daa58df412787a3475f418d820971af46773382c0\r\nMsg = 13ca022396285bf7b82a600b560208c54ee14f8496bce684895029027e6451a09f4eeb0af9b889dacfa4b7b934ae30c7d991523e23edd0528048a75bfc525335\r\nMac = 8e9759db\r\nResult = F (1 - Message changed)\r\n\r\nCount = 97\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = 57a9d1ea216c69c6e360221f8c858a9d356598a8b253e2cf67f1116b5df5927f\r\nMsg = 77772e91be674abb0f496b47dbd632e5616177a0d16a8c11b271c2d381082f379b2cae385dd526b189cc10cdebbd33bf3d8db2b449ed49064d30d4b3a359110d\r\nMac = 41022947\r\nResult = P\r\n\r\nCount = 98\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = 749f2fb720d321757473afc5d3a377a0eaacb425e5591026e3a1bae6a785b921\r\nMsg = 2e4f5149d67c955c409b63b04d95538808da6202e69a50ed4d3846da52fcbc76c7089a17758d9d94a63efd5ae7054dbc0bf5a28b7381f7e78debd0549bff1e11\r\nMac = 67b34b0a\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 99\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = f8ebad761b9e73c77faae3fd9390093fef595e77e6d7f6b35e2dfccbde925c44\r\nMsg = 18430f34d5b5fddbd228a910cab9c48e1ba2b5f57819eacbde756cc0c993b736a778c8008d37776a2915077af8ecfc76b8cd2ca621e9195bd0b27e31843d2890\r\nMac = 7a446398\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 100\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = 5bb9fb83b6a85f017bde6c0ff3ced955b9f343cc71b680c6b591302f52759412\r\nMsg = ee7e6655424125462a96390e02bfee9d89cb271bd9bbf22a9de45f6b7e949343def818dfc93d777528f609cd38be0a013b1eef816eb1f9593a850bb7aec5b9a7\r\nMac = 5e1fa5b9c9dcd90e\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 101\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = 57a9d1ea216c69c6e360221f8c858a9d356598a8b253e2cf67f1116b5df5927f\r\nMsg = 77772e91be674abb0f496b47dbd632e5616177a0d16a8c11b271c2d381082f379b2cae385dd526b189cc10cdebbd33bf3d8db2b449ed49064d30d4b3a359110d\r\nMac = 430229471a1cf1b5\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 102\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = 749f2fb720d321757473afc5d3a377a0eaacb425e5591026e3a1bae6a785b921\r\nMsg = 304f5149d67c955c409b63b04d95538808da6202e69a50ed4d3846da52fcbc76c7089a17758d9d94a63efd5ae7054dbc0bf5a28b7381f7e78debd0549bff1e11\r\nMac = 65b34b0ace2fc6bc\r\nResult = F (1 - Message changed)\r\n\r\nCount = 103\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = f8ebad761b9e73c77faae3fd9390093fef595e77e6d7f6b35e2dfccbde925c44\r\nMsg = 18430f34d5b5fddbd228a910cab9c48e1ba2b5f57819eacbde756cc0c993b736a778c8008d37776a2915077af8ecfc76b8cd2ca621e9195bd0b27e31843d2890\r\nMac = 7a446398a5c59ec6\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 104\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = b228c753292acd5df351000a591bf960d8555c3f6284afe7c6846cbb6c6f5445\r\nMsg = c66d322247ebf272e6a353f9940b00847cf78e27f2bc0c81a696db411e47c0e9630137d3fa860a71158e23d80b699e8006e52345fb7273b2e084407f19394258\r\nMac = 129",
- "e40ed97c02ff9\r\nResult = P\r\n\r\nCount = 105\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = 8ea05a5033ab8b009664fa2800c24e217488ce6888cad14774ad75b2696e9470\r\nMsg = b3f09d990c2f41c8707368bba007803621ecd76540cdb8705435d74f4300eee04710a936f241c034709e625b0dd5dae1f6e86d034426819c365a05f5be420cdf\r\nMac = 08e5d5b3facd3b01\r\nResult = P\r\n\r\nCount = 106\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = 016b5537198ed152670c5fcfb70ade276de97ce0cb771c5f6f66fcfe1dfd945e\r\nMsg = 7ad591e67c6a3ce3c9f871e328fc4ce3b6e7048e80691da551efdfa4c96b06a3af53bb7a88ecc32869c8f776098df4d71af91393da239c24e50436e04d35a2d9\r\nMac = 36df9931a14dca9b\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 107\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = 22d5d4c3a3aa8d2fd5f25c08b83cea60e94058e8235ddd050646b02617f82854\r\nMsg = e86dd3216500273d0b6150227cf03adc20c8a5fed4a2799fdff759a327657a3ca554b6af16d9dc5cf3db4bf9a474bf1ef1996a06b9fe4794e634ab94a0141d44\r\nMac = f0246b4959d2fa89\r\nResult = F (1 - Message changed)\r\n\r\nCount = 108\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = c892b095173076a40e24522297be27fd3a765c8d417f24c71a9f03b3fe3d8e20\r\nMsg = a96c4d5c89a364263c97a453308b9360bc0ed868602b9ff54fe13f162ad31ab20f3fc51bd2346ae68a006afb50e846e8431dbf7bd0eb3c8f30326d26311a2eb8\r\nMac = 1d943a8b0c470221\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 109\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = 2c87c0d64806fe303c5e97bccf48360f89374b6119319bfaf8defbe74adf58f1\r\nMsg = 37c6206e23163c39a13f19de48cc25dc26e6f83cb376e8d2048ad7c141fa503d594bd395f4d36c70aa1e8a5672910f735d4da49884574f833ef54760975b0790\r\nMac = 58cb614230d590f4\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 110\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = 028600eebf6b3eb04d8fac18399965aa8fb5f3954d3a657e188ba17f2e3bfc70\r\nMsg = 5b80d1cf745b14cb71cbc8dfe0bc7c7358f721c00099b3e250c41c2e1c9455c5ce55ce69f3f31090f9b1a1b7361e27f92d46d1e00d25f37b7b61f0b191385dd4\r\nMac = 02587102e6450de1\r\nResult = P\r\n\r\nCount = 111\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = ea1a626b623e9440e3f6f5c0b8b63b9967374ee82c1957fca5cd195ccfb2840b\r\nMsg = d082b2aad7058c3142021457d47d51d8ebaab62ab452f6039e771a1b0f3bd03355fe0656dfc7b75fade505bb05d689706867e75ec41da5c5ebd43d0844a670b1\r\nMac = c874df0a8aa87c5f\r\nResult = F (1 - Message changed)\r\n\r\nCount = 112\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = d1155265fe296f374366dbd11f14466df1ea210cc88b0d1876509347e64815c2\r\nMsg = 3e3d3a464b2e6030be877f8db4c1c42bd2b8247adcf792ee833675a57f21594ade5be4399cc30ce373f68874f41584b4d7c8992b9082fc892307f645382c9483\r\nMac = 6bfdc96378f0c8f2\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 113\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = 9bcf914f787fd3cf62c6315a12feee358eaacf1f63ac802932b933c86b098a29\r\nMsg = 02c8b892b13f04d99b875b8aaa32136d19dd6b9c2a10d8871c66993a57ee91e3ebd0568e38348634ee5f5af4391f7da0356a1e7ba8424441f0db61683a002ba6\r\nMac = 365da451a2787193\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 114\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = 35d5df6d714e2ba5b307c4d1908e108bc6fece682a23aa35e2de0e80d4cb3c5b\r\nMsg = 963ef1899cff6e0a6dcd80a27b63c20fdb8e9fa1ee3e14ed40ddb7c6b0dff969d29ba8f89159b82a19ac4240f402cd3b7279cd4c4ff4698c906f81edae8ff070\r\nMac = 33995a3d9c470cf4\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 115\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = 511ab5e28b6fda481fa5a0fb3709b249fbf29be56346378a4d3f67e1cd6f09a5\r\nMsg = e4cbbf14f27490843b0f9a17b4520d4bb2c89726f4c788cae4a3344a1a2198bc222e41907fd16a20ef5f6587f1ee3cb7850b97c633b0e0894e70a6647af53f60\r\nMac = 3b4aacb52525b58b\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 116\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = 5e79f14d5f687ce62b82f856695af9f7dd350543ec763de75b593f1859e44c2a\r\nMsg = c0dfcb62fbc3a67ceb792b3428d040ed5e50999296702472b709a44f4c0b9bb1876f6e80866cc4d2d6ee2f0236440e029d18b2f27ea5bff14a24d53337877053\r\nMac = af30acca71feba3c\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 117\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = cf8a477434cc679e52dc3f3f3520eb108239dad5bb363034bf0768c790343e70\r\nMsg = b891b1ab5a6919e0b99013e40fa7c910e55a480bd043d3d85b0b7d1342d3f777e1d2a6a4eb3ff81f5f71f99bb845217765c0708778f5be17a2294c2d5f369e0f\r\nMac = dc10e268f5f73bbc\r\nResult = F (1 - Message changed)\r\n\r\nCount = 118\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = 67d77f50727c7cd5b38e0b175a888c88687c97f2ccaa3daecc519116a7c5683c\r\nMsg = 02c5c55e7677c84a199d6e534772123c4e5c933622cfa8ef536e74cb3d745b717f53138aae9bfec54a1cb71ff04feb61d2f26aea65f37dae598f7b7fcebb978c\r\nMac = 885050ec166faef6\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 119\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = 0091d39f3478d2c59bf874b96db9ce0f7e8b85a9b805e07dc96b219819d51663\r\nMsg = 7207aa8fa87283f1f57019bf1c89645ff8fc36ab1102704e6d577671a9f7e098482573c64ab24fe8007c697020353c411566bccb98b38c7784607045e61405b3\r\nMac = 96f639a86a2d698e\r\nResult = P\r\n\r\nCount = 120\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 4\r\nKey = 0e6d99ee5137c8f6b9bb45a961be8a29358a91189cf9974f5bcf20d3b64c3b04\r\nMsg = 543ef4638f1322131402172d193bd304b34e3745ecedb9db16f35c0f5fa6\r\nMac = 33f10660\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 121\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 4\r\nKey = 82421ddaaa5767a496f2b78f816cd1e1e6699f6e9e6576c34c909ba5f8dc06ba\r\nMsg = 4e2f0f91990b855a00d27fbb2e8db7184cd82909de361b52e7a75b16547d\r\nMac = 3f5ed151\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 122\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 4\r\nKey = 134f20cb62084a98601f0e69d257fd2064beb47248caa79720a71d461ed07ce0\r\nMsg = c248fa87a6e48cdfafd1e5ac00f95fb1dfda861465747265796654dcff54\r\nMac = e7b21645\r\nResult = P\r\n\r\nCount = 123\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 4\r\nKey = 98505229c1927d13001b53850d0b7d56f49087afc6c2351190cc1b998e4d6883\r\nMsg = 9bee2e347f763c5c506876bb514b5ba1248abc6b3d17cd4c96537d4ea432\r\nMac = 2c212c7d\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 124\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 4\r\nKey = cad710b48ea0bce4a897482a535aeeaeabebb42619578a9d1296927301b3bfa6\r\nMsg = c1db23e776272765a0fee49edcce28ff7702b9ff9b6e31a4c3ed0c497248\r\nMac = 7f27420d\r\nResult = F (1 - Message changed)\r\n\r\nCount = 125\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 4\r\nKey = 0bbf4f77a9883733590a3cc7ee97f3c9b70f4db255620e88cd5080badc73684c\r\nMsg = 7ff9ca86f820e4d57995d450611009ffaa726e6fbe4ce1558ca1e775daed\r\nMac = b2e5a268\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 126\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 4\r\nKey = 6efabed650ce05ff22b67768e3bcc88c7746952106ecea92a38707af2b8a64a4\r\nMsg = 9cbce402511b890c8c9fa215b59c813b3e51b5dce01e776327f145623002\r\nMac = 03728e46\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 127\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 4\r\nKey = ca2843847a1c9539917206d344161dc40b379fd45dfa6a73ba6fa14defc40920\r\nMsg = d9365304c4363fba73feaa69d4cbb343a76eb2d29de6782ebb34d873006b\r\nMac = a94841ee\r\nResult = F (1 - Message changed)\r\n\r\nCount = 128\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 4\r\nKey = e5a1108da9cf587bcbdf051e216231bc27f0e6c1e97729b324d23768a89e0e77\r\nMsg = 536d4b6182a698d456e1fd9d522aab38cf05656f41a5e02cbd5e6f8cb85d\r\nMac = f52a4ba3\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 129\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 4\r\nKey = 008ee06bf9b19536190e87820af9cdddb40aac44b0c3b1e50074fc29fe5cdff2\r\nMsg = c1eb4c800c631d9f387d2e8e431677b7fc8f65235ad0cf9b118d2b0d67c8\r\nMac = ba255bd7\r\nResult = P\r\n\r\nCount = 130\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 4\r\nKey = ba0bfda3b03c736c121cf9a257db55060b621be5168619ec4182f13ef6a408c4\r\nMsg = 69be384eb107340d953753e6a860ea2710e662e8953de8eff8f465d086f3\r\nMac = 9f650d24\r\nResult = P\r\n\r\nCount = 131\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 4\r\nKey = 7a88524accb59f1c6307a1719a011eff211df24645086c67710ef539f5d3f29a\r\nMsg = bebe346356681f27bc62f0b838a25268e3b04194b865bf83eef2c8928625\r\nMac = b2566e6a\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 132\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 4\r\nKey = 9c956d7bbe2028739d73a2f0a80af5f2f180de923d5571e65bee0b25b5dd890b\r\nMsg = e0d2ea49e3e4a5823efd1b229c705ec3bb5048a7658f10fba2671c5d2cf9\r\nMac = 480a14ab\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 133\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 4\r\nKey = 2090b970a71ce2cf399a0d9e1d3d72c4eb500004abcba1303b24bf9af16707cc\r\nMsg = 0e0ef2cd18533bee01f19870f2fb22176c7e04748db4dcb98f7a65cc9104\r\nMac = ddb6f30c\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 134\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 4\r\nKey = 66921951731e95bbd45c014af5cf623933350dd9a90d1a36465716f8239bf887\r\nMsg = 0de1e090eb47dd4fca966e5f8fa5616618701164370d8a43fae2eeaf3016\r\nMac = b91b3131\r\nResult = F (1 - Message cha",
- "nged)\r\n\r\nCount = 135\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 4\r\nKey = 43c1142877d9f450e12d7b6db47a85baca7eea7fde595393fb394c1f34369aa4\r\nMsg = 77772e91be674abb0f496b47dbd632e5616177a0d16a8c11b271c2d38108\r\nMac = b2de16cc\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 136\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 4\r\nKey = db4b6206d001af121051cec70195055fc1fd0dc06ccc74549bc440152aded5e7\r\nMsg = 94394feda0528fcc67124dd1d77f0ec0b911f08c3e01e0c0dbc40c1d57d2\r\nMac = 5f72de94\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 137\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 4\r\nKey = 4d658be9cfcdb19f79abc78f4d7f986d02b43a03098b37c8ca56ebb331e62d51\r\nMsg = e28660f57b044a44a19ca40ff7b6469a41523e8d1cef22f4edaba58917ab\r\nMac = 11fa4d1e\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 138\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 4\r\nKey = 70b4cf3883fea8c6cd852a4293c7e5cb0586a6cd71294883b760cdbbfd07aeda\r\nMsg = 4cb9aa069475e54b25e5688a52dd4acd134169c858105f01a0a1b134c72d\r\nMac = b6b60815\r\nResult = F (1 - Message changed)\r\n\r\nCount = 139\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 4\r\nKey = f75bb63d52c35137448c58383afe47e026d536f67e3afdff87f29b10d3d6d9e0\r\nMsg = 4259e4fdf10acd8da40accd6354f4baef4859a2f5ebada0d2c5b1b26905f\r\nMac = 336ee1e8\r\nResult = P\r\n\r\nCount = 140\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 8\r\nKey = c938f6bcdeca02939fef931c969a25edcc3daf338d8286016e3c7ee78f9d52c7\r\nMsg = 47179ddaa9d7ef6b9a53c646325c80db69128c6fc4f92ccd345078383b9e\r\nMac = 5cbd65df0ca36898\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 141\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 8\r\nKey = 9540e4bdd8c7ab99f0b76dd9de24c340a60f7706f680448509d5dc35cb5930da\r\nMsg = 4715a9a66d10b2dc1869d90fcf9b7fa99e91b40abcb8fc356b5853c92024\r\nMac = dcbd4dae7cc60d46\r\nResult = P\r\n\r\nCount = 142\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 8\r\nKey = d5c396fc1ee960215e57cfeeea1e792fab9334f2c45dd93e74cc47023e6daa4c\r\nMsg = ce188965b4d347a6c36a6fa5a47296b32ff0fa27311266b16b1d56ebdda7\r\nMac = 1684fadaea17bc79\r\nResult = F (1 - Message changed)\r\n\r\nCount = 143\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 8\r\nKey = 897193cbbccbead9957876b8b42a77b404aed32a3f63bb9ab5f08cfe4936f35a\r\nMsg = 87767f13bb4904d0df0d64eb22c9ddb65e81b5739baad86ad5e2c239ffde\r\nMac = 84ef6f59b770d42a\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 144\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 8\r\nKey = 86aa015253a7114e1770b6a48fdb3ef22e9d5abac25fdc145315c09f4e8b69bd\r\nMsg = 2595cb8d4d6aaa148596e8502ec80a030d82195f9e1d9a26ab0ec0101e67\r\nMac = 63e67c44ecc05dab\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 145\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 8\r\nKey = a082c12e97bddeb0c74c13aa4ba788f8a127c44fbac6682050271dbf7ad6cbc4\r\nMsg = 7fc97a698d7b0eed7d7602a5d13e956a538c71c4b45978a47439c05601ea\r\nMac = 3e1fe077fc7e903b\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 146\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 8\r\nKey = 18716638a2f6b4fb8dd2849fa9aab80b8dc846ee7e6b3cb0926101a814d8dd8f\r\nMsg = 6593194b9970545c5a910b2b4fcd46f0ddc7aa0bf873f0a339d5958d310c\r\nMac = c4556a75b754f6c9\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 147\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 8\r\nKey = 6237aa30f1e3df239c96e7e50b69496da9305951024fb83a6fd01e96f6b2578c\r\nMsg = 0c5b7d1ba68654cd24871964f1b31ef7900dabc025baa02d37b55b35b4c4\r\nMac = 22c74fc64489ca5e\r\nResult = P\r\n\r\nCount = 148\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 8\r\nKey = 32f60011bec76a79d2e837c611fad1cad486ee6f2aeeb74f1ea32a7e3899bdaa\r\nMsg = cf772bac3e767534b13efd381119b66f8a99b91aa52c8d3ab5f0a60073c9\r\nMac = 08d02ce41d4964b9\r\nResult = F (1 - Message changed)\r\n\r\nCount = 149\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 8\r\nKey = cb6cee5ba7b799f16254a17b1870cdb85fe0ef3f42110c138742bd7734f0d504\r\nMsg = 40d3c65a00d9204b76e013975ffd729b351698105d47448da285a84de281\r\nMac = 4cc6718396dbe247\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 150\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 8\r\nKey = 9b8cdf91e848eeded2598ccdf084bf591ec2eb668236f555ca61a9d6b49959fd\r\nMsg = 7b3cc6f18a27047f4cdc35404e44eb8e51b1855d4bcd54ccafd1fcfaeef7\r\nMac = faf72c383b56a4ef\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 151\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 8\r\nKey = e6fdbe9a1efe081bbcfeb25b844734fe60aa6b80a5b5f611982de1a331b88041\r\nMsg = 59a0f85349c3f378d56c509a0a45a1512b5072474b297f9c1a8c24890016\r\nMac = 020354f33df66723\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 152\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 8\r\nKey = da360852e8b8c3a1b65af9e8630ee5481aa91dce414166f8f3dacb75b142f12d\r\nMsg = 61d908e9663fb195afc259529fc229b14e87995f8d3591b125fcce816090\r\nMac = f8963157ef7c1ba3\r\nResult = P\r\n\r\nCount = 153\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 8\r\nKey = c9bf0e7e470d0ffc88593796c4cf9a61c6db81d343305ee06a0f0563bcc618c0\r\nMsg = 19378e17c41586b88523a6b6af738dc47e63ea64b4b83fa283f1e502add5\r\nMac = 550523c0347fbcf1\r\nResult = F (1 - Message changed)\r\n\r\nCount = 154\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 8\r\nKey = 7129ca274190400720bba27651f1ee0d5aa79116af9929418e198f9928a715b7\r\nMsg = 891e73a81d7574ce6f73e09e08cbaa0b9db242963f4469cdd2234512c061\r\nMac = 9982a14d261a4060\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 155\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 8\r\nKey = dfaa73c82a978548c99c0f1c34e1edc2c4edd42b73613511e4e6648ba364f9df\r\nMsg = 18044ac51ea97341061ae7d5bce017fd5cfb1554a384a75aa3919a74ba59\r\nMac = fd3a17e8c51a004f\r\nResult = P\r\n\r\nCount = 156\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 8\r\nKey = 6f0be1905d1b5b607574ad93a1e7b4a536020fc6798acae862253916a0562707\r\nMsg = 8e502d5af4701025787e5b251121676182a0b26cdf52847f4d56d2ca0983\r\nMac = 73d76950066c77d0\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 157\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 8\r\nKey = b9fe826b0138de8184a3002d8bb59d228862e4a14f8556f88282d8494d29068c\r\nMsg = c97ca1930b65064b70d12fc46af4d5e220e6009e729a28a13b0f9a11d3ca\r\nMac = b8bccd70bb90084f\r\nResult = F (1 - Message changed)\r\n\r\nCount = 158\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 8\r\nKey = 99c8f69fb91b17299461fd8d633bd516dcdb172760695ec476a5775377cdb7a4\r\nMsg = ef589e3b4ad9a7ba390574a2db5330baea64894f8f881cd67b842dd23393\r\nMac = 38e11613e67e0416\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 159\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 8\r\nKey = a86e8b43a1e81dce7b26420c0409628d145445d1c512e1c3df3270839475c668\r\nMsg = c71a0d1e20a7dc8e7adea91a408ecf3d512bcb15a6d8fc1435c6a7f915bd\r\nMac = 101c06c22819404a\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 160\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 4\r\nKey = c5a850167a5bfdf56636ce9e56e2952855504e35cc4f5d24ee5e168853be82d8\r\nMsg = d4794f6f563d5f6445450b59c1ff95d24eadc9c02b68eaa5df64edf81475e5cba8d2bfab021a2fc8\r\nMac = bf99dc0b\r\nResult = P\r\n\r\nCount = 161\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 4\r\nKey = 551e188cbb7c7d1ff33b4bd5bb6c60da184b18f44d68d5c30704df47d8be6fa2\r\nMsg = 2b421be47d07dcb12a0706f7490d05024fce8f433079e18ec78f4c8678f5f1551448c9a0fc70e8b9\r\nMac = 32aeb3d7\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 162\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 4\r\nKey = 000da8307f0e6112f0b8a8b1f927f62e8a9e5aefc0d37995088dd32e867148ac\r\nMsg = b89266f3a33e5b6883206e44f8e8e0cb01275039c304960e8630f0aa011c5c19d769443061a060d9\r\nMac = 1b5e30f0\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 163\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 4\r\nKey = f4ae2113ce96435b27369fd4571ae2841a965c8ddbfe61023219eff9abd490e2\r\nMsg = 433ea4e1923267fe443e1e89d2472834b72ef97323ad6d82f3825ca9e1d06fbff8c232ed4c716ab4\r\nMac = 05b3c894\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 164\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 4\r\nKey = e7c78ef4c4b959ee00cb1a09d71221a43892ef8ad705edd27ed85d03a377907c\r\nMsg = 4da25d1e7064bc4b4903a77452952885a06ba0712544210d30c0182533182fcac90b71e9f71caf22\r\nMac = c15acf48\r\nResult = F (1 - Message changed)\r\n\r\nCount = 165\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 4\r\nKey = 6f48b3bf240525adcb02985900fa29747e4b1265e5a8899abb0ee51cb0f90367\r\nMsg = 98bf67b6e342dd94c948e76aabb69e7d091d24fba54ae233e4181404768988963915a2495b42a4eb\r\nMac = 71bb5873\r\nResult = F (1 - Message changed)\r\n\r\nCount = 166\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 4\r\nKey = cb6cee5ba7b799f16254a17b1870cdb85fe0ef3f42110c138742bd7734f0d504\r\nMsg = 40d3c65a00d9204b76e013975ffd729b351698105d47448da285a84de281bc3307cfd80b39488213\r\nMac = 592e54d4\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 167\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 4\r\nKey = bbab624862e268765e9e6a13df55cf7a2267520e4e66042ba0b4905dc554c3d0\r\nMsg = d43b841f174335f1347834590b0984a2cb35f7a00a0ee993157d2d4f8487489a12ceddd6ac5b69e0\r\nMac = 3480805a\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 168\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 4\r\nKey = 2fc9e8f409cc6c0156ccf9f00686ac7abba6cbe08982a737fa08c7035",
- "6f54208\r\nMsg = c1cd63e24e41f69a146b448cee0a2107817c8105732745aed817541eede8ee6809e73ddbd0742d84\r\nMac = 91623558\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 169\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 4\r\nKey = c49dc812061fa4995aa7c160ed7cdf769dd1ef570d8fc9c7f8552101c5bdb711\r\nMsg = 74ec6f53d188be3bdb647f37619fa5848076c66d21bac164c381a4517b1dcd2a384a4fc44cab97e9\r\nMac = 07471b07\r\nResult = P\r\n\r\nCount = 170\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 4\r\nKey = 84b6cd1c6618c42ba74e746075dc28700333578131ca6fde6971d2f0c6e31e6a\r\nMsg = dc79743d2360cc52cee202b9bde9abc7c09d9d0311d89c3722da36c7993feb42992e913744d2f74a\r\nMac = 3acba1e8\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 171\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 4\r\nKey = dd472b0bf50519020a182f122239d161d9659773b4df454eb378fedc250eb490\r\nMsg = bdf56403d5ff8df4ffca92eb40d54a79b5595abcd67b9e2ffcc5cbc621d7523be75a87a2dc360244\r\nMac = 3bb0894f\r\nResult = P\r\n\r\nCount = 172\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 4\r\nKey = 00ebd245e8c0e0b60847da5c8f7a1f33604932b9cd47a845a1a44599645b62ba\r\nMsg = a238e542f1c22621aebbe331e71123ed7f2591e4192180ae378c2c24a31c42d10fcba3a3f82c65e6\r\nMac = 1d17d6ab\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 173\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 4\r\nKey = 2ecddb226ae668315eecf107c344926330b94077e029ac3bb67e6a077ee05361\r\nMsg = 38ee97f0dc635c7416a024e3af5c95dd1d496db8a5a5c3bcc20b9093ca906dfbcf0b9ebec3b450e4\r\nMac = 08834104\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 174\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 4\r\nKey = 0a2978b5f20d3b5e5ed7ed5a78a093a51d5aa6e728077346f429c27f1c79b635\r\nMsg = 28313dfdc449628f4e2d6c895381844559067823cebb56cd41493ac0d29d6408e7d78d4a21637b08\r\nMac = b2635d7b\r\nResult = F (1 - Message changed)\r\n\r\nCount = 175\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 4\r\nKey = 7f2286d42b4f9eefed1087f3eb3dc814145be4a110c0e74176f83e7d4068cb7e\r\nMsg = 6c1aa088d1a6086d0e72636744a6840c80ab8223409c61b733f7ef6a4199ed0ccbe96f6c3453866e\r\nMac = 10bf9789\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 176\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 4\r\nKey = bb0fabffbcc6935ca35755fd4bfbd192b6812cf75c4dc95bc3a175a1501be206\r\nMsg = 9801da81a6d9861f26900401aeaec89a74e3d5aec0a5d612a11b6bb4e03ac1db322e65afb1fb5afb\r\nMac = 9ad23631\r\nResult = P\r\n\r\nCount = 177\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 4\r\nKey = ed1d11cc4876f58feefc463b52d8d36e69c4c2c9227b32fe356d1e2a1bb88466\r\nMsg = b16e6c44f429efdc06a892cede56296e12bf185d4b3c6953f7d31b1c3d59bce136d93aa95a3af61f\r\nMac = 29b26a75\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 178\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 4\r\nKey = a6fd8382447181bd300ec1ef039d3f353446d01fde490509c3ef52a992bf6fe4\r\nMsg = d41f8fbb6f968dda0c1b2cadbec04a6c72124eb5dc40b8d2b180fd3b17af915b5a374597e036d38d\r\nMac = 2b343893\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 179\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 4\r\nKey = df0821c9ea6ab329c626d11b4bc1ba7351ca934ece6aae483e3d0bef48601f78\r\nMsg = 84b9c150a1df00ba29386197d79d29a2ceb42fe6390c9e763169f75fe15c55dbe817f5c7fe80f557\r\nMac = 3a5026ef\r\nResult = F (1 - Message changed)\r\n\r\nCount = 180\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 8\r\nKey = 0f1b73e54f4571b2d42aa5ab673f3e99b44f6c37a07a5d4edc7d6b1fba349401\r\nMsg = 3918467effb5d5dc009aaefce84d8cb4fe8f80eb608f4c678f5d0de02ea11e59078d38b04f10de73\r\nMac = 1c207499e0877bb2\r\nResult = F (1 - Message changed)\r\n\r\nCount = 181\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 8\r\nKey = 25a152850b4b80b19d8f0b504b2a8a241824b3a1fca8d85c8713b2c0c84b5e02\r\nMsg = b06f6b3f197bae7d8cde9daf38530e25bc51b68f9aa23ec0e95199b14bca96c91f3db15bf8432f71\r\nMac = b860013252ae83a4\r\nResult = P\r\n\r\nCount = 182\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 8\r\nKey = 849d861aa5a37c6389f7bc2fc3b4860fac9d2277fa5e1a1f9415a6aaa5106886\r\nMsg = 191b53e0c7d90161e5e2014e9b8aea315b4bddf5750aba4be69c944d71896361f210f961ee6b38f9\r\nMac = c9dc7e167c2e442b\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 183\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 8\r\nKey = 29dd1ee0ffa12de3a1f2cb8e4e24d2e548794a5e7e372f946bfd733f3c564764\r\nMsg = 891c806e0700f6df72befe47ff088d917cc30763866810a2fcaa9f38b45953156c860b7303e8b15f\r\nMac = 2f7355b3994f45d9\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 184\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 8\r\nKey = 6cd7349d96feffbcf6e95a96eacbbe8ddab702ef70052b7804f78518589df3f7\r\nMsg = bbe054fbef86db3ce7ad796e6d0add15455b9cff57fb787610b4e1ba05d5bcaed98564d16157ee70\r\nMac = 8a421387c53702d3\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 185\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 8\r\nKey = a32e186c29f6f1852b483a37b50c02defeb2ce81488198bc082c17fd47a741f4\r\nMsg = e687143dc4d98dcc6a2dfe6ee0f85d565d1f46bb0fafe62a17d01720d6f4ccd86754b0626c9d0af5\r\nMac = d44d78445c5ed8de\r\nResult = F (1 - Message changed)\r\n\r\nCount = 186\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 8\r\nKey = 338f8054d58c26c49360c3e87af56523acf6d89d03e56ff2f868002bc3e431ed\r\nMsg = d42b10d3a688c39edf543ae7330466eeb9e3b678ef073967ff83038d40ded1c200c4f03481fc5aff\r\nMac = b25bf6993f18d503\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 187\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 8\r\nKey = 96e04382027fffcaf779c984be80da16f8437db0e39a7123d9048ff71954acb7\r\nMsg = 494c8f931029a4919e2dcbc16512a8bfe275382e7d29c9abb1d14a006caec59ab9b52a3e9ce54ef7\r\nMac = 5a94a03591ee9cc7\r\nResult = P\r\n\r\nCount = 188\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 8\r\nKey = 682f8bc1eafd4d369df384841a88db7b7fb96c9dd9abd6dedc9290a8d8d17d22\r\nMsg = 87b937b1d36e8a9ab33a1d3eed617030923acaabc7e620dfcb3c388936030fc67f647729c19e040b\r\nMac = 89347722a73d8bf9\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 189\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 8\r\nKey = 954222a9cabaa5a0a91100b158a3aeb655c4473d0b00afe6a7a78e0d278a01a9\r\nMsg = b9197eb50c8168d16b8a12bd261d553ffcc521d979b26fee820376252e452213d736c21471cf0179\r\nMac = e5d175fa24cf0fd6\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 190\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 8\r\nKey = 18349be2894d49290339b97f4db28c92b3e112ffac77100abbf9c093935b1a46\r\nMsg = 4b02fd5a46ac681a42424ac9723911af4e389ac73829f36f60916563e51cb2ec3d7d9b55d674a59f\r\nMac = 18c98fd13595f857\r\nResult = P\r\n\r\nCount = 191\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 8\r\nKey = f1f9fdfa9ae3ba8bc6fcdb2e15ae2c47e6292c2acb091fe03e325f298ffff3bd\r\nMsg = 75965cfbf66b0ba13274fce6537fd7aa4efa5d75195a400018bd38f7d8cd53fdffe88df1837fa06f\r\nMac = 935e4d4367aef07e\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 192\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 8\r\nKey = 4652bacedb47faee1be641ebf433157f416b4c7d9e8c7c6f7b17b47e70156993\r\nMsg = 17e6acda3c05c9549eadad55d8918f4870aec63a18802fa33175cf838fa2b9b17cb43270ff2a1444\r\nMac = 7ce4adc343a4498a\r\nResult = F (1 - Message changed)\r\n\r\nCount = 193\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 8\r\nKey = 200e4929c275557d9caab0ba3b0a153dd8010ff8f11ebc1f336dd0249d01dce6\r\nMsg = bd05d26ebfcb5f6e102e79976fbd038e02da6a64a6be90bb84bd092be5cb8ae447409e94afd89b8b\r\nMac = 5484fd10e83798c2\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 194\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 8\r\nKey = 8c6a6e77534976b4d74a0972742989dbc0f753281a5ff10a862e9048b813b4a9\r\nMsg = 869c482db2b0825cd09d295749359b99fde85240e5ddaebef642f4d249e096b77af2b59b4e37e452\r\nMac = 9e640a86d55be78d\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 195\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 8\r\nKey = be3db75687360fc31c27752a5f32125cf04f8bbab694339ebcb57ff63fc7ba32\r\nMsg = 33dfb223c009001a7b3b81916bb094390c42c24a47884fc8a0410f05b2f57b67d8d9046b2ef4a8ea\r\nMac = c7666f25d2329fb6\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 196\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 8\r\nKey = 29e7acc4facc2618f242ec9260a8ec36c4c9dabb89bb8092f00855234b0c505a\r\nMsg = 09bf4f77a9883733590a3cc7ee97f3c9b70f4db255620e88cd5080badc73684c8b80393302ca8803\r\nMac = 424535e20d082087\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 197\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 8\r\nKey = 23f0d00daef3177fbcda6e9953a5a37d5da395204d8af5fb05c74e03f71343da\r\nMsg = 2222135e545f2af53be42d7a463719447e0a6a305fbe8e43e6279a91eb8f3c5db1fdf081bcb77711\r\nMac = 52c42541e2e93f3e\r\nResult = P\r\n\r\nCount = 198\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 8\r\nKey = 6746d9a90e0e763679d5469a1bcffcc4f18f35f50c7714d14c7329b76ce7984e\r\nMsg = 68530f15423071410a349872c559669301096c827333adc4df9da477387c89870942d12513b7f475\r\nMac = 2bf36912e1139629\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 199\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 8\r\nKey = 6b1d94bc0c6e45fc905c509ea667853e4b2c5a8848dd914efcef14d95b12247d\r\nMsg = 207b649c46c1963723624d8428d4b64c08cd4091cc055175223d3758f880614149a9cf7f3725c790\r\nMac = 34f46b361bddf55c\r\nResult = F (1 - Message changed)\r\n\r\nCount = 200\r\nKlen =",
- " 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = 5c77fe134af3fef72fcd16006097dc7dbc45ca10339ae3bc85e0993e4cdcefa1\r\nMsg = fab52c44379ae8083bdc7b827383df93cb1a7ecc21574730f9fe003b7302de237bed535d40832763e7a2cab5806de91d39aa3f38d167ae3250e48ed1f6ad45b5\r\nMac = 03f36c5a\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 201\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = 997c6b4b513bbdeaf701867bbe81bdee63de0d0d18c870bcc1e9ff7f627f093e\r\nMsg = 4c23d92665e88a4f6f732de384034d493d5df37b767a8260557de05688e8d60dcd0eba9cb8cc4bceb174dcbd3c0ab5a37db3b6ecfb6a3d90a4f54a9f1117e11e\r\nMac = 9e798c73\r\nResult = F (1 - Message changed)\r\n\r\nCount = 202\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = 64e390edd97c0af1ba5165900828e0630606f83d4df5240e1b05c307ee9153ff\r\nMsg = 1ae71094fc1b304adfa3378c4efa8fb290526bb314714c9613beca2a709c91f7e3f6aa74561bfc7b8fcd12f910941eea3b593e85ba2fffb31e7420c6c6199868\r\nMac = 1977347f\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 203\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = 44e2f6d41e04b75f541e724c6f6325f27d7475b3676fa0247f28b36e58b6fdf5\r\nMsg = b9ac624288352617e4d375f33953b431cbf8f03f9ecbda9893330ff2d3c59db8705dc3ba4a6ef924309630ac48765b10b1c02ec0669126d76602c95012fa2f77\r\nMac = 2cba4713\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 204\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = 8e0f75b7029d4afc2a86adb4a088b89ef9783965027c1176497ada0fdfd0cd99\r\nMsg = 21cd3ff946e2b3c1c61932205899502852b1333d1c79a3d4e5b6617996ffba17041e5b746ab967fb1632c7be62cbc2bbe60ecd5eec6ca4482424994f9a662cc6\r\nMac = b651d356\r\nResult = P\r\n\r\nCount = 205\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = 35b1106d174acce103ecf5801b03d3c10d579c4ee491ebad25fb6f1f1787e0c8\r\nMsg = 960026395d0544975dffaaa2c56db1df5816cd80cde513dc76f6f81d21f15c383c97c7233c9af2423fb28922efed2f69aa47c30de17ae1c5be17acbd0ad6cb8e\r\nMac = 8a8f65a8\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 206\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = 71efa75961dfd60ad533082a8cfe111214eb02573adc4591c5d0e961640a3ab2\r\nMsg = 6bafbd22b75e21e1fa5444af283e69d53ac2f0412f717a2153f74eb1c195fc5127d240dbc96d2833c9957920a55c505a016a05e4a7ee549bccdbbf1095502e93\r\nMac = 88fea081\r\nResult = F (1 - Message changed)\r\n\r\nCount = 207\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = 11752eb8aeffa364c9947092c1612461cc19b6c3a3ddd1817b5e6f7f3745a942\r\nMsg = 2d9109e7eea21b2615c81c03182ce6033c93783b13d698624392bd2a8a202bd0ffc860f29b31afa2f71c2bb85752c66ce8dbba244671288a4135ffe2e1a0209b\r\nMac = b5a26c1c\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 208\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = 279a6c226f6a48f3128626012baaa309d99065a59dc0a4c003a6e94d85e61638\r\nMsg = 9bff96ba07a52d9ea2415283321395cf57cb37c610fad7a482c74de9f5e3d7f520bf73d4a6fc8b5be023d774dd9680b6a7c68139c8a753a80d61c9978a493917\r\nMac = 5e281941\r\nResult = P\r\n\r\nCount = 209\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = 0bcdcaa87ddf8bbe6db8411d14bb9064e4a121286cc8a6e97fce1844935f436b\r\nMsg = 3ec0aa8d30d5ed825b77dc7095f421b1e608158797a377ff8bed641bd387832f7c14818cabf9bd5ced6044cdc883ff7296272be693660ab234b2d870ba170131\r\nMac = 1da79d07\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 210\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = 1b41d148e3c202d419ce16385139da196dede5be63987e6940a2bae86d62e567\r\nMsg = 13ecd70e2d76dd53a19b2e5fc0afe0c0793577ba8948b7d4ef3ab797a07a37927dbb33a18252b96f40e0f73a8d3298d67a6551f5854eb6a51019531a122ff8ae\r\nMac = 91bd49b2\r\nResult = F (1 - Message changed)\r\n\r\nCount = 211\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = a1ccc9c992c8a307ad39504854456696f8eafd7c8da0c0c53b3a4485570e985e\r\nMsg = f68b0c3b4556c7f8866b3fa873ed2014418d6421d3f224512e5dae8c2d8dd92175e09508acbcc66ae62d536260cf790671ef66a1bded0343ace4117c1b8d7764\r\nMac = b9317feb\r\nResult = P\r\n\r\nCount = 212\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = 4d8d0264ae6d8f7a7440dd760e0ded25a3a94cb0491fe81e7b55221ac8ed24f7\r\nMsg = 5faaf6b8ee8ed5b56bfc1a7f886f9f91a6566ceb99c39462ab675a3ae3be98f68787626fdf77e6243c2e96d1396a8a43417b1f6a51f7e5b0ffaeb889bce02c4b\r\nMac = 3f610010\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 213\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = bcf95051ae2ae84ac32a763d5477ccc4659a9ed3e25de5932939826dc90e2464\r\nMsg = fce924dd27db3e07837694c34f576c16084e5b0a254ca3af0582bf6026c73b47973ac924b02992490032cae987a887932539d3fa53cdfff711b03bd11ff464bb\r\nMac = 7b7e89ef\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 214\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = 45ce953ad31ee9b53a9c948883bc86f4bbe0f0744085a9943cbad1066cd7b4f3\r\nMsg = edb1aaa7e8ac37bca99ff8eff5516464aa33fc2bebef8a727d43abf971108bc604aef019c3837aa2f3d429f22fda1f305319a70d99ed77f902663298f855316f\r\nMac = cbf4addd\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 215\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = d60841cd71d7227ab56e767817760edba9ce2290f8da504b341ee2c1910b5018\r\nMsg = 365fea641559759d1e5b5581218486318b1c776de812b1aca6a9ba6b1c6e39c5cb6d5a44e3a474f709b8eac457e74f00a43ecd3d060cc7639696bd03730c70e7\r\nMac = 7406f935\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 216\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = d172f991eb697ffdefc57349dadbe51066d2744c39041cd55ca75024eead495d\r\nMsg = 6a91da64812b9bb41a026e727b4f77c384813da2948caed5a9846420c86a26b89f46b2fa6975b95d12452ca69bbfb65bc1c48a79d95c5e69ff4ab7316fe468e8\r\nMac = 6bd82bcc\r\nResult = F (1 - Message changed)\r\n\r\nCount = 217\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = 3725c7905bfaca415908c617b78f8deeeff286e0c2bba268d0de92c7664238a7\r\nMsg = fc4bbe329a86089ebe2a2f3320dad55a9bdac1133dd28ddc9ace9ed665885a2341ea9492d4cf4b7e1d0a95f308a9d613407b35b845cf515bbe7f2f35102d78a3\r\nMac = c8e11823\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 218\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = bb3087d1b5b0f6f14a532c3604c82874fb15e97a4b3883dfc50e71ffe5752d40\r\nMsg = 979a9f96112d1ea95eec2cdfdf48c55114472360aa7de24bb53761013af96b33f02b17ae470fece8aaf649d801b4040b7b5152f58a01e7852f565efc77b5dafe\r\nMac = 66466425\r\nResult = P\r\n\r\nCount = 219\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = eeb983439a03ee6a315ebf941e9368f90bb6845b03b31839d72a1946c17d2f19\r\nMsg = 6d5573c9279897d7d1602d8a95c04bb5ca3fad2dbe89a024b3651eb227e73bb559e7c0db08b215fd7efe64afcd24fb155989f2f8965d0e181389e6c4b8e244a9\r\nMac = 7f77d596\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 220\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = 6f0353a0ad95df6d3190a251435f62c30ed6b9cc0dd024c3c316565cad83d2e1\r\nMsg = 83011a83db0524628b55589ba0165523ce7c916465eaf185805b97ec7f00fc01b82a3e356a6bbb44f2f8deb6425239ac8e26d4d94871c5cf4fe7017c649672f4\r\nMac = 9e56e4574dd01fe8\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 221\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = 777a22c5fa2f864a9233587e3e9634172ce25006daacbba97b68e7429c8266a8\r\nMsg = 1f7d58d65c36142620172fda3197d3c629bc7bc584e1aaa0f8b6dd320588becaccc39ad124b515adeb941de49ac31c851c5172c4e1c322e42e13cb5ab7f8db2f\r\nMac = 498dafe2807ba34e\r\nResult = P\r\n\r\nCount = 222\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = e17736560b1a13aa8e536500ea6cdb9a6757309aadf25a6a9189055a309c3f8b\r\nMsg = 1a6b80d506147c3c02c89f50892bd1f04d34f9f21e8307140df43835d17495c56a13be7a045be5441de01d84ea19d579f76e9ffa0f92376b5b13c0eacd3050c9\r\nMac = 52d3fbc6e5821f1d\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 223\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = f31f2fb4b3fd8045b70d34b600a2697cbf7503be0d8cfb5cdc60f9312e3e2695\r\nMsg = 4f43702be4f0530319555d7f1a3356160f6cae48051f12e22a153d7e405c11494c31e6098e24225eb676094755c6d7e992ec0c8c1e2608e76a72d79d173a4e07\r\nMac = 71239a4c38fa04b3\r\nResult = F (1 - Message changed)\r\n\r\nCount = 224\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = 10a678f591b4d87280f42d77a91635575e2e82ef610a7c9105c3a9418f932c24\r\nMsg = f7b577f1396b23c27eb637e53d3d92460270b001cc612fd3b4d68bcdd09c2d50571ea4350636324cc2428a087e7bd8785f8202791e3c2d2bafe084a1204e34dd\r\nMac = 5b11c1407904c15e\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 225\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = b8728441226558fa9764824597fe254bf8c2623789541feaf6c007efeb0dd2b1\r\nMsg = 80a2be15809f12738f305be3a210ba0c933599c4b24b48257c60e8e3aae189dc6ec58ff1f9085a15405b26a3001a2ff5ff7e1932961490676c6d2cda8417979b\r\nMac = e73ed6c4f81b0ecd\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 226\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = 22a877d974cdf4d65bbd77958b2b77fc5ddb33a221aca3ecb6d5ae76596f9db4\r\nMsg = ce2ce41f76ca7477972d38a3e8fad1122db34ee80c379fa01f884cf648d1670445a8bfab8490563438c21537ac2dbfbcd7bb24a132d6973cc62ba14089adf7e5\r\nMac = 0ff91813a56b98dd\r\nResult = F (1 - Message",
- " changed)\r\n\r\nCount = 227\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = 03fa02c4df99b8295f502e3145e2edd3ff16722b87092e708bc8d126cc1ec894\r\nMsg = ec9a9babb68e09c38617c9b16e8a2d92e711030bcda4b9e0ab35c4c2392b41692312dde30c91f32cd39cf5fe15ea0deaf3aa04a8157262acee78d7f94204d93a\r\nMac = e50d9a04f79cf9b4\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 228\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = 0e12df1bf17e9645c5507bc2069ca4611dc0488c9996231dbcee1c73393b26c4\r\nMsg = 86814ce4a867f80ce9b618c6aecce37c89851508bbb095c8f7c055f569c47a30f79abe5ec75f12b601298718d6f96ea1c1ebbe7c0cb0b7fb973ec5e6d5c6a713\r\nMac = 05338bce9ed8f495\r\nResult = P\r\n\r\nCount = 229\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = 51c88fd98a7d82043a1500fc3d8a66ba7ab7760467c7fd89cfeeb22dd25762a2\r\nMsg = 0e403cff47adee3ec5bb6b178dabfc7d53b60a04eaad33a2fedd9db705358a4c73ab2d982ddbbdc941f1c701d4cac89e5c56fbbe0f4170029ad25e931713ba63\r\nMac = 38c34175627b07e8\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 230\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = 0feb23c7e4a19bcbd70bd300d76ec9045d696f8c9687f49ec4154400e231d2f0\r\nMsg = 0330ed97e44e8b15a49f29c72a7997d05d398a9d45dae41a6cc635258beb824362124691e86cb7fea46e4ab85bdf79e4eb30c492770bf6f0c42ea9bde37a0c01\r\nMac = 271a7c2e687d84c5\r\nResult = P\r\n\r\nCount = 231\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = 5d649799771f9074d18a2477ccd4d9e136e01451c1eb2e8bb370cb79e0486770\r\nMsg = d715bc0520dbb86543e76fede49dc6be2cce59d3c0db133ff31efcb63a85514fe080da88fa1e788b9e73feb0503c4142bdc67386ac0bacf9311ecada23ca7be8\r\nMac = 42de9f52567b4506\r\nResult = F (1 - Message changed)\r\n\r\nCount = 232\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = 4c96d520d8d5a54eb73f8f558e328d1b3e5ba360161fb8444739a40a97a58a1b\r\nMsg = ee409b050346fbd319c8630e4bc9dd6d055355fbb961f018d3fda0c1eea6f61248f43709737fb18d4efc4faf34a96c2f73ece54200367292692e36870a0c94c5\r\nMac = 28610f524d88e727\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 233\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = b186b9273d8cd77d68c05ec5389b2f6e2f267fe6cd6e7cb35a3233c0dfe0b1f4\r\nMsg = 0df3fc6396f851785fca9aa5ffb0cd98bdecf8bbae4c82641efcb34d319e7643ca9c5e22acbde800e0f700a95685c64ccf399173f9123438dc1181b676490cbf\r\nMac = 8d2f69b44614485a\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 234\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = 1b1374648d93aadb186326e4ca2b82fd37f7234712816fe4feb339a3a16880df\r\nMsg = 9a661677f1e07153e1c9c661c91901757f5b4d9938031f01a802773d6a9863b2a169c44be0d4546c4780e828ef37f3b389f84c1a41473131e9c88bcd530c7334\r\nMac = 72838b59593c011c\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 235\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = f70b8a4eee3518bba071af55f25f7b698a5b7dc8865cdaca6d1c7993657acc95\r\nMsg = 795ee1af7504621aac329f5081912de545fa11174f3979b14f11aa30df813a235b467fd8f3a14734fe5ac9e39105dcb25184673885cd19bc70ee5a53dd4e8149\r\nMac = 93542734d6cd43de\r\nResult = P\r\n\r\nCount = 236\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = 0c456d199abae4758734f506c4e9ccdb767e4fd156d5a4085726f3938a516d74\r\nMsg = 78f3bf568f1c3f2866eff8a246a70cf0faee4c3078f3fb27c4bdd53312bf50812bac2280118c0396e610b4110a22406084c18283a30ce7c0e49c769817170df9\r\nMac = c4c5be3c94fb7b9c\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 237\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = 0a8725bd8c8eab9ed52ca47835837b9f00a6c8d834ab17105b01eb4eb30402e7\r\nMsg = d7867ff428c37836161a534d1d697fba43e86b0096c49b63d50afaf06ec772bda86eba7222796f087c5367d1547642b974d041cb496c5cf7984e8e126c9f741e\r\nMac = b5d40f8633965c33\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 238\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = ce9ea80e7fb235486b5f1d0321c68a0e44cd5f15e21f27c402754a2f7c138772\r\nMsg = c246453f5d0f4957e6418b4d17b748f5c30e7ee672b4af2e4e41e145400be94056f4e94768871849fb44c1ee65378fce32d007e0c7ee5635453d4de6b0c2aa4b\r\nMac = 33ae4c66895989ee\r\nResult = F (1 - Message changed)\r\n\r\nCount = 239\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = f26fad377bf7d6b35d8ea2e0621b678dad85826fadd3ee684d9215086b77e555\r\nMsg = 63539f949990883ac4f3ef9158b382a30254023c301de9fcd3cd4faa638a0ecb241a2573a9555a5c96da2435aa02c73cfc12c10f84b565bfdea9c6274bb8d67c\r\nMac = 8cda222f03f92913\r\nResult = F (2 - Key or Key2 changed)\r\n",
-};
-static const size_t kLen36 = 58307;
-
-static const char *kData36[] = {
"# Tests from NIST CAVP SP 800-56A ECCCDH Primitive Test Vectors.\n# http://csrc.nist.gov/groups/STM/cavp/documents/components/ecccdhtestvectors.zip\n#\n# P-521 test vectors were fixed to have the right length.\n\nCurve = P-224\nPrivate = 8346a60fc6f293ca5a0d2af68ba71d1dd389e5e40837942df3e43cbd\nX = 8de2e26adf72c582d6568ef638c4fd59b18da171bdf501f1d929e048\nY = 4a68a1c2b0fb22930d120555c1ece50ea98dea8407f71be36efac0de\nPeerX = af33cd0629bc7e996320a3f40368f74de8704fa37b8fab69abaae280\nPeerY = 882092ccbba7930f419a8a4f9bb16978bbc3838729992559a6f2e2d7\nZ = 7d96f9a3bd3c05cf5cc37feb8b9d5209d5c2597464dec3e9983743e8\n\nCurve = P-224\nPrivate = 043cb216f4b72cdf7629d63720a54aee0c99eb32d74477dac0c2f73d\nX = 2f90f5c8eac9c7decdbb97b6c2f715ab725e4fe40fe6d746efbf4e1b\nY = 66897351454f927a309b269c5a6d31338be4c19a5acfc32cf656f45c\nPeerX = 13bfcd4f8e9442393cab8fb46b9f0566c226b22b37076976f0617a46\nPeerY = eeb2427529b288c63c2f8963c1e473df2fca6caa90d52e2f8db56dd4\nZ = ee93ce06b89ff72009e858c68eb708e7bc79ee0300f73bed69bbca09\n\nCurve = P-224\nPrivate = 5ad0dd6dbabb4f3c2ea5fe32e561b2ca55081486df2c7c15c9622b08\nX = 005bca45d793e7fe99a843704ed838315ab14a5f6277507e9bc37531\nY = 43e9d421e1486ae5893bfd23c210e5c140d7c6b1ada59d842c9a98de\nPeerX = 756dd806b9d9c34d899691ecb45b771af468ec004486a0fdd283411e\nPeerY = 4d02c2ca617bb2c5d9613f25dd72413d229fd2901513aa29504eeefb\nZ = 3fcc01e34d4449da2a974b23fc36f9566754259d39149790cfa1ebd3\n\nCurve = P-224\nPrivate = 0aa6ff55a5d820efcb4e7d10b845ea3c9f9bc5dff86106db85318e22\nX = 2f96754131e0968198aa78fbe8c201dc5f3581c792de487340d32448\nY = 61e8a5cd79615203b6d89e9496f9e236fe3b6be8731e743d615519c6\nPeerX = 0f537bf1c1122c55656d25e8aa8417e0b44b1526ae0523144f9921c4\nPeerY = f79b26d30e491a773696cc2c79b4f0596bc5b9eebaf394d162fb8684\nZ = 49129628b23afcef48139a3f6f59ff5e9811aa746aa4ff33c24bb940\n\nCurve = P-224\nPrivate = efe6e6e25affaf54c98d002abbc6328da159405a1b752e32dc23950a\nX = 355e962920bde043695f6bffb4b355c63da6f5de665ed46f2ec817e2\nY = 748e095368f62e1d364edd461719793b404adbdaacbcadd88922ff37\nPeerX = 2b3631d2b06179b3174a100f7f57131eeea8947be0786c3dc64b2239\nPeerY = 83de29ae3dad31adc0236c6de7f14561ca2ea083c5270c78a2e6cbc0\nZ = fcdc69a40501d308a6839653a8f04309ec00233949522902ffa5eac6\n\nCurve = P-224\nPrivate = 61cb2932524001e5e9eeed6df7d9c8935ee3322029edd7aa8acbfd51\nX = d50e4adabfd989d7dbc7cf4052546cc7c447a97630436997ad4b9536\nY = 5bea503473c5eaef9552d42c40b1f2f7ca292733b255b9bbe1b12337\nPeerX = 4511403de29059f69a475c5a6a5f6cabed5d9f014436a8cb70a02338\nPeerY = 7d2d1b62aa046df9340f9c37a087a06b32cf7f08a223f992812a828b\nZ = 827e9025cb62e0e837c596063f3b9b5a0f7afd8d8783200086d61ec1\n\nCurve = P-224\nPrivate = 8c7ace347171f92def98d845475fc82e1d1496da81ee58f505b985fa\nX = b1a8dcac89aca2799320b451df1c7ff4d97567abb68141c0d95fc2aa\nY = 3524950902b1510bdc987d860afc27ad871ceaea66935abd3c0a99a8\nPeerX = 314a0b26dd31c248845d7cc17b61cad4608259bed85a58d1f1ffd378\nPeerY = 66e4b350352e119eecada382907f3619fd748ea73ae4899dfd496302\nZ = 335ba51228d94acbed851ca7821c801d5cb1c7975d7aa90a7159f8fa\n\nCurve = P-224\nPrivate = 382feb9b9ba10f189d99e71a89cdfe44cb554cec13a212840977fb68\nX = abb6f1e3773ff8fc73aea2a0b107809ce70adcefed6e41fc5cb43045\nY = a963897ae906c10a055eeadb97ffdd6f748d3e5621e5fff304e48ba7\nPeerX = abe6843beec2fd9e5fb64730d0be4d165438ce922ed75dd80b4603e5\nPeerY = 6afe8673a96c4ba9900ad85995e631e436c6cc88a2c2b47b7c4886b8\nZ = 8c2e627594206b34f7356d3426eb3d79f518ef843fbe94014cceace3\n\nCurve = P-224\nPrivate = e0d62035101ef487c485c60fb4500eebe6a32ec64dbe97dbe0232c46\nX = 88537735e9b23e3e0e076f135a82d33f9bffb465f3abce8322a62a62\nY = b4c8c123673197875c0bd14ed097606d330fba2b9200ef65a44764d3\nPeerX = 13cf9d6d2c9aae8274c27d446afd0c888ffdd52ae299a35984d4f527\nPeerY = dcbee75b515751f8ee2ae355e8afd5de21c62a939a6507b538cbc4af\nZ = 632abb662728dbc994508873d5c527ca5ef923c0d31fa6c47ef4c825\n\nCurve = P-224\nPrivate = b96ade5b73ba72aa8b6e4d74d7bf9c58e962ff78eb542287c7b44ba2\nX = 37682926a54f70a4c1748f54d50d5b00138a055f924f2c65e5b0bbe4\nY = 596afefcdd640d29635015b89bdddd1f8c2723686d332e7a06ca8799\nPeerX = 965b637c0dfbc0cf954035686d70f7ec30929e664e521dbaa2280659\nPeerY = 82a58ff61bc90019bbcbb5875d3863db0bc2a1fa34b0ad4de1a83f99\nZ = 34641141aab05ef58bd376d609345901fb8f63477c6be9097f037f1f\n\nCurve = P-224\nPrivate = a40d7e12049c71e6522c7ff2384224061c3a457058b310557655b854\nX = 399801243bfe0c2da9b0a53c8ca57f2eee87aaa94a8e4d5e029f42ca\nY = aa49e6d4b47cee7a5c4ab71d5a67da84e0b9b425ce3e70da68c889e7\nPeerX = 73cc645372ca2e71637cda943d8148f3382ab6dd0f2e1a49da94e134\nPeerY = df5c355c23e6e232ebc3bee2ab1873ee0d83e3382f8e6fe613f6343c\nZ = 4f74ac8507501a32bfc5a78d8271c200e835966e187e8d00011a8c75\n\nCurve = P-224\nPrivate = ad2519bc724d484e02a69f05149bb047714bf0f5986fac2e222cd946\nX = df9c1e0ef15e53b9f626e2be1cbe893639c06f3e0439ee95d7d4b1e3\nY = 7a52a7386adda243efdf8941085c84e31239cab92b8017336748965e\nPeerX = 546578216250354e449e21546dd11cd1c5174236739acad9ce0f4512\nPeerY = d2a22fcd66d1abedc767668327c5cb9c599043276239cf3c8516af24\nZ = ad09c9ae4d2324ea81bb555b200d3c003e22a6870ee03b52df49e4de\n\nCurve = P-224\nPrivate = 3d312a9b9d8ed09140900bbac1e095527ebc9e3c6493bcf3666e3a29\nX = b4a0198dc8810e884425b750928b0c960c31f7a99663400b01a179df\nY = 812b601bfc0738242c6f86f830f27acd632ca618a0b5280c9d5769f7\nPeerX = 1d46b1dc3a28123cb51346e67baec56404868678faf7d0e8b2afa22a\nPeerY = 0ec9e65ec97e218373e7fc115c2274d5b829a60d93f71e01d58136c3\nZ = ef029c28c68064b8abd2965a38c404fb5e944ace57e8638daba9d3cd\n\nCurve = P-224\nPrivate = 8ce0822dc24c153995755ac350737ef506641c7d752b4f9300c612ed\nX = 00dfc7ec137690cd6d12fdb2fd0b8c5314582108769c2b722ffb3958\nY = 5eef3da4ba458127346bb64023868bddb7558a2ecfc813645f4ce9fe\nPeerX = 266d038cc7a4fe21f6c976318e827b82bb5b8f7443a55298136506e0\nPeerY = df123d98a7a20bbdf3943df2e3563422f8c0cf74d53aaabdd7c973ba\nZ = f83c16661dfcbad021cc3b5a5af51d9a18db4653866b3ff90787ce3e\n\nCurve = P-224\nPrivate = 0ff9b485325ab77f29e7bc379fed74bfac859482da0dee7528c19db2\nX = 7e603e6976db83c36011508fa695d1b515249e2e54b48fcbcfb90247\nY = 0179a600ce86adfca9b1b931fa5173d618da09e841803d19b0264286\nPeerX = eb0a09f7a1c236a61f595809ec5670efd92e4598d5e613e092cdfdca\nPeerY = 50787ae2f2f15b88bc10f7b5f0aee1418373f16153aebd1fba54288d\nZ = f51258c63f232e55a66aa25ebd597b2018d1052c02eeb63866758005\n\nCurve = P-224\nPrivate = 19cf5ff6306467f28b9fe0675a43c0582552c8c12e59ce7c38f292b1\nX = fc20e906e609c112cfc2e0fea6303882c5db94e87e022373ab2c082a\nY = aecdf1daa71782bc5a26bbbd8d7e8a76490e26abc17dffc774bd7341\nPeerX = 6b2f6b18a587f562ffc61bd9b0047322286986a78f1fd139b84f7c24\nPeerY = 7096908e4615266be59a53cd655515056ff92370a6271a5d3823d704\nZ = 7fdc969a186ff18429f2a276dac43beea21182d82ce2e5a0876552b1\n\nCurve = P-224\nPrivate = 90a15368e3532c0b1e51e55d139447c2c89bc160719d697291ea7c14\nX = c6837d506e976da7db3ad1267c359dff2ea6fb0b7f7f8e77024c59e9\nY = 67eb491d2fc8a530c46525d2a8b2d7c1df5fba1ae740a4649c683ee6\nPeerX = 328101ba826acd75ff9f34d5574ce0dbc92f709bad8d7a33c47940c1\nPeerY = df39f1ea88488c55d5538160878b9ced18a887ea261dd712d14024ff\nZ = 3d60ab6db2b3ffe2d29ccff46d056e54230cf34982e241556ed2920c\n\nCurve = P-224\nPrivate = 8e0838e05e1721491067e1cabc2e8051b290e2616eec427b7121897d\nX = e9150f770075626019e18f95473b71e6828041791d3f08d3faeeaa2b\nY = 475f70735eaae52308a3b763dc88efe18ab590ebafa035f6e08b001c\nPeerX = 0081e34270871e2ebbd94183f617b4ae15f0416dd634fe6e934cf3c0\nPeerY = 3a1e9f38a7b90b7317d26b9f6311063ab58b268cf489b2e50386d5d6\nZ = 9116d72786f4db5df7a8b43078c6ab9160d423513d35ea5e2559306d\n\nCurve = P-224\nPrivate = 38106e93f16a381adb1d72cee3da66ae462ad4bbfea9ecdf35d0814e\nX = 7be6c4c917829ab657dd79e8637d7aefd2f81f0de7654d957e97658d\nY = 430d22d9e8438310f61e0d43f25fa3e34585f432baad27db3021bf0d\nPeerX = 2623632fdf0bd856805a69aa186d4133ef5904e1f655a972d66cce07\nPeerY = 2cef9728dd06fb8b50150f529b695076d4507983912585c89bd0682e\nZ = 207c53dcefac789aaa0276d9200b3a940ce5f2296f4cb2e81a185d3d\n\nCurve = P-224\nPrivate = e5d1718431cf50f6cbd1bc8019fa16762dfa12c989e5999977fb4ea2\nX = 2ea4966e7f92ed7f5cc61fde792045f63b731d6e7d0de2577f2d8ece\nY = 1c4a7b1ede6f839162292df424be78e8176fb6f942a3c02391700f31\nPeerX = 8ee4d1dcc31dee4bf6fe21ca8a587721d910acfb122c16c2a77a8152\nPeerY = 4ebf323fff04eb477069a0ac68b345f6b1ae134efc31940e513cb99f\nZ = 10e467da34f48ad7072005bccd6da1b2ba3f71eafa1c393842f91d74\n\nCurve = P-224\nPrivate = 3d635691b62a9a927c633951c9369c8862bd2119d30970c2644727d6\nX =",
" 438bbb980517afb20be1d674e3ac2b31cef07a9b23fb8f6e38e0d6c0\nY = 0be5f1c47d58d21b6ed28423b32f5a94750da47edcef33ea79942afd\nPeerX = 97dcbe6d28335882a6d193cc54a1063dd0775dc328565300bb99e691\nPeerY = dad11dd5ece8cfd9f97c9a526e4a1506e6355969ee87826fc38bcd24\nZ = 82fd2f9c60c4f999ac00bbe64bfc11da8ff8cda2e499fced65230bb1\n\nCurve = P-224\nPrivate = acf3c85bbdc379f02f5ea36e7f0f53095a9e7046a28685a8659bf798\nX = ff7511215c71d796bd646e8474be4416b91684ce0d269ef6f422013b\nY = b7bf5e79b5a9393bb9ea42c0bdb2d3c2dc806e1a7306aa58e4fdbea5\nPeerX = ce9126dd53972dea1de1d11efef900de34b661859c4648c5c0e534f7\nPeerY = e113b6f2c1659d07f2716e64a83c18bbce344dd2121fe85168eae085\nZ = 530f7e7fc932613b29c981f261cb036cba3f1df3864e0e1cba2685a2\n\nCurve = P-224\nPrivate = cffd62cb00a0e3163fbf2c397fadc9618210f86b4f54a675287305f0\nX = 04bf4d948f4430d18b4ed6c96dbaf981fa11a403ed16887f06754981\nY = 7c1326a9cef51f79d4e78303d6064b459f612584ac2fdf593d7d5d84\nPeerX = 84419967d6cfad41e75a02b6da605a97949a183a97c306c4b46e66a5\nPeerY = 5cc9b259718b1bc8b144fde633a894616ffd59a3a6d5d8e942c7cbb7\nZ = 49f6fd0139248ef4df2db05d1319bd5b1489e249827a45a8a5f12427\n\nCurve = P-224\nPrivate = 85f903e43943d13c68932e710e80de52cbc0b8f1a1418ea4da079299\nX = 970a4a7e01d4188497ceb46955eb1b842d9085819a9b925c84529d3d\nY = dfa2526480f833ea0edbd204e4e365fef3472888fe7d9691c3ebc09f\nPeerX = 7c9cac35768063c2827f60a7f51388f2a8f4b7f8cd736bd6bc337477\nPeerY = 29ee6b849c6025d577dbcc55fbd17018f4edbc2ef105b004d6257bcd\nZ = 8f7e34e597ae8093b98270a74a8dfcdbed457f42f43df487c5487161\n\nCurve = P-224\nPrivate = cce64891a3d0129fee0d4a96cfbe7ac470b85e967529057cfa31a1d9\nX = a6b29632db94da2125dc1cf80e03702687b2acc1122022fa2174765a\nY = 61723edd73e10daed73775278f1958ba56f1fc9d085ebc2b64c84fe5\nPeerX = 085a7642ad8e59b1a3e8726a7547afbecffdac1dab7e57230c6a9df4\nPeerY = f91c36d881fe9b8047a3530713554a1af4c25c5a8e654dcdcf689f2e\nZ = 71954e2261e8510be1a060733671d2e9d0a2d012eb4e09556d697d2a\n\nCurve = P-256\nPrivate = 7d7dc5f71eb29ddaf80d6214632eeae03d9058af1fb6d22ed80badb62bc1a534\nX = ead218590119e8876b29146ff89ca61770c4edbbf97d38ce385ed281d8a6b230\nY = 28af61281fd35e2fa7002523acc85a429cb06ee6648325389f59edfce1405141\nPeerX = 700c48f77f56584c5cc632ca65640db91b6bacce3a4df6b42ce7cc838833d287\nPeerY = db71e509e3fd9b060ddb20ba5c51dcc5948d46fbf640dfe0441782cab85fa4ac\nZ = 46fc62106420ff012e54a434fbdd2d25ccc5852060561e68040dd7778997bd7b\n\nCurve = P-256\nPrivate = 38f65d6dce47676044d58ce5139582d568f64bb16098d179dbab07741dd5caf5\nX = 119f2f047902782ab0c9e27a54aff5eb9b964829ca99c06b02ddba95b0a3f6d0\nY = 8f52b726664cac366fc98ac7a012b2682cbd962e5acb544671d41b9445704d1d\nPeerX = 809f04289c64348c01515eb03d5ce7ac1a8cb9498f5caa50197e58d43a86a7ae\nPeerY = b29d84e811197f25eba8f5194092cb6ff440e26d4421011372461f579271cda3\nZ = 057d636096cb80b67a8c038c890e887d1adfa4195e9b3ce241c8a778c59cda67\n\nCurve = P-256\nPrivate = 1accfaf1b97712b85a6f54b148985a1bdc4c9bec0bd258cad4b3d603f49f32c8\nX = d9f2b79c172845bfdb560bbb01447ca5ecc0470a09513b6126902c6b4f8d1051\nY = f815ef5ec32128d3487834764678702e64e164ff7315185e23aff5facd96d7bc\nPeerX = a2339c12d4a03c33546de533268b4ad667debf458b464d77443636440ee7fec3\nPeerY = ef48a3ab26e20220bcda2c1851076839dae88eae962869a497bf73cb66faf536\nZ = 2d457b78b4614132477618a5b077965ec90730a8c81a1c75d6d4ec68005d67ec\n\nCurve = P-256\nPrivate = 207c43a79bfee03db6f4b944f53d2fb76cc49ef1c9c4d34d51b6c65c4db6932d\nX = 24277c33f450462dcb3d4801d57b9ced05188f16c28eda873258048cd1607e0d\nY = c4789753e2b1f63b32ff014ec42cd6a69fac81dfe6d0d6fd4af372ae27c46f88\nPeerX = df3989b9fa55495719b3cf46dccd28b5153f7808191dd518eff0c3cff2b705ed\nPeerY = 422294ff46003429d739a33206c8752552c8ba54a270defc06e221e0feaf6ac4\nZ = 96441259534b80f6aee3d287a6bb17b5094dd4277d9e294f8fe73e48bf2a0024\n\nCurve = P-256\nPrivate = 59137e38152350b195c9718d39673d519838055ad908dd4757152fd8255c09bf\nX = a8c5fdce8b62c5ada598f141adb3b26cf254c280b2857a63d2ad783a73115f6b\nY = 806e1aafec4af80a0d786b3de45375b517a7e5b51ffb2c356537c9e6ef227d4a\nPeerX = 41192d2813e79561e6a1d6f53c8bc1a433a199c835e141b05a74a97b0faeb922\nPeerY = 1af98cc45e98a7e041b01cf35f462b7562281351c8ebf3ffa02e33a0722a1328\nZ = 19d44c8d63e8e8dd12c22a87b8cd4ece27acdde04dbf47f7f27537a6999a8e62\n\nCurve = P-256\nPrivate = f5f8e0174610a661277979b58ce5c90fee6c9b3bb346a90a7196255e40b132ef\nX = 7b861dcd2844a5a8363f6b8ef8d493640f55879217189d80326aad9480dfc149\nY = c4675b45eeb306405f6c33c38bc69eb2bdec9b75ad5af4706aab84543b9cc63a\nPeerX = 33e82092a0f1fb38f5649d5867fba28b503172b7035574bf8e5b7100a3052792\nPeerY = f2cf6b601e0a05945e335550bf648d782f46186c772c0f20d3cd0d6b8ca14b2f\nZ = 664e45d5bba4ac931cd65d52017e4be9b19a515f669bea4703542a2c525cd3d3\n\nCurve = P-256\nPrivate = 3b589af7db03459c23068b64f63f28d3c3c6bc25b5bf76ac05f35482888b5190\nX = 9fb38e2d58ea1baf7622e96720101cae3cde4ba6c1e9fa26d9b1de0899102863\nY = d5561b900406edf50802dd7d73e89395f8aed72fba0e1d1b61fe1d22302260f0\nPeerX = 6a9e0c3f916e4e315c91147be571686d90464e8bf981d34a90b6353bca6eeba7\nPeerY = 40f9bead39c2f2bcc2602f75b8a73ec7bdffcbcead159d0174c6c4d3c5357f05\nZ = ca342daa50dc09d61be7c196c85e60a80c5cb04931746820be548cdde055679d\n\nCurve = P-256\nPrivate = d8bf929a20ea7436b2461b541a11c80e61d826c0a4c9d322b31dd54e7f58b9c8\nX = 20f07631e4a6512a89ad487c4e9d63039e579cb0d7a556cb9e661cd59c1e7fa4\nY = 6de91846b3eee8a5ec09c2ab1f41e21bd83620ccdd1bdce3ab7ea6e02dd274f5\nPeerX = a9c0acade55c2a73ead1a86fb0a9713223c82475791cd0e210b046412ce224bb\nPeerY = f6de0afa20e93e078467c053d241903edad734c6b403ba758c2b5ff04c9d4229\nZ = 35aa9b52536a461bfde4e85fc756be928c7de97923f0416c7a3ac8f88b3d4489\n\nCurve = P-256\nPrivate = 0f9883ba0ef32ee75ded0d8bda39a5146a29f1f2507b3bd458dbea0b2bb05b4d\nX = abb61b423be5d6c26e21c605832c9142dc1dfe5a5fff28726737936e6fbf516d\nY = 733d2513ef58beab202090586fac91bf0fee31e80ab33473ab23a2d89e58fad6\nPeerX = 94e94f16a98255fff2b9ac0c9598aac35487b3232d3231bd93b7db7df36f9eb9\nPeerY = d8049a43579cfa90b8093a94416cbefbf93386f15b3f6e190b6e3455fedfe69a\nZ = 605c16178a9bc875dcbff54d63fe00df699c03e8a888e9e94dfbab90b25f39b4\n\nCurve = P-256\nPrivate = 2beedb04b05c6988f6a67500bb813faf2cae0d580c9253b6339e4a3337bb6c08\nX = 3d63e429cb5fa895a9247129bf4e48e89f35d7b11de8158efeb3e106a2a87395\nY = 0cae9e477ef41e7c8c1064379bb7b554ddcbcae79f9814281f1e50f0403c61f3\nPeerX = e099bf2a4d557460b5544430bbf6da11004d127cb5d67f64ab07c94fcdf5274f\nPeerY = d9c50dbe70d714edb5e221f4e020610eeb6270517e688ca64fb0e98c7ef8c1c5\nZ = f96e40a1b72840854bb62bc13c40cc2795e373d4e715980b261476835a092e0b\n\nCurve = P-256\nPrivate = 77c15dcf44610e41696bab758943eff1409333e4d5a11bbe72c8f6c395e9f848\nX = ad5d13c3db508ddcd38457e5991434a251bed49cf5ddcb59cdee73865f138c9f\nY = 62cec1e70588aa4fdfc7b9a09daa678081c04e1208b9d662b8a2214bf8e81a21\nPeerX = f75a5fe56bda34f3c1396296626ef012dc07e4825838778a645c8248cff01658\nPeerY = 33bbdf1b1772d8059df568b061f3f1122f28a8d819167c97be448e3dc3fb0c3c\nZ = 8388fa79c4babdca02a8e8a34f9e43554976e420a4ad273c81b26e4228e9d3a3\n\nCurve = P-256\nPrivate = 42a83b985011d12303db1a800f2610f74aa71cdf19c67d54ce6c9ed951e9093e\nX = ab48caa61ea35f13f8ed07ffa6a13e8db224dfecfae1a7df8b1bb6ebaf0cb97d\nY = 1274530ca2c385a3218bddfbcbf0b4024c9badd5243bff834ebff24a8618dccb\nPeerX = 2db4540d50230756158abf61d9835712b6486c74312183ccefcaef2797b7674d\nPeerY = 62f57f314e3f3495dc4e099012f5e0ba71770f9660a1eada54104cdfde77243e\nZ = 72877cea33ccc4715038d4bcbdfe0e43f42a9e2c0c3b017fc2370f4b9acbda4a\n\nCurve = P-256\nPrivate = ceed35507b5c93ead5989119b9ba342cfe38e6e638ba6eea343a55475de2800b\nX = 9a8cd9bd72e71752df91440f77c547509a84df98114e7de4f26cdb39234a625d\nY = d07cfc84c8e144fab2839f5189bb1d7c88631d579bbc58012ed9a2327da52f62\nPeerX = cd94fc9497e8990750309e9a8534fd114b0a6e54da89c4796101897041d14ecb\nPeerY = c3def4b5fe04faee0a11932229fff563637bfdee0e79c6deeaf449f85401c5c4\nZ = e4e7408d85ff0e0e9c838003f28cdbd5247cdce31f32f62494b70e5f1bc36307\n\nCurve = P-256\nPrivate = 43e0e9d95af4dc36483cdd1968d2b7eeb8611fcce77f3a4e7d059ae43e509604\nX = f989cf8ee956a82e7ebd9881cdbfb2fd946189b08db53559bc8cfdd48071eb14\nY = 5eff28f1a18a616b04b7d337868679f6dd84f9a7b3d7b6f8af276c19611a541d\nPeerX = 15b9e467af4d290c417402e040426fe4cf236bae72baa392ed89780dfccdb471\nPeerY = cdf4e9170fb904302b8fd93a820ba8cc7ed4efd3a6f2d6b05b80b2ff2aee4e77\nZ = ed56bcf695b734142c24ecb1fc1bb64d08f175eb243a31f37b3d9bb4407f3b96\n\nCurve = P-256\nPrivate = b2f3600df3368ef8a0bb85ab22f41fc0e5f4fdd54be8167a5c3cd4b08db04903\nX = 69c627",
"625b36a429c398b45c38677cb35d8beb1cf78a571e40e99fe4eac1cd4e\nY = 81690112b0a88f20f7136b28d7d47e5fbc2ada3c8edd87589bc19ec9590637bd\nPeerX = 49c503ba6c4fa605182e186b5e81113f075bc11dcfd51c932fb21e951eee2fa1\nPeerY = 8af706ff0922d87b3f0c5e4e31d8b259aeb260a9269643ed520a13bb25da5924\nZ = bc5c7055089fc9d6c89f83c1ea1ada879d9934b2ea28fcf4e4a7e984b28ad2cf\n\nCurve = P-256\nPrivate = 4002534307f8b62a9bf67ff641ddc60fef593b17c3341239e95bdb3e579bfdc8\nX = 5fe964671315a18aa68a2a6e3dd1fde7e23b8ce7181471cfac43c99e1ae80262\nY = d5827be282e62c84de531b963884ba832db5d6b2c3a256f0e604fe7e6b8a7f72\nPeerX = 19b38de39fdd2f70f7091631a4f75d1993740ba9429162c2a45312401636b29c\nPeerY = 09aed7232b28e060941741b6828bcdfa2bc49cc844f3773611504f82a390a5ae\nZ = 9a4e8e657f6b0e097f47954a63c75d74fcba71a30d83651e3e5a91aa7ccd8343\n\nCurve = P-256\nPrivate = 4dfa12defc60319021b681b3ff84a10a511958c850939ed45635934ba4979147\nX = c9b2b8496f1440bd4a2d1e52752fd372835b364885e154a7dac49295f281ec7c\nY = fbe6b926a8a4de26ccc83b802b1212400754be25d9f3eeaf008b09870ae76321\nPeerX = 2c91c61f33adfe9311c942fdbff6ba47020feff416b7bb63cec13faf9b099954\nPeerY = 6cab31b06419e5221fca014fb84ec870622a1b12bab5ae43682aa7ea73ea08d0\nZ = 3ca1fc7ad858fb1a6aba232542f3e2a749ffc7203a2374a3f3d3267f1fc97b78\n\nCurve = P-256\nPrivate = 1331f6d874a4ed3bc4a2c6e9c74331d3039796314beee3b7152fcdba5556304e\nX = 59e1e101521046ad9cf1d082e9d2ec7dd22530cce064991f1e55c5bcf5fcb591\nY = 482f4f673176c8fdaa0bb6e59b15a3e47454e3a04297d3863c9338d98add1f37\nPeerX = a28a2edf58025668f724aaf83a50956b7ac1cfbbff79b08c3bf87dfd2828d767\nPeerY = dfa7bfffd4c766b86abeaf5c99b6e50cb9ccc9d9d00b7ffc7804b0491b67bc03\nZ = 1aaabe7ee6e4a6fa732291202433a237df1b49bc53866bfbe00db96a0f58224f\n\nCurve = P-256\nPrivate = dd5e9f70ae740073ca0204df60763fb6036c45709bf4a7bb4e671412fad65da3\nX = 30b9db2e2e977bcdc98cb87dd736cbd8e78552121925cf16e1933657c2fb2314\nY = 6a45028800b81291bce5c2e1fed7ded650620ebbe6050c6f3a7f0dfb4673ab5c\nPeerX = a2ef857a081f9d6eb206a81c4cf78a802bdf598ae380c8886ecd85fdc1ed7644\nPeerY = 563c4c20419f07bc17d0539fade1855e34839515b892c0f5d26561f97fa04d1a\nZ = 430e6a4fba4449d700d2733e557f66a3bf3d50517c1271b1ddae1161b7ac798c\n\nCurve = P-256\nPrivate = 5ae026cfc060d55600717e55b8a12e116d1d0df34af831979057607c2d9c2f76\nX = 46c9ebd1a4a3c8c0b6d572b5dcfba12467603208a9cb5d2acfbb733c40cf6391\nY = 46c913a27d044185d38b467ace011e04d4d9bbbb8cb9ae25fa92aaf15a595e86\nPeerX = ccd8a2d86bc92f2e01bce4d6922cf7fe1626aed044685e95e2eebd464505f01f\nPeerY = e9ddd583a9635a667777d5b8a8f31b0f79eba12c75023410b54b8567dddc0f38\nZ = 1ce9e6740529499f98d1f1d71329147a33df1d05e4765b539b11cf615d6974d3\n\nCurve = P-256\nPrivate = b601ac425d5dbf9e1735c5e2d5bdb79ca98b3d5be4a2cfd6f2273f150e064d9d\nX = 7c9e950841d26c8dde8994398b8f5d475a022bc63de7773fcf8d552e01f1ba0a\nY = cc42b9885c9b3bee0f8d8c57d3a8f6355016c019c4062fa22cff2f209b5cc2e1\nPeerX = c188ffc8947f7301fb7b53e36746097c2134bf9cc981ba74b4e9c4361f595e4e\nPeerY = bf7d2f2056e72421ef393f0c0f2b0e00130e3cac4abbcc00286168e85ec55051\nZ = 4690e3743c07d643f1bc183636ab2a9cb936a60a802113c49bb1b3f2d0661660\n\nCurve = P-256\nPrivate = fefb1dda1845312b5fce6b81b2be205af2f3a274f5a212f66c0d9fc33d7ae535\nX = 38b54db85500cb20c61056edd3d88b6a9dc26780a047f213a6e1b900f76596eb\nY = 6387e4e5781571e4eb8ae62991a33b5dc33301c5bc7e125d53794a39160d8fd0\nPeerX = 317e1020ff53fccef18bf47bb7f2dd7707fb7b7a7578e04f35b3beed222a0eb6\nPeerY = 09420ce5a19d77c6fe1ee587e6a49fbaf8f280e8df033d75403302e5a27db2ae\nZ = 30c2261bd0004e61feda2c16aa5e21ffa8d7e7f7dbf6ec379a43b48e4b36aeb0\n\nCurve = P-256\nPrivate = 334ae0c4693d23935a7e8e043ebbde21e168a7cba3fa507c9be41d7681e049ce\nX = 3f2bf1589abf3047bf3e54ac9a95379bff95f8f55405f64eca36a7eebe8ffca7\nY = 5212a94e66c5ae9a8991872f66a72723d80ec5b2e925745c456f5371943b3a06\nPeerX = 45fb02b2ceb9d7c79d9c2fa93e9c7967c2fa4df5789f9640b24264b1e524fcb1\nPeerY = 5c6e8ecf1f7d3023893b7b1ca1e4d178972ee2a230757ddc564ffe37f5c5a321\nZ = 2adae4a138a239dcd93c243a3803c3e4cf96e37fe14e6a9b717be9599959b11c\n\nCurve = P-256\nPrivate = 2c4bde40214fcc3bfc47d4cf434b629acbe9157f8fd0282540331de7942cf09d\nX = 29c0807f10cbc42fb45c9989da50681eead716daa7b9e91fd32e062f5eb92ca0\nY = ff1d6d1955d7376b2da24fe1163a271659136341bc2eb1195fc706dc62e7f34d\nPeerX = a19ef7bff98ada781842fbfc51a47aff39b5935a1c7d9625c8d323d511c92de6\nPeerY = e9c184df75c955e02e02e400ffe45f78f339e1afe6d056fb3245f4700ce606ef\nZ = 2e277ec30f5ea07d6ce513149b9479b96e07f4b6913b1b5c11305c1444a1bc0b\n\nCurve = P-256\nPrivate = 85a268f9d7772f990c36b42b0a331adc92b5941de0b862d5d89a347cbf8faab0\nX = 9cf4b98581ca1779453cc816ff28b4100af56cf1bf2e5bc312d83b6b1b21d333\nY = 7a5504fcac5231a0d12d658218284868229c844a04a3450d6c7381abe080bf3b\nPeerX = 356c5a444c049a52fee0adeb7e5d82ae5aa83030bfff31bbf8ce2096cf161c4b\nPeerY = 57d128de8b2a57a094d1a001e572173f96e8866ae352bf29cddaf92fc85b2f92\nZ = 1e51373bd2c6044c129c436e742a55be2a668a85ae08441b6756445df5493857\n\nCurve = P-384\nPrivate = 3cc3122a68f0d95027ad38c067916ba0eb8c38894d22e1b15618b6818a661774ad463b205da88cf699ab4d43c9cf98a1\nX = 9803807f2f6d2fd966cdd0290bd410c0190352fbec7ff6247de1302df86f25d34fe4a97bef60cff548355c015dbb3e5f\nY = ba26ca69ec2f5b5d9dad20cc9da711383a9dbe34ea3fa5a2af75b46502629ad54dd8b7d73a8abb06a3a3be47d650cc99\nPeerX = a7c76b970c3b5fe8b05d2838ae04ab47697b9eaf52e764592efda27fe7513272734466b400091adbf2d68c58e0c50066\nPeerY = ac68f19f2e1cb879aed43a9969b91a0839c4c38a49749b661efedf243451915ed0905a32b060992b468c64766fc8437a\nZ = 5f9d29dc5e31a163060356213669c8ce132e22f57c9a04f40ba7fcead493b457e5621e766c40a2e3d4d6a04b25e533f1\n\nCurve = P-384\nPrivate = 92860c21bde06165f8e900c687f8ef0a05d14f290b3f07d8b3a8cc6404366e5d5119cd6d03fb12dc58e89f13df9cd783\nX = ea4018f5a307c379180bf6a62fd2ceceebeeb7d4df063a66fb838aa35243419791f7e2c9d4803c9319aa0eb03c416b66\nY = 68835a91484f05ef028284df6436fb88ffebabcdd69ab0133e6735a1bcfb37203d10d340a8328a7b68770ca75878a1a6\nPeerX = 30f43fcf2b6b00de53f624f1543090681839717d53c7c955d1d69efaf0349b7363acb447240101cbb3af6641ce4b88e0\nPeerY = 25e46c0c54f0162a77efcc27b6ea792002ae2ba82714299c860857a68153ab62e525ec0530d81b5aa15897981e858757\nZ = a23742a2c267d7425fda94b93f93bbcc24791ac51cd8fd501a238d40812f4cbfc59aac9520d758cf789c76300c69d2ff\n\nCurve = P-384\nPrivate = 12cf6a223a72352543830f3f18530d5cb37f26880a0b294482c8a8ef8afad09aa78b7dc2f2789a78c66af5d1cc553853\nX = fcfcea085e8cf74d0dced1620ba8423694f903a219bbf901b0b59d6ac81baad316a242ba32bde85cb248119b852fab66\nY = 972e3c68c7ab402c5836f2a16ed451a33120a7750a6039f3ff15388ee622b7065f7122bf6d51aefbc29b37b03404581b\nPeerX = 1aefbfa2c6c8c855a1a216774550b79a24cda37607bb1f7cc906650ee4b3816d68f6a9c75da6e4242cebfb6652f65180\nPeerY = 419d28b723ebadb7658fcebb9ad9b7adea674f1da3dc6b6397b55da0f61a3eddacb4acdb14441cb214b04a0844c02fa3\nZ = 3d2e640f350805eed1ff43b40a72b2abed0a518bcebe8f2d15b111b6773223da3c3489121db173d414b5bd5ad7153435\n\nCurve = P-384\nPrivate = 8dd48063a3a058c334b5cc7a4ce07d02e5ee6d8f1f3c51a1600962cbab462690ae3cd974fb39e40b0e843daa0fd32de1\nX = e38c9846248123c3421861ea4d32669a7b5c3c08376ad28104399494c84ff5efa3894adb2c6cbe8c3c913ef2eec5bd3c\nY = 9fa84024a1028796df84021f7b6c9d02f0f4bd1a612a03cbf75a0beea43fef8ae84b48c60172aadf09c1ad016d0bf3ce\nPeerX = 8bc089326ec55b9cf59b34f0eb754d93596ca290fcb3444c83d4de3a5607037ec397683f8cef07eab2fe357eae36c449\nPeerY = d9d16ce8ac85b3f1e94568521aae534e67139e310ec72693526aa2e927b5b322c95a1a033c229cb6770c957cd3148dd7\nZ = 6a42cfc392aba0bfd3d17b7ccf062b91fc09bbf3417612d02a90bdde62ae40c54bb2e56e167d6b70db670097eb8db854\n\nCurve = P-384\nPrivate = 84ece6cc3429309bd5b23e959793ed2b111ec5cb43b6c18085fcaea9efa0685d98a6262ee0d330ee250bc8a67d0e733f\nX = 3222063a2997b302ee60ee1961108ff4c7acf1c0ef1d5fb0d164b84bce71c431705cb9aea9a45f5d73806655a058bee3\nY = e61fa9e7fbe7cd43abf99596a3d3a039e99fa9dc93b0bdd9cad81966d17eeaf557068afa7c78466bb5b22032d1100fa6\nPeerX = eb952e2d9ac0c20c6cc48fb225c2ad154f53c8750b003fd3b4ed8ed1dc0defac61bcdde02a2bcfee7067d75d342ed2b0\nPeerY = f1828205baece82d1b267d0d7ff2f9c9e15b69a72df47058a97f3891005d1fb38858f5603de840e591dfa4f6e7d489e1\nZ = ce7ba454d4412729a32bb833a2d1fd2ae612d4667c3a900e069214818613447df8c611de66da200db7c375cf913e4405\n\nCurve = P-384\nPrivate = 68fce2121dc3a1e37b10f1dde309f9e2e18fac47cd1770951451c3484cdb77cb136d00e731260597cc2859601c01a25b\nX = 868be0e694841830e424d913d8e7d86b84ee1021d82b0ecf523f09fe89a76c0c95c49f2dfbcf829c1e39709d55efbb3b\nY = 9195eb183675b40fd",
@@ -2388,9 +2342,9 @@
"fd3e0faceb636b34ed17e044a9f249dae8fc132e937e2d9349cd2ed77bb1049ceb692a2ec5b17ad61502a64c\nY = 001ec91d3058573fa6c0564a02a1a010160c313bc7c73510dc983e5461682b5be00dbce7e2c682ad73f29ca822cdc111f68fabe33a7b384a648342c3cdb9f050bcdb\nPeerX = 017200b3f16a68cbaed2bf78ba8cddfb6cffac262bba00fbc25f9dc72a07ce59372904899f364c44cb264c097b647d4412bee3e519892d534d9129f8a28f7500fee7\nPeerY = 00baba8d672a4f4a3b63de48b96f56e18df5d68f7d70d5109833f43770d6732e06b39ad60d93e5b43db8789f1ec0aba47286a39ea584235acea757dbf13d53b58364\nZ = 0101e462e9d9159968f6440e956f11dcf2227ae4aea81667122b6af9239a291eb5d6cf5a4087f358525fcacfa46bb2db01a75af1ba519b2d31da33eda87a9d565748\n\nCurve = P-521\nPrivate = 005bacfff268acf6553c3c583b464ea36a1d35e2b257a5d49eb3419d5a095087c2fb4d15cf5bf5af816d0f3ff7586490ccd3ddc1a98b39ce63749c6288ce0dbdac7d\nX = 0036e488da7581472a9d8e628c58d6ad727311b7e6a3f6ae33a8544f34b09280249020be7196916fafd90e2ec54b66b5468d2361b99b56fa00d7ac37abb8c6f16653\nY = 011edb9fb8adb6a43f4f5f5fdc1421c9fe04fc8ba46c9b66334e3af927c8befb4307104f299acec4e30f812d9345c9720d19869dbfffd4ca3e7d2713eb5fc3f42615\nPeerX = 004efd5dbd2f979e3831ce98f82355d6ca14a5757842875882990ab85ab9b7352dd6b9b2f4ea9a1e95c3880d65d1f3602f9ca653dc346fac858658d75626f4d4fb08\nPeerY = 0061cf15dbdaa7f31589c98400373da284506d70c89f074ed262a9e28140796b7236c2eef99016085e71552ff488c72b7339fefb7915c38459cb20ab85aec4e45052\nZ = 0141d6a4b719ab67eaf04a92c0a41e2dda78f4354fb90bdc35202cc7699b9b04d49616f82255debf7bbec045ae58f982a66905fcfae69d689785e38c868eb4a27e7b\n\nCurve = P-521\nPrivate = 008e2c93c5423876223a637cad367c8589da69a2d0fc68612f31923ae50219df2452e7cc92615b67f17b57ffd2f52b19154bb40d7715336420fde2e89fee244f59dc\nX = 00fa3b35118d6c422570f724a26f90b2833b19239174cea081c53133f64db60d6940ea1261299c04c1f4587cdb0c4c39616479c1bb0c146799a118032dcf98f899c0\nY = 0069f040229006151fa32b51f679c8816f7c17506b403809dc77cd58a2aec430d94d13b6c916de99f355aa45fcfbc6853d686c71be496a067d24bfaea4818fc51f75\nPeerX = 0129891de0cf3cf82e8c2cf1bf90bb296fe00ab08ca45bb7892e0e227a504fdd05d2381a4448b68adff9c4153c87eacb78330d8bd52515f9f9a0b58e85f446bb4e10\nPeerY = 009edd679696d3d1d0ef327f200383253f6413683d9e4fcc87bb35f112c2f110098d15e5701d7ceee416291ff5fed85e687f727388b9afe26a4f6feed560b218e6bb\nZ = 00345e26e0abb1aac12b75f3a9cf41efe1c336396dffa4a067a4c2cfeb878c68b2b045faa4e5b4e6fa4678f5b603c351903b14bf9a6a70c439257199a640890b61d1\n\nCurve = P-521\nPrivate = 0004d49d39d40d8111bf16d28c5936554326b197353eebbcf47545393bc8d3aaf98f14f5be7074bfb38e6cc97b989754074daddb3045f4e4ce745669fdb3ec0d5fa8\nX = 012ec226d050ce07c79b3df4d0f0891f9f7adf462e8c98dbc1a2a14f5e53a3f5ad894433587cc429a8be9ea1d84fa33b1803690dae04da7218d30026157fc995cf52\nY = 004837dfbf3426f57b5c793269130abb9a38f618532211931154db4eeb9aede88e57290f842ea0f2ea9a5f74c6203a3920fe4e305f6118f676b154e1d75b9cb5eb88\nPeerX = 01a3c20240e59f5b7a3e17c275d2314ba1741210ad58b71036f8c83cc1f6b0f409dfdd9113e94b67ec39c3291426c23ffcc447054670d2908ff8fe67dc2306034c5c\nPeerY = 01d2825bfd3af8b1e13205780c137fe938f84fde40188e61ea02cead81badfdb425c29f7d7fb0324debadc10bbb93de68f62c35069268283f5265865db57a79f7bf7\nZ = 006fe9de6fb8e672e7fd150fdc5e617fabb0d43906354ccfd224757c7276f7a1010091b17ed072074f8d10a5ec971eb35a5cb7076603b7bc38d432cbc059f80f9488\n\nCurve = P-521\nPrivate = 011a5d1cc79cd2bf73ea106f0e60a5ace220813b53e27b739864334a07c03367efda7a4619fa6eef3a9746492283b3c445610a023a9cc49bf4591140384fca5c8bb5\nX = 00eb07c7332eedb7d3036059d35f7d2288d4377d5f42337ad3964079fb120ccd4c8bd384b585621055217023acd9a94fcb3b965bfb394675e788ade41a1de73e620c\nY = 00491a835de2e6e7deb7e090f4a11f2c460c0b1f3d5e94ee8d751014dc720784fd3b54500c86ebaef18429f09e8e876d5d1538968a030d7715dde99f0d8f06e29d59\nPeerX = 007e2d138f2832e345ae8ff65957e40e5ec7163f016bdf6d24a2243daa631d878a4a16783990c722382130f9e51f0c1bd6ff5ac96780e48b68f5dec95f42e6144bb5\nPeerY = 00b0de5c896791f52886b0f09913e26e78dd0b69798fc4df6d95e3ca708ecbcbcce1c1895f5561bbabaae372e9e67e6e1a3be60e19b470cdf673ec1fc393d3426e20\nZ = 01e4e759ecedce1013baf73e6fcc0b92451d03bdd50489b78871c333114990c9ba6a9b2fc7b1a2d9a1794c1b60d9279af6f146f0bbfb0683140403bfa4ccdb524a29\n\nCurve = P-521\nPrivate = 010c908caf1be74c616b625fc8c1f514446a6aec83b5937141d6afbb0a8c7666a7746fa1f7a6664a2123e8cdf6cd8bf836c56d3c0ebdcc980e43a186f938f3a78ae7\nX = 0031890f4c7abec3f723362285d77d2636f876817db3bbc88b01e773597b969ff6f013ea470c854ab4a7739004eb8cbea69b82ddf36acadd406871798ecb2ac3aa7f\nY = 00d8b429ae3250266b9643c0c765a60dc10155bc2531cf8627296f4978b6640a9e600e19d0037d58503fa80799546a814d7478a550aa90e5ebeb052527faaeae5d08\nPeerX = 00118c36022209b1af8ebad1a12b566fc48744576e1199fe80de1cdf851cdf03e5b9091a8f7e079e83b7f827259b691d0c22ee29d6bdf73ec7bbfd746f2cd97a357d\nPeerY = 00da5ff4904548a342e2e7ba6a1f4ee5f840411a96cf63e6fe622f22c13e614e0a847c11a1ab3f1d12cc850c32e095614ca8f7e2721477b486e9ff40372977c3f65c\nZ = 0163c9191d651039a5fe985a0eea1eba018a40ab1937fcd2b61220820ee8f2302e9799f6edfc3f5174f369d672d377ea8954a8d0c8b851e81a56fda95212a6578f0e\n\nCurve = P-521\nPrivate = 01b37d6b7288de671360425d3e5ac1ccb21815079d8d73431e9b74a6f0e7ae004a357575b11ad66642ce8b775593eba9d98bf25c75ef0b4d3a2098bbc641f59a2b77\nX = 00189a5ee34de7e35aefeaeef9220c18071b4c29a4c3bd9d954458bd3e82a7a34da34cff5579b8101c065b1f2f527cf4581501e28ef5671873e65267733d003520af\nY = 01eb4bc50a7b4d4599d7e3fa773ddb9eb252c9b3422872e544bdf75c7bf60f5166ddc11eb08fa7c30822dabaee373ab468eb2d922e484e2a527fff2ebb804b7d9a37\nPeerX = 01780edff1ca1c03cfbe593edc6c049bcb2860294a92c355489d9afb2e702075ade1c953895a456230a0cde905de4a3f38573dbfcccd67ad6e7e93f0b5581e926a5d\nPeerY = 00a5481962c9162962e7f0ebdec936935d0eaa813e8226d40d7f6119bfd940602380c86721e61db1830f51e139f210000bcec0d8edd39e54d73a9a129f95cd5fa979\nZ = 015d613e267a36342e0d125cdad643d80d97ed0600afb9e6b9545c9e64a98cc6da7c5aaa3a8da0bdd9dd3b97e9788218a80abafc106ef065c8f1c4e1119ef58d298b\n\nCurve = P-521\nPrivate = 00f2661ac762f60c5fff23be5d969ccd4ec6f98e4e72618d12bdcdb9b4102162333788c0bae59f91cdfc172c7a1681ee44d96ab2135a6e5f3415ebbcd55165b1afb0\nX = 00a8e25a6902d687b4787cdc94c364ac7cecc5c495483ed363dc0aa95ee2bd739c4c4d46b17006c728b076350d7d7e54c6822f52f47162a25109aaaba690cab696ec\nY = 0168d2f08fe19e4dc9ee7a195b03c9f7fe6676f9f520b6270557504e72ca4394a2c6918625e15ac0c51b8f95cd560123653fb8e8ee6db961e2c4c62cc54e92e2a2a9\nPeerX = 016dacffa183e5303083a334f765de724ec5ec9402026d4797884a9828a0d321a8cfac74ab737fe20a7d6befcfc73b6a35c1c7b01d373e31abc192d48a4241a35803\nPeerY = 011e5327cac22d305e7156e559176e19bee7e4f2f59e86f1a9d0b6603b6a7df1069bde6387feb71587b8ffce5b266e1bae86de29378a34e5c74b6724c4d40a719923\nZ = 014d6082a3b5ced1ab8ca265a8106f302146c4acb8c30bb14a4c991e3c82a9731288bdb91e0e85bda313912d06384fc44f2153fb13506fa9cf43c9aab5750988c943\n\nCurve = P-521\nPrivate = 00f430ca1261f09681a9282e9e970a9234227b1d5e58d558c3cc6eff44d1bdf53de16ad5ee2b18b92d62fc79586116b0efc15f79340fb7eaf5ce6c44341dcf8dde27\nX = 006c1d9b5eca87de1fb871a0a32f807c725adccde9b3967453a71347d608f0c030cd09e338cdecbf4a02015bc8a6e8d3e2595fe773ffc2fc4e4a55d0b1a2cc00323b\nY = 01141b2109e7f4981c952aa818a2b9f6f5c41feccdb7a7a45b9b4b672937771b008cae5f934dfe3fed10d383ab1f38769c92ce88d9be5414817ecb073a31ab368ccb\nPeerX = 00a091421d3703e3b341e9f1e7d58f8cf7bdbd1798d001967b801d1cec27e605c580b2387c1cb464f55ce7ac80334102ab03cfb86d88af76c9f4129c01bedd3bbfc4\nPeerY = 008c9c577a8e6fc446815e9d40baa66025f15dae285f19eb668ee60ae9c98e7ecdbf2b2a68e22928059f67db188007161d3ecf397e0883f0c4eb7eaf7827a62205cc\nZ = 0020c00747cb8d492fd497e0fec54644bf027d418ab686381f109712a99cabe328b9743d2225836f9ad66e5d7fed1de247e0da92f60d5b31f9e47672e57f710598f4\n\nCurve = P-521\nPrivate = 005dc33aeda03c2eb233014ee468dff753b72f73b00991043ea353828ae69d4cd0fadeda7bb278b535d7c57406ff2e6e473a5a4ff98e90f90d6dadd25100e8d85666\nX = 00c825ba307373cec8dd2498eef82e21fd9862168dbfeb83593980ca9f82875333899fe94f137daf1c4189eb502937c3a367ea7951ed8b0f3377fcdf2922021d46a5\nY = 016b8a2540d5e65493888bc337249e67c0a68774f3e8d81e3b4574a0125165f0bd58b8af9de74b35832539f95c3cd9f1b759408560aa6851ae3ac7555347b0d3b13b\nPeerX = 004f38816681771289ce0cb83a5e29a1ab06fc91f786994b23708ff08a08a0f675b809ae99e9f9967eb1a49f196057d69e50d6dedb4dd2d9a81c02bdcc8f7f518460\nPeerY = 009efb244c8b91087de1eed766500f0e81530752d469256ef79f6b965d8a2232a0c2dbc4e8e1d09214bab38485be6e357c4200d073b52f04e4a16fc6f5247187aecb\nZ = 00c2bfafcd7fbd3e2fd1c",
"750fdea61e70bd4787a7e68468c574ee99ebc47eedef064e8944a73bcb7913dbab5d93dca660d216c553622362794f7a2acc71022bdb16f\n\nCurve = P-521\nPrivate = 00df14b1f1432a7b0fb053965fd8643afee26b2451ecb6a8a53a655d5fbe16e4c64ce8647225eb11e7fdcb23627471dffc5c2523bd2ae89957cba3a57a23933e5a78\nX = 004e8583bbbb2ecd93f0714c332dff5ab3bc6396e62f3c560229664329baa5138c3bb1c36428abd4e23d17fcb7a2cfcc224b2e734c8941f6f121722d7b6b94154576\nY = 01cf0874f204b0363f020864672fadbf87c8811eb147758b254b74b14fae742159f0f671a018212bbf25b8519e126d4cad778cfff50d288fd39ceb0cac635b175ec0\nPeerX = 01a32099b02c0bd85371f60b0dd20890e6c7af048c8179890fda308b359dbbc2b7a832bb8c6526c4af99a7ea3f0b3cb96ae1eb7684132795c478ad6f962e4a6f446d\nPeerY = 017627357b39e9d7632a1370b3e93c1afb5c851b910eb4ead0c9d387df67cde85003e0e427552f1cd09059aad0262e235cce5fba8cedc4fdc1463da76dcd4b6d1a46\nZ = 01aaf24e5d47e4080c18c55ea35581cd8da30f1a079565045d2008d51b12d0abb4411cda7a0785b15d149ed301a3697062f42da237aa7f07e0af3fd00eb1800d9c41\n",
};
-static const size_t kLen37 = 136462;
+static const size_t kLen33 = 136462;
-static const char *kData37[] = {
+static const char *kData33[] = {
"# Public key algorithm tests\n\n# Keys used for PKEY operations.\n\n# RSA 2048 bit key.\nPrivateKey = RSA-2048\nType = RSA\nInput = 308204bc020100300d06092a864886f70d0101010500048204a6308204a20201000282010100cd0081ea7b2ae1ea06d59f7c73d9ffb94a09615c2e4ba7c636cef08dd3533ec3185525b015c769b99a77d6725bf9c3532a9b6e5f6627d5fb85160768d3dda9cbd35974511717dc3d309d2fc47ee41f97e32adb7f9dd864a1c4767a666ecd71bc1aacf5e7517f4b38594fea9b05e42d5ada9912008013e45316a4d9bb8ed086b88d28758bacaf922d46a868b485d239c9baeb0e2b64592710f42b2d1ea0a4b4802c0becab328f8a68b0073bdb546feea9809d2849912b390c1532bc7e29c7658f8175fae46f34332ff87bcab3e40649b98577869da0ea718353f0722754886913648760d122be676e0fc483dd20ffc31bda96a31966c9aa2e75ad03de47e1c44f02030100010282010060297ac7991b167a06d6b24758b8cbe208beb9b2d9ec9738bd80f90a2e35005dd7ce292d9e29ba885bd316fef1f20913bc0ac90d6b0808b2414d82104441d8624a33ce0233c8f780a48b375aff02d76712228a702484db3f9ebecccfbbee1709dba182800d949e9e4216e0bff3558388f8bd90da373a1d82743ec3fbdd1427fd16825a657a316912e8695365117ca2f845c909405fcac55f895fc15d20386c26ee78c9e99075029a178a6c1e4cf0c200e8a9cfb27e9d156f86e6c2adc22b1a84a1cd5ca5b2790875d79407c84b352395cb81cc3fed5bb043b69ede0c07204550025cee8c5f440170b6120bb48e0f747bcd8f522110850df043c428dfd187053102818100f6f961b47cbc035d3aedebc7de850a956b65ecdb9cf60764063f15aa48553c58d972fe6675056e35ddfdc37bf3b9f2f622ee271337256849c9bef2176fe8f7c3f8bb91ba374dd53baf3dec814d2bdec10c1fdc88cdd16876f26b1edfa3f094197edf4d42ff1fb2971103b898ca859c427287086a842ab410bb69cf2d35af6be302818100d47e724a7ff41048b270c2524a4101878b73159bb73d3dbc187b220e635b3534f96e243a184d93f860b6bfbb6b71c1ed9a1e1f458583023c301e96a692c1a08b53d0ec9ca910100d80451e3b7dc6a01bac4aecef8df798846bc235a08cbba2cf4c06804cc11219e95608c714e3f1430d491fadbba32a5751a04f97745834c9a502818021f2452bb9b95dfd028c914bf799f1ca77e89a95d50d3c16d384f8455f8bd7af9eb3dfa3d591d9842def235f7630a8e48c088ff6642e101794535a933e1e976fa8509fc728b2da0c4a1a08d7fcf37abaae1ff3001aca1dc1bbb05d9dffbaa1a09f7fb1eef38237d9ebccc722b9338436dde7119112798c26809c1a8dec4320610281801f7510aa62c2d8de4a3c53282781f41e02d0e8b402ae78432e449c48110161a11403f02d01880a8dcc938152d79721a4711a607ac4471ebf964810f95be47a45e60499e29f4c9773c83773404f606637728c2d0351bb03c326c8bb73a721e7fa5440ea2172bba1465fcc30dcb0d9f89930e815aa1f7f9729a857e00e0338dd590281804d1f0d756fe77e01099a652f50a88b7b685dc5bf00981d5d2376fd0c6fe29cd5b638734479305a73ad3c1599d39eae3bae035fbd6fed07c28de705933879a06e48e6a603686ed8e2560a5f6af1f2c24faf4aa960e382186f15eedce9a2491ae730680dd4cf778b70faa86826ab3223477cc91377b19a6d5a2eaea219760beed5\nExpectNoRawPrivate\nExpectNoRawPublic\n\n# The public half of the same key encoded as a SubjectPublicKeyInfo.\nPublicKey = RSA-2048-SPKI\nType = RSA\nInput = 30820122300d06092a864886f70d01010105000382010f003082010a0282010100cd0081ea7b2ae1ea06d59f7c73d9ffb94a09615c2e4ba7c636cef08dd3533ec3185525b015c769b99a77d6725bf9c3532a9b6e5f6627d5fb85160768d3dda9cbd35974511717dc3d309d2fc47ee41f97e32adb7f9dd864a1c4767a666ecd71bc1aacf5e7517f4b38594fea9b05e42d5ada9912008013e45316a4d9bb8ed086b88d28758bacaf922d46a868b485d239c9baeb0e2b64592710f42b2d1ea0a4b4802c0becab328f8a68b0073bdb546feea9809d2849912b390c1532bc7e29c7658f8175fae46f34332ff87bcab3e40649b98577869da0ea718353f0722754886913648760d122be676e0fc483dd20ffc31bda96a31966c9aa2e75ad03de47e1c44f0203010001\nExpectNoRawPrivate\nExpectNoRawPublic\n\n# The same key but with a negative RSA modulus.\nPublicKey = RSA-2048-SPKI-Negative\nInput = 30820121300d06092a864886f70d01010105000382010e003082010902820100cd0081ea7b2ae1ea06d59f7c73d9ffb94a09615c2e4ba7c636cef08dd3533ec3185525b015c769b99a77d6725bf9c3532a9b6e5f6627d5fb85160768d3dda9cbd35974511717dc3d309d2fc47ee41f97e32adb7f9dd864a1c4767a666ecd71bc1aacf5e7517f4b38594fea9b05e42d5ada9912008013e45316a4d9bb8ed086b88d28758bacaf922d46a868b485d239c9baeb0e2b64592710f42b2d1ea0a4b4802c0becab328f8a68b0073bdb546feea9809d2849912b390c1532bc7e29c7658f8175fae46f34332ff87bcab3e40649b98577869da0ea718353f0722754886913648760d122be676e0fc483dd20ffc31bda96a31966c9aa2e75ad03de47e1c44f0203010001\nError = NEGATIVE_NUMBER\n\n# The same key but with missing parameters rather than a NULL.\nPublicKey = RSA-2048-SPKI-Invalid\nInput = 30820120300b06092a864886f70d0101010382010f003082010a0282010100cd0081ea7b2ae1ea06d59f7c73d9ffb94a09615c2e4ba7c636cef08dd3533ec3185525b015c769b99a77d6725bf9c3532a9b6e5f6627d5fb85160768d3dda9cbd35974511717dc3d309d2fc47ee41f97e32adb7f9dd864a1c4767a666ecd71bc1aacf5e7517f4b38594fea9b05e42d5ada9912008013e45316a4d9bb8ed086b88d28758bacaf922d46a868b485d239c9baeb0e2b64592710f42b2d1ea0a4b4802c0becab328f8a68b0073bdb546feea9809d2849912b390c1532bc7e29c7658f8175fae46f34332ff87bcab3e40649b98577869da0ea718353f0722754886913648760d122be676e0fc483dd20ffc31bda96a31966c9aa2e75ad03de47e1c44f0203010001\nError = DECODE_ERROR\n\n# The same key but with an incorrectly-encoded length prefix.\nPublicKey = RSA-2048-SPKI-Invalid2\nInput = 3083000122300d06092a864886f70d01010105000382010f003082010a0282010100cd0081ea7b2ae1ea06d59f7c73d9ffb94a09615c2e4ba7c636cef08dd3533ec3185525b015c769b99a77d6725bf9c3532a9b6e5f6627d5fb85160768d3dda9cbd35974511717dc3d309d2fc47ee41f97e32adb7f9dd864a1c4767a666ecd71bc1aacf5e7517f4b38594fea9b05e42d5ada9912008013e45316a4d9bb8ed086b88d28758bacaf922d46a868b485d239c9baeb0e2b64592710f42b2d1ea0a4b4802c0becab328f8a68b0073bdb546feea9809d2849912b390c1532bc7e29c7658f8175fae46f34332ff87bcab3e40649b98577869da0ea718353f0722754886913648760d122be676e0fc483dd20ffc31bda96a31966c9aa2e75ad03de47e1c44f0203010001\nError = DECODE_ERROR\n\n# RSA 512 bit key.\nPrivateKey = RSA-512\nType = RSA\nInput = 30820154020100300d06092a864886f70d01010105000482013e3082013a020100024100dd20403d976a38c9d79152d87b5c8e9f05033eadd7b7de709bf5b0c4a5182a97d18483526b02362b992e154a9f37faa396ca2685cdab8fec09877ebe705f4dd70203010001024055bebcca655d7e39de8a6eaa9d636db682161907064039544755c53eeb99ec618c03a210dbc61471eaba10c5c365c9726d6b7a96f54d455f7d168d49367270e1022100f21a05d9fd6817301ce49ce10448f9bdd44f5ef5b7557cd7d83155db46382ae7022100e9d1f7157783db2feab1936954ddc4e83aa365695868144cda1be6813b61d791022100d6001eb0040920860ce41fafdf23ca6dfbdf74e6e9f98cf3164cf5c16f9e727d02206f6f73f4b52b10517be6f9bc5f87fa0a3bb817e2e711636b651f9af1c85d4f21022063eff2e57f5b4ca20342cfe793e25526624e3692f192461f9e1ce7f13f2d72c8\nExpectNoRawPrivate\nExpectNoRawPublic\n\n# RSA 515 bit key.\nPrivateKey = RSA-515\nType = RSA\nInput = 30820157020100300d06092a864886f70d0101010500048201413082013d0201000241054fa166e205e658bbe8a2dc35311c0c2b75b7e4569fd9642c8bae809279271fc824f26baa1166ea46298ca63379ea76adbada2b61e5066820a35beaec1aca227f020301000102410266c972be0d30e53ac2acb1aa13b4bd0401cccf212452a66b4615f7e943831f67b4ca48560582d0ca886044aaaaf87945252a848c1947944186e6eb83969bf91102210309e631761842cc8a2ccfd372c20a9cba21de1a199c30ab440bc6b51079f4e825022101bf715c1db432627ca7c29a293b9210f2eff1e92d12f306ebaa5334f8ee03dcd30221018ac58a765f2b8f37d434081fe5ff92b81735ead2f263f4968ccf63d61fbe3d0d0221015b247a1159a2d5a25d0db049593c6405f77f3a278c521d066e290c2a2d8fb59d0221026224aa31fd95c14d24fd03b8a195bba4cc88df7c37f5370a5ab19f882f1404d6\nExpectNoRawPrivate\nExpectNoRawPublic\n\n# EC P-256 key\nPrivateKey = P-256\nType = EC\nInput = 308187020100301306072a8648ce3d020106082a8648ce3d030107046d306b02010104208a872fb62893c4d1ffc5b9f0f91758069f8352e08fa05a49f8db926cb5728725a144034200042c150f429ce70f216c252cf5e062ce1f639cd5d165c7f89424072c27197d78b33b920e95cdb664e990dcf0cfea0d94e2a8e6af9d0e58056e653104925b9fe6c9\nExpectNoRawPrivate\nExpectNoRawPublic\n\n# The same key as above with the optional public key omitted.\nPrivateKey = P-256-MissingPublic\nType = EC\nInput = 3041020100301306072a8648ce3d020106082a8648ce3d0301070427302502010104208a872fb62893c4d1ffc5b9f0f91758069f8352e08fa05a49f8db926cb5728725\nExpectNoRawPrivate\nExpectNoRawPublic\n\n# The same key as above with redundant parameters.\nPrivateKey = P-256-ExtraParameters\nType = EC\nInput = 308193020100301306072a8648ce3d020106082a8648ce3d0301070479307702010104208a872fb62893c4d1ffc5b9f0f91758069f8352e08fa05a49f8db926cb5728725a00a06082a8648ce3d030107a144034200042c150f429ce70f216c252cf5e062ce1f639cd5d165c7f89424072c27197d78b33b920e95cdb664e990dcf0cfea0d94e2a8e6af9d0e58056e653104925b9fe6c9\n# The key re-encodes with the parameters removed.\nOutput = 308187020100301306072a8648c",
"e3d020106082a8648ce3d030107046d306b02010104208a872fb62893c4d1ffc5b9f0f91758069f8352e08fa05a49f8db926cb5728725a144034200042c150f429ce70f216c252cf5e062ce1f639cd5d165c7f89424072c27197d78b33b920e95cdb664e990dcf0cfea0d94e2a8e6af9d0e58056e653104925b9fe6c9\nExpectNoRawPrivate\nExpectNoRawPublic\n\n# The same key, but with the redundant parameters in the ECPrivateKey mismatched.\nPrivateKey = P-256-BadInnerParameters\nInput = 308190020100301306072a8648ce3d020106082a8648ce3d0301070476307402010104208a872fb62893c4d1ffc5b9f0f91758069f8352e08fa05a49f8db926cb5728725a00706052b81040022a144034200042c150f429ce70f216c252cf5e062ce1f639cd5d165c7f89424072c27197d78b33b920e95cdb664e990dcf0cfea0d94e2a8e6af9d0e58056e653104925b9fe6c9\nError = GROUP_MISMATCH\n\n# The same key, but with the curve spelled explicitly.\nPrivateKey = P-256-ExplicitParameters\nType = EC\nInput = 308201610201003081ec06072a8648ce3d02013081e0020101302c06072a8648ce3d0101022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff30440420ffffffff00000001000000000000000000000000fffffffffffffffffffffffc04205ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b0441046b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c2964fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551020101046d306b02010104208a872fb62893c4d1ffc5b9f0f91758069f8352e08fa05a49f8db926cb5728725a144034200042c150f429ce70f216c252cf5e062ce1f639cd5d165c7f89424072c27197d78b33b920e95cdb664e990dcf0cfea0d94e2a8e6af9d0e58056e653104925b9fe6c9\nOutput = 308187020100301306072a8648ce3d020106082a8648ce3d030107046d306b02010104208a872fb62893c4d1ffc5b9f0f91758069f8352e08fa05a49f8db926cb5728725a144034200042c150f429ce70f216c252cf5e062ce1f639cd5d165c7f89424072c27197d78b33b920e95cdb664e990dcf0cfea0d94e2a8e6af9d0e58056e653104925b9fe6c9\nExpectNoRawPrivate\nExpectNoRawPublic\n\n# The same as above, but with the optional cofactor omitted.\nPrivateKey = P-256-ExplicitParameters-NoCofactor\nType = EC\nInput = 3082015e0201003081e906072a8648ce3d02013081dd020101302c06072a8648ce3d0101022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff30440420ffffffff00000001000000000000000000000000fffffffffffffffffffffffc04205ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b0441046b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c2964fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551046d306b02010104208a872fb62893c4d1ffc5b9f0f91758069f8352e08fa05a49f8db926cb5728725a144034200042c150f429ce70f216c252cf5e062ce1f639cd5d165c7f89424072c27197d78b33b920e95cdb664e990dcf0cfea0d94e2a8e6af9d0e58056e653104925b9fe6c9\nOutput = 308187020100301306072a8648ce3d020106082a8648ce3d030107046d306b02010104208a872fb62893c4d1ffc5b9f0f91758069f8352e08fa05a49f8db926cb5728725a144034200042c150f429ce70f216c252cf5e062ce1f639cd5d165c7f89424072c27197d78b33b920e95cdb664e990dcf0cfea0d94e2a8e6af9d0e58056e653104925b9fe6c9\nExpectNoRawPrivate\nExpectNoRawPublic\n\n# The same as above, but the cofactor is zero instead of one.\nPrivateKey = P-256-ExplicitParameters-CofactorZero\nInput = 308201610201003081ec06072a8648ce3d02013081e0020101302c06072a8648ce3d0101022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff30440420ffffffff00000001000000000000000000000000fffffffffffffffffffffffc04205ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b0441046b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c2964fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551020100046d306b02010104208a872fb62893c4d1ffc5b9f0f91758069f8352e08fa05a49f8db926cb5728725a144034200042c150f429ce70f216c252cf5e062ce1f639cd5d165c7f89424072c27197d78b33b920e95cdb664e990dcf0cfea0d94e2a8e6af9d0e58056e653104925b9fe6c9\nError = UNKNOWN_GROUP\n\n# The same as above, but the cofactor is two instead of one.\nPrivateKey = P-256-ExplicitParameters-CofactorTwo\nInput = 308201610201003081ec06072a8648ce3d02013081e0020101302c06072a8648ce3d0101022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff30440420ffffffff00000001000000000000000000000000fffffffffffffffffffffffc04205ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b0441046b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c2964fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551020102046d306b02010104208a872fb62893c4d1ffc5b9f0f91758069f8352e08fa05a49f8db926cb5728725a144034200042c150f429ce70f216c252cf5e062ce1f639cd5d165c7f89424072c27197d78b33b920e95cdb664e990dcf0cfea0d94e2a8e6af9d0e58056e653104925b9fe6c9\nError = UNKNOWN_GROUP\n\n# The public half of the same key encoded as a PublicKey.\nPublicKey = P-256-SPKI\nType = EC\nInput = 3059301306072a8648ce3d020106082a8648ce3d030107034200042c150f429ce70f216c252cf5e062ce1f639cd5d165c7f89424072c27197d78b33b920e95cdb664e990dcf0cfea0d94e2a8e6af9d0e58056e653104925b9fe6c9\nExpectNoRawPrivate\nExpectNoRawPublic\n\n# The same as above, but with the curve explicitly spelled out.\nPublicKey = P-256-SPKI\nInput = 3082014b3082010306072a8648ce3d02013081f7020101302c06072a8648ce3d0101022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff305b0420ffffffff00000001000000000000000000000000fffffffffffffffffffffffc04205ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b031500c49d360886e704936a6678e1139d26b7819f7e900441046b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c2964fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551020101034200042c150f429ce70f216c252cf5e062ce1f639cd5d165c7f89424072c27197d78b33b920e95cdb664e990dcf0cfea0d94e2a8e6af9d0e58056e653104925b9fe6c9\nError = DECODE_ERROR\n\n# The same as above, but with trailing data after the curve name.\nPublicKey = P-256-SPKI\nInput = 305b301506072a8648ce3d020106082a8648ce3d0301070500034200042c150f429ce70f216c252cf5e062ce1f639cd5d165c7f89424072c27197d78b33b920e95cdb664e990dcf0cfea0d94e2a8e6af9d0e58056e653104925b9fe6c9\nError = DECODE_ERROR\n\n# A DSA private key.\nPrivateKey = DSA-1024\nType = DSA\nInput = 308202650201003082023906072a8648ce3804013082022c02820101009e12fab3de12213501dd82aa10ca2d101d2d4ebfef4d2a3f8daa0fe0cedad8d6af85616aa2f3252c0a2b5a6db09e6f14900e0ddb8311876dd8f9669525f99ed65949e184d5064793271169a228680b95ec12f59a8e20b21f2b58eb2a2012d35bde2ee351822fe8f32d0a330565dcce5c672b7259c14b2433d0b5b2ca2b2db0ab626e8f13f47fe0345d904e7294bb038e9ce21a9e580b83356278706cfe768436c69de149ccff98b4aab8cb4f6385c9f102ce59346eaeef27e0ad222d53d6e89cc8cde5776dd00057b03f2d88ab3cedbafd7b585f0b7f7835e17a3728bbf25ea62572f245dc111f3ce39cb6ffacc31b0a2790e7bde90224ea9b09315362af3d2b022100f381dcf53ebf724f8b2e5ca82c010fb4b5eda9358d0fd88ed278589488b54fc3028201000c402a725dcc3a62e02bf4cf43cd17f4a493591220223669cf4193edab423ad08dfb552e308a6a57a5ffbc7cd0fb2087f81f8df0cb08ab2133287d2b6968714a94f633c940845a48a3e16708dde761cc6a8eab2d84db21b6ea5b07681493cc9c31fbc368b243f6ddf8c932a8b4038f44e7b15ca876344a147859f2b43b39458668ad5e0a1a9a669546dd2812e3b3617a0aef99d58e3bb4cc87fd94225e01d2dcc469a77268146c51918f18e8b4d70aa1f0c7623bcc52cf3731d38641b2d2830b7eecb2f09552ff137d046e494e7f33c3590002b16d1b97d936fda28f90c3ed3ca35338168ac16f77c3c57adc2e8f7c6c2256e41a5f65450590dbb5bcf06d66610423022100b0c768702743bc51242993a971a52889795444f7c6452203d0ce84fe6117d46e\nExpectNoRawPrivate\nExpectNoRawPublic\n\n# A DSA public key.\nPublicKey = DSA-1024-SPKI\nType = DSA\nInput = 308201b73082012c06072a8648ce3804013082011f02818100b3429b8b128c9079f9b72e86857e98d265e5d91661ed8b5f4cc56e5eed1e571da30186983a9dd76297eab73ee13a1db841f8800d04a7cab478af6cde2ea4a2868531af169a24858c6268efa39ceb7ed0d4227eb5bbb01124a2a5a26038c7bcfb8cc827f68f5202345166e4718596799b65c9def82828ce44e62e38e41a0d24b1021500c5a56c81ddd87f47e676546c56d05706421624cf0281810094de40d27314fe929e47ff9b1ac65cfc73ef38c4d381c890be6217b15039ae18190e6b421af8c0bda35a5cfd050f58ae2644adce83e68c8e5ba11729df56bbb21e227a60b816cc033fa799a38fe1ba5b4aa1801b6f841ce3df99feb3b4fb96950c960af13fa2ce920aabc12dd24ad2044a35063ea0e25f67f560f4cfbdc55983",
"03818400028180258c30ebbb7f34fdc873ce679f6cea373c7886d75d4421b90920db034daedd292c64d8edd8cdbdd7f3ad23d74cfa2135247d0cef6ecf2e14f99e19d22a8c1266bd8fb8719c0e5667c716c45c7adbdabe548085bdad2dfee636f8d52fd6adb2193df6c4f0520fbd171b91882e0e4f321f8250ffecf4dbea00e114427d3ef96c1a\nExpectNoRawPrivate\nExpectNoRawPublic\n\n# The same key as above, but without the parameters.\nPublicKey = DSA-1024-SPKI-No-Params\nType = DSA\nInput = 308192300906072a8648ce38040103818400028180258c30ebbb7f34fdc873ce679f6cea373c7886d75d4421b90920db034daedd292c64d8edd8cdbdd7f3ad23d74cfa2135247d0cef6ecf2e14f99e19d22a8c1266bd8fb8719c0e5667c716c45c7adbdabe548085bdad2dfee636f8d52fd6adb2193df6c4f0520fbd171b91882e0e4f321f8250ffecf4dbea00e114427d3ef96c1a\nExpectNoRawPrivate\nExpectNoRawPublic\n\n# Private keys from RFC 8032.\nPrivateKey = Ed25519\nType = Ed25519\nInput = 302e020100300506032b6570042204209d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60\nExpectRawPrivate = 9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60\nExpectRawPublic = d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a\n\nPrivateKey = Ed25519-2\nType = Ed25519\nInput = 302e020100300506032b6570042204204ccd089b28ff96da9db6c346ec114e0f5b8a319f35aba624da8cf6ed4fb8a6fb\nExpectRawPrivate = 4ccd089b28ff96da9db6c346ec114e0f5b8a319f35aba624da8cf6ed4fb8a6fb\nExpectRawPublic = 3d4017c3e843895a92b70aa74d1b7ebc9c982ccf2ec4968cc0cd55f12af4660c\n\nPrivateKey = Ed25519-3\nType = Ed25519\nInput = 302e020100300506032b657004220420c5aa8df43f9f837bedb7442f31dcb7b166d38535076f094b85ce3a2e0b4458f7\nExpectRawPrivate = c5aa8df43f9f837bedb7442f31dcb7b166d38535076f094b85ce3a2e0b4458f7\nExpectRawPublic = fc51cd8e6218a1a38da47ed00230f0580816ed13ba3303ac5deb911548908025\n\nPrivateKey = Ed25519-4\nType = Ed25519\nInput = 302e020100300506032b657004220420f5e5767cf153319517630f226876b86c8160cc583bc013744c6bf255f5cc0ee5\nExpectRawPrivate = f5e5767cf153319517630f226876b86c8160cc583bc013744c6bf255f5cc0ee5\nExpectRawPublic = 278117fc144c72340f67d0f2316e8386ceffbf2b2428c9c51fef7c597f1d426e\n\nPrivateKey = Ed25519-5\nType = Ed25519\nInput = 302e020100300506032b657004220420833fe62409237b9d62ec77587520911e9a759cec1d19755b7da901b96dca3d42\nExpectRawPrivate = 833fe62409237b9d62ec77587520911e9a759cec1d19755b7da901b96dca3d42\nExpectRawPublic = ec172b93ad5e563bf4932c70e1245034c35467ef2efd4d64ebf819683467e2bf\n\n# Public keys from RFC 8032.\nPublicKey = Ed25519-SPKI\nType = Ed25519\nInput = 302a300506032b6570032100d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a\nExpectNoRawPrivate\nExpectRawPublic = d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a\n\nPublicKey = Ed25519-SPKI-2\nType = Ed25519\nInput = 302a300506032b65700321003d4017c3e843895a92b70aa74d1b7ebc9c982ccf2ec4968cc0cd55f12af4660c\nExpectNoRawPrivate\nExpectRawPublic = 3d4017c3e843895a92b70aa74d1b7ebc9c982ccf2ec4968cc0cd55f12af4660c\n\nPublicKey = Ed25519-SPKI-3\nType = Ed25519\nInput = 302a300506032b6570032100fc51cd8e6218a1a38da47ed00230f0580816ed13ba3303ac5deb911548908025\nExpectNoRawPrivate\nExpectRawPublic = fc51cd8e6218a1a38da47ed00230f0580816ed13ba3303ac5deb911548908025\n\nPublicKey = Ed25519-SPKI-4\nType = Ed25519\nInput = 302a300506032b6570032100278117fc144c72340f67d0f2316e8386ceffbf2b2428c9c51fef7c597f1d426e\nExpectNoRawPrivate\nExpectRawPublic = 278117fc144c72340f67d0f2316e8386ceffbf2b2428c9c51fef7c597f1d426e\n\nPublicKey = Ed25519-SPKI-5\nType = Ed25519\nInput = 302a300506032b6570032100ec172b93ad5e563bf4932c70e1245034c35467ef2efd4d64ebf819683467e2bf\nExpectNoRawPrivate\nExpectRawPublic = ec172b93ad5e563bf4932c70e1245034c35467ef2efd4d64ebf819683467e2bf\n\n# The first key, private and public, with invalid NULL parameters.\nPrivateKey = Ed25519-NULL\nInput = 3030020100300706032b65700500042204209d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60\nError = DECODE_ERROR\n\nPublicKey = Ed25519-SPKI-NULL\nInput = 302c300706032b65700500032100d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a\nError = DECODE_ERROR\n\n# Sample public key from RFC 8410.\nPublicKey = Ed25519-SPKI-Spec\nType = Ed25519\nInput = 302a300506032b657003210019bf44096984cdfe8541bac167dc3b96c85086aa30b6b6cb0c5c38ad703166e1\n\n# Sample private key from RFC 8410.\nPrivateKey = Ed25519-Spec\nType = Ed25519\nInput = 302e020100300506032b657004220420d4ee72dbf913584ad5b6d8f1f769f8ad3afe7c28cbf1d4fbe097a88f44755842\n\n\n# RSA tests\n\nSign = RSA-2048\nDigest = SHA1\nInput = \"0123456789ABCDEF1234\"\nOutput = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad\n\nVerify = RSA-2048\nDigest = SHA1\nInput = \"0123456789ABCDEF1234\"\nOutput = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad\n\nVerify = RSA-2048-SPKI\nDigest = SHA1\nInput = \"0123456789ABCDEF1234\"\nOutput = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad\n\n# Digest too long\nSign = RSA-2048\nDigest = SHA1\nInput = \"0123456789ABCDEF12345\"\nError = INVALID_MESSAGE_LENGTH\n\nVerify = RSA-2048\nDigest = SHA1\nInput = \"0123456789ABCDEF12345\"\nOutput = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad\nError = INVALID_MESSAGE_LENGTH\n\n# Digest too short\nSign = RSA-2048\nDigest = SHA1\nInput = \"0123456789ABCDEF123\"\nError = INVALID_MESSAGE_LENGTH\n\nVerify = RSA-2048\nDigest = SHA1\nInput = \"0123456789ABCDEF123\"\nOutput = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad\nError = INVALID_MESSAGE_LENGTH\n\n# Digest too large for key.\nSign = RSA-512\nDigest = SHA512\nInput = \"0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF\"\nError = DIGEST_TOO_BIG_FOR_RSA_KEY\n\n# Mismatched digest\nVerify = RSA-2048\nDigest = SHA1\nInput = \"0123456789ABCDEF1233\"\nOutput = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99",
@@ -2409,19 +2363,19 @@
"d88a1d7ba50cee5ef7e701b3a589adc09a752a974a6805956f4a1a0582f66309a1e02e9fb6b10d2c820fe98bb2eb04f435bc8a649cc9ab6c5a4c03e83800d1\n\nVerifyMessage = RSA-2048-SPKI\nDigest = SHA256\nInput = \"Hello world\"\nOutput = 301894798b49d6ec55d32dcc74314f04230591a515781f3eb4492f5324b56046836c4bc3e25942af341e88558cb4c3814a849207575d343189147989b16e296b5138dbbc717116dc416f201dfa35943d15060493953cda1f04a13ff89845cf7fd69e1a78d5d38522a77bb234e5d0ba2ae17ada6e22fdae27a4052fdb8ac267507dfe06ed7a865e61a52b530bbbf65c7caa89739613df10ae3b0e62ff6831ee0770086aad39c329462aede9f1b29a501bc3d09e0fe4034aa5d6831d44491d508111d88a1d7ba50cee5ef7e701b3a589adc09a752a974a6805956f4a1a0582f66309a1e02e9fb6b10d2c820fe98bb2eb04f435bc8a649cc9ab6c5a4c03e83800d1\n\nVerifyMessage = P-256\nDigest = SHA256\nInput = \"Hello world\"\nOutput = 304502204c66004635c267394bd6857c1e0b53b22a2bab1ca7dff9d5c1b42143858b3ea7022100ae81228510e03cd49a8863d2ebd1c05fe0c87eacd1150433132b909994cd0dbd\n\n# Digest can't be omitted in many algorithms.\nSignMessage = RSA-2048\nInput = \"Hello world\"\nError = NO_DEFAULT_DIGEST\n\nVerifyMessage = RSA-2048\nInput = \"Hello world\"\nOutput = 301894798b49d6ec55d32dcc74314f04230591a515781f3eb4492f5324b56046836c4bc3e25942af341e88558cb4c3814a849207575d343189147989b16e296b5138dbbc717116dc416f201dfa35943d15060493953cda1f04a13ff89845cf7fd69e1a78d5d38522a77bb234e5d0ba2ae17ada6e22fdae27a4052fdb8ac267507dfe06ed7a865e61a52b530bbbf65c7caa89739613df10ae3b0e62ff6831ee0770086aad39c329462aede9f1b29a501bc3d09e0fe4034aa5d6831d44491d508111d88a1d7ba50cee5ef7e701b3a589adc09a752a974a6805956f4a1a0582f66309a1e02e9fb6b10d2c820fe98bb2eb04f435bc8a649cc9ab6c5a4c03e83800d1\nError = NO_DEFAULT_DIGEST\n\n# Signing test vectors from RFC 8032.\nSignMessage = Ed25519\nInput = \"\"\nOutput = e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b\n\nSignMessage = Ed25519-2\nInput = 72\nOutput = 92a009a9f0d4cab8720e820b5f642540a2b27b5416503f8fb3762223ebdb69da085ac1e43e15996e458f3613d0f11d8c387b2eaeb4302aeeb00d291612bb0c00\n\nSignMessage = Ed25519-3\nInput = af82\nOutput = 6291d657deec24024827e69c3abe01a30ce548a284743a445e3680d7db5ac3ac18ff9b538d16f290ae67f760984dc6594a7c15e9716ed28dc027beceea1ec40a\n\nSignMessage = Ed25519-4\nInput = 08b8b2b733424243760fe426a4b54908632110a66c2f6591eabd3345e3e4eb98fa6e264bf09efe12ee50f8f54e9f77b1e355f6c50544e23fb1433ddf73be84d879de7c0046dc4996d9e773f4bc9efe5738829adb26c81b37c93a1b270b20329d658675fc6ea534e0810a4432826bf58c941efb65d57a338bbd2e26640f89ffbc1a858efcb8550ee3a5e1998bd177e93a7363c344fe6b199ee5d02e82d522c4feba15452f80288a821a579116ec6dad2b3b310da903401aa62100ab5d1a36553e06203b33890cc9b832f79ef80560ccb9a39ce767967ed628c6ad573cb116dbefefd75499da96bd68a8a97b928a8bbc103b6621fcde2beca1231d206be6cd9ec7aff6f6c94fcd7204ed3455c68c83f4a41da4af2b74ef5c53f1d8ac70bdcb7ed185ce81bd84359d44254d95629e9855a94a7c1958d1f8ada5d0532ed8a5aa3fb2d17ba70eb6248e594e1a2297acbbb39d502f1a8c6eb6f1ce22b3de1a1f40cc24554119a831a9aad6079cad88425de6bde1a9187ebb6092cf67bf2b13fd65f27088d78b7e883c8759d2c4f5c65adb7553878ad575f9fad878e80a0c9ba63bcbcc2732e69485bbc9c90bfbd62481d9089beccf80cfe2df16a2cf65bd92dd597b0707e0917af48bbb75fed413d238f5555a7a569d80c3414a8d0859dc65a46128bab27af87a71314f318c782b23ebfe808b82b0ce26401d2e22f04d83d1255dc51addd3b75a2b1ae0784504df543af8969be3ea7082ff7fc9888c144da2af58429ec96031dbcad3dad9af0dcbaaaf268cb8fcffead94f3c7ca495e056a9b47acdb751fb73e666c6c655ade8297297d07ad1ba5e43f1bca32301651339e22904cc8c42f58c30c04aafdb038dda0847dd988dcda6f3bfd15c4b4c4525004aa06eeff8ca61783aacec57fb3d1f92b0fe2fd1a85f6724517b65e614ad6808d6f6ee34dff7310fdc82aebfd904b01e1dc54b2927094b2db68d6f903b68401adebf5a7e08d78ff4ef5d63653a65040cf9bfd4aca7984a74d37145986780fc0b16ac451649de6188a7dbdf191f64b5fc5e2ab47b57f7f7276cd419c17a3ca8e1b939ae49e488acba6b965610b5480109c8b17b80e1b7b750dfc7598d5d5011fd2dcc5600a32ef5b52a1ecc820e308aa342721aac0943bf6686b64b2579376504ccc493d97e6aed3fb0f9cd71a43dd497f01f17c0e2cb3797aa2a2f256656168e6c496afc5fb93246f6b1116398a346f1a641f3b041e989f7914f90cc2c7fff357876e506b50d334ba77c225bc307ba537152f3f1610e4eafe595f6d9d90d11faa933a15ef1369546868a7f3a45a96768d40fd9d03412c091c6315cf4fde7cb68606937380db2eaaa707b4c4185c32eddcdd306705e4dc1ffc872eeee475a64dfac86aba41c0618983f8741c5ef68d3a101e8a3b8cac60c905c15fc910840b94c00a0b9d0\nOutput = 0aab4c900501b3e24d7cdf4663326a3a87df5e4843b2cbdb67cbf6e460fec350aa5371b1508f9f4528ecea23c436d94b5e8fcd4f681e30a6ac00a9704a188a03\n\nSignMessage = Ed25519-5\nInput = ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f\nOutput = dc2a4459e7369633a52b1bf277839a00201009a3efbf3ecb69bea2186c26b58909351fc9ac90b3ecfdfbc7c66431e0303dca179c138ac17ad9bef1177331a704\n\n# Signing with public keys is not allowed.\nSignMessage = Ed25519-SPKI\nInput = \"\"\nError = NOT_A_PRIVATE_KEY\n\n# Verify test vectors from RFC 8032. Test verifying with both the public and\n# private key.\nVerifyMessage = Ed25519\nInput = \"\"\nOutput = e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b\n\nVerifyMessage = Ed25519-SPKI\nInput = \"\"\nOutput = e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b\n\nVerifyMessage = Ed25519-2\nInput = 72\nOutput = 92a009a9f0d4cab8720e820b5f642540a2b27b5416503f8fb3762223ebdb69da085ac1e43e15996e458f3613d0f11d8c387b2eaeb4302aeeb00d291612bb0c00\n\nVerifyMessage = Ed25519-SPKI-2\nInput = 72\nOutput = 92a009a9f0d4cab8720e820b5f642540a2b27b5416503f8fb3762223ebdb69da085ac1e43e15996e458f3613d0f11d8c387b2eaeb4302aeeb00d291612bb0c00\n\nVerifyMessage = Ed25519-3\nInput = af82\nOutput = 6291d657deec24024827e69c3abe01a30ce548a284743a445e3680d7db5ac3ac18ff9b538d16f290ae67f760984dc6594a7c15e9716ed28dc027beceea1ec40a\n\nVerifyMessage = Ed25519-SPKI-3\nInput = af82\nOutput = 6291d657deec24024827e69c3abe01a30ce548a284743a445e3680d7db5ac3ac18ff9b538d16f290ae67f760984dc6594a7c15e9716ed28dc027beceea1ec40a\n\nVerifyMessage = Ed25519-4\nInput = 08b8b2b733424243760fe426a4b54908632110a66c2f6591eabd3345e3e4eb98fa6e264bf09efe12ee50f8f54e9f77b1e355f6c50544e23fb1433ddf73be84d879de7c0046dc4996d9e773f4bc9efe5738829adb26c81b37c93a1b270b20329d658675fc6ea534e0810a4432826bf58c941efb65d57a338bbd2e26640f89ffbc1a858efcb8550ee3a5e1998bd177e93a7363c344fe6b199ee5d02e82d522c4feba15452f80288a821a579116ec6dad2b3b310da903401aa62100ab5d1a36553e06203b33890cc9b832f79ef80560ccb9a39ce767967ed628c6ad573cb116dbefefd75499da96bd68a8a97b928a8bbc103b6621fcde2beca1231d206be6cd9ec7aff6f6c94fcd7204ed3455c68c83f4a41da4af2b74ef5c53f1d8ac70bdcb7ed185ce81bd84359d44254d95629e9855a94a7c1958d1f8ada5d0532ed8a5aa3fb2d17ba70eb6248e594e1a2297acbbb39d502f1a8c6eb6f1ce22b3de1a1f40cc24554119a831a9aad6079cad88425de6bde1a9187ebb6092cf67bf2b13fd65f27088d78b7e883c8759d2c4f5c65adb7553878ad575f9fad878e80a0c9ba63bcbcc2732e69485bbc9c90bfbd62481d9089beccf80cfe2df16a2cf65bd92dd597b0707e0917af48bbb75fed413d238f5555a7a569d80c3414a8d0859dc65a46128bab27af87a71314f318c782b23ebfe808b82b0ce26401d2e22f04d83d1255dc51addd3b75a2b1ae0784504df543af8969be3ea7082ff7fc9888c144da2af58429ec96031dbcad3dad9af0dcbaaaf268cb8fcffead94f3c7ca495e056a9b47acdb751fb73e666c6c655ade8297297d07ad1ba5e43f1bca32301651339e22904cc8c42f58c30c04aafdb038dda0847dd988dcda6f3bfd15c4b4c4525004aa06eeff8ca61783aacec57fb3d1f92b0fe2fd1a85f6724517b65e614ad6808d6f6ee34dff7310fdc82aebfd904b01e1dc54b2927094b2db68d6f903b68401adebf5a7e08d78ff4ef5d63653a65040cf9bfd4aca7984a74d37145986780fc0b16ac451649de6188a7dbdf191f64b5fc5e2ab47b57f7f7276cd419c17a3ca8e1b939ae49e488acba6b965610b5480109c8b17b80e1b7b750dfc7598d5d5011fd2dcc5600a32ef5b52a1ecc820e308aa342721aac0943bf6686b64b2579376504ccc493d97e6aed3fb0f9cd71a43dd497f01f17c0e2cb3797aa2a2f256656168e6c496afc5fb93246f6b1116398a346f1a641f3b041e989f7914f90cc2c7fff357876e506b50d334ba77c225bc307ba537152f3f1610e4eafe595f6d9d90d11faa933a15ef1369546868a7f3a45a96768d40fd9d03412c091c6315cf4fde7cb68606937380db2eaaa707b4c4185c32eddcdd306705e4dc1ffc872eeee475a64dfac86aba41c0618983f8741c5ef68d3a101e8a3b8cac60c905c15fc910840b94c00a0b9d0\nOutput = 0aab4c900501b3e24d7cdf4663326a3a87df5e4843b2cbdb67cbf6e460fec350aa5371b1508f9f4528ecea23c436d94b5e8fcd4f681",
"e30a6ac00a9704a188a03\n\nVerifyMessage = Ed25519-SPKI-4\nInput = 08b8b2b733424243760fe426a4b54908632110a66c2f6591eabd3345e3e4eb98fa6e264bf09efe12ee50f8f54e9f77b1e355f6c50544e23fb1433ddf73be84d879de7c0046dc4996d9e773f4bc9efe5738829adb26c81b37c93a1b270b20329d658675fc6ea534e0810a4432826bf58c941efb65d57a338bbd2e26640f89ffbc1a858efcb8550ee3a5e1998bd177e93a7363c344fe6b199ee5d02e82d522c4feba15452f80288a821a579116ec6dad2b3b310da903401aa62100ab5d1a36553e06203b33890cc9b832f79ef80560ccb9a39ce767967ed628c6ad573cb116dbefefd75499da96bd68a8a97b928a8bbc103b6621fcde2beca1231d206be6cd9ec7aff6f6c94fcd7204ed3455c68c83f4a41da4af2b74ef5c53f1d8ac70bdcb7ed185ce81bd84359d44254d95629e9855a94a7c1958d1f8ada5d0532ed8a5aa3fb2d17ba70eb6248e594e1a2297acbbb39d502f1a8c6eb6f1ce22b3de1a1f40cc24554119a831a9aad6079cad88425de6bde1a9187ebb6092cf67bf2b13fd65f27088d78b7e883c8759d2c4f5c65adb7553878ad575f9fad878e80a0c9ba63bcbcc2732e69485bbc9c90bfbd62481d9089beccf80cfe2df16a2cf65bd92dd597b0707e0917af48bbb75fed413d238f5555a7a569d80c3414a8d0859dc65a46128bab27af87a71314f318c782b23ebfe808b82b0ce26401d2e22f04d83d1255dc51addd3b75a2b1ae0784504df543af8969be3ea7082ff7fc9888c144da2af58429ec96031dbcad3dad9af0dcbaaaf268cb8fcffead94f3c7ca495e056a9b47acdb751fb73e666c6c655ade8297297d07ad1ba5e43f1bca32301651339e22904cc8c42f58c30c04aafdb038dda0847dd988dcda6f3bfd15c4b4c4525004aa06eeff8ca61783aacec57fb3d1f92b0fe2fd1a85f6724517b65e614ad6808d6f6ee34dff7310fdc82aebfd904b01e1dc54b2927094b2db68d6f903b68401adebf5a7e08d78ff4ef5d63653a65040cf9bfd4aca7984a74d37145986780fc0b16ac451649de6188a7dbdf191f64b5fc5e2ab47b57f7f7276cd419c17a3ca8e1b939ae49e488acba6b965610b5480109c8b17b80e1b7b750dfc7598d5d5011fd2dcc5600a32ef5b52a1ecc820e308aa342721aac0943bf6686b64b2579376504ccc493d97e6aed3fb0f9cd71a43dd497f01f17c0e2cb3797aa2a2f256656168e6c496afc5fb93246f6b1116398a346f1a641f3b041e989f7914f90cc2c7fff357876e506b50d334ba77c225bc307ba537152f3f1610e4eafe595f6d9d90d11faa933a15ef1369546868a7f3a45a96768d40fd9d03412c091c6315cf4fde7cb68606937380db2eaaa707b4c4185c32eddcdd306705e4dc1ffc872eeee475a64dfac86aba41c0618983f8741c5ef68d3a101e8a3b8cac60c905c15fc910840b94c00a0b9d0\nOutput = 0aab4c900501b3e24d7cdf4663326a3a87df5e4843b2cbdb67cbf6e460fec350aa5371b1508f9f4528ecea23c436d94b5e8fcd4f681e30a6ac00a9704a188a03\n\nVerifyMessage = Ed25519-5\nInput = ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f\nOutput = dc2a4459e7369633a52b1bf277839a00201009a3efbf3ecb69bea2186c26b58909351fc9ac90b3ecfdfbc7c66431e0303dca179c138ac17ad9bef1177331a704\n\nVerifyMessage = Ed25519-SPKI-5\nInput = ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f\nOutput = dc2a4459e7369633a52b1bf277839a00201009a3efbf3ecb69bea2186c26b58909351fc9ac90b3ecfdfbc7c66431e0303dca179c138ac17ad9bef1177331a704\n\n# Length is wrong.\nVerifyMessage = Ed25519-SPKI\nInput = \"\"\nOutput = e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a10\nError = INVALID_SIGNATURE\n\n# Message is wrong.\nVerifyMessage = Ed25519-SPKI\nInput = \"Hello world\"\nOutput = e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b\nError = INVALID_SIGNATURE\n\n# Ed25519 does not support configuring a digest.\nSignMessage = Ed25519\nInput = \"\"\nDigest = SHA256\nError = COMMAND_NOT_SUPPORTED\n\n# Ed25519 does not support signing a pre-hashed value.\nSign = Ed25519\nInput = \"0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef\"\nError = OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE\n\nVerify = Ed25519\nInput = \"0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef\"\nOutput = e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b\nError = OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE\n\n\n# Derive tests.\n\nPrivateKey = ECDH-P256-Private\nType = EC\nInput = 3041020100301306072a8648ce3d020106082a8648ce3d0301070427302502010104207d7dc5f71eb29ddaf80d6214632eeae03d9058af1fb6d22ed80badb62bc1a534\n\nPublicKey = ECDH-P256-Peer\nType = EC\nInput = 3059301306072a8648ce3d020106082a8648ce3d03010703420004700c48f77f56584c5cc632ca65640db91b6bacce3a4df6b42ce7cc838833d287db71e509e3fd9b060ddb20ba5c51dcc5948d46fbf640dfe0441782cab85fa4ac\n\nDerive = ECDH-P256-Private\nDerivePeer = ECDH-P256-Peer\nOutput = 46fc62106420ff012e54a434fbdd2d25ccc5852060561e68040dd7778997bd7b\nSmallBufferTruncates\n\nPrivateKey = X25519-Private\nType = X25519\nInput = 302e020100300506032b656e04220420a546e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449ac4\nExpectRawPrivate = a546e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449ac4\n\nPublicKey = X25519-Peer\nType = X25519\nInput = 302a300506032b656e032100e6db6867583030db3594c1a424b15f7c726624ec26b3353b10a903a6d0ab1c4c\nExpectRawPublic = e6db6867583030db3594c1a424b15f7c726624ec26b3353b10a903a6d0ab1c4c\n\nPublicKey = X25519-SmallOrderPeer\nType = X25519\nExpectRawPublic = e0eb7a7c3b41b8ae1656e3faf19fc46ada098deb9c32b1fd866205165f49b800\nInput = 302a300506032b656e032100e0eb7a7c3b41b8ae1656e3faf19fc46ada098deb9c32b1fd866205165f49b800\n\nDerive = X25519-Private\nDerivePeer = X25519-Peer\nOutput = c3da55379de9c6908e94ea4df28d084f32eccf03491c71f754b4075577a28552\n\nDerive = X25519-Private\nDerivePeer = X25519-SmallOrderPeer\nError = INVALID_PEER_KEY\n",
};
-static const size_t kLen38 = 1262;
+static const size_t kLen34 = 1262;
-static const char *kData38[] = {
+static const char *kData34[] = {
"#\n# Copyright 2001-2017 The OpenSSL Project Authors. All Rights Reserved.\n#\n# Licensed under the OpenSSL license (the \"License\"). You may not use\n# this file except in compliance with the License. You can obtain a copy\n# in the file LICENSE in the source distribution or at\n# https://www.openssl.org/source/license.html\n\nPassword = \"\"\nSalt = \"\"\nN = 16\nr = 1\np = 1\nKey = 77d6576238657b203b19ca42c18a0497f16b4844e3074ae8dfdffa3fede21442fcd0069ded0948f8326a753a0fc81f17e8d3e0fb2e0d3628cf35e20c38d18906\n\nPassword = \"password\"\nSalt = \"NaCl\"\nN = 1024\nr = 8\np = 16\nKey = fdbabe1c9d3472007856e7190d01e9fe7c6ad7cbc8237830e77376634b3731622eaf30d92e22a3886ff109279d9830dac727afb94a83ee6d8360cbdfa2cc0640\n\nPassword = \"pleaseletmein\"\nSalt = \"SodiumChloride\"\nN = 16384\nr = 8\np = 1\nKey = 7023bdcb3afd7348461c06cd81fd38ebfda8fbba904f8e3ea9b543f6545da1f2d5432955613f0fcf62d49705242a9af9e61e85dc0d651e40dfcf017b45575887\n\n# NB: this test requires more than 1GB of memory to run so it is disabled by\n# default. Uncomment it to run.\n# Password = \"pleaseletmein\"\n# Salt = \"SodiumChloride\"\n# N = 1048576\n# r = 8\n# p = 1\n# Key = 2101cb9b6a511aaeaddbbe09cf70f881ec568d574a2ffd4dabe5ee9820adaa478e56fd8f4ba5d09ffa1c6d927c40f4c337304049e8a952fbcbf45c6fa77a41a4\n# MaxMemory = 10000000000\n",
};
-static const size_t kLen39 = 2270;
+static const size_t kLen35 = 2270;
-static const char *kData39[] = {
+static const char *kData35[] = {
"# Test vectors from FIPS-197, Appendix C.\n\nMode = Raw\nKey = 000102030405060708090a0b0c0d0e0f\nPlaintext = 00112233445566778899aabbccddeeff\nCiphertext = 69c4e0d86a7b0430d8cdb78070b4c55a\n\nMode = Raw\nKey = 000102030405060708090a0b0c0d0e0f1011121314151617\nPlaintext = 00112233445566778899aabbccddeeff\nCiphertext = dda97ca4864cdfe06eaf70a0ec0d7191\n\nMode = Raw\nKey = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f\nPlaintext = 00112233445566778899aabbccddeeff\nCiphertext = 8ea2b7ca516745bfeafc49904b496089\n\n\n# Test vectors from\n# http://csrc.nist.gov/groups/ST/toolkit/documents/kms/key-wrap.pdf\n\nMode = KeyWrap\nKey = 000102030405060708090a0b0c0d0e0f\nPlaintext = 00112233445566778899aabbccddeeff\nCiphertext = 1fa68b0a8112b447aef34bd8fb5a7b829d3e862371d2cfe5\n\nMode = KeyWrap\nKey = 000102030405060708090a0b0c0d0e0f1011121314151617\nPlaintext = 00112233445566778899aabbccddeeff\nCiphertext = 96778b25ae6ca435f92b5b97c050aed2468ab8a17ad84e5d\n\nMode = KeyWrap\nKey = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f\nPlaintext = 00112233445566778899aabbccddeeff\nCiphertext = 64e8c3f9ce0f5ba263e9777905818a2a93c8191e7d6e8ae7\n\nMode = KeyWrap\nKey = 000102030405060708090a0b0c0d0e0f1011121314151617\nPlaintext = 00112233445566778899aabbccddeeff0001020304050607\nCiphertext = 031d33264e15d33268f24ec260743edce1c6c7ddee725a936ba814915c6762d2\n\nMode = KeyWrap\nKey = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f\nPlaintext = 00112233445566778899aabbccddeeff0001020304050607\nCiphertext = a8f9bc1612c68b3ff6e6f4fbe30e71e4769c8b80a32cb8958cd5d17d6b254da1\n\nMode = KeyWrap\nKey = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f\nPlaintext = 00112233445566778899aabbccddeeff000102030405060708090a0b0c0d0e0f\nCiphertext = 28c9f404c4b810f4cbccb35cfb87f8263f5786e2d80ed326cbc7f0e71a99f43bfb988b9b7a02dd21\n\n\n# Test vectors from https://tools.ietf.org/html/rfc5649#section-6\n\nMode = KeyWrapWithPadding\nKey = 5840df6e29b02af1ab493b705bf16ea1ae8338f4dcc176a8\nPlaintext = c37b7e6492584340bed12207808941155068f738\nCiphertext = 138bdeaa9b8fa7fc61f97742e72248ee5ae6ae5360d1ae6a5f54f373fa543b6a\n\nMode = KeyWrapWithPadding\nKey = 5840df6e29b02af1ab493b705bf16ea1ae8338f4dcc176a8\nPlaintext = 466f7250617369\nCiphertext = afbeb0f07dfbf5419200f2ccb50bb24f\n",
};
-static const size_t kLen40 = 920103;
+static const size_t kLen36 = 934972;
-static const char *kData40[] = {
+static const char *kData36[] = {
"# Sum tests.\n#\n# These test vectors satisfy A + B = Sum.\n\nSum = 0\nA = 0\nB = 0\n\nSum = c590e57ee64fced3ca84d4bb013bba7d633e68b2ff4e27bf1db43f386dbfcce501f112b7fff6fb9436a576ccfccce12867becf02b91961453ea41f414764407d\nA = c590e57ee64fced3ca84d4bb013bba7d633e68b2ff4e27bf1db43f386dbfcce501f112b7fff6fb9436a576ccfccce12867becf02b91961453ea41f414764407d\nB = 0\n\nSum = -c590e57ee64fced3ca84d4bb013bba7d633e68b2ff4e27bf1db43f386dbfcce501f112b7fff6fb9436a576ccfccce12867becf02b91961453ea41f414764407d\nA = -c590e57ee64fced3ca84d4bb013bba7d633e68b2ff4e27bf1db43f386dbfcce501f112b7fff6fb9436a576ccfccce12867becf02b91961453ea41f414764407d\nB = 0\n\nSum = 0\nA = c590e57ee64fced3ca84d4bb013bba7d633e68b2ff4e27bf1db43f386dbfcce501f112b7fff6fb9436a576ccfccce12867becf02b91961453ea41f414764407d\nB = -c590e57ee64fced3ca84d4bb013bba7d633e68b2ff4e27bf1db43f386dbfcce501f112b7fff6fb9436a576ccfccce12867becf02b91961453ea41f414764407d\n\nSum = c590e57ee64fced3ca84d4bb013bba7d633e68b2ff4e27bf1db43f386dbfcce501f112b7fff6fb9436a576ccfccce12867becf02b91961453ea41f414764407d\nA = c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = 23f85668bf4d0fa273d8c7f63c5fee57811062a674111e295a73a58e08dd0fd58eda1f473960559d5b96d1862164e96efded31f756df3f57c\n\nSum = c590e57ee64fceccd54e0bdc52476a756d32e794922dca0acc780d2c6af8852351102b40dfb97009f95e019a5bf38e5d127aa78bc34425edf96f763084a8b09f\nA = c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = -4b5b16252ba2355e0b87f01baa721783c403607a4c1b5652c09a68e96926c8e314fa580bf0ad3f8f59bd70f14df86a4676661899b54c79a62\n\nSum = -c590e57ee64fcec882fef3ffd015a3fd9024d8f5f6d53eb537d6abdb0ff5e76a8fb08d5feed113fc9e74745d957adf32704a08339ba42efd5746c5d478e3f57b\nA = -c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = 908007a2f3c551c58958d1059427a0391d4d768f61cb802e4cb062c778354ea3eaa8f0dfbd14ca8203e07ae6d07269b58088a39f7608c5586\n\nSum = -c590e57ee64fceeb242f8a0893eaa0d2ccc3dc57ec40fe917cfde66618fba678ce0c8fffc566d4e8c7944d6443def8014fe8ee410a1b8dfd06cb0b436619e0dd\nA = -c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = -1999301bd9877fe07ca711f308b2f1bc4a704fd194ec4dbc297355d6285340d6ad7e90cb0add1770aea19737a06750c3a7a6fa0b778ca995dc\n\nSum = c590e57ee64fcef321395bba088ca0a867e1e85a1ea77478f8783e6a6cf8f3e582bff83cb2d7d9fd549fcbb40dea22ac140351007030059500bdca81413600e9\nA = c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = 219639ed8afc21e052422fff0ae5583231ebca2999404b099628093e6540b1dbc20b9c495aa7229b5965b19a5fcd653b3fa0eccab567c5b5e8\n\nSum = c590e57ee64fce834a00cc6282cb0eef49eac7a8d5b51988cb49253ed85ae261c76f2327a691fc63eceab02614807048b2816cdb9b89ca66a17b6ed1abdab580\nA = c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = -4e40fea1cc899fb166dbc721a6639a28be4164ef92545307ed934796afcb9401d75c18d23352471709fbd049c50740ffeebe5590fa2d959581\n\nSum = -c590e57ee64fce1a17609c61ce02f1020c6eb6e241e3fdd01546ce7247725589de32db95f36718d410f9ce9a94fecc8fb205e876fde75ce83f4d01e1bd5d818d\nA = -c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = b7739ed1cd3e67cf541943326cf76b4476f767465ee53b94c57c83de417ebee5673809b3bed1c8bac2fc4bce29a4e36d6d2083fdea1c12c974\n\nSum = -c590e57ee64fd03e2d08c3d8e5110d08e3d36557d82e0e49b408337a8c9d4298802ae5f0145a9587531a70d2f8af932b8262245428b5c549817d333f2dfaeeec\nA = -c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = -16ca20955a9d8a64cb2be217c089edecc02a75a1ea95fef584925742c18a234974c0a16ee7991e80bd8d4106db385eafaf421ac3373548aa3eb\n\nSum = c590e57ee64fd1bcac71b5b055e5934ba15dd7f56370063369c36e57a6b753269e085d0f4d38bfb711d5579dd1d89d07f266e727b232a497d5b0d9bfbc02d8a5\nA = c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = 2eb21724781497ad2f57babeea62a20c3ec5d1559867a0968d74351a337db12c17bc8d1d5446b1115b5441530870f67da4275dfd9f3e2928da4\n\nSum = c590e57ee64fc7860b0be6ce861bc2f099db7fb623912b7b0729c019a8183c669c73efe02b195483a4cd2c78244cd59678ac4d62f6887fe686a3eed37ed460ff\nA = c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = -74b7ff38760864efd658bd6699915be16cc058454b78495ade8be42c9f7470ca9b7a43655e1427ab1bc35a5693dac424a6ed92d10f85a9bea02\n\nSum = -c590e57ee64fc3126776e79d9fca06233bd2ef5570a65e4521183627bdbdbc555e9118508cf63f519bc0caedbffd5b1a913ee8c3603804820a9ce54b1207bdef\nA = -c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = bbf238886916ca0ba32e9def9f9c8a8e401eb95dea96ef02df9fc25a186e52fbee9ad42b76ba6ca2c381d12cddd4292c5d355341a80c7688d12\n\nSum = -c590e57ee64fe6dfd728dfbe45aee52380b5a00cf1e05e9f09ac582e2714bb589caf2ad038111c5b1b5573a45706ab1f6fd5d5a1ee7ef4a9bf186dca8a9ede12\nA = -c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = -180e4c29718f394424cd5b03b6bdb8911c57fcfe435cfa66d10941f870f8c5eb1e1fd251f14af03f23ccc1841f014bb42a545f476dfeb12e9311\n\nSum = c590e57ee65004b3e18a5820de4a6d25e7c3d310003e0b8716bbfd51d5f0f3e87fdf8e00599d713397255281e66ef419a9d9bb228e8f052764f5f861ccca656f\nA = c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = 35e2568ae9f1d1dfaccfc211e9c0c6eec9400a0de880a94309992528d428e77772f84e21d0287fa76cc6fb880481ebc43ad20524f895f35a1a6e\n\nSum = c590e57ee64f84896a5f11f575d34b6001f27d4b4d6e7cd9485260629f8f7f1c6ca6f6115b98d776774295dde4d59cdbbceccad097a0a054b501bfb47d81e85c\nA = c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = -4a4820a05c39969774f623bf6c03ebe0c56dc45bb46e8d1e6b32ee0fc3c6168d26c4d1c0ec7b81f1ea76f164ebd00b2a2a00aacf40175bee62a5\n\nSum = -c590e57ee64edf1b2b57b4cbb92d778ea6b9d9878a0374d4ea81691b09811b105bb6dbf23a57d89264f0e6c83f8d00fe00681644feed56e15fc81103ab9b7dd6\nA = -c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = efb65fa7b963533d48c77ef80fc7af4bcd72222cabb6232ccf3efeffdde537ce25a8e4129b91273a8654ade9a05ba3dd73740008eec82dd4cd2b\n\nSum = -c590e57ee650e25da7b60146e014f472bfff9809aa8f519db7943f69d9ad09ee75a3427c6127cce7bd27f224b9dec03111fb066956b4903f9f9740cce1aa4ba7\nA = -c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = -1138c1cb69317d3aa341c9a4daeba71400f56aae62a98acff1f9f1aec88a4ef01ceac74246fcb531738de63a94fc8b3e9c5ea3fc64101083a00a6\n\nSum = c590e57ee653af8752322840ed720f628f9674c81073b58372e49ef26d4a2a9d46a0391bc170336614b27849de98709a4b321da4ddfb978e9f10df29154edb9f\nA = c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = 3e0b5c732ba11e1074f0c69e48b78d724733c66368a21409c404debe97f444f4a352acbaef5f077d0e9479ce067043b30cd393f3fdf5d3bde909e\n\nSum = c590e57ee64bc13634cbd149aae35ee47bde6ea3663f74ff300cfdb2d845f902f017586c6d4f83f08c3b4f0c035055d13fc9d340b7b9ed164432aed44e8f4d7c\nA = c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = -40d9b56339ce561876171a9d37aabd30fcd47dca1171e5467f14c6a9f616b04d67a4abcc8334d637731816e87e35feb10dd3f1b9e50f78ae0fd85\n\nSum = -c590e57ee6477eb692705f8da1357e71591336907a5e0a6e39715088d53b2610882765357563fd101bcf05ca545a0c718f52879fdf4f80cb9a12cf108eca60ed\nA = -c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0f",
"fcbd9704b01\nB = 8501af88f0ea16b3541e4cc9eb2bebef137d8d33cc4485772c43ed28f54a1fcc2012b2d347c8f126d7ae11eff2f00c37b4989c5be30bb4aa5ea14\n\nSum = -c590e57ee669b662e37f5abf13d00d2f0c1c9a8b99ec546361aad255f375bc2742a3487c351c5ba00efef09c77331577460a47c57125c620b643e9eaf36a146b\nA = -c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = -19e791587fec9007654cd8e66ab13c609d121c54fcbd84c6c7d1d7e7ec8ea4c2f65d64c5fb6e43106b8e2497b89124ce5afbcb5672ea1f19f9c96a\n\nSum = c590e57ee681dcbf1554f22c0b1ffead917dd414299cb37ce6967ffec9c333931e70358729843c8130ac95aba47fa1fa5da74000eff25eecae176f093a4effca\nA = c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = 320ded8a5583fcfeb53e576bcbeac4f04d7135d9e86b2d9d154943c3b97bafb75e3e45e7a913523db81aa7af5589604d2794974e466f3d60deb4c9\n\nSum = c590e57ee5e505ae4a2e1f25a1ae9b7b4d17dd2cccc09f2416d964e55af6d0d31fe259c160f87646a72e6732d5110256b3b35425225d622b81418435c9dd8cc4\nA = c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = -6ac92340d14f096abc24dad89a0c226c8ea322f5d4afebd1b7197c3ad46016112d87f4a1d51b2691b684fbfa9e627b806d6829de8f7b960f92be3d\n\nSum = -c590e57ee58c3ef1582bf7a516e36f92b60f5a587e2c8cb071d1d52ff215854e52de1519fd5204fa52292dfdc397d8d76b78005941358b63a3e6ca41b0eb09b7\nA = -c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = c38fe032d37689f58750c36fa28ef6bb22b5969adc3fa13a98650107d8a4bd74d3f940f6da545ba32fae7b42d9b64761953ef1bbea358a2885414a\n\nSum = -c590e57ee80262967da4038a143f8ff2e78646108f25ff7183444ba507d76f9b05a34c8310e682c05495d0863ceff264964dbfa7c064adf6d26d2dca6e22ab13\nA = -c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = -1b293c4f2a4955b07d4cf9cc1d45cc155d6bd2a769636d3db29854baaec92ab9ec084850b924e2cd6286b11e7fc09071d99e3a1729c2dfe94b26012\n\nSum = c590e57ee85427f08e8c89ffebfcc05c73370ad4cb77696c2b2f3878e6f6df341d4d931b5097aba49f14ac0312e7da1c843d6fd08119822e75e6e7a8c7bcb7b0\nA = c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = 204591f038d1bd0df9200064d852185922827251e8123a7ba48f4e4c296d943de71ad69561129a9ac2052c9d5ebb92fde4eb7d91615e7dcee4c6caf\n\nSum = c590e57ee051ca1a363c47a4cc016c3de7f7e17985009b545528289e9fbc9086f4b42a73826eca0c278b0d1b4ef6d74b9a0bfcb7855d40fdb201fbad1074b927\nA = c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = -5fe04b754c3268a406954183dba07d5b44ea6f2b785ec328cf159c866028f63efb7342f2178753e17d0b0071445b9e91d6d8957adcf041ec8fb91da\n\nSum = -c590e57edcd6e9ef06fe33f3817ba3d0c50c8122b77615c4b8fa50c5514f113d7ba53ce057d487bcbc373c4384d07b29a527b7ef785ca609474879b42a9a4c3a\nA = -c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = 978e4e284013a3b8aef1c8560a5682c81d92c8253b3c40bdb5ed911df117cf71a51767e8ccc4615e1f70c290929feb12a6e244c18888617aed5fec7\n\nSum = -c590e57f0436bdceb586a093522eb1630e0fc08f8790957aba1875a42b7676f9ca936e8f6f3478d6ef5cd590bf6ded0700440dcd769496822af8015f0a6ba2b6\nA = -c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = -1de6eefd2a87326445c3f10ce85dd7404e415333ad6a60d2fec88caa6fdcb4b7fd0e7a9ba659533758a665b451f2572cd3c9cc2ccb27019330fb57b5\n\nSum = c590e57f1df3f004d5e49f49fa28603b26659f1fd35e0d8d7a2753591dbc12c51e6b588427dbe3faba2f0c1f2f0a2aea9ba1fcb2fe71c6ff40555058d23c8661\nA = c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = 37a421334ae5311aedbd9fe500b3b5d09a0ecb466d793e87f10e2875c3b49eacb5b5e5bf712b89c5c842a397ed5046125ba6fca9e084508cf8cc3b60\n\nSum = c590e57e9a4abf4572fa7c4c9f73e9d3fd1227646fd6d15b51924bd7a5d417b01fe6b4273eaa6ece387422b81c8116f29702d7d66d2f6e8c3454807b3b7d413c\nA = c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = -4c050f8c1804f1e26cf6d682289fc1eac97870ebbb1bc8f986d9d29f3ad005b0337b8f6d108f5fa14a467060174edeca359b5bc92b7c7f509df309c5\n\nSum = -c590e57e64216c306f17017ac9dd7085113e16c83168664dbb77c7ad3ddfc79b09f9ea0c474a0b497ca15e7fb258eed9666fd009f691a3b2d691c2c6b22ba3b3\nA = -c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = 822e62a11be86cb4428d4fd11473d28707e6dbf951364d23eece22b450bccfcb2adbf2f1cc6223d9b46e987947e1e696ac3926a2893f3d052744a74e\n\nSum = -c590e5806ab4d09773c4f94a4aac09f6ed7609eec1d0bafecb09e30f032f706e9adadc191ff9e6d7dccc821f7a8666a590e521749d24912c5a5ffeff246f7c85\nA = -c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = -1846501c5e8c58b1b3e4149a0c7c4209f888178b7be5bce3dd681861f40242241add3e89c93c8ffc613bedf52e2936ad3fa59c6d6fa8eff334aff3184\n\nSum = c590e58248cbf5dd61ec57994fc862ab479dc6cda51cc17356c45cef66bbfdd12f5cc421940a561581c123fb17483beb7a1cce2596fa9ca76e722a6f4621eae9\nA = c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = 3627c270bd6ece96a435da25521ebdd7e6bcd7f2c4a16481e3a0e1381d4a60a4a21e457da38bda1a1b080b498cbcb1784f42fd2520ea12aa36cb19fe8\n\nSum = c590e5771a85bdb1f26c0386ce837bec4b0af5656496efdf4f134d875f066dd6d477ca8f87ffb275da07da4dd1bed4232849a526836b47f2d69f2d53b6b3e2f1\nA = c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = -7cbca111f98936aa83de74469daa6f3e9d4b85267bd9ac749cda77c78863eef47ea264bc56efba80b9508b32f8608117a1f5f82628931d27822bc6810\n\nSum = -c590e571c76afad23439f904e8a80fc28dcabb6cb732e361ed3eef471be6fa755e3fe746edbfe448c1f289ffed7dfc01fe9066d780564f57f93abbca9b9a995a\nA = -c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = d1ee4d3ff56c5752a23c2b09397e72de2821c5ee51f6f258a10c6efd9fc76d290846619f28710f85979498b50afc14fc922747afd669644013dd5b1a7\n\nSum = -c590e598cd5d4a59ff5d6c97c6370fb517f1d492a7776f90063b0ddd6702e37c60fc78bb12857911cea37b7263584d7dc815676de6b8880200acea154b59b08b\nA = -c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = -19e70d7b88745dfe68b9cc4f5ef23feb436e282d48f98cf90c3a54f92d0645bee3a05f7ad6859ff918fc90c62b19c3b0cd43edbdaca0dbea4971e9658a\n\nSum = c590e5b5829e6fceb77830fbe999a98127b50302fd0f6a86ea4aea27b846747a07e6fcf5457676e6446137d6bdd8ff4fb7ca747b650b066d65d7dc1e172488e7\nA = c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = 369c4ea0fd2c78c2ccdd2ee92b020319b3c3c0283fdd9cd5568b988a2aad30431dd35078aafb5db57d571177fd0978bddac2403c180606dc523db43de6\n\nSum = c590e52a3ab5d5c458634254e2f672a322000750741e969d2f6cd12d172480ad1455300e3a0575b068b85d50b58f9737be13073188d0f03b71494bd0fd2fea16\nA = c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = -54ab99f90d329c2bda29744db303b1e1fec530aba9dd4143a4158969a2466189c93820888ae04b2508b137f01af03eaf6f19f9da19ee87b3fadc4060eb\n\nSum = -c590e4880579ef7241bde94e8c7847badc705f53828751f9975f0e66371d2ddff8740b143f32e88be8e686e2bf5a3ce03d864d7699a813b1777b9239af242c7d\nA = -c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = f6e0d5df5f494184e07ff2789b494189fbb6c7f04d754f066af590bc6f6242aec332f315af601cfb76a76d4a7270cb692a0922b6a3e8556d922a4c1e84\n\nSum = -c590e6dbe54098694155509e38c61d503ab7e5237d2cdfc2b87fb57e3a8420fe37fe50a0dad4f0eae3d38fad6198e4ecaeae183a12078f53d09ac8099c715242\nA = -c590e5",
"7ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = -15cfef0c997b655e26f2c5b5cfa1505fbd443dd9d7babd1a0ad0dd636aedd4796c968aef2af9ad00d53fad15d9a005c61996f3cc4fe70c9c83dc3010741\n\nSum = c590e906254d013be2021ad591e76e26706a6815b8c484b6528fec65416e1066957002713e1183f1005f565983aad7aa031e549e6fc57094ca3e4383e7fdbc15\nA = c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = 3873efd326a5702aca6857cadd04ab87ec67f75426f45e1d79414c026173ab94899cbeb85b5b75bd4001ce3505754cc9dfdccfaa63f6a6d43b80e8d7114\n\nSum = c590e0e0079190d7afd80acd6326fe93cc00903318608df31ee4493d11271dac7291bd142cca0e5dd7dda59dabd460a69b7855d9c2acb5f062de76665e07cbd7\nA = c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = -49edebe3df9db276361a943c1c259b1591c20eeb453edc9cb941b86cca2e824fcc3455befdd7125dcbbbaf326ac12d960c6e01e1464fcf289657b687f2a\n\nSum = -c590d9ae456d66c1b132d844eb223867ba4560b36f53c42a616cf8cc657e6d252f813847fb9fc50127227684e5c0f5cd890eceb341d21e788e42f843e9b64080\nA = -c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = bd0a0e2680fd9cc95ea214887ee6b6c889bc9fb7e1cab411c04c72f7d2a2b35818f7686393a21e10bd4810691852542e7ed60f8abdcd18e0787efba0a81\n\nSum = -c5910498291472fe1d0047d5bdd9e46deb3f26000e943fce8d83d700d9ae233ab3a28849bbb346803da142db6a471e9f79cd49571f40dbc46f7b727a4bb3016a\nA = -c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = -1f1942c4a42c9200d9a6b16f2417c58d3cb0d544fd8780d5c22fad0038eb58ebce72498d4844f49dc082037f974ccb7b92b67c76116f0faa72ae7242b669\n\nSum = c59112d841ea109440e78563d9eefef201c81e86ae967083f8b7db80d1eaf58551d30519ca6dd79164fe69a29cf1ba22446cb2999f73292241005bf17b37528e\nA = c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = 2d595b9a41c2b5e81734cd843e9bdc16353775472e3cec09c6afa53d0b35f71c4b425847d9561bfae749362a32cf961afbf8fca85ecce12f5c25a1c7078d\n\nSum = c590671f890ca06c74ac6d2c4d75aabeaaa55312e85a5e1ea9cef0e08e154e2b090eaba869e9f6e4a47ae10b9c1eb0f6ae4fb3ef12b3121d96066c6c8e592b6e\nA = c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = -7e5f5d432e6516530102bef515977b0c963c50f4e42862df23f09e989c2451a80e2f083c0756a488a14dcaa8d65c000202b19017b837c9ca935f4b171f93\n\nSum = -c58ff0ae92ab03072154949a7143d45278ef77a0ba71a785d5a370e0d30a9b4b4f7e96a395d13e6afeebbd717365d471ee56ba11c472a63c0532558104bedfc5\nA = -c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = f4d053a4cbca69aad9949b26ec03acc271ae7edd9ac1370aa3f059a34f040b382333dc54bfd04a17c4e7f361b2e0bffafc8ede5824195a9eaa4ad4b16b3c\n\nSum = -c5927a5fcc3b31abeca3998ad99c07626112288a6ad95b24929fed581040757fdce73881c48b02daf09986ea436a3f5ceb6833c31fa2e1691567601a26c7a6c9\nA = -c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = -194e0e5eb62da61a42b5bcd31470c3b603f3b318a18dd85f1d886e3928b3082307eaa5265049fa7960490dca2b80a3d167d227cd81713b596604e4d575bc8\n\nSum = c59395e94d495451e3fea153f3e4361a088004a7d5426c1b94aec44108ad6f5cecc3a80dda0cea9f51b882747258137e171bf021b4fc59f4dcf0106d4ba952fa\nA = c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = 2b06a66f9858058ff3324e77975c3e2ce1b589bf329d48800af6fdbff850d920cee3667e6ec6408b5001b0b908c2b68ca398112318f9f7d1f10a1723907f9\n\nSum = c58bdb26c0fd6766f3affea389cbe7db25c06d5d56356d3d945347775bddf479ffc9e279e7d1ee88eddb239906749815ae4502fbbc6fe978a001ccdafd89cb10\nA = c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = -50a582552676a974f6f8b829ed87afff17bf1e319d509785acd59d0cff5d55aecd75d8a540fb25b285ec06052ef3d000cb3a4e65ae0dcbfcf32f0dbe67ff1\n\nSum = -c581afe9b7ae86d4b7053f19649beea6cb935799a553f035f9b9a7fba6d5559e4ecdcd1637c73c8052c6cc52ee1c28d1e5aed9db7261b7356afd6e3dbc213684\nA = -c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = f35952ea147fcd3fa2f15a7ced1af5a1e91b593fb521112f46cd585d894b10be8ecc13a5ec1baf63cb60678ab5e80c8a2dcc53069131ff4d3918e1d4f147d\n\nSum = -c5a19f36a65a6a8d52a53a63f99a1b957d6e376b7010ad14695d78d67b0d7c86881006188bd27bbf205c8c9c200dc8f5c08ab6b97dcd512f6cb93ed9a361ff9f\nA = -c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = -10b9b7c00a9bbbc7a5cc34ed2f5b3f57bc4e1c36c16acd5caf64054e5f92372d594c4119ac7d83d7590a42b94641a312390018db0286da0ce83f0dc9f1b49e\n\nSum = c5cd0e5da24b67a894402b0eee5dd586ab70e5beb0693e263a54995193663a9b770141379c1f097a49d1a889bbf0c348c6f40ed50bd7bdc11a7869c6106c6d80\nA = c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = 3c28debbfb98d70940bcdfe1f3153085befc6f7719fbdf2da6848066b8504c1c4a876029f90b3f00ce263055293bf618a25834690cf36bbaa769fa36fc227f\n\nSum = c54e2c560a00226701b76cf03d5de27a8c69b38a6b85dad9f7c903d2e87f9a7d247522e72491460f6a529e5ca2aaaf690cb238b873ffb49d9fb0ecacfedd4e90\nA = c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = -42b928dc4fac6a8948013ecf0cdddb994835c4cdc9676d14e510fe442e4fd2364196f04d94b82bdeb0e3fcc41cd7e9a19f7de82ecb15b7c020131eda92fc71\n\nSum = -c4bfb037f6e6e861efb090ee610c33e7568790259f747dc6e55d442aadd68c0cc93c7617f83980e8813c0fb7dd28c8aaca6ad8fdde5d2bfec9ae096faa9ef54e\nA = -c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = d13546ef68e66f9b4edd40ab5e8c6ecf2a592999dac4802750d0a67ed75e42917a43bf79ec7d52c7c772a1899ebea7e3e6dda2c46d9e569622f65c2ed155b3\n\nSum = -c6aa2af8c9ae8be4aada83f66b7f31a8bce5e92c67d8938424a1405903e5502bffc4ee1e333da4bcfd0cb383b19a566372f877a8344b66dbceabc9786dd0e4f2\nA = -c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = -1194579e35ebd131fdb15c75f1471529733ffdd2e89513d17f32b87d73765dca50e3446c117a681b409312a4ad2cf10c4a6c10791809c866edac9ac946099f1\n\nSum = c8aff66c9bdaa49eafac0f65d3ddff223b7a5471f7400431ca3a54615d600fc4a163f8fb648bddb5fd6915db1991611805040e0f86f152c8fd3333ef70d632e4\nA = c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = 31f10edb58ad5cd24aca136c7733ecc15c86b22bdf0c1eabd8c3f9030b2257546ad3f23f265df7ab4659381b2c9d9c556b2576ee42688739d6234239765e7e3\n\nSum = be1b6eb768e2cef388eebe31f9b21e51b38b351cc8175eba06d49eef04c2936f32167174dcb82297fd4180d0afb5da2c455d158c7a5bf01bdef8c295a4f20390\nA = c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = -77576c77d6cffde0210affd12b8a2047226b4327137e38d05d975e227eb56e028a04862956ddba34bc20188b711ad2668f4a114286eda3980d83d36347e4771\n\nSum = -ba32fca1d5cc5f31ecaf5407f376d3aef9f4abc04fd4c6893721d3e50e9141abf356eb2ff6f7a4f9b42983148670d2918e1dff7aa7ae33a6e9dadcb708b4f9dc\nA = -c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = b5de8dd10836f9f9e501a2718f3eca72bbd3d8ee97a7bbdd58c40ec1e1ca8a3675fcea77b2e594194d9ff44e056b4c12033b725fb1c96ae75f62314d0bb5125\n\nSum = -e388afbf17c495f86aa7298a45f848eb57e5baaee42b1f7de8c2311bfbb8f74549712c05fd3bd11ab8874fb55abb22a37ba3512e733ecd5c472842e8e6f7b179\nA = -c590e57ee64fced18aff6e2f0c6ac05625b1e94f394f42470cae14d12cadea4f5ab6b9d77225fe3b4903825966c78752ae51b6a0a2caca555fd0ffcbd9704b01\nB = -1df7ca403174c726dfa7bb5b398d88953233d15faadbdd36dc141c",
@@ -2526,23 +2480,71 @@
"4532f53729ba22efb2221432fab1dbb70853d6a1159b42fd19fc949965c709b209de106a652aa422d88922ce51dae47f7f6deaf0055202e13db79ee84fc3d3c6f4c003ef96597c49d6895fa53c22ac9e4819f7048146b5272f6279424fdb389819a0b251c823c76f4bebf4f1246de455aafe82a0d34454f5039e90839\nE = 9f43dcb641f3ecf4dbc97450f2bdf3b7ec6a2f3e8e96bb1df2bf34b8d2d78e1a9018d04d960ffd0e932cfc60d3b9b923e3f9f29b3f3d61cae3a9f7245078143475c7fcb896ff200f7d94c4f2708bb42750e37c185a31c876814e4f06a00771707654e1da2fb69c16b6500b16385e3b933e2276ad3569977473f699b1c7926c3b\nM = cd607549668469b792f495c141e500871880b0611c8004293a561ec7f9ab6561f8a9b90872742386adafb5cd1890e8204ae12aec529cca0a9e382c96439137f09de9973b12c8492c62847e107deabb7dd946ffbb9d0ac73b462c481092bd65326a17f21d8d6527c47a5dba50aaa20c7048b8788a49eb3ea5f29bd5cfce24eb3b\n\nModExp = 1\nA = a8558e7f455b27c0c46d7d0862eb409cdefbeca945e0284b5bf425b7ac0f3d316bc365594cc1639decffc621214d61479bc75135120d4ac09ea8b742ad7ec1822091b62b1c6f564fe5e2f4f5b7def92cbaaa9a898549207ab01b91c2324fbd306a87f7d6379b6fb6493c5fca76729767f136120da9c90bdc7d364f7d242d5acc\nE = 0\nM = 88f3c87ac5e3272a21b8a858da640d6939fb8113a95412c38663a0f352686d69a5d7927e60b484b9fcb8ef12978fe25ff2ebc9b61c5450e04222ef20ba3cbbdc5ec45581ce0f58e10be7bb9de7fa08752303a7a1db23b2ac9c6692ec63bf09ecd6639e06c5491ba568ea886620d71da32d329615f0e1443a75d09ae35b8a2d7f\n\nModExp = 0\nA = 0\nE = a5524b41dfc6b570df1d8f6633ac7777c1131abe3a99c6166b0d29d3b8883c41b00a0c53cdd6f42820bf05c810b6ec53e77a8c1b9344ea0c91d4f410a2f204c369f3db33bf8c88217fc2cf802a9d9bce8119242d8e781875b85431be170076498c0963574ee423551aec9557e2fc672ab1ab5d0cbb1c400535df9481e7934d8f\nM = 88f3c87ac5e3272a21b8a858da640d6939fb8113a95412c38663a0f352686d69a5d7927e60b484b9fcb8ef12978fe25ff2ebc9b61c5450e04222ef20ba3cbbdc5ec45581ce0f58e10be7bb9de7fa08752303a7a1db23b2ac9c6692ec63bf09ecd6639e06c5491ba568ea886620d71da32d329615f0e1443a75d09ae35b8a2d7f\n\nModExp = 292f0b39ca0f1c850b1a00cffd2d54924fcd5fc7e7504c9d593e6c0ff74760b1f4bdd81679fe06c50248336f3108c593fa111072ee87d0fcc89a63243a1dc89044503663eee9bc18f51c3e0193d9108303e12ac90ff78f6ec752a4386af09c42db524a7cbe9a3d4fcccd56c34d283bcc9debc17158b5fe8df0c1888a9841bf8f\nA = b4fde2908745ff92cc5826a27dcfdda09e8fffee681844fa4c7f1354d946d5d84e0e0c7a4a4cb20943d9c73dd707ca47d796945d6f6b55933b615e2c522f5dfc33e0652917b4809bab86f4fa56b32b746c177764895492d0a6a699812b2827fe701d40ef7effd78ea8efe1cac15ff74a295a09614bf04cae1a5017872ba22efe\nE = a5524b41dfc6b570df1d8f6633ac7777c1131abe3a99c6166b0d29d3b8883c41b00a0c53cdd6f42820bf05c810b6ec53e77a8c1b9344ea0c91d4f410a2f204c369f3db33bf8c88217fc2cf802a9d9bce8119242d8e781875b85431be170076498c0963574ee423551aec9557e2fc672ab1ab5d0cbb1c400535df9481e7934d8f\nM = 88f3c87ac5e3272a21b8a858da640d6939fb8113a95412c38663a0f352686d69a5d7927e60b484b9fcb8ef12978fe25ff2ebc9b61c5450e04222ef20ba3cbbdc5ec45581ce0f58e10be7bb9de7fa08752303a7a1db23b2ac9c6692ec63bf09ecd6639e06c5491ba568ea886620d71da32d329615f0e1443a75d09ae35b8a2d7f\n\nModExp = 1\nA = e2845c572b46496ac158a731f612fd40ef626fa7134755c25b1b7614f4d7b29164e6142ddb7985e4c7ebc575855ff901e95927fe98a5aea2ad3a4720c75782323bea1518b2c57790f44efd9411be4e95b3896bad1e73c59658290b309e5a7eb5ef8be08125063e57336b80f17eacee88966d12bbaaa15a25929c82e027cf696f\nE = 0\nM = cf0dee80177869a532f0c6c3a0bda3aad79bdb6b70b6c227b32d75c26e394a90c1f2a6c2bb841ba9f6556b15654a79d8b1dd0c90709a093497bf40be0807cdbb378a74de5893c25067224d3ea8d37387ed6c4a981138853cb89caa9ce6cd0f6a1e95de24d558e90960f93844db4d01e372650350d45a9d34a36042b4d4b9e78d\n\nModExp = 0\nA = 0\nE = a55703a72ca3f6074b939ed3d748196a684a3c8e411c2b39a9beb98993b6eb7ea3fa16f41bc5b5c3710b91c0fc74a8072793052f872f61695db3a2df872eaa427a110f1a8d568c85d58bd350d0df8eced7a10be80f7567360c1a8047b9c44aa2967cd0d9dd2caea2c1492358c2db4f0214da343fdf2e34272865dc5c63be2ae4\nM = cf0dee80177869a532f0c6c3a0bda3aad79bdb6b70b6c227b32d75c26e394a90c1f2a6c2bb841ba9f6556b15654a79d8b1dd0c90709a093497bf40be0807cdbb378a74de5893c25067224d3ea8d37387ed6c4a981138853cb89caa9ce6cd0f6a1e95de24d558e90960f93844db4d01e372650350d45a9d34a36042b4d4b9e78d\n\nModExp = c90e4c69df92e26549b016950b59080947f5403430698e128477782480dd70be96bed2b9042dd8c708eb432e02710555b97af11ce6fa9b53395022851c32d1f53f04237fb0763563b440ca6e81a50d909d907d9c26b7d3c420dbf88f7dadd488666848135f8cdc608dcfb0691989289fb54379c2e84c262f9765f68c012ca1b9\nA = 882ea1b9b6c79a3b1bdfd284658cb6227ad825e0178cab713c7413c2ec34f03cfaec470c4f5c521f5e9899a2123878ff0f5b36a4196c08ad1b04d03746c4bfb5d126f5eefbfe172627d6732710a8ac8890cedbd4fdef69a19f2b3253a5aa0e5dd5484f72d59b17bdd1dad3db209a3ab839368ed3975069685911d7b35e41a9e6\nE = a55703a72ca3f6074b939ed3d748196a684a3c8e411c2b39a9beb98993b6eb7ea3fa16f41bc5b5c3710b91c0fc74a8072793052f872f61695db3a2df872eaa427a110f1a8d568c85d58bd350d0df8eced7a10be80f7567360c1a8047b9c44aa2967cd0d9dd2caea2c1492358c2db4f0214da343fdf2e34272865dc5c63be2ae4\nM = cf0dee80177869a532f0c6c3a0bda3aad79bdb6b70b6c227b32d75c26e394a90c1f2a6c2bb841ba9f6556b15654a79d8b1dd0c90709a093497bf40be0807cdbb378a74de5893c25067224d3ea8d37387ed6c4a981138853cb89caa9ce6cd0f6a1e95de24d558e90960f93844db4d01e372650350d45a9d34a36042b4d4b9e78d\n\nModExp = 1\nA = d7a99e65b8af86b1c51d851f0447e43cd4f343cb0ada7236283e69aa7ebd383826acc9809e5dbc4002d0f2430022cb026458189db3805ce2de1142a31ba71a6c064ab51f0059eb4b931b8bcbaef023c38d57aa5f3e14f5df77e547fc028702071b58bd57338be1e1e4f98d3553484e4de359cefa29c5f58d3fa5d823f389dbef\nE = 0\nM = 8315dacf124bd473c578946347e83d1b20c750a7d9533d6215591be40bc78bcca77821f8c8f95375bbd6372515ada63d22bed2fa49bd6fabb0040c538d08db25b09d2fda02a93ab086cd1c27df93c37ee9c6a0527d089179b8f92b5dc3acf5ef1c75906fb80b03f5c2442a7a4088640f66376575ecfa4c697c1a571397ee5a0d\n\nModExp = 0\nA = 0\nE = 95793fe33696f53e37498b2b65aaf27079e27acf1da97dda2c3e0803e8a02139f574e04ee03f7d1ddd029f528e3f3644515ad6f10f0beac2767f23d9cd8a8b9b6c6e376e36b64a0ae2711d7d31a5a75011641935b503110edbefe9f0ff2da27b5c5f6bb8cc151fdc86f67191bb99160c6cacc86ca368d5bdfafd3f3ff5161b1e\nM = 8315dacf124bd473c578946347e83d1b20c750a7d9533d6215591be40bc78bcca77821f8c8f95375bbd6372515ada63d22bed2fa49bd6fabb0040c538d08db25b09d2fda02a93ab086cd1c27df93c37ee9c6a0527d089179b8f92b5dc3acf5ef1c75906fb80b03f5c2442a7a4088640f66376575ecfa4c697c1a571397ee5a0d\n\nModExp = 186c50ae259aa0fd31859cbcfea534e626a254de33956d5d719334bb32e7cf37cf199a21f079a5b90497228994d05efe19ccd8c769cd81f896286e8ae557cacd1630a928c629ecdfece29ab3697794aa707734e007318fa7029b050bb09ebbe6986187c6ca843f55266d275620b3f0fec0ad5f847ce8b314d929d128b33a249e\nA = 9d5e345793faddca9867f23eeddf6816c1e837f7a2cf96fa077212514acb6be87ac01a237d8f2f1d07d27a8ddd1b0ae0d97e1bda4f205a89435017284cdedea3e407b1b940d6f52112b6359b3e86e4c83074b17c210ae2c8856b42b169b4a7a6dfa65b368a7959496cf9bb1ee93d019dbd79101830e3f5ed08604ab90890b914\nE = 95793fe33696f53e37498b2b65aaf27079e27acf1da97dda2c3e0803e8a02139f574e04ee03f7d1ddd029f528e3f3644515ad6f10f0beac2767f23d9cd8a8b9b6c6e376e36b64a0ae2711d7d31a5a75011641935b503110edbefe9f0ff2da27b5c5f6bb8cc151fdc86f67191bb99160c6cacc86ca368d5bdfafd3f3ff5161b1e\nM = 8315dacf124bd473c578946347e83d1b20c750a7d9533d6215591be40bc78bcca77821f8c8f95375bbd6372515ada63d22bed2fa49bd6fabb0040c538d08db25b09d2fda02a93ab086cd1c27df93c37ee9c6a0527d089179b8f92b5dc3acf5ef1c75906fb80b03f5c2442a7a4088640f66376575ecfa4c697c1a571397ee5a0d\n\nModExp = 1\nA = e6a079bdf7b0638d50b183475e9ddfd5cbdebfb29f5fae8e9be402a0bd36085737b556492ea7fb4b1000ae9ce59db66098129b757cfb29224275fdaa46b8b7eb18a93ca7d3e446dc38c734b683d7ba7927b008d993aab01f44239d3c76be76d1503908e9b5e73b36c43ae0771368b01f39c042693bd92c4fc50810f059e1b332\nE = 0\nM = 81dd561d5d5327fc5ed7c9236b5fb21ef713c6d5e36264ba65ccc801b8eb107b714aad65bb503bb1f4721c0a6f97e5ab89300f049f42a4616ae43d29c089c286687484d18629c1be1b5befbdd0b3cfc86b1d28add89df4cc5e68dac3f56f2490a9068ca9c634ec258c030ec5023baa9133fd2af32fd1112895f9da549d410247\n\nModExp = 0\nA = 0\nE = f0460c5ca9b3a5c2d1b93c201d020dc43e1c81d1daba432e2cd310902da23eb81a5172b0b357484eb8fa2c04c270893b8198c8ad35453405dadaf05195b3aeb5ec0ccacecb4b6227ca43b27b97e240a4148a472670ed60f304302f757495fd4a91af0fe09800db0c3043a6ae213bee6703ad80523ca433d99ca0eab1e0b7c929\nM = 81dd561d5d5327fc5ed7c9236b5fb21ef713c6d5e36264ba65ccc801b8eb107b714aad65bb503bb1f4721c0a6f97e5ab89300f049f42a4616ae43d29c089c286687484d18629c1be1b5befbdd0b3cfc86b1d28add89df4cc5e68dac3f56f2490a9068ca9c634ec2",
"58c030ec5023baa9133fd2af32fd1112895f9da549d410247\n\nModExp = 60719701a2dc0bcde281a93ce0b8421d1a718adee43c1b5d9fe9e697a48ab3db4f9f33c73cff305ab6b6c300c149b05c6b289dce4580860dc56bc59de81ac074ecebdc65aa3ca040b44e5b3c80ddba1658d78b9abbc4c77e5f171f5582e70ab4438a8e1e2f062d618c4ad09c70c73b5b5fbc9f8f0bbdf1d530a933b705f85af8\nA = e1b400cd3b1f2f1c6b437adfdb970d2c8108f1b39bdbb13582179552011c6c97cba6bff2c463212b7f62776aa3e3aff9f175990e79395e819c144350b0a23d61638d500ecc97726b098e1af334aece23a851c718612442c04eb7b3805a24cc8f5b90042145eb5e5d6a408092832b6bbeb8a621419a9282fb5c075f41c7f1fdc1\nE = f0460c5ca9b3a5c2d1b93c201d020dc43e1c81d1daba432e2cd310902da23eb81a5172b0b357484eb8fa2c04c270893b8198c8ad35453405dadaf05195b3aeb5ec0ccacecb4b6227ca43b27b97e240a4148a472670ed60f304302f757495fd4a91af0fe09800db0c3043a6ae213bee6703ad80523ca433d99ca0eab1e0b7c929\nM = 81dd561d5d5327fc5ed7c9236b5fb21ef713c6d5e36264ba65ccc801b8eb107b714aad65bb503bb1f4721c0a6f97e5ab89300f049f42a4616ae43d29c089c286687484d18629c1be1b5befbdd0b3cfc86b1d28add89df4cc5e68dac3f56f2490a9068ca9c634ec258c030ec5023baa9133fd2af32fd1112895f9da549d410247\n\nModExp = 1\nA = 9dd1e6f2d3ff24096b54e0ebf0f10e283e484a1cbafc0431adda1296ed97692f3ba99440fd4f67c96dd8bab850e1123361c99362df9ea205ff8e90d1b329459f54730992d5a360e46fcc5f5a909e691abb9a06613d6991bd7c2aa609f0d7b441d7ded0c07b8c394327672d38a905efb2d76aa3be5bb14d0c002aa37e287aee79\nE = 0\nM = fda6f9d8588e3614f5a68ce867a5619f6ddbb8d64450ff402e1c4f1a08b518f79dca21e5983c207c5b7324c16895a1e9f1282fc6cf60b0645f6b02b652ed5b129e67c939e854ab492dec30ea878c3edde10a4b7d1d14c57100c6cbcc5fc085a0d7308715ed132fb917251919c727487fedb66500d5610b0014a43419acfbb92f\n\nModExp = 0\nA = 0\nE = 8622c37631e428402343dccf8ed09d47b3f4201e95058910289a62707c3ce0b7113c390056cc4796cc9893e471b12cb3f63f900f3356ffd25c8b2fed6f6a7fba2c684eb241ca706c76cecbf72473d8a58c02338e40714b5610465cc319f0a529a7aa3898d9e638b247abd1380c6e8f7fa210c9f1a1a2164db6db83a6bba79436\nM = fda6f9d8588e3614f5a68ce867a5619f6ddbb8d64450ff402e1c4f1a08b518f79dca21e5983c207c5b7324c16895a1e9f1282fc6cf60b0645f6b02b652ed5b129e67c939e854ab492dec30ea878c3edde10a4b7d1d14c57100c6cbcc5fc085a0d7308715ed132fb917251919c727487fedb66500d5610b0014a43419acfbb92f\n\nModExp = 86fb0b8dc161c41de2adb0f3ddcc8ad49c1efd729a52793a3ac987d4011c9c1dadb18657dca718df75c8ddcc49d60f152c46ab85ae9076ee7bfd405679a7da3a5195a1bbfd7d2b998c7b135ea91f8c445cbafe1276fa502c2a85477716829a2e0d24ba02623405a3654bed8f355bc7ccdb67c3f9a01e249e358b60d7699498a9\nA = 816610e6018ca47074d55750dd16a281019dbf95dc752605794cbb8ea8d75775317ce685737859728320b529fb3b4414b40bf3a93d08d8994a21ae54682cc1c357eb529837a7b0129a0843eebd9341c9bee3a8ae30475bdbff517e885a0c9f2b6a680643bd981efb53bf9dd49f3dc3cb757e117895fb34b1b4336d9bf8384558\nE = 8622c37631e428402343dccf8ed09d47b3f4201e95058910289a62707c3ce0b7113c390056cc4796cc9893e471b12cb3f63f900f3356ffd25c8b2fed6f6a7fba2c684eb241ca706c76cecbf72473d8a58c02338e40714b5610465cc319f0a529a7aa3898d9e638b247abd1380c6e8f7fa210c9f1a1a2164db6db83a6bba79436\nM = fda6f9d8588e3614f5a68ce867a5619f6ddbb8d64450ff402e1c4f1a08b518f79dca21e5983c207c5b7324c16895a1e9f1282fc6cf60b0645f6b02b652ed5b129e67c939e854ab492dec30ea878c3edde10a4b7d1d14c57100c6cbcc5fc085a0d7308715ed132fb917251919c727487fedb66500d5610b0014a43419acfbb92f\n\nModExp = 1\nA = 9edfce4691f46eadaa2043c7b1092b831ed50f3429f0bca02f985c0b77c686d951be84d772ae4b55f08935bed6e3206c8441574f215736b5c1c1b7595b3b789b55cf56db83741b10144d6767ba2b97b23a5e83504c60e06ab22834b0145655aa0463108317a379cbfc8a93de8a66925a999b8b02bf88dd85fb9898cefe9c95c8\nE = 0\nM = dcb68f6aa530ae9b31d078e2e82670adcc98228e7cf1aa59f81e66426ef14b1591b833d889463564c75b5fd5551ea295a0da581dd80f62c7008ff0f26a1c9f4f756431d48198af157149be8698336b306b0a8b8635d3fc2c4c2194ecc4d2af31ca1892917cc2e621d702eaaeed0d9a0c3dca575451eb8bc5487e313988cae745\n\nModExp = 0\nA = 0\nE = a3be10ef04535fca6784e5dbf3733d677dedd50fabbc3a860496628950b4747a328c2ce0d903cbe1e700f0af30f59fb917202257815097a2b516df5d0a82642faeffdfc3b7883766c78fc4be5901ebef891a9ca27f3bcf00960729e659bb3fddd54a19ce628e95ab86e4c7a168588bc9f67b05dd21a583acd8dc36e615945648\nM = dcb68f6aa530ae9b31d078e2e82670adcc98228e7cf1aa59f81e66426ef14b1591b833d889463564c75b5fd5551ea295a0da581dd80f62c7008ff0f26a1c9f4f756431d48198af157149be8698336b306b0a8b8635d3fc2c4c2194ecc4d2af31ca1892917cc2e621d702eaaeed0d9a0c3dca575451eb8bc5487e313988cae745\n\nModExp = 442866609915aa6f1bae9dfb59e721e1b63f42c0f75fbf0a88344120fbbd7aacf15208fb7c9d8bb8477d553cbd826d7e685ad764a8423e81c2131c040ee83a03cab8d5ce50866a941b48c78e9f1330794d908562d4141cfbf26e8c80c69551339eec41e37e2b37b54330f7bd75748f8d26d56ab9eb3b0c127540484c6445a7fa\nA = 8ff65e2cbcbcd8697cc3ce9a26855d6422ac7eb4e66500648c08be697e005cc3c854a54cfab91d43489cd60be8b516a9b3c9688e5e009a1689c6b164a133859a5464ef422c86344fef42cc477c9df27768377c126a066d1b62f593b7f6d6e906feaee16addb7cfbfc043d741b7dc81a87c17f167b7b8ef1b1fb3dfd1eb14102d\nE = a3be10ef04535fca6784e5dbf3733d677dedd50fabbc3a860496628950b4747a328c2ce0d903cbe1e700f0af30f59fb917202257815097a2b516df5d0a82642faeffdfc3b7883766c78fc4be5901ebef891a9ca27f3bcf00960729e659bb3fddd54a19ce628e95ab86e4c7a168588bc9f67b05dd21a583acd8dc36e615945648\nM = dcb68f6aa530ae9b31d078e2e82670adcc98228e7cf1aa59f81e66426ef14b1591b833d889463564c75b5fd5551ea295a0da581dd80f62c7008ff0f26a1c9f4f756431d48198af157149be8698336b306b0a8b8635d3fc2c4c2194ecc4d2af31ca1892917cc2e621d702eaaeed0d9a0c3dca575451eb8bc5487e313988cae745\n\nModExp = 1\nA = fe9f77f7d0475e00ec964c0effb9b8e079c32e376ce77a9c40ce4018c3df44a77b4f294d9565502b2b79accb30cb58dda6d15e1543b6d4a53296543ed11c7f51baab60283ef03fae37dfeacb431392487ec2839551a933895c4dbf18844f7b375d3e6f558d3c39993cea1bbf7fb743a6a07bd3753c03eb7298811476d7f3ff1d\nE = 0\nM = e7a96cf6fa930f73c8bdc2726bbba246001a9d27f39cc2b978c99dc6f15af0e8aaf26b565302f1112e607e2df4066948baba931b89cd9bbdea2072e05b9a4968fdf282c43d997987c3a3a0434e925a679ac81f316b7a7b724b79be3d6888b66f4512759bf66cfaaa88b9513dd27a44aaea75437268a014c4eb50ba2e50093511\n\nModExp = 0\nA = 0\nE = a0bc148ed50a9b54036bb8fa1f214979052ebd47db8b347af3bb03b806bb457b468ba34781f8a25f289a7a90af4903dc14809a166df2f4c3527de2ea6911cb1afb9071a4afbb522a7d50634d66fd584c73f32d05217dc9f7f16394c68a692a953492ca85f89cc11da95fd8cac6231647923ced48a1b3b0ee68c010286d452836\nM = e7a96cf6fa930f73c8bdc2726bbba246001a9d27f39cc2b978c99dc6f15af0e8aaf26b565302f1112e607e2df4066948baba931b89cd9bbdea2072e05b9a4968fdf282c43d997987c3a3a0434e925a679ac81f316b7a7b724b79be3d6888b66f4512759bf66cfaaa88b9513dd27a44aaea75437268a014c4eb50ba2e50093511\n\nModExp = 91fd879d02f95a9f40fcd1037726f73892caf84e9b43b4aa4126d9062a0d22c464e7af2fbd91aa849612d99d9519b724a7fb1cb018fffdcff321d883ab2519953c9f174f09dd8f13ac87339887385966eb4a94842276637b2c36c0a5036b1d3bbea438bc6efd4b4851c7ec06879d60694df894717569bcd31c4b13d80df6cbca\nA = cdec5edc1cb3ea974342b85aabc0f9385cf877ca328747d40dd4d297623ad69ab6582653faeed5aef225208305135cfbee32e066cb43e18afacea3a32acc8aabbc49617ac33e741651924ae56dd6aa044a12a1ea50fef573b5befb2f4b21b9cf83ab2aaa6fd153580a0761666ade8fb94f202a3c3dc4f33297eabb4564374168\nE = a0bc148ed50a9b54036bb8fa1f214979052ebd47db8b347af3bb03b806bb457b468ba34781f8a25f289a7a90af4903dc14809a166df2f4c3527de2ea6911cb1afb9071a4afbb522a7d50634d66fd584c73f32d05217dc9f7f16394c68a692a953492ca85f89cc11da95fd8cac6231647923ced48a1b3b0ee68c010286d452836\nM = e7a96cf6fa930f73c8bdc2726bbba246001a9d27f39cc2b978c99dc6f15af0e8aaf26b565302f1112e607e2df4066948baba931b89cd9bbdea2072e05b9a4968fdf282c43d997987c3a3a0434e925a679ac81f316b7a7b724b79be3d6888b66f4512759bf66cfaaa88b9513dd27a44aaea75437268a014c4eb50ba2e50093511\n\n# Craft inputs whose Montgomery representation is 1, i.e., shorter than M, in\n# order to test the const time precomputation scattering/gathering.\n\nModExp = 9442d2eca2905ad796383947b14ddfcc341f5be8fec079135c36f6f0d9b8b2212f43e08bf29c46167ff0fe16b247cd365df4417d96cc31c94db1cf44b73b0ee3ebcc4920d9b0d003b68e49c1df91e61bc7758a8a1d2d6192ff4e1590b1a792f8be3a1b83db3ad9667d14398d873faf5d885ec3a2bef955026fae6dbf64daea2b\nA = 3a4b4c57e62c5e9d1a9065191f8268fed9d5f6f424d071acef66f0662b8210f4c029ed991512e40c9c912043c816d2c4c5b53fa0e5c253e16808aad4225130dafbbb89fd4f30cdfc1c2f2179b636a7ddc4be579795820b4b9377637bd8a21a0ef5a90d0e0f865321eee23d9be2a3b7320b4012d02941b892df2c40bdc85c1898\nE = a2c56ea1362511cac030191",
"8e15a9afe7d37edd438a5c3538d258ea01f0a6df758de07111e868b3ad8fc89b629b4955d78a1b3af902be1806410ddde25ccc6a196ba5949395c1ad5d8725b18815dc1cd5ac1c7dd17773f571e3f2e628255af14476e0494be23a4a4dfd18e23142f33d7a59c236fec61660e360d9676a747c69f\nM = ede35a3a7afac817d413373a2032abbc067b1493f709ae6e1282ee5469743391d891b904938857168802b7872d3cd7ac18ab249a9e540a86f970b1d0f310a4cc29df1cc9d4063d98c554f1a32f4ca5eba3523cdfb142e0fc609907c7a92bb0187009d97ec471db3545f42dd5fd29c07b7816085d09477ba31fcf90084660116d\n\nModExp = a7f5844fa9e7202d4b70ee252c9846e63d3d091b0387768ded872cec53458e19df0d9b4960226e269b8ca5dd4c4eda423a67b6dbb48235c08c12c6c7c78db47287756d3ed9cecb9232f7d18d5d80b9676cb68ba4a290c97e220beb1a069976b5e6022a4c1e5ddbeec86b62dda24ffea1deda37695c9f61a8817218e6370c0679\nA = 7d6d0cc947ceb949cdc4e9e1044f5deca5bb05a491041e0d85bc4b92a0944a57c72845fad91e59010c61ad1712bd2f612d53a846a044632262a9f2e3373b062fde2484e0c165ff947f2469f743ab6e2e5e13c640fc4029b1c9213eb8473c674e7f9e95a4a5c5636d4656c1e696962340d77b322daba47d6fc894f2a2cd9e0afc\nE = b78012afe806e2344d004c739c97324256850980ac97d88c4ed9a838517639ca112e235978d21a176c33f5a68703aba0f2a05501bbe3fc8d49a000fbf530cdb431581dfaf8683cb15a2aee5e239cbc542827100da3b47babf4a16ca7c588aff9912e674abb449e0b767a15e415f4e7f2bbd6380d7131da3df8d49b13bfd35ce3\nM = b72d5c55bd2998472f1965e75a51be6155c1ba04656da8f66bcb34db36a7b1db66a89d1d05b1bde10206acf85be7b474ab689220faf1bb52ab39d8dc00512dd4e26df1179c11b973e1274db85a88c7cc2a17113abdffe58cb930ddc5f3ccc4d68b4e65c913730509f7ce5656e8bbaba9b1be177ab9f766678f018fea05da9cdf\n\nModExp = 465ff295786a88496828fdc763e9292d557957544e9322b7996807b87fdbfa7a11614bffeec557ca831c4824c8e4ca3b1a1c7f3f4f95ec3fd6a86b73bb13d78b73af2b3c7e76954d0cc03bcb0cd606867ebb3765a8b3d0108cbe4f343a14016be9c33f6d200f0dc547e7d6b02bfab1e79dcdf9c9835a814cc6c855a12ebeb66d\nA = 89ad02bea3e9ab839a6e23f20122409daba52c68e1e893034b30d321c0305434a6af940015e3fa5ca9c35230da34beeb1ed4fbce6c1da3a8bfe3f3ae172276c1d1723b47ee61e6f8fcfdafad102d6f7ee2a79f510c7edb93096205a40a6c9e665b88b18f39a979e2e61286d939952a6f02fe8148b7515bb25f4252337cb6e60d\nE = cbd6ac628cc7afa3c61bee9c22a06a395087ec1811fe9681b55216700c435996c815e7cec8aaa90016dd2382d0306a5414630124e14f3d396a4ba02ee17851bf720f1607ff813e4bbddf01338983db12f59bd6371a738eee3eeb716f21051d6174d2d6c77602942b9edaac18d4b3a723096c0d00dd23a8a605c585022f311560\nM = fa7a3e40364c8a8d0f14f0213a3f3e035222ca0ea19d46d10ba41580e5dd2805c8a133f3856d7d5d97f922ea540e5eb0d10ad04dfdbb74f518f58da0099a6fc2b3f3def92985176e07fc78aff2faebccca10a429794e5f15ff92f75fe90f527c60ddea8093a9078c703c372ca09f7aeb27ade02f3595308c61dd9c44e62fd101\n\nModExp = cf08bf00261402102e9fe03f3074471dcf0e9b3c96d4d1503f099f24ec85e1901b023e9e048c1ad042244f5f70b38b25a99f4c0a7b57d5844bb0d0137367f45f4ce2cc7746105b77414768cb97648dc5721149aed2d4c682408cc0d50d26dd0bd77e848911f8625c727cac5f32e63bcb548f41a57d718d772f23983a42f603bd\nA = a419646a6631c2c69b18f7aa65011825eb31692eecaee9d74f92d92203811b68e9764bda31a1585bdf69b6273fc6f9f508c395ac081336506525dad88473512f08a205621ac8b16e9864c7a7c5a4f17435de00d0b32badec6ce4897e3e1076c562b6d9523f63d0b2079eaa416cb090471657763f24931d955d1fa2720c80a9c9\nE = d5a6f4a1842aaee39805356dc8d0d678ee03b2c81277345beccb2742f899132feb43271f95968a01ae68aa8277201851992dc0aa7a71c90aae71b124d873ee264ea400fb131be0fc6c4ce8c04c45f6bdaca89ac743635caf6158983d257e21cef6800d7f990e912ba21bbfb8fb779afa4abd19e07e7e07eee9908493d1ca502c\nM = e739689b6cc6def1d45fb1a2ab551643beeb303f4aaa4da47ee5e4948510f8445b4c40e99ae8354dede60b2ba6694e93bc4d573b7e8adf871b7a9a9636eb7d70f2e49328e2d7978143b177cee8374ef01bd1ee2d95862765883f5e7971668b53ef0ff41b6539faf63c397522b0bdce916388e72e26c8d3d2e58dadeb9eb5d479\n\nModExp = 827e6312ec3b14600203bb83f5b277ded197b2967363630ef673240df05edd3ba8ab2b11c86251a612206569c6c33952b31e264f129909bfe723bd0ee1624b36cfcfaa893a6ec8b5a1f7de79f83e79b459a3350f89f412ad1cfd6bc4c2a7a29272c783d6ecceeb1398fa17041835643f4debef9b5e87b098d104bb8912dddf7c\nA = b8e49c637829021d32db3a39a0c1e58cdd4c6e4eda7e8e9293be379e9c2e2d184f929d278598a81ae231cfedcf69cce4a6e31cda3c8ac14d753a7311f2436e29795f0dfb60259a0f61a997918ff984aa2284b43a9d64c974059e9682adfffd018305835f74eda8c75fe4877d811c1620f654ec9f7f32d1af5ce59115e2f41785\nE = 80e0febf369d234bf1aaad4f82df2e2ff02882c3184781f6ccdf4f7cd93b6887af86830077c84dfb02109ada05b40970b1c65228b0c19030bd6361c3537fee22a8155c03b4e7007ca006c6daa3659518d05bb81ea0079456d0ef6116df248dffdb0c935f321f5a1034deefd5a9414a0652aa6548de33325b474b9e5a8507a082\nM = d5eb1d14af842a9973274f7463d90cf0ccff19c47d710edbae184478d4f29b02693ed7958bd487054327b9e6d8879e24c9af7730b92f323eeac05558da6c1b952e5dbf13de236050a77628bb5325fe0d14cc5773bf73338759d5ab43c212b414581280f1cee250007e53791b800b61c90de0328acd7bc43fbdda48158939392d\n\nModExp = 4a1efd29c7e78549f5cd4deed1454b37462c7810ee6a8a2493b764dfa479be13b314cf9ff98259517d61865567ef499a511630c0038c97914625df181c6fe07892f329f98b344a78d751e9471483eebaa7977371bf97bb25187ae7e93a9227d6c124ccb4644423c961a11ae59c4354f89d5a95164c23d9aa256e289e9cc0858e\nA = bd86c9211fa6a47a06e5016c46cb8a99e34a043a29e22f8c3196fa7197c26b38927b8d9bc0ddc11a5fa4bcc44deb69dbf37cbe7ebc9a2fad6c74e09ab5a9dd929fa04ab4319b6caad1035739be78ba631fb0748d9e53944836d37ccda6e6a62823c696d8f31139ccd7f2f86b22fa026ecf433cfb1271a3539ac4f1c83aaac059\nE = c40b9972006d28a84c2769a86e526a2b274f73afc7c5c6a2742166757f61b5f5fdbb228afa157af62af989ffe966f232bba9e6beef5403d1690ade31a6410f7f349a35bc4267a129afd647993df7d45cc0e1a1ba4678d7f1b6e8a344d8ff7037679e1f4db25a454e4246f6b55c416567fcfa188e8a3865115851d9edf0aa8902\nM = cf424d7af75ce7eef90cad75ae55ca8810cc7b4703fdb5bce701e7bac07e0c371cae06df2aa8facb55a0faa6793e4d2bd9d7969703743b9be170be82792aeea55e2bc0f7ab7617b276486bf474dee2f4556aab595ff3ef115139cfe5e21ccd4ee05c0e1cf901bd85df86cc17195a783b0be836d00bee82ce064077f9191188f9\n\nModExp = 3137a3049fd4ad2e26d870f5c998cf11bfe82101884a82e85e43facd0928cd7434a2e346ca124619769fa141bbe92ad6f36b99231032ddaec3b349a410f82b5ca36f45e56e5fb85dc63d32053dc90805d3f1854ab385281a71a57726bf97158494e7476057214ca7379ab8b70f5bdc15f70bdad3adf33c3a1f9cd1b6bbbad556\nA = 39a1dc6a4c3f14d9c350ee968d5ce139ef725952c967a2d1bedf48ace22091283525be03807e2e263d2640be77f0525247bcd07149bba50568cec5a082c87d72962cf9e43bcb5cdb1e7e9a650fb53e0ec2fad37f09a9f036c0d7dfa528fef846769f80a9a60854910ca1b4ee05dba82ed2ee018348d6b3e52a764b8ffae61e0\nE = deaee3a3f80c9f684ed7110c0653847ccc7be5ff6d982fd4b49f59b5dd35f7210b1077babbcedbc127df35cd469dc6e569a0f84e58149b5605c94b09fd7f0b098d02b4a04631328b3fae39e6c2fce25334225cab71829abdb9507cb903701559660f2c08c3b743336119d1260a0db27054cad3f28bc1b04b2289baa58fb33965\nM = 938388927d06ed3bb1286c0f06d3054cb0ee16dc7a0bbbf13a45293c09a5f40f1d611b2e1a1b0ec2ef109b508e27af4274954905cae52034f8740a744153b4d22059f0dd262ea51785522098ecacced6da07709ee6b5acc8c4e99331379a7c3de7f4e2d1431e43b19570140955b7bcba118dfbaa552cbfa2be531e8f781166ed\n\nModExp = c15ae334455d9f4d1030cd33e734726a27c63624c2afc576238cce5e0498298a4a0c93090a0d19568b41290303c4b558f3d9dd74f9cde8798710f68569ea0d6fd971ce67ec5b54495031de3d8842b8b49288725bee5c9f72b99054d64986ccd4e18d70d5f33943f08cd694eff538f84438ea993ebaba0910c95b3a694f213510\nA = def633b955a917569df3ba8517455eef0655e7a35985edda27097a063e0d82c7c3a76dc36c5d8a71ba9d540790ddd0ea514aaed98925f9a1808eb288d387aaf9605a9ef8a333ebee7ad7057bca012efd619d5867f02266f65976ef4b16da17468426ac4f99b3e8921707e01b4de20f6f9a068e6a19d872079a27f3a44449db83\nE = a465c47b0d15d48e01bb8b1d8e3b3253e11515f6874dbed6c25818adf1a8fd927124d5593beb367f685c11e46f18415be73ccdf16fa2e93a600b728163d21d232849e5278c3749d903edad3f1c4535a2f55a2ab65e7ebc64888bd2a0527e876ecf38cec3ab1980d08138709fad8eb88ae65d960adc3f0f8e92f784fe96fcb693\nM = e43cb9ac1446154356cdc31ec771c79b0e461e22d95185bbe1a279c0945e3af07903a0cb54d553380716fcdcafb4b7cf5dc6da481dc74a8c583d75ff6c1f8e429182d200246ebc473bb56e173787987c1b7fb2dd23f5b2e438a97bc4a1df628bc044fdd1e80c0cf37030adb7b04784dab827d0dcd64f0dbf37c980612570ce11\n\nModExp = 75c3f79ab7c991b98e65505342a8a563cfb08b5d3ccf8664c7db1de50256b1d17ebf7096dc98c7bb5d7f027a894ae5cbb14dee04d5d445e775ad7e239acc82673b0ac2d819a69c83864f34e73d9a636f05de8279619a067b4c90ad038db5910447e03841d2034635018f08cbcd21efa00994247763a249082594128112f95232\nA = 34def7d76f6f158a359fd12759fb889cdf6af0a24830dc3e84283a1ab4e9b2647a6a36b86482f",
- "829b2cdf3e3d6028f9a884b1f64f7262315446bea8b0231828e2f3d990fb103c17f820b39e4b8427c85643ceeca8f5dc8f191d1255768300e859bd7d88c770319ef38269660d221cb3bc061389b6fc0783485ef042b1c7d6fef\nE = c6c46453dd5aac6b37277a446b1d0c69cbe476eeff55b3ac35edb89ba97116b0e7783660f2c7b31b2a2d6c4709d0ab45d01a838100694b0777c9c9c14c959b07c437c73a5eabb7402f1001e802d797a2e7707285834fb6440a1c2f727f7bb84ddb2a49312d32fa0ce620c43872655cb5c394749c9e75d7fa25be00efe50d47d6\nM = fbbab6698a9142095c46b38a732592e4366c1838b84bf40f8c8fc7b630f73380a0d09765562365798f8c8030ed1b6728329d8bb06e882c35a1d59bfe84146a9db2afe42a414014e247390281c782fce806d62adb54778d2bcb49555459429d6ed446af5359657667f6aa19e8e3e0e24ab2bc312b2d90b5cb1ce6f2f15af15d9d\n\nModExp = ba16d7f3f6e162ce248490d164a13c00e7720d8a667e2d3ebeb13f1663e15ef5408d5b56cbc7bc793a8ca787cc50f8e15e0e9d4ee764531d04a9114eea556bb3e206ed7d85267151a056b6e68fbf35e03f2cf829708ffe1de13e95ecfe365aff1eea36340ffcd3892dee659fb1ecbe50f5080e54737c10f9c1ba638b14ef537e\nA = 9025e6183706105e948b1b0edf922f9011b9e11887d70adb00b26f272b9e76a38f3099084d9cccf12d04b1a99c0f654f8b9ed90c6dff9478c60bf05d58d734ab60eaefa14a22230ec60c90dc1f0704b61eef0bef345785ae0e6a9af7db069cf6bd2b4e0fe58a0ade83c7e46a04b9fe1d24cb9b65c6f80de713e61d70eae5b286\nE = d7e6df5d755284929b986cd9b61c9c2c8843f24c711fbdbae1a468edcae159400943725570726cdc92b3ea94f9f206729516fdda83e31d815b0c7720e7598a91d992273e3bd8ac413b441d8f1dfe5aa7c3bf3ef573adc38292676217467731e6cf440a59611b8110af88d3e62f60209b513b01fbb69a097458ad02096b5e38f0\nM = e4e784aa1fa88625a43ba0185a153a929663920be7fe674a4d33c943d3b898cff051482e7050a070cede53be5e89f31515772c7aea637576f99f82708f89d9e244f6ad3a24a02cbe5c0ff7bcf2dad5491f53db7c3f2698a7c41b44f086652f17bb05fe4c5c0a92433c34086b49d7e1825b28bab6c5a9bd0bc95b53d659afa0d7\n\n# See https://github.com/openssl/openssl/commit/e9e726506cd2a3fd9c0f12daf8cc1fe934c7dddb.\n# OpenSSL's test vectors do not include the expected value, so ModExp was\n# computed with Python 3.\nModExp = ccb051a34f9e26e381e50445632cbbd4abe56bc912020f3edd2db144aedb470095c4c33e3342d1dc4bb4056ba3078366af4cee507e85bb1b2e499ef25a933810f14faa8b1a9ce5e8d58f2789e27c887a4ff87fa59ff682727a3912a99aae6db8b3b8947d76c8454cffc6fb3f2422dca106c3845b0db68a06e5e9d7b90e552506579d812e7d96bfc6324feec90ea0800463346148f120e7caf403788539f5d87ee45aa5b313c340e0a323029f3a0bdb675510aefec171c01e2a94960cd507e461214028c86ed4e9fce31e7dbdf1a75fd6f973e2aed4a039e53a60a7aa62be8ee1f80a113833ab402d07e17151021cec29fa5b2e628ef9f2d7aa4bc86b6eec8faf\nA = 95564994a96c45954227b845a1e99cb939d5a1da99ee91acc962396ae999a9ee38603790448f2f7694c242a875f0cad0aae658eba085f312d2febbbd128dd2b58f7d1149f03724215d704344d0d62c587ae3c5939cba4b9b5f3dc5e8e911ef9a5ce1a5a749a4989d0d8368f6e1f8cdf3a362a6c97fb02047ff152b480a4ad9852d45efdf0770542992afca6a0590d52930434bba96017afbc9f99e112950a8b1a359473ec376f329bdae6a19f503be6d4be7393c4e43468831234e27e3838680b949390d2e416a3f9759e5349ab4c253f6f29f819a6fe4cbfd27ada34903300eda021f62839f5878a36f1bc3085375b00fd5fa3e68d316c0fdace87a97558465\nE = f95dc0f980fbd22e90caa5a387cc4a369f3f830d50dd321c40db8c09a7e1a241a536e096622d3280c0c1ba849c1f4a79bf490f60006d081e8cf69960189f0d312cd9e17073a3fba7881b21474a13b334116cb2f5dbf3189a6de3515d0840f053c776d3982d391b6d04d642dda5cc6d1640174c09875addb70595658f89efb439dc6fbd55f903aadd307982d3f659207f265e1ec6271b274521b7a5e28e8fd7a55df089292820477802a43cf5b6b94e999e8c9944ddebb0d0e95a60f88cb7e813ba110d20e1024774107dd02949031864923b3cb8c3f7250d6d1287b0a40db6a47bd5a469518eb65aa207ddc47d8c6e5fc8e0c105be8fc1d4b57b2e27540471d5\nM = fef15d5ce4625f1bccfbba49fc8439c72bf8202af039a2259678941b60bb4a8f2987e965d58fd8cf86a856674d519763d0e1211cc9f8596971050d56d9b35db3785866cfbca17cfdbed6060be3629d894f924a89fdc1efc624f80d41a22f19009503fcc3824ef62ccb9208430c26f2d8ceb2c63488ec4c07437aa4c96c43dd8b9289ed00a712ff66ee195dc71f5e4ead02172b63c543d69baf495f5fd63ba7bcc633bd309c016e37736da92129d0b053d4ab28d21ad7d8b6fab2a8bbdc8ee647d2fbcf2cf426cf892e6f5639e0252993965dfb73ccd277407014ea784aaa280cb7b03972bc8b0baa72360bdb44b82415b86b2f260f877791cd33ba8f2d65229b\n\n\n# RSAZ 512-bit.\n#\n# These are regression tests for code which historically reached the RSAZ-512\n# code. That has since been removed, but the test vectors remain. Note that the\n# lengths of the inputs, especially the *bit* length of |M|, matter a lot.\n\n# Control: No relationship between A and M except that A < M and they're the same number of limbs.\nModExp = 7f34c1cd63377bc3abf2bb5b2d1bf5f06454e1e8040fe19a72245ce9731cbee1bf9e84532300776c8021ed4f3a8de508d85b4cf320bd82065a013754857b50c4\nA = 8e4e67da6ff890643d0599387955996ef6f0c2045eb9944576ddb965ca64cdb6247727ce128ef178d4a84e5a56d2e67eb0fe389ecbf691f9244ae80f4c11b364\nE = be99d8f0650e540b9b191e9cf96f74881b902e32ed169ffd8a1776c3f3e80f0ac765aa14615713e1549f250a20fe4ee48c4e0c6176162fc7842a0dd64d640d1\nM = f12f2c19ee1ecf2c999b87bdafde60eace3790faad8f9adec13b14c6dfb69f8795a1d0fe65494250b59534014b918453042012952ae6f5786342999600725491\n\n# Same as above except A is negative.\nModExp = 71fa6a4c8ae75368eda8cc6282c26afa69e2af12a97fb9444f16b7dd6c99e0a5d6034cab4248cae4357346b211039f4a2bc4c5a20a297372094162417af703cd\nA = -8e4e67da6ff890643d0599387955996ef6f0c2045eb9944576ddb965ca64cdb6247727ce128ef178d4a84e5a56d2e67eb0fe389ecbf691f9244ae80f4c11b364\nE = be99d8f0650e540b9b191e9cf96f74881b902e32ed169ffd8a1776c3f3e80f0ac765aa14615713e1549f250a20fe4ee48c4e0c6176162fc7842a0dd64d640d1\nM = f12f2c19ee1ecf2c999b87bdafde60eace3790faad8f9adec13b14c6dfb69f8795a1d0fe65494250b59534014b918453042012952ae6f5786342999600725491\n\n# A == M - 1 == -1 (mod M) and the exponent is odd so A ^ E (mod M) == A.\nModExp = f12f2c19ee1ecf2c999b87bdafde60eace3790faad8f9adec13b14c6dfb69f8795a1d0fe65494250b59534014b918453042012952ae6f5786342999600725490\nA = f12f2c19ee1ecf2c999b87bdafde60eace3790faad8f9adec13b14c6dfb69f8795a1d0fe65494250b59534014b918453042012952ae6f5786342999600725490\nE = be99d8f0650e540b9b191e9cf96f74881b902e32ed169ffd8a1776c3f3e80f0ac765aa14615713e1549f250a20fe4ee48c4e0c6176162fc7842a0dd64d640d1\nM = f12f2c19ee1ecf2c999b87bdafde60eace3790faad8f9adec13b14c6dfb69f8795a1d0fe65494250b59534014b918453042012952ae6f5786342999600725491\n\n# Same inputs as above except A is negative. Note that A mod M with a \"correct top\" isn't the right length for RSAZ.\nModExp = 1\nA = -f12f2c19ee1ecf2c999b87bdafde60eace3790faad8f9adec13b14c6dfb69f8795a1d0fe65494250b59534014b918453042012952ae6f5786342999600725490\nE = be99d8f0650e540b9b191e9cf96f74881b902e32ed169ffd8a1776c3f3e80f0ac765aa14615713e1549f250a20fe4ee48c4e0c6176162fc7842a0dd64d640d1\nM = f12f2c19ee1ecf2c999b87bdafde60eace3790faad8f9adec13b14c6dfb69f8795a1d0fe65494250b59534014b918453042012952ae6f5786342999600725491\n\n# A == M, so A == 0 (mod M) so A ^ E (mod M) == 0. Note that A mod M with a \"correct top\" isn't the right length for RSAZ.\nModExp = 0\nA = f12f2c19ee1ecf2c999b87bdafde60eace3790faad8f9adec13b14c6dfb69f8795a1d0fe65494250b59534014b918453042012952ae6f5786342999600725491\nE = be99d8f0650e540b9b191e9cf96f74881b902e32ed169ffd8a1776c3f3e80f0ac765aa14615713e1549f250a20fe4ee48c4e0c6176162fc7842a0dd64d640d1\nM = f12f2c19ee1ecf2c999b87bdafde60eace3790faad8f9adec13b14c6dfb69f8795a1d0fe65494250b59534014b918453042012952ae6f5786342999600725491\n\n# A is negative, and A (mod M) is the right length for RSAZ.\nModExp = 8d76eb0f8c7bc3160cc8bb0e0c3590fbed26c5932f5f525b48045c0bd46dda287ba5483f97c851fb7c12c2e858ee7a4a4d1af745cbfb3eb311fa54bea12cde25\nA = -80000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\nE = be99d8f0650e540b9b191e9cf96f74881b902e32ed169ffd8a1776c3f3e80f0ac765aa14615713e1549f250a20fe4ee48c4e0c6176162fc7842a0dd64d640d1\nM = f12f2c19ee1ecf2c999b87bdafde60eace3790faad8f9adec13b14c6dfb69f8795a1d0fe65494250b59534014b918453042012952ae6f5786342999600725491\n\n\n# RSAZ 1024-bit.\n# Note that the lengths of the inputs, especially the *bit* length of |M|, matter a lot.\n\n# Control: No relationship between A and M except that A < M and they're the same number of limbs.\nModExp = 8984f8c16044f9c0ad7bd72347af90f58e6e003acda92b76e3c7c4a56ea8e918409d8e9b34884d4c89d0b17cb40fe898f2627c084a0f1698e46beccbf6f48eecc281e11ea9e5135adba460ddae157f2c655b5f589ce29b254d43a960a71cede8a08dbb86be4dac22458",
- "da232fb1ec2470856827302ed772c9ddafa408c931aa7\nA = 21158da5fe20356825e72b3f5384ec57720d22f727b27ce2f945c8ee311db781add73bf8fae96b775c909bd22fca75c44c2b0584284a5bb1c07f8eefcd6b0a44047a02b185df34f897f11d4fb9a86c9eb841b4cb8d0383441fdc5af3ef385b5e8380f605d73ed41bb42eb2c2a5704d6034b3ad058dafffce83dbbfb6295daaf8\nE = ecdebd112b3b5788669449dcddbd479a203ee9ab72a9bb9c406b97623513bf0ab9a22f1f23634d269e16bfd6d3b64202b71fc355057411967b6ac70f8d9cef0a4e06819a9a18cc06bbe438243fa9759303d98be8a65dc1cb13595ee9b99f138554425d50f6fbc025d8ffa3eaea828d6f3b82a3584146bafde34da257995f0575\nM = ff3a3e023db3bba929ca4ededbace13d0d1264387b5ef62734e177eaf47a78af56b58aacc8ac5d46f5b066bafb95d93d4442bb948653613eec76837b4ffb7991cb080b6c8b403fb09bc817d026e283ee47ab2fc9af274b12f626eda2fe02004a8e27b9ed7d3b614e8955c7e7c2c0700edd079455237c4475fbd41857e206e4b7\n\n# Same as above except A is negative.\nModExp = 75b54540dd6ec1e87c4e77bb93fd50477ea463fdadb5cab05119b34585d18f971617fc1194240ffa6bdfb53e4785f0a451e03f8c3c444aa6080a96af5906eaa508862a4de15b2c55c023b6f278cd04c1e24fd0711244afeda8e3444256e51261ed99fe66beedb52c43c825b4c7a1adc7d4b111e2208ecd495df91e175573ca10\nA = -21158da5fe20356825e72b3f5384ec57720d22f727b27ce2f945c8ee311db781add73bf8fae96b775c909bd22fca75c44c2b0584284a5bb1c07f8eefcd6b0a44047a02b185df34f897f11d4fb9a86c9eb841b4cb8d0383441fdc5af3ef385b5e8380f605d73ed41bb42eb2c2a5704d6034b3ad058dafffce83dbbfb6295daaf8\nE = ecdebd112b3b5788669449dcddbd479a203ee9ab72a9bb9c406b97623513bf0ab9a22f1f23634d269e16bfd6d3b64202b71fc355057411967b6ac70f8d9cef0a4e06819a9a18cc06bbe438243fa9759303d98be8a65dc1cb13595ee9b99f138554425d50f6fbc025d8ffa3eaea828d6f3b82a3584146bafde34da257995f0575\nM = ff3a3e023db3bba929ca4ededbace13d0d1264387b5ef62734e177eaf47a78af56b58aacc8ac5d46f5b066bafb95d93d4442bb948653613eec76837b4ffb7991cb080b6c8b403fb09bc817d026e283ee47ab2fc9af274b12f626eda2fe02004a8e27b9ed7d3b614e8955c7e7c2c0700edd079455237c4475fbd41857e206e4b7\n\n# A == M - 1 == -1 (mod M) and the exponent is odd so A ^ E (mod M) == A.\nModExp = b5d257b2c50b050d42f0852eff5cfa2571157c500cd0bd9aa0b2ccdd89c531c9609d520eb81d928fb52b06da25dc713561aa0bd365ee56db9e62ac6787a85936990f44438363560f7af9e0c16f378e5b83f658252390d849401817624da97ec613a1b855fd901847352f434a777e4e32af0cb4033c7547fb6437d067fcd3d964\nA = b5d257b2c50b050d42f0852eff5cfa2571157c500cd0bd9aa0b2ccdd89c531c9609d520eb81d928fb52b06da25dc713561aa0bd365ee56db9e62ac6787a85936990f44438363560f7af9e0c16f378e5b83f658252390d849401817624da97ec613a1b855fd901847352f434a777e4e32af0cb4033c7547fb6437d067fcd3d964\nE = 61803d4973ae68cfb2ba6770dbed70d36760fa42c01a16d1482eacf0d01adf7a917bc86ece58a73b920295c1291b90f49167ef856ecad149330e1fd49ec71392fb62d47270b53e6d4f3c8f044b80a5736753364896932abc6d872c4c5e135d1edb200597a93ceb262ff6c99079177cd10808b9ed20c8cd7352d80ac7f6963103\nM = b5d257b2c50b050d42f0852eff5cfa2571157c500cd0bd9aa0b2ccdd89c531c9609d520eb81d928fb52b06da25dc713561aa0bd365ee56db9e62ac6787a85936990f44438363560f7af9e0c16f378e5b83f658252390d849401817624da97ec613a1b855fd901847352f434a777e4e32af0cb4033c7547fb6437d067fcd3d965\n\n# Same inputs as above except A is negative. Note that A mod M with a \"correct top\" isn't the right length for RSAZ.\nModExp = 1\nA = -b5d257b2c50b050d42f0852eff5cfa2571157c500cd0bd9aa0b2ccdd89c531c9609d520eb81d928fb52b06da25dc713561aa0bd365ee56db9e62ac6787a85936990f44438363560f7af9e0c16f378e5b83f658252390d849401817624da97ec613a1b855fd901847352f434a777e4e32af0cb4033c7547fb6437d067fcd3d964\nE = 61803d4973ae68cfb2ba6770dbed70d36760fa42c01a16d1482eacf0d01adf7a917bc86ece58a73b920295c1291b90f49167ef856ecad149330e1fd49ec71392fb62d47270b53e6d4f3c8f044b80a5736753364896932abc6d872c4c5e135d1edb200597a93ceb262ff6c99079177cd10808b9ed20c8cd7352d80ac7f6963103\nM = b5d257b2c50b050d42f0852eff5cfa2571157c500cd0bd9aa0b2ccdd89c531c9609d520eb81d928fb52b06da25dc713561aa0bd365ee56db9e62ac6787a85936990f44438363560f7af9e0c16f378e5b83f658252390d849401817624da97ec613a1b855fd901847352f434a777e4e32af0cb4033c7547fb6437d067fcd3d965\n\n# A == M, so A == 0 (mod M) so A ^ E (mod M) == 0. Note that A mod M with a \"correct top\" isn't the right length for RSAZ.\nModExp = 0\nA = b5d257b2c50b050d42f0852eff5cfa2571157c500cd0bd9aa0b2ccdd89c531c9609d520eb81d928fb52b06da25dc713561aa0bd365ee56db9e62ac6787a85936990f44438363560f7af9e0c16f378e5b83f658252390d849401817624da97ec613a1b855fd901847352f434a777e4e32af0cb4033c7547fb6437d067fcd3d965\nE = 61803d4973ae68cfb2ba6770dbed70d36760fa42c01a16d1482eacf0d01adf7a917bc86ece58a73b920295c1291b90f49167ef856ecad149330e1fd49ec71392fb62d47270b53e6d4f3c8f044b80a5736753364896932abc6d872c4c5e135d1edb200597a93ceb262ff6c99079177cd10808b9ed20c8cd7352d80ac7f6963103\nM = b5d257b2c50b050d42f0852eff5cfa2571157c500cd0bd9aa0b2ccdd89c531c9609d520eb81d928fb52b06da25dc713561aa0bd365ee56db9e62ac6787a85936990f44438363560f7af9e0c16f378e5b83f658252390d849401817624da97ec613a1b855fd901847352f434a777e4e32af0cb4033c7547fb6437d067fcd3d965\n\n# A is negative, and A (mod M) is the right length for RSAZ.\nModExp = 9cf810b9e89d5cbc4b79ae64e123ea06d92965e2bab077df97a1b906dc2e1ddcf96a9c4ed14e2cd96309b829ea9cc2a74a7d4b43c5f34d792a7c583201427754b8f78b783608070a84b61f18913e3ced7f7f530972de7764667c54e29d756eea38a93cd1703c676a4587231b0ebfeadddf908e2877a7a84b5bfc370ecf0d158d\nA = -8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\nE = 61803d4973ae68cfb2ba6770dbed70d36760fa42c01a16d1482eacf0d01adf7a917bc86ece58a73b920295c1291b90f49167ef856ecad149330e1fd49ec71392fb62d47270b53e6d4f3c8f044b80a5736753364896932abc6d872c4c5e135d1edb200597a93ceb262ff6c99079177cd10808b9ed20c8cd7352d80ac7f6963103\nM = b5d257b2c50b050d42f0852eff5cfa2571157c500cd0bd9aa0b2ccdd89c531c9609d520eb81d928fb52b06da25dc713561aa0bd365ee56db9e62ac6787a85936990f44438363560f7af9e0c16f378e5b83f658252390d849401817624da97ec613a1b855fd901847352f434a777e4e32af0cb4033c7547fb6437d067fcd3d965\n\n# Regression test for CVE-2017-3738.\nModExp = d360792bd8210786607817c3dda64cc38c8d0f25569597cb1f363c7919a0c3587baff01a2283edaeb04fc288ac0ab3f279b2a89ffcb452d8bdf72422a9f9780f4aa702dc964cf033149d3a339883062cab8564aebdbfac0bf68985e522c6fe545b346044690c525ca85d3f4eb3e3c25cdf541545afc84a309e9b1d7807003461\nA = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff2020202020df\nE = 2020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020FF2020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020\nM = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff2020202020ff\n\n# Test vectors for CVE-2019-1551. (We do not carry the assembly file with the\n# bug, but we use the test vectors anyway.)\n\n# Original test vectors by OSS-Fuzz.\nModExp = 9d675d188a07e9bd1b32638cc8cfd5002ef89bd1a9648f806567b87939140a67977dc8da17323b8e4c6bc53875cda8b656df8f54cc32e44fd9c21d122ea3c0d6\nA = dea9b3e0b44ae67b2ac9b7c2b18eeb4dab206b014981a46ac409f195eeb6896f132cf8497c87d1188008ee511054ebb426203355b7d515dce9501cb759ac1373\nE = b01ae745b101e9e45ec05dcff72e7f8fc04c79ffe324301fda0b4f7be81d85c4e875c73fc6c5cb40000000000000000000000000000000000\nM = ffffffff01ffffffffffffffffffffffffffe2000000000000000000000000000010fab8d960706cd4c21818115650cad61d4f10da325dffffffff00ffff00ff\n\nModExp = 651f811b62ee8770e3598c340864dd6b0be9bb6376b6f933ab216fd55538e6ad1000cb2b3c64f54d554e004b6eec8138e6ecff00452d443a42041b72e6cd9ead\nA = 3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e\nE = 3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e09003e3e3e3e3e3e3e3e3e3e3e3e3e3e010900230a01230a2100ffffff0000adf300a58700000000ffffff00\nM = ffffff0b00000000000000000000",
- "000000ffffffff0000ffffffff00000a0000000a00000000000000000000ffffffff000000000000ffffffffffff000000ff\n\n# Test vectors for rsaz_512_sqr bug, with rcx/rbx=1\n\n# between first and second iteration\nModExp = 1\nA = 624e6a171024e6a171024e6a171024e6a171024e6a171024e6a171024e6a171024e6a171024e6a171024e6a171024e6a14ce297f2873536f959d8c3390d973b6\nE = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006e\nM = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006f\n\n# between second and third iteration\nModExp = 1\nA = 11024e6a171024e6a171024e6a171024e6a171024e6a171024e6a171024e6a171024e6a171024e6a14ce297f2873536f959d8c3390d97360800000000000000f\nE = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006e\nM = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006f\n\n# between third and fourth iteration\nModExp = 1\nA = 4171024e6a171024e6a171024e6a171024e6a171024e6a171024e6a171024e6a14ce297f2873536f959d8c3390d9736080000000000000000000000000000039\nE = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006e\nM = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006f\n\n# between fourth and fifth iteration\nModExp = 1\nA = 6a171024e6a171024e6a171024e6a171024e6a171024e6a14ce297f2873536f959d8c3390d97360800000000000000000000000000000000000000000000006\nE = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006e\nM = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006f\n\n# between fifth and sixth iteration\nModExp = 1\nA = 44e6a171024e6a171024e6a171024e6a14ce297f2873536f959d8c3390d97360800000000000000000000000000000000000000000000000000000000000003c\nE = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006e\nM = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006f\n\n# between sixth and seventh iteration\nModExp = 1\nA = 1024e6a171024e6a14ce297f2873536f959d8c3390d973608000000000000000000000000000000000000000000000000000000000000000000000000000000e\nE = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006e\nM = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006f\n\n# between seventh and eighth iteration\nModExp = 1\nA = 626eee5e3c8653be47ed15e84b97cc7f800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000187\nE = c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002f8\nM = c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002f9\n\n# Test vectors for rsaz_512_srq bug, with rcx/rbx=2\n\n# between first and second iteration\nModExp = 1\nA = 3c40939a85c40939a85c40939a85c40939a85c40939a85c40939a85c40939a85c40939a85c40939a85c40939a85c4093995e8efdb195e8efd8caf477ed8caf7c\nE = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006e\nM = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006f\n\n# between second and third iteration\nModExp = 1\nA = 485c40939a85c40939a85c40939a85c40939a85c40939a85c40939a85c40939a85c40939a85c4093995e8efdb195e8efd8caf477ed8caf47800000000000003f\nE = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006e\nM = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006f\n\n# between third and forth iteration\nModExp = 1\nA = 59a85c40939a85c40939a85c40939a85c40939a85c40939a85c40939a85c4093995e8efdb195e8efd8caf477ed8caf478000000000000000000000000000004e\nE = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006e\nM = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006f\n\n# between forth and fifth iteration\nModExp = 1\nA = 2939a85c40939a85c40939a85c40939a85c40939a85c4093995e8efdb195e8efd8caf477ed8caf47800000000000000000000000000000000000000000000024\nE = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006e\nM = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006f\n\n# between fifth and sixth iteration\nModExp = 1\nA = 640939a85c40939a85c40939a85c4093995e8efdb195e8efd8caf477ed8caf478000000000000000000000000000000000000000000000000000000000000057\nE = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006e\nM = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006f\n\n# between sixth and seventh iteration\nModExp = 1\nA = 25c40939a85c4093995e8efdb195e8efd8caf477ed8caf4780000000000000000000000000000000000000000000000000000000000000000000000000000021\nE = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006e\nM = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006f\n\n# between seventh and eighth iteration\nModExp = 1\nA = 7b4919849931b28a14fcace213f2b3884fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff84b6e67b66ce4d9c\nE = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000004c\nM = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000004d\n\n\n# Exp tests.\n#\n# These test vectors satisfy A ^ E = Exp.\n\nExp = aa6d7ac431\nA = d0e07\nE = 2\n\nExp = 12d416b110dbb4e467ff0c89a22122f4da8240\nA = 1a18cf6\nE = 6\n\nExp = 49a3b33e23d84f1ce0d5d83f5dcb651d50cf3920f0143da2310d0512a90a06cd8f38977df8a756c30883de38df092000\nA = 2a3acbd2\nE = d\n\nExp = 5b4a0d5a956f885f275712b194459980f24708bfb6393d71bd37dce852ce455724f5ee5030775fb86b4295edc98afaafc097e4d82a97c0078ec0eac763db16549c5145c4cf2d3124f88cf9a5c71da0625afb99b26801786fe49a778415dc025954021753d08691947a208b613f0be5c1\nA = 54b3ae461\nE = 1a\n\nExp = a0ea5f6a4de49beb8fb7f0dab280d6a32c5a3814c9a5153a7944cec0a9028497846a8a89044348721a0bb5f0c3ded3e980574ea321b0cdb0ead4f4e93841ea7478a7f15d9729b646a8165813a0750e8124f5465dda9b105e1bbeff18fd09c09a2e26610d9176d253b877c3a8908a6be521cbe1e472a7a1b7820e4e890f8f28aacd34609c686e76e15b01bd9324a71290812724ea564d11c874a6765b262c3e57d479da0287a76026a1e8fe53da0b02405da1d379eaa30fc65f\nA = fccec0f6df\nE = 25\n\n\n# ModSqrt tests.\n#\n# These test vectors satisfy ModSqrt * ModSqrt = A (mod P) with P a prime.\n# ModSqrt is in [0, (P-1)/2].\n\nModSqrt = 1\nA = 1\nP = 2\n\nModSqrt = 1\nA = 1\nP = 2\n\nModSqrt = 1\nA = 1\nP = 2\n\nModSqrt = 1\nA = -1\nP = 2\n\nModSqrt = 1\nA = -1\nP = 2\n\nModSqrt = 0\nA = 0\nP = 3\n\nModSqrt = 0\nA = -3\nP = 3\n\nModSqrt = 0\nA = -3\nP = 3\n\nModSqrt = 0\nA = 0\nP = 3\n\nModSqrt = 0\nA = 0\nP = 3\n\nModSqrt = 0\nA = 0\nP = 5\n\nModSqrt = 1\nA = -4\nP = 5\n\nModSqrt = 0\nA = -5\nP = 5\n\nModSqrt = 2\nA = 4\nP = 5\n\nModSqrt = 0\nA = -5\nP = 5\n\nModSqrt = 3\nA = -5\nP = 7\n\nModSqrt = 0\nA = 0\nP = 7\n\nModSqrt = 0\nA = 0\nP = 7\n\nModSqrt = 2\nA = 4\nP = 7\n\nModSqrt = 3\nA = -5\nP = 7\n\nModSqrt = 4\nA = 10\nP = b\n\nModSqrt = 0\nA = 0\nP = b\n\nModSqrt = 3\nA = -2\nP = b\n\nModSqrt = 3\nA = -2\nP = b\n\nModSqrt = 2\nA = 4\nP = b\n\nModSqrt = 2\nA =",
- " 1e\nP = d\n\nModSqrt = 2\nA = 1e\nP = d\n\nModSqrt = 0\nA = -d\nP = d\n\nModSqrt = 0\nA = -d\nP = d\n\nModSqrt = 3\nA = 9\nP = d\n\nModSqrt = 8\nA = d\nP = 11\n\nModSqrt = 6\nA = df\nP = 11\n\nModSqrt = 4\nA = 10\nP = 11\n\nModSqrt = 5\nA = 90\nP = 11\n\nModSqrt = 3\nA = 80\nP = 11\n\nModSqrt = 9\nA = -e\nP = 13\n\nModSqrt = 7\nA = 7d\nP = 13\n\nModSqrt = 6\nA = 37\nP = 13\n\nModSqrt = 1\nA = 1\nP = 13\n\nModSqrt = 8\nA = 1a\nP = 13\n\nModSqrt = 54d4cf0fafe265056a29016778cea6b712bc66a132fb5e6b6865e9b49e4c97ec\nA = 599c10484b22d0b5a115268c7538ca99b3253a311a4ab1ca11c3665b0bec393a1167d1ad94fb84cb2c7ad7e2c933e8f613bdd08fe1f1aa4a9b0b9de0c8a7c9d4\nP = cfc4ccae35458ab5be1a1bc0664188253301f8702af4f8fb19fed12de0c653b1\n\nModSqrt = 38a7365a15365e911286c1be2a7afe76ef390234d76269e04dee17313f6ea54d\nA = 1c4aabb4d8369710131c664ecf2849e963c1bc31d66e0b939bacf99a870c71f24ed71bdddcf566f3908271fee43fc1ebb51eac7e3153efae641b49d2e796a12a\nP = cfc4ccae35458ab5be1a1bc0664188253301f8702af4f8fb19fed12de0c653b1\n\nModSqrt = 35ab18a560dece04725667f640ca61d1d59f14d191f94c79f58531acd097d444\nA = 685168ae855d60eba220d803f5296459b30a289580668db9ed51bca51cc2d453a937e13819ae34f7a9a143ac96d17420c53919167e46279b562b550be1cd9abc\nP = cfc4ccae35458ab5be1a1bc0664188253301f8702af4f8fb19fed12de0c653b1\n\nModSqrt = 288370029e87024175e5bec0eab0929179f42e16995e7f6194eefc61061e54f4\nA = 2a14ab77c045bdc48220ba9c463e1a4b4049cb01edb53be0937767eb2ec19b7d719855052281250a36a0b76d9a5d967d0756e1ded7a052f7056191ad66bcfc9\nP = cfc4ccae35458ab5be1a1bc0664188253301f8702af4f8fb19fed12de0c653b1\n\nModSqrt = 32255cf01dc943577ec2bcb221b98491d7a1130d046d6c68e95fedff643ce3a4\nA = e26f6dd46a513a1dd3fb14b71be1d4c9e9d79eda1cde10ea4d1eb8abfd4d5857572205e247184dd0cbefa37b5c0bf680ba2bd28c5741f725cfe2aae37419baf\nP = cfc4ccae35458ab5be1a1bc0664188253301f8702af4f8fb19fed12de0c653b1\n\nModSqrt = 5172345e801ada63fbc4782e32583cc3b4fea88b9e6dfd542f3542f8538ade66\nA = 40dafa8342b302bb04b1f3ddb3b9015a8fc1b597857c115b40631c7be9e22de89358fca23b331596ee5ff304dad7811e6d8e8822f7aa533c9e7c882634ea550\nP = a6813d316f9aca30f98b4f864b8b4b8f51493af930bd4d3a1b205a710e99add3\n\nModSqrt = 4dcf63c423bf0e39aca2293d57f6792d023db649d6719fe936446904b9f7e60d\nA = 5bcdb514bbe84261e169203e8017909b60c9bb330400c766ee01b0189378e70e61867a164a12643ddc9e94b61e09e5b158cbe85be228a3cc48f95a552958b8f2\nP = a6813d316f9aca30f98b4f864b8b4b8f51493af930bd4d3a1b205a710e99add3\n\nModSqrt = cf77c5c2d12a500b75cbfb1f3e66ee75d886b9365cf4f8b4d1bd18a6be0f387\nA = 4652ddc2ea7b460d8ec3c9059b8f9b5dae6cac55b51f2ad86fcb336b25235737965cc515e2ff0b54835015b7ebeeda6fadd986471d8cb424d309fc353d1e269\nP = a6813d316f9aca30f98b4f864b8b4b8f51493af930bd4d3a1b205a710e99add3\n\nModSqrt = 1e0549e4c5a26023e9d24fd8c67419960746f82b1ecd113bdac66f570a475d87\nA = 5f4a6d450ab1390d96ab1deaa0ba18f897cb63daf0c9e1ef6c08e804c26b5e842f6c08f13db5d4a6e88f07af2a3cb04fa06fc3e59c410b9356f025ed81acc74\nP = a6813d316f9aca30f98b4f864b8b4b8f51493af930bd4d3a1b205a710e99add3\n\nModSqrt = 144481a781d831c1ca046ca9e322d79ad4d2c6dd9f780bea9d1ced9cd20b7b23\nA = 4c254fabca441017132b9eacd4ca40a336db3e5c09715773fa07af095989a91cc968ff07a9ff56ed06b0ce0c5269f7b2ab68564ecab9f4467a7e96b6cc6b21b7\nP = a6813d316f9aca30f98b4f864b8b4b8f51493af930bd4d3a1b205a710e99add3\n\nModSqrt = 216fecc7667f488a3d2d102a38b46b4860ab858300b8638af4f34e1103fd73ba\nA = 17878f8048227573a9d70f53c0e76ff13fe9f56e9c984c92514d3d13dec23c816661f0618d21371b80dfd885cb59551bdf80046f65f22ea9b89c78645a6e455a\nP = bd37c850cf7d702bac879f3c21a51a5a4df2b8eb0935861e0753a6eb62261a95\n\nModSqrt = 458e5e789ccd2417174f7e30bb31914b9656bd8cf2b9f5a9752a8737a67707bc\nA = 5c7d39a4bb04e69201aa519f80ee7e62ea14ca55e13656d1da3f45367e2fb2d061aa2940708d02ac67d35cd2ccf54a1bf95bcbc759779e692cfdcbb3aa1a05b\nP = bd37c850cf7d702bac879f3c21a51a5a4df2b8eb0935861e0753a6eb62261a95\n\nModSqrt = 543125a16c2bb8b8f8a2c39c497e5224ec77533602d7dbe24002e32dcbd2ef1a\nA = 3413afae333b2ad9ff45c7f3c7e5934b3127e8b1a55225958ee6ccf42423e81559bf070ad3f3353b78c0ffd41475af49f59d268ef78bdae879f5155e8d1cc07\nP = bd37c850cf7d702bac879f3c21a51a5a4df2b8eb0935861e0753a6eb62261a95\n\nModSqrt = 10e16859c67bdb2eaab52a7c847dbf37162eda258a9f6262ebacfe4cbbbc1080\nA = 21ce7905894faf220bdf4a82a2d855994ca2dc9feaecaa53c7f146e1f49934215695e9bb46ba370b7005a90c399674caa8969eb442e7914d90f749774d7fd194\nP = bd37c850cf7d702bac879f3c21a51a5a4df2b8eb0935861e0753a6eb62261a95\n\nModSqrt = 32a00586adc6f6cc2b1a04e1be0ab569fde235e1436c38b6af92bc5ebd60bc1c\nA = 350da4fd8cf03c12f7dd6ac6d3ab801a3413964083e374662aaf878d6838b97d4feb9e52cd307a25b113e101661a865463ee2480c626aa4e2ec437d72e7bae4c\nP = bd37c850cf7d702bac879f3c21a51a5a4df2b8eb0935861e0753a6eb62261a95\n\nModSqrt = 971f75bc7afa8b4b50f1d4b05e52deac7d4836a08d30546f29649bf1ca6a247\nA = 655ed4c5d8d0afb4f9360372ee1ef1303898d2423e585108a3303faedb55064d2ef25666ed4c4d71fe6063fea1f3142b435714b0e30b339dd791d347c884654\nP = 9810151ad4bc9c5d68fc326395b509f2625bfebca1c3801ad4da7539fdbaa6f7\n\nModSqrt = 48fa882b7cb6a29de9e3769f72eb67f1efd4d2af56f0c7e410c610efcbce2065\nA = 14f3503f33b243800eac1defaab33e04c01e80163fb3efd03860970cc016832431ca4fc6d1b760f4f40166b0b8b3c40dbebc81460cc10890172243770338f090\nP = 9810151ad4bc9c5d68fc326395b509f2625bfebca1c3801ad4da7539fdbaa6f7\n\nModSqrt = 236fd7e397ea7f8bc2a288eb7236ca41936fa702b7dccca56c8852e147511f7d\nA = 1bbd0980feac854782813bcde4da85e8a054549a1b515e065da4236528035e756882e29e762cf60453e375cca9dc6ff637f9558bf86646e3b928f68f82af7efe\nP = 9810151ad4bc9c5d68fc326395b509f2625bfebca1c3801ad4da7539fdbaa6f7\n\nModSqrt = 693f0cbe8c81b0afde0cd2f83e53795dcae6b0cc4ba930ab5c752400d787f14\nA = 7b20f9664b23907e152ab8c9a907f72e8670c1c38ab4cd1411ea7c2159c09aa131afe068929b8e6ad1409b74c04975180d1cd0a9fa74e923c3fd451e8da2c34\nP = 9810151ad4bc9c5d68fc326395b509f2625bfebca1c3801ad4da7539fdbaa6f7\n\nModSqrt = 4a086c50b0bad576501ddb6280743b2c9d247841eb7f14d90561432ff7dca6f0\nA = 4367431ec0cd0d7626538b93a090c30fe0c97c18ca03b97ddae304b619112b5b4d02bf0f041fa3fd673f9ef2ceb07eb2079d11c56dd903b1a87e8252a97b8079\nP = 9810151ad4bc9c5d68fc326395b509f2625bfebca1c3801ad4da7539fdbaa6f7\n\nModSqrt = 18f8433fa468d8065157708f1f1e53b8e31d39c6011fbc2bad93de1b5548e19c\nA = 739c032bb4139c199c40f548d37234298772e4ccb9d3ba28412b60ad23b4c465b0787e2382f1c5a4a87af2d20eb978b7dcbe73f2112249477d15c8a85e54a79\nP = adcd56924f73836ebe4dccfe006ad3b1e5076562cd11b161642cab7af2284659\n\nModSqrt = 49e3c8eef5e067cabd51a7c01384ce05ab8f4342f655559d8a689eb7b20e0106\nA = 18400c2cc3e06b99b4e39c77b9af5ff0e9c683f1708321afa4cd5b6988d13b36b1d9eb4379b7902d9ceb40c03f814b2b6a01b90509bbb4532f13ab1571c4d04a\nP = adcd56924f73836ebe4dccfe006ad3b1e5076562cd11b161642cab7af2284659\n\nModSqrt = 35548c530745f440329325cc8a5fbd90c16a7f0788879a4869bc4d4f73acda0e\nA = 181a3c5ab02566e7166c4d6d2f2bd4a8ecc25991a98d270bde80cf4332766a7068b14240bf5f5dcd45e90ef252596da3eb05b11d68b2063f7b3a825742593ca9\nP = adcd56924f73836ebe4dccfe006ad3b1e5076562cd11b161642cab7af2284659\n\nModSqrt = 1ab7046e6af061ade5f9719008fa4d989007e2a579a134a5b9f19ec410984096\nA = 1008a03e211fab0d45856377079bc96b0776c2d4c0175661f3493246cea2ab0a02a706c85314fb707ad9906bedb2cfd577d62092ae08ff21d7b949373ea954c7\nP = adcd56924f73836ebe4dccfe006ad3b1e5076562cd11b161642cab7af2284659\n\nModSqrt = 2be9e3e7515960d90f115b89f60dedc173a73ce163b4036e85b7b6a76fd90852\nA = 392053a9f0100540a8e1a0c353e922068a84dad3a4a8e8962fbc0bee2b6a06e20d08ade16eb1409a16acfcac3db5c43c421505e07035ca308b15c4a6db0864c0\nP = adcd56924f73836ebe4dccfe006ad3b1e5076562cd11b161642cab7af2284659\n\nModSqrt = 5b301bb93bdcf050183107e36258b53b4805918114ea1c2227b0911d5b4dc077\nA = 55e55e5f94dc3d7aabc921f6469d85fa2e1e92a87347c57afad5872306ae69f9fb99297d1e3e793dd9e8632244208154de5da7114fd876383bf1422f7ece024\nP = d43280ac150f725f4a2a1dceb1c79bcac57855a4eba72ae93762d09bcb2444fb\n\nModSqrt = 2df9609e2f5a5156c3260461b2ee52eacdef00bd8b091479813143a6c5283f71\nA = 2099325b7f12fe77353ddf3f2b2c5ef77b49671b150af954cf84e9675e3ecde3e057084641a633d19533b4712ab49924c8b5c31d591abcc88291f51253fa2a7\nP = d43280ac150f725f4a2a1dceb1c79bcac57855a4eba72ae93762d09bcb2444fb\n\nModSqrt = dfab751710e9008e25e422d1199d6fbec4dc7fba35b4da9d225a746eb4126a0\nA = c006af53d4737fb293584df6ffe2e4cb3fd8dc77fb7c1f13b97bb9c249e3ee5fb9feff7488265b3093906c08a4946f142ac7b491937d24bfba6413366ce371d\nP = d43280ac150f725f4a2a1dceb1c79bcac57855a4eba72ae93762d09bcb2444fb\n\nModSqrt = 26bc030008d6c60a09fb0e16093a649fc",
- "b40c6c21a8e2da2353ba4b07c4f85d5\nA = 1eaabcfad2ed349ac9356e6f4da0b301266ddde811cb0f817aba8f5c10fb8b8ba9d0ef2dd386b668f16eac296118fdb8cb7afe1b865648c81c2fa3cf21f2711b\nP = d43280ac150f725f4a2a1dceb1c79bcac57855a4eba72ae93762d09bcb2444fb\n\nModSqrt = 35051b1482ec2578f3dc0000a422cb5111e43c37f1ac20b1844d3de2128c4556\nA = 315ff9de178681116f2a5fa78eebf4818e1d680435eacdfaf9d0e5c4fc01fc034b352c82fd52c81ca30d68864952dacc99d08269c9dd7ca99ccf22da98c3840\nP = d43280ac150f725f4a2a1dceb1c79bcac57855a4eba72ae93762d09bcb2444fb\n\nModSqrt = a5474252885cacf004c460a7793ff0b0a2187bb1a9ed700ae3470199faef71f\nA = 19856fc1351c4b02abf573bb2fc6ff92355fa369d62bb8f2260fa772fb1693f509a56cad661930abcac049dd70f4b16bed4a4c172e73e772504c9990ce7f92f\nP = dc315fd52684fba79e577a204de9053b11a5d7a414263fec9eff6ff62188829d\n\nModSqrt = 12daf4722387ecf47de1b0b6b110a062dc5ea2685bc9dbde66b8d15622985029\nA = fb8479787069116abc42abfd7dc0c24d2ad04fe0c04b42a6dff714af715d17e0fd77855f950f264542b06d48e8818de813ddb7975798b7debefcdaa5ff86beb\nP = dc315fd52684fba79e577a204de9053b11a5d7a414263fec9eff6ff62188829d\n\nModSqrt = 397996ed5c0ac6ad32e43c337e9de421b87774cc162bf7ac7bbedf4a9029255e\nA = 5aa04353321bd2de92481be740357f979da464b53aa39111fdbb734cf7af6b3857d1baa08d3a126a3dd34a2fbae2bf2b84e900686c1d31505b390185acef5fe5\nP = dc315fd52684fba79e577a204de9053b11a5d7a414263fec9eff6ff62188829d\n\nModSqrt = 2cf4b844a54ba359dc592ef1b49f43fcfeae84d1087edfefdd0b9174b43c0a3c\nA = 365a8650510bcfd8fa87432f167cf487234c215857403b9270b5eebeafa48cd6da47fd60dc311b94d1d72baad0447c31f0b212d755f46c256e16e5e015e6546e\nP = dc315fd52684fba79e577a204de9053b11a5d7a414263fec9eff6ff62188829d\n\nModSqrt = 9277c73043ff767c3fa606f0cd66b9d854a600c8c18287f191ce277758c3f31\nA = 62cec3901626d03e8df66299a87c54b1f7a55cafc99f0b6bba1b5d51a3d2b7d2171c9135a9d8a5346d436e0136b12e515e703e3cd84ecfe154eb94c6772a6d72\nP = dc315fd52684fba79e577a204de9053b11a5d7a414263fec9eff6ff62188829d\n\nModSqrt = 4189e5a90c1b1abdc1c7c05b3587e6f362e06f927b6cf5f0d271aab3d6f90765\nA = 336b8d0f9dac842c696bc020f49c6aa023842c16f2052eb02f17959006554ca0012042c80c72590f21c6bf5a3714c9cb552aa69730e33db93a56a909b273f39\nP = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f\n\nModSqrt = 36ccd38cb5a6bd8a73bca55936a2227c503664422c2296faf7e2b1c6a375a43a\nA = fecfd60a376befbe48d2c4f6d070d716d2f403cd5daefbce62b720df44deb605162c8f20f49fd7ec30d4f8e70d803d45b3a44b5d912baa3410d991165d7c507\nP = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f\n\nModSqrt = 198fc8569be172dc9b71023ed3d42d2ba94bae4099643f6517ab03f540527fdb\nA = 65bebdb00a96fc814ec44b81f98b59fba3c30203928fa5214c51e0a97091645280c947b005847f239758482b9bfc45b066fde340d1fe32fc9c1bf02e1b2d0ec\nP = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f\n\nModSqrt = 21b7f74c30ded681d6138cf8e6fd798f32a049e94138e982f1845df3dc9e686f\nA = 9a30b791c1ba4f394b4e3dcd5837e474237f4fe8987b255c098a47b2c14c598ec69d2beae444dd4fe9c4ede8173d2b187677cc706a3c28f3b81627d8a5fb6fd\nP = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f\n\nModSqrt = a1d52989f12f204d3d2167d9b1e6c8a6174c0c786a979a5952383b7b8bd186\nA = 2eee37cf06228a387788188e650bc6d8a2ff402931443f69156a29155eca07dcb45f3aac238d92943c0c25c896098716baa433f25bd696a142f5a69d5d937e81\nP = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f\n\n\n# NotModSquare tests.\n#\n# These test vectors are such that NotModSquare is not a square modulo P.\n\nNotModSquare = 03\nP = 07\n\nNotModSquare = 05\nP = 07\n\nNotModSquare = 06\nP = 07\n\nNotModSquare = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951e\nP = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f\n\n\n# ModInv tests.\n#\n# These test vectors satisfy ModInv * A = 1 (mod M) and 0 <= ModInv < M.\n\nModInv = 00\nA = 00\nM = 01\n\nModInv = 00\nA = 01\nM = 01\n\nModInv = 00\nA = 02\nM = 01\n\nModInv = 00\nA = 03\nM = 01\n\nModInv = 64\nA = 54\nM = e3\n\nModInv = 13\nA = 2b\nM = 30\n\nModInv = 2f\nA = 30\nM = 37\n\nModInv = 4\nA = 13\nM = 4b\n\nModInv = 1c47\nA = cd4\nM = 6a21\n\nModInv = 2b97\nA = 8e7\nM = 49c0\n\nModInv = 29b9\nA = fcb\nM = 3092\n\nModInv = a83\nA = 14bf\nM = 41ae\n\nModInv = 18f15fe1\nA = 11b5d53e\nM = 322e92a1\n\nModInv = 32f9453b\nA = 8af6df6\nM = 33d45eb7\n\nModInv = d696369\nA = c5f89dd5\nM = fc09c17c\n\nModInv = 622839d8\nA = 60c2526\nM = 74200493\n\nModInv = fb5a8aee7bbc4ef\nA = 24ebd835a70be4e2\nM = 9c7256574e0c5e93\n\nModInv = 846bc225402419c\nA = 23026003ab1fbdb\nM = 1683cbe32779c59b\n\nModInv = 5ff84f63a78982f9\nA = 4a2420dc733e1a0f\nM = a73c6bfabefa09e6\n\nModInv = 133e74d28ef42b43\nA = 2e9511ae29cdd41\nM = 15234df99f19fcda\n\nModInv = 46ae1fabe9521e4b99b198fc8439609023aa69be2247c0d1e27c2a0ea332f9c5\nA = 6331fec5f01014046788c919ed50dc86ac7a80c085f1b6f645dd179c0f0dc9cd\nM = 8ef409de82318259a8655a39293b1e762fa2cc7e0aeb4c59713a1e1fff6af640\n\nModInv = 444ccea3a7b21677dd294d34de53cc8a5b51e69b37782310a00fc6bcc975709b\nA = 679280bd880994c08322143a4ea8a0825d0466fda1bb6b3eb86fc8e90747512b\nM = e4fecab84b365c63a0dab4244ce3f921a9c87ec64d69a2031939f55782e99a2e\n\nModInv = 1ac7d7a03ceec5f690f567c9d61bf3469c078285bcc5cf00ac944596e887ca17\nA = 1593ef32d9c784f5091bdff952f5c5f592a3aed6ba8ea865efa6d7df87be1805\nM = 1e276882f90c95e0c1976eb079f97af075445b1361c02018d6bd7191162e67b2\n\nModInv = 639108b90dfe946f498be21303058413bbb0e59d0bd6a6115788705abd0666d6\nA = 9258d6238e4923d120b2d1033573ffcac691526ad0842a3b174dccdbb79887bd\nM = ce62909c39371d463aaba3d4b72ea6da49cb9b529e39e1972ef3ccd9a66fe08f\n\nModInv = aebde7654cb17833a106231c4b9e2f519140e85faee1bfb4192830f03f385e773c0f4767e93e874ffdc3b7a6b7e6a710e5619901c739ee8760a26128e8c91ef8cf761d0e505d8b28ae078d17e6071c372893bb7b72538e518ebc57efa70b7615e406756c49729b7c6e74f84aed7a316b6fa748ff4b9f143129d29dad1bff98bb\nA = a29dacaf5487d354280fdd2745b9ace4cd50f2bde41d0ee529bf26a1913244f708085452ff32feab19a7418897990da46a0633f7c8375d583367319091bbbe069b0052c5e48a7daac9fb650db5af768cd2508ec3e2cda7456d4b9ce1c39459627a8b77e038b826cd7e326d0685b0cd0cb50f026f18300dae9f5fd42aa150ee8b\nM = d686f9b86697313251685e995c09b9f1e337ddfaa050bd2df15bf4ca1dc46c5565021314765299c434ea1a6ec42bf92a29a7d1ffff599f4e50b79a82243fb24813060580c770d4c1140aeb2ab2685007e948b6f1f62e8001a0545619477d498132c907774479f6d95899e6251e7136f79ab6d3b7c82e4aca421e7d22fe7db19c\n\nModInv = 1ec872f4f20439e203597ca4de9d1296743f95781b2fe85d5def808558bbadef02a46b8955f47c83e1625f8bb40228eab09cad2a35c9ad62ab77a30e3932872959c5898674162da244a0ec1f68c0ed89f4b0f3572bfdc658ad15bf1b1c6e1176b0784c9935bd3ff1f49bb43753eacee1d8ca1c0b652d39ec727da83984fe3a0f\nA = 2e527b0a1dc32460b2dd94ec446c692989f7b3c7451a5cbeebf69fc0ea9c4871fbe78682d5dc5b66689f7ed889b52161cd9830b589a93d21ab26dbede6c33959f5a0f0d107169e2daaac78bac8cf2d41a1eb1369cb6dc9e865e73bb2e51b886f4e896082db199175e3dde0c4ed826468f238a77bd894245d0918efc9ca84f945\nM = b13133a9ebe0645f987d170c077eea2aa44e85c9ab10386d02867419a590cb182d9826a882306c212dbe75225adde23f80f5b37ca75ed09df20fc277cc7fbbfac8d9ef37a50f6b68ea158f5447283618e64e1426406d26ea85232afb22bf546c75018c1c55cb84c374d58d9d44c0a13ba88ac2e387765cb4c3269e3a983250fa\n\nModInv = 30ffa1876313a69de1e4e6ee132ea1d3a3da32f3b56f5cfb11402b0ad517dce605cf8e91d69fa375dd887fa8507bd8a28b2d5ce745799126e86f416047709f93f07fbd88918a047f13100ea71b1d48f6fc6d12e5c917646df3041b302187af641eaedf4908abc36f12c204e1526a7d80e96e302fb0779c28d7da607243732f26\nA = 31157208bde6b85ebecaa63735947b3b36fa351b5c47e9e1c40c947339b78bf96066e5dbe21bb42629e6fcdb81f5f88db590bfdd5f4c0a6a0c3fc6377e5c1fd8235e46e291c688b6d6ecfb36604891c2a7c9cbcc58c26e44b43beecb9c5044b58bb58e35de3cf1128f3c116534fe4e421a33f83603c3df1ae36ec88092f67f2a\nM = 53408b23d6cb733e6c9bc3d1e2ea2286a5c83cc4e3e7470f8af3a1d9f28727f5b1f8ae348c1678f5d1105dc3edf2de64e65b9c99545c47e64b770b17c8b4ef5cf194b43a0538053e87a6b95ade1439cebf3d34c6aa72a11c1497f58f76011e16c5be087936d88aba7a740113120e939e27bd3ddcb6580c2841aa406566e33c35\n\nModInv = 87355002f305c81ba0dc97ca2234a2bc02528cefde38b94ac5bd95efc7bf4c140899107fff47f0df9e3c6aa70017ebc90610a750f112cd4f475b9c76b204a953444b4e7196ccf17e93fdaed160b7345ca9b397eddf9446e8ea8ee3676102ce70eaafbe9038a34639789e6f2f1e3f352638f2e8a8f5fc56aaea7ec705ee068dd5\nA = 42a25d0bc96f71750f5ac8a51a1605a41b506cca51c9a7ecf80cad713e56f70f1b4b6fa51cbb101f55fd74f318adefb3af04e0c8a7e281055d5a40dd40913c0e1211767c5be915972c73886106dc49325df6c2df49e9eea4536f0343a8e7d332c6159e4f5bdb20d8",
- "9f90e67597c4a2a632c31b2ef2534080a9ac61f52303990d\nM = d3d3f95d50570351528a76ab1e806bae1968bd420899bdb3d87c823fac439a4354c31f6c888c939784f18fe10a95e6d203b1901caa18937ba6f8be033af10c35fc869cf3d16bef479f280f53b3499e645d0387554623207ca4989e5de00bfeaa5e9ab56474fc60dd4967b100e0832eaaf2fcb2ef82a181567057b880b3afef62\n\n\n# GCD tests.\n#\n# These test vectors satisfy gcd(A, B) = GCD and lcm(A, B) = LCM.\n\nGCD = 0\nA = 0\nB = 0\n# Just to appease the syntax-checker.\nLCM = 0\n\nGCD = 1\nA = 92ff140ac8a659b31dd904161f9213706a08a817ae845e522c3af0c9096699e059b47c8c2f16434b1c5766ebb384b79190f2b2a62c2378f45e116890e7bb407a\nB = 2f532c9e5902b0d68cd2ed69b2083bc226e8b04c549212c425a5287bb171c6a47fcb926c70cc0d34b8d6201c617aee66af865d31fdc8a2eeb986c19da8bb0897\nLCM = 1b2c97003e520b0bdd59d8c35a180b4aa36bce14211590435b990ad8f4c034ce3c77899581cb4ee1a022874203459b6d53859ab1d99ff755efa253fc0e5d8487bb000c13c566e8937f0fe90b95b68bc278610d4f232770b08d1f31bee55a03da47f2d0ebb9e7861c4f16cc22168b68593e9efcde00f54104b4c3e1a0b294d7f6\n\nGCD = a\nA = faaffa431343074f5c5d6f5788500d7bc68b86eb37edf166f699b4d75b76dae2cb7c8f6eccae8f18f6d510ef72f0b9633d5740c0bebb934d3be796bd9a53808e\nB = 2f48ec5aa5511283c2935b15725d30f62244185573203b48c7eb135b2e6db5c115c9446ac78b020574665b06a75eb287e0dbeb5da7c193294699b4c2129d2ac4\nLCM = 4a15f305e9622aa19bd8f39e968bfc16d527a47f7a5219d7b02c242c77ef8b608a4a6141f643ca97cedf07c0f1f3e8879d2568b056718aa15c0756899a08ccbe0a658bae67face96fa110edb91757bfa4828e8ff7c5d71b204f36238b12dd26f17be8ba9771f7068d63e41d423671f898f054b1187605754bc5546f2b02c5ac\n\nGCD = 16\nA = cf0b21bde98b41b479ac8071086687a6707e9efaacd4e5299668ce1be8b13290f27fd32ae68df87c292e8583a09d73ec8e8a04a65a487380dcd7dacca3b6e692\nB = 3be3f563f81d5ad5c1211db7eff430aa345e830ce07b4bde7d4d32dba3ac618d2034351e5435fd6c7f077971fb4a1e83a7396a74fdff7fce1267112851db2582\nLCM = 233a2188de2c017235024b182286f17562b2ee5ab9fdfe4efa2f61c4ff99fa44e1ead5bf6cde05bd7502ce78373c83e3f9dbab0c9bb8620a87c2640bce5d12c685af656df789bb3d0ba1edbaa98cf4f0166d422ab17aa6706f8132264d45b72827d6671a00a9186e723379e3a3bb7902d08865f357c74100059f83800241976\n\nGCD = 1\nA = dd7b7597d7c1eb399b1cea9b3042c14bd6022d31b1d2642a8f82fc32de6eadaf012fbbf349eaec4922a8468740ca73c6090833d6a69a380ed947b39c2f9b0b76\nB = 8e0dc8654e70eec55496038a8d3fff3c2086bc6dbfc0e2dbdf5bd7de03c5aef01a3982556ac3fc34fd5f13368be6cdc252c82367b7462e210f940f847d382dd9\nLCM = 7ae667df4bd4dd35bbec28719a9f1b5e1f396a9ab386c086742a6ab3014a3386d39f35b50624d0c5b4e6b206c2635c7de5ea69e2faa85dd616a7e36622962a07632839857aa49332942feccff2aee1c962e2f4e8ccfd738a5da5bf528b4c5a2440409350f5a17a39d234403e8482ccf838e0d2758ccfb8018198a51dbb407506\n\nGCD = 1\nA = 0\nB = 1\nLCM = 0\n\nGCD = 1\nA = 1\nB = 0\nLCM = 0\n\nGCD = 1\nA = 1\nB = 1\nLCM = 1\n\nGCD = 2b2\nA = dfccaa3549c1b59ab3e114fe87dc5d187719abad58c51724e972741eb895ab79a49f385f61d531ec5c88dbb505ae375093fa848165f71a5ed65e7832a42ade191a\nB = fa58a81f43088da45e659fc1117d0f1cd015aa096c8e5377cf1832191baf7cc28b5c24998b93b64f8900a0973faedb9babaaf1854345f011739da8f1175d9684c\nLCM = 5132f7ab7a982b9dc55114bd96800b7637f9742cf8a7a00a0d69d5e4574fc85792c89a1c52bcfc74b9d7f3f6164819466c46b2d622e280ced7ad1211604084a15dc1fd1951a05c8ce37122c0ec15891d818a70d3763670ea3195098de9b1ca50ea89893a9753fb9ea801541058f44801f7f50967124abfc864a2b01c41f94193c\n\nGCD = 8e\nA = 248d96a8a4cab0a1b194e08c1146868b094597cadbc35531f0ed2d77cba9f15cb5cc7c10e64ce054bf93396d25259d750b3de3aba65073db1fd2b852a6454ac1a\nB = 4c7bad8e1844901fd6a2ce2edc82e698d28ec95d6672ca148d85b49ecc78dd0a8b870e202244210bc98592b99ff6abbd20630f9eee7d46b15ccfae8d08b86799de\nLCM = 13b01f9d9c6c13e90c97e3d95bbce5a835c631b3de3bd4ff5df13ad850f5223dbdf71c53912275d0397df9335ef3a3ba8e4684c6b25962bb7b18bc74144cb5edf0196f79863a7ff032619a71646a92281f7baace7f223d254cb4d05ec19bf8d4c8ce4455a9d770daec89c0d3cf338cbdae39cf982b3c4568f5c9def4e1133d28a\n\nGCD = 3e55\nA = 2fa97382f46676b7a4cc2b8153f17b58792d24660e187d33ce55c81cc193ccb6e1e2b89feea1d5fd8faa36e13bf947fb48635e450a4d1488d0978324194a1f43c6\nB = ab08ad074139963bc18e5d87ba68db64ca6f4c279616c64039b02c55f2375b3bc04114e8e05e1ba92fb6470768f61d123845aea36774c18612736a220934561faf\nLCM = 82c7c377ecda2cb9228604cd287df5eff94edd4a539c3eb3b3fdd4b4a79d2f4eaf2b22f8286272d3dad2e370cfcd9ea4d93ebb3f049c52b8fa23b68a5bf79af989822e2cfb978f68c6a5058f47319dffcb455b089b06ae6db9e5c8a2b6e951d6e118bd2b4cd08b6e5733476a446a57387d940d1289ec00e24315821ed3a5daf2\n\nGCD = a7a\nA = 923706dfed67834a1e7e6c8e8e9f93bfbc0b43ca1f324886cf1f1380fb9b77109275d4b50af1b7689802fe9b3623ac46c7ba0e17e908c20278127b07a5c12d86ec\nB = 64473e878a29021fac1c1ce34a63eae1f4f83ee6851333b67213278b9a4a16f005cba0e8cdb410035bb580062f0e486c1a3a01f4a4edf782495f1dc3ebfa837d86\nLCM = 57785ca45b8873032f1709331436995525eed815c55140582ce57fd852116835deac7ca9d95ce9f280e246ea4d4f1b7140ab7e0dd6dc869de87f1b27372098b155ad0a1828fd387dff514acc92eae708609285edaab900583a786caf95153f71e6e6092c8c5ee727346567e6f58d60a5e01c2fa8ebcf86da9ea46876ecc58e914\n\nGCD = 42\nA = 0\nB = 42\nLCM = 0\n\nGCD = 42\nA = 42\nB = 0\nLCM = 0\n\nGCD = 42\nA = 42\nB = 42\nLCM = 42\n\nGCD = f60d\nA = ef7886c3391407529d5cf2e75ed53e5c3f74439ad2e2dc48a79bc1a5322789b4ced2914b97f8ff4b9910d212243b54001eb8b375365b9a87bd022dd3772c78a9fd63\nB = d1d3ec32fa3103911830d4ec9f629c5f75af7039e307e05bc2977d01446cd2cbeeb8a8435b2170cf4d9197d83948c7b8999d901fe47d3ce7e4d30dc1b2de8af0c6e4\nLCM = cc376ed2dc362c38a45a719b2ed48201dab3e5506e3f1314e57af229dc7f3a6a0dad3d21cfb148c23a0bbb0092d667051aa0b35cff5b5cc61a7c52dec4ed72f6783edf181b3bf0500b79f87bb95abc66e4055f259791e4e5eb897d82de0e128ecf8a091119475351d65b7f320272db190898a02d33f45f03e27c36cb1c45208037dc\n\nGCD = 9370\nA = 1ee02fb1c02100d1937f9749f628c65384ff822e638fdb0f42e27b10ee36e380564d6e861fcad0518f4da0f8636c1b9f5124c0bc2beb3ca891004a14cd7b118ddfe0\nB = 67432fd1482d19c4a1c2a4997eab5dbf9c5421977d1de60b739af94c41a5ad384cd339ebfaa43e5ad6441d5b9aaed5a9f7485025f4b4d5014e1e406d5bd838a44e50\nLCM = 159ff177bdb0ffbd09e2aa7d86de266c5de910c12a48cbe61f6fa446f63a2151194777555cd59903d24cb30965973571fb1f89c26f2b760526f73ded7ee8a34ebcecd1a3374a7559bcdb9ac6e78be17a62b830d6bb3982afdf10cf83d61fd0d588eab17d6abef8e6a7a5763fcb766d9a4d86adf5bb904f2dd6b528b9faec603987a0\n\nGCD = c5f\nA = 5a3a2088b5c759420ed0fb9c4c7685da3725b659c132a710ef01e79435e63d009d2931ea0a9ed9432f3d6b8851730c323efb9db686486614332c6e6ba54d597cf98\nB = 1b1eb33b006a98178bb35bbcf09c5bebd92d9ace79fa34c1567efa8d6cf6361547807cd3f8e7b8cd3ddb6209dccbae4b4c16c8c1ec19741a3a57f61571882b7aed7\nLCM = c5cbbbe9532d30d2a7dd7c1c8a6e69fd4fa4828a844d6afb44f3747fef584f7f1f3b835b006f8747d84f7699e88f6267b634e7aef78d6c7584829537d79514eec7d11219721f91015f5cefdc296261d85dba388729438991a8027de4827cd9eb575622e2912b28c9ce26d441e97880d18db025812cef5de01adeaec1322a9c9858\n\nGCD = e052\nA = 67429f79b2ec3847cfc7e662880ab1d94acdf04284260fcfffd67c2862d59704ed45bcc53700c88a5eea023bc09029e9fd114fc94c227fd47a1faa1a5ef117b09bd2\nB = 39faa7cbdeb78f9028c1d50ab34fbe6924c83a1262596f6b85865d4e19cc258b3c3af1ee2898e39e5bee5839e92eac6753bbbb0253bd576d1839a59748b778846a86\nLCM = 1ab071fb733ef142e94def10b26d69982128561669e58b20b80d39cf7c2759d26b4a65d73b7f940c6e8fc417180ef62d7e52ac24678137bd927cd8d004ad52b02affe176a1ecde903dbc26dcc705678f76dd8cd874c0c3fe737474309767507bbe70dd7fb671bbb3694cedf0dcdaa0c716250ddd6dfec525261572fa3e1387f7b906\n\nGCD = 3523\nA = 0\nB = 3523\nLCM = 0\n\nGCD = 3523\nA = 3523\nB = 0\nLCM = 0\n\nGCD = 3523\nA = 3523\nB = 3523\nLCM = 3523\n\nGCD = f035a941\nA = 16cd5745464dfc426726359312398f3c4486ed8aaeea6386a67598b10f744f336c89cdafcb18e643d55c3a62f4ab2c658a0d19ea3967ea1af3aee22e11f12c6df6e886f7\nB = 74df09f309541d26b4b39e0c01152b8ad05ad2dfe9dd2b6706240e9d9f0c530bfb9e4b1cad3d4a94342aab309e66dd42d9df01b47a45173b507e41826f24eb1e8bcc4459\nLCM = b181771d0e9d6b36fdfcbf01d349c7de6b7e305e1485ea2aa32938aa919a3eee9811e1c3c649068a7572f5d251b424308da31400d81ac4078463f9f71d7efd2e681f92b13a6ab3ca5c9063032dcbdf3d3a9940ce65e54786463bbc06544e1280f25bc7579d264f6f1590cf09d1badbf542ce435a14ab04d25d88ddbac7d22e8cae1c91f\n\nGCD = 33ad1b8f\nA = 1af010429a74e1b612c2fc4d7127436f2a5dafda99015ad15385783bd3af8d81798a57d85038bcf09a2a9e99df713b4d6fc1e3926910fbbf1f006133cb27dc5ebb9cca85\nB = 92a4f45a90965a4ef454f1cdd883d20f0f3be34d43588b5914677c39d577a052d1b25a522be1a656860a540970f99cbc8a3adf3e2139770f664b4b7b9379e13daf7d26c\nLCM = 4c715520ed920718c3b2f62821bc75e3f",
- "f9fd184f76c60faf2906ef68d28cd540d3d6c071fa8704edd519709c3b09dfaee12cb02ab01ad0f3af4f5923d5705ce6d18bcab705a97e21896bb5dd8acb36ee8ec98c254a4ddc744297827a33c241f09016a5f109248c83dd41e4cea73ce3eabb28d76678b7e15545b96d22da83c111b6b624\n\nGCD = dc0429aa\nA = ccb423cfb78d7150201a97114b6644e8e0bbbb33cadb0ef5da5d3c521a244ec96e6d1538c64c10c85b2089bdd702d74c505adce9235aa4195068c9077217c0d431de7f96\nB = 710786f3d9022fc3acbf47ac901f62debcfda684a39234644bac630ab2d211111df71c0844b02c969fc5b4c5a15b785c96efd1e403514235dc9356f7faf75a0888de5e5a\nLCM = 6929af911850c55450e2f2c4c9a72adf284fe271cf26e41c66e1a2ee19e30d928ae824f13d4e2a6d7bb12d10411573e04011725d3b6089c28d87738749107d990162b485805f5eedc8f788345bcbb5963641f73c303b2d92f80529902d3c2d7899623958499c8a9133aae49a616c96a2c5482a37947f23af18c3247203ac2d0e760340e6\n\nGCD = 743166058\nA = 16cd476e8031d4624716238a3f85badd97f274cdfd9d53e0bd74de2a6c46d1827cc83057f3889588b6b7ca0640e7d743ed4a6eaf6f9b8df130011ecc72f56ef0af79680\nB = 86eba1fc8d761f22e0f596a03fcb6fe53ad15a03f5b4e37999f60b20966f78ba3280f02d3853f9ace40438ccfaf8faed7ace2f2bf089b2cdd4713f3f293bf602666c39f8\nLCM = 1a7a1b38727324d6ba0290f259b8e2b89c339b2445cada38a5a00ded1468ab069f40678ce76f7f78c7c6f97783cc8a49ef7e2a0c73abbac3abc66d1ce99566ce7f874a8949ca3442051e71967695dc65361184748c1908e1b587dc02ed899a524b34eb30b6f8db302432cfa1a8fbf2c46591e0ab3db7fd32c01b1f86c39832ee9f0c80\n\nGCD = 6612ba2c\nA = 0\nB = 6612ba2c\nLCM = 0\n\nGCD = 6612ba2c\nA = 6612ba2c\nB = 0\nLCM = 0\n\nGCD = 6612ba2c\nA = 6612ba2c\nB = 6612ba2c\nLCM = 6612ba2c\n\nGCD = 2272525aa08ccb20\nA = 11b9e23001e7446f6483fc9977140d91c3d82568dabb1f043a5620544fc3dda233b51009274cdb004fdff3f5c4267d34181d543d913553b6bdb11ce2a9392365fec8f9a3797e1200\nB = 11295529342bfb795f0611d03afb873c70bd16322b2cf9483f357f723b5b19f796a6206cf3ae3982daaeafcd9a68f0ce3355a7eba3fe4e743683709a2dd4b2ff46158bd99ff4d5a0\nLCM = 8d4cbf00d02f6adbaa70484bcd42ea932000843dcb667c69b75142426255f79b6c3b6bf22572597100c06c3277e40bf60c14c1f4a6822d86167812038cf1eefec2b0b19981ad99ad3125ff4a455a4a8344cbc609e1b3a173533db432bd717c72be25e05ed488d3970e7ed17a46353c5e0d91c8428d2fec7a93210759589df042cab028f545e3a00\n\nGCD = 3480bf145713d56f9\nA = 8cf8ef1d4f216c6bcec673208fd93b7561b0eb8303af57113edc5c6ff4e1eeae9ddc3112b943d947653ba2179b7f63505465126d88ad0a0a15b682f5c89aa4a2a51c768cd9fdeaa9\nB = a6fd114023e7d79017c552a9051ca827f3ffa9f31e2ee9d78f8408967064fcdc9466e95cc8fac9a4fa88248987caf7cf57af58400d27abd60d9b79d2fe03fad76b879eceb504d7f\nLCM = 1c05eee73a4f0db210a9007f94a5af88c1cdd2cba456061fd41de1e746d836fa4e0e972812842e0f44f10a61505f5d55760c48ba0d06af78bb6bde7da8b0080b29f82b1161e9c0b5458e05ac090b00f4d78b1cc10cf065124ba610e3acab092a36fe408525e21c0ddc7c9696ed4e48bd2f70423deecfe62cecc865c6088f265da0e5961d3f3a84f\n\nGCD = 917e74ae941fcaae\nA = 652f8a92d96cbf0a309629011d0fbaceb1266bc2e8243d9e494eead4cf7100c661b537a8bea93dec88cfc68597d88a976c125c3b4de19aba38d4ea9578202e59848d42652518348a\nB = 32e07b71979d57e8344e97c39680a61e07d692d824ae26b682156890792d8a766ee29a4968f461aaced5bf049044fba2f4120b1c1f05985676f975d4582e9e82750d73c532cd07b2\nLCM = 23620c7b897dc26c7717e32f3517ac70bf09fbe08f7255ab010cf4cf946f4e96304c425043452c5d5a0e841d3a3cfd9c2d84d9256f3b5974fe3ebfa9255fe20a710d3e6511606c0d85970381101c7f4986d65ad6a73a71507f146b11f903043cfa805cc0b14d4f3072da98bf22282f7762040406c02d5b3ef9e7587f63bab8b29c61d8e30911aa96\n\nGCD = 2b9adc82005b2697\nA = 19764a84f46045ef1bca571d3cbf49b4545998e64d2e564cc343a53bc7a0bcfbe0baa5383f2b346e224eb9ce1137d9a4f79e8e19f946a493ff08c9b423574d56cbe053155177c37\nB = 1bbd489ad2ab825885cdac571a95ab4924e7446ce06c0f77cf29666a1e20ed5d9bc65e4102e11131d824acad1592075e13024e11f12f8210d86ab52aa60deb250b3930aabd960e5a\nLCM = 1032a0c5fffc0425e6478185db0e5985c645dd929c7ebfeb5c1ee12ee3d7b842cfab8c9aa7ff3131ac41d4988fb928c0073103cea6bb2cc39808f1b0ad79a6d080eac5a0fc6e3853d43f903729549e03dba0a4405500e0096b9c8e00510c1852982baec441ed94efb80a78ed28ed526d055ad34751b831b8749b7c19728bf229357cc5e17eb8e1a\n\nGCD = 8d9d4f30773c4edf\nA = 0\nB = 8d9d4f30773c4edf\nLCM = 0\n\nGCD = 8d9d4f30773c4edf\nA = 8d9d4f30773c4edf\nB = 0\nLCM = 0\n\nGCD = 8d9d4f30773c4edf\nA = 8d9d4f30773c4edf\nB = 8d9d4f30773c4edf\nLCM = 8d9d4f30773c4edf\n\nGCD = 6ebd8eafb9a957a6c3d3d5016be604f9624b0debf04d19cdabccf3612bbd59e00\nA = 34dc66a0ffd5b8b5e0ffc858dfc4655753e59247c4f82a4d2543b1f7bb7be0e24d2bbf27bb0b2b7e56ee22b29bbde7baf0d7bfb96331e27ba029de9ffdff7bdb7dc4da836d0e58a0829367ec84ea256833fd4fe1456ad4dd920557a345e12000\nB = 1f3406a20e20ebf96ccb765f898889a19b7636608fd7dc7c212607b641399543f71111d60e42989de01eaa6ff19a86ea8fbde1a3d368c0d86dc899e8e250fc764090f337958ca493119cbb4ad70cbfae7097d06d4f90ec62fbdd3f0a4496e600\nLCM = ee502c50e3667946e9089d0a9a0382e7fd0b75a17db23b56a0eec997a112c4dbd56d188808f76fe90451e5605550c9559ef14a95014c6eb97e9c1c659b98515c41470142843de60f72fb4c235faa55b0a97d943221003d44e2c28928f0b84bf071256254897ed31a7fd8d174fc962bc1311f67900ac3abcad83a28e259812f1ee229511ab1d82d41f5add34693ba7519babd52eb4ec9de31581f5f2e40a000\n\nGCD = ef7399b217fc6a62b90461e58a44b22e5280d480b148ec4e3b4d106583f8e428\nA = 7025e2fe5f00aec73d90f5ad80d99ca873f71997d58e59937423a5e6ddeb5e1925ed2fd2c36a5a9fc560c9023d6332c5d8a4b333d3315ed419d60b2f98ccf28bbf5bf539284fd070d2690aeaac747a3d6384ee6450903a64c3017de33c969c98\nB = df0ac41dbabce1deeb0bceb1b65b1079850052ecf6534d0cff84a5a7fb5e63baee028d240f4419925154b96eaa69e8fbb1aae5102db7916234f290aa60c5d7e69406f02aeea9fe9384afbff7d878c9ac87cd31f7c35dff243b1441e09baff478\nLCM = 687669343f5208a6b2bb2e2efcac41ec467a438fde288cc5ef7157d130139ba65db9eb53e86a30c870bd769c0e0ab15a50f656cd9626621ae68d85eaff491b98da3ea5812062e4145af11ea5e1da457084911961ef2cd2ac45715f885ba94b4082aa76ffd1f32461f47c845b229d350bf36514c5ce3a7c782418746be342eca2721346ade73a59475f178c4f2448e1326110f5d26a0fef1a7a0c9288489e4dc8\n\nGCD = 84b917557acf24dff70cb282a07fc52548b6fbbe96ca8c46d0397c8e44d30573\nA = 81dbb771713342b33912b03f08649fb2506874b96125a1ac712bc94bfd09b679db7327a824f0a5837046f58af3a8365c89e06ff4d48784f60086a99816e0065a5f6f0f49066b0ff4c972a6b837b63373ca4bb04dcc21e5effb6dfe38271cb0fa\nB = 1da91553c0a2217442f1c502a437bb14d8c385aa595db47b23a97b53927b4493dd19f1bc8baf145bc10052394243089a7b88d19b6f106e64a5ab34acad94538ab504d1c8ebf22ac42048bbd1d4b0294a2e12c09fe2a3bd92756ba7578cb34b39\nLCM = 1d0530f8142754d1ee0249b0c3968d0ae7570e37dadbe4824ab966d655abf04cd6de5eb700eba89d8352dec3ae51f2a10267c32fbd39b788c7c5047fe69da3d7ad505435a6212f44899ba7e983bb780f62bcdee6f94b7dba8af7070a4cc008f351ae8be4579bc4a2e5c659ce000ad9c8cdc83723b32c96aeb0f5f4127f6347353d05525f559a8543cd389ad0af6f9d08a75b8c0b32419c097e6efe8746aee92e\n\nGCD = 66091477ea3b37f115038095814605896e845b20259a772f09405a8818f644aa\nA = cedac27069a68edfd49bd5a859173c8e318ba8be65673d9d2ba13c717568754ed9cbc10bb6c32da3b7238cff8c1352d6325668fd21b4e82620c2e75ee0c4b1aff6fb1e9b948bbdb1af83cecdf356299b50543b72f801b6a58444b176e4369e0\nB = 5f64ca1ba481f42c4c9cf1ffa0e515b52aa9d69ceb97c4a2897f2e9fa87f72bae56ee6c5227f354304994c6a5cc742d9f09b2c058521975f69ca5835bce898cf22b28457cd7e28870df14e663bb46c9be8f6662f4ff34d5c4ae17a888eba504e\nLCM = c163cb28642e19a40aa77887c63180c2c49fc10cda98f6f929c8131752ea30b5283a814a81681b69b9d1762e6c1a9db85f480bc17f998d235fd7e64c1caa70ef170c9e816d3e80f516b29f2c80cfb68bf208b4d5082ef078da4314b3f20c7d6c54b0aeb378096b029a7b61c0a4cd14aeddc01004c53915a4f692d2291752e5af46b23d7fa6dd61f2d56c6f4bf8e6119688abac8fd7aba80e846a7764bb3fca0\n\nGCD = bb80bf51757ba696c700fa4e4c0132b3151d2bf9ebff8382f808ded78be67182\nA = 0\nB = bb80bf51757ba696c700fa4e4c0132b3151d2bf9ebff8382f808ded78be67182\nLCM = 0\n\nGCD = bb80bf51757ba696c700fa4e4c0132b3151d2bf9ebff8382f808ded78be67182\nA = bb80bf51757ba696c700fa4e4c0132b3151d2bf9ebff8382f808ded78be67182\nB = 0\nLCM = 0\n\nGCD = bb80bf51757ba696c700fa4e4c0132b3151d2bf9ebff8382f808ded78be67182\nA = bb80bf51757ba696c700fa4e4c0132b3151d2bf9ebff8382f808ded78be67182\nB = bb80bf51757ba696c700fa4e4c0132b3151d2bf9ebff8382f808ded78be67182\nLCM = bb80bf51757ba696c700fa4e4c0132b3151d2bf9ebff8382f808ded78be67182\n\nGCD = 120451d8307219aa0c96f328ad653ccd462e92423ca93ed8a3dde45bf5cb9b13cdaf9800e4d05dd71c4db6a129fb3280ee4ec96ec5297d881c1a8b5efccbd91fef21f5c5bf5fba42a4c8eaa358f620a074b7a17054527bdaa58d5acaa0dfdc48ecba1a10ebf4d57bb4215de406e6be13fed3fe493b1cd1e2d11a8d4ac03c47756\nA = 3f8179a8e1f0b342475a855c3e1bae402dd41424cf24a0",
- "b4d2e263c8efb08bde7d92eae8607fb5e88b1378f0f1bd0733f229a35be6b1383a48d32749d5d6b32427d26323b7ab05bb5781289e96bfbc21971439319b15f6c0fe93fdb35d0b67ec41443c59a081dd3cef047ac797fccb45bece84c0bb0bb7e1797259526d8ec9cc63ba4d32cfc692ccd3d243cb2b53ac216312f3a8e8c0daa09d21b6150d697639a5e52059414a417c607be8ec0eee2e708219cadbaf37a369c4485b01ed87bbc2\nB = 2c474e396a2dd9cd10b9d7313f69d3b4ca123e9fd853edd488339236d14c56453a1381958864a04d2624e81995dabcdd0ccf60db9917813f887de68da075d0ea4440001e18f470e43b38ee3440b49be651d709fbdef980e3e4149913f4ae2681124f54523f4881376ddb533b5219e804cc26f4c2e577be4e02613c4da80ba1215775b0a5178a965ad47bd2befb32493943ded1004ef66347b4983f8d1ba990d4a943505dfce6debcfb322842ed88106cd6dee9aa592ff0d2274bc727a6e1f14c\nLCM = 9c129cf649555bfd2d3d9c64dc6d6f022295e53bca5d2f218adaa66aa60eb4694429b7e83bf81b6df4459c5104023ab9a33f006ffcd8114507baa17e2ef6fe23ebdd4740f66879033da2041f2cb7ba517ad3526ffe75614ea9432c085f71b2d65a736bac7ba42b639e330b82733372083843dcb78b6a273ab20e0d4b7c8998a14048aa15bb20a0a0bd997917107274c89b4cec175fb98043d52e6c555bd9e0036566d052a6d4e7e276d1e8835e1f06e3ca46d47747ba586e95fb1a790d992834b7c3e136141eb8a434e6c12067246ac3c0a81c69e03b1ed28aa0b3173d6eff83d278c2f461a47a416f3f9a5dae3bb410fd18817bd4115e7f1e84b936cc02364\n\nGCD = 95aa569a2c76854300d7660847dd20fe0b8c445fdbcaa98465cee61aee76ad6a438e75a8c573198570ffb62bc07ec3a2be0ae0a1f631670fa88d6f75f3161e8b9a4d44b6801ffc884c7f469c5ed1f27b1edecce9f2977f9e92d1a3b230492fea7e6f2af739dc158a7fbd29856cbedb57b4119e64b27ab09eb1c2df01507d6e7fd\nA = 4c653b5bfec44e9be100c064dffe5d8cd59b0cf4cc56b03eabb4ef87cfda6506c9a756b811907fe9d8b783eb7a0b9e129773bf1da365ddb488d27b16fb983e89345d1ccdb4f06a67a11925c3f266373be5d7b0075189c6f3c2157e2da197058fe0a7bcc50adc34e99e254a29abbe2d5948d3157e1b0c3fca3d641760f7b9862843b63abef0b3d83fd486f4526b30382fda355575da30e9a106718a3921774c4d69f5311f8d737fe618f5236b4763fe1b2ee7f13184db67367d3903c535ff6d7b\nB = 2dcca83c99a28e9fd2f84e78973699baf2f04fd454094730948b22477834a0064817b86e0835e6d7b26e5b0b1dcf4ad91a07ac0780d6522df1fcac758cf5db6c2a5623d7c0f1afefd5718f7b6de639867d07a9ec525991304e9355d1635104bea837f74758d6aa2aab4e4afbb606af1d98de7417505e4710cd0589bdff9a0bf38a857cc59a5f1781043e694fc2337fd84bdeb28b13a222bb09328a81ec409ad586e74236393d27398cc24d412135e34247c589149e134b97f4bd538ac9a3424b\nLCM = 1760c0b0066aa0695767099e87e9388729ea89b8e8c36bddcd04d257591e741613c07b0e69447c0a468c33a745084171e06523d987d8db40a1433bf435325e8a724a0876503b34495170ff3671d42117a2e4f3a75b1d9dd809a34fa0fb26fe50d84f80a9b02e40190e5efb927a5a61a03f13edbce2e666af6c3a2a9bcb84e47e3090008753ff27c4b8cf06480f471379a93f5230923623a83b286b71a555cd5e5347282f664ed90b14b2c4de84a70375e488211a7b3931119ef3bbe029b712389fe784818a0bf29d80733ce9cc940c547aa1eb3f06d492eb676bf37802283c82ce76156dfaab5c2d5107e08062681b5fa169f6eb68e1ab8bd9b2005e90bd4fd\n\nGCD = 244b9b1290cf5b4ba2f810574c050651489f2d3a2b03e702b76ebfaf4e33de9bbe5da24c919e68d3a72eadd35982b3a89c6b18b38ff7082ac65263e52b6ec75a5717b971c98257b194c828bff0216a99536603b41a396ea2fb50f5ea7cf3edf10bb0d039123e78593ae9ffcbbba02e51e038533e83b6bc73c70551d6467f39809\nA = 41a0b1310669500681cdf888836f6c556758750f562d743ac780dd4c0d161856380e44fdbb1f8a2786bf45be6b0e7f1cb2cd85f6b9e50acc72793d92383c7d7fb796fc74d32e8fac8225bdc19ae47546d9c9c75f5f06ca684f07daccaf89ccf2cddeb7ec255d530c7dd1e71daf44cafdc9d30fbcb1cbaefae3480585f79f4177e3834a5bc91845e2e8cd8aeb27f484e5e5b2c3c076dbb6c23e91303f0a0fdde83cd33a8ea6ed1549e727b4d766c1017c169710fd98e1585d60f66e121f9180b3\nB = 251f5aeaa60b3959285f49540cdaf8e21451110bbddb9933bbbcaea3112f4eb45e435a3ba37c52d2ab79ce997a8f6c829b3aa561f2852924b8effb52396d09d2bf257ebb4fb56c7aa25648f69b06d2cd01e876c9f9c0679de9e6fffa79eb7e603723e5af7de46ee405a5a079229577b5b6fffb8d43e391fe6f4eb89638e64d6eff8026249aaa355a91625eb0bfd14caa81e4c3586aaa2e94fde143a44f223a91e226661d12f55dfcdb4215e5a64e14e968005733be6a71c465de312ca109b34a\nLCM = 431f918b274f3e43f446e4e85567883d6536a0332db662cef088f5a36b0f4b68372048174ba10fee94b9f8f1c2e189c974be2e6e8ae8e2ae108445326d40f63e38d8d4e2e46174589a3cbc9583e0036dc8146e79eee9e96f4436313b3f143dd0f5aceab05243def7f915169c360f55ef123977cf623c5ba432c3259c62fb5e37d5adab0f24b825aa4ada99ec4e83e9ca4698399e1ed633091ce5f9844c540a642cd264201116ed4168aa2105a5159f5df064f845830c469140f766c7319052ce59bd1ad7c3f2d8c30e54f147f6aeb5586c70c984302ba18d854a60aec01b394c7d66fa33fe18fe4a8cfb3238df219294e6e42190a30d28b10049a1b75853a4e\n\nGCD = 206695d52bc391a4db61bf8cb6ea96188333a9c78f477ee76976c2346dad682cf56ca6f176d86ef67d41ff5921b6162b0eca52359975872430dd14c45643eacdf028d830770714c033fd150669705851b2f02de932322d271d565d26768530c3f6cb84f0b3356f970b9070b26c050ead0417152c324c8ffe266d4e8b5b7bef3a\nA = 1114eb9f1a9d5947eb1399e57f5c980833489685023ed2fe537fe1276c1e026b9a19e6fff55aa889d6c4e977b6e6f3111e2ad463138637b50f42cf32e57d83f282de9e72f813e5969195159a666d74dcd689bd527c60199ae327f7bd548ac36868fea5fdf6f35d19b921e7c10b6448ca480de6826478cd0642d72f05af3f8e65ce42409fbd49f56e81946e89c8e83962c4edc0ed54600600a305e52d081aed3c351e450e11f8fb0ce5754c92cf765b71393b2b7a89c95df79b9ea1b3cb600862\nB = 1d8f3179ca7b5cc7119360c10de939ffa57c9043da2f2b0ca3009c9bdad9f19ed16e3c2c197bef4b527fa1bf2bbab98b77e26c329911db68bd63d3d0fbfc727a977395b9ad067106de3094d68e097830858c5ccfa505fc25e972bdee6f347e7d1163efacd3d29a791ec2a94ffeed467884ae04896efc5e7e5f43d8d76c147e3c9951a1999173bc4e5767d51268b92cc68487ba1295372143b538711e0a62bf0ac111cc750ca4dd6c318c9cbe106d7fc492261404b86a1ba728e2d25b1976dc42\nLCM = f9570211f694141bfb096560551080cbe02a80271b4505591aaea9e3b99ea1d5ac1c1f2378fd72799e117ac2a73381b1ad26314e39972164d93971479ee3ba21a4d98cef0bd299d540ce5826995dcee0de420dff73d30b23cbf3188c625c7696df517535bc5675d71faa00807efbebdca547933f4a37849d1c014484a77da6df0670c4974bcc91eb5f5fe5faf9dd095ef195ec32ad9eeebf0e63288b4032ed9e70b888afc642f4ff96f0b4c0a68787301c12e4527fe79bdfe72dd3844ab5e094a9295df6616f24d1b9eeebc2116177dacf91969dda73667bc421ef3ccd8d5c23dddc283f5d36568d31f2654926be67f78e181075bdc148f2b39c630b141ae8a\n\nGCD = 3d319c42d872f21131ce5ff3ab8bec94339308e620316dda218e85fedcd511cd62f0b2f3448d5e58fd3520ae8118abd54ead9ad9e8ec3890365c6b2cca2172d4b8839b2d2c5ab02f65180826cb0cd5c9798f5d6261efe6e6ec31dea047da7c486b0590359e6f333557f67ceebf9ea9cd5dd986a999a8c88bdbd0ca21816b2423\nA = 0\nB = 3d319c42d872f21131ce5ff3ab8bec94339308e620316dda218e85fedcd511cd62f0b2f3448d5e58fd3520ae8118abd54ead9ad9e8ec3890365c6b2cca2172d4b8839b2d2c5ab02f65180826cb0cd5c9798f5d6261efe6e6ec31dea047da7c486b0590359e6f333557f67ceebf9ea9cd5dd986a999a8c88bdbd0ca21816b2423\nLCM = 0\n\nGCD = 3d319c42d872f21131ce5ff3ab8bec94339308e620316dda218e85fedcd511cd62f0b2f3448d5e58fd3520ae8118abd54ead9ad9e8ec3890365c6b2cca2172d4b8839b2d2c5ab02f65180826cb0cd5c9798f5d6261efe6e6ec31dea047da7c486b0590359e6f333557f67ceebf9ea9cd5dd986a999a8c88bdbd0ca21816b2423\nA = 3d319c42d872f21131ce5ff3ab8bec94339308e620316dda218e85fedcd511cd62f0b2f3448d5e58fd3520ae8118abd54ead9ad9e8ec3890365c6b2cca2172d4b8839b2d2c5ab02f65180826cb0cd5c9798f5d6261efe6e6ec31dea047da7c486b0590359e6f333557f67ceebf9ea9cd5dd986a999a8c88bdbd0ca21816b2423\nB = 0\nLCM = 0\n\nGCD = 3d319c42d872f21131ce5ff3ab8bec94339308e620316dda218e85fedcd511cd62f0b2f3448d5e58fd3520ae8118abd54ead9ad9e8ec3890365c6b2cca2172d4b8839b2d2c5ab02f65180826cb0cd5c9798f5d6261efe6e6ec31dea047da7c486b0590359e6f333557f67ceebf9ea9cd5dd986a999a8c88bdbd0ca21816b2423\nA = 3d319c42d872f21131ce5ff3ab8bec94339308e620316dda218e85fedcd511cd62f0b2f3448d5e58fd3520ae8118abd54ead9ad9e8ec3890365c6b2cca2172d4b8839b2d2c5ab02f65180826cb0cd5c9798f5d6261efe6e6ec31dea047da7c486b0590359e6f333557f67ceebf9ea9cd5dd986a999a8c88bdbd0ca21816b2423\nB = 3d319c42d872f21131ce5ff3ab8bec94339308e620316dda218e85fedcd511cd62f0b2f3448d5e58fd3520ae8118abd54ead9ad9e8ec3890365c6b2cca2172d4b8839b2d2c5ab02f65180826cb0cd5c9798f5d6261efe6e6ec31dea047da7c486b0590359e6f333557f67ceebf9ea9cd5dd986a999a8c88bdbd0ca21816b2423\nLCM = 3d319c42d872f21131ce5ff3ab8bec94339308e620316dda218e85fedcd511cd62f0b2f3448d5e58fd3520ae8118abd54ead9ad9e8ec3890365c6b2cca2172d4b8839b2d2c5ab02f65180826cb0cd5c9798f5d6261efe6e6ec31dea047da7c486b0590359e6f333557f67ceebf9ea9cd5dd986a999a8c88bdbd0ca21816b2423\n\nGCD = 2\nA = 14e95a85e59ade9ef39e2f400c65db18702fa5fc485b9bba479a5282b2206129160e54f73ef4917983c17b4c5ebff7be112a886de069706eee29ba902515",
- "cb038\nB = ddcfff1d39c90c599f55495bf71c1e7597c6b08b7430707f360c6a6e5137bbc7b403c6d9e2c34f3d2f29d5d32b869346853c2de239cc35381bdfb4a01569211a\nLCM = 90f38564ee72e55d362c04599e7d74f068c75f541b84e97abba2841f1a9f66b06b5c9009f6a4c2e319fced85270588de03ccebddbd9279aaecb13bdc1dbea7f42acaee751cb7da83779b8785cc86f41b94b13b54964208ca287d981634778d1096f20e76ca636c0717fd27e0800c43f599a5eded807421b502eaf9990a8c8ed8\n\nGCD = 4\nA = 3c719c1c363cdeb7b57c2aabb71f425da4c3e6d3e447204d555e7cf0f3d372bdda906f36078045044978dafc20171767c8b1464d52dfdf3e2ba8a4906da033a8\nB = 30fe0ef151ac51404e128c064d836b191921769dc02d9b09889ed40eb68d15bfdd2edea33580a1a4d7dcee918fefd5c776cbe80ca6131aa080d3989b5e77e1b24\nLCM = 2e4526157bbd765b0486d90bcd4728f890bc6dbd9a855c67ca5cb2d6b48f8e74e1d99485999e04b193afca58dbf282610185d6c0272007744ff26e00dbdc813929b47940b137dc56ba974da07d54a1c50ec4a5c2b26e83f47cf17f4ccce8c3687e8d1e91d7c491a599f3d057c73473723ce9eee52c20fe8ae1595447552a7ee8\n\nGCD = 10\nA = 44e04071d09119ea9783a53df35de4a989200133bb20280fdca6003d3ca63fdd9350ad1a1673d444d2f7c7be639824681643ec4f77535c626bd3ee8fa100e0bb0\nB = ca927a5a3124ce89accd6ac41a8441d352a5d42feb7f62687a5ebc0e181cc2679888ecc2d38516bdc3b3443550efccac81e53044ae9341ecace2598fe5ce67780\nLCM = 36805ba9b2412a0cb3fe4ed9bdabfa55515c9d615a3d0af268c45c5f6098d2de4a583f3791f1e3883c55d51ce23c5658fd0e8faa9a3709a1cfbd6a61dbab861690f27c86664f084c86cfd4a183b24aaadf59a6f8cbec04f1b0ded8a59b188cb46ae920052e3e099a570540dbc00f7d4a571eef08aa70d2d189a1804bf04e94a80\n\nGCD = 100\nA = 73725032b214a677687c811031555b0c51c1703f10d59b97a4d732b7feaec5726cb3882193419d3f057583b2bc02b297d76bb689977936febaae92638fdfc46a00\nB = 979f4c10f4dc60ad15068cedd62ff0ab293aeaa1d6935763aed41fe3e445de2e366e8661eadf345201529310f4b805c5800b99f351fddab95d7f313e3bb429d900\nLCM = 4460439b4be72f533e9c7232f7e99c48328b457969364c951868ceab56cb2cbbeda8be2e8e3cae45c0758048468b841fdb246b2086d19b59d17b389333166ab82ed785860620d53c44f7aaaff4625ee70fb8072df10fb4d1acb142eadc02978ff2bb07cea9f434e35424b3323a7bda3a1a57aa60c75e49ebb2f59fb653aa77da00\n\nGCD = 100000000\nA = f8b4f19e09f5862d79fb2931c4d616a1b8e0dd44781ca52902c8035166c8fca52d33a56ff484c365ec1257de7fa8ed2786163cfc051d5223b4aad859a049e8ba00000000\nB = 6e54cb41b454b080e68a2c3dd0fa79f516eb80239af2be8250ca9cd377ba501aabafc09146fad4402bdc7a49f2c3eec815e25f4c0a223f58e36709eefd92410500000000\nLCM = 6b3020a880ddeff9d17d3dc234da8771962de3322cd15ba7b1e4b1dd4a6a2a802a16c49653865c6fdf6c207cbe0940f8d81ef4cb0e159385fd709d515ee99d109ad9ad680031cbae4eab2ed62944babdade4e3036426b18920022f737897c7d751dce98d626cdda761fec48ad87a377fb70f97a0a15aa3d10d865785719cc5a200000000\n",
+ "829b2cdf3e3d6028f9a884b1f64f7262315446bea8b0231828e2f3d990fb103c17f820b39e4b8427c85643ceeca8f5dc8f191d1255768300e859bd7d88c770319ef38269660d221cb3bc061389b6fc0783485ef042b1c7d6fef\nE = c6c46453dd5aac6b37277a446b1d0c69cbe476eeff55b3ac35edb89ba97116b0e7783660f2c7b31b2a2d6c4709d0ab45d01a838100694b0777c9c9c14c959b07c437c73a5eabb7402f1001e802d797a2e7707285834fb6440a1c2f727f7bb84ddb2a49312d32fa0ce620c43872655cb5c394749c9e75d7fa25be00efe50d47d6\nM = fbbab6698a9142095c46b38a732592e4366c1838b84bf40f8c8fc7b630f73380a0d09765562365798f8c8030ed1b6728329d8bb06e882c35a1d59bfe84146a9db2afe42a414014e247390281c782fce806d62adb54778d2bcb49555459429d6ed446af5359657667f6aa19e8e3e0e24ab2bc312b2d90b5cb1ce6f2f15af15d9d\n\nModExp = ba16d7f3f6e162ce248490d164a13c00e7720d8a667e2d3ebeb13f1663e15ef5408d5b56cbc7bc793a8ca787cc50f8e15e0e9d4ee764531d04a9114eea556bb3e206ed7d85267151a056b6e68fbf35e03f2cf829708ffe1de13e95ecfe365aff1eea36340ffcd3892dee659fb1ecbe50f5080e54737c10f9c1ba638b14ef537e\nA = 9025e6183706105e948b1b0edf922f9011b9e11887d70adb00b26f272b9e76a38f3099084d9cccf12d04b1a99c0f654f8b9ed90c6dff9478c60bf05d58d734ab60eaefa14a22230ec60c90dc1f0704b61eef0bef345785ae0e6a9af7db069cf6bd2b4e0fe58a0ade83c7e46a04b9fe1d24cb9b65c6f80de713e61d70eae5b286\nE = d7e6df5d755284929b986cd9b61c9c2c8843f24c711fbdbae1a468edcae159400943725570726cdc92b3ea94f9f206729516fdda83e31d815b0c7720e7598a91d992273e3bd8ac413b441d8f1dfe5aa7c3bf3ef573adc38292676217467731e6cf440a59611b8110af88d3e62f60209b513b01fbb69a097458ad02096b5e38f0\nM = e4e784aa1fa88625a43ba0185a153a929663920be7fe674a4d33c943d3b898cff051482e7050a070cede53be5e89f31515772c7aea637576f99f82708f89d9e244f6ad3a24a02cbe5c0ff7bcf2dad5491f53db7c3f2698a7c41b44f086652f17bb05fe4c5c0a92433c34086b49d7e1825b28bab6c5a9bd0bc95b53d659afa0d7\n\n# See https://github.com/openssl/openssl/commit/e9e726506cd2a3fd9c0f12daf8cc1fe934c7dddb.\n# OpenSSL's test vectors do not include the expected value, so ModExp was\n# computed with Python 3.\nModExp = ccb051a34f9e26e381e50445632cbbd4abe56bc912020f3edd2db144aedb470095c4c33e3342d1dc4bb4056ba3078366af4cee507e85bb1b2e499ef25a933810f14faa8b1a9ce5e8d58f2789e27c887a4ff87fa59ff682727a3912a99aae6db8b3b8947d76c8454cffc6fb3f2422dca106c3845b0db68a06e5e9d7b90e552506579d812e7d96bfc6324feec90ea0800463346148f120e7caf403788539f5d87ee45aa5b313c340e0a323029f3a0bdb675510aefec171c01e2a94960cd507e461214028c86ed4e9fce31e7dbdf1a75fd6f973e2aed4a039e53a60a7aa62be8ee1f80a113833ab402d07e17151021cec29fa5b2e628ef9f2d7aa4bc86b6eec8faf\nA = 95564994a96c45954227b845a1e99cb939d5a1da99ee91acc962396ae999a9ee38603790448f2f7694c242a875f0cad0aae658eba085f312d2febbbd128dd2b58f7d1149f03724215d704344d0d62c587ae3c5939cba4b9b5f3dc5e8e911ef9a5ce1a5a749a4989d0d8368f6e1f8cdf3a362a6c97fb02047ff152b480a4ad9852d45efdf0770542992afca6a0590d52930434bba96017afbc9f99e112950a8b1a359473ec376f329bdae6a19f503be6d4be7393c4e43468831234e27e3838680b949390d2e416a3f9759e5349ab4c253f6f29f819a6fe4cbfd27ada34903300eda021f62839f5878a36f1bc3085375b00fd5fa3e68d316c0fdace87a97558465\nE = f95dc0f980fbd22e90caa5a387cc4a369f3f830d50dd321c40db8c09a7e1a241a536e096622d3280c0c1ba849c1f4a79bf490f60006d081e8cf69960189f0d312cd9e17073a3fba7881b21474a13b334116cb2f5dbf3189a6de3515d0840f053c776d3982d391b6d04d642dda5cc6d1640174c09875addb70595658f89efb439dc6fbd55f903aadd307982d3f659207f265e1ec6271b274521b7a5e28e8fd7a55df089292820477802a43cf5b6b94e999e8c9944ddebb0d0e95a60f88cb7e813ba110d20e1024774107dd02949031864923b3cb8c3f7250d6d1287b0a40db6a47bd5a469518eb65aa207ddc47d8c6e5fc8e0c105be8fc1d4b57b2e27540471d5\nM = fef15d5ce4625f1bccfbba49fc8439c72bf8202af039a2259678941b60bb4a8f2987e965d58fd8cf86a856674d519763d0e1211cc9f8596971050d56d9b35db3785866cfbca17cfdbed6060be3629d894f924a89fdc1efc624f80d41a22f19009503fcc3824ef62ccb9208430c26f2d8ceb2c63488ec4c07437aa4c96c43dd8b9289ed00a712ff66ee195dc71f5e4ead02172b63c543d69baf495f5fd63ba7bcc633bd309c016e37736da92129d0b053d4ab28d21ad7d8b6fab2a8bbdc8ee647d2fbcf2cf426cf892e6f5639e0252993965dfb73ccd277407014ea784aaa280cb7b03972bc8b0baa72360bdb44b82415b86b2f260f877791cd33ba8f2d65229b\n\n# The following inputs trigger an edge case between Montgomery reduction and the\n# \"almost\" reduction variant from https://eprint.iacr.org/2011/239\n\nModExp = 00\nA = 19c7bc9b97c6083cd7b8d1cd001452c9b67983247169c6532047eb7fc8933014dbf69fee7a358769f1429802c8ea89d4f9ca6ba6f368fbdb1fa5717b4a00\nE = bbc7e09147408571050e8d0c634682c5863b7e8a573626648902cff12e590c74f5a23ecce39732266bc15b8afbd6c48a48c83fbdc33947515cc0b6e4fb98ae2cd730e58f951fec8be7e2e3c74f4506c7fd7e29bdb28675fe8a59789ab1148e931a2ebd2d36f78bc241682a3d8083d8ff538858cd240c5a693936e5a391dc9d77118062a3f868c058440a4192267faaaba91112f45eee5842060febbf9353a6d3e7f7996573209136a5506062ea23d74067f08c613f3ff74bade25f8c3368e6dba84eae672eac11be1137fc514924fcab8c82e46d092bd047dcbadaa48c67a096ec1a04f392a8511e6acbad9954949b703e71ff837337b594055ae6f3c0fc154447a687c9ac8a2cdfd64a2e680c6ff21254735af7f5eb6b43f0bce86bda55a04143a991711081435ed4f4a89b23fc3a588022b7a8543db4bf5c8ac93603367c750ff2191f59a716340fab49bb7544759c8d846465eec1438e76395f73e7b5e945f31f1b87fefa854a0d208846eaab5fa27144fd039911608bab0eaee80f1d3553dfa2d9ba95268479b97a059613660df5ad79796e0b272244aca90ccc13449ec15c206eeed7b60405a4c5cfdf5da5d136c27fa9385d810ad198dfe794ffce9955e10520efea1e2eb794e379401b9affd863b9566ce941c4726755574a1b1946acf0090bfb93f37dd55f524485bbba7fa84b53addfde01ae1de9c57fe50d4b708dd0fa45d02af398b3d05c6d17f84c11e9aacdbe0b146cad6ddbd877731e26a17f3ebed459560d12ed7a6abc2ea6fe922e69d2622ef11b6b245b9ba8f0940faaa671a4beb727be5393a94dafaeff7221b29183e7418f4c5bb95a6a586c93dbc8ce0236d9dbe26c40513611b4141fed66599adbfb20fc30e09a4815e4159f65a6708f34584a7a77b3843941cd61a6917dcc3d07a3dfb5a2cb108bacea7e782f2111b4d22ecaaeff469ecd0da371df1ac5e9bf6df6ccba2d3a9f393d597499eaca2c206bfb81c3426c5fe45bcf16e38aecd246a319a1f37041c638b75a4839517e43a6d01bee7d85eaeedbce13cd15699d3ee42c7414cfed576590e4fb6ddb6edd3e1957efaf039bfe8b9dc75869b1f93abff15cae8b234161070fa3542303c2ed35ca66083d0ac299b81182317a2a3985269602b1fa1e822fcbda48e686d80b273f06b0a702ca7f42cbbbd2fc2b3601422c8bff6302eda3c61b293049636002649b16f3c1f0be2b6599d66493a4497cd795b10a2ab8220fafad24fa90e1bfcf39ecce337e705695c7a224bf9f445a287d6aab221341659ca4be7861f6ac4c9d33dac811e6\nM = 519b6e57781d40d897ec0c1b648d195526726b295438c9a70928ac25979563d72db91c8c42298a33b572edecdf40904c68a23337aa5341b56e92b0da5041\n\n# To fully exercise BN_mod_exp_mont_consttime codepaths, we generate inputs at\n# different bitwidths. rsaz-avx2.pl only runs at 1024-bit moduli, and\n# x86_64-mont5.pl unrolls 8 64-bit words at a time, so we want to capture both\n# multiples of 512- and non-multiples. Also include moduli that are not quite a\n# full word.\n\n# 512-bit\nModExp = 00\nA = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000e\nE = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\nM = 8f42c9e9e351ba9b32ab0cf69da43f4acf7028d19cff6e5059ea0e3fcc97c97f36a31470044737d4c0c933ac441ecb29e32c81401523afdac7de9c3fd8493c97\n\n# 1024-bit\nModExp = 00\nA = 800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002f\nE = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\nM = 9da8dc26fdf4d2e49833b240ee552beb7a6e251caa91bfb5d6cafaf8ed9461877fda8f6ac299036d35806bc1ae7872e54eaac1ec6bee6d02c6621a9cf8883b3abc33c49b3e601203e0e86ef8f0562412cc689ee2670704583909ca6d7774c9f9f9f4d77d37fedef9cb51d207cb629ec02fa03b526fd6594bfa8f2da71238a0b7\n\n# 1025-bit\nModExp = 00\nA = 010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000011\nE = fffffffffffffffffffffffffffffffffffffffffffffff",
+ "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\nM = 010223abfdda02e84e11cec8ee7fc784fa135733935f7b9054bb70f1f06d234d76dcf3beed55c7f39e955dc1fef2b65009240fd02f7a1b27a78fc2867144bf666efb929856db9f671c356c4c67a068a70fe83c52eebda03668872fd270d0794f0771d217fb6b93b12529a944f7f0496a9158757c55b8ee14f803f1d2d887e2f561\n\n# 1088-bit\nModExp = 00\nA = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003d\nE = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\nM = e91f6d748773cb212a23aa348125615123b1800c9ea222c9374c757702ae4140fa333790ed8f6bf60a1d7dda65c2767cc5f33e32e333d19fbfb5a2b85795757c9ca070268763a618e9d33873d28a89bf88acd209efbb15b80cd33b92a6b3a682e1c91782fc24fb86ddff4f809219c977b54b99359094bbcc51dfe17b992ab24b74a17950ad754281\n\n# 1472-bit\nModExp = 00\nA = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001d\nE = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\nM = a8770362f4bfe4fc1ab0e52705c11a9b6ba235d5a5f22197c2d68e27ed18426ede3316af706aa79bcf943dbd51459eb15ae1f9386216b3f3a847f94440a65b97659bc5ba2adb67173714ecaa886c0b926d7a64ea45576f9d2171784ce7e801724d5b0abfd93357d538ea7ad3ad89a74f4660bdb66dfb5f684dcf00402e3cdf0ab58afd867c943c8f47b80268a789456aa7c50a619dd2f9f5e3f74b5d810f0f8dadbf4ad5b917cdcb156c4c132611c8b3b035118a9e03551f\n\n# 1536-bit\nModExp = 00\nA = 800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002\nE = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\nM = 878cd000778f927b2f1a4b8bac86efd282079a7ac0d25e09ffd2f72fbc282e65e233929d2457c7b1d63c56fb706cdfa04fb87e654c578c98d7cf59c2293dc5641086b68db4867105981daaf147a0ee91f6932ef064deae4142c19e58d50c0686f0eaf778be72450f89a98b4680bbc5ffab942195e44dd20616150fd1deca058068ca31ab2f861e99082588f17a2025bf5e536150142fca3187a259c791fc721430f24d7e338f8dc02e693a7e694d42775e80f7f7c03600b6ae86b4aba2b0e991\n\n# 2048-bit\nModExp = 00\nA = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f\nE = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\nM = 9f40a7535c561208ecb38e17c9336d9bc8484d335901b2cd42759cf03689227f6992f10cb6b586d767fbcdf30e9d82a0eda60d2694ccd0194fa96b50b56e0cdeec1951ea9e58b07e334a7f108841a0ab28256917fecea561388807ed124a17386a7a7b501f9cbf3404247a76948d0561e48137d3f9669e36f175731796aeaf78851f7d866917f661422186a4814aa35c066b5a90b9cfc918af769a9f0bb30c12581027df64ac328a0f07dbd20adb704479f6d0f233a131828c71bab19c3c34795ea4fb68aa632c6f688e5b3b84413c9031d8dc251003a590dec0dd09bfa6109ed4570701439b6f265b84ac2170c317357b5fbe5535e2bbdd93c1aacfdaa28c85\n\n# 3072-bit\nModExp = 00\nA = 80000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001d\nE = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\nM = c23dfd244a58a668d514498a705c8f8f548311b24f0f98b023d2d33632534c2ae948d6641d41fd7a29fbbd594bfc7fdd6e8162cbb3056af3075347b6fc8876458d33a9d0ffdbcdf482de0c73d1310fd8fa8f9f92dd0dbb0e2034e98a30f6c11b482f7476c5b593f673a322b1130daa4314e9074270dce1076436f0d56cf196afcbb235a9a7b3ac85b9062e85fc0e63a12c468c787019f6805f9faab64fc6a0babc80785d88740243f11366bffb40ccbe8b2bb7a99a2c8238a6f656bb0117d7b2602aa400f4d77de5f93c673f13264ca70de949454e3e3f261993c1aa427e8ef4f507af744f71f3b4aaf3c981d44cc1bfb1eb1151168762b242b740573df698e500d99612e17dc760f7b3bf7c235e39e81ad7edbe6c07dbb8b139745bb394d61cb799bcafec5de074932b0b2d74797e779ac8d81f63a2b2e9baa229dfaa7f90f34ffade1d2ad022a3407d35eb2d7477c6ae8ad100f6e95c05b4f947c1fabfb11a17add384e6b4cd3a02fd9b43f46805c6c74e366b74aa3b766be7a5fbbd67fa81\n\n# 4096-bit\nModExp = 00\nA = 800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
+ "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001\nE = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\nM = 8030411ecbddcb0fe4e76fd6b5bf542e8b015d1610cf96130ded12ba2cda0641bd9692080f218ea8b0d751845b519d95b843542ec8d2a07f1f93afe3189b69a4f35c983011c7f7928c3df458cc3eae85c36e6934a4b1bc0a67c8a521de336642c49e10a7ffa8d0af911aacc19e3900449161940f139220e099a150dcaf0ff96ffff6e726c1ac139969103cf6a828ac3adf0301506aa02787b4f570d5dde53a34acab8fec6fa94760abf16ee99954371ad65a6e899daab87b95811d069404991de9abe064ebbddf886e970f10d260c899dda940191a82d4c8bd36651363aff5493f4f59e700007dcadf37ebea7fcfd7600d16617ffea0d9ae659446d851d93c564e50e558f734c894d735fa273770703dab62844d9f01badf632f3d14a00f739c022c9be95f54e9cea46ec6da7cb11f4602e06962951c48204726b7f120ddbd0eb3566dc8d1e6f195a9196e96db33322d088b43aecffe9b4df182dd016aca0bd14f1c56cd1a18b89165c027029862b09ffd78e92ab614349c4fd67f49cb12cd33d0728930d0538bda57acef1365a73cc8fbac7d463b9e3c3bae0bb6224b080cdb8b5cd47d546d53111fdc22b7ff679bcfe27192920ee163b2be337d8cccc93b4de7d2d31934b9c0e97af291dcc1135b4a473bd37114eec3ba75c411887b57799d3188e7353f33a4d31735ebfc9fcfc044985148dd96da3876a5ab7ea7a404b411\n\n\n# RSAZ 512-bit.\n#\n# These are regression tests for code which historically reached the RSAZ-512\n# code. That has since been removed, but the test vectors remain. Note that the\n# lengths of the inputs, especially the *bit* length of |M|, matter a lot.\n\n# Control: No relationship between A and M except that A < M and they're the same number of limbs.\nModExp = 7f34c1cd63377bc3abf2bb5b2d1bf5f06454e1e8040fe19a72245ce9731cbee1bf9e84532300776c8021ed4f3a8de508d85b4cf320bd82065a013754857b50c4\nA = 8e4e67da6ff890643d0599387955996ef6f0c2045eb9944576ddb965ca64cdb6247727ce128ef178d4a84e5a56d2e67eb0fe389ecbf691f9244ae80f4c11b364\nE = be99d8f0650e540b9b191e9cf96f74881b902e32ed169ffd8a1776c3f3e80f0ac765aa14615713e1549f250a20fe4ee48c4e0c6176162fc7842a0dd64d640d1\nM = f12f2c19ee1ecf2c999b87bdafde60eace3790faad8f9adec13b14c6dfb69f8795a1d0fe65494250b59534014b918453042012952ae6f5786342999600725491\n\n# Same as above except A is negative.\nModExp = 71fa6a4c8ae75368eda8cc6282c26afa69e2af12a97fb9444f16b7dd6c99e0a5d6034cab4248cae4357346b211039f4a2bc4c5a20a297372094162417af703cd\nA = -8e4e67da6ff890643d0599387955996ef6f0c2045eb9944576ddb965ca64cdb6247727ce128ef178d4a84e5a56d2e67eb0fe389ecbf691f9244ae80f4c11b364\nE = be99d8f0650e540b9b191e9cf96f74881b902e32ed169ffd8a1776c3f3e80f0ac765aa14615713e1549f250a20fe4ee48c4e0c6176162fc7842a0dd64d640d1\nM = f12f2c19ee1ecf2c999b87bdafde60eace3790faad8f9adec13b14c6dfb69f8795a1d0fe65494250b59534014b918453042012952ae6f5786342999600725491\n\n# A == M - 1 == -1 (mod M) and the exponent is odd so A ^ E (mod M) == A.\nModExp = f12f2c19ee1ecf2c999b87bdafde60eace3790faad8f9adec13b14c6dfb69f8795a1d0fe65494250b59534014b918453042012952ae6f5786342999600725490\nA = f12f2c19ee1ecf2c999b87bdafde60eace3790faad8f9adec13b14c6dfb69f8795a1d0fe65494250b59534014b918453042012952ae6f5786342999600725490\nE = be99d8f0650e540b9b191e9cf96f74881b902e32ed169ffd8a1776c3f3e80f0ac765aa14615713e1549f250a20fe4ee48c4e0c6176162fc7842a0dd64d640d1\nM = f12f2c19ee1ecf2c999b87bdafde60eace3790faad8f9adec13b14c6dfb69f8795a1d0fe65494250b59534014b918453042012952ae6f5786342999600725491\n\n# Same inputs as above except A is negative. Note that A mod M with a \"correct top\" isn't the right length for RSAZ.\nModExp = 1\nA = -f12f2c19ee1ecf2c999b87bdafde60eace3790faad8f9adec13b14c6dfb69f8795a1d0fe65494250b59534014b918453042012952ae6f5786342999600725490\nE = be99d8f0650e540b9b191e9cf96f74881b902e32ed169ffd8a1776c3f3e80f0ac765aa14615713e1549f250a20fe4ee48c4e0c6176162fc7842a0dd64d640d1\nM = f12f2c19ee1ecf2c999b87bdafde60eace3790faad8f9adec13b14c6dfb69f8795a1d0fe65494250b59534014b918453042012952ae6f5786342999600725491\n\n# A == M, so A == 0 (mod M) so A ^ E (mod M) == 0. Note that A mod M with a \"correct top\" isn't the right length for RSAZ.\nModExp = 0\nA = f12f2c19ee1ecf2c999b87bdafde60eace3790faad8f9adec13b14c6dfb69f8795a1d0fe65494250b59534014b918453042012952ae6f5786342999600725491\nE = be99d8f0650e540b9b191e9cf96f74881b902e32ed169ffd8a1776c3f3e80f0ac765aa14615713e1549f250a20fe4ee48c4e0c6176162fc7842a0dd64d640d1\nM = f12f2c19ee1ecf2c999b87bdafde60eace3790faad8f9adec13b14c6dfb69f8795a1d0fe65494250b59534014b918453042012952ae6f5786342999600725491\n\n# A is negative, and A (mod M) is the right length for RSAZ.\nModExp = 8d76eb0f8c7bc3160cc8bb0e0c3590fbed26c5932f5f525b48045c0bd46dda287ba5483f97c851fb7c12c2e858ee7a4a4d1af745cbfb3eb311fa54bea12cde25\nA = -80000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\nE = be99d8f0650e540b9b191e9cf96f74881b902e32ed169ffd8a1776c3f3e80f0ac765aa14615713e1549f250a20fe4ee48c4e0c6176162fc7842a0dd64d640d1\nM = f12f2c19ee1ecf2c999b87bdafde60eace3790faad8f9adec13b14c6dfb69f8795a1d0fe65494250b59534014b918453042012952ae6f5786342999600725491\n\n\n# RSAZ 1024-bit.\n# Note that the lengths of the inputs, especially the *bit* length of |M|, matter a lot.\n\n# Control: No relationship between A and M except that A < M and they're the same number of limbs.\nModExp = 8984f8c16044f9c0ad7bd72347af90f58e6e003acda92b76e3c7c4a56ea8e918409d8e9b34884d4c89d0b17cb40fe898f2627c084a0f1698e46beccbf6f48eecc281e11ea9e5135adba460ddae157f2c655b5f589ce29b254d43a960a71cede8a08dbb86be4dac22458da232fb1ec2470856827302ed772c9ddafa408c931aa7\nA = 21158da5fe20356825e72b3f5384ec57720d22f727b27ce2f945c8ee311db781add73bf8fae96b775c909bd22fca75c44c2b0584284a5bb1c07f8eefcd6b0a44047a02b185df34f897f11d4fb9a86c9eb841b4cb8d0383441fdc5af3ef385b5e8380f605d73ed41bb42eb2c2a5704d6034b3ad058dafffce83dbbfb6295daaf8\nE = ecdebd112b3b5788669449dcddbd479a203ee9ab72a9bb9c406b97623513bf0ab9a22f1f23634d269e16bfd6d3b64202b71fc355057411967b6ac70f8d9cef0a4e06819a9a18cc06bbe438243fa9759303d98be8a65dc1cb13595ee9b99f138554425d50f6fbc025d8ffa3eaea828d6f3b82a3584146bafde34da257995f0575\nM = ff3a3e023db3bba929ca4ededbace13d0d1264387b5ef62734e177eaf47a78af56b58aacc8ac5d46f5b066bafb95d93d4442bb948653613eec76837b4ffb7991cb080b6c8b403fb09bc817d026e283ee47ab2fc9af274b12f626eda2fe02004a8e27b9ed7d3b614e8955c7e7c2c0700edd079455237c4475fbd41857e206e4b7\n\n# Same as above except A is negative.\nModExp = 75b54540dd6ec1e87c4e77bb93fd50477ea463fdadb5cab05119b34585d18f971617fc1194240ffa6bdfb53e4785f0a451e03f8c3c444aa6080a96af5906eaa508862a4de15b2c55c023b6f278cd04c1e24fd0711244afeda8e3444256e51261ed99fe66beedb52c43c825b4c7a1adc7d4b111e2208ecd495df91e175573ca10\nA = -21158da5fe20356825e72b3f5384ec57720d22f727b27ce2f945c8ee311db781add73bf8fae96b775c909bd22fca75c44c2b0584284a5bb1c07f8eefcd6b0a44047a02b185df34f897f11d4fb9a86c9eb841b4cb8d0383441fdc5af3ef385b5e8380f605d73ed41bb42eb2c2a5704d6034b3ad058dafffce83dbbfb6295daaf8\nE = ecdebd112b3b5788669449dcddbd479a203ee9ab72a9bb9c406b97623513bf0ab9a22f1f23634d269e16bfd6d3b64202b71fc355057411967b6",
+ "ac70f8d9cef0a4e06819a9a18cc06bbe438243fa9759303d98be8a65dc1cb13595ee9b99f138554425d50f6fbc025d8ffa3eaea828d6f3b82a3584146bafde34da257995f0575\nM = ff3a3e023db3bba929ca4ededbace13d0d1264387b5ef62734e177eaf47a78af56b58aacc8ac5d46f5b066bafb95d93d4442bb948653613eec76837b4ffb7991cb080b6c8b403fb09bc817d026e283ee47ab2fc9af274b12f626eda2fe02004a8e27b9ed7d3b614e8955c7e7c2c0700edd079455237c4475fbd41857e206e4b7\n\n# A == M - 1 == -1 (mod M) and the exponent is odd so A ^ E (mod M) == A.\nModExp = b5d257b2c50b050d42f0852eff5cfa2571157c500cd0bd9aa0b2ccdd89c531c9609d520eb81d928fb52b06da25dc713561aa0bd365ee56db9e62ac6787a85936990f44438363560f7af9e0c16f378e5b83f658252390d849401817624da97ec613a1b855fd901847352f434a777e4e32af0cb4033c7547fb6437d067fcd3d964\nA = b5d257b2c50b050d42f0852eff5cfa2571157c500cd0bd9aa0b2ccdd89c531c9609d520eb81d928fb52b06da25dc713561aa0bd365ee56db9e62ac6787a85936990f44438363560f7af9e0c16f378e5b83f658252390d849401817624da97ec613a1b855fd901847352f434a777e4e32af0cb4033c7547fb6437d067fcd3d964\nE = 61803d4973ae68cfb2ba6770dbed70d36760fa42c01a16d1482eacf0d01adf7a917bc86ece58a73b920295c1291b90f49167ef856ecad149330e1fd49ec71392fb62d47270b53e6d4f3c8f044b80a5736753364896932abc6d872c4c5e135d1edb200597a93ceb262ff6c99079177cd10808b9ed20c8cd7352d80ac7f6963103\nM = b5d257b2c50b050d42f0852eff5cfa2571157c500cd0bd9aa0b2ccdd89c531c9609d520eb81d928fb52b06da25dc713561aa0bd365ee56db9e62ac6787a85936990f44438363560f7af9e0c16f378e5b83f658252390d849401817624da97ec613a1b855fd901847352f434a777e4e32af0cb4033c7547fb6437d067fcd3d965\n\n# Same inputs as above except A is negative. Note that A mod M with a \"correct top\" isn't the right length for RSAZ.\nModExp = 1\nA = -b5d257b2c50b050d42f0852eff5cfa2571157c500cd0bd9aa0b2ccdd89c531c9609d520eb81d928fb52b06da25dc713561aa0bd365ee56db9e62ac6787a85936990f44438363560f7af9e0c16f378e5b83f658252390d849401817624da97ec613a1b855fd901847352f434a777e4e32af0cb4033c7547fb6437d067fcd3d964\nE = 61803d4973ae68cfb2ba6770dbed70d36760fa42c01a16d1482eacf0d01adf7a917bc86ece58a73b920295c1291b90f49167ef856ecad149330e1fd49ec71392fb62d47270b53e6d4f3c8f044b80a5736753364896932abc6d872c4c5e135d1edb200597a93ceb262ff6c99079177cd10808b9ed20c8cd7352d80ac7f6963103\nM = b5d257b2c50b050d42f0852eff5cfa2571157c500cd0bd9aa0b2ccdd89c531c9609d520eb81d928fb52b06da25dc713561aa0bd365ee56db9e62ac6787a85936990f44438363560f7af9e0c16f378e5b83f658252390d849401817624da97ec613a1b855fd901847352f434a777e4e32af0cb4033c7547fb6437d067fcd3d965\n\n# A == M, so A == 0 (mod M) so A ^ E (mod M) == 0. Note that A mod M with a \"correct top\" isn't the right length for RSAZ.\nModExp = 0\nA = b5d257b2c50b050d42f0852eff5cfa2571157c500cd0bd9aa0b2ccdd89c531c9609d520eb81d928fb52b06da25dc713561aa0bd365ee56db9e62ac6787a85936990f44438363560f7af9e0c16f378e5b83f658252390d849401817624da97ec613a1b855fd901847352f434a777e4e32af0cb4033c7547fb6437d067fcd3d965\nE = 61803d4973ae68cfb2ba6770dbed70d36760fa42c01a16d1482eacf0d01adf7a917bc86ece58a73b920295c1291b90f49167ef856ecad149330e1fd49ec71392fb62d47270b53e6d4f3c8f044b80a5736753364896932abc6d872c4c5e135d1edb200597a93ceb262ff6c99079177cd10808b9ed20c8cd7352d80ac7f6963103\nM = b5d257b2c50b050d42f0852eff5cfa2571157c500cd0bd9aa0b2ccdd89c531c9609d520eb81d928fb52b06da25dc713561aa0bd365ee56db9e62ac6787a85936990f44438363560f7af9e0c16f378e5b83f658252390d849401817624da97ec613a1b855fd901847352f434a777e4e32af0cb4033c7547fb6437d067fcd3d965\n\n# A is negative, and A (mod M) is the right length for RSAZ.\nModExp = 9cf810b9e89d5cbc4b79ae64e123ea06d92965e2bab077df97a1b906dc2e1ddcf96a9c4ed14e2cd96309b829ea9cc2a74a7d4b43c5f34d792a7c583201427754b8f78b783608070a84b61f18913e3ced7f7f530972de7764667c54e29d756eea38a93cd1703c676a4587231b0ebfeadddf908e2877a7a84b5bfc370ecf0d158d\nA = -8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\nE = 61803d4973ae68cfb2ba6770dbed70d36760fa42c01a16d1482eacf0d01adf7a917bc86ece58a73b920295c1291b90f49167ef856ecad149330e1fd49ec71392fb62d47270b53e6d4f3c8f044b80a5736753364896932abc6d872c4c5e135d1edb200597a93ceb262ff6c99079177cd10808b9ed20c8cd7352d80ac7f6963103\nM = b5d257b2c50b050d42f0852eff5cfa2571157c500cd0bd9aa0b2ccdd89c531c9609d520eb81d928fb52b06da25dc713561aa0bd365ee56db9e62ac6787a85936990f44438363560f7af9e0c16f378e5b83f658252390d849401817624da97ec613a1b855fd901847352f434a777e4e32af0cb4033c7547fb6437d067fcd3d965\n\n# Regression test for CVE-2017-3738.\nModExp = d360792bd8210786607817c3dda64cc38c8d0f25569597cb1f363c7919a0c3587baff01a2283edaeb04fc288ac0ab3f279b2a89ffcb452d8bdf72422a9f9780f4aa702dc964cf033149d3a339883062cab8564aebdbfac0bf68985e522c6fe545b346044690c525ca85d3f4eb3e3c25cdf541545afc84a309e9b1d7807003461\nA = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff2020202020df\nE = 2020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020FF2020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020\nM = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff2020202020ff\n\n# Test vectors for CVE-2019-1551. (We do not carry the assembly file with the\n# bug, but we use the test vectors anyway.)\n\n# Original test vectors by OSS-Fuzz.\nModExp = 9d675d188a07e9bd1b32638cc8cfd5002ef89bd1a9648f806567b87939140a67977dc8da17323b8e4c6bc53875cda8b656df8f54cc32e44fd9c21d122ea3c0d6\nA = dea9b3e0b44ae67b2ac9b7c2b18eeb4dab206b014981a46ac409f195eeb6896f132cf8497c87d1188008ee511054ebb426203355b7d515dce9501cb759ac1373\nE = b01ae745b101e9e45ec05dcff72e7f8fc04c79ffe324301fda0b4f7be81d85c4e875c73fc6c5cb40000000000000000000000000000000000\nM = ffffffff01ffffffffffffffffffffffffffe2000000000000000000000000000010fab8d960706cd4c21818115650cad61d4f10da325dffffffff00ffff00ff\n\nModExp = 651f811b62ee8770e3598c340864dd6b0be9bb6376b6f933ab216fd55538e6ad1000cb2b3c64f54d554e004b6eec8138e6ecff00452d443a42041b72e6cd9ead\nA = 3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e\nE = 3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e09003e3e3e3e3e3e3e3e3e3e3e3e3e3e010900230a01230a2100ffffff0000adf300a58700000000ffffff00\nM = ffffff0b00000000000000000000000000ffffffff0000ffffffff00000a0000000a00000000000000000000ffffffff000000000000ffffffffffff000000ff\n\n# Test vectors for rsaz_512_sqr bug, with rcx/rbx=1\n\n# between first and second iteration\nModExp = 1\nA = 624e6a171024e6a171024e6a171024e6a171024e6a171024e6a171024e6a171024e6a171024e6a171024e6a171024e6a14ce297f2873536f959d8c3390d973b6\nE = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006e\nM = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006f\n\n# between second and third iteration\nModExp = 1\nA = 11024e6a171024e6a171024e6a171024e6a171024e6a171024e6a171024e6a171024e6a171024e6a14ce297f2873536f959d8c3390d97360800000000000000f\nE = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006e\nM = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006f\n\n# between third and fourth iteration\nModExp = 1\nA = 4171024e6a171024e6a171024e6a171024e6a171024e6a171024e6a171024e6a14ce297f2873536f959d8c3390d9736080000000000000000000000000000039\nE = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006e\nM = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006f\n\n# between fourth",
+ " and fifth iteration\nModExp = 1\nA = 6a171024e6a171024e6a171024e6a171024e6a171024e6a14ce297f2873536f959d8c3390d97360800000000000000000000000000000000000000000000006\nE = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006e\nM = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006f\n\n# between fifth and sixth iteration\nModExp = 1\nA = 44e6a171024e6a171024e6a171024e6a14ce297f2873536f959d8c3390d97360800000000000000000000000000000000000000000000000000000000000003c\nE = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006e\nM = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006f\n\n# between sixth and seventh iteration\nModExp = 1\nA = 1024e6a171024e6a14ce297f2873536f959d8c3390d973608000000000000000000000000000000000000000000000000000000000000000000000000000000e\nE = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006e\nM = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006f\n\n# between seventh and eighth iteration\nModExp = 1\nA = 626eee5e3c8653be47ed15e84b97cc7f800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000187\nE = c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002f8\nM = c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002f9\n\n# Test vectors for rsaz_512_srq bug, with rcx/rbx=2\n\n# between first and second iteration\nModExp = 1\nA = 3c40939a85c40939a85c40939a85c40939a85c40939a85c40939a85c40939a85c40939a85c40939a85c40939a85c4093995e8efdb195e8efd8caf477ed8caf7c\nE = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006e\nM = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006f\n\n# between second and third iteration\nModExp = 1\nA = 485c40939a85c40939a85c40939a85c40939a85c40939a85c40939a85c40939a85c40939a85c4093995e8efdb195e8efd8caf477ed8caf47800000000000003f\nE = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006e\nM = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006f\n\n# between third and forth iteration\nModExp = 1\nA = 59a85c40939a85c40939a85c40939a85c40939a85c40939a85c40939a85c4093995e8efdb195e8efd8caf477ed8caf478000000000000000000000000000004e\nE = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006e\nM = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006f\n\n# between forth and fifth iteration\nModExp = 1\nA = 2939a85c40939a85c40939a85c40939a85c40939a85c4093995e8efdb195e8efd8caf477ed8caf47800000000000000000000000000000000000000000000024\nE = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006e\nM = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006f\n\n# between fifth and sixth iteration\nModExp = 1\nA = 640939a85c40939a85c40939a85c4093995e8efdb195e8efd8caf477ed8caf478000000000000000000000000000000000000000000000000000000000000057\nE = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006e\nM = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006f\n\n# between sixth and seventh iteration\nModExp = 1\nA = 25c40939a85c4093995e8efdb195e8efd8caf477ed8caf4780000000000000000000000000000000000000000000000000000000000000000000000000000021\nE = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006e\nM = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006f\n\n# between seventh and eighth iteration\nModExp = 1\nA = 7b4919849931b28a14fcace213f2b3884fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff84b6e67b66ce4d9c\nE = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000004c\nM = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000004d\n\n\n# Exp tests.\n#\n# These test vectors satisfy A ^ E = Exp.\n\nExp = aa6d7ac431\nA = d0e07\nE = 2\n\nExp = 12d416b110dbb4e467ff0c89a22122f4da8240\nA = 1a18cf6\nE = 6\n\nExp = 49a3b33e23d84f1ce0d5d83f5dcb651d50cf3920f0143da2310d0512a90a06cd8f38977df8a756c30883de38df092000\nA = 2a3acbd2\nE = d\n\nExp = 5b4a0d5a956f885f275712b194459980f24708bfb6393d71bd37dce852ce455724f5ee5030775fb86b4295edc98afaafc097e4d82a97c0078ec0eac763db16549c5145c4cf2d3124f88cf9a5c71da0625afb99b26801786fe49a778415dc025954021753d08691947a208b613f0be5c1\nA = 54b3ae461\nE = 1a\n\nExp = a0ea5f6a4de49beb8fb7f0dab280d6a32c5a3814c9a5153a7944cec0a9028497846a8a89044348721a0bb5f0c3ded3e980574ea321b0cdb0ead4f4e93841ea7478a7f15d9729b646a8165813a0750e8124f5465dda9b105e1bbeff18fd09c09a2e26610d9176d253b877c3a8908a6be521cbe1e472a7a1b7820e4e890f8f28aacd34609c686e76e15b01bd9324a71290812724ea564d11c874a6765b262c3e57d479da0287a76026a1e8fe53da0b02405da1d379eaa30fc65f\nA = fccec0f6df\nE = 25\n\n\n# ModSqrt tests.\n#\n# These test vectors satisfy ModSqrt * ModSqrt = A (mod P) with P a prime.\n# ModSqrt is in [0, (P-1)/2].\n\nModSqrt = 1\nA = 1\nP = 2\n\nModSqrt = 1\nA = 1\nP = 2\n\nModSqrt = 1\nA = 1\nP = 2\n\nModSqrt = 1\nA = -1\nP = 2\n\nModSqrt = 1\nA = -1\nP = 2\n\nModSqrt = 0\nA = 0\nP = 3\n\nModSqrt = 0\nA = -3\nP = 3\n\nModSqrt = 0\nA = -3\nP = 3\n\nModSqrt = 0\nA = 0\nP = 3\n\nModSqrt = 0\nA = 0\nP = 3\n\nModSqrt = 0\nA = 0\nP = 5\n\nModSqrt = 1\nA = -4\nP = 5\n\nModSqrt = 0\nA = -5\nP = 5\n\nModSqrt = 2\nA = 4\nP = 5\n\nModSqrt = 0\nA = -5\nP = 5\n\nModSqrt = 3\nA = -5\nP = 7\n\nModSqrt = 0\nA = 0\nP = 7\n\nModSqrt = 0\nA = 0\nP = 7\n\nModSqrt = 2\nA = 4\nP = 7\n\nModSqrt = 3\nA = -5\nP = 7\n\nModSqrt = 4\nA = 10\nP = b\n\nModSqrt = 0\nA = 0\nP = b\n\nModSqrt = 3\nA = -2\nP = b\n\nModSqrt = 3\nA = -2\nP = b\n\nModSqrt = 2\nA = 4\nP = b\n\nModSqrt = 2\nA = 1e\nP = d\n\nModSqrt = 2\nA = 1e\nP = d\n\nModSqrt = 0\nA = -d\nP = d\n\nModSqrt = 0\nA = -d\nP = d\n\nModSqrt = 3\nA = 9\nP = d\n\nModSqrt = 8\nA = d\nP = 11\n\nModSqrt = 6\nA = df\nP = 11\n\nModSqrt = 4\nA = 10\nP = 11\n\nModSqrt = 5\nA = 90\nP = 11\n\nModSqrt = 3\nA = 80\nP = 11\n\nModSqrt = 9\nA = -e\nP = 13\n\nModSqrt = 7\nA = 7d\nP = 13\n\nModSqrt = 6\nA = 37\nP = 13\n\nModSqrt = 1\nA = 1\nP = 13\n\nModSqrt = 8\nA = 1a\nP = 13\n\nModSqrt = 54d4cf0fafe265056a29016778cea6b712bc66a132fb5e6b6865e9b49e4c97ec\nA = 599c10484b22d0b5a115268c7538ca99b3253a311a4ab1ca11c3665b0bec393a1167d1ad94fb84cb2c7ad7e2c933e8f613bdd08fe1f1aa4a9b0b9de0c8a7c9d4\nP = cfc4ccae35458ab5be1a1bc0664188253301f8702af4f8fb19fed12de0c653b1\n\nModSqrt = 38a7365a15365e911286c1be2a7afe76ef390234d76269e04dee17313f6ea54d\nA = 1c4aabb4d8369710131c664ecf2849e963c1bc31d66e0b939bacf99a870c71f24ed71bdddcf566f3908271fee43fc1ebb51eac7e3153efae641b49d2e796a12a\nP = cfc4ccae35458ab5be1a1bc0664188253301f8702af4f8fb19fed12de0c653b1\n\nModSqrt = 35ab18a560dece04725667f640ca61d1d59f14d191f94c79f58531acd097d444\nA = 685168ae855d60eba220d803f5296459b30a289580668db9ed51bca51cc2d453a937e13819ae34f7a9a143ac96d17420c53919167e46279b562b550be1cd9abc\nP = cfc4ccae35458ab5be1a1bc0664188253301f8702af4f8fb19fed12de0c653b1\n\nModSqrt = 288370029e87024175e5bec0eab0929179f42e16995e7f6194eefc61061e54f4\nA = 2a14ab77c045bdc48220ba9c463e1a4b4049cb01edb53be0937767eb2ec19b7d719855052281250a36a0b76d9a5d967d0756e1ded7a052f7056191ad66bcfc9\nP = cfc4ccae35458ab5be1a1bc0664188253301f8702af4f8fb19fed12de0c653b1\n\nModSqrt = 32255cf01dc9",
+ "43577ec2bcb221b98491d7a1130d046d6c68e95fedff643ce3a4\nA = e26f6dd46a513a1dd3fb14b71be1d4c9e9d79eda1cde10ea4d1eb8abfd4d5857572205e247184dd0cbefa37b5c0bf680ba2bd28c5741f725cfe2aae37419baf\nP = cfc4ccae35458ab5be1a1bc0664188253301f8702af4f8fb19fed12de0c653b1\n\nModSqrt = 5172345e801ada63fbc4782e32583cc3b4fea88b9e6dfd542f3542f8538ade66\nA = 40dafa8342b302bb04b1f3ddb3b9015a8fc1b597857c115b40631c7be9e22de89358fca23b331596ee5ff304dad7811e6d8e8822f7aa533c9e7c882634ea550\nP = a6813d316f9aca30f98b4f864b8b4b8f51493af930bd4d3a1b205a710e99add3\n\nModSqrt = 4dcf63c423bf0e39aca2293d57f6792d023db649d6719fe936446904b9f7e60d\nA = 5bcdb514bbe84261e169203e8017909b60c9bb330400c766ee01b0189378e70e61867a164a12643ddc9e94b61e09e5b158cbe85be228a3cc48f95a552958b8f2\nP = a6813d316f9aca30f98b4f864b8b4b8f51493af930bd4d3a1b205a710e99add3\n\nModSqrt = cf77c5c2d12a500b75cbfb1f3e66ee75d886b9365cf4f8b4d1bd18a6be0f387\nA = 4652ddc2ea7b460d8ec3c9059b8f9b5dae6cac55b51f2ad86fcb336b25235737965cc515e2ff0b54835015b7ebeeda6fadd986471d8cb424d309fc353d1e269\nP = a6813d316f9aca30f98b4f864b8b4b8f51493af930bd4d3a1b205a710e99add3\n\nModSqrt = 1e0549e4c5a26023e9d24fd8c67419960746f82b1ecd113bdac66f570a475d87\nA = 5f4a6d450ab1390d96ab1deaa0ba18f897cb63daf0c9e1ef6c08e804c26b5e842f6c08f13db5d4a6e88f07af2a3cb04fa06fc3e59c410b9356f025ed81acc74\nP = a6813d316f9aca30f98b4f864b8b4b8f51493af930bd4d3a1b205a710e99add3\n\nModSqrt = 144481a781d831c1ca046ca9e322d79ad4d2c6dd9f780bea9d1ced9cd20b7b23\nA = 4c254fabca441017132b9eacd4ca40a336db3e5c09715773fa07af095989a91cc968ff07a9ff56ed06b0ce0c5269f7b2ab68564ecab9f4467a7e96b6cc6b21b7\nP = a6813d316f9aca30f98b4f864b8b4b8f51493af930bd4d3a1b205a710e99add3\n\nModSqrt = 216fecc7667f488a3d2d102a38b46b4860ab858300b8638af4f34e1103fd73ba\nA = 17878f8048227573a9d70f53c0e76ff13fe9f56e9c984c92514d3d13dec23c816661f0618d21371b80dfd885cb59551bdf80046f65f22ea9b89c78645a6e455a\nP = bd37c850cf7d702bac879f3c21a51a5a4df2b8eb0935861e0753a6eb62261a95\n\nModSqrt = 458e5e789ccd2417174f7e30bb31914b9656bd8cf2b9f5a9752a8737a67707bc\nA = 5c7d39a4bb04e69201aa519f80ee7e62ea14ca55e13656d1da3f45367e2fb2d061aa2940708d02ac67d35cd2ccf54a1bf95bcbc759779e692cfdcbb3aa1a05b\nP = bd37c850cf7d702bac879f3c21a51a5a4df2b8eb0935861e0753a6eb62261a95\n\nModSqrt = 543125a16c2bb8b8f8a2c39c497e5224ec77533602d7dbe24002e32dcbd2ef1a\nA = 3413afae333b2ad9ff45c7f3c7e5934b3127e8b1a55225958ee6ccf42423e81559bf070ad3f3353b78c0ffd41475af49f59d268ef78bdae879f5155e8d1cc07\nP = bd37c850cf7d702bac879f3c21a51a5a4df2b8eb0935861e0753a6eb62261a95\n\nModSqrt = 10e16859c67bdb2eaab52a7c847dbf37162eda258a9f6262ebacfe4cbbbc1080\nA = 21ce7905894faf220bdf4a82a2d855994ca2dc9feaecaa53c7f146e1f49934215695e9bb46ba370b7005a90c399674caa8969eb442e7914d90f749774d7fd194\nP = bd37c850cf7d702bac879f3c21a51a5a4df2b8eb0935861e0753a6eb62261a95\n\nModSqrt = 32a00586adc6f6cc2b1a04e1be0ab569fde235e1436c38b6af92bc5ebd60bc1c\nA = 350da4fd8cf03c12f7dd6ac6d3ab801a3413964083e374662aaf878d6838b97d4feb9e52cd307a25b113e101661a865463ee2480c626aa4e2ec437d72e7bae4c\nP = bd37c850cf7d702bac879f3c21a51a5a4df2b8eb0935861e0753a6eb62261a95\n\nModSqrt = 971f75bc7afa8b4b50f1d4b05e52deac7d4836a08d30546f29649bf1ca6a247\nA = 655ed4c5d8d0afb4f9360372ee1ef1303898d2423e585108a3303faedb55064d2ef25666ed4c4d71fe6063fea1f3142b435714b0e30b339dd791d347c884654\nP = 9810151ad4bc9c5d68fc326395b509f2625bfebca1c3801ad4da7539fdbaa6f7\n\nModSqrt = 48fa882b7cb6a29de9e3769f72eb67f1efd4d2af56f0c7e410c610efcbce2065\nA = 14f3503f33b243800eac1defaab33e04c01e80163fb3efd03860970cc016832431ca4fc6d1b760f4f40166b0b8b3c40dbebc81460cc10890172243770338f090\nP = 9810151ad4bc9c5d68fc326395b509f2625bfebca1c3801ad4da7539fdbaa6f7\n\nModSqrt = 236fd7e397ea7f8bc2a288eb7236ca41936fa702b7dccca56c8852e147511f7d\nA = 1bbd0980feac854782813bcde4da85e8a054549a1b515e065da4236528035e756882e29e762cf60453e375cca9dc6ff637f9558bf86646e3b928f68f82af7efe\nP = 9810151ad4bc9c5d68fc326395b509f2625bfebca1c3801ad4da7539fdbaa6f7\n\nModSqrt = 693f0cbe8c81b0afde0cd2f83e53795dcae6b0cc4ba930ab5c752400d787f14\nA = 7b20f9664b23907e152ab8c9a907f72e8670c1c38ab4cd1411ea7c2159c09aa131afe068929b8e6ad1409b74c04975180d1cd0a9fa74e923c3fd451e8da2c34\nP = 9810151ad4bc9c5d68fc326395b509f2625bfebca1c3801ad4da7539fdbaa6f7\n\nModSqrt = 4a086c50b0bad576501ddb6280743b2c9d247841eb7f14d90561432ff7dca6f0\nA = 4367431ec0cd0d7626538b93a090c30fe0c97c18ca03b97ddae304b619112b5b4d02bf0f041fa3fd673f9ef2ceb07eb2079d11c56dd903b1a87e8252a97b8079\nP = 9810151ad4bc9c5d68fc326395b509f2625bfebca1c3801ad4da7539fdbaa6f7\n\nModSqrt = 18f8433fa468d8065157708f1f1e53b8e31d39c6011fbc2bad93de1b5548e19c\nA = 739c032bb4139c199c40f548d37234298772e4ccb9d3ba28412b60ad23b4c465b0787e2382f1c5a4a87af2d20eb978b7dcbe73f2112249477d15c8a85e54a79\nP = adcd56924f73836ebe4dccfe006ad3b1e5076562cd11b161642cab7af2284659\n\nModSqrt = 49e3c8eef5e067cabd51a7c01384ce05ab8f4342f655559d8a689eb7b20e0106\nA = 18400c2cc3e06b99b4e39c77b9af5ff0e9c683f1708321afa4cd5b6988d13b36b1d9eb4379b7902d9ceb40c03f814b2b6a01b90509bbb4532f13ab1571c4d04a\nP = adcd56924f73836ebe4dccfe006ad3b1e5076562cd11b161642cab7af2284659\n\nModSqrt = 35548c530745f440329325cc8a5fbd90c16a7f0788879a4869bc4d4f73acda0e\nA = 181a3c5ab02566e7166c4d6d2f2bd4a8ecc25991a98d270bde80cf4332766a7068b14240bf5f5dcd45e90ef252596da3eb05b11d68b2063f7b3a825742593ca9\nP = adcd56924f73836ebe4dccfe006ad3b1e5076562cd11b161642cab7af2284659\n\nModSqrt = 1ab7046e6af061ade5f9719008fa4d989007e2a579a134a5b9f19ec410984096\nA = 1008a03e211fab0d45856377079bc96b0776c2d4c0175661f3493246cea2ab0a02a706c85314fb707ad9906bedb2cfd577d62092ae08ff21d7b949373ea954c7\nP = adcd56924f73836ebe4dccfe006ad3b1e5076562cd11b161642cab7af2284659\n\nModSqrt = 2be9e3e7515960d90f115b89f60dedc173a73ce163b4036e85b7b6a76fd90852\nA = 392053a9f0100540a8e1a0c353e922068a84dad3a4a8e8962fbc0bee2b6a06e20d08ade16eb1409a16acfcac3db5c43c421505e07035ca308b15c4a6db0864c0\nP = adcd56924f73836ebe4dccfe006ad3b1e5076562cd11b161642cab7af2284659\n\nModSqrt = 5b301bb93bdcf050183107e36258b53b4805918114ea1c2227b0911d5b4dc077\nA = 55e55e5f94dc3d7aabc921f6469d85fa2e1e92a87347c57afad5872306ae69f9fb99297d1e3e793dd9e8632244208154de5da7114fd876383bf1422f7ece024\nP = d43280ac150f725f4a2a1dceb1c79bcac57855a4eba72ae93762d09bcb2444fb\n\nModSqrt = 2df9609e2f5a5156c3260461b2ee52eacdef00bd8b091479813143a6c5283f71\nA = 2099325b7f12fe77353ddf3f2b2c5ef77b49671b150af954cf84e9675e3ecde3e057084641a633d19533b4712ab49924c8b5c31d591abcc88291f51253fa2a7\nP = d43280ac150f725f4a2a1dceb1c79bcac57855a4eba72ae93762d09bcb2444fb\n\nModSqrt = dfab751710e9008e25e422d1199d6fbec4dc7fba35b4da9d225a746eb4126a0\nA = c006af53d4737fb293584df6ffe2e4cb3fd8dc77fb7c1f13b97bb9c249e3ee5fb9feff7488265b3093906c08a4946f142ac7b491937d24bfba6413366ce371d\nP = d43280ac150f725f4a2a1dceb1c79bcac57855a4eba72ae93762d09bcb2444fb\n\nModSqrt = 26bc030008d6c60a09fb0e16093a649fcb40c6c21a8e2da2353ba4b07c4f85d5\nA = 1eaabcfad2ed349ac9356e6f4da0b301266ddde811cb0f817aba8f5c10fb8b8ba9d0ef2dd386b668f16eac296118fdb8cb7afe1b865648c81c2fa3cf21f2711b\nP = d43280ac150f725f4a2a1dceb1c79bcac57855a4eba72ae93762d09bcb2444fb\n\nModSqrt = 35051b1482ec2578f3dc0000a422cb5111e43c37f1ac20b1844d3de2128c4556\nA = 315ff9de178681116f2a5fa78eebf4818e1d680435eacdfaf9d0e5c4fc01fc034b352c82fd52c81ca30d68864952dacc99d08269c9dd7ca99ccf22da98c3840\nP = d43280ac150f725f4a2a1dceb1c79bcac57855a4eba72ae93762d09bcb2444fb\n\nModSqrt = a5474252885cacf004c460a7793ff0b0a2187bb1a9ed700ae3470199faef71f\nA = 19856fc1351c4b02abf573bb2fc6ff92355fa369d62bb8f2260fa772fb1693f509a56cad661930abcac049dd70f4b16bed4a4c172e73e772504c9990ce7f92f\nP = dc315fd52684fba79e577a204de9053b11a5d7a414263fec9eff6ff62188829d\n\nModSqrt = 12daf4722387ecf47de1b0b6b110a062dc5ea2685bc9dbde66b8d15622985029\nA = fb8479787069116abc42abfd7dc0c24d2ad04fe0c04b42a6dff714af715d17e0fd77855f950f264542b06d48e8818de813ddb7975798b7debefcdaa5ff86beb\nP = dc315fd52684fba79e577a204de9053b11a5d7a414263fec9eff6ff62188829d\n\nModSqrt = 397996ed5c0ac6ad32e43c337e9de421b87774cc162bf7ac7bbedf4a9029255e\nA = 5aa04353321bd2de92481be740357f979da464b53aa39111fdbb734cf7af6b3857d1baa08d3a126a3dd34a2fbae2bf2b84e900686c1d31505b390185acef5fe5\nP = dc315fd52684fba79e577a204de9053b11a5d7a414263fec9eff6ff62188829d\n\nModSqrt = 2cf4b844a54ba359dc592ef1b49f43fcfeae84d1087edfefdd0b9174b43c0a3c\nA = 365a8650510bcfd8fa87432f167cf487234c215857403b9270b5eebeafa48cd6da47fd60dc311b94d1d72baad0447",
+ "c31f0b212d755f46c256e16e5e015e6546e\nP = dc315fd52684fba79e577a204de9053b11a5d7a414263fec9eff6ff62188829d\n\nModSqrt = 9277c73043ff767c3fa606f0cd66b9d854a600c8c18287f191ce277758c3f31\nA = 62cec3901626d03e8df66299a87c54b1f7a55cafc99f0b6bba1b5d51a3d2b7d2171c9135a9d8a5346d436e0136b12e515e703e3cd84ecfe154eb94c6772a6d72\nP = dc315fd52684fba79e577a204de9053b11a5d7a414263fec9eff6ff62188829d\n\nModSqrt = 4189e5a90c1b1abdc1c7c05b3587e6f362e06f927b6cf5f0d271aab3d6f90765\nA = 336b8d0f9dac842c696bc020f49c6aa023842c16f2052eb02f17959006554ca0012042c80c72590f21c6bf5a3714c9cb552aa69730e33db93a56a909b273f39\nP = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f\n\nModSqrt = 36ccd38cb5a6bd8a73bca55936a2227c503664422c2296faf7e2b1c6a375a43a\nA = fecfd60a376befbe48d2c4f6d070d716d2f403cd5daefbce62b720df44deb605162c8f20f49fd7ec30d4f8e70d803d45b3a44b5d912baa3410d991165d7c507\nP = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f\n\nModSqrt = 198fc8569be172dc9b71023ed3d42d2ba94bae4099643f6517ab03f540527fdb\nA = 65bebdb00a96fc814ec44b81f98b59fba3c30203928fa5214c51e0a97091645280c947b005847f239758482b9bfc45b066fde340d1fe32fc9c1bf02e1b2d0ec\nP = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f\n\nModSqrt = 21b7f74c30ded681d6138cf8e6fd798f32a049e94138e982f1845df3dc9e686f\nA = 9a30b791c1ba4f394b4e3dcd5837e474237f4fe8987b255c098a47b2c14c598ec69d2beae444dd4fe9c4ede8173d2b187677cc706a3c28f3b81627d8a5fb6fd\nP = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f\n\nModSqrt = a1d52989f12f204d3d2167d9b1e6c8a6174c0c786a979a5952383b7b8bd186\nA = 2eee37cf06228a387788188e650bc6d8a2ff402931443f69156a29155eca07dcb45f3aac238d92943c0c25c896098716baa433f25bd696a142f5a69d5d937e81\nP = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f\n\n\n# NotModSquare tests.\n#\n# These test vectors are such that NotModSquare is not a square modulo P.\n\nNotModSquare = 03\nP = 07\n\nNotModSquare = 05\nP = 07\n\nNotModSquare = 06\nP = 07\n\nNotModSquare = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951e\nP = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f\n\n\n# ModInv tests.\n#\n# These test vectors satisfy ModInv * A = 1 (mod M) and 0 <= ModInv < M.\n\nModInv = 00\nA = 00\nM = 01\n\nModInv = 00\nA = 01\nM = 01\n\nModInv = 00\nA = 02\nM = 01\n\nModInv = 00\nA = 03\nM = 01\n\nModInv = 64\nA = 54\nM = e3\n\nModInv = 13\nA = 2b\nM = 30\n\nModInv = 2f\nA = 30\nM = 37\n\nModInv = 4\nA = 13\nM = 4b\n\nModInv = 1c47\nA = cd4\nM = 6a21\n\nModInv = 2b97\nA = 8e7\nM = 49c0\n\nModInv = 29b9\nA = fcb\nM = 3092\n\nModInv = a83\nA = 14bf\nM = 41ae\n\nModInv = 18f15fe1\nA = 11b5d53e\nM = 322e92a1\n\nModInv = 32f9453b\nA = 8af6df6\nM = 33d45eb7\n\nModInv = d696369\nA = c5f89dd5\nM = fc09c17c\n\nModInv = 622839d8\nA = 60c2526\nM = 74200493\n\nModInv = fb5a8aee7bbc4ef\nA = 24ebd835a70be4e2\nM = 9c7256574e0c5e93\n\nModInv = 846bc225402419c\nA = 23026003ab1fbdb\nM = 1683cbe32779c59b\n\nModInv = 5ff84f63a78982f9\nA = 4a2420dc733e1a0f\nM = a73c6bfabefa09e6\n\nModInv = 133e74d28ef42b43\nA = 2e9511ae29cdd41\nM = 15234df99f19fcda\n\nModInv = 46ae1fabe9521e4b99b198fc8439609023aa69be2247c0d1e27c2a0ea332f9c5\nA = 6331fec5f01014046788c919ed50dc86ac7a80c085f1b6f645dd179c0f0dc9cd\nM = 8ef409de82318259a8655a39293b1e762fa2cc7e0aeb4c59713a1e1fff6af640\n\nModInv = 444ccea3a7b21677dd294d34de53cc8a5b51e69b37782310a00fc6bcc975709b\nA = 679280bd880994c08322143a4ea8a0825d0466fda1bb6b3eb86fc8e90747512b\nM = e4fecab84b365c63a0dab4244ce3f921a9c87ec64d69a2031939f55782e99a2e\n\nModInv = 1ac7d7a03ceec5f690f567c9d61bf3469c078285bcc5cf00ac944596e887ca17\nA = 1593ef32d9c784f5091bdff952f5c5f592a3aed6ba8ea865efa6d7df87be1805\nM = 1e276882f90c95e0c1976eb079f97af075445b1361c02018d6bd7191162e67b2\n\nModInv = 639108b90dfe946f498be21303058413bbb0e59d0bd6a6115788705abd0666d6\nA = 9258d6238e4923d120b2d1033573ffcac691526ad0842a3b174dccdbb79887bd\nM = ce62909c39371d463aaba3d4b72ea6da49cb9b529e39e1972ef3ccd9a66fe08f\n\nModInv = aebde7654cb17833a106231c4b9e2f519140e85faee1bfb4192830f03f385e773c0f4767e93e874ffdc3b7a6b7e6a710e5619901c739ee8760a26128e8c91ef8cf761d0e505d8b28ae078d17e6071c372893bb7b72538e518ebc57efa70b7615e406756c49729b7c6e74f84aed7a316b6fa748ff4b9f143129d29dad1bff98bb\nA = a29dacaf5487d354280fdd2745b9ace4cd50f2bde41d0ee529bf26a1913244f708085452ff32feab19a7418897990da46a0633f7c8375d583367319091bbbe069b0052c5e48a7daac9fb650db5af768cd2508ec3e2cda7456d4b9ce1c39459627a8b77e038b826cd7e326d0685b0cd0cb50f026f18300dae9f5fd42aa150ee8b\nM = d686f9b86697313251685e995c09b9f1e337ddfaa050bd2df15bf4ca1dc46c5565021314765299c434ea1a6ec42bf92a29a7d1ffff599f4e50b79a82243fb24813060580c770d4c1140aeb2ab2685007e948b6f1f62e8001a0545619477d498132c907774479f6d95899e6251e7136f79ab6d3b7c82e4aca421e7d22fe7db19c\n\nModInv = 1ec872f4f20439e203597ca4de9d1296743f95781b2fe85d5def808558bbadef02a46b8955f47c83e1625f8bb40228eab09cad2a35c9ad62ab77a30e3932872959c5898674162da244a0ec1f68c0ed89f4b0f3572bfdc658ad15bf1b1c6e1176b0784c9935bd3ff1f49bb43753eacee1d8ca1c0b652d39ec727da83984fe3a0f\nA = 2e527b0a1dc32460b2dd94ec446c692989f7b3c7451a5cbeebf69fc0ea9c4871fbe78682d5dc5b66689f7ed889b52161cd9830b589a93d21ab26dbede6c33959f5a0f0d107169e2daaac78bac8cf2d41a1eb1369cb6dc9e865e73bb2e51b886f4e896082db199175e3dde0c4ed826468f238a77bd894245d0918efc9ca84f945\nM = b13133a9ebe0645f987d170c077eea2aa44e85c9ab10386d02867419a590cb182d9826a882306c212dbe75225adde23f80f5b37ca75ed09df20fc277cc7fbbfac8d9ef37a50f6b68ea158f5447283618e64e1426406d26ea85232afb22bf546c75018c1c55cb84c374d58d9d44c0a13ba88ac2e387765cb4c3269e3a983250fa\n\nModInv = 30ffa1876313a69de1e4e6ee132ea1d3a3da32f3b56f5cfb11402b0ad517dce605cf8e91d69fa375dd887fa8507bd8a28b2d5ce745799126e86f416047709f93f07fbd88918a047f13100ea71b1d48f6fc6d12e5c917646df3041b302187af641eaedf4908abc36f12c204e1526a7d80e96e302fb0779c28d7da607243732f26\nA = 31157208bde6b85ebecaa63735947b3b36fa351b5c47e9e1c40c947339b78bf96066e5dbe21bb42629e6fcdb81f5f88db590bfdd5f4c0a6a0c3fc6377e5c1fd8235e46e291c688b6d6ecfb36604891c2a7c9cbcc58c26e44b43beecb9c5044b58bb58e35de3cf1128f3c116534fe4e421a33f83603c3df1ae36ec88092f67f2a\nM = 53408b23d6cb733e6c9bc3d1e2ea2286a5c83cc4e3e7470f8af3a1d9f28727f5b1f8ae348c1678f5d1105dc3edf2de64e65b9c99545c47e64b770b17c8b4ef5cf194b43a0538053e87a6b95ade1439cebf3d34c6aa72a11c1497f58f76011e16c5be087936d88aba7a740113120e939e27bd3ddcb6580c2841aa406566e33c35\n\nModInv = 87355002f305c81ba0dc97ca2234a2bc02528cefde38b94ac5bd95efc7bf4c140899107fff47f0df9e3c6aa70017ebc90610a750f112cd4f475b9c76b204a953444b4e7196ccf17e93fdaed160b7345ca9b397eddf9446e8ea8ee3676102ce70eaafbe9038a34639789e6f2f1e3f352638f2e8a8f5fc56aaea7ec705ee068dd5\nA = 42a25d0bc96f71750f5ac8a51a1605a41b506cca51c9a7ecf80cad713e56f70f1b4b6fa51cbb101f55fd74f318adefb3af04e0c8a7e281055d5a40dd40913c0e1211767c5be915972c73886106dc49325df6c2df49e9eea4536f0343a8e7d332c6159e4f5bdb20d89f90e67597c4a2a632c31b2ef2534080a9ac61f52303990d\nM = d3d3f95d50570351528a76ab1e806bae1968bd420899bdb3d87c823fac439a4354c31f6c888c939784f18fe10a95e6d203b1901caa18937ba6f8be033af10c35fc869cf3d16bef479f280f53b3499e645d0387554623207ca4989e5de00bfeaa5e9ab56474fc60dd4967b100e0832eaaf2fcb2ef82a181567057b880b3afef62\n\n\n# GCD tests.\n#\n# These test vectors satisfy gcd(A, B) = GCD and lcm(A, B) = LCM.\n\nGCD = 0\nA = 0\nB = 0\n# Just to appease the syntax-checker.\nLCM = 0\n\nGCD = 1\nA = 92ff140ac8a659b31dd904161f9213706a08a817ae845e522c3af0c9096699e059b47c8c2f16434b1c5766ebb384b79190f2b2a62c2378f45e116890e7bb407a\nB = 2f532c9e5902b0d68cd2ed69b2083bc226e8b04c549212c425a5287bb171c6a47fcb926c70cc0d34b8d6201c617aee66af865d31fdc8a2eeb986c19da8bb0897\nLCM = 1b2c97003e520b0bdd59d8c35a180b4aa36bce14211590435b990ad8f4c034ce3c77899581cb4ee1a022874203459b6d53859ab1d99ff755efa253fc0e5d8487bb000c13c566e8937f0fe90b95b68bc278610d4f232770b08d1f31bee55a03da47f2d0ebb9e7861c4f16cc22168b68593e9efcde00f54104b4c3e1a0b294d7f6\n\nGCD = a\nA = faaffa431343074f5c5d6f5788500d7bc68b86eb37edf166f699b4d75b76dae2cb7c8f6eccae8f18f6d510ef72f0b9633d5740c0bebb934d3be796bd9a53808e\nB = 2f48ec5aa5511283c2935b15725d30f62244185573203b48c7eb135b2e6db5c115c9446ac78b020574665b06a75eb287e0dbeb5da7c193294699b4c2129d2ac4\nLCM = 4a15f305e9622aa19bd8f39e968bfc16d527a47f7a5219d7b02c242c77ef8b608a4a6141f643ca97cedf07c0f1f3e8879d2568b056718aa15c0756899a08ccbe0a658bae67face96fa110edb91757bfa4828e8ff7c5d71b204f36238b12dd26f17be8ba9771f7068d63e41d423671f898f054b118760",
+ "5754bc5546f2b02c5ac\n\nGCD = 16\nA = cf0b21bde98b41b479ac8071086687a6707e9efaacd4e5299668ce1be8b13290f27fd32ae68df87c292e8583a09d73ec8e8a04a65a487380dcd7dacca3b6e692\nB = 3be3f563f81d5ad5c1211db7eff430aa345e830ce07b4bde7d4d32dba3ac618d2034351e5435fd6c7f077971fb4a1e83a7396a74fdff7fce1267112851db2582\nLCM = 233a2188de2c017235024b182286f17562b2ee5ab9fdfe4efa2f61c4ff99fa44e1ead5bf6cde05bd7502ce78373c83e3f9dbab0c9bb8620a87c2640bce5d12c685af656df789bb3d0ba1edbaa98cf4f0166d422ab17aa6706f8132264d45b72827d6671a00a9186e723379e3a3bb7902d08865f357c74100059f83800241976\n\nGCD = 1\nA = dd7b7597d7c1eb399b1cea9b3042c14bd6022d31b1d2642a8f82fc32de6eadaf012fbbf349eaec4922a8468740ca73c6090833d6a69a380ed947b39c2f9b0b76\nB = 8e0dc8654e70eec55496038a8d3fff3c2086bc6dbfc0e2dbdf5bd7de03c5aef01a3982556ac3fc34fd5f13368be6cdc252c82367b7462e210f940f847d382dd9\nLCM = 7ae667df4bd4dd35bbec28719a9f1b5e1f396a9ab386c086742a6ab3014a3386d39f35b50624d0c5b4e6b206c2635c7de5ea69e2faa85dd616a7e36622962a07632839857aa49332942feccff2aee1c962e2f4e8ccfd738a5da5bf528b4c5a2440409350f5a17a39d234403e8482ccf838e0d2758ccfb8018198a51dbb407506\n\nGCD = 1\nA = 0\nB = 1\nLCM = 0\n\nGCD = 1\nA = 1\nB = 0\nLCM = 0\n\nGCD = 1\nA = 1\nB = 1\nLCM = 1\n\nGCD = 2b2\nA = dfccaa3549c1b59ab3e114fe87dc5d187719abad58c51724e972741eb895ab79a49f385f61d531ec5c88dbb505ae375093fa848165f71a5ed65e7832a42ade191a\nB = fa58a81f43088da45e659fc1117d0f1cd015aa096c8e5377cf1832191baf7cc28b5c24998b93b64f8900a0973faedb9babaaf1854345f011739da8f1175d9684c\nLCM = 5132f7ab7a982b9dc55114bd96800b7637f9742cf8a7a00a0d69d5e4574fc85792c89a1c52bcfc74b9d7f3f6164819466c46b2d622e280ced7ad1211604084a15dc1fd1951a05c8ce37122c0ec15891d818a70d3763670ea3195098de9b1ca50ea89893a9753fb9ea801541058f44801f7f50967124abfc864a2b01c41f94193c\n\nGCD = 8e\nA = 248d96a8a4cab0a1b194e08c1146868b094597cadbc35531f0ed2d77cba9f15cb5cc7c10e64ce054bf93396d25259d750b3de3aba65073db1fd2b852a6454ac1a\nB = 4c7bad8e1844901fd6a2ce2edc82e698d28ec95d6672ca148d85b49ecc78dd0a8b870e202244210bc98592b99ff6abbd20630f9eee7d46b15ccfae8d08b86799de\nLCM = 13b01f9d9c6c13e90c97e3d95bbce5a835c631b3de3bd4ff5df13ad850f5223dbdf71c53912275d0397df9335ef3a3ba8e4684c6b25962bb7b18bc74144cb5edf0196f79863a7ff032619a71646a92281f7baace7f223d254cb4d05ec19bf8d4c8ce4455a9d770daec89c0d3cf338cbdae39cf982b3c4568f5c9def4e1133d28a\n\nGCD = 3e55\nA = 2fa97382f46676b7a4cc2b8153f17b58792d24660e187d33ce55c81cc193ccb6e1e2b89feea1d5fd8faa36e13bf947fb48635e450a4d1488d0978324194a1f43c6\nB = ab08ad074139963bc18e5d87ba68db64ca6f4c279616c64039b02c55f2375b3bc04114e8e05e1ba92fb6470768f61d123845aea36774c18612736a220934561faf\nLCM = 82c7c377ecda2cb9228604cd287df5eff94edd4a539c3eb3b3fdd4b4a79d2f4eaf2b22f8286272d3dad2e370cfcd9ea4d93ebb3f049c52b8fa23b68a5bf79af989822e2cfb978f68c6a5058f47319dffcb455b089b06ae6db9e5c8a2b6e951d6e118bd2b4cd08b6e5733476a446a57387d940d1289ec00e24315821ed3a5daf2\n\nGCD = a7a\nA = 923706dfed67834a1e7e6c8e8e9f93bfbc0b43ca1f324886cf1f1380fb9b77109275d4b50af1b7689802fe9b3623ac46c7ba0e17e908c20278127b07a5c12d86ec\nB = 64473e878a29021fac1c1ce34a63eae1f4f83ee6851333b67213278b9a4a16f005cba0e8cdb410035bb580062f0e486c1a3a01f4a4edf782495f1dc3ebfa837d86\nLCM = 57785ca45b8873032f1709331436995525eed815c55140582ce57fd852116835deac7ca9d95ce9f280e246ea4d4f1b7140ab7e0dd6dc869de87f1b27372098b155ad0a1828fd387dff514acc92eae708609285edaab900583a786caf95153f71e6e6092c8c5ee727346567e6f58d60a5e01c2fa8ebcf86da9ea46876ecc58e914\n\nGCD = 42\nA = 0\nB = 42\nLCM = 0\n\nGCD = 42\nA = 42\nB = 0\nLCM = 0\n\nGCD = 42\nA = 42\nB = 42\nLCM = 42\n\nGCD = f60d\nA = ef7886c3391407529d5cf2e75ed53e5c3f74439ad2e2dc48a79bc1a5322789b4ced2914b97f8ff4b9910d212243b54001eb8b375365b9a87bd022dd3772c78a9fd63\nB = d1d3ec32fa3103911830d4ec9f629c5f75af7039e307e05bc2977d01446cd2cbeeb8a8435b2170cf4d9197d83948c7b8999d901fe47d3ce7e4d30dc1b2de8af0c6e4\nLCM = cc376ed2dc362c38a45a719b2ed48201dab3e5506e3f1314e57af229dc7f3a6a0dad3d21cfb148c23a0bbb0092d667051aa0b35cff5b5cc61a7c52dec4ed72f6783edf181b3bf0500b79f87bb95abc66e4055f259791e4e5eb897d82de0e128ecf8a091119475351d65b7f320272db190898a02d33f45f03e27c36cb1c45208037dc\n\nGCD = 9370\nA = 1ee02fb1c02100d1937f9749f628c65384ff822e638fdb0f42e27b10ee36e380564d6e861fcad0518f4da0f8636c1b9f5124c0bc2beb3ca891004a14cd7b118ddfe0\nB = 67432fd1482d19c4a1c2a4997eab5dbf9c5421977d1de60b739af94c41a5ad384cd339ebfaa43e5ad6441d5b9aaed5a9f7485025f4b4d5014e1e406d5bd838a44e50\nLCM = 159ff177bdb0ffbd09e2aa7d86de266c5de910c12a48cbe61f6fa446f63a2151194777555cd59903d24cb30965973571fb1f89c26f2b760526f73ded7ee8a34ebcecd1a3374a7559bcdb9ac6e78be17a62b830d6bb3982afdf10cf83d61fd0d588eab17d6abef8e6a7a5763fcb766d9a4d86adf5bb904f2dd6b528b9faec603987a0\n\nGCD = c5f\nA = 5a3a2088b5c759420ed0fb9c4c7685da3725b659c132a710ef01e79435e63d009d2931ea0a9ed9432f3d6b8851730c323efb9db686486614332c6e6ba54d597cf98\nB = 1b1eb33b006a98178bb35bbcf09c5bebd92d9ace79fa34c1567efa8d6cf6361547807cd3f8e7b8cd3ddb6209dccbae4b4c16c8c1ec19741a3a57f61571882b7aed7\nLCM = c5cbbbe9532d30d2a7dd7c1c8a6e69fd4fa4828a844d6afb44f3747fef584f7f1f3b835b006f8747d84f7699e88f6267b634e7aef78d6c7584829537d79514eec7d11219721f91015f5cefdc296261d85dba388729438991a8027de4827cd9eb575622e2912b28c9ce26d441e97880d18db025812cef5de01adeaec1322a9c9858\n\nGCD = e052\nA = 67429f79b2ec3847cfc7e662880ab1d94acdf04284260fcfffd67c2862d59704ed45bcc53700c88a5eea023bc09029e9fd114fc94c227fd47a1faa1a5ef117b09bd2\nB = 39faa7cbdeb78f9028c1d50ab34fbe6924c83a1262596f6b85865d4e19cc258b3c3af1ee2898e39e5bee5839e92eac6753bbbb0253bd576d1839a59748b778846a86\nLCM = 1ab071fb733ef142e94def10b26d69982128561669e58b20b80d39cf7c2759d26b4a65d73b7f940c6e8fc417180ef62d7e52ac24678137bd927cd8d004ad52b02affe176a1ecde903dbc26dcc705678f76dd8cd874c0c3fe737474309767507bbe70dd7fb671bbb3694cedf0dcdaa0c716250ddd6dfec525261572fa3e1387f7b906\n\nGCD = 3523\nA = 0\nB = 3523\nLCM = 0\n\nGCD = 3523\nA = 3523\nB = 0\nLCM = 0\n\nGCD = 3523\nA = 3523\nB = 3523\nLCM = 3523\n\nGCD = f035a941\nA = 16cd5745464dfc426726359312398f3c4486ed8aaeea6386a67598b10f744f336c89cdafcb18e643d55c3a62f4ab2c658a0d19ea3967ea1af3aee22e11f12c6df6e886f7\nB = 74df09f309541d26b4b39e0c01152b8ad05ad2dfe9dd2b6706240e9d9f0c530bfb9e4b1cad3d4a94342aab309e66dd42d9df01b47a45173b507e41826f24eb1e8bcc4459\nLCM = b181771d0e9d6b36fdfcbf01d349c7de6b7e305e1485ea2aa32938aa919a3eee9811e1c3c649068a7572f5d251b424308da31400d81ac4078463f9f71d7efd2e681f92b13a6ab3ca5c9063032dcbdf3d3a9940ce65e54786463bbc06544e1280f25bc7579d264f6f1590cf09d1badbf542ce435a14ab04d25d88ddbac7d22e8cae1c91f\n\nGCD = 33ad1b8f\nA = 1af010429a74e1b612c2fc4d7127436f2a5dafda99015ad15385783bd3af8d81798a57d85038bcf09a2a9e99df713b4d6fc1e3926910fbbf1f006133cb27dc5ebb9cca85\nB = 92a4f45a90965a4ef454f1cdd883d20f0f3be34d43588b5914677c39d577a052d1b25a522be1a656860a540970f99cbc8a3adf3e2139770f664b4b7b9379e13daf7d26c\nLCM = 4c715520ed920718c3b2f62821bc75e3ff9fd184f76c60faf2906ef68d28cd540d3d6c071fa8704edd519709c3b09dfaee12cb02ab01ad0f3af4f5923d5705ce6d18bcab705a97e21896bb5dd8acb36ee8ec98c254a4ddc744297827a33c241f09016a5f109248c83dd41e4cea73ce3eabb28d76678b7e15545b96d22da83c111b6b624\n\nGCD = dc0429aa\nA = ccb423cfb78d7150201a97114b6644e8e0bbbb33cadb0ef5da5d3c521a244ec96e6d1538c64c10c85b2089bdd702d74c505adce9235aa4195068c9077217c0d431de7f96\nB = 710786f3d9022fc3acbf47ac901f62debcfda684a39234644bac630ab2d211111df71c0844b02c969fc5b4c5a15b785c96efd1e403514235dc9356f7faf75a0888de5e5a\nLCM = 6929af911850c55450e2f2c4c9a72adf284fe271cf26e41c66e1a2ee19e30d928ae824f13d4e2a6d7bb12d10411573e04011725d3b6089c28d87738749107d990162b485805f5eedc8f788345bcbb5963641f73c303b2d92f80529902d3c2d7899623958499c8a9133aae49a616c96a2c5482a37947f23af18c3247203ac2d0e760340e6\n\nGCD = 743166058\nA = 16cd476e8031d4624716238a3f85badd97f274cdfd9d53e0bd74de2a6c46d1827cc83057f3889588b6b7ca0640e7d743ed4a6eaf6f9b8df130011ecc72f56ef0af79680\nB = 86eba1fc8d761f22e0f596a03fcb6fe53ad15a03f5b4e37999f60b20966f78ba3280f02d3853f9ace40438ccfaf8faed7ace2f2bf089b2cdd4713f3f293bf602666c39f8\nLCM = 1a7a1b38727324d6ba0290f259b8e2b89c339b2445cada38a5a00ded1468ab069f40678ce76f7f78c7c6f97783cc8a49ef7e2a0c73abbac3abc66d1ce99566ce7f874a8949ca3442051e71967695dc65361184748c1908e1b587dc02ed899a524b34eb30b6f8db302432cfa1a8fbf2c46591e0ab3db7fd32c01b1f86c39832ee9f0c80\n\nGCD = 6612ba2c\nA = 0\nB = 6612ba2c\nLCM = 0\n\nGCD = 6612ba2c\nA = 6612ba2c\nB = 0\nLCM = 0\n\nGCD = 6612ba2c\nA = 6612ba2c\nB = 6612ba2c\nLCM = 6612ba2c\n\nGCD ",
+ "= 2272525aa08ccb20\nA = 11b9e23001e7446f6483fc9977140d91c3d82568dabb1f043a5620544fc3dda233b51009274cdb004fdff3f5c4267d34181d543d913553b6bdb11ce2a9392365fec8f9a3797e1200\nB = 11295529342bfb795f0611d03afb873c70bd16322b2cf9483f357f723b5b19f796a6206cf3ae3982daaeafcd9a68f0ce3355a7eba3fe4e743683709a2dd4b2ff46158bd99ff4d5a0\nLCM = 8d4cbf00d02f6adbaa70484bcd42ea932000843dcb667c69b75142426255f79b6c3b6bf22572597100c06c3277e40bf60c14c1f4a6822d86167812038cf1eefec2b0b19981ad99ad3125ff4a455a4a8344cbc609e1b3a173533db432bd717c72be25e05ed488d3970e7ed17a46353c5e0d91c8428d2fec7a93210759589df042cab028f545e3a00\n\nGCD = 3480bf145713d56f9\nA = 8cf8ef1d4f216c6bcec673208fd93b7561b0eb8303af57113edc5c6ff4e1eeae9ddc3112b943d947653ba2179b7f63505465126d88ad0a0a15b682f5c89aa4a2a51c768cd9fdeaa9\nB = a6fd114023e7d79017c552a9051ca827f3ffa9f31e2ee9d78f8408967064fcdc9466e95cc8fac9a4fa88248987caf7cf57af58400d27abd60d9b79d2fe03fad76b879eceb504d7f\nLCM = 1c05eee73a4f0db210a9007f94a5af88c1cdd2cba456061fd41de1e746d836fa4e0e972812842e0f44f10a61505f5d55760c48ba0d06af78bb6bde7da8b0080b29f82b1161e9c0b5458e05ac090b00f4d78b1cc10cf065124ba610e3acab092a36fe408525e21c0ddc7c9696ed4e48bd2f70423deecfe62cecc865c6088f265da0e5961d3f3a84f\n\nGCD = 917e74ae941fcaae\nA = 652f8a92d96cbf0a309629011d0fbaceb1266bc2e8243d9e494eead4cf7100c661b537a8bea93dec88cfc68597d88a976c125c3b4de19aba38d4ea9578202e59848d42652518348a\nB = 32e07b71979d57e8344e97c39680a61e07d692d824ae26b682156890792d8a766ee29a4968f461aaced5bf049044fba2f4120b1c1f05985676f975d4582e9e82750d73c532cd07b2\nLCM = 23620c7b897dc26c7717e32f3517ac70bf09fbe08f7255ab010cf4cf946f4e96304c425043452c5d5a0e841d3a3cfd9c2d84d9256f3b5974fe3ebfa9255fe20a710d3e6511606c0d85970381101c7f4986d65ad6a73a71507f146b11f903043cfa805cc0b14d4f3072da98bf22282f7762040406c02d5b3ef9e7587f63bab8b29c61d8e30911aa96\n\nGCD = 2b9adc82005b2697\nA = 19764a84f46045ef1bca571d3cbf49b4545998e64d2e564cc343a53bc7a0bcfbe0baa5383f2b346e224eb9ce1137d9a4f79e8e19f946a493ff08c9b423574d56cbe053155177c37\nB = 1bbd489ad2ab825885cdac571a95ab4924e7446ce06c0f77cf29666a1e20ed5d9bc65e4102e11131d824acad1592075e13024e11f12f8210d86ab52aa60deb250b3930aabd960e5a\nLCM = 1032a0c5fffc0425e6478185db0e5985c645dd929c7ebfeb5c1ee12ee3d7b842cfab8c9aa7ff3131ac41d4988fb928c0073103cea6bb2cc39808f1b0ad79a6d080eac5a0fc6e3853d43f903729549e03dba0a4405500e0096b9c8e00510c1852982baec441ed94efb80a78ed28ed526d055ad34751b831b8749b7c19728bf229357cc5e17eb8e1a\n\nGCD = 8d9d4f30773c4edf\nA = 0\nB = 8d9d4f30773c4edf\nLCM = 0\n\nGCD = 8d9d4f30773c4edf\nA = 8d9d4f30773c4edf\nB = 0\nLCM = 0\n\nGCD = 8d9d4f30773c4edf\nA = 8d9d4f30773c4edf\nB = 8d9d4f30773c4edf\nLCM = 8d9d4f30773c4edf\n\nGCD = 6ebd8eafb9a957a6c3d3d5016be604f9624b0debf04d19cdabccf3612bbd59e00\nA = 34dc66a0ffd5b8b5e0ffc858dfc4655753e59247c4f82a4d2543b1f7bb7be0e24d2bbf27bb0b2b7e56ee22b29bbde7baf0d7bfb96331e27ba029de9ffdff7bdb7dc4da836d0e58a0829367ec84ea256833fd4fe1456ad4dd920557a345e12000\nB = 1f3406a20e20ebf96ccb765f898889a19b7636608fd7dc7c212607b641399543f71111d60e42989de01eaa6ff19a86ea8fbde1a3d368c0d86dc899e8e250fc764090f337958ca493119cbb4ad70cbfae7097d06d4f90ec62fbdd3f0a4496e600\nLCM = ee502c50e3667946e9089d0a9a0382e7fd0b75a17db23b56a0eec997a112c4dbd56d188808f76fe90451e5605550c9559ef14a95014c6eb97e9c1c659b98515c41470142843de60f72fb4c235faa55b0a97d943221003d44e2c28928f0b84bf071256254897ed31a7fd8d174fc962bc1311f67900ac3abcad83a28e259812f1ee229511ab1d82d41f5add34693ba7519babd52eb4ec9de31581f5f2e40a000\n\nGCD = ef7399b217fc6a62b90461e58a44b22e5280d480b148ec4e3b4d106583f8e428\nA = 7025e2fe5f00aec73d90f5ad80d99ca873f71997d58e59937423a5e6ddeb5e1925ed2fd2c36a5a9fc560c9023d6332c5d8a4b333d3315ed419d60b2f98ccf28bbf5bf539284fd070d2690aeaac747a3d6384ee6450903a64c3017de33c969c98\nB = df0ac41dbabce1deeb0bceb1b65b1079850052ecf6534d0cff84a5a7fb5e63baee028d240f4419925154b96eaa69e8fbb1aae5102db7916234f290aa60c5d7e69406f02aeea9fe9384afbff7d878c9ac87cd31f7c35dff243b1441e09baff478\nLCM = 687669343f5208a6b2bb2e2efcac41ec467a438fde288cc5ef7157d130139ba65db9eb53e86a30c870bd769c0e0ab15a50f656cd9626621ae68d85eaff491b98da3ea5812062e4145af11ea5e1da457084911961ef2cd2ac45715f885ba94b4082aa76ffd1f32461f47c845b229d350bf36514c5ce3a7c782418746be342eca2721346ade73a59475f178c4f2448e1326110f5d26a0fef1a7a0c9288489e4dc8\n\nGCD = 84b917557acf24dff70cb282a07fc52548b6fbbe96ca8c46d0397c8e44d30573\nA = 81dbb771713342b33912b03f08649fb2506874b96125a1ac712bc94bfd09b679db7327a824f0a5837046f58af3a8365c89e06ff4d48784f60086a99816e0065a5f6f0f49066b0ff4c972a6b837b63373ca4bb04dcc21e5effb6dfe38271cb0fa\nB = 1da91553c0a2217442f1c502a437bb14d8c385aa595db47b23a97b53927b4493dd19f1bc8baf145bc10052394243089a7b88d19b6f106e64a5ab34acad94538ab504d1c8ebf22ac42048bbd1d4b0294a2e12c09fe2a3bd92756ba7578cb34b39\nLCM = 1d0530f8142754d1ee0249b0c3968d0ae7570e37dadbe4824ab966d655abf04cd6de5eb700eba89d8352dec3ae51f2a10267c32fbd39b788c7c5047fe69da3d7ad505435a6212f44899ba7e983bb780f62bcdee6f94b7dba8af7070a4cc008f351ae8be4579bc4a2e5c659ce000ad9c8cdc83723b32c96aeb0f5f4127f6347353d05525f559a8543cd389ad0af6f9d08a75b8c0b32419c097e6efe8746aee92e\n\nGCD = 66091477ea3b37f115038095814605896e845b20259a772f09405a8818f644aa\nA = cedac27069a68edfd49bd5a859173c8e318ba8be65673d9d2ba13c717568754ed9cbc10bb6c32da3b7238cff8c1352d6325668fd21b4e82620c2e75ee0c4b1aff6fb1e9b948bbdb1af83cecdf356299b50543b72f801b6a58444b176e4369e0\nB = 5f64ca1ba481f42c4c9cf1ffa0e515b52aa9d69ceb97c4a2897f2e9fa87f72bae56ee6c5227f354304994c6a5cc742d9f09b2c058521975f69ca5835bce898cf22b28457cd7e28870df14e663bb46c9be8f6662f4ff34d5c4ae17a888eba504e\nLCM = c163cb28642e19a40aa77887c63180c2c49fc10cda98f6f929c8131752ea30b5283a814a81681b69b9d1762e6c1a9db85f480bc17f998d235fd7e64c1caa70ef170c9e816d3e80f516b29f2c80cfb68bf208b4d5082ef078da4314b3f20c7d6c54b0aeb378096b029a7b61c0a4cd14aeddc01004c53915a4f692d2291752e5af46b23d7fa6dd61f2d56c6f4bf8e6119688abac8fd7aba80e846a7764bb3fca0\n\nGCD = bb80bf51757ba696c700fa4e4c0132b3151d2bf9ebff8382f808ded78be67182\nA = 0\nB = bb80bf51757ba696c700fa4e4c0132b3151d2bf9ebff8382f808ded78be67182\nLCM = 0\n\nGCD = bb80bf51757ba696c700fa4e4c0132b3151d2bf9ebff8382f808ded78be67182\nA = bb80bf51757ba696c700fa4e4c0132b3151d2bf9ebff8382f808ded78be67182\nB = 0\nLCM = 0\n\nGCD = bb80bf51757ba696c700fa4e4c0132b3151d2bf9ebff8382f808ded78be67182\nA = bb80bf51757ba696c700fa4e4c0132b3151d2bf9ebff8382f808ded78be67182\nB = bb80bf51757ba696c700fa4e4c0132b3151d2bf9ebff8382f808ded78be67182\nLCM = bb80bf51757ba696c700fa4e4c0132b3151d2bf9ebff8382f808ded78be67182\n\nGCD = 120451d8307219aa0c96f328ad653ccd462e92423ca93ed8a3dde45bf5cb9b13cdaf9800e4d05dd71c4db6a129fb3280ee4ec96ec5297d881c1a8b5efccbd91fef21f5c5bf5fba42a4c8eaa358f620a074b7a17054527bdaa58d5acaa0dfdc48ecba1a10ebf4d57bb4215de406e6be13fed3fe493b1cd1e2d11a8d4ac03c47756\nA = 3f8179a8e1f0b342475a855c3e1bae402dd41424cf24a0b4d2e263c8efb08bde7d92eae8607fb5e88b1378f0f1bd0733f229a35be6b1383a48d32749d5d6b32427d26323b7ab05bb5781289e96bfbc21971439319b15f6c0fe93fdb35d0b67ec41443c59a081dd3cef047ac797fccb45bece84c0bb0bb7e1797259526d8ec9cc63ba4d32cfc692ccd3d243cb2b53ac216312f3a8e8c0daa09d21b6150d697639a5e52059414a417c607be8ec0eee2e708219cadbaf37a369c4485b01ed87bbc2\nB = 2c474e396a2dd9cd10b9d7313f69d3b4ca123e9fd853edd488339236d14c56453a1381958864a04d2624e81995dabcdd0ccf60db9917813f887de68da075d0ea4440001e18f470e43b38ee3440b49be651d709fbdef980e3e4149913f4ae2681124f54523f4881376ddb533b5219e804cc26f4c2e577be4e02613c4da80ba1215775b0a5178a965ad47bd2befb32493943ded1004ef66347b4983f8d1ba990d4a943505dfce6debcfb322842ed88106cd6dee9aa592ff0d2274bc727a6e1f14c\nLCM = 9c129cf649555bfd2d3d9c64dc6d6f022295e53bca5d2f218adaa66aa60eb4694429b7e83bf81b6df4459c5104023ab9a33f006ffcd8114507baa17e2ef6fe23ebdd4740f66879033da2041f2cb7ba517ad3526ffe75614ea9432c085f71b2d65a736bac7ba42b639e330b82733372083843dcb78b6a273ab20e0d4b7c8998a14048aa15bb20a0a0bd997917107274c89b4cec175fb98043d52e6c555bd9e0036566d052a6d4e7e276d1e8835e1f06e3ca46d47747ba586e95fb1a790d992834b7c3e136141eb8a434e6c12067246ac3c0a81c69e03b1ed28aa0b3173d6eff83d278c2f461a47a416f3f9a5dae3bb410fd18817bd4115e7f1e84b936cc02364\n\nGCD = 95aa569a2c76854300d7660847dd20fe0b8c445fdbcaa98465cee61aee76ad6a438e75a8c573198570ffb62bc07ec3a2be0ae0a1f631670fa88d6f75f3161e8b9a4d44b6801ffc884c7f469c5ed1f27b1edecce9f2977f9e92d1a3b230492fea7e6f2af739dc158a7fbd29856cbedb57b4119e64b27ab09eb1c2df01507d6e7fd\nA = ",
+ "4c653b5bfec44e9be100c064dffe5d8cd59b0cf4cc56b03eabb4ef87cfda6506c9a756b811907fe9d8b783eb7a0b9e129773bf1da365ddb488d27b16fb983e89345d1ccdb4f06a67a11925c3f266373be5d7b0075189c6f3c2157e2da197058fe0a7bcc50adc34e99e254a29abbe2d5948d3157e1b0c3fca3d641760f7b9862843b63abef0b3d83fd486f4526b30382fda355575da30e9a106718a3921774c4d69f5311f8d737fe618f5236b4763fe1b2ee7f13184db67367d3903c535ff6d7b\nB = 2dcca83c99a28e9fd2f84e78973699baf2f04fd454094730948b22477834a0064817b86e0835e6d7b26e5b0b1dcf4ad91a07ac0780d6522df1fcac758cf5db6c2a5623d7c0f1afefd5718f7b6de639867d07a9ec525991304e9355d1635104bea837f74758d6aa2aab4e4afbb606af1d98de7417505e4710cd0589bdff9a0bf38a857cc59a5f1781043e694fc2337fd84bdeb28b13a222bb09328a81ec409ad586e74236393d27398cc24d412135e34247c589149e134b97f4bd538ac9a3424b\nLCM = 1760c0b0066aa0695767099e87e9388729ea89b8e8c36bddcd04d257591e741613c07b0e69447c0a468c33a745084171e06523d987d8db40a1433bf435325e8a724a0876503b34495170ff3671d42117a2e4f3a75b1d9dd809a34fa0fb26fe50d84f80a9b02e40190e5efb927a5a61a03f13edbce2e666af6c3a2a9bcb84e47e3090008753ff27c4b8cf06480f471379a93f5230923623a83b286b71a555cd5e5347282f664ed90b14b2c4de84a70375e488211a7b3931119ef3bbe029b712389fe784818a0bf29d80733ce9cc940c547aa1eb3f06d492eb676bf37802283c82ce76156dfaab5c2d5107e08062681b5fa169f6eb68e1ab8bd9b2005e90bd4fd\n\nGCD = 244b9b1290cf5b4ba2f810574c050651489f2d3a2b03e702b76ebfaf4e33de9bbe5da24c919e68d3a72eadd35982b3a89c6b18b38ff7082ac65263e52b6ec75a5717b971c98257b194c828bff0216a99536603b41a396ea2fb50f5ea7cf3edf10bb0d039123e78593ae9ffcbbba02e51e038533e83b6bc73c70551d6467f39809\nA = 41a0b1310669500681cdf888836f6c556758750f562d743ac780dd4c0d161856380e44fdbb1f8a2786bf45be6b0e7f1cb2cd85f6b9e50acc72793d92383c7d7fb796fc74d32e8fac8225bdc19ae47546d9c9c75f5f06ca684f07daccaf89ccf2cddeb7ec255d530c7dd1e71daf44cafdc9d30fbcb1cbaefae3480585f79f4177e3834a5bc91845e2e8cd8aeb27f484e5e5b2c3c076dbb6c23e91303f0a0fdde83cd33a8ea6ed1549e727b4d766c1017c169710fd98e1585d60f66e121f9180b3\nB = 251f5aeaa60b3959285f49540cdaf8e21451110bbddb9933bbbcaea3112f4eb45e435a3ba37c52d2ab79ce997a8f6c829b3aa561f2852924b8effb52396d09d2bf257ebb4fb56c7aa25648f69b06d2cd01e876c9f9c0679de9e6fffa79eb7e603723e5af7de46ee405a5a079229577b5b6fffb8d43e391fe6f4eb89638e64d6eff8026249aaa355a91625eb0bfd14caa81e4c3586aaa2e94fde143a44f223a91e226661d12f55dfcdb4215e5a64e14e968005733be6a71c465de312ca109b34a\nLCM = 431f918b274f3e43f446e4e85567883d6536a0332db662cef088f5a36b0f4b68372048174ba10fee94b9f8f1c2e189c974be2e6e8ae8e2ae108445326d40f63e38d8d4e2e46174589a3cbc9583e0036dc8146e79eee9e96f4436313b3f143dd0f5aceab05243def7f915169c360f55ef123977cf623c5ba432c3259c62fb5e37d5adab0f24b825aa4ada99ec4e83e9ca4698399e1ed633091ce5f9844c540a642cd264201116ed4168aa2105a5159f5df064f845830c469140f766c7319052ce59bd1ad7c3f2d8c30e54f147f6aeb5586c70c984302ba18d854a60aec01b394c7d66fa33fe18fe4a8cfb3238df219294e6e42190a30d28b10049a1b75853a4e\n\nGCD = 206695d52bc391a4db61bf8cb6ea96188333a9c78f477ee76976c2346dad682cf56ca6f176d86ef67d41ff5921b6162b0eca52359975872430dd14c45643eacdf028d830770714c033fd150669705851b2f02de932322d271d565d26768530c3f6cb84f0b3356f970b9070b26c050ead0417152c324c8ffe266d4e8b5b7bef3a\nA = 1114eb9f1a9d5947eb1399e57f5c980833489685023ed2fe537fe1276c1e026b9a19e6fff55aa889d6c4e977b6e6f3111e2ad463138637b50f42cf32e57d83f282de9e72f813e5969195159a666d74dcd689bd527c60199ae327f7bd548ac36868fea5fdf6f35d19b921e7c10b6448ca480de6826478cd0642d72f05af3f8e65ce42409fbd49f56e81946e89c8e83962c4edc0ed54600600a305e52d081aed3c351e450e11f8fb0ce5754c92cf765b71393b2b7a89c95df79b9ea1b3cb600862\nB = 1d8f3179ca7b5cc7119360c10de939ffa57c9043da2f2b0ca3009c9bdad9f19ed16e3c2c197bef4b527fa1bf2bbab98b77e26c329911db68bd63d3d0fbfc727a977395b9ad067106de3094d68e097830858c5ccfa505fc25e972bdee6f347e7d1163efacd3d29a791ec2a94ffeed467884ae04896efc5e7e5f43d8d76c147e3c9951a1999173bc4e5767d51268b92cc68487ba1295372143b538711e0a62bf0ac111cc750ca4dd6c318c9cbe106d7fc492261404b86a1ba728e2d25b1976dc42\nLCM = f9570211f694141bfb096560551080cbe02a80271b4505591aaea9e3b99ea1d5ac1c1f2378fd72799e117ac2a73381b1ad26314e39972164d93971479ee3ba21a4d98cef0bd299d540ce5826995dcee0de420dff73d30b23cbf3188c625c7696df517535bc5675d71faa00807efbebdca547933f4a37849d1c014484a77da6df0670c4974bcc91eb5f5fe5faf9dd095ef195ec32ad9eeebf0e63288b4032ed9e70b888afc642f4ff96f0b4c0a68787301c12e4527fe79bdfe72dd3844ab5e094a9295df6616f24d1b9eeebc2116177dacf91969dda73667bc421ef3ccd8d5c23dddc283f5d36568d31f2654926be67f78e181075bdc148f2b39c630b141ae8a\n\nGCD = 3d319c42d872f21131ce5ff3ab8bec94339308e620316dda218e85fedcd511cd62f0b2f3448d5e58fd3520ae8118abd54ead9ad9e8ec3890365c6b2cca2172d4b8839b2d2c5ab02f65180826cb0cd5c9798f5d6261efe6e6ec31dea047da7c486b0590359e6f333557f67ceebf9ea9cd5dd986a999a8c88bdbd0ca21816b2423\nA = 0\nB = 3d319c42d872f21131ce5ff3ab8bec94339308e620316dda218e85fedcd511cd62f0b2f3448d5e58fd3520ae8118abd54ead9ad9e8ec3890365c6b2cca2172d4b8839b2d2c5ab02f65180826cb0cd5c9798f5d6261efe6e6ec31dea047da7c486b0590359e6f333557f67ceebf9ea9cd5dd986a999a8c88bdbd0ca21816b2423\nLCM = 0\n\nGCD = 3d319c42d872f21131ce5ff3ab8bec94339308e620316dda218e85fedcd511cd62f0b2f3448d5e58fd3520ae8118abd54ead9ad9e8ec3890365c6b2cca2172d4b8839b2d2c5ab02f65180826cb0cd5c9798f5d6261efe6e6ec31dea047da7c486b0590359e6f333557f67ceebf9ea9cd5dd986a999a8c88bdbd0ca21816b2423\nA = 3d319c42d872f21131ce5ff3ab8bec94339308e620316dda218e85fedcd511cd62f0b2f3448d5e58fd3520ae8118abd54ead9ad9e8ec3890365c6b2cca2172d4b8839b2d2c5ab02f65180826cb0cd5c9798f5d6261efe6e6ec31dea047da7c486b0590359e6f333557f67ceebf9ea9cd5dd986a999a8c88bdbd0ca21816b2423\nB = 0\nLCM = 0\n\nGCD = 3d319c42d872f21131ce5ff3ab8bec94339308e620316dda218e85fedcd511cd62f0b2f3448d5e58fd3520ae8118abd54ead9ad9e8ec3890365c6b2cca2172d4b8839b2d2c5ab02f65180826cb0cd5c9798f5d6261efe6e6ec31dea047da7c486b0590359e6f333557f67ceebf9ea9cd5dd986a999a8c88bdbd0ca21816b2423\nA = 3d319c42d872f21131ce5ff3ab8bec94339308e620316dda218e85fedcd511cd62f0b2f3448d5e58fd3520ae8118abd54ead9ad9e8ec3890365c6b2cca2172d4b8839b2d2c5ab02f65180826cb0cd5c9798f5d6261efe6e6ec31dea047da7c486b0590359e6f333557f67ceebf9ea9cd5dd986a999a8c88bdbd0ca21816b2423\nB = 3d319c42d872f21131ce5ff3ab8bec94339308e620316dda218e85fedcd511cd62f0b2f3448d5e58fd3520ae8118abd54ead9ad9e8ec3890365c6b2cca2172d4b8839b2d2c5ab02f65180826cb0cd5c9798f5d6261efe6e6ec31dea047da7c486b0590359e6f333557f67ceebf9ea9cd5dd986a999a8c88bdbd0ca21816b2423\nLCM = 3d319c42d872f21131ce5ff3ab8bec94339308e620316dda218e85fedcd511cd62f0b2f3448d5e58fd3520ae8118abd54ead9ad9e8ec3890365c6b2cca2172d4b8839b2d2c5ab02f65180826cb0cd5c9798f5d6261efe6e6ec31dea047da7c486b0590359e6f333557f67ceebf9ea9cd5dd986a999a8c88bdbd0ca21816b2423\n\nGCD = 2\nA = 14e95a85e59ade9ef39e2f400c65db18702fa5fc485b9bba479a5282b2206129160e54f73ef4917983c17b4c5ebff7be112a886de069706eee29ba902515cb038\nB = ddcfff1d39c90c599f55495bf71c1e7597c6b08b7430707f360c6a6e5137bbc7b403c6d9e2c34f3d2f29d5d32b869346853c2de239cc35381bdfb4a01569211a\nLCM = 90f38564ee72e55d362c04599e7d74f068c75f541b84e97abba2841f1a9f66b06b5c9009f6a4c2e319fced85270588de03ccebddbd9279aaecb13bdc1dbea7f42acaee751cb7da83779b8785cc86f41b94b13b54964208ca287d981634778d1096f20e76ca636c0717fd27e0800c43f599a5eded807421b502eaf9990a8c8ed8\n\nGCD = 4\nA = 3c719c1c363cdeb7b57c2aabb71f425da4c3e6d3e447204d555e7cf0f3d372bdda906f36078045044978dafc20171767c8b1464d52dfdf3e2ba8a4906da033a8\nB = 30fe0ef151ac51404e128c064d836b191921769dc02d9b09889ed40eb68d15bfdd2edea33580a1a4d7dcee918fefd5c776cbe80ca6131aa080d3989b5e77e1b24\nLCM = 2e4526157bbd765b0486d90bcd4728f890bc6dbd9a855c67ca5cb2d6b48f8e74e1d99485999e04b193afca58dbf282610185d6c0272007744ff26e00dbdc813929b47940b137dc56ba974da07d54a1c50ec4a5c2b26e83f47cf17f4ccce8c3687e8d1e91d7c491a599f3d057c73473723ce9eee52c20fe8ae1595447552a7ee8\n\nGCD = 10\nA = 44e04071d09119ea9783a53df35de4a989200133bb20280fdca6003d3ca63fdd9350ad1a1673d444d2f7c7be639824681643ec4f77535c626bd3ee8fa100e0bb0\nB = ca927a5a3124ce89accd6ac41a8441d352a5d42feb7f62687a5ebc0e181cc2679888ecc2d38516bdc3b3443550efccac81e53044ae9341ecace2598fe5ce67780\nLCM = 36805ba9b2412a0cb3fe4ed9bdabfa55515c9d615a3d0af268c45c5f6098d2de4a583f3791f1e3883c55d51ce23c5658fd0e8faa9a3709a1cfbd6a61dbab861690f27c86664f084c86cfd4a183b24aaadf59a6f8cbec04f1b0ded8a59b188cb46ae920052e3e099a570540dbc00f7d4a571eef08aa70d2d189a1804bf04e94a80\n\nGCD = 100\nA = 73725032b214a6776",
+ "87c811031555b0c51c1703f10d59b97a4d732b7feaec5726cb3882193419d3f057583b2bc02b297d76bb689977936febaae92638fdfc46a00\nB = 979f4c10f4dc60ad15068cedd62ff0ab293aeaa1d6935763aed41fe3e445de2e366e8661eadf345201529310f4b805c5800b99f351fddab95d7f313e3bb429d900\nLCM = 4460439b4be72f533e9c7232f7e99c48328b457969364c951868ceab56cb2cbbeda8be2e8e3cae45c0758048468b841fdb246b2086d19b59d17b389333166ab82ed785860620d53c44f7aaaff4625ee70fb8072df10fb4d1acb142eadc02978ff2bb07cea9f434e35424b3323a7bda3a1a57aa60c75e49ebb2f59fb653aa77da00\n\nGCD = 100000000\nA = f8b4f19e09f5862d79fb2931c4d616a1b8e0dd44781ca52902c8035166c8fca52d33a56ff484c365ec1257de7fa8ed2786163cfc051d5223b4aad859a049e8ba00000000\nB = 6e54cb41b454b080e68a2c3dd0fa79f516eb80239af2be8250ca9cd377ba501aabafc09146fad4402bdc7a49f2c3eec815e25f4c0a223f58e36709eefd92410500000000\nLCM = 6b3020a880ddeff9d17d3dc234da8771962de3322cd15ba7b1e4b1dd4a6a2a802a16c49653865c6fdf6c207cbe0940f8d81ef4cb0e159385fd709d515ee99d109ad9ad680031cbae4eab2ed62944babdade4e3036426b18920022f737897c7d751dce98d626cdda761fec48ad87a377fb70f97a0a15aa3d10d865785719cc5a200000000\n",
};
-static const size_t kLen41 = 18795;
+static const size_t kLen37 = 18795;
-static const char *kData41[] = {
+static const char *kData37[] = {
"# This file contains test vectors for whether B is a Miller-Rabin composite\n# witness for W. W must be odd and B must satisfy 1 <= B <= W-1.\n#\n# The following Python function may be used to check values.\n#\n# def is_miller_rabin_witness(w, b):\n# # Variable names taken from FIPS 186-4 C.3.1 but the algorithm skips a\n# # couple of optimizations in the FIPS formulation.\n# m = w - 1\n# a = 0\n# while m&1 == 0:\n# a += 1\n# m //= 2\n# # b is a composite witness for w iff the following are true:\n# # - b^m != 1 (mod w)\n# # - b^(m*2^j) != -1 (mod w), for 0 <= j < a\n# z = pow(b, m, w)\n# if z == 1:\n# # b^m = 1 (mod w)\n# return False\n# for j in range(a):\n# if z == w-1:\n# # b^(m*2^j) = -1 (mod w)\n# return False\n# z = (z * z) % w\n# # At this point, z is b^(w-1) (mod w). If z is not 1, w has failed the\n# # Fermat test and is composite. If z is 1, the value of z immediately\n# # before it became 1 is a non-trivial root of unity and w is composite.\n# return True\n\n# Exhaustively test a small prime.\n\nResult = PossiblyPrime\nW = 7\nB = 1\n\nResult = PossiblyPrime\nW = 7\nB = 2\n\nResult = PossiblyPrime\nW = 7\nB = 3\n\nResult = PossiblyPrime\nW = 7\nB = 4\n\nResult = PossiblyPrime\nW = 7\nB = 5\n\nResult = PossiblyPrime\nW = 7\nB = 6\n\n\n# Random large inputs which try to cover a few cases. The nontrivial square root\n# case appears to be difficult to hit randomly.\n\n# b^m = w-1\nResult = PossiblyPrime\nW = d6b4ffc7cf70b2a2fc5d6023015875504d40e3dcce7c2e6b762c3de7bb806a5074144e7054198dabf53d23108679ccc541d5a99efeb1d1abaf89e0dbcead2a8b\nB = fabbafdbec6494ddb5ea4bf458536e87082369b0e53a200ed413f3e64b2fddc7c57c565710fbe73fae5b188fce97d8dcca74c2b5d90906c96d3c2c358a735cd\n\n# b^m = w-1\nResult = PossiblyPrime\nW = 52cc61c42b341ad56dc11495e7cb2fe31e506b9e99522efbf44cd7c28468d3833c5e360f3c77b0aa43c0495c4e14665ab0d7cee9294c722f0de47d4401828401\nB = 3bdc9639c0fc2e77ab48d46e0b4ac6529c11c900e8fe4d82d75767c0556feb23d3f42d4924d16876a743feb386b7b84c7fd16a6c252f662faf0024d19972e62f\n\n# b^m = w-1\nResult = PossiblyPrime\nW = cff9897aa7dce0f2afad262b2de57d301305de717f3539c537c4ce062f8cb70df13fbc1eb4a3b9f0958a8810d1ca9042b4f23334b285a15fee3fc66498761d4b\nB = 9ceb43132fddf9ee4104ea1cb3eb2253c1d7f803f05f0305de9e31a17dd75832f47b8bf189a9b7ca0905f2a7470d9c6349080f481ff1708696fa12d972e7d7ba\n\n# Some b^(m*2^j) = w-1\nResult = PossiblyPrime\nW = 67d1825dad5344170e65247a87aef1634a1b32bdc22f2f04d9d2959767bb5a27610fba55cd607e0f9fdd9fbb0f7f98e40d5e1eb2f52318fb5be4dbfd30d38861\nB = 260fb14724ff80984736859d8755ee98b25bcb56db9fde1db001a1e1273374034c5b75fd60b3710c7a08ce7d390776f010f384d4e32943cf0c477497d53e9e05\n\n# Some b^(m*2^j) = w-1\nResult = PossiblyPrime\nW = ad0bc85b58aaa204177aa9431a40929beb1cbea2dd6f66a25cc54600013213b225ba881805661df43f4208965ada7aacc8095d07d3cbef1a7bbfaae8b745f731\nB = 3d9310f20e9c80269fa6830c7e1a6f02fc5c58646001a9ef6b8b3e496602ff22c3dcb2ddb6a221723fc1722ce237fb46f7a7bb2945e415c8839b15a972f076c9\n\n# Some b^(m*2^j) = w-1\nResult = PossiblyPrime\nW = b25c917f55f6c7b596921daba919f35039e5d805119c1587e99849dd7104460c86214f162a6f17aea847bc7f3859e59f2991d457059511972ef373d4bc75e309\nB = a1f10b261dee84619b0423201d46af19eef9ec0612cf947c4d5c36c0c4b28207f75967e69452eabad0a5dcd28f27f7a8a7ed9c8b3e5026c6e0ba5634d94c2d44\n\n# b^m = 1\nResult = PossiblyPrime\nW = d3eeb0eff05b6992e9fa61b02755e155f4aae28c6e45ddb874edd86acdd2d83d18a20e0e00d8b8bc94b92d14fc3f41ced6ababe8ac98c7730c075dbe0f699369\nB = 6b7717269c6225203681a1cacec87cacd83003ec6e9e3f04effcc4f86634770c0860e1f2770b8f303719a44949664a1094205a99d95a0856758fed66d690105e\n\n# b^m = 1\nResult = PossiblyPrime\nW = 64561b8d9aa50340c3a01ccb3e6e17f5023513661c012be288f3900a3ca76890e67290b9560fa1d480f9d2aacccca581b5690636665f243fa13aff5d0bff12d3\nB = 1f5ff70d3d60671ebc5fbfca731898a04438053dbc3c841e6335f487e457d92d9efb5d506d5bef6872d58d12b9a41c950bfc38d12ed977c90eacdd6535b811a0\n\n# b^m = 1\nResult = PossiblyPrime\nW = 69c63fbf44df21b0ed0ee929a740c12d1f3f064da0dcd9d509f31fa45fa27d1a759ab5a9f6f1040d7ee90a0b1e68f779273c41ea1c1198fd547ff6bd70c7e787\nB = 5f7996a9bbfd8fd88e472220b70077bfdacdd63d88885134431f024c2acb7126827b174eb093eb5313f07bb5461de9b0feb7d77ca2c39c2a323a150f33ea525f\n\n# End of iteration\nResult = Composite\nW = 28cc3e08c44571c6dcb98a9ab8b4f3e2b16e1f884997d94a3188bcbb7f1b7cdaecdae8329c013ec8f75dc00004da0039943e4262cd080b16a42910102e00dddb\nB = 512061ab1c69931c2fa0bb89d8d09f3c9209230bf927ddd6fb6a72075f967ed3c4dbb5f437bf4d31ca7344782b22011ad56609dc19aed65319bababfc13dd7\n\n# End of iteration\nResult = Composite\nW = 4eeb7b4d371c45fe8586fee3b1efd792176b70f6cc2698dfa1dd028366626febe0199c3c5f77a5c3cad0057a04767383051d41965255d03681b2a37edad34a9b\nB = 4afc2e85f84017b3fd6967a227eb74c8297b40ea02733d9513bff9b3f01081963f25872f4254afc4e9321eea35b2a1e42eadb186fcc84f2f30f4a994350b93b8\n\n# End of iteration\nResult = Composite\nW = 8e35a959555dd2eb66c65cee3c264071d20671f159e1f9896f1d0ceb041905fcf053eacc189de317c3ee6f93901223cbf30d5b7ddbbdab981790e2f6397e6803\nB = 44c0153759309ec4e5b1e59d57c1b126545ef7ea302b6e43561df4d16068b922389d6924f01c945d9080d1f93a0732599bdedae72d6d590839dc0884dd860441\n\n\n# 0x6c1 = 1729 = 7 * 13 * 19 is a Fermat pseudoprime.\n\n# Found non-trivial square root\nResult = Composite\nW = 6c1\nB = b8\n\n# End of iteration\nResult = Composite\nW = 6c1\nB = 111\n\n# End of iteration\nResult = Composite\nW = 6c1\nB = 11d\n\n# Found non-trivial square root\nResult = Composite\nW = 6c1\nB = 19c\n\n# Found non-trivial square root\nResult = Composite\nW = 6c1\nB = 223\n\n# End of iteration\nResult = Composite\nW = 6c1\nB = 3aa\n\n# Found non-trivial square root\nResult = Composite\nW = 6c1\nB = 653\n\n\n# 1729 has a number of false witnesses.\n\n# b^m = 1\nResult = PossiblyPrime\nW = 6c1\nB = 78\n\n# b^m = 1\nResult = PossiblyPrime\nW = 6c1\nB = eb\n\n# b^m = w-1\nResult = PossiblyPrime\nW = 6c1\nB = 178\n\n# b^m = w-1\nResult = PossiblyPrime\nW = 6c1\nB = 178\n\n# b^m = w-1\nResult = PossiblyPrime\nW = 6c1\nB = 1aa\n\n# b^m = 1\nResult = PossiblyPrime\nW = 6c1\nB = 271\n\n# b^m = 1\nResult = PossiblyPrime\nW = 6c1\nB = 2b2\n\n\n# 1 and W-1 are always nonwitnesses.\nResult = PossiblyPrime\nW = 6c1\nB = 1\n\nResult = PossiblyPrime\nW = 6c1\nB = 6c0\n\n\n# https://kconrad.math.uconn.edu/blurbs/ugradnumthy/millerrabin.pdf, examples\n# 3.1 and 3.2 has a complete list of false witnesses for 65 = 0x41 and\n# 85 = 0x55.\n\n# b^m = 1\nResult = PossiblyPrime\nW = 41\nB = 1\n\n# Some b^(m*2^j) = w-1\nResult = PossiblyPrime\nW = 41\nB = 8\n\n# Some b^(m*2^j) = w-1\nResult = PossiblyPrime\nW = 41\nB = 12\n\n# Some b^(m*2^j) = w-1\nResult = PossiblyPrime\nW = 41\nB = 2f\n\n# Some b^(m*2^j) = w-1\nResult = PossiblyPrime\nW = 41\nB = 39\n\n# b^m = w-1\nResult = PossiblyPrime\nW = 41\nB = 40\n\n# b^m = 1\nResult = PossiblyPrime\nW = 55\nB = 1\n\n# Some b^(m*2^j) = w-1\nResult = PossiblyPrime\nW = 55\nB = d\n\n# Some b^(m*2^j) = w-1\nResult = PossiblyPrime\nW = 55\nB = 26\n\n# Some b^(m*2^j) = w-1\nResult = PossiblyPrime\nW = 55\nB = 2f\n\n# Some b^(m*2^j) = w-1\nResult = PossiblyPrime\nW = 55\nB = 48\n\n# b^m = w-1\nResult = PossiblyPrime\nW = 55\nB = 54\n\n# Other witnesses for 65 and 85 will report composite:\n\n# Found non-trivial square root\nResult = Composite\nW = 41\nB = 2c\n\n# End of iteration\nResult = Composite\nW = 41\nB = 16\n\n# End of iteration\nResult = Composite\nW = 41\nB = 14\n\n# End of iteration\nResult = Composite\nW = 41\nB = 2\n\n# End of iteration\nResult = Composite\nW = 41\nB = 3a\n\n# End of iteration\nResult = Composite\nW = 55\nB = 40\n\n# End of iteration\nResult = Composite\nW = 55\nB = 7\n\n# End of iteration\nResult = Composite\nW = 55\nB = 23\n\n# End of iteration\nResult = Composite\nW = 55\nB = 2e\n\n# End of iteration\nResult = Composite\nW = 55\nB = 2a\n\n# W below is composite, but it is one of the worst case scenarios for\n# Miller-Rabin, from Wycheproof tests. 1/4 of witnesses report the value is\n# prime. Test that we correctly classify false and true witnesses.\n\n# b^m = w-1\nResult = PossiblyPrime\nW = 550fda19f97cdfbd13930911ef6e9e1cb2b7b5215a35c215d51ebffeb435642174cbe998f4451bde2d4bd2ce92ab5b9493b657f1d77d9ad4d348550247b903906109c608ecba7f88c239c76f0afc231e7f1ac1cee87b4c34448a16f7979ff4c18e65e05d5a86909615fe56587576962a2cb3ba467d9806445a0f039907601af77ba7d07578eff612364fbcac11d35e243734aa6d9a6cdcf912a2dd0a12ba7e87\nB = 379c6027f818b5164bc13dff",
"5e996ec7210976f33570d5c60275918b8988d97a63bb6582af85682c45667a8b94b7acab4d919ede00f5bd2ba7abc8634d66f8875fd930f35ec8013d37b958e65f07de015c0574e64198d73aab5466f3a971b74830b7f1671cb9277fbc95c1ba8c29dc903d8cea1b74c22ab9164f9c438ab9ba7d9919f832e40c3e36faca7343e2314669b0104d9c4f2e1b011cdbd9c686baef0\n\n# b^m = w-1\nResult = PossiblyPrime\nW = 550fda19f97cdfbd13930911ef6e9e1cb2b7b5215a35c215d51ebffeb435642174cbe998f4451bde2d4bd2ce92ab5b9493b657f1d77d9ad4d348550247b903906109c608ecba7f88c239c76f0afc231e7f1ac1cee87b4c34448a16f7979ff4c18e65e05d5a86909615fe56587576962a2cb3ba467d9806445a0f039907601af77ba7d07578eff612364fbcac11d35e243734aa6d9a6cdcf912a2dd0a12ba7e87\nB = 3cc4b644965b2133caffc2bb6258b1ecd5b586b900a09b010382fcef709e4cd37ee3e3182bf8d393c1ab6f9a933d46338b3d960923d8c9607c2b2763d5680230a2bc0c91138e9d0ecb35e7154a06aaa902d34b9b14964b81f4d8232641492d83b22cd805a115e75ddd8e63b864c00e4c90ba36a41e7966e97e063a60a6a6cfd53e1f62a57852c7443e88dcf6245557a4b65494c3e88e466ad75316aaa9727def\n\n# b^m = 1\nResult = PossiblyPrime\nW = 550fda19f97cdfbd13930911ef6e9e1cb2b7b5215a35c215d51ebffeb435642174cbe998f4451bde2d4bd2ce92ab5b9493b657f1d77d9ad4d348550247b903906109c608ecba7f88c239c76f0afc231e7f1ac1cee87b4c34448a16f7979ff4c18e65e05d5a86909615fe56587576962a2cb3ba467d9806445a0f039907601af77ba7d07578eff612364fbcac11d35e243734aa6d9a6cdcf912a2dd0a12ba7e87\nB = 40c03b6ba22bd62c0379b1c36dfccd34d61e3d15f7af1d5f6a60ab972a9d0e956e2bb9e275294e0f1c879eb7a4555443429c99a8d74f7bd359a1046ac30072c04b0e2cbd005be15ff4ce0c93276de2c513fbc5771b5059904a87f180530f6773498114b5aaf70da01967d8294742e451df6377dd5e64b2a8968f4ba61b51a154317d63958ff3788defbeeebee21af5027c2291e8c5df8c0b66770d91b683cffe\n\n# b^m = w-1\nResult = PossiblyPrime\nW = 550fda19f97cdfbd13930911ef6e9e1cb2b7b5215a35c215d51ebffeb435642174cbe998f4451bde2d4bd2ce92ab5b9493b657f1d77d9ad4d348550247b903906109c608ecba7f88c239c76f0afc231e7f1ac1cee87b4c34448a16f7979ff4c18e65e05d5a86909615fe56587576962a2cb3ba467d9806445a0f039907601af77ba7d07578eff612364fbcac11d35e243734aa6d9a6cdcf912a2dd0a12ba7e87\nB = 3c7c71b84f0c6c3817f57511946315cec7d0120a9c30ceabda801fbaec329a8f10c7b9f0ae90a3dada9885bf73a3cabed86784af9682f3dea50a7817f65cfc9190cf997f12784223c4965ed6e52a1be26d4dde31741cd3d1a2e2f3a74040d0f3868eef849727aa855f66c94791194ad5d360298364e2de9ca9288e6423f644b01d52e1bd66a9f7f00bd7995a9ca2ed16f40e902852c6250a3b52bbbf5bfd33e8\n\n# b^m = w-1\nResult = PossiblyPrime\nW = 550fda19f97cdfbd13930911ef6e9e1cb2b7b5215a35c215d51ebffeb435642174cbe998f4451bde2d4bd2ce92ab5b9493b657f1d77d9ad4d348550247b903906109c608ecba7f88c239c76f0afc231e7f1ac1cee87b4c34448a16f7979ff4c18e65e05d5a86909615fe56587576962a2cb3ba467d9806445a0f039907601af77ba7d07578eff612364fbcac11d35e243734aa6d9a6cdcf912a2dd0a12ba7e87\nB = 36e6aa9acb399a50f52be0324dcef05f3cff3117f94538f6d0952b7d7be88ba4dc75d843ff7ff775e11f55c86ba6b2a6ddebd8850c33424b4d35c66321af426662e7074f0a2409a9ccf1c66ef7d823efc8240b8f3c7e9e8dd65a64e8a3ca5b26695ef17171ffe136c0593b179414c5b5ad0d66f2a25146c38b2f97e60b0472ed72de34bff1b6ac186f23645a1bbe909cdfc2b2d861eb44931568f1bb117d8a0c\n\n# End of iteration\nResult = Composite\nW = 550fda19f97cdfbd13930911ef6e9e1cb2b7b5215a35c215d51ebffeb435642174cbe998f4451bde2d4bd2ce92ab5b9493b657f1d77d9ad4d348550247b903906109c608ecba7f88c239c76f0afc231e7f1ac1cee87b4c34448a16f7979ff4c18e65e05d5a86909615fe56587576962a2cb3ba467d9806445a0f039907601af77ba7d07578eff612364fbcac11d35e243734aa6d9a6cdcf912a2dd0a12ba7e87\nB = 278f2215d3ab836043fbfa472216bbdcedb775a6a0ed711754d05aa75089a9e5d8201e113d68656f37381e44483cd365f5d383bdca5ae8d1f2e6575d7873851cfff0e12b1cfe100a04cb300cbd924353fcbd3307d01242cf6a5e86e752c6f4586bcabf48b018bb97e65c3ed409fd6f67f98987517356d88344b3c8945ccd753148a37b648dd2db44d19522a69a9ad8eb23edc55340e85a198abf179ad731db41\n\n# End of iteration\nResult = Composite\nW = 550fda19f97cdfbd13930911ef6e9e1cb2b7b5215a35c215d51ebffeb435642174cbe998f4451bde2d4bd2ce92ab5b9493b657f1d77d9ad4d348550247b903906109c608ecba7f88c239c76f0afc231e7f1ac1cee87b4c34448a16f7979ff4c18e65e05d5a86909615fe56587576962a2cb3ba467d9806445a0f039907601af77ba7d07578eff612364fbcac11d35e243734aa6d9a6cdcf912a2dd0a12ba7e87\nB = afa1478bebbfe1157568f4ae53549b4c3a6a8771b816970bfac6ce5c8b962231db7a41da4d5f1d8bf504dcfe440325b54e1888bdae344eb969436a35e5c6ce5300d46313cb2fcb57fc83305f65f53d392de400e9231cbbc2ac8243defcaf7063c632b9601a81d83138274702ff336d727d3e82ccacce069843ac9c1c590c772c8c586b65c7085a1df5a47fc960d4098a22418b41f0062c77b5d55d17149d167\n\n# End of iteration\nResult = Composite\nW = 550fda19f97cdfbd13930911ef6e9e1cb2b7b5215a35c215d51ebffeb435642174cbe998f4451bde2d4bd2ce92ab5b9493b657f1d77d9ad4d348550247b903906109c608ecba7f88c239c76f0afc231e7f1ac1cee87b4c34448a16f7979ff4c18e65e05d5a86909615fe56587576962a2cb3ba467d9806445a0f039907601af77ba7d07578eff612364fbcac11d35e243734aa6d9a6cdcf912a2dd0a12ba7e87\nB = 10f7030590b629e0313a61bdf46936a1f25db91b2b421f7ebb671f7844c22561b44b2f7699db61e5228ebb5817afad416325f9439eff7a82d8a630c504de12eaa44d97c79ee56e726ae74ee0b472f0d5fa8f20aee426e689cd33dd084f96bf4d928a21e815f7e8aaca4a5752f39c4a76bdfaa8227dc05d0dfa885d8b26d46fbcbf0d2e0d999d2c31ad84c306c9126539dbdf447f8dc707d29c7fa8021a767668\n\n# End of iteration\nResult = Composite\nW = 550fda19f97cdfbd13930911ef6e9e1cb2b7b5215a35c215d51ebffeb435642174cbe998f4451bde2d4bd2ce92ab5b9493b657f1d77d9ad4d348550247b903906109c608ecba7f88c239c76f0afc231e7f1ac1cee87b4c34448a16f7979ff4c18e65e05d5a86909615fe56587576962a2cb3ba467d9806445a0f039907601af77ba7d07578eff612364fbcac11d35e243734aa6d9a6cdcf912a2dd0a12ba7e87\nB = 97dbb6a55c039ec926aaa5ff15a2917a2b4cafc3ca07c4c6b05f931d86c9bf60ee05cbbace194e5ca97682ec67c36394018d68c3536fbf13b50f8a7e31eaed87307759a0a48c6c58d21bc7c38b878c53db5d7a8e1fdd81abefc50470a3800852e74d76fdd1933e45f39ee97b8efb68837721890d867b32a894dd0ceb4c5844a05d384145865c10973ce748ccdd8fee73f1bf8611ce0535430b6b98fb36cad7a\n\n# End of iteration\nResult = Composite\nW = 550fda19f97cdfbd13930911ef6e9e1cb2b7b5215a35c215d51ebffeb435642174cbe998f4451bde2d4bd2ce92ab5b9493b657f1d77d9ad4d348550247b903906109c608ecba7f88c239c76f0afc231e7f1ac1cee87b4c34448a16f7979ff4c18e65e05d5a86909615fe56587576962a2cb3ba467d9806445a0f039907601af77ba7d07578eff612364fbcac11d35e243734aa6d9a6cdcf912a2dd0a12ba7e87\nB = 225f58add44ed2b0a64a1d8452866d0f3c0cd45c8375e1bb33c188915c77fa11b81250b920245dda7f6126e5e0c79e6f98f89dc15db86394cf81b44f0d801e613fa4d5c6fef66fa31f26cfe6153f2e8159aad6b0351dcc0e93f9a68f649b2a77cff747b605b542d22419166befebec6cde3201e3c0cacaa2bc9d87073b8d1f1aa2b114d61de45ac8b0ad2141b43434a629ef284cd999fd82b310db7c57cf5c81\n\n# End of iteration\nResult = Composite\nW = 550fda19f97cdfbd13930911ef6e9e1cb2b7b5215a35c215d51ebffeb435642174cbe998f4451bde2d4bd2ce92ab5b9493b657f1d77d9ad4d348550247b903906109c608ecba7f88c239c76f0afc231e7f1ac1cee87b4c34448a16f7979ff4c18e65e05d5a86909615fe56587576962a2cb3ba467d9806445a0f039907601af77ba7d07578eff612364fbcac11d35e243734aa6d9a6cdcf912a2dd0a12ba7e87\nB = 2780926c9cf7c1eb2aaa935d90b6d4dea44eeefdfcf9ccd4a33feb215e3a1cb2d358136a490fed18403947f3d98807819737c66e12d42c3cc8c0e246b96b3c3b0795ab875fbaf668b81b5b05bf23e258ea00a0a140a790f76e04ab619800b7597f614ffc1a1c94be2f3f1a71d64eb47d98e4653d76eabedacff3a97ecf590e6a1fd55096b7bc9314629f698d0fbe9b01a1f2bc0bf3a2c097f99f1fd222b52ed2\n\n# End of iteration\nResult = Composite\nW = 550fda19f97cdfbd13930911ef6e9e1cb2b7b5215a35c215d51ebffeb435642174cbe998f4451bde2d4bd2ce92ab5b9493b657f1d77d9ad4d348550247b903906109c608ecba7f88c239c76f0afc231e7f1ac1cee87b4c34448a16f7979ff4c18e65e05d5a86909615fe56587576962a2cb3ba467d9806445a0f039907601af77ba7d07578eff612364fbcac11d35e243734aa6d9a6cdcf912a2dd0a12ba7e87\nB = 129cc5b0d9f8001b3895f1fcb4833779763636aeeeb3f980e63ea506202e6bde868444b6a58ff1dca08625f025a7e95a5eaaf1a8899eee640e3f05fbdb2867e2483bdc27c87b58684416e521c107f3667ed8dd23f0381edab767c5205a4378118bc011947cb6bdfe3fa4af50b8de876b555c9a0b2b0dae01261847f63e1e0cac2d032530bf19d5da60a04dfe22ce6343f60defbb94ccf0bdf010f89a4029720\n\n# b^m = 1\nResult = PossiblyPrime\nW = 550fda19f97cdfbd13930911ef6e9e1cb2b7b5215a35c215d51ebffeb435642174cbe998f4451bde2d4bd2ce92ab5b9493b657f1d77d9ad4d348550247b903906109c608ecba7f88c239c76f0afc231e7f1ac1cee87b4c34448a16f7979ff4c18e65e05d5a86909615fe56587576962a2cb3ba467d9806445a0f039907601af77ba7d07578eff612364fbcac11d35e243734aa6d",
"9a6cdcf912a2dd0a12ba7e87\nB = 4e2a47cf67c3331b1e9976f583f6339cf76a8d48682d01355c25b2aed90c5544e737ecfa849c17d27a64fad7e659ef48df9a3ac0410e5c7ca8d087fc3a3ba23e5a3f000be009fcc8227ead28158c5b5d66f2efb47111638ef61cea4984de42fbd476bc2236ad02154d3ce85805c45e49d16b496e313a4052a37d4b88a3b13e598d2074a3e36a37e90278601f2b2305e034f9bf3aea8e939c3ba274e8ff4d8a14\n\n# b^m = 1\nResult = PossiblyPrime\nW = 550fda19f97cdfbd13930911ef6e9e1cb2b7b5215a35c215d51ebffeb435642174cbe998f4451bde2d4bd2ce92ab5b9493b657f1d77d9ad4d348550247b903906109c608ecba7f88c239c76f0afc231e7f1ac1cee87b4c34448a16f7979ff4c18e65e05d5a86909615fe56587576962a2cb3ba467d9806445a0f039907601af77ba7d07578eff612364fbcac11d35e243734aa6d9a6cdcf912a2dd0a12ba7e87\nB = 2455c4ab826e2ae72708a8ff51348ce4821cb86fa89e298c751c1754211c63b2e9a712d40f0235f310606fcf296726a86973f19f890d571f5b90f026e8d24d07bc0478a3c1333171587387f1f7fe4a770b593216f2743318aabacb3320c40a4e52b9f409e1176fe8db099e93a7991eb8568168e2e486fa5aa228bb1dce9df3290ef13fd21c331479bb0f8b7a7e7f03c5211ae8cc46fa4d0f46e86b2dadeddd5b\n\n# End of iteration\nResult = Composite\nW = 550fda19f97cdfbd13930911ef6e9e1cb2b7b5215a35c215d51ebffeb435642174cbe998f4451bde2d4bd2ce92ab5b9493b657f1d77d9ad4d348550247b903906109c608ecba7f88c239c76f0afc231e7f1ac1cee87b4c34448a16f7979ff4c18e65e05d5a86909615fe56587576962a2cb3ba467d9806445a0f039907601af77ba7d07578eff612364fbcac11d35e243734aa6d9a6cdcf912a2dd0a12ba7e87\nB = 9951c2c02dd7deedce29bd0c78dd80066b1d69c0e6fe4a17f7d03c6a640d866d01fc8214bafb6737efd93d80a35b8993f5367ce287459b07954e9771ffbc72ccdd812d26a9bf4be0292a24eb5c3b56f09619b1c1b481f7566f7e50e65f69f5feb591bd107fec72a783429dbde6e2607f3db2c58d4b070a45b4d6b43537e19942ce890b04ae1e91069c04a96ed03ddb2f4fc456f136b98102c70a15700dbd911\n\n# End of iteration\nResult = Composite\nW = 550fda19f97cdfbd13930911ef6e9e1cb2b7b5215a35c215d51ebffeb435642174cbe998f4451bde2d4bd2ce92ab5b9493b657f1d77d9ad4d348550247b903906109c608ecba7f88c239c76f0afc231e7f1ac1cee87b4c34448a16f7979ff4c18e65e05d5a86909615fe56587576962a2cb3ba467d9806445a0f039907601af77ba7d07578eff612364fbcac11d35e243734aa6d9a6cdcf912a2dd0a12ba7e87\nB = 4cb8217d229d5f95f6d94807a99363823655d6bba6bdafa4f0dbfe7a5c538aa79c918710aad4f55caaee5ab405ebdcef29dfb76cae99fca8d5a955b6315f71a3cb2d69a217ff45aed66ba87cdc5c0de5d512c6dd12e641e9fe6a2557dd2f03bf3a18650ff139efa179f0fbe69cbb4b54e50d13177bfe7bb90de36b548d5ccfef74b05d3c08a7e2a3bb4dc8d7eb338a7a1b068c433ea204d171eda5e7c6b6722c\n",
};
+static const size_t kLen38 = 41961;
+
+static const char *kData38[] = {
+ "# This file has been modified to remove the 65536-byte long inputs.\r\n\r\n# CAVS 11.0\r\n# CMACVer information \r\n# Algorithms tested:Alg = TDES KeySize = 3 Mode = Verify \r\n# Generated on Tue Mar 15 08:40:47 2011\r\n\r\n\r\nCount = 0\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 1\r\nKey1 = 3bb96170d5df4cce\r\nKey2 = 25d5daa22a982f08\r\nKey3 = 52f4a110dcdc9e45\r\nMsg = 00\r\nMac = 96\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 1\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 1\r\nKey1 = 9413d38685688f58\r\nKey2 = dc38b6b3cef125f1\r\nKey3 = 5b61f4f7a1c46ed6\r\nMsg = 00\r\nMac = fc\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 2\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 1\r\nKey1 = 101a2f13fbb69473\r\nKey2 = 76fb98f24073f4d5\r\nKey3 = 2ca2706d76d00b67\r\nMsg = 00\r\nMac = 53\r\nResult = P\r\n\r\nCount = 3\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 1\r\nKey1 = 2f8a238552c1e367\r\nKey2 = f8131f1c26ab3289\r\nKey3 = 83d5b6ba253bea31\r\nMsg = 00\r\nMac = 95\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 4\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 1\r\nKey1 = c1bafb5dc7100758\r\nKey2 = e9ef047a58b5ba89\r\nKey3 = 76cb4fb55ebcc1c7\r\nMsg = 00\r\nMac = f4\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 5\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 1\r\nKey1 = c82c29f1cb5851b6\r\nKey2 = 8b5b45dcbf0d8079\r\nKey3 = e6407057ae34ec0b\r\nMsg = 00\r\nMac = 03\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 6\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 1\r\nKey1 = 6b455116f4f883d5\r\nKey2 = a81a206d25152aab\r\nKey3 = 86dc07b607202abc\r\nMsg = 00\r\nMac = 75\r\nResult = P\r\n\r\nCount = 7\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 1\r\nKey1 = c873d5bc4598d0b0\r\nKey2 = 1c1523cb4f794c8a\r\nKey3 = cedf6797d523dcab\r\nMsg = 00\r\nMac = 2e\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 8\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 1\r\nKey1 = 45ce943bd31fe9b5\r\nKey2 = 677cc47c13c24923\r\nKey3 = 6b2086f14934838a\r\nMsg = 00\r\nMac = 01\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 9\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 1\r\nKey1 = 804f9ef7baf7dfc7\r\nKey2 = 9bb6494cb60b8c07\r\nKey3 = 2080fe52e0d3943d\r\nMsg = 00\r\nMac = c3\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 10\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 1\r\nKey1 = 73c10b833e1043ab\r\nKey2 = 16dcd343645d5207\r\nKey3 = 6426f7f88c3473c8\r\nMsg = 00\r\nMac = 8b\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 11\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 1\r\nKey1 = 310d54d96bc73452\r\nKey2 = bae34f158ceafb04\r\nKey3 = 4651c1b53de3da26\r\nMsg = 00\r\nMac = ce\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 12\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 1\r\nKey1 = 0e3d49d0e692f20e\r\nKey2 = a9cd384a3b688c0e\r\nKey3 = 584ae5f794f8fe7f\r\nMsg = 00\r\nMac = 4b\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 13\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 1\r\nKey1 = b0fda857ea402f0b\r\nKey2 = d567e9f48568f1e0\r\nKey3 = 0ec2ad452a547a91\r\nMsg = 00\r\nMac = 04\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 14\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 1\r\nKey1 = 1ac1543b1591f270\r\nKey2 = dcda0e9870b9d949\r\nKey3 = 68ea9b1c4380ae9e\r\nMsg = 00\r\nMac = 43\r\nResult = P\r\n\r\nCount = 15\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 1\r\nKey1 = d0b008aea4454551\r\nKey2 = 9234a7731ab610b5\r\nKey3 = 2fb97a8ffbaedae6\r\nMsg = 00\r\nMac = 4c\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 16\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 1\r\nKey1 = 04793b0b0e976d0b\r\nKey2 = bf493e58fb73681f\r\nKey3 = 1f54a262d649b985\r\nMsg = 00\r\nMac = 77\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 17\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 1\r\nKey1 = 043b759b578ae570\r\nKey2 = 5e522f19cb9de092\r\nKey3 = 2af2e90eb6dcc1fd\r\nMsg = 00\r\nMac = 77\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 18\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 1\r\nKey1 = e58520088910513d\r\nKey2 = 7c10196e1a310dd5\r\nKey3 = 5b043b2a1ab97f85\r\nMsg = 00\r\nMac = 1c\r\nResult = P\r\n\r\nCount = 19\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 1\r\nKey1 = f27fd0f189452c15\r\nKey2 = 04681651014916ab\r\nKey3 = 204046aeeffecd15\r\nMsg = 00\r\nMac = 0b\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 20\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 8\r\nKey1 = 860864a710ab0475\r\nKey2 = b9205751bfd91f7f\r\nKey3 = 3bf72abf13d97640\r\nMsg = 00\r\nMac = e890abe6ea126215\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 21\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 8\r\nKey1 = a7a1d57aabf1137c\r\nKey2 = fd0df2e35b8cdf2a\r\nKey3 = b386755bc2ab3d9d\r\nMsg = 00\r\nMac = f475587c2101eff2\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 22\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 8\r\nKey1 = c2c28a4c7698804c\r\nKey2 = ab25b53783dc0419\r\nKey3 = ab16341f4cead054\r\nMsg = 00\r\nMac = d335575aa3a4d8af\r\nResult = P\r\n\r\nCount = 23\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 8\r\nKey1 = 7594a7aed3e986ba\r\nKey2 = 52a280e662d9e9da\r\nKey3 = 7649d3ad6838f2c2\r\nMsg = 00\r\nMac = 0e109f43557f250f\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 24\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 8\r\nKey1 = 0798d9ef158cd698\r\nKey2 = fff4ade09b169762\r\nKey3 = 5b6e6849ec2c238a\r\nMsg = 00\r\nMac = 05af623529b168a9\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 25\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 8\r\nKey1 = 254991cb4af76dc8\r\nKey2 = 2cf2e915918a025b\r\nKey3 = 2c61bfaee69b2676\r\nMsg = 00\r\nMac = 725ab7a770762894\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 26\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 8\r\nKey1 = 9f68cbbf3bb5b3da\r\nKey2 = 31adb5a46e2cc8e3\r\nKey3 = f86ed9eaabb625da\r\nMsg = 00\r\nMac = 0422d94f874dda7e\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 27\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 8\r\nKey1 = 1fd51f70a77ac8e9\r\nKey2 = 5dd9986e974c08ec\r\nKey3 = fd61ce34a75279f7\r\nMsg = 00\r\nMac = a163a5d269b3cc3e\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 28\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 8\r\nKey1 = 078c57d6df9ba1d5\r\nKey2 = 08d94ac1b3d3c183\r\nKey3 = e90bf4fe7973c2c7\r\nMsg = 00\r\nMac = 9af3f01e20dc7c1e\r\nResult = P\r\n\r\nCount = 29\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 8\r\nKey1 = 08df322f040e7c01\r\nKey2 = e92343e69d83eac7\r\nKey3 = fe94c1ec0da22c1a\r\nMsg = 00\r\nMac = 3d88c20a4f828c5b\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 30\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 8\r\nKey1 = b2ecf41c8692c2b0\r\nKey2 = 8ff18c1f1f296454\r\nKey3 = 383dcbc4a28c7629\r\nMsg = 00\r\nMac = 17241dc726fa4c56\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 31\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 8\r\nKey1 = 07d99d58f2ec1fd5\r\nKey2 = ea46c73bf4b60ed0\r\nKey3 = f20ec149c831aecb\r\nMsg = 00\r\nMac = f6a8a0b536fd97d3\r\nResult = P\r\n\r\nCount = 32\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 8\r\nKey1 = 3dfdc19426fbd56d\r\nKey2 = b03b7985b32af857\r\nKey3 = a807c7b3621ffdda\r\nMsg = 00\r\nMac = 3ef9b263ae1df460\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 33\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 8\r\nKey1 = fbc79bab46b97923\r\nKey2 = ece6da4c40f1e6e9\r\nKey3 = eaa76770ef517a40\r\nMsg = 00\r\nMac = b2da3efa7fc64abe\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 34\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 8\r\nKey1 = 5ba4a1d5a80db5ef\r\nKey2 = 7ce6aeb9261cb00b\r\nKey3 = 8a5df23ea445e0c8\r\nMsg = 00\r\nMac = 51b2e75334d90889\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 35\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 8\r\nKey1 = e9c494e001027c86\r\nKey2 = c4649e58ea251904\r\nKey3 = 8025343dec34409e\r\nMsg = 00\r\nMac = 166123f1c59132a3\r\nResult = P\r\n\r\nCount = 36\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 8\r\nKey1 = 6bce61e646452a46\r\nKey2 = 54ba8a020d0876fb\r\nKey3 = 34ea2f6149bad664\r\nMsg = 00\r\nMac = b0d0f625f06f2a3a\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 37\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 8\r\nKey1 = 2f38f79bc8e0ea4a\r\nKey2 = d09876f22ca43e10\r\nKey3 = 3b8fab02299d328c\r\nMsg = 00\r\nMac = b26d377a504b8985\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 38\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 8\r\nKey1 = 51febf790815f1d0\r\nKey2 = 9152d5e32f6713fb\r\nKey3 = 4a40c2c8fdb9f2b5\r\nMsg = 00\r\nMac = a27978e62026743b\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 39\r\nKlen = 3 \r\nMlen = 0\r\nTlen = 8\r\nKey1 = 10ba8fd6256ee9a4\r\nKey2 = fa8332a46ead52ab\r\nKey3 = b0e06e1fef04abb5\r\nMsg = 00\r\nMac = e1b0a228c142555c\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 40\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 1\r\nKey1 = f2fbab6734769e9b\r\nKey2 = ab45910e5775ab0d\r\nKey3 = 5bd5ea0db015a89e\r\nMsg = 7efeb7d4d14b3f2b3df4b8a276b18b49\r\nMac = 5c\r\nResult = P\r\n\r\nCount = 41\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 1\r\nKey1 = 5bc776ba64adf4ea\r\nKey2 = 195e04987c62a4f2\r\nKey3 = c1642fdc1a31705d\r\nMsg = d1fb4f35914404af9df3bf5c368c0e69\r\nMac = 4d\r\nResult = F (1 - Message changed)\r\n\r\nCount = 42\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 1\r\nKey1 = b67c57f770202c6e\r\nKey2 = e91f4fb361bcae37\r\nKey3 = ada8d3df4fbcf4b9\r\nMsg = 9800db878187c87ea05bf92054b0e3e3\r\nMac = 8b\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 43\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 1\r\nKey1 = ce0bc48002fe7602\r\nKey2 = e702abe31c7a2313\r\nKey3 = d61964867f2579da\r\nMsg = 704e4e75be1623b21332c14555bf5edc\r\nMac = b0\r\nResult = F (2 - Key or Key2 changed",
+ ")\r\n\r\nCount = 44\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 1\r\nKey1 = ad75e32cc11980f2\r\nKey2 = d0570429680e9486\r\nKey3 = c2379207f862dcfd\r\nMsg = 197de855b3962b1fdad687f9c4f1efd6\r\nMac = 44\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 45\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 1\r\nKey1 = 9db504803d29f126\r\nKey2 = 07fe58b3da765bad\r\nKey3 = 6dc489516e9bb5f8\r\nMsg = 8f296b265fa575d146799f9e39d52965\r\nMac = 14\r\nResult = P\r\n\r\nCount = 46\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 1\r\nKey1 = 991f0ed04079293d\r\nKey2 = 57077ff1baecd907\r\nKey3 = dcc7a719c4372967\r\nMsg = d9cfcc67520c5b2ceeb622c694a8e3fe\r\nMac = a3\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 47\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 1\r\nKey1 = eca815d6b0371cf1\r\nKey2 = 597980cdb6c892df\r\nKey3 = 3dba0ed3ba16ae1c\r\nMsg = a03636db2fdc84722aeb9d98a6ed70d0\r\nMac = 78\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 48\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 1\r\nKey1 = ea80a43d5886dfef\r\nKey2 = 08bf4f76a8893732\r\nKey3 = 4557a13752d6730d\r\nMsg = 0371a63ad722523ef297d8399b124593\r\nMac = be\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 49\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 1\r\nKey1 = e9fe73e640808c02\r\nKey2 = 9be6986446012091\r\nKey3 = 707023615462a40e\r\nMsg = 83bcb484dca73d49ac234ece3a5d2ad3\r\nMac = d6\r\nResult = F (1 - Message changed)\r\n\r\nCount = 50\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 1\r\nKey1 = 1fe9800ecb0dd9f1\r\nKey2 = dbbc6bc72c794c23\r\nKey3 = 899b08469b6bc8b5\r\nMsg = 95f4a41c4c64cd7310fba748aa267a14\r\nMac = 59\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 51\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 1\r\nKey1 = 34546261a21c1c43\r\nKey2 = 0449eaeca4f29725\r\nKey3 = 4cc4e6525186802f\r\nMsg = d204de1e671d3e43670dd67fee114402\r\nMac = 6e\r\nResult = F (1 - Message changed)\r\n\r\nCount = 52\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 1\r\nKey1 = 048aa8701fb5fe26\r\nKey2 = d56bd53d83e60bd9\r\nKey3 = 6707d6523ebc32f4\r\nMsg = f4e9f92fd2c9313fb61a889eaa4ff283\r\nMac = d5\r\nResult = P\r\n\r\nCount = 53\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 1\r\nKey1 = 6ec19b02976e5ba2\r\nKey2 = 13540732d997c2b6\r\nKey3 = 7f4068926183251c\r\nMsg = 963363ab7c82b634974954bd0fe2c307\r\nMac = d7\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 54\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 1\r\nKey1 = f4ecea5d32e32c6e\r\nKey2 = 385710cd3eb0fe51\r\nKey3 = 5d4c8f7ccdf10154\r\nMsg = a298857dc60ad2f0a8fa878607b50c18\r\nMac = 4c\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 55\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 1\r\nKey1 = b31ff49dd970f8e9\r\nKey2 = 164aefb00efb5461\r\nKey3 = 981629757f4532dc\r\nMsg = fc3957b2ed0558bce61d478be615b774\r\nMac = 90\r\nResult = P\r\n\r\nCount = 56\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 1\r\nKey1 = 85384543d3aef157\r\nKey2 = 57ea916d9b2fd0c8\r\nKey3 = 1a85830473fbe6c4\r\nMsg = 87db0d9d69bc0cf69cabeb92570e482b\r\nMac = 53\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 57\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 1\r\nKey1 = 9bf8fb0b464070f8\r\nKey2 = 10ea23c7e5a19bcb\r\nKey3 = 408c236e10863e2a\r\nMsg = f9c98cd8a7d27553da946427b8276349\r\nMac = 53\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 58\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 1\r\nKey1 = 91b083e9c8e9803b\r\nKey2 = 76d0341cd54c38e5\r\nKey3 = 07bca7f44a3e76bc\r\nMsg = 7e5b64dc6bcbae6bb4496fc033947343\r\nMac = de\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 59\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 1\r\nKey1 = e6795b1ffe8f3e38\r\nKey2 = 4fdcea8c73c76e75\r\nKey3 = df0726ae4c079461\r\nMsg = 5265fb6a796d99a6beec6f71ba267b5d\r\nMac = e0\r\nResult = F (1 - Message changed)\r\n\r\nCount = 60\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 8\r\nKey1 = 375710c76202bff1\r\nKey2 = 3bb96170d5df4cce\r\nKey3 = 23d5daa22a982f08\r\nMsg = 52f5a110dddc9f44f8a534eef9df0b22\r\nMac = b1b9e11939228900\r\nResult = P\r\n\r\nCount = 61\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 8\r\nKey1 = b59b855dce76adf4\r\nKey2 = be9bae10fe34fb1c\r\nKey3 = 0d49159bf804a4ea\r\nMsg = 869f3b62ee78bfeb5287168eacf69ccb\r\nMac = 169a389352793c8b\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 62\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 8\r\nKey1 = 615d792a7038fd89\r\nKey2 = 98ce972f016e75a8\r\nKey3 = c470255783b32f01\r\nMsg = e5aed6715aa4291f9c32baf6b8449b53\r\nMac = 73ac2da999bfdf5d\r\nResult = F (1 - Message changed)\r\n\r\nCount = 63\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 8\r\nKey1 = 1fb09443a1074564\r\nKey2 = 3d1aa82c086eba13\r\nKey3 = c137d0f4ea54d604\r\nMsg = 16f02efd285381d7657ca5cd99d9e25b\r\nMac = 38126d16957893ce\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 64\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 8\r\nKey1 = 2e5d163461fea761\r\nKey2 = 9173bf75372fb640\r\nKey3 = 9e3d1c3dcdbfbc31\r\nMsg = b10fcb03443302ae929ff95a17b025fa\r\nMac = b70f2d761ca643c9\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 65\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 8\r\nKey1 = b9e5861c1c4013d3\r\nKey2 = d554806efd3801a1\r\nKey3 = 64d9bc3d646e76dc\r\nMsg = 0e6c9fced82669cffe7b5a6f09dceec8\r\nMac = 78ce4635e486635a\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 66\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 8\r\nKey1 = ad2376516b974c70\r\nKey2 = cd3b5870c2312929\r\nKey3 = 1a731a7feacbf783\r\nMsg = 88eb7a0379da9d113343dc1fe0f3e6f7\r\nMac = 0c949483e7fa7d0c\r\nResult = F (1 - Message changed)\r\n\r\nCount = 67\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 8\r\nKey1 = 9ada194c100eeacb\r\nKey2 = da23ad9825c194d0\r\nKey3 = 3ef1f4c438dce031\r\nMsg = 0f9703a3454c25c0b1053de62b0ffc5b\r\nMac = c78a4ca3662527e5\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 68\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 8\r\nKey1 = e375f870f4d55b02\r\nKey2 = 1b015791e3e337b3\r\nKey3 = 370dc45b15671c5b\r\nMsg = 5ad9dd3b112ea4cee1654d2dfabab01e\r\nMac = 22becbbe7bfcade5\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 69\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 8\r\nKey1 = d61f4aeff4b5f2f8\r\nKey2 = 0486b53de3ecc297\r\nKey3 = 807fe92fc2fed376\r\nMsg = d094cf77a709c0fa5d6b4b7e9e86a2c2\r\nMac = 947d024d9d5359a8\r\nResult = P\r\n\r\nCount = 70\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 8\r\nKey1 = c2c28a4c7698804c\r\nKey2 = ab25b53783dc0419\r\nKey3 = ab16341f4cead054\r\nMsg = 7295a7aed3e987baef19ad68c33ba5a5\r\nMac = 58de82acc10d556f\r\nResult = P\r\n\r\nCount = 71\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 8\r\nKey1 = f1ce4992c851e3a8\r\nKey2 = 835ec1abef97f2c8\r\nKey3 = 5b92384f20dcc2ad\r\nMsg = 9094935fcd7c389dd17b5b121cddadf9\r\nMac = 319c70370c172de3\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 72\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 8\r\nKey1 = c16ebcc1165d6892\r\nKey2 = 75268c4602f8c8bf\r\nKey3 = dab97f79544cf1cd\r\nMsg = b7ba1c66282cb6092ba601407ff9578a\r\nMac = d73c26311bd44a32\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 73\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 8\r\nKey1 = fe4a796720a46dbc\r\nKey2 = 98f45289e9f8b080\r\nKey3 = e05def5b25520d43\r\nMsg = 31c9eed491bb0cda9b8c0eb5afa31019\r\nMac = 8c2ce22633c62751\r\nResult = F (1 - Message changed)\r\n\r\nCount = 74\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 8\r\nKey1 = eefb40c715c4546d\r\nKey2 = 5b2325c8d9daa48a\r\nKey3 = d5ec4a6bc82a7a62\r\nMsg = 5a97259dfa081f040d3893da2f231ca3\r\nMac = a64113544f509be8\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 75\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 8\r\nKey1 = 0d0851311ca45db0\r\nKey2 = 3d7c458957c8c408\r\nKey3 = 98d37c9d51ab2f25\r\nMsg = 8be16380af3e2dbc6cf678c2e3331335\r\nMac = 8817baeaa909e33a\r\nResult = P\r\n\r\nCount = 76\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 8\r\nKey1 = b7239438d61cd626\r\nKey2 = 082c6404cb3897b5\r\nKey3 = c4c732cdd5e043c2\r\nMsg = 7120f19169e7cbb913c7d1f0ceb006c0\r\nMac = 32841ad7621cc0fc\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 77\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 8\r\nKey1 = 73f449ef83df75e9\r\nKey2 = 5f3d2016bfd0703b\r\nKey3 = 31abc16b58b64af4\r\nMsg = 83ecbfcff3bc37f1305d83bc0290350c\r\nMac = 8f8ba8bfc74203fa\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 78\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 8\r\nKey1 = 9b6ea461c7b9abe6\r\nKey2 = 4a08dcdc5b9e01fe\r\nKey3 = 6b850e9b6ebae9d6\r\nMsg = c538416fba487fac5c94449d0757f3e9\r\nMac = c13f372e9a061db8\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 79\r\nKlen = 3 \r\nMlen = 16\r\nTlen = 8\r\nKey1 = c7aeeacb156dfbfb\r\nKey2 = ba43ef516232a7d3\r\nKey3 = 2c572aea62808c68\r\nMsg = a1bc9950759d0df4cffaf29345dfb340\r\nMac = d7dad4519b56a1eb\r\nResult = F (1 - Message changed)\r\n\r\nCount = 80\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 1\r\nKey1 = cda4d34370234946\r\nKey2 = c408ea6bec07c78c\r\nKey3 = 19eff7f798fd6808\r\nMsg = d1fb0b68176269cf9fda18bf13efc054f0c24fd042b9e2ecaf75e86cb60484f6\r\nMac = d8\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 81\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 1\r\nKey1 = 02100be5627686a8\r\nKey2 = 7f0b38ec073e75ef\r\nKey3 = 373b1a64ba5416d9\r\nMsg = c60be37fb0bda4f46894690b3344643c772fbd2237db348adaa407ca2eae1654\r\nMac = fb\r\nResult = F (1 - Message changed)\r\n\r\nCount = 82\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 1\r\nKey1 = 7597571a6e7c6bc8\r\nKey2 = c143a2a461626b1a\r\nKey3 = 6b1307d910434cc7\r\nMsg = 49cb128641f7952dfdf34f338da268b2ef1482557b593e",
+ "c57f930164264ff83e\r\nMac = 90\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 83\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 1\r\nKey1 = ae89ad615201546b\r\nKey2 = ae20765745458fce\r\nKey3 = efd0867fba43dcb0\r\nMsg = e47d8659c9ad94971adedd6bce744206e1cfb65d042b942d93c4363cc73ec3e3\r\nMac = 95\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 84\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 1\r\nKey1 = b65886f13d6e8c4a\r\nKey2 = 0708e0b0730473a8\r\nKey3 = d04f2a86dc0b9e7a\r\nMsg = b97c12251d91512fe7b3a349a982409c7412f39494d970e77acbe9d3fac3dca7\r\nMac = 05\r\nResult = P\r\n\r\nCount = 85\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 1\r\nKey1 = 3197a4a26261588a\r\nKey2 = 0dc4a75ec8b99b58\r\nKey3 = efb93e7620205289\r\nMsg = 65f4b3a00c1c1ef39445a69b2150b034705410140ff9dad0ce21740271cef04a\r\nMac = 57\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 86\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 1\r\nKey1 = 62c4a16e946b4313\r\nKey2 = d09ea80e7fb33449\r\nKey3 = 164fdc04c2d5f116\r\nMsg = 898e824fdc89f21779156a9e58564c4b99004b95226c2ebb8aebd0b5365a6c6a\r\nMac = 93\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 87\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 1\r\nKey1 = 6eeff20d3d5d5223\r\nKey2 = 258076b313611c1c\r\nKey3 = b013b957f70d9e62\r\nMsg = 2d7fec1a1e9ee85cf960e5dc4e239619ed85f4b14d32cbd42dfa79f77a27f2cd\r\nMac = 0a\r\nResult = F (1 - Message changed)\r\n\r\nCount = 88\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 1\r\nKey1 = 193e23e6fd8aa185\r\nKey2 = 1910cbdc549da804\r\nKey3 = 6b769b4923523425\r\nMsg = bd65798a1d02ab164e2d31b1387e505874779539046820bd429043c617854c36\r\nMac = d3\r\nResult = P\r\n\r\nCount = 89\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 1\r\nKey1 = 150789ab37ef2ce9\r\nKey2 = 10cdf45dad9ed9e5\r\nKey3 = f475fd3e153898fe\r\nMsg = 044dd73a7d1ef37a437c09e9268708c82ebad189dc1e989ab3bd8d7ff75abc23\r\nMac = e4\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 90\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 1\r\nKey1 = 48d9d08a6bdcc4f8\r\nKey2 = 1383641c08735d0e\r\nKey3 = 374a89c8cb73a7f4\r\nMsg = d62fb84f2a2442b52acf817d7f067edca031970bea092c35f29f9a931aa06dd6\r\nMac = 26\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 91\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 1\r\nKey1 = 68f4620da8b00201\r\nKey2 = df1c8362345180d3\r\nKey3 = 26abda897f89d90d\r\nMsg = 0ac3f7f22d24b64aa584845d3a990bb69e5d2d4650640056c16c17c0b636045f\r\nMac = f9\r\nResult = P\r\n\r\nCount = 92\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 1\r\nKey1 = 1c259df7492361b6\r\nKey2 = cd4acdb65b3e5b1c\r\nKey3 = 3b01addc2579ef64\r\nMsg = 607f4730a5ea9dabfbcd8586f680c3021c7ebc858e73354beb975d58713b0eb1\r\nMac = fa\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 93\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 1\r\nKey1 = f18a9dba9db5dff1\r\nKey2 = d5987013a4b69e38\r\nKey3 = dc16e0ce1351e3f4\r\nMsg = bfe99e184a7d7bf0b4ade8f402f2c49aa4948e74b2d5c905756ba5d32934dbbd\r\nMac = e4\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 94\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 1\r\nKey1 = 8361bac48afb1091\r\nKey2 = da85400d107fbf8f\r\nKey3 = 31ec732cc29d7045\r\nMsg = 3a1ee70d4607325c13bff68e402e0a72742f6a63ae972c6dda74b6b2a3922f0c\r\nMac = 0e\r\nResult = F (1 - Message changed)\r\n\r\nCount = 95\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 1\r\nKey1 = d0df1adf1cf72032\r\nKey2 = 1504d564ec1aea61\r\nKey3 = c42fada45d80a43e\r\nMsg = 3a53d9c7ae59e7811699fb0973e43256ed92162267c7ca4b57f5887ad5a24e02\r\nMac = 8a\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 96\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 1\r\nKey1 = 973bfe5b3be573da\r\nKey2 = 94b3ec7f343e46ab\r\nKey3 = dcaeabc8df405db6\r\nMsg = c8437dba76591a9031b3aa3b59fec0562d4eac439ca8efca57c3f2022b0ff775\r\nMac = 53\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 97\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 1\r\nKey1 = bc89867c43a74640\r\nKey2 = df347fb319464c80\r\nKey3 = fd92108a266bcdcd\r\nMsg = 1c9898ede16139560519e808ee9ddaf710a5bab30f54ed98230d1a44c189ea4f\r\nMac = f6\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 98\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 1\r\nKey1 = fde925e301897f67\r\nKey2 = 54b3ab80f815df15\r\nKey3 = dc58928aa286c8e5\r\nMsg = b34f898d98a3aa0fa022b1b1d76953a5b3ecc88d60f2c79b59e1b1f636bc0d60\r\nMac = 0f\r\nResult = F (1 - Message changed)\r\n\r\nCount = 99\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 1\r\nKey1 = 8a704ffe43e951f8\r\nKey2 = 2346dc8501202a40\r\nKey3 = d67afed616230113\r\nMsg = b2b4cb5e90ebf4bd265093b7f5efd4d62dc60e29737aa496e14929724e40c74f\r\nMac = df\r\nResult = P\r\n\r\nCount = 100\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 8\r\nKey1 = 8c1f29f440f7f8b5\r\nKey2 = 5b45fe8f1f688661\r\nKey3 = ba40f43d9e7cc86b\r\nMsg = 220817144a15a0a654fc1beaabce60270aa72df83591754ee7a5fbb40b7420d7\r\nMac = 80ac51c2ef7bd5d7\r\nResult = P\r\n\r\nCount = 101\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 8\r\nKey1 = d66e76d97f94ea16\r\nKey2 = f15e3ed06dd94598\r\nKey3 = ae073d1a6e5bc819\r\nMsg = 233d547ab33790859ab0dbc7a93f3bbebb610bed9acbfbce1fff580e9a1e8ef9\r\nMac = 4cb8ce681e4bc7c8\r\nResult = F (1 - Message changed)\r\n\r\nCount = 102\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 8\r\nKey1 = 0437836df770e943\r\nKey2 = c96e2c43bffd5298\r\nKey3 = 8552fbc16215e0c4\r\nMsg = 4f87d730bdfc7a7c72525c6b26ee9cae9a219b30d9575fedbd913a07b615a616\r\nMac = ea79cbc28f4264db\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 103\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 8\r\nKey1 = d849ba8570b6ef9d\r\nKey2 = f1405732aeb61f92\r\nKey3 = 73c8e51ff167f857\r\nMsg = fd03202d0bd109b6e4299c7390c1407cd21ffb110013e6381185dea8f8707de6\r\nMac = 71070b17d05dabef\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 104\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 8\r\nKey1 = 914cef7ab6d998dc\r\nKey2 = a767abc18cf485e9\r\nKey3 = a2624ff20b2a408a\r\nMsg = bc5ce4c0bf3ad1a93e5306c9d7dbb620dde8708efe84e78c2200f41a958cdef8\r\nMac = 3cf4aaf3d337c9c8\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 105\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 8\r\nKey1 = 757f52e626eabce0\r\nKey2 = 700d91f14554bcb0\r\nKey3 = 548640d0dfaec2ab\r\nMsg = 22a4cf581584346095783be0982744c6201ff040760f868ab63895058d1edb88\r\nMac = b008b1150535ef11\r\nResult = F (1 - Message changed)\r\n\r\nCount = 106\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 8\r\nKey1 = d65d0e58d3133b34\r\nKey2 = 289e58704994a249\r\nKey3 = e3df20ae3d585e2f\r\nMsg = 94c8414cbbec52e2d73bb8f02ef687c91432495c0c744666317d02e6d46706d2\r\nMac = b1292e1c7074dcfc\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 107\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 8\r\nKey1 = d77a4989f4a17f2a\r\nKey2 = 409d91d51fa4d045\r\nKey3 = 6bb652ea1526fd4f\r\nMsg = 7a08ce579ae7af8004421cff72715e0b137da81f47d8f84da34c3ed53c32c0f6\r\nMac = 8b3cb70477ca7ca8\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 108\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 8\r\nKey1 = e670c17519d9c2f2\r\nKey2 = dcc8a132629b462f\r\nKey3 = 58c1d52543ad570d\r\nMsg = a6dbad96ad23ff61479df39b99f0673a09f2a7eaebbd34b95d05c4146fa989f2\r\nMac = c470ec40599a0a11\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 109\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 8\r\nKey1 = 290d292a15b6268a\r\nKey2 = 2638d9ad83ad1f34\r\nKey3 = a7d9ba62735dc2d3\r\nMsg = ef995cbfc49b0ebccdbd37d9f40a431c385d33d4b8234d7f0d6211eaddfb709a\r\nMac = 67ae62fb8142bd8b\r\nResult = P\r\n\r\nCount = 110\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 8\r\nKey1 = 4faba73bcd5b5dfe\r\nKey2 = 1c97ea85207a97a7\r\nKey3 = 19eff116100dc82f\r\nMsg = c48e53c6956432460584c7ee1577c1c38b7fae2ff288199be25bf64081154139\r\nMac = d68a4558e95a67e4\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 111\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 8\r\nKey1 = d37c3dbc2f68baba\r\nKey2 = 918cb5e39237e016\r\nKey3 = f286b0739d38c4fb\r\nMsg = 2533361761ac80578fa262a50462045e3ec6e4d5d25c6e99a5c4ccf75f5affc0\r\nMac = c20f36e67732f864\r\nResult = P\r\n\r\nCount = 112\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 8\r\nKey1 = a0baa71c38d6d064\r\nKey2 = 8f58ba45cb494ab9\r\nKey3 = 853decc431f7b3cd\r\nMsg = 20e394c7cc90bdfa6186fc1ba6fff158dfc690e24ba4c9fbf11b68519d573a8a\r\nMac = 4ba956b98a99d7bf\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 113\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 8\r\nKey1 = b69752407c68b6bf\r\nKey2 = 8fceb05201ec4320\r\nKey3 = 2a755e372373ef26\r\nMsg = e884d65c87411584a56956d5b27ca9725b473c205b64cff09400671f5ee0473a\r\nMac = 9f3de5e8cddc374d\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 114\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 8\r\nKey1 = 8c04e0f27f83b0ec\r\nKey2 = 042cfb6883348fe6\r\nKey3 = 404f5dfe587ab591\r\nMsg = 8a34cd562b111fe04fa0bf5e004faedaef99d0bab9344d966c8b3847486e6f40\r\nMac = 6c530215fb25015b\r\nResult = F (1 - Message changed)\r\n\r\nCount = 115\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 8\r\nKey1 = 429401ea49cd97b0\r\nKey2 = a8f1b6b63101cee0\r\nKey3 = 20bcd08c5d16e049\r\nMsg = 591d88123fc9a786b247e8d5ce155f136d6fe4084117c41f2056b67f9e3e1077\r\nMac = 6c414640b424cf56\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 116\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 8\r\nKey1 = c470255783b32f01\r\nKey2 = e3aed6705ba4291f\r\nKey3 = 7319100e54f432d3\r\nMsg = 01acc3282fe41b62f95f5dbfb7e7bfef694c5fe34ca87d31abe7e7bbf887b48c\r",
+ "\nMac = cd99df4814667454\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 117\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 8\r\nKey1 = 73c10b833e1043ab\r\nKey2 = 18dcd343645d5207\r\nKey3 = 6426f7f88c3473c8\r\nMsg = 068e4a0b1a62dd64198f1b9ece814c2feeeee50ba814b70d7d42659952991b80\r\nMac = 1fc90834b7dd090b\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 118\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 8\r\nKey1 = 37eae98ff42afb25\r\nKey2 = f2231c028c29da9d\r\nKey3 = ef3da8d0c77fbf45\r\nMsg = f266cec01c5fc08c0bdabc9537bd1aa2df9f2b8ffbe5cc94722a3bca8de529ea\r\nMac = b3809c8b0eb9dd8d\r\nResult = P\r\n\r\nCount = 119\r\nKlen = 3 \r\nMlen = 32\r\nTlen = 8\r\nKey1 = 1358fb67155e0145\r\nKey2 = d02c54a1206b5d7f\r\nKey3 = 1c04ba46c74a5d49\r\nMsg = e38b4c3e7a82643beb3192426555ad9c9b2620d677373fc40c9ddbc4cd531347\r\nMac = b000e2ea1ef48a8f\r\nResult = F (1 - Message changed)\r\n\r\nCount = 120\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 1\r\nKey1 = f6b9a81067255b58\r\nKey2 = 927cfbc4cdec9285\r\nKey3 = dcd62345bfe03b92\r\nMsg = 246b66b10696adc45840\r\nMac = b4\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 121\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 1\r\nKey1 = fea186dc73d3807f\r\nKey2 = b8fec7387a197962\r\nKey3 = 4c91abe60db64ff1\r\nMsg = 8ba298364af144a8d5f3\r\nMac = a6\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 122\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 1\r\nKey1 = f264da8607ea439e\r\nKey2 = fdb9daa41fd34958\r\nKey3 = f85d6b859b9892bf\r\nMsg = 402006f6b18dbd11dcd1\r\nMac = 28\r\nResult = P\r\n\r\nCount = 123\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 1\r\nKey1 = 191c461adc4f7f4f\r\nKey2 = 75b932e68cb98cfd\r\nKey3 = cb2943857a1c9438\r\nMsg = 391deef3a9a41394d14a\r\nMac = 3c\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 124\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 1\r\nKey1 = a2c2f713430ece92\r\nKey2 = df081ae9627a1351\r\nKey3 = c1ec469ba8c73b67\r\nMsg = 37a49535684637f67573\r\nMac = 40\r\nResult = F (1 - Message changed)\r\n\r\nCount = 125\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 1\r\nKey1 = 7b61dac238ba3e83\r\nKey2 = d05e9ed34fc410ce\r\nKey3 = 98da194c100eeacb\r\nMsg = da22ad9825c195d1e297\r\nMac = 43\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 126\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 1\r\nKey1 = 13aec10d13fd37c7\r\nKey2 = 89198c3bcd38b951\r\nKey3 = ecf843cdef7397cb\r\nMsg = b7625aa78d2961c0fee6\r\nMac = f1\r\nResult = F (1 - Message changed)\r\n\r\nCount = 127\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 1\r\nKey1 = d94a68ec329d914a\r\nKey2 = 394a8acea420e952\r\nKey3 = ec04c8cb8602aec8\r\nMsg = e043f30a405c41938914\r\nMac = 6f\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 128\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 1\r\nKey1 = d5cb7579582fb6a8\r\nKey2 = e67f3ba11383d61f\r\nKey3 = da370852e9b9c2a1\r\nMsg = 7d32f440151a7069fd73\r\nMac = b7\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 129\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 1\r\nKey1 = 92402f6eb54526b3\r\nKey2 = 924515d92ad5a1d0\r\nKey3 = 9ead2adfb025f81a\r\nMsg = fd44d8d0fea5cfdf3321\r\nMac = 2f\r\nResult = P\r\n\r\nCount = 130\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 1\r\nKey1 = a9daad97ad23fe61\r\nKey2 = 32e5988a37987a38\r\nKey3 = 31626d16a780c825\r\nMsg = d6cf17192f8ad745ab5b\r\nMac = 8f\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 131\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 1\r\nKey1 = 52c457d9d5d5ab94\r\nKey2 = 9d3875ba6d75fdba\r\nKey3 = 4fb91a863d15ce52\r\nMsg = 4effbf732e67af7203b3\r\nMac = 04\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 132\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 1\r\nKey1 = 7304b65492fd0402\r\nKey2 = 62a4cb7c23708057\r\nKey3 = f2f7bf13839e01e5\r\nMsg = a630c0f362eef35b6a58\r\nMac = aa\r\nResult = P\r\n\r\nCount = 133\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 1\r\nKey1 = 51b33425a1349792\r\nKey2 = dc5b8ca440eae6ad\r\nKey3 = 70adf49dd0a8f119\r\nMsg = af246a8a810cca5e657b\r\nMac = 0b\r\nResult = F (1 - Message changed)\r\n\r\nCount = 134\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 1\r\nKey1 = f22029ce51619e0d\r\nKey2 = 9d51bcc2089785e0\r\nKey3 = 689d62621abab3b0\r\nMsg = a9c9fb632423d367b3eb\r\nMac = 0c\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 135\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 1\r\nKey1 = 1ca226d0dc8c328a\r\nKey2 = f18a9dc176621f51\r\nKey3 = 3d765d20e03b4cea\r\nMsg = f9d9fb44919e47cdeaf8\r\nMac = b0\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 136\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 1\r\nKey1 = f3ce4992c851e3a8\r\nKey2 = 835ec1abef97f2c8\r\nKey3 = 5b92384f20dcc2ad\r\nMsg = 9094935fcd7c389dd17b\r\nMac = 3c\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 137\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 1\r\nKey1 = bfd929cdd9c2089d\r\nKey2 = 8e49988abcfbf458\r\nKey3 = da73d986894fce4c\r\nMsg = 88018424fdb76c908bd6\r\nMac = 94\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 138\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 1\r\nKey1 = 57bf2ca4e3629797\r\nKey2 = ef7f675443402546\r\nKey3 = 6e4f924038f8bc92\r\nMsg = dd4f0a872f4b7089d697\r\nMac = 5b\r\nResult = F (1 - Message changed)\r\n\r\nCount = 139\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 1\r\nKey1 = ba86924908df08b3\r\nKey2 = 26b954ba52df2c98\r\nKey3 = bf38cb0e89b9f4cd\r\nMsg = a682e6fd64df4b9f4fe8\r\nMac = ea\r\nResult = P\r\n\r\nCount = 140\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 8\r\nKey1 = 52859849a4b6c1d5\r\nKey2 = 380e73c7aefb0168\r\nKey3 = c479fef80eb6260d\r\nMsg = ee6857533675b5ed8d43\r\nMac = 43fd25f696cb0693\r\nResult = F (1 - Message changed)\r\n\r\nCount = 141\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 8\r\nKey1 = 97ae01315d13ec52\r\nKey2 = c7674cc1ab0bbab3\r\nKey3 = b68fb99797b33b79\r\nMsg = ce9127f649bfff849826\r\nMac = 2dfe01d9bc07646b\r\nResult = P\r\n\r\nCount = 142\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 8\r\nKey1 = 2b257032b0d9b0b3\r\nKey2 = 49f7c10e8a9bcd37\r\nKey3 = 20f4fb4679106ddc\r\nMsg = b2c62d03902c44253368\r\nMac = 14c5ccf5f9433a0f\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 143\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 8\r\nKey1 = 0b988c3d380e5b80\r\nKey2 = b86be99162029b54\r\nKey3 = e0bc9775838a58ea\r\nMsg = 61ababff3763183c348d\r\nMac = 28a2de26aa6b4074\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 144\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 8\r\nKey1 = 26e9abbf201fe5b9\r\nKey2 = 7062a82f800d5183\r\nKey3 = cd45e654bf5d205e\r\nMsg = 020683e1f0392f4cac54\r\nMac = 6f1522d3c8186217\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 145\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 8\r\nKey1 = 3443f4016dadcd86\r\nKey2 = 235dec80323e5838\r\nKey3 = fd583285e6efbc51\r\nMsg = e64eeb89828b4297601a\r\nMac = 5575a40dba5bc4c6\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 146\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 8\r\nKey1 = 76c7616785916470\r\nKey2 = 5b3d1f10e5252fda\r\nKey3 = 75a2d632a46ea18c\r\nMsg = ac7d701597f0ba879055\r\nMac = 06b98e161e6a6754\r\nResult = P\r\n\r\nCount = 147\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 8\r\nKey1 = f12367b568a758b5\r\nKey2 = 7b2f9770924f2c0d\r\nKey3 = 1f8ad9e9b97a088a\r\nMsg = b99de8168e8c13ea4aef\r\nMac = db534a059f930ee0\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 148\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 8\r\nKey1 = f1adb67986923d8c\r\nKey2 = 02671957dcf75808\r\nKey3 = 52732ae970467019\r\nMsg = f759c3033d4ed34948d7\r\nMac = 2d9caabf50999ac6\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 149\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 8\r\nKey1 = 792f9770924f2c0d\r\nKey2 = 1f8ad9e9b97a088a\r\nKey3 = b99de9168f8c13ea\r\nMsg = 8bae64015d62f68565d1\r\nMac = a42f89527f5cb219\r\nResult = F (1 - Message changed)\r\n\r\nCount = 150\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 8\r\nKey1 = 31ec790d4a8a131c\r\nKey2 = 562c8cdc07e331d3\r\nKey3 = f4a7467043924c4f\r\nMsg = 1798286c37c1504fc0d7\r\nMac = f0d6e2f7edce6349\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 151\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 8\r\nKey1 = adb692e376a12585\r\nKey2 = 8c8c4362ea97f810\r\nKey3 = 528f204c19f21a31\r\nMsg = 6543e675d34639a7f7eb\r\nMac = fac96e6804526535\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 152\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 8\r\nKey1 = 62984a64ec7c4a92\r\nKey2 = feda64dfd9a24f9b\r\nKey3 = cbb04f7a1f26df31\r\nMsg = adb555fd5f5c6bdd9c4e\r\nMac = e8dee8714b285a00\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 153\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 8\r\nKey1 = ef0d58b55ddae95d\r\nKey2 = 80e07ca4aebcfd34\r\nKey3 = bf947ff4ab2904e5\r\nMsg = 1fe87a2f431f3718665a\r\nMac = 44a869aee76d79db\r\nResult = P\r\n\r\nCount = 154\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 8\r\nKey1 = aef4ceb55e3d37fe\r\nKey2 = bc0bb9d05bad972c\r\nKey3 = e0a29b2c7940ce9b\r\nMsg = 78ad5f3718acf9e8cc7c\r\nMac = dcc1d44200caf6f7\r\nResult = F (1 - Message changed)\r\n\r\nCount = 155\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 8\r\nKey1 = a4403438f8fb254f\r\nKey2 = bac752cd83a170b5\r\nKey3 = 6bf71654f1854589\r\nMsg = 349566b6716e5f831d69\r\nMac = 7c08cc43ff4d8e07\r\nResult = F (1 - Message changed)\r\n\r\nCount = 156\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 8\r\nKey1 = 2fc7f4c1ce042f73\r\nKey2 = 8346bf7a80b38640\r\nKey3 = 2ff74abfc197a732\r\nMsg = 43a32b8ab9b7ce4bbd1b\r\nMac = 8000a2612215014a\r\nResult = P\r\n\r\nCount = 157\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 8\r\nKey1 = c40ddc9e29ce041a\r\nKey2 = 583d6bc4c1a2abf2\r\nKey3 = 9b018fd5a4084a64\r\nMsg = 228",
+ "6a1eddd80737a724c\r\nMac = 0ff14761c982f890\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 158\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 8\r\nKey1 = bc327a0bcb2575df\r\nKey2 = 6b9483e6e0755d2a\r\nKey3 = 622cdc5b2916ab89\r\nMsg = e1be89af98ffd7d9257a\r\nMac = d6f4c8d96b3e2180\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 159\r\nKlen = 3 \r\nMlen = 10\r\nTlen = 8\r\nKey1 = 9e517cd616a48ada\r\nKey2 = 6d266192d5387a97\r\nKey3 = 8a081fda97c86b94\r\nMsg = 9e9fb0b2b77be6eeaae8\r\nMac = ba0b73fbffc0ab0b\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 160\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 1\r\nKey1 = e0b9a826a85efe94\r\nKey2 = 4f615bce7cc1ba68\r\nKey3 = 3bb56d3d9816103e\r\nMsg = cfe9ee956cb1f5a60aa6ec79a3e454224b456879\r\nMac = 64\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 161\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 1\r\nKey1 = 1e08a794a175b69e\r\nKey2 = f7d3ab46aeb9073e\r\nKey3 = 3e7cf8cea19d0891\r\nMsg = eb4f5b04517ee93e2c900e01948ac81ca56b2b26\r\nMac = 79\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 162\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 1\r\nKey1 = 8f26700dc140570b\r\nKey2 = 8325e3a889c823ad\r\nKey3 = 6b048aa73decf83b\r\nMsg = cefb55151933a488e2b3d421dea9720727188106\r\nMac = 85\r\nResult = P\r\n\r\nCount = 163\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 1\r\nKey1 = 3443f4016dadcd86\r\nKey2 = 255dec80323e5838\r\nKey3 = fd583285e6efbc51\r\nMsg = e64eeb89828b4297601a5b3fcde60075fc2424ae\r\nMac = c0\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 164\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 1\r\nKey1 = 91a401cbb6460b16\r\nKey2 = 85438675f15b6e73\r\nKey3 = b09140318a767038\r\nMsg = 8c65cde13149d9d54a5bccc17747f1d5f3e807e3\r\nMac = 56\r\nResult = F (1 - Message changed)\r\n\r\nCount = 165\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 1\r\nKey1 = b78a16fb9b075d3b\r\nKey2 = dcabbf7a07150261\r\nKey3 = f7644a01d5dcea46\r\nMsg = abe2fd996bb6804ed3286c057df9cea6836a2dad\r\nMac = 09\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 166\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 1\r\nKey1 = ce8a467534cd679e\r\nKey2 = cb9ee6fb70a42f4f\r\nKey3 = 16c1e5c1459e4ac8\r\nMsg = 3c56ccfbe92023109983e740d6a53488b813ee87\r\nMac = c8\r\nResult = F (1 - Message changed)\r\n\r\nCount = 167\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 1\r\nKey1 = 401f0de0efd6dfa8\r\nKey2 = 16ae7c3bbc6e5b86\r\nKey3 = 4ffebf790815f1d0\r\nMsg = 9052d5e22e6712fab88e8dfaa928b6e015ca589c\r\nMac = 61\r\nResult = P\r\n\r\nCount = 168\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 1\r\nKey1 = d357bf5bef2cfba7\r\nKey2 = b757d3abf49b4ac2\r\nKey3 = 16388051da8a04a7\r\nMsg = b04e8f6d20924be8e4e2c6767f87b74377bdf90c\r\nMac = 72\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 169\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 1\r\nKey1 = f8ea68aba1bcd9e6\r\nKey2 = 4abaa4260d864573\r\nKey3 = a49840ab737af7b0\r\nMsg = 1fc99e586f87932445930a300eb28191d9c6215b\r\nMac = 19\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 170\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 1\r\nKey1 = 94ec086d8c0110cd\r\nKey2 = 4ea11f327f70c245\r\nKey3 = c8d07adf7c7c5eb9\r\nMsg = 812dbc453a1fda59f73aceea3bc84d2c7a437dfc\r\nMac = b2\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 171\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 1\r\nKey1 = 9d575d582a9723c1\r\nKey2 = 294af47a54b051fe\r\nKey3 = 5131bff85bf12608\r\nMsg = 266e5305b96f497a956ae82b20367ebac0b14215\r\nMac = a9\r\nResult = F (1 - Message changed)\r\n\r\nCount = 172\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 1\r\nKey1 = 913d800ecd0dc762\r\nKey2 = 7f6ec476b6b07c15\r\nKey3 = 973262ab7c83b634\r\nMsg = 4670a266bebcdf95c62d36cda33d50e6650fcdcd\r\nMac = 4f\r\nResult = P\r\n\r\nCount = 173\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 1\r\nKey1 = b97ffe79d068ece5\r\nKey2 = 4a75fe2f67dae392\r\nKey3 = 45a4d9f17a9d70f8\r\nMsg = b53017500c100dea0511845597214484fc5f7f34\r\nMac = 6d\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 174\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 1\r\nKey1 = 7e1af10bcd86c283\r\nKey2 = 51cd37540e19021a\r\nKey3 = 988fd3c7250e2a6d\r\nMsg = da1919d4a2a7fcc34c88fb2065e52bf9dbc50731\r\nMac = 22\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 175\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 1\r\nKey1 = 8c0dc16eb9c80775\r\nKey2 = 6eeff20d3d5d5223\r\nKey3 = 258076b313611c1c\r\nMsg = b212b857f70c9f63d0c9d2ccd253c28d1534631f\r\nMac = 2e\r\nResult = F (1 - Message changed)\r\n\r\nCount = 176\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 1\r\nKey1 = 92c29eb0bf3e73a4\r\nKey2 = c6ecfbe6cd49bf4f\r\nKey3 = ef19d9d06d7a5e7f\r\nMsg = 969304e651ca62039088f8123085ac3263796b67\r\nMac = 57\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 177\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 1\r\nKey1 = a4432f52975e4316\r\nKey2 = 7f2086da04fddf4f\r\nKey3 = 8302139e79684329\r\nMsg = 5c9bcd197ea59e1b58b3da707b253491cc5a5ef8\r\nMac = ea\r\nResult = P\r\n\r\nCount = 178\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 1\r\nKey1 = 5ae0b6d6c2855b7a\r\nKey2 = ec675d3e73bfd685\r\nKey3 = d3406b868fd3ae0e\r\nMsg = 89b9ecfef6f10e81f7956dbc7ca4a335047535a8\r\nMac = 70\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 179\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 1\r\nKey1 = 8f7f85649d5e08a4\r\nKey2 = ceda75687308e07a\r\nKey3 = 9215c4c19bdc0d46\r\nMsg = e53101e6eabcda32c13d7b1dd1d88e7c2ca3ddc2\r\nMac = 14\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 180\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 8\r\nKey1 = 7061b5f46b98d394\r\nKey2 = 58c2ce3807623475\r\nKey3 = 0df8e3c432da8a37\r\nMsg = 1086953d352e94a51a6d4c59a2295e8fff5b311e\r\nMac = 554d4df88228eba3\r\nResult = P\r\n\r\nCount = 181\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 8\r\nKey1 = 347a25a1ec433b52\r\nKey2 = ec75d97046152c10\r\nKey3 = 86b937b6ad1ccbf8\r\nMsg = 4fe6bd43c28143ea5d40919cb5330a7e674f5bd8\r\nMac = 3d0d841895fb7c65\r\nResult = F (1 - Message changed)\r\n\r\nCount = 182\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 8\r\nKey1 = b3701aa7da61512c\r\nKey2 = 46dacba40740e3c1\r\nKey3 = 8f79a4dcadbc315e\r\nMsg = 4612fb4586d7518d0d648894347ae7d49d043f29\r\nMac = e5dd4392afbeabe7\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 183\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 8\r\nKey1 = b5b57acb2c7fd6cb\r\nKey2 = 70b02c9d8651c889\r\nKey3 = 07f485f7b00e45d9\r\nMsg = 9011231ec382ecaaae57f34de1ac6bbb50741014\r\nMac = d34581ad5a3e9e57\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 184\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 8\r\nKey1 = 88985bdfd9852604\r\nKey2 = f7f829aec8a208b3\r\nKey3 = d5ba012ce6754554\r\nMsg = 6cad7f3b9f196839bbc5a7f755c09aa8e17c83d9\r\nMac = fc7c93552aa14ca2\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 185\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 8\r\nKey1 = cd0815194319d552\r\nKey2 = 346bb634027668d9\r\nKey3 = c17f2a26257afbad\r\nMsg = e31b3d97ba6ee6f2e18f084215ca0a5ca0d816d7\r\nMac = af5772396bb63d20\r\nResult = F (1 - Message changed)\r\n\r\nCount = 186\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 8\r\nKey1 = 236e5201dfc1081a\r\nKey2 = c81526bc85c7a2ce\r\nKey3 = ab91d0aee0d68931\r\nMsg = 1f36b9cbf3d4d4dfcc4ba7fafa7c229f0a9253f4\r\nMac = 27586cf856a41e82\r\nResult = P\r\n\r\nCount = 187\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 8\r\nKey1 = 2e01198faeb6986e\r\nKey2 = 7cb564801f15bc5d\r\nKey3 = f2d3ef0d4fec61c1\r\nMsg = 27c8c90c9e46e14b8cbb0b7559bb166d65f58aeb\r\nMac = eaa7b4a171e449ef\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 188\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 8\r\nKey1 = df575b851331b016\r\nKey2 = 33ec7326e9ef31e5\r\nKey3 = 1686c1ec8a3ea16d\r\nMsg = 1e4e01d38ff65d05646d544b52a6df49b897eacc\r\nMac = 45789bd32147c0ae\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 189\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 8\r\nKey1 = 43b68c1f29ef5b94\r\nKey2 = a7dfa1cbe9ea3df1\r\nKey3 = 83d3c286e973ada1\r\nMsg = 0ca9b0f6465db0e101f8c14b2e73859d9c355b0a\r\nMac = da439a51157ff0d5\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 190\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 8\r\nKey1 = bf91d679268c85ce\r\nKey2 = 46b9f7bf4aa1a2c2\r\nKey3 = f7fd15fda2cd6408\r\nMsg = 0c2933e39d7e601ee6f2519eaf01294853664262\r\nMac = 455cd46d3b452a55\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 191\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 8\r\nKey1 = 0dad9d451f890b38\r\nKey2 = 3416e3c240a16ee6\r\nKey3 = 5b80d6aefd4ab5a4\r\nMsg = b6e1de9abef7525c5dabbdc85746958781d50139\r\nMac = 3445a869cca839fb\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 192\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 8\r\nKey1 = 96858f8f2ab56df2\r\nKey2 = 5edc3b04b94ca7cd\r\nKey3 = bf10614ce0491645\r\nMsg = ec9aa18b3e7da99dcbd7de7617a79130abe3348a\r\nMac = c744a1392fc656c2\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 193\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 8\r\nKey1 = 46ad6ebad9644a67\r\nKey2 = da684aa48f23d619\r\nKey3 = 43a2316b40a46e25\r\nMsg = cf97c2abe3d0fc89e05538b50147a3f405391219\r\nMac = 7ac08967edc5730b\r\nResult = P\r\n\r\nCount = 194\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 8\r\nKey1 = 68647694efb32023\r\nKey2 = 0d2938c8fe1a4057\r\nKey3 = f479f16e7552942f\r\nMsg = 33a9c750bb532d2d37ec86fa851aeb3cad1eaad8\r\nMac = 3873ae02210eb5fc\r\nResult = F (1 - Message changed)\r\n\r\nCount = 195\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 8\r\nKey1 = 58d62fd92af7437f\r\nKey2 = 89dfb51fc807cd6d\r\nKey3 = 024fd04f40d5d0e3\r",
+ "\nMsg = cc293c9e1780b401d2e7fceef6f69edcf0f70b86\r\nMac = 6574bfceaf04b4e1\r\nResult = F (1 - Message changed)\r\n\r\nCount = 196\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 8\r\nKey1 = 4b377f98df0b7598\r\nKey2 = bf73f4c2cb074001\r\nKey3 = dc9857f47fe6101f\r\nMsg = 9ba5dbe7a8ecfbedadd7889cd7f1ae073e01ee3b\r\nMac = aaaeb7223578bbad\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 197\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 8\r\nKey1 = 91c8851934cdecc2\r\nKey2 = 582562aef1205e32\r\nKey3 = a12a70eacbad310e\r\nMsg = aa390a0ae33751b0bd8de5723df91d999aa70358\r\nMac = 67f76912ed61eaab\r\nResult = P\r\n\r\nCount = 198\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 8\r\nKey1 = dcc2bacbea0dcd10\r\nKey2 = c18ca45ed57f8f97\r\nKey3 = 5d58157a677f1951\r\nMsg = a7573e5b7dd7f4ce9e4480f603c14145a27f7c7a\r\nMac = 2b6af968464ac63f\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 199\r\nKlen = 3 \r\nMlen = 20\r\nTlen = 8\r\nKey1 = fe6d49702f044f40\r\nKey2 = 33321613da401004\r\nKey3 = 8c3438f74cc2680d\r\nMsg = b15a118b3132c20c31e6c9d09acdee0e15fcc59d\r\nMac = 9f28413a00da00ab\r\nResult = F (2 - Key or Key2 changed)\r\n",
+};
+static const size_t kLen39 = 53587;
+
+static const char *kData39[] = {
+ "# CAVS 11.0\r\n# CMACVer information \r\n# Algorithms tested:Alg = AES KeySize = 128 Mode = Verify \r\n# Generated on Tue Mar 15 08:40:37 2011\r\n\r\n\r\nCount = 0\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 8\r\nKey = 27b5686c79b3d242f96d3892c6135b26\r\nMsg = 00\r\nMac = c98d11822b9b4d7a\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 1\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 8\r\nKey = b4542a22baa348ee2d11ef62d44cebab\r\nMsg = 00\r\nMac = f7a2a3f519fc462f\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 2\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 8\r\nKey = 7256e344f68b3e7f9dd6e04c5c65135c\r\nMsg = 00\r\nMac = d4d7fcc5f979230f\r\nResult = P\r\n\r\nCount = 3\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 8\r\nKey = 7a2116595c5cf6482199d3312498006d\r\nMsg = 00\r\nMac = c3c4fa28709060b0\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 4\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 8\r\nKey = 0341551d6c7e7c57f678068f0b41d1fe\r\nMsg = 00\r\nMac = 821030d4b7889fcf\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 5\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 8\r\nKey = b67ba2aa4e9ea9871c3def87e2dd77f4\r\nMsg = 00\r\nMac = ea896182698ac145\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 6\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 8\r\nKey = 0091d39f3478d2c59bf874b96db9ce0f\r\nMsg = 00\r\nMac = fb12c5971b0f2f18\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 7\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 8\r\nKey = 46a2e6bd3fd5336abf02eace3cd1e1f6\r\nMsg = 00\r\nMac = 9c6b46ef046ae1d1\r\nResult = P\r\n\r\nCount = 8\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 8\r\nKey = 4b0fbd5e6f9298e5ced5ebdc60fc18a7\r\nMsg = 00\r\nMac = 221857badcbcd2be\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 9\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 8\r\nKey = fb20547da671acd4c6df37f6568a6428\r\nMsg = 00\r\nMac = ba0c9bfd3d9c0c95\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 10\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 8\r\nKey = b787def50aaf446bf15c562434844562\r\nMsg = 00\r\nMac = ba60bdae64068330\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 11\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 8\r\nKey = 67d77f50727c7cd5b38e0b175a888c88\r\nMsg = 00\r\nMac = 555923e6b5fbc504\r\nResult = P\r\n\r\nCount = 12\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 8\r\nKey = 6f552ef7d309bb98597b91cecc21e158\r\nMsg = 00\r\nMac = c2aa402c0443dfbd\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 13\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 8\r\nKey = 411871267919a145532cc401e753ebff\r\nMsg = 00\r\nMac = 167a31913228f45f\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 14\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 8\r\nKey = abfe32efdf0464cb2eaafca8eac30d9b\r\nMsg = 00\r\nMac = 8edbc729b1923e10\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 15\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 8\r\nKey = 85504d59a12f3e17edfb0b6337d4a081\r\nMsg = 00\r\nMac = 9045fd77cb26dcb2\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 16\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 8\r\nKey = 55f7565826b0e2ccc1368f4de32022de\r\nMsg = 00\r\nMac = f82395416a8dc209\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 17\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 8\r\nKey = 43c8f984390debb0f26c6b9c2df8518c\r\nMsg = 00\r\nMac = b5d732086bf8feab\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 18\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 8\r\nKey = da288d2014616f16a2abf5923dea49ad\r\nMsg = 00\r\nMac = e03b67b53fc7863f\r\nResult = P\r\n\r\nCount = 19\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 8\r\nKey = e2f962d076df051c2d291b47a902ea0c\r\nMsg = 00\r\nMac = df1456a7edeb4e42\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 20\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 16\r\nKey = 191b53e0c7d90161e5e2014e9b8aea31\r\nMsg = 00\r\nMac = 1e210cff3c90bd2e2a27a78ef7662f61\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 21\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 16\r\nKey = 54666bdf6db300ee10982d14dac828bc\r\nMsg = 00\r\nMac = 9fef67209b8da28049b80efe98f85f13\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 22\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 16\r\nKey = 9a143c21cc6c9528b9ddd7e4405682e1\r\nMsg = 00\r\nMac = 1c3c3b6d1d86ac5787234f8f6d707acc\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 23\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 16\r\nKey = 802047ee1309e548ae81e93a17bff9e7\r\nMsg = 00\r\nMac = 1472aecaa0a09e45893a14090ed9a17f\r\nResult = P\r\n\r\nCount = 24\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 16\r\nKey = ab79ce74c0959aea0fd0b28ea5d0afe2\r\nMsg = 00\r\nMac = fde8a95536cc334f7fc8881a187afc61\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 25\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 16\r\nKey = 644ac6fdc1e713ecb7ff1e0bd5729a57\r\nMsg = 00\r\nMac = 95a93bb50703521e6c1a8be1aab6a646\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 26\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 16\r\nKey = b4571e56f66a857daffbdc99370ceddd\r\nMsg = 00\r\nMac = d2742ea62f1d6513c4eb0e533922f251\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 27\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 16\r\nKey = abff2b097d688293701ff2c49ba48eb3\r\nMsg = 00\r\nMac = 17e724f66d4a9ef5dfc0cf903f8ff04a\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 28\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 16\r\nKey = 9d45f6d97d1573de3cb3488befaf5b7f\r\nMsg = 00\r\nMac = 96ec3cf234d6704483a93885bd67e6dc\r\nResult = P\r\n\r\nCount = 29\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 16\r\nKey = 00d385629e5df815a5300e6635351934\r\nMsg = 00\r\nMac = cb23bb449ac26e2186b02f7428fa022b\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 30\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 16\r\nKey = 2f9109e7eea21b2615c81c03182ce603\r\nMsg = 00\r\nMac = 4532211f48124a9eacd795ea4313adaf\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 31\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 16\r\nKey = 9f3830f5cd40a2396b6093b358cef1e9\r\nMsg = 00\r\nMac = f5ea59ec909a8ec2d8b11f5f276201fd\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 32\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 16\r\nKey = 17378e17c41586b88523a6b6af738dc4\r\nMsg = 00\r\nMac = 40cc8b388be6789aca584659acc7aa06\r\nResult = P\r\n\r\nCount = 33\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 16\r\nKey = 064e8c88a0a0766186d75867b5ca3acd\r\nMsg = 00\r\nMac = b2f94222a68fcf803868b00404ad170f\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 34\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 16\r\nKey = 1e39f1cba97dac4e4d4f3bce7fda72e5\r\nMsg = 00\r\nMac = 60763815c1075c31078a9b44fe4b8427\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 35\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 16\r\nKey = 06f0e4618e0ea8fa5443b50ea005b672\r\nMsg = 00\r\nMac = 295c6cd08b1d668d9fa85ef851b1e029\r\nResult = P\r\n\r\nCount = 36\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 16\r\nKey = 648d77b57770b67ecda1ce7951eaaeea\r\nMsg = 00\r\nMac = 2f3fbc6edf5827fce440b9a7ff8535b4\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 37\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 16\r\nKey = 6f3938932b5c1280311e892280d8a822\r\nMsg = 00\r\nMac = df02edfb316350c81dbee385d6e1d8e4\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 38\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 16\r\nKey = f909903451d1f9f45ffcb93a407ffb50\r\nMsg = 00\r\nMac = d176620722c5327270ef30956d7ac02f\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 39\r\nKlen = 16 \r\nMlen = 0\r\nTlen = 16\r\nKey = 181d92c7df1ebb0924719e066e08b95e\r\nMsg = 00\r\nMac = 144f688fa0d29faf787c48cd0765eecd\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 40\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 8\r\nKey = 0c5b763b1e97b4f4dfc7059e4896ba58\r\nMsg = a0b3c6944b35f7208dfb40b4c4ba134a14dac928b679950793b3b6751221f178\r\nMac = d922ea85b3992a67\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 41\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 8\r\nKey = 461d7d629778c8b05a688bee4fc01e9f\r\nMsg = 07571a6c9bcb6f97d626796bc74e551d1c45cce38afed761706f6264b7e751d3\r\nMac = 794b224a85396a27\r\nResult = P\r\n\r\nCount = 42\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 8\r\nKey = b91c6b09bf5a0487a9b5ea2fe0c1f3d2\r\nMsg = d31fd388e97727ba0a35d34ae05d9980e5974f6b3d86e2d4dd569b70f394a159\r\nMac = 2665ff2785bcb606\r\nResult = F (1 - Message changed)\r\n\r\nCount = 43\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 8\r\nKey = 0737836cf771e842a70f3eeed7206799\r\nMsg = fce631a9eb130178018ca88cec966ae53ecc83a51d0a73173c8a9af10b4d04d6\r\nMac = 1eee822e37dd1e84\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 44\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 8\r\nKey = 120132c315bfc9c4fb93023f5d3500d7\r\nMsg = c2576ed3189eff3205f5e01dd8fe7c64f12dc73c807c22918f607f9e43fcc5ba\r\nMac = ddca15c8b5a80cb2\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 45\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 8\r\nKey = 5363bd7d867a9f9f0592dd9940a791e8\r\nMsg = f34e86b8803d386573b81045df945df8319a93b613de4c41904c8e1879844cee\r\nMac = 109dd7c920ebbf41\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 46\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 8\r\nKey = 3fa1c7cffaa167557b250634e8052fa0\r\nMsg = 4255f8af18df7237e0abe98421aec9634443561752d893aaffe76380e829ef32\r\nMac = 0eceab8d28dd4a2a\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 47\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 8\r\nKey = 6583a4ff27b6e109046d11b977c8293d\r\nMsg = b63be320f92",
+ "e01260fba37312224494a2764dfc928287c75dc1cafee7b698d48\r\nMac = fa0cced22e896b40\r\nResult = F (1 - Message changed)\r\n\r\nCount = 48\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 8\r\nKey = 5949378fd3135dd02ee1929014000411\r\nMsg = 65c16f4e66b10c7c153be7ba2dbe3a6d4eed3b04fec44188edc229747d52f8c8\r\nMac = 9ef023345848680b\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 49\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 8\r\nKey = 0e80fa889b1d96a0d23d236d4d642a27\r\nMsg = f6f094e46cdb2e45fe49b18aff1427ebdac9710fa7f47f75fc9ec7140613ef3e\r\nMac = a09774009934c9d4\r\nResult = P\r\n\r\nCount = 50\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 8\r\nKey = 1f88dfd4f5c52c22b1db47f9f4fb6e2f\r\nMsg = de433ebd1cdabeac46b94cc00d984f172923535ca8fdfeeb860546357dd8e266\r\nMac = bb17b3983faee0db\r\nResult = P\r\n\r\nCount = 51\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 8\r\nKey = ab0ab9e79ee53a6946a31ea807258dbb\r\nMsg = 89ddbb042aa2aea5207b312c9831fb48138aca90626ef7c5ce474d5797ae1b2b\r\nMac = 72f316d5bfcfcf6f\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 52\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 8\r\nKey = 1eb19542a0064564e096e5d7d60acaa6\r\nMsg = ca25504f3f5559aa0e88199ce1551c9240b5c76f55b83bdbf2777cded54ad3af\r\nMac = d936b1fca0a96aec\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 53\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 8\r\nKey = 33f11aa36d8ab0fc53486839a576b31e\r\nMsg = a58524e37c2504468f77a9c21b0e6d1a6b5e06fa051d5b8025ef97fa69417cf2\r\nMac = fd64f7cb283adce1\r\nResult = F (1 - Message changed)\r\n\r\nCount = 54\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 8\r\nKey = a7b81d8245129aa451dcb7229de415e5\r\nMsg = 2b2ec02aba10aee056443cf90585caa2510b3b835454a99f1324567b0dcbe682\r\nMac = f4cd48f32c9dc66b\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 55\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 8\r\nKey = 3c1baf0d915e5aec92bb62babad0ba2c\r\nMsg = f8f2424c2dc0d0f3821af7244038da0832c547be4ff0850b98c04d4d44a716b1\r\nMac = e17ea6862129d6b9\r\nResult = P\r\n\r\nCount = 56\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 8\r\nKey = 943a49073db6ae94a88844ed895f8fd9\r\nMsg = 8a15e5be479d3a39a459ca7b50457472cbf44f6a8324ee3d4096e2c3bf1d8190\r\nMac = adcce0ea2c8b11d9\r\nResult = F (1 - Message changed)\r\n\r\nCount = 57\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 8\r\nKey = ebf8935f53dfb3bd40453c31f627c73e\r\nMsg = 7edddb03d861dc9796f8e069bde434681620f604db436f34b7a6a3beeec925b3\r\nMac = e8ea88729d49bea4\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 58\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 8\r\nKey = f18e8feed77d1b80c31483fe69073d56\r\nMsg = 37c6206e23163c39a13f19de48cc25dc26e6f83cb376e8d2048ad7c141fa503d\r\nMac = 0d4f5cdb2a49b471\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 59\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 8\r\nKey = b4e41c7bfb8fcaa5236f656185c1496b\r\nMsg = 32758ae47884fcef766dd1fee1a7f55ca6f6691574e2ea097a68cd4072ef2e7d\r\nMac = bad08badb66c8e5f\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 60\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 16\r\nKey = 708484fba04972b815256c5dab12d5d4\r\nMsg = 97751b4893a83cfe6b760e10da795682e9668749c09036f9bfadce9dcbdd85e6\r\nMac = fa74b33267c5ffeca75e5e16978bd7b0\r\nResult = F (1 - Message changed)\r\n\r\nCount = 61\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 16\r\nKey = d0df1bdf1df6203241722fb9c9c1cf74\r\nMsg = 0e41361ebfbe4e6580fb5751e58e98de8ee5d9849fe875026fdab15a85804c1d\r\nMac = de4992c9d33659620cc203848e42a279\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 62\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 16\r\nKey = 7c0b7db9811f10d00e476c7a0d92f6e0\r\nMsg = 1ee0ec466d46fd849b40c066b4fbbd22a20a4d80a008ac9af17e4fdfd106785e\r\nMac = baecdc91e9a1fc3572adf1e4232ae285\r\nResult = P\r\n\r\nCount = 63\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 16\r\nKey = 7b4c800f5071521119e4cc6deee8729f\r\nMsg = 775946f3014523b6ea37804585cadd35e74e9382ebc1022579fbebe407281b6e\r\nMac = 2f6697f5d067aecdb3ff5a09d9169b3b\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 64\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 16\r\nKey = 7618d222630138cc14246e8fddcf98cf\r\nMsg = 432e3575a966958434da38dda3606f1f69adeaca536a7bf66c8b1e451edc3716\r\nMac = d7d78aac615ffc1bb32dfea41f2b8771\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 65\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 16\r\nKey = c8804fef18ef263c010c8a205e14516e\r\nMsg = f2d23bc605181e3894f61fa63d61ed4a610123ab7d3531c0b7579a58b74161ba\r\nMac = bfe5e2c10a5cecccd3de2529f340cf6b\r\nResult = F (1 - Message changed)\r\n\r\nCount = 66\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 16\r\nKey = f98ac86ecb742c188852980b5150d100\r\nMsg = 4e6fd4fa7669ce9552154bd796644961b51067dc02303430150aacf671280031\r\nMac = 73df5f4d3ab9240d4fb2be775188adc0\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 67\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 16\r\nKey = 638d7d95ff5f57571261e23ffa081189\r\nMsg = 5f5bc4e32764bb00085667b7f1b15433f09c1f6fa48689f8f50dcaf5021f2864\r\nMac = 96b270629b2bfbf721f1a70eccf9abe0\r\nResult = P\r\n\r\nCount = 68\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 16\r\nKey = a5a20d8139472a4cb38993c5711ac2ca\r\nMsg = 73e1e75538f9a63e49a068189e3b0a1a1e65ca5d1295589bdafa3136deaa287c\r\nMac = 320647d53ccdf2335a9c9a3452c1cee5\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 69\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 16\r\nKey = 57656be54860414e8a62223381ca4405\r\nMsg = 3447e82ecec6c8b6fe1e44ed91f933e4a70c431911eb86eefe222d5ad78193df\r\nMac = 47c6b5a28d723129648aef418b74daa8\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 70\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 16\r\nKey = e7b665600a2aa413e117c53816cbed34\r\nMsg = 5e4d49ab796025157add6d42258b9c506d9ce82bdd85c604360db0ff5aa4262c\r\nMac = e741166cfa2a58003dcae357d7a199b8\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 71\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 16\r\nKey = 693cbb46bc8366086ec7cd7776f2c563\r\nMsg = 5a908ae85ff721ffc5096aeeda5ee83bddcf639e7be68d109394e5253c22dc9b\r\nMac = 9d56b03ef83082f601a9cc8730b0de42\r\nResult = F (1 - Message changed)\r\n\r\nCount = 72\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 16\r\nKey = b4190e3462e07fca26496adcb877724f\r\nMsg = 02097035a312cb02ea7f09fc1accc230a205e4a208e64a8f204291f581a12756\r\nMac = eb9604ec71aac0cacb63e0b369ae7664\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 73\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 16\r\nKey = 4ae06c3b2940819e58eb24122a2988c9\r\nMsg = a2e7be3314238d7e4f604e134790bb15a87c09356c091b1aacb9f605b67475b5\r\nMac = 14b4507ae4b50cfe4989b544bede756c\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 74\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 16\r\nKey = 8d560de2e310ea69389221ce2e850625\r\nMsg = 04d9db45e4df19db757b9b95c25be43e822b8372ed148d49ce824a36da2b2f2e\r\nMac = 647f2874a083e82fa804b6c58c7b5c90\r\nResult = P\r\n\r\nCount = 75\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 16\r\nKey = 0e1a79c5d734118c19eaba700f5da238\r\nMsg = 026470d57dad9893dc037b80978bf70c2e552fe46c8fe8c3ebf8338bda984d94\r\nMac = b936ff3bb8afb9e42351a2a3ad49d70a\r\nResult = F (1 - Message changed)\r\n\r\nCount = 76\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 16\r\nKey = c88b1bc0050e19780ab53efbea175634\r\nMsg = 7207aa8fa87283f1f57019bf1c89645ff8fc36ab1102704e6d577671a9f7e098\r\nMac = c1dbd79e31c3b0bb824f16f735ccdfe6\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 77\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 16\r\nKey = d87df10a53eb3ea24c003d2a65e44921\r\nMsg = fedd5813146a8c2af398d6066956829833b75e44b6e010e4f025ac0fad6f869b\r\nMac = 9dd7cbb34445bfb351d01e8cdb21d695\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 78\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 16\r\nKey = 4d436a4a5c02b22ad49548b97216f277\r\nMsg = 2d73204f0b2d35806a8227206922ac9c18eff6ebddc73809179d67a702cf3e21\r\nMac = d2654d9bd6396075296cbe918d90670f\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 79\r\nKlen = 16 \r\nMlen = 32\r\nTlen = 16\r\nKey = 8af7b74e35eb38f4086343bc329ab465\r\nMsg = ada1fa439c653d0cc88c0d129ba252e86c7d20a3087be93e920bf13d8e6f0391\r\nMac = 0fc9b177c874ea909b6beb1db1b802b4\r\nResult = P\r\n\r\nCount = 80\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 8\r\nKey = 91ce6c87860aa84053f42e1abc16f489\r\nMsg = 4c287bc16196698d762d5fb428e801975fdaa29026b7b78dba968bfee0f534f27cfec57c6009c55c6261e0dbb14bddf76944d0c0648b910254df6c240e8a1a50\r\nMac = c1ce12f51aa823d0\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 81\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 8\r\nKey = b7b774e5c9e2f6926660c48b8df52354\r\nMsg = 937273c7355e7b88a630d15be875234cacaa44e815f31997bf10b52c008cc3bb6d3724aaa0d7da0b391b252923d0eb6119575d346857d89af6af099883af5514\r\nMac = ff845eb2d77aa5a7\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 82\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 8\r\nKey = d7572ed0e37261efa02f8c83e695efdc\r\nMsg = 85a327b0c7a31a4116e7fae0c0971e1578ab6fbdf90124b9ecacd0e70c909f51882cdca5a8b6b7e6b46d4660122bc9e1ae3932269f68e594075dbc293a2d4eb1\r\nMac = b8b3b7526419e069\r\nResult = P\r\n\r\nCount = 83\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 8\r\nKey = 259129eb760f8a770410c160e4e13a6b\r\nMsg = 77d9c30",
+ "6aa257379053cf1f2043c388a301dac2a9e2bb89eb8bab6eb3f150fe391b7a3f628be6b4b649c5c108a108f0e0c55a0800b9954251ab07e94450a23d0\r\nMac = f9376f11cbec0ec0\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 84\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 8\r\nKey = 6ccd61ed20f16ca7a78192f5b6ab5528\r\nMsg = 9211231ec382ecaaae57f34de1ac6bbb50741014a978160ce59c60491e64f30da0b8aa1442e42bc0f7e31973a0dd8c3c24eebeb7c329072ea7dd0b04bc163254\r\nMac = 94c275e6a4675d8a\r\nResult = F (1 - Message changed)\r\n\r\nCount = 85\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 8\r\nKey = 1cdc44c40efc3c0ed6fb84b0c2f78aec\r\nMsg = 818c636772036761af037c23aa8cb63e424f0ba0375b645de2f8f5af23d3ca3b9a5ca3951a6d02075a2c828eee326a2676ed8247164226b0267798632a519bf1\r\nMac = 74355397c7a29bb1\r\nResult = P\r\n\r\nCount = 86\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 8\r\nKey = 2e523e9d8a5532127ec63b220838f11b\r\nMsg = e6d067907610109b8789e1ad00542539991677b9efc97a98d8bfcb50f3e334d0844323207fcb5a47e353e76d49dd573dbd17278dcc287b41dea8126cc7f07ab9\r\nMac = 7bd6745c6f73d92e\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 87\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 8\r\nKey = 0eee5bc8994b723a580f67d45ccb194a\r\nMsg = 1dc4fcbc73dab4e73ed9d7606acdcd42b74972460c640fe50f028abdf255d9368fa3bc65b849ac31c8000eb47e5fade40ca167726aa927f2f043133d24ad0613\r\nMac = 486721355fff9cbc\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 88\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 8\r\nKey = 388468d10bf0b770cc125f8b7d359261\r\nMsg = b9aaadfb3f60e48f1b421a9450129d75af2ce811ab0b1661680e9d5b147c38167ac7252ed40d916ae1e4519c3857d2c9dc2c538a106951b26d16433131438839\r\nMac = e13cef9392f4a80b\r\nResult = F (1 - Message changed)\r\n\r\nCount = 89\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 8\r\nKey = edfe2e15edf0b0c28875651d4becfca5\r\nMsg = 70b1e2e4cf260b108f5a52d0d8234838ffd6ffe7b4acd78d7d6b95aa6342b598eaf402cb47396358ce61f8b4aa3a65bed0346e0036c3c5323f051f007aa58d0e\r\nMac = 7b70730219907d18\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 90\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 8\r\nKey = 6876df1a77e11165331a5ce2e0e6bea6\r\nMsg = 34b73ba208bbe1df06da768b0321243815df4ece555974dee2bf5732295f5ea9631939425e13c47681ae2ecb0bb85aa69be38560f5752a9d034222d91ad71044\r\nMac = 80e00df873439fe7\r\nResult = F (1 - Message changed)\r\n\r\nCount = 91\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 8\r\nKey = e65d5fd5f446b4eab63d56b0a5eb1d29\r\nMsg = 554395f9b113c0f2a1f155de171d6c0a805c838beb90c3756e8b864dc52517c03d8cb894d1dceae092f0e8784c7775ac664ad7320afd246086b3bc9ef237171c\r\nMac = c60f8ced2efd52fe\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 92\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 8\r\nKey = 5bdbd06f4df6e15d644f3a635d7bb14f\r\nMsg = 4fcc7c2763a8dd5bfe74e34f512be8042af9ba1c73a944edfb616ad47a8d34cbcf192f3e8be3101bb3709b29c2dec39aee1913e3ac524ccb76ad50c2cc3a3e75\r\nMac = af33d5a2746bfa5c\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 93\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 8\r\nKey = 13bf2f72211cc8e16ac1986a22e19f60\r\nMsg = 8ee212ed4bd110ca6a91b37bca59e19ba842e3a1b50619bc6b07ec02a09303ca5c66ba56e870d0b627d95fe829431244fe4f9218c862418f14a92bd76b5a3a82\r\nMac = 18e8cd5bd42c75ea\r\nResult = P\r\n\r\nCount = 94\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 8\r\nKey = e9b913c2f0630562eb1c16b3b1ed8409\r\nMsg = 031105ff01daa66ff95834e47b6f5c683994084d0fcb84c140d1dfa2039a95933efe6a4f91af993d966e2e45677eb1e36159047928a38eeaeb5c9a64ea59f97d\r\nMac = f00a17da0fb9e6b6\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 95\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 8\r\nKey = 6fa5a5991315702cba3beb33867c7bca\r\nMsg = bb0fabffbcc6935ca35755fd4bfbd192b6812cf75c4dc95bc3a175a1501be2065d7f57058cb7a5785a185dfff7e740a5551cf7c17e65051b2c6ef9509360e878\r\nMac = dcfd143f86442183\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 96\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 8\r\nKey = 3f8c6d21ec05bc439bf82774f1812bd2\r\nMsg = d726deb8537bcd671ddbaff8fcc6968f951b71aa82dfc802a53aadb2bcc2ef9a35fd90064320798b311d6d32f7dd3cd90bca39d57991eddc36260d23b108aac3\r\nMac = 449e20567875d56f\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 97\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 8\r\nKey = 8ed1a4873bb37fafd4f8c2ee417443cf\r\nMsg = 1652c9539bff4b6e9f303f3e6b5d4b9ff7e85aa2a401ee8c2dc7b722dbaf6424f92ab9188882e2483405070e8666204f5a600b46949cdb830fd57433d63a55a1\r\nMac = 601eb06acc5a4e0a\r\nResult = P\r\n\r\nCount = 98\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 8\r\nKey = 83a4669cb9961448cf418cb83a16098b\r\nMsg = 26d97c3e28460d46216da39e043e024ed08e387b1e5fcfd3f962472cf1bac4676b03039b3b93927075ff41c87fe1d4a56bd9fa4784d283942787cdbdd5457f1f\r\nMac = 01a42494a10691ce\r\nResult = F (1 - Message changed)\r\n\r\nCount = 99\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 8\r\nKey = c9e6d0b3dcd8ab50ba5ff31d9c1bd95d\r\nMsg = 0d32c1cd73569ab2b10c67c167875fe22625358ed3469b424c5e052d4e49af2c97dfe1f947c972a08c938b327e01adbc48a7f57a89b49f49fa0fca5b50a57a2e\r\nMac = 476add8ee51b5e3e\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 100\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 16\r\nKey = 17281acb525b13653000ab45d86e7010\r\nMsg = 225750ca982e5b34fc62e277eaaa0f248532abf374933e572b0278566cc7cf980df26abefb493ef57f8477cac0bd19408a22e71f4ded84906996d8e7a846b5c0\r\nMac = 0f2aa7f2dffcf7df34c84d101aa9bab5\r\nResult = P\r\n\r\nCount = 101\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 16\r\nKey = d3624653ad0ed144667df0e0e355c29e\r\nMsg = 39dd298acc45cb597f0733572677f7102536c0dd86fcfcc44895d29af92a5b6a87c20f1b53087d4c874f4083aad32e877142d20ad87b1d8b7295587bfd235d9f\r\nMac = 795da5a50f5b7df40317616b5a470c02\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 102\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 16\r\nKey = 813b3d579664cebe50a8e7050a0b4e65\r\nMsg = 78ad6517a09b99c1113d175f3129aade4d4a2516ebe054f15bc833d08ffe5e2a2d60c976e1b4b14cf8edd2c72baadb2db8001fd2b8798d39ac5ce27d592f1def\r\nMac = 20f40553bedb6496233e0b53143b6d10\r\nResult = F (1 - Message changed)\r\n\r\nCount = 103\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 16\r\nKey = 21095cdbe94afa27d84bcd68276993f3\r\nMsg = 10525eb2794d03409faeab22a6d4cc4ebc0421daacb0e865b0f94eb387722897c827e31676debec9d49c36837b6bc234a95bc10ddcc7b1e5a0d9a1dca550e93e\r\nMac = c0b806ce5eaceb51b53b028e6efea9c7\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 104\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 16\r\nKey = 6c769a4822523525bb36c02518475549\r\nMsg = 4af38908fa44b46873535b39f432d9b3e677f6d06d8719af3d15b936afe515fc13d62566481fd0108bd95f6e8dbe32b3c830b1f1127d868273610aa834ccfc70\r\nMac = c1934b9c74127cfd515521df330c0333\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 105\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 16\r\nKey = 6b454930925ca09d39e1e39a2e78fbfc\r\nMsg = 2bc884394ab7050c14d66fb8901cac109c0126668d918a4419bfcc5d75fb6bc2ba07f6598d06cf8cffd62f3eb29f6a033eac7490d27aa4701f0fb9f9718d1b7f\r\nMac = db19b8ef218018e5a53abcc39b7c514a\r\nResult = F (1 - Message changed)\r\n\r\nCount = 106\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 16\r\nKey = 5df295be7c44d59c44fead3f1988356f\r\nMsg = 3d7370cc2d61af35bf7b2ba50a143b23bfa0d1eff66c5ace2d8de5a28d17883d708fff7721a2977ee2164b6e34022c22523a0649ff0e40bc8134040fee02a065\r\nMac = 81b3181acbc2d6d2960ec57441ff3c40\r\nResult = P\r\n\r\nCount = 107\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 16\r\nKey = 387fc73be9f019913f2222d98053f95b\r\nMsg = 944daaa76249bd9d3bd517d01b074920b7d4434d1a2618af902e0228c3fca658244d990f8ca42208239c42d4827cf114140cabebc2a72bb3cf9277ef008c1c81\r\nMac = 5de79be9ff9c3c9d64f9cce35b188648\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 108\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 16\r\nKey = 7424990dee834ad05f4218861ab21eae\r\nMsg = 49fd56dec210e903f6c703332637f9c267eab9333e2701a16c74ce5e0b5a16d9da68b9c5d67bb6770a3c9a90a7e93fdd5759b27bcf3a753fa39ee7545fb60026\r\nMac = 38b66049ee8ed81f3f8ce2b45a4001ad\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 109\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 16\r\nKey = 232407986ad4a8e438990fd04ffa35bf\r\nMsg = 9d88a7970d4c58cecc20ed1811298a5b37297419ca49c74fe216679dafc938a656cb92bafb78efb31f24e71c2d5b5f994f6dfd82862adfd2faeb8c408fd22aab\r\nMac = 313d46dda3ccb75f497f9069c9478b3a\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 110\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 16\r\nKey = d9bd6ac153cb0bc4e19e59c45cfe0d6f\r\nMsg = c68094c26c7f017b79f126dc26b3bbcb95f97535ca412da5f7853e15fcb52f042e6492c857c22b26ffca5520eabca20ee2cec2f0b71ea60383ece49232065e0f\r\nMac = 3b17778955990ae58e03feda7fc43998\r\nResult = P\r\n\r\nCount = 111\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 16\r\nKey = 857fa35c6f70f637a9a5e6f215c694fd\r\nMsg = a1fc1307757ed91665980e2d3cf9778d8bffc9a84cce6bd5c5a07e47af5c1b409869db8286c49d07dd5083f1826e3ec441ce8cd36c85fef8c55fff889e761286\r\nMac = e1ddd63db51d3035adfd309ddc186238\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 112\r\nKlen = 16 \r\nMlen",
+ " = 64\r\nTlen = 16\r\nKey = 501f5c58355d1800f155f272dd09afee\r\nMsg = fd3564848ceb5d8cddfd50732956d18b4af433efc2e2a914ff66aba1de7b9b816d81a936f534f47038dbf1def7c11144b7e99ecec5fee6a478899cbeb6677bfa\r\nMac = d995f9bae6150996cd9b798fcbc623c2\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 113\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 16\r\nKey = c1d636989dfbcb0edc9f014cc82da6b5\r\nMsg = 20ef1bbf8a719497797f1f1bc4617179ea682a24a92f0831cd215a01473bb8207e13f26dea1a467bde1ed638a51359ccd11210c4d0a2fb70c0374e8984f81f17\r\nMac = e4972a59db04f78da1728cab051faa98\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 114\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 16\r\nKey = b4bc5a4d40716fb06a359ef9537726b7\r\nMsg = 36594fae7b487798d62c2c95ccbf51c984df5ca6343465b2dd147c8b36a34028e53fae61f51b36b28529143cbd3edd0c077158a07bc490a79a06270940f7ed27\r\nMac = cfb3fce039ee2bb94b6961ff86688237\r\nResult = F (1 - Message changed)\r\n\r\nCount = 115\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 16\r\nKey = dc796e5d9b712c798922eef315cb4728\r\nMsg = d5755c40f52364343d2613420441afe9da9a5329d3c1e5a123ee49f5eb8ad47253f104f5d9776e08e9a9f74fadd5472326cc7b7c7ce61a1492474bc9de614543\r\nMac = 315f0ce76352448bbd8a5012a9907a23\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 116\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 16\r\nKey = b82fd283922e730a07f7ddb87484f66f\r\nMsg = 94e47b82b728d639777d5d5843de2a5c364956cb4b21cabdced2529b10b3f4275f307fbc352866d7b094cfd7426ae801aac17ac72335c04adb8d791da69b3c4c\r\nMac = 86e6a8485b43f1b258eb59688af91fbb\r\nResult = F (1 - Message changed)\r\n\r\nCount = 117\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 16\r\nKey = f6db7efdfe73dcb4a26b8448842b55e8\r\nMsg = a1fa1fcd5f095b2768e32cd733365a136a108e7493f212aaef27d86da253beb6154f103099344ee94db6304e41b4e856db0ca7fd7ab462f45a07d697b85cca1f\r\nMac = f998bba6c5d3efd78af9ef57e7a38f7b\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 118\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 16\r\nKey = 3c1ba92d096fba134dfb4ef412b2568d\r\nMsg = ba7725d74465f5d92454bff794e0be51c4d0af7d88f729834d57312c528d0a7d15694a7e0bdc334093173f1d2df1fd42e7891c6b192dc5ee527b2ffb92c66d22\r\nMac = cfe6022ad29a54627ae7c4f907ef4da1\r\nResult = P\r\n\r\nCount = 119\r\nKlen = 16 \r\nMlen = 64\r\nTlen = 16\r\nKey = 4a92337f017a85b136ba6766444bbe84\r\nMsg = b0a3a8aa5d4bdfbb4c5c52acdcc60405c379f752b077eed42f2d7777cc0329047b322b9837d5f655ea445b578d9dc7e990a3c6f97cccc6cad7951ee948194e62\r\nMac = 153eff3c035db2fdc752ebd22302adae\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 120\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 8\r\nKey = 305ec69b23e4490e0f8a5241cb9c8c85\r\nMsg = c641cf589020b94026ae\r\nMac = 3bc054afa9771970\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 121\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 8\r\nKey = 28929286bd1391468ac75f5c03689f74\r\nMsg = 3813592f268a7a863c3b\r\nMac = bf1b514d2f899620\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 122\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 8\r\nKey = 1b3163e2d3a471b9823525abc7543c4c\r\nMsg = cada03e8c967f9732a81\r\nMac = 53702fa98e6f9a19\r\nResult = P\r\n\r\nCount = 123\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 8\r\nKey = be1ed49e2cb0caf6b6a0940c58453b93\r\nMsg = 4a348c5ec996f7a97ef0\r\nMac = 3358d143dff4adfa\r\nResult = F (1 - Message changed)\r\n\r\nCount = 124\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 8\r\nKey = f18be18df045ba31b80f3283cee6a681\r\nMsg = 93006a06d7e6df775b19\r\nMac = f3252f061dce32f6\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 125\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 8\r\nKey = b9dafe18a904ba761762ec3fe0e4120b\r\nMsg = 173887316279a47fc699\r\nMac = 884f5b21d478d60b\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 126\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 8\r\nKey = 31fee08df80cc1009e661230e25939fd\r\nMsg = aa54ff7466923b265fb5\r\nMac = 03dd2a9616f653a7\r\nResult = P\r\n\r\nCount = 127\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 8\r\nKey = 65a28d970b2bc7afafb4069c26d264a4\r\nMsg = 1aa5a3a4e6c5e5394e50\r\nMac = e0423589b192caab\r\nResult = F (1 - Message changed)\r\n\r\nCount = 128\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 8\r\nKey = 6dc38e37d1379732df4dd535db88d17a\r\nMsg = 0093c6d94aed50b398ad\r\nMac = 19b08e65d391c491\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 129\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 8\r\nKey = c5329fd99848e1cdcfa406ec09745ae2\r\nMsg = 6d83d0ad7cc7efd0d2ca\r\nMac = 8ec2709e1466f8d3\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 130\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 8\r\nKey = e608914a930b9c300b677afcb8689d63\r\nMsg = 146629e70b37d8b83ee8\r\nMac = db78a639bb15c84c\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 131\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 8\r\nKey = 0a998d3d390f5a80ad398b2070489984\r\nMsg = a91c1a8d9d268ad153bb\r\nMac = 5643a8c99b99d944\r\nResult = P\r\n\r\nCount = 132\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 8\r\nKey = 2b6f78ceace47509a43ceb6b761e7866\r\nMsg = 3c0a41a78240c9d2fc22\r\nMac = 811acef50d6c1913\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 133\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 8\r\nKey = ca481f557306f9ce386edd0cfde375a5\r\nMsg = 9f3488736ef6e2c3a51b\r\nMac = 57e8a0e5965399c0\r\nResult = F (1 - Message changed)\r\n\r\nCount = 134\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 8\r\nKey = c0dd1cfb3add04cd67a8e59be7ac8dcf\r\nMsg = a7c559c82776f429ac31\r\nMac = 7e43a2b43d030ff4\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 135\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 8\r\nKey = d3130d9e5ef516b6bf172953a37913a1\r\nMsg = cbe97e14c3100c9fc564\r\nMac = db9f674a2d0e9ed9\r\nResult = F (1 - Message changed)\r\n\r\nCount = 136\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 8\r\nKey = 9ec8661a880ebfd15fd8b04f2ae09dbd\r\nMsg = eff803e0fc809cc48587\r\nMac = febec8d41b6bdc1f\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 137\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 8\r\nKey = 6c2b091433833a0ed915354dcb70d982\r\nMsg = 90f1416768fca7dd48d0\r\nMac = f6ada24319e502ab\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 138\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 8\r\nKey = bc79d444dff9d9e722effab07b068cb7\r\nMsg = 07d5a925b724e2443936\r\nMac = f964302c270af24c\r\nResult = P\r\n\r\nCount = 139\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 8\r\nKey = 1a15b24ba5d9648358f2c39c9da8512b\r\nMsg = 15b94910853a8f23dfb8\r\nMac = 8cdfbc13239e6aa1\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 140\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 16\r\nKey = 618fb69c8fb670250c306b3225687d17\r\nMsg = 7f54845a57d916866eff\r\nMac = c0d4db73891bb1efa232593407856808\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 141\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 16\r\nKey = 8000aa080c127cbabfdfa5d9d9728c7b\r\nMsg = e53101e6eabcda32c13d\r\nMac = 5671badc409d4b170d4c861a0b3e1fec\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 142\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 16\r\nKey = b05b5557ab145cec2f00706dbc6a3c23\r\nMsg = 5e2f601395ec406fcf96\r\nMac = d00243508d25804548c4b4b512cb1906\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 143\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 16\r\nKey = e8b13346b61daedc1f9e3b49df8d1cd6\r\nMsg = 0593365419e0f75b6323\r\nMac = 871eb97850a776e7ad498467064484f9\r\nResult = P\r\n\r\nCount = 144\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 16\r\nKey = bc498326755503ff25d02805eb351722\r\nMsg = 9ece4c82fe9d38ef64ac\r\nMac = b5e88af50d1cff3d2b6d304edf042c43\r\nResult = F (1 - Message changed)\r\n\r\nCount = 145\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 16\r\nKey = 4d248e73886a0e36b3ce7c6113477f4d\r\nMsg = 8de6fe3b24fd6c202ef0\r\nMac = c1a4f6d0ff7330171cfe570e900ce2c8\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 146\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 16\r\nKey = b1b9fd78e3f8eaf4e8c91da62b2da534\r\nMsg = 482ea6f652067e8b791c\r\nMac = 63c6994c98bda91723f832020fa7d223\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 147\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 16\r\nKey = 85e4e63341658144a99fbd17d94e3177\r\nMsg = 21ff834bec4ec6384522\r\nMac = 580c1e549a2ceca4743256a9cc972e84\r\nResult = P\r\n\r\nCount = 148\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 16\r\nKey = 88b5448372548e6aab1b262630a28a47\r\nMsg = 36dbbff560ef04ea731b\r\nMac = 5fd17fd704baaf1ae6b3330ef2989dae\r\nResult = F (1 - Message changed)\r\n\r\nCount = 149\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 16\r\nKey = 8cc76730ca47620d0b437112a2c93fd0\r\nMsg = c73be9f019913f2222d9\r\nMac = 2c73e2b5b84d8f4f3db1fc92831a03bf\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 150\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 16\r\nKey = 7b657c640f155f1ff461c83cd656614d\r\nMsg = be9c5e77bf1b9dcbd4f1\r\nMac = b660ec36c0c0b4d987439505f1bf57e8\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 151\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 16\r\nKey = d5044e9f10bd274aad4f7e605bb828f2\r\nMsg = d0be84df789c98dd125b\r\nMac = a26e513b09f184caf8d76d76961d1466\r\nResult = F (1 - Message changed)\r\n\r\nCount = 152\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 16\r\nKey = 24d6d4bdc9fc4cd05b2867e9123acf18\r\nMsg = 0f9703a3454c25c0b105\r\nMac = 41676ddadb7b960e0269c8a59a6d9b91\r\nResult = F (4 - Key or Key1 chan",
+ "ged)\r\n\r\nCount = 153\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 16\r\nKey = 6aa049d06bf66d2e2b65541eaa3730d8\r\nMsg = c562ab24ae5cdb7654df\r\nMac = 0d4d1196158fec46bfa754a526ba4a25\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 154\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 16\r\nKey = cf3727509577f1932bd7a92589c11e67\r\nMsg = 831188efc5d1f6dc9bb8\r\nMac = b5d162c885d7d4f6f65f4188d6582240\r\nResult = P\r\n\r\nCount = 155\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 16\r\nKey = 0bc2fdd890c19882640f8d4188b88b9d\r\nMsg = 296828cbee50f41d19b1\r\nMac = e583d77645a603d841eaafa8860bfa91\r\nResult = F (1 - Message changed)\r\n\r\nCount = 156\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 16\r\nKey = 5bab8051e2520b75673068b9cda93cba\r\nMsg = f16cba03402f9924daa3\r\nMac = 97f7eab25dc3ab017a9affc0e400dcc3\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 157\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 16\r\nKey = 7ac46e3249ca28e1ef0531d80fd37c12\r\nMsg = 3e9ddb8121760bffb7c6\r\nMac = c6eb13d5087d05b4eba2e74b283b7fe3\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 158\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 16\r\nKey = 40f78f7ad3eede36e13bce222c6a4bc7\r\nMsg = 4fa8ad212ef73d37d48e\r\nMac = 3831419e62b51b7ced0d9117e48fabf6\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 159\r\nKlen = 16 \r\nMlen = 10\r\nTlen = 16\r\nKey = a1f82c9924411e98e6f93fa0d07559e2\r\nMsg = 7d4748147575bc0113ab\r\nMac = c23dbc58fe22b34f7b007590558a3080\r\nResult = P\r\n\r\nCount = 160\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 8\r\nKey = 84760f98ec565d281496b1295b25150e\r\nMsg = 9ce942ec81f8226506d48788e3acf49fcab6da22\r\nMac = 606c2f459a9ce198\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 161\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 8\r\nKey = 3b6dd5169350b230774b02b9b44f06bc\r\nMsg = adb1ad81dac0ebc650d48f7a9329755a83f293d0\r\nMac = d7ceaa858508c476\r\nResult = F (1 - Message changed)\r\n\r\nCount = 162\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 8\r\nKey = f98d00755bcb45e6822121fe7cb03c8e\r\nMsg = 7064a2491f716f4a2969815e4a281a54690ced9f\r\nMac = e14634c400b9f561\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 163\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 8\r\nKey = 5d27cb435e7724a246f158576fdbac68\r\nMsg = ee8ed4c12b0cf7c03bf91fba31a6a7b2d64c36c4\r\nMac = c10b474c0077a39a\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 164\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 8\r\nKey = 098c12058a0bc5951fc092aba322e1a0\r\nMsg = a2b76835229017bd0e8167a40ea1e2e18cc5db0a\r\nMac = 1d44128c3db0f7b9\r\nResult = P\r\n\r\nCount = 165\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 8\r\nKey = 74f7f6516a17d5386c289756240241ed\r\nMsg = 8eafce9ba466fd53eb87f499d7c76bd486db0e90\r\nMac = acd978e0065375b6\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 166\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 8\r\nKey = 013bba67d26c7e52ae48dda3b67c9c96\r\nMsg = 48c0d53b85e6fa4928d3e9953afb9b451bc91a48\r\nMac = ef41ce0d30baece9\r\nResult = F (1 - Message changed)\r\n\r\nCount = 167\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 8\r\nKey = 14cea4c46d837c9439b088fba0e9d85d\r\nMsg = 3477384c396a9e9efb3e169722cba779fef240c4\r\nMac = 902158426696c229\r\nResult = P\r\n\r\nCount = 168\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 8\r\nKey = 24f7b08fc2e6af6402243e22ca0626f9\r\nMsg = 914cf55a3fc739b5f87ac7518cc4171b4499d951\r\nMac = b775a3c1dc11d074\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 169\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 8\r\nKey = 35b5428d440503773f30748ff843be68\r\nMsg = a5e5804cfdded4d610d1b05b7313ece84f369ccc\r\nMac = 6dac0947366be803\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 170\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 8\r\nKey = c8afe4e5b1d019c2efdbeda65d874ba9\r\nMsg = f739e632436470b5a1db9fa9796ed384c0523f40\r\nMac = 04c8aceaa8f8c3a1\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 171\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 8\r\nKey = 05a7910edcd7252b37e6d3d080a9ee90\r\nMsg = 702db7761abb9b5de41a86c8659270570be9d52d\r\nMac = 889a990539cbc30a\r\nResult = F (1 - Message changed)\r\n\r\nCount = 172\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 8\r\nKey = 4c8b0850eab7b212ad96dc7a032f8855\r\nMsg = 2de32ff6ca41b4c97424b121b8ad4edb133c00ea\r\nMac = f5ce7f46d457ec37\r\nResult = P\r\n\r\nCount = 173\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 8\r\nKey = 687bcb63755f2b5c7daf4a154e8525a8\r\nMsg = 02778ca34db1cb5df76cb1a7619448f67d63b26d\r\nMac = 49d48bb0a684c6f2\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 174\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 8\r\nKey = f8c4e562fde4379b08e512b0132766a4\r\nMsg = 627868b46ba546252f4eaa1c25205ccff72902d7\r\nMac = 5459c0ac5bb6701a\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 175\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 8\r\nKey = dd235b05c15479dfe0326ba206ac784e\r\nMsg = e044ec24ddc0605bca89925a4ebc0234811e2a0b\r\nMac = 5ed0a03da09555b3\r\nResult = P\r\n\r\nCount = 176\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 8\r\nKey = 665c2d7d6e69c2ce8f0d06b41038b83c\r\nMsg = 4fcd7541000cfc223fe9da6a030c681d0fb926cf\r\nMac = 1f022feb38ae6131\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 177\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 8\r\nKey = 2efb7cd914a59b6ad63b7d1812f254db\r\nMsg = 67c9fe3e163787705a20f2fc8c468c4f771991fe\r\nMac = a866d6a31c0b42e6\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 178\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 8\r\nKey = 74f6fd37ccb4b7702bb3a03b7322c0d5\r\nMsg = 011ecbe98c5cb7734476dedbb852e2474a5ad594\r\nMac = 707ec713b9bce5d5\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 179\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 8\r\nKey = e673b3a954a00082cb7516ca9a54d9a1\r\nMsg = a6fbd41a838bdf0fab3e7b56c27a8c18dc4bf970\r\nMac = ad4dfde057b54a27\r\nResult = F (1 - Message changed)\r\n\r\nCount = 180\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 16\r\nKey = ce5bf070678cb07e963263b1562ff793\r\nMsg = 2bd10c4397a19fc79a307116a0847e0aaaefe813\r\nMac = 299e5910f128a1f091dfb6b70f6a60ea\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 181\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 16\r\nKey = bf144c9bb974729aaa1188ceefdf85e1\r\nMsg = 5e1ef2ad86ceaf5439fe87d2ec9bc41b52e5ba01\r\nMac = 58b4a32ae55966e42712721363ac9eda\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 182\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 16\r\nKey = a0cd07b684bb9e0e6692e320cec4510c\r\nMsg = 6e1e490a30f0c9e3d3b79f1c36aab742bd67c585\r\nMac = 24dd518ffffc1070f13d50d0bca42711\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 183\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 16\r\nKey = e3ceb929b52a6eec02b99b13bf30721b\r\nMsg = d2e8a3e86ae0b9edc7cc3116d929a16f13ee3643\r\nMac = 10f3d29e89e4039b85e16438b2b2a470\r\nResult = P\r\n\r\nCount = 184\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 16\r\nKey = 4073251950e3331d03d67a2399576d28\r\nMsg = d5dfd0321b26e578fe987456ff061dc1cdaa4161\r\nMac = ed2823fb8fcae918064cef6211646e50\r\nResult = F (1 - Message changed)\r\n\r\nCount = 185\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 16\r\nKey = b08f47101365111133d974e8f0206507\r\nMsg = cefe484955fae117649ec158416a7439f29a596b\r\nMac = 3317717c6c0b138275090ea961c8d58f\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 186\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 16\r\nKey = 166fb8d0e110124c09013e05688605ee\r\nMsg = 24c65f715742da7d06046c783a35b2648180b4f2\r\nMac = d27901a86dbf0ed8bde0d69203646b7a\r\nResult = F (1 - Message changed)\r\n\r\nCount = 187\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 16\r\nKey = 20f6f56117758ba47a08dadf93a59056\r\nMsg = 7514e0f402e73d9c0b0576782011b2e6b2080a6a\r\nMac = 11cda489b6dc0ab48d111ee6cb26a829\r\nResult = P\r\n\r\nCount = 188\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 16\r\nKey = 7fa6ef35ad594a09cb74daf27e50a6b3\r\nMsg = ac0d616ed7dd3c3e86b3507d9f2bdc3a807d490e\r\nMac = fbad2fc6c9d0e5d21b25445f499eee10\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 189\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 16\r\nKey = 815871a8300471dc325f8289d0d37211\r\nMsg = a8ff31e90556236cb4df078943c1f2528b42a7ce\r\nMac = 5544c93de980bcf653354ce08aa9dc3b\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 190\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 16\r\nKey = 06aa3f6fc20f867b42ec234a1bcb8665\r\nMsg = 25df5cc617e6e68be181694721a2a112a1bfb7c6\r\nMac = 2eeb7ab470caea3317a6336f5eee24a6\r\nResult = F (1 - Message changed)\r\n\r\nCount = 191\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 16\r\nKey = 860f8fdb021b1974d40e3d4bc41fa967\r\nMsg = 6c982a616510db422cc2f1beb955c3e7a88b6097\r\nMac = d2280a55cd0bcd18846b4e30db6322bb\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 192\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 16\r\nKey = 15105c6285a9015d0edd414d6a806bd7\r\nMsg = f1cc55636836e67909ed3a581de20630226dd5af\r\nMac = e9cc5799a630c6f26087c1bd3b6f1791\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 193\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 16\r\nKey = b47aa890b03a8ac0dbc8f96c30fdf7db\r\nMsg = 58b06c99e0d0256cb1c556ec3b48a3bce73450a0\r\nMac = 3376cacc247686832736cea7e67e13af\r\nResult = P\r\n\r\nCount = 194\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 16\r\nKey = dd057368033252d9bb2081a0b1a0229e\r\nMsg = 81de8f50fbe35f7ed95430e74d28666c885b6100\r\nMac = faa08c5a3a4ffdce81ca31873197d0",
+ "35\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 195\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 16\r\nKey = baf5afafd7d0c8ad42a44e4e0a90fd2c\r\nMsg = cc5a4209a6a60dcf12621e17150b4576b918732e\r\nMac = 5a43002d9144a1d5e48c2dc8dc167a52\r\nResult = P\r\n\r\nCount = 196\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 16\r\nKey = fa6405355bfb5065dc81e764d20277bb\r\nMsg = 5dd1febed8e94d4715e772c3295b48eaf471daee\r\nMac = 29e96ce5ba930134670b3c68b5c512f3\r\nResult = F (1 - Message changed)\r\n\r\nCount = 197\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 16\r\nKey = ad2e3d3af6195e74b3e43296b1f618d3\r\nMsg = ca776f79b8581014ae58a4d533b60483fd1fbbd0\r\nMac = b32ce1f493b126fccb9829d4dbe76382\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 198\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 16\r\nKey = 04ae7190f0cabd117d30a359f80b720c\r\nMsg = b885e5e147f967032ab2552829a6e09210c44a45\r\nMac = 9386d73a01960ab399bb7d290674b21f\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 199\r\nKlen = 16 \r\nMlen = 20\r\nTlen = 16\r\nKey = 51fdc65f6bb0d20a3c08ac1493ddddb2\r\nMsg = 1f0a56fb615b594d938bb8a27f4b2f5463ee9a61\r\nMac = 8506fb1b74806381e2654c8764464d8d\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 200\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 8\r\nKey = cfb7e930b838dc3644f6c06f2ad0c8d1\r\nMsg = 611db4c194dbb54d80a4f4fa731cd9a6a330eaca734d3351f2cfebaba4bd541d86b3e35b4c1fa158edb0d15d610cd359a9c24878117f77f6b284f0363a576e0ef0\r\nMac = e9589a711f5d4a5a\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 201\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 8\r\nKey = d179dfeead9d765d000462785459b1e2\r\nMsg = 795ee78ffdf302f3f1f2b31629ae918409cb42979afe3752dd14968d603678520e6b55884b5ebcce416248aa74b3cfe39dfedc2bb5246001503ca4d62cd7826f0a\r\nMac = f16ea84f554dfb54\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 202\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 8\r\nKey = 22b7eb25e688672ab0e17206623094b0\r\nMsg = d830b16fa236a1dbe60f6db8d7e81a3ddb5f658c9f446e94639cae3699ec2ea6afb4fb152939d58df287271cf4b73c34e66eaf5265a623de47b135522c7aaf9f55\r\nMac = 16229efcb7523025\r\nResult = F (1 - Message changed)\r\n\r\nCount = 203\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 8\r\nKey = a64fa98b4662d801159f61eefd1c8bc5\r\nMsg = d5982c462ad40458660cd7b120ce07fce9afe812caedcebdee536ac19b5d561d679dee8ea85d62552c86093a2ac1f8d179dbd4fc006ee4b16ebe6afd2be134498e\r\nMac = 2f9a2fbcb96461fd\r\nResult = P\r\n\r\nCount = 204\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 8\r\nKey = e4fb10325d18666c382e6cc2442381e1\r\nMsg = dc28484ebfd293d62ac759d5754bdf502423e4d419fa79020805134b2ce3dff738c7556c91d810adbad8dd210f041296b73c2185d4646c97fc0a5b69ed49ac8c7c\r\nMac = 8f771ffe0c8d3445\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 205\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 8\r\nKey = fdcd3459061c36c9a0daa0dcab2b967f\r\nMsg = 1cfa3342540d03ec3fcc8378c021443ba3321fbc26dad7c5b859faba004a082a21d6d7a43d2836cc3820d1adbe4c55518714d48fd9346a254f702107da8212f605\r\nMac = 6635f9e17949a14e\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 206\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 8\r\nKey = fc593384e6eebc508d181fc49ee10e56\r\nMsg = a6c891c9dd1fcc982c35bc74cfe71651bae424602519672b466d80e160af51eefccc5fcf76467a25bce1a10853a0209d9beffbeb53228fea5f1e77ddc956ade207\r\nMac = 7a6fd94e3928d2a0\r\nResult = F (1 - Message changed)\r\n\r\nCount = 207\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 8\r\nKey = 4e4ff248f591ca27665960d9357a8de1\r\nMsg = 198d5c9c4aa35d12b62e8c4bf6f3f141e6ebefd8ab396c71f55e32bc82b094cde409547383bcc4c5e5cd2cfd2d616c8ae273e260f2c98e93f7267424b8c2421bf3\r\nMac = 9140f91a0cf70762\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 208\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 8\r\nKey = f20826990acdf225d9451a3d22f89747\r\nMsg = 03d340904ace1cd52d4b72a96d96afd77aee68ac3936415005ed0d56f46036915b1e5f2994ad49effe7bf3ee46170642e5a16f2eea804e68fa520fb79529d6c09a\r\nMac = f30b668f16bfe6c4\r\nResult = P\r\n\r\nCount = 209\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 8\r\nKey = c231ea8b75c65de68c49b76e7a3128de\r\nMsg = 5b50879191a6debdb96c0bfaf9086b7dc6e25594416b08d2c75fe16cc347d2e3c7410fe3dc030a6c161ea22f6b80973bc43d42d8558f83b32a1bfa3c03757a4d62\r\nMac = 65ba53ef4711e807\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 210\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 8\r\nKey = 8ef18639bc8c831dc0b4aeeca25eff4f\r\nMsg = 094c4d9baead7c5acd7dc58f3b4b4f57f1406b4e6af81a034d90cfa94c01760f4cacb4d2c63671d16d9594e1116b0dc2c39319523afac10175b1a485a240f7cf3f\r\nMac = d84f89e16c3b1633\r\nResult = P\r\n\r\nCount = 211\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 8\r\nKey = bab9d79aae4a1b282d8c5aa35d5c0876\r\nMsg = 02815f53c2be5f7246d4794895b4b15b6c3944819dfd3051b371f6d7d52d9f8ced84fd84095c33ea013c78aa5aa7176d6aa9bacabdafe9bab89cce4d7c183b9c0d\r\nMac = a01f976031bc8140\r\nResult = F (1 - Message changed)\r\n\r\nCount = 212\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 8\r\nKey = 42b97f583f64d88358885c66add5d03a\r\nMsg = 187fe16a764c0987a28088f5cfcf55a6b9591b6395d2d41043e09932cbc4b8ae073d08d39da9799b316eef2ed89851a8cfc4dc1c6d3cbed95663e0ecf25403e61d\r\nMac = 0820b1ca0cd34e5f\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 213\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 8\r\nKey = 4fd555bd3a5253a90b68b5d4d46bd050\r\nMsg = 1ef253c61ac8ac66734ea80eefc1dc077edd660dc3518b5ecf709f10302925a72a3938e7449f2ae707506a67022dab63113242e9dff0d027aa3d22c8462a558165\r\nMac = 3770a6cc988a28eb\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 214\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 8\r\nKey = d3a8eb3f9e5fb264ff098d85c28dd763\r\nMsg = e97a0986bf75e0e821f5adda80778863d9d479bd8ac3e7fe64a053f8016c465d581487278ef6923610a1463bdedcded62aeb22fb210dde9a0949947f8c6a6e7753\r\nMac = 4947e6e28dbba216\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 215\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 8\r\nKey = 3043857fc40be37fb0bda4f46894690b\r\nMsg = 14874a8b59b0178c5ec89cd7316d909371969c1a1a1bc8a29f78341d39ce085e7e2aad7c350a3e7b691d3929bc4b7b47fef56be9fe7e7520a00abad5308505f8f6\r\nMac = 1a8c82e9109a68a5\r\nResult = F (1 - Message changed)\r\n\r\nCount = 216\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 8\r\nKey = b325d425c810d22deb3209f29c5c1377\r\nMsg = e44c4202499440c12109296a35dfb1f669f97e7f415cd251a5e36943e134a548f0f2e841fa3541151b374c04665053382a24b99d731b99f3d411aa22644f66cd07\r\nMac = 84faaeb5a9756a27\r\nResult = P\r\n\r\nCount = 217\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 8\r\nKey = 7cb6a84e99f5573c1eb27c0078f2127b\r\nMsg = d7fa7be9c10252d6e41bc1a08195a344ef77b81785cea6b4ba453d398bf6ffb31d80e0d6a45a4af283676422b5ca94c76bfb4334f61ae0abe884278976a5a3bd21\r\nMac = 64fa7f9284c24f14\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 218\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 8\r\nKey = 00341fb81209c2abdfe3a9d607b98277\r\nMsg = 74f6fd37ccb4b7702bb3a03b7322c0d5fcc657cb2c3f1361488d853589d2d6207359b65d62d896ed66f217395000c2fa0d11f956332f2d4bdae55251adfe903b41\r\nMac = 4cf05b6e583c70f9\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 219\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 8\r\nKey = 647a5be8a66c83b4b238975388e15d00\r\nMsg = 0db33eda4188a9165147e24e40f79fee1985eb68d51627287e9c4ec995a77d89b27fb2fa6a6fd3fb7563f3e710b6d20ca145a25f9ac8116d9f628395eb769f75f0\r\nMac = e8ef4f3cd7442246\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 220\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 16\r\nKey = c98fc3416457d9eed0fa7ab1dc1b8a6a\r\nMsg = 190ae57ab8bb70464e4a10c112a54c646438301b5662f3536c26d754a02451d1a9c76abd7dbf656115b2a2ac702ec2cadae30cf86e0f0f96da39897d6222889428\r\nMac = 1bea94a457b2886e9098bf3ded932a3a\r\nResult = P\r\n\r\nCount = 221\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 16\r\nKey = 87428d5a53f750abdb335f70ee13b5d1\r\nMsg = 7bb0c2ecfd141e7e93a897b259732b6153af3542eb7289b1a18dc0aefeb4d129c9e0e27d7ef25d3afc9945277e75cb87cc7d1c9cb39e7e6ab2a49bbdf65e1c6d89\r\nMac = a854d2da46afb77a787f0606a69cf467\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 222\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 16\r\nKey = c725d9ef0dc6cfca84865cf5cc91d403\r\nMsg = d3208eb695e84c7a9250378e18be2f231ca3ebe72ba68e3ea4ff7bcf25206b43439bbd497e400dde738507cb542c7d6f961fb8bee99f0c8a6d9daf022368cc78a2\r\nMac = 35d57445a5f10fd567595fc668293e95\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 223\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 16\r\nKey = 13e3fe7856cd680593a85cda3d6ff873\r\nMsg = b208e5a1a852caef0795150cf8313ee0cff06e3d28d438c2351484005661cbdcea6d8a3466aef0c6a460da4d7dc902ec99c073d086704112085a76dab0994fcab0\r\nMac = efb2bef5aae555463ebbeebe69791459\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 224\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 16\r\nKey = 9b8112c1fb29fba2c8b0d8f16481b993\r\nMsg = f54105a04a4a02a1a07e020a6a4f4176e9c92bf40018ccac434988c650550c87625b84bd232d0e5ec20e6f6c46ba061b22a7fe36098bc7bf031ec6d6c1214bdb2d\r\nMac = 673281bc0effe92adfac4fef49477ee2\r\nResult = F (1 - Message changed)\r\n\r\nCount = 225\r\nKlen = 16 \r",
+ "\nMlen = 65\r\nTlen = 16\r\nKey = 82e71e3ad1bc9a12a46e460a05ad9c05\r\nMsg = 41fb3dd6df78fe267175297e208ac753d50aaabd9edbf5e45385dfb47988b3d966f31be7a6329fd89e2869bc6f7e4bac1e3a0300f193bdc21c03d9629c9fefaa64\r\nMac = 36f7df58abb54a053988cae066110ecb\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 226\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 16\r\nKey = b46e219217ab73c34904e24c6d995b72\r\nMsg = 887d6576572a3d8f6a1649394248c4d09d15026ffa930c0659508bac4243e7360802af084f363c2bcc4c91a04c6e86f4f8b22615d7915564949ab60b8267cb91dd\r\nMac = 10c1d8054ac549ad24ae4af2d8de97e2\r\nResult = F (1 - Message changed)\r\n\r\nCount = 227\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 16\r\nKey = b66edcc59dc9d8e34bea3baf4bfc0d5e\r\nMsg = 57caadbb1a56cc5b8a5cf9584552e17e7af9542ba13e9c54695e0dc8f24eddb93d5a3678e10c8a80ff4f27b677d40bef5cb5f9b3a659cc4127970cd2c11ebf22d5\r\nMac = 0c5864eefc04a6cac4f053ab2f65f851\r\nResult = P\r\n\r\nCount = 228\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 16\r\nKey = c607f631d792499ea43586b81fa3e2f2\r\nMsg = 21ed22abc7bbb62fb2d51d1fb8830ca95b16213f56291af976274934ab0d43805f71d9b906c44973f7d4b59b7a94d35c2220e7405dfcee98499c1c1dc92a89d7d9\r\nMac = 4e65b3d58492a0eebb66928a8214498f\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 229\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 16\r\nKey = d9e9136339d361949242e4d8a0cd6917\r\nMsg = 419b9c9b093052577837862900e7de29273eb0678bf6238223b59176c78430b6f382f27bc8d9a95b53f26f1d12e545ccb434fa0a21b84fa7badb5872e208254fbd\r\nMac = 6c81094aded51ccd4da38d0412e7ca67\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 230\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 16\r\nKey = 6f349dd8b69dd41c6f246a1685115772\r\nMsg = a5a3c8afe5b84e0c3ba4f708a87b596d1b7c8694dbe691d7240e4e4815ad5aa4ca7e5b82c50989d092b96e80aa35e97f99ed79e75cf3b8750d0d263dc208289cb2\r\nMac = cbf41299c35e65fa4e2626430f95051e\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 231\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 16\r\nKey = c15e4e552c9197184b3eb0a74f5fffe0\r\nMsg = 7c4699a7d9e2d9f31410f20029676f3c97f5793f6732f95f6d33fd7ecc205d27b8e89eda803316a3cb9951f12111b4a6aeac606b43835a469eede86eebf63e5e8b\r\nMac = 77e77de5c5600900e5b928d4be3d5f8c\r\nResult = F (1 - Message changed)\r\n\r\nCount = 232\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 16\r\nKey = 2eda9b2c6d7ad95b644a8739580ab4a4\r\nMsg = beadccddcf392ee56a8913f057da183ab06ec538e581b52c027ff7f63574b32d8bc4116efa1c56f4a4a851695a87f5fc5f7c47b46fe67b0400f2599fc80fe68d7f\r\nMac = 948e63657b8b6e2d130f6f25369d6160\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 233\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 16\r\nKey = 233088b67b741f07859d122a6a406d89\r\nMsg = 5717ed57ca0b6921f04dcacad34e0f6210c36673dc9f4d92493ff733c6e5f1c2e56805ef622a5f496049ee0ef51a0d41e9d363febb87070be558e8af61e86dc76c\r\nMac = c778152b00760fcd85bced0f58861d13\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 234\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 16\r\nKey = b7471a8b2e50fb319f198a09cdaeb319\r\nMsg = 385f9fb139dbf88561b7a500b0c7b835fe57e2698c6d9f76de4fae6dcd45c47fd8a0811ebbfba35f43c17aa360f09c767c1cd9b70bb671fa638e852ace97cc73de\r\nMac = 1a8b81be875a4814e3f988c274784a63\r\nResult = P\r\n\r\nCount = 235\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 16\r\nKey = adf072ebb71e3400a2175c96fb0007a3\r\nMsg = a49840ab727bf6b03015eaca3f15a2bb64fd27b51b27fe7a2e0559c287ac8fdd4294ca990799ff66974624b8a4539dade66cf7f06b35d8dd2f8a36e6ec0bc83533\r\nMac = ceac74b3af8750467e3b3c51624d96d1\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 236\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 16\r\nKey = 1b1d471add4e7f4fe197e3a4a44d06ab\r\nMsg = da06bd1405028d93fefa3c037b5ad551879451a28314bae86a7591b359f56e4b4e26e6fb2fe7b1af0f930cc2ae785d113e8b16546d59dbae9f41e7827be1ac89aa\r\nMac = 16d0021b1f9c00b37fefb60af3358d87\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 237\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 16\r\nKey = af5d4991c189dada2cb552c3c52d599d\r\nMsg = 1bb1e0efa2d6811d2370a039a0c47c59683befbd46c04257f86a468ae25ba03304e865e62afae77a62b3cec7b3556aae0c60475a7bfb02c69f955c7f60cc8dacdd\r\nMac = d7056fe01f0ed1b20adbe05cbccc544b\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 238\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 16\r\nKey = d149441e667b245d4640e04c53ca6f51\r\nMsg = cbb34794bc8bfdf93d3c8d9f87ec1482b516b48b1e8a89b5e3b5df70c423a243384215b4bc69c76c6b18c497cf82088af74839a8c98895869a16294dfc094360d7\r\nMac = 64f5e8dce5c3e0f9cc224e306de70b87\r\nResult = P\r\n\r\nCount = 239\r\nKlen = 16 \r\nMlen = 65\r\nTlen = 16\r\nKey = c2f5d4837f9f75fb440c3bccad7c2e69\r\nMsg = 6a84594c4b3865f047c96038060b5b413db0d4e081c62e405b815ecd9e3be651f8b9075dc8b032eb2f87c1416a5fe4195f51defe75f671f9a92d966ddf18724075\r\nMac = df8c8c61e8d604e24c7e3d0115dbe898\r\nResult = F (1 - Message changed)\r\n",
+};
+static const size_t kLen40 = 69750;
+
+static const char *kData40[] = {
+ "# This file has been modified to remove the 65536-byte long inputs.\r\n\r\n# CAVS 11.0\r\n# CMACVer information \r\n# Algorithms tested:Alg = AES KeySize = 192 Mode = Verify \r\n# Generated on Tue Mar 15 08:40:38 2011\r\n\r\n\r\nCount = 0\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 8\r\nKey = 771887708683bcb3577fbd0e6c13cad39955eafdc226d17b\r\nMsg = 00\r\nMac = a0db9bb6e8891e92\r\nResult = P\r\n\r\nCount = 1\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 8\r\nKey = 733fd349c56d1086794eb20ed59ddc89b065bb8533b968c6\r\nMsg = 00\r\nMac = c76f82937b457105\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 2\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 8\r\nKey = 761d74be5fae170a1bdfa16081b44c1e49972e15ce0818df\r\nMsg = 00\r\nMac = c65feb3d5336dffa\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 3\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 8\r\nKey = 40f4a2261f154280a311f5b172c7ae34243cf2c59b98d37e\r\nMsg = 00\r\nMac = 05d920e78520839e\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 4\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 8\r\nKey = e27150ee958b998c8a7e8b9324ead937d15580d09d6ffc3a\r\nMsg = 00\r\nMac = cf60783b5defbe3f\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 5\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 8\r\nKey = d9bf5efb694089b2de533b1a65c12ae96d8c5bd75bd67fa5\r\nMsg = 00\r\nMac = ccde2029fb26c8ff\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 6\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 8\r\nKey = bcc658b2e53d51ed00c567ded2a124f8d1f85fc72dce5f80\r\nMsg = 00\r\nMac = 35d0d9ccab5b0f41\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 7\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 8\r\nKey = e31fdf3891c9068f621430315fb1daf418c328baf5e6da97\r\nMsg = 00\r\nMac = 8802047c11abcf2a\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 8\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 8\r\nKey = 16a10208e91807fc479607cbaa39fa9c7273d89ce403b796\r\nMsg = 00\r\nMac = fcedadeca37381c1\r\nResult = P\r\n\r\nCount = 9\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 8\r\nKey = 50fec559910391abc23eb7f5eddbc26a1031c0abd0a29ad6\r\nMsg = 00\r\nMac = cdc41e9b491092ce\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 10\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 8\r\nKey = 6e9e0ae953b1b486ecd6b766d7b961ab79bcdfe2ffe95e94\r\nMsg = 00\r\nMac = 5096b9fc700929c6\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 11\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 8\r\nKey = 48043c405ef221c281d1e88246b6e1dda77e072f9d10353d\r\nMsg = 00\r\nMac = cab96cfcaad5cc20\r\nResult = P\r\n\r\nCount = 12\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 8\r\nKey = 10c361934fd6ff77a5051879ff228b08d841660d48b4067e\r\nMsg = 00\r\nMac = 167e7227d59d65e1\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 13\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 8\r\nKey = 867ab71470f2dc3f5f11f8bfa7272dfc9c888e8e03323103\r\nMsg = 00\r\nMac = 96d9e7b084448004\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 14\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 8\r\nKey = 5b10c228b447968267293ede9131d9345daa18c11d71eff4\r\nMsg = 00\r\nMac = f7055fcd9e8a8fd0\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 15\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 8\r\nKey = 997b712cd9295dc43cc19b40679f218c27af3e8c638d2e5d\r\nMsg = 00\r\nMac = 79a13778151aaaba\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 16\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 8\r\nKey = 465b9364b3f06f3c28da12707673fecb4b8071de06b6e0a3\r\nMsg = 00\r\nMac = 945198b568ed3db3\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 17\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 8\r\nKey = d233ef50e0ce1924abd315510464ce22de377026529085ce\r\nMsg = 00\r\nMac = 240698cd0183f002\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 18\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 8\r\nKey = eb6e828e01930a4b0afc8bda63160942ce32df7b2c38a8c9\r\nMsg = 00\r\nMac = c68fc388f0633ecf\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 19\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 8\r\nKey = 471b8a2e5cb08c21d87e9eb7ecff1d6e6fc2335581769dc4\r\nMsg = 00\r\nMac = ab5e7c91c35a0e91\r\nResult = P\r\n\r\nCount = 20\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 10\r\nKey = 8b404993b4c3f62a57e4aef272788206c8076acc32cf3a1d\r\nMsg = 00\r\nMac = 6a3beff4d1d0e84ea4d4\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 21\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 10\r\nKey = 7cccb84fa5c1c795bc05a05ea5bc6497acd2de2d193fba72\r\nMsg = 00\r\nMac = 557b8efe4ca9c4e603f7\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 22\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 10\r\nKey = f1d434dac8cefca05ba120a34840531bf1542c8fd03b1ff9\r\nMsg = 00\r\nMac = e2c299a2c5159eb777cb\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 23\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 10\r\nKey = 7fac8beb476b470e13a404ded315db1b15a85c2783eb3017\r\nMsg = 00\r\nMac = 50faaf26afd61c5f616c\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 24\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 10\r\nKey = f5b4c2a9f096e13ab426dd8654fc7b8ae6a4a8d3daa16b9c\r\nMsg = 00\r\nMac = 535cde3d2c32788bf167\r\nResult = P\r\n\r\nCount = 25\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 10\r\nKey = f72879cc3446de9a0a43ae1cf08935b8c83f9265b8cb2258\r\nMsg = 00\r\nMac = 4eeea4a1847f2a30010c\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 26\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 10\r\nKey = 7021eaab074be980543cc70c809186d93652d7674c10ddd9\r\nMsg = 00\r\nMac = d98c93f4e0228ff68cad\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 27\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 10\r\nKey = 7fd546397a9a0129861fb6815d419a307f90d259d55f3503\r\nMsg = 00\r\nMac = 13597bb97e38f400e686\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 28\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 10\r\nKey = 563cfb49f1af034cd38d2112685a52ebce8dca93e84ca10f\r\nMsg = 00\r\nMac = 866bc21135b11ea1bc24\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 29\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 10\r\nKey = 17e9555b9b4f89cb63f2e90aca95c27ead6a099bc41c4c05\r\nMsg = 00\r\nMac = b04b3bd1719d35e80e2d\r\nResult = P\r\n\r\nCount = 30\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 10\r\nKey = a65d24bd1ab92d8d294d654423412860e113c976f12ed76b\r\nMsg = 00\r\nMac = 83c1c0f3e89f6584bdd1\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 31\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 10\r\nKey = 35555c801a2e7c68cd0c347e0f006be00fcce70fdd8d60ae\r\nMsg = 00\r\nMac = 7e3670cab617e79b3f57\r\nResult = P\r\n\r\nCount = 32\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 10\r\nKey = 138b3db9baca13bc66e893efee2b767ce6a912b172c2cda7\r\nMsg = 00\r\nMac = 4686805681afa38cb7c4\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 33\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 10\r\nKey = 1bc05440ee3e34d0f25e90ca1ecbb555d0fb92b311621d17\r\nMsg = 00\r\nMac = 1e9f80432b39f7318433\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 34\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 10\r\nKey = 5776d94b577ed26820fb13c00ab0e2d1a1c3589bfdc45cbd\r\nMsg = 00\r\nMac = 4d5f56d3543abed97233\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 35\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 10\r\nKey = 22e493c1f2e27c9be7bb07fc00fdd51089582d139b0a9f68\r\nMsg = 00\r\nMac = efe1c6493542a8412118\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 36\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 10\r\nKey = d52f030107a2becde77331fff0c24cd72ef62c0f46ae3e6b\r\nMsg = 00\r\nMac = d1b9c7f13b189cd828c7\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 37\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 10\r\nKey = be31363e5144d9ff49ee67efebeef6d9a97e22f8a3ceb209\r\nMsg = 00\r\nMac = 03228a1a80d5f3d87b56\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 38\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 10\r\nKey = 6a46492ab7ae5f3dbf16ee7b8876e0b4f0449f3b4f8cd89a\r\nMsg = 00\r\nMac = f016af853140edf22d31\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 39\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 10\r\nKey = 89ef2284d8245d87f88919d4d2f71a2df05ee21d85b7d689\r\nMsg = 00\r\nMac = acdbd54bfb1f20bb65cf\r\nResult = P\r\n\r\nCount = 40\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 15\r\nKey = f4e74acdeb91d0f0ab143823102d5baed1ffe168fdb5587a\r\nMsg = 00\r\nMac = 9c15bfd3c766f88190e54d395e5387\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 41\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 15\r\nKey = d9aa4efa5d75195a400018bd38f7d8cd53fdffe88df1837f\r\nMsg = 00\r\nMac = 4a11b22e871b051ea74db3f763f140\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 42\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 15\r\nKey = 13439fb32b1514d48de6002f5d12e19e1ced4caf35042602\r\nMsg = 00\r\nMac = 1412aad5e6b7f0d924700b438e0aaa\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 43\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 15\r\nKey = ffead92a4a5dc1eec6d2e441de9a9e1b7a88c607c9a79079\r\nMsg = 00\r\nMac = 6fb18d51e9a30fe6b7a6f405b3d3b4\r\nResult = P\r\n\r\nCount = 44\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 15\r\nKey = 176ad1686a81992e042d6497a305038ba0cabf74c6ecd8eb\r\nMsg = 00\r\nMac = f676bdc753ffdad36628b1724b967e\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 45\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 15\r\nKey = acd58261bcb2eb6345af7290b1d216c3016af6697bf5ab88\r\nMsg = 00\r\nMac = a6ae95e5a23b5f5a2dd8c8a520b9a4\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 46\r\nKlen = 24 \r\n",
+ "Mlen = 0\r\nTlen = 15\r\nKey = 0b5eb52135dc6d9c1f56a2571c1389852482e7aa3edc245a\r\nMsg = 00\r\nMac = a46221058177012b073c6ebc6aff1c\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 47\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 15\r\nKey = 7bd398d1b9b45f7a024e70e71c1ee7132795fbaa2d63306d\r\nMsg = 00\r\nMac = 119bc07d7f3da0be3a87844b425c0d\r\nResult = P\r\n\r\nCount = 48\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 15\r\nKey = 47575b64fd4797cda8d67e9cf115ae850d7998c39d2f8709\r\nMsg = 00\r\nMac = 3f2010bdcb2fd70241475db9381570\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 49\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 15\r\nKey = 68627d802cfc43bb1a987e1ef4401fa84e8a7b2b43759f50\r\nMsg = 00\r\nMac = 1e0e3333ca5790a7e7df0d6d4bf860\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 50\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 15\r\nKey = 7f16b90a18deec135d32c836063cde963fc4e6daa1555476\r\nMsg = 00\r\nMac = 013e1d0bfc7a7a6c838ac98ce0da2e\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 51\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 15\r\nKey = 3c89c59ab30eba6e5be8f69f597adc534cb52e94259780f6\r\nMsg = 00\r\nMac = 7f9f1bdba93d26cc3c1f022244bff6\r\nResult = P\r\n\r\nCount = 52\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 15\r\nKey = fdcf28931c91b4b79c8f8332b4eeb3f995eb1ed2fb1e8ab9\r\nMsg = 00\r\nMac = ad7f8852f1bfd65dfbce3bb39db59b\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 53\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 15\r\nKey = 8f570ddd0963a80abec82caf8883eaddfd63cee9f375fa7a\r\nMsg = 00\r\nMac = 82b16380d804b8eef855afb5eb839d\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 54\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 15\r\nKey = cc1d70d3050f022442093e3210f5b45f1b610dc0f12fef74\r\nMsg = 00\r\nMac = d1dc61c2ef7e2cd1a4e43dc34c0ba5\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 55\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 15\r\nKey = a8a1cf9547543045fa2f00edf79bd85436bc1ae1d746790b\r\nMsg = 00\r\nMac = 48fc14782a351553ea453a3ec2538f\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 56\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 15\r\nKey = 123ff732cccb535ec7a1c47a6b0ead68df31094d896709a1\r\nMsg = 00\r\nMac = 8f29dcec0a5d026d6fe4dc64cd1d4a\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 57\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 15\r\nKey = ed06bd049d772cb6cc5a705faa734e87321dc8f2a4ea366a\r\nMsg = 00\r\nMac = e3fcf2590fa9ffe093bbfe8d3d7b0b\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 58\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 15\r\nKey = fa18c0b348aad167b7050c0ef6e7caf0436750873c7e4929\r\nMsg = 00\r\nMac = 630915919b6108770f5c3deaece1af\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 59\r\nKlen = 24 \r\nMlen = 0\r\nTlen = 15\r\nKey = f66296bf67b6e91d8ad629c1b260cb5ca1985273925e73fb\r\nMsg = 00\r\nMac = 729f983d3b49b2ebf24eb04368a851\r\nResult = P\r\n\r\nCount = 60\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 8\r\nKey = 2f4a6501d8fe7b65f607757ddff6ed87ae0681b98b53331d\r\nMsg = 2361d2ed837c14b6c231daf0acf2623779e0d952e98e14149308807f79145c30\r\nMac = 9a8ad7bb37d79321\r\nResult = P\r\n\r\nCount = 61\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 8\r\nKey = e2d592cb412e65f9044257d78e7491f9f80c8b08102c2d5d\r\nMsg = 4163b7ad671761a3f27394776970b413e35a2c43ca85560cdd3c9b407bfadb4f\r\nMac = ab85ac3a4f92ee2c\r\nResult = F (1 - Message changed)\r\n\r\nCount = 62\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 8\r\nKey = 1534e69565cbc541bfde6901bd6e598e41a7a703091c2240\r\nMsg = 85b78269899a4712eaa9c3de041f5a74766ec27dd5265da8a117c6f277baaa24\r\nMac = 6b177203b17cc7c2\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 63\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 8\r\nKey = f0302d9a197a285909657d611ce12458b8d24652e91ffe8c\r\nMsg = 3fd6b98961f31c7b7fff0baf1cbb5884a9290ea7b5ee49915efb4b510b6ccd8c\r\nMac = d2d84fac8ecb665d\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 64\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 8\r\nKey = 2081442435626f7ce377132c46385510d9febfdd90c3f104\r\nMsg = c4185eb75fc23adff60d6380006a1c20fa2ff466ffddf67e99a421bfd729188b\r\nMac = 7373df1900b7a3df\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 65\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 8\r\nKey = 715fb6fb464513f3650a9d0c3687980ab9caa9876d69dfeb\r\nMsg = d60b3402ad9f5f09375862ae7a370f0c744ffaf5001c80e3fd150730ab848689\r\nMac = ba39c81c18821872\r\nResult = F (1 - Message changed)\r\n\r\nCount = 66\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 8\r\nKey = a4d9f94e644fbcd97e0d993cb0af507eed259fbcf8fd7083\r\nMsg = 677acb68500d6cbbf77a3f34f58840f0c16044827641dc43d6767ce98f85dd5c\r\nMac = b129c1785acf17ba\r\nResult = P\r\n\r\nCount = 67\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 8\r\nKey = 94b911cdc3137a6f7f32651b788eb82975660aea52b2c03b\r\nMsg = 549aa84bb182312dd016e3107f3b1f9c5b6a89b543561a450ccf713c76e66ad5\r\nMac = 7b92156f8b36d5eb\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 68\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 8\r\nKey = d3fff7b6f08dc4256239fc112890429fa00393e84e9b294f\r\nMsg = 15d1522654bcdce344b5d9753a0a6f31c859d547edf520478a8b5ae41506d5f7\r\nMac = 2d778849023fc9e9\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 69\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 8\r\nKey = 77bbda69ec034d73e02b06f0af30e2dab60ac80cb7822eb1\r\nMsg = 1e6ee96598bd014c95e9540f5cadfe6885cd094e04048e81633d1d634f065f09\r\nMac = d35f3c169f67b597\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 70\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 8\r\nKey = 544a757bc50658d7e73b25688e7fef86fb1f9f08ffb33a70\r\nMsg = e473fe5656713b3b0e4fd12c640e8c542950577f446b01d09cbc41b6393ef81c\r\nMac = e1dad03ab8d2f432\r\nResult = F (1 - Message changed)\r\n\r\nCount = 71\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 8\r\nKey = 1bebfde2d5468ba0a3031bde629b11fd4094afcb205393fa\r\nMsg = cf27b30423bd7e40d6b3aeb4b1bc01b40aec081aa00f2e3bc63ff61ac4b684dc\r\nMac = 617fdf927d0e4e42\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 72\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 8\r\nKey = ab83567833d2f3461b5fbecc0e366694bb5ea00933b2b3e7\r\nMsg = 58d43b9f1581c590daab1a5c56d6fbcff749e489acc3ed51ee6aeeac0104e6ae\r\nMac = b29232e882dcb8ef\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 73\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 8\r\nKey = 0e0fece7b6b659b642668e8ba3dca330523e70279155f485\r\nMsg = d8c35129ca5a84e2e6723332217f0fd2e19fd06eb27d84a93b75276270f97335\r\nMac = d7ea4755260630e2\r\nResult = P\r\n\r\nCount = 74\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 8\r\nKey = b15763294afa61bc27e0785500ab5739136f51bc78b65562\r\nMsg = 8e8271b2758964fa71520f26aab6f870fa76ea4aa220475b3b379ec4ef8e80a7\r\nMac = 6357fb64482d171c\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 75\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 8\r\nKey = 6dd6efd6f6caa63b729aa8186e308bc1bda06307c05a2c0a\r\nMsg = d2c9c1300f5a7520614550f9d23dcba6b41be6733426616f32912f155045282c\r\nMac = a12adaf849719778\r\nResult = P\r\n\r\nCount = 76\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 8\r\nKey = 35631c844313ac335aa0d590fec472d805521f0905d44ca4\r\nMsg = 766f9ac761a06f4e006f405f7b3398aecad253f5cb8653e091e17427ff0fc1f9\r\nMac = 49090265af87c220\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 77\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 8\r\nKey = 35008ef5baf263ae233758ca237dec1a51d67fcd3573094c\r\nMsg = a8f1b7b73100cfe1a03003331d9d55b75fb0d2596ede723fae9240581967ba38\r\nMac = af6c2ebe004c6d71\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 78\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 8\r\nKey = 6f383f798df8f4b9f0a99206cff82709c367340c7b3b0401\r\nMsg = 9668a011e5a3a613ddfd149b0e529e9e66665006f98e730400adb4a8226283af\r\nMac = f97fcc39e240b547\r\nResult = F (1 - Message changed)\r\n\r\nCount = 79\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 8\r\nKey = 9071be7a11dcf7a062d582dd5932f047396fd9eb71982bcd\r\nMsg = a8a6703044010f8301ea33bd9a808ca35838c9f58683ae3925ab67b9e1fe1ccf\r\nMac = 9065cbc5249ff8b3\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 80\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 10\r\nKey = 36ad69f192ae4dcab771aeeacf01bbd32609bcbbea8ff9df\r\nMsg = 6e60fac7c027aed4632444a95824e61e2c50aa3ecdaf09ed9cec92cec35adf63\r\nMac = b6bf70e67b315c256f41\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 81\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 10\r\nKey = 0cbb1d567bce009d1dc5bdb8115607213ed9a516389f728f\r\nMsg = 634efdf89ce2a9fcbd38bdc0b4cece54dfd7532880e0b4ce6eb3a4010b7cb1e7\r\nMac = 4f0af4ff9a9c9e844fe6\r\nResult = F (1 - Message changed)\r\n\r\nCount = 82\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 10\r\nKey = ec65afd2d72bf477c7fdd9fbe3f1694c328088cb5f39d9a2\r\nMsg = 10d0e88b0db8d515bdff3a791c830b28e4e3ff4fa63f45b31a3f73dfb457bf82\r\nMac = 7172095284694f5ccdf5\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 83\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 10\r\nKey = a76b981540ce229e73064af4474a7ca4a042d03a6e6bdcbf\r\nMsg = 740d4b25ca7221d0826057701a6bfd66c50a82f010a57be8c5efa0af0f761764\r\nMac = 94b657fb57cb2fd6ed3c\r\nResult = P\r\n\r\nCount = 84\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 10\r\nKey = 36bf85bf63b28093d2dae511990a0bbd75184044b033c66d\r\nMsg = c1fbbae61b81ae",
+ "bacf151f1bccfb1584f3a211fe797996938c03e806392e14c1\r\nMac = 71796cf452f61db7f540\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 85\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 10\r\nKey = 67b79d9ef1a47867c7d21f19f99ed1085f17a9f092fac689\r\nMsg = d354c54151c9dcdf0d0fd8c51413c2645efafb2bf6b680b25ad76d3825a4c04f\r\nMac = e324e8d377447b40629f\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 86\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 10\r\nKey = eafa8699695431ab3cfa1e87ffeae4b822a391653d2e9d78\r\nMsg = bd647990f7afec76c8f726d1de806ca0cae6f708b5024b514f11c4320913724e\r\nMac = b0da9d38a1e821ef1f39\r\nResult = P\r\n\r\nCount = 87\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 10\r\nKey = 1fc4fcbc73dab4e73ed9d7606acdcd42b74972460c640fe5\r\nMsg = c86553a60da69bec1924788fc3ab985158a2d4788f33c01abead80974d26dd67\r\nMac = 992fd0b735b9fa9255c1\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 88\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 10\r\nKey = 618041501dfcfdd2b60d71c04d635f6357ad8b0643af77aa\r\nMsg = e7e6b57e74ce7afbde3697e2a69d61ca615aa3dfd32fe31f5521e6ca79877613\r\nMac = c183b8f21cb2aac7201a\r\nResult = F (1 - Message changed)\r\n\r\nCount = 89\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 10\r\nKey = 53bcc9e9244e2fa1752c61e65aa5c592138447ef9287fdcb\r\nMsg = 92e962f0086591b6f61c2ce5af62480722ba6a640c3f53806c421de438358721\r\nMac = 105d286777da3f2a03a5\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 90\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 10\r\nKey = 6d2429921f90a22893cb65c4530e56068e9944d0b0f61fa7\r\nMsg = ea2ad7b7d3f80793391af0328fbb594d79898e1047210628bbc7441e135bfbe3\r\nMac = 482a75ec0ecf1ea59f5c\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 91\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 10\r\nKey = 3100d3c70e823fee9a1bf486ec1c56771acae35246535de1\r\nMsg = 4e6ddae0d805afcd10a055bce584c848d050fb29fe8f1c64b18e1abfe46b6578\r\nMac = b0deaf1bb6d0425d1810\r\nResult = P\r\n\r\nCount = 92\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 10\r\nKey = 79aa6c03dde4bc5949921563264b440ebef71b3298da67b9\r\nMsg = 879954f977e945cd4db33d20e6749a6832677adbdd9c7e262e4acf632f665f45\r\nMac = 9863fe041d191777067d\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 93\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 10\r\nKey = 85467aa82c22ab019f9243c203b4371c95604dccee5d81ef\r\nMsg = b86edcc59dc9d8e34bea3baf4bfc0d5e117482a48e522c1b02a370e9124b379e\r\nMac = 54b2f4664eca96639f7a\r\nResult = F (1 - Message changed)\r\n\r\nCount = 94\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 10\r\nKey = d37e7aa9215cb5c2c2fe81834f200192ada3dd0f4ccb9d69\r\nMsg = 064f85a23e049529c74c4f8267abbbe685b6a838841a9e304fdf14b835eee396\r\nMac = 536701771f51d2ec354f\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 95\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 10\r\nKey = 72e8c7d74cec3e248fe938a1159d8d969928e6da26b8cf96\r\nMsg = 58019989445d5ee855e0ffcf84e76f3383ae09cfad74276a3edaf05cbf8d714f\r\nMac = 182d3bf14cc391aef27b\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 96\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 10\r\nKey = 5f847950d2a5d44137110594d3c0afa995b36422ab36d044\r\nMsg = 70523bc397417e09d791a4976960e02636ca7144a5681cf7b116daa33eface2d\r\nMac = 5f0b325fbfaede23de5c\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 97\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 10\r\nKey = b01e84220a7d514060a79088b754ac0beacb60e5b3a47020\r\nMsg = 036137cfed567fc5e234f18d6c2b8c7e9ae0f3fa526d6596e9a9ee7bf1abdf0d\r\nMac = dbe49af18c1e1bc99b73\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 98\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 10\r\nKey = d90ba47d7c9107b103cf167041dbd7b41d96016d93961917\r\nMsg = 2d53836a0437ccf27cdfe2bf2ad53f3082100a9f045cebe6b3031d21c9a6c5b6\r\nMac = 7252ee3b5eb76abeec9a\r\nResult = F (1 - Message changed)\r\n\r\nCount = 99\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 10\r\nKey = 02e5a1306f612bdec098458cff3e691d93f050ba11ba6273\r\nMsg = 4bef96da992ab9386a3463213773f3ca7164813a15e014ab819f153386fa04a3\r\nMac = 5fac9c1a1636b66e2f55\r\nResult = P\r\n\r\nCount = 100\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 15\r\nKey = 4c99ce359b8b82b67ee990529a10f2ecceadad456925a57d\r\nMsg = 89ed296a3ac03fbfb71422b9211799150b9d766a8116bebd48bd0a5068132dbc\r\nMac = e0e9583d784f87e0b7dd8fd7494a81\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 101\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 15\r\nKey = f085fb257ab64013b43a59150864a31e76c9ae94913a56ef\r\nMsg = b90ef6b773f250d4dac6fb9e62babad69ab424c96a8c0625987c030a91d27d64\r\nMac = 96f1dc9a1c668bb203428181c016ec\r\nResult = P\r\n\r\nCount = 102\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 15\r\nKey = 8109f3208d5cda0f12141e40c85959b72eff1a937dae7f4c\r\nMsg = 49ab30d5c01e91bf113764342cb8ad32e6af945341a9c6a0ee2319a910416fd6\r\nMac = d13777a33f9520793eb8cbcec047cd\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 103\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 15\r\nKey = 1eba29062320df7275a51aa090ab489571057e64f0ff6a52\r\nMsg = 754f03c2e298a699568d10c3e40390e0f8c398283ce1c35dbc4916fe479b87be\r\nMac = 87dcee48dfaa43e8223a2b338b220f\r\nResult = F (1 - Message changed)\r\n\r\nCount = 104\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 15\r\nKey = a04b976fa01411bcc9a3863cec91f486944fdca6e8754615\r\nMsg = abf45f39904a8f5766763fe80fa189ed9c6c15bb1a7a8fa0ae3058c9e5b87c63\r\nMac = 577aa39884335a4f66dce2a612515b\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 105\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 15\r\nKey = c6f0a3692c9280c48393b0dd763e5d0b90477f34ad69f192\r\nMsg = 737bab64c8a0fd6a07329bd729d2ec88685cb5404bd13a40e095a61846dbacbc\r\nMac = d61ad5f6d8aecb7b3fc1ddb1aff64d\r\nResult = F (1 - Message changed)\r\n\r\nCount = 106\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 15\r\nKey = 095eb52135dc6d9c1f56a2571c1389852482e7aa3edc245a\r\nMsg = 47c577d1a7e69828b5c3264738dd334be8d7678ec77bf1ccb5fec3843f85ffa1\r\nMac = 4fd309a62435edd9b1ac8861f904c1\r\nResult = P\r\n\r\nCount = 107\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 15\r\nKey = 2f853c1ddb31694985ea5e47322bfc8567fd7a74a46b0597\r\nMsg = 5719e671686e87e931c2c0e5842e907bf584d226e040645eaebb896b53a28c7a\r\nMac = 75ed56da2db0ffa101578118e3f620\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 108\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 15\r\nKey = 67f5adc0842d7e1a4f8591d678334c95ac83df95c4341c30\r\nMsg = 6c8aaf2f91ba87b61814ed689331264c7bf98c2223c426a4ebbf7b0db692a8d8\r\nMac = b7c591522e9a5a4f3af3aea24121b6\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 109\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 15\r\nKey = 8702cfd1ff87a749ceb0a7192f5a872740b7fc600845df4f\r\nMsg = d29b6a2d421abd00a59b756af34bd72a42f5557a2ed40f8a7ea59b2e05ff01d3\r\nMac = 33b597665d375c95464af2ad56465c\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 110\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 15\r\nKey = 64ec1fd6af554485856b7bb3c0ad16fcd9c4ec690914a09f\r\nMsg = 0418a0afc13d6215c7bd68b12a327587eb63c145120ea626fce59c16f7d66717\r\nMac = 80a85e77efe4f47d8938dd9c55d67e\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 111\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 15\r\nKey = f2991112c2cbd3038ae37b772a5090690006009f0c1965dc\r\nMsg = 231d72c9325f8c17aef4efc94855803eb2fc1eea601c84a98e8f7053840f0591\r\nMac = 14269c545a0e3d56ac9cb195cb6197\r\nResult = F (1 - Message changed)\r\n\r\nCount = 112\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 15\r\nKey = 2c6d7fb9e92d98a1dd92e96f6b4013954ce1aaa5de242e6f\r\nMsg = 87ec7423f1ebfc37ee83c85938d58259efd16e3c8e55fb871e9998baa9cac81a\r\nMac = 782b7ebbada87c3572a3918a03305f\r\nResult = P\r\n\r\nCount = 113\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 15\r\nKey = d95a1b24964bfea5dd5a65f5a1398c6f9d43b26d98b47816\r\nMsg = 92f9cf56188322d18cb41d723847e6d419cd163e2be71b78e7b8dbdd099a99b2\r\nMac = 2498787836840fe1411a17f153c546\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 114\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 15\r\nKey = 62f2490ba0c658848859fcbea8cc6774e24c9de979dd29d0\r\nMsg = 0822e3e6ba982091d532cd5271fbde25305d1f6e71880f81c618f267a9f122e0\r\nMac = ffb6c2a6c73245138ce06e458cf914\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 115\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 15\r\nKey = 1841161a3752de1491b2b2f519d8447636e149437478d2ff\r\nMsg = 238e36b73b474de88226d4298121393ac9162f1736040bcd717b6e8db85125ff\r\nMac = 4d1656a2c8632260aa55a097451fe7\r\nResult = P\r\n\r\nCount = 116\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 15\r\nKey = d7d9a5f750078f1a82dffe2c70e6b0016eb42d13e1a8aad1\r\nMsg = 28a107d22fcd0499e0ea5aceda6dbc288a5f1d9da003c626bfb9a6c27922e9bd\r\nMac = b67bc2e20c422f9c7c27a84ba0bcfe\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 117\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 15\r\nKey = dc3ca30782c9c0a7fe8923d4b8d31aaf21e63895f51fb2f1\r\nMsg = 8716298bc17ed51aa273711873e2c2863e7a5021e46a183e6c6c81f99c02918e\r\nMac = f41b1896a22db30dac50b6b3e5e2b8\r\nResult = F (1 - Message changed)\r\n\r\nCount = 118\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 15\r\nKey = 0b6b36339122610178c4bb72eb558abf15e5ed9ea0077a5c\r\nMsg = 52839f2f0853a30df14ec897a1914c685c1ac21470d00654c8c37",
+ "663bfb65fa7\r\nMac = 665f05a489f8ad0feea290401b4bf2\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 119\r\nKlen = 24 \r\nMlen = 32\r\nTlen = 15\r\nKey = e200414db0255ca3faa7f6b17a62523f2c75d99f6ae162e0\r\nMsg = e749041b314f8719e17a8cb26162e2c910b31116dd769083149238d67792f991\r\nMac = 713fb4d0c95743ee7da970cac7f771\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 120\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 8\r\nKey = ea77165284ada4599f0bc0a41db787310f53a1588282b866\r\nMsg = f3a1a6dc2092ae7099bda65f8af32aa19796254a13fd9e0e7319d50402598faad6ccae2a028604db0d44690ba3530bfc8bad062cd96635d9654647c57bb81537\r\nMac = 9c7c379b5f8ee87f\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 121\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 8\r\nKey = 18e2baabdcebcd25958eb53d1bd2a95ffb9b51a3c1d92a9f\r\nMsg = 1df7392e915726847822817cb542df6b14df16d7d3d3ea8d615fe9ee651c938a0234bef059d139c350d6b01192cecfe1d821aa0b668e5d4dd8d5ef9a1eb47db5\r\nMac = db521506073b8c9e\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 122\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 8\r\nKey = d39f12a9c6b63c17f116bc003f4def172943350e29d60258\r\nMsg = 75225a26d63e91281fb37ace46354f81de99dedfde8b770ea47f08503aea87d8d7b190dda9e150ecd1a2a182b06676da61667a04864ff4374838ee6899d8961b\r\nMac = 65aa057a01b390ec\r\nResult = P\r\n\r\nCount = 123\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 8\r\nKey = b2212ca369c611b725eccc3daa58df412787a3475f418d82\r\nMsg = 3727bac9706f482f55bda86dc052aa6810e2c1137b97fc93a65838a2724a9531199726517b6fed53b24d062eec7c22227ad9379b24da7658c0cf7ecc0368cfc5\r\nMac = b869a9e06994fb39\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 124\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 8\r\nKey = 25e5fd5c39e684696e71a6f81f843a196dcd030ce2c07afc\r\nMsg = 899b48338d5ec3bb4a681f76ef37b6e25357b50e9578d85204c3753d3b6ebccf908e3de8b02dab01839ddf1a560b1ff33857a17fa4244b96612bbdeaa7d4913c\r\nMac = cfb0650c7566dc49\r\nResult = F (1 - Message changed)\r\n\r\nCount = 125\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 8\r\nKey = 49bc9d3bcf3c22daa8cf55c1b59d4bffddc2412d60518e98\r\nMsg = 980026395d0544975dffaaa2c56db1df5816cd80cde513dc76f6f81d21f15c383c97c7233c9af2423fb28922efed2f69aa47c30de17ae1c5be17acbd0ad6cb8e\r\nMac = a7ed2a35c89130ad\r\nResult = F (1 - Message changed)\r\n\r\nCount = 126\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 8\r\nKey = c53f21f1ce3a1792a2de14277eb97664d4c561b3fd4b0e32\r\nMsg = 66e15206c23751497bc2c8d734aa1136aec08bd4e80fe3408bb3929a84efa749f379c7eb441872929b71872d761e0b448e0126e9fed86eeba611694cd2df4cf5\r\nMac = 1b86a912a0ec9f94\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 127\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 8\r\nKey = 6286e3e53ffb9bb143fcae724b45f86a23bbd74c42518144\r\nMsg = 62766e9acd41285eeed9b4007340dbb611699624274ad1179e327076135d907638c60f0c773c4ea8d9b8352027ee78ea4f22198f083d2f5cb920e55b9738c582\r\nMac = 3c56ff841dca9662\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 128\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 8\r\nKey = 9c5d43c1a1269cde199509a1eff67cc83a1759b71c9e7a6e\r\nMsg = d576565a938782fc7e9b095db6213002bf5bbfdcd761fd6d876adb2c7947702b8930a5f71ec332bfbb4ac9b9d13d90c2d808d5459d0dfe5ddeedbe3e14038fd1\r\nMac = cc7b2038ead10d8e\r\nResult = P\r\n\r\nCount = 129\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 8\r\nKey = 512a23489b8d6b62b63e9188c0ee5016f20448c082eefe82\r\nMsg = 1fdbfff7941ba22dd8e1dd13a05a3bd8f2c8096894266536c40a983929d0a6340af5233bbec1477363294519d3f3d9c6d41b20f18f76adb54495d9d43bec5afd\r\nMac = b81c76829839cd43\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 130\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 8\r\nKey = 20d22c3b6ab38c5995e22b341f359be25616b2b8c7269510\r\nMsg = a1c041d1d4e7cd6a953f2e4837e3e676ed48633a2f15828f5f3551d5ad2a19c838a49caf75529bd5d5f89b3da2c2e9922ad8dc5d20325a7b3fae9dcd305f3731\r\nMac = aac4d4f4172e1f05\r\nResult = P\r\n\r\nCount = 131\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 8\r\nKey = 22e29aa7547e5ed3a64611e04f1d55f7a397c1619669879c\r\nMsg = 773b577b95e29d36fb30779d2ea23e2ffed9e1b46aede42bbe03a904fe22ef8f874298b5f4a6afe63f6ca9522863eb5cdb1c8d4bcd445e43e7302875e6ba3592\r\nMac = 16bf98c7a5deff18\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 132\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 8\r\nKey = b320edb777d317af6c933a6530d9f5cb78d2d3104ac02120\r\nMsg = b31d3f55909bb660628de9eb95b75df776455f2f535f461edcfdf8a0cffdb096d573fedea7400f8374e62e30879a8beb259b3bffb4c3813a235b4c59853400c1\r\nMac = a0d9a7da024326ea\r\nResult = F (1 - Message changed)\r\n\r\nCount = 133\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 8\r\nKey = b9bcd0ae7100f991f4365ba0683b6d461979ffe86d0ecc24\r\nMsg = 19d0077952eba12a01db1d137050bd7e9102a31242eb38a5cfb3cf51b86c86cab57f6deef8e6eb9eb29c5dcdd852ffd627641013660b31abebd40fab60514159\r\nMac = 972119a55b125e0f\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 134\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 8\r\nKey = 00af010f462ad40a38eefb788b648e1cc292cd4bb08ebeff\r\nMsg = 573db0961531873316e87090f79e84f040c8358f8ca78fd9ea1ebeda82c1cff67c2ebbda1da0a1b233c1539cb4c0145da2a4a05431e06dac2c2731d59581a434\r\nMac = 92a67a99c128e173\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 135\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 8\r\nKey = e12f98507d6514c3b551d240595346bc9e9b6a987033b3c5\r\nMsg = 3927bac9706f482f55bda86dc052aa6810e2c1137b97fc93a65838a2724a9531199726517b6fed53b24d062eec7c22227ad9379b24da7658c0cf7ecc0368cfc5\r\nMac = ef48edc762db1d47\r\nResult = F (1 - Message changed)\r\n\r\nCount = 136\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 8\r\nKey = 66fe8076d4e8538e18b84f965255d143f1c7d377e099c1c2\r\nMsg = b3fe18cbe086955384226c11c62c1dd14e7eabda573450d005b46fd9f9eccaff24dbf5d6d8530b5e25fd9f2a629df5c20a977247cab35255d71d992d85b04c14\r\nMac = cb67f0c1819ae458\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 137\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 8\r\nKey = 82233a224ed122d7306bd6717a80fa1986964f9db41bd40b\r\nMsg = 65c46382a278490b9825d4f1907f3b9f196e136906067020b6b94ee398cb2f39ed07055dd0b151d974bb8d56ae3bc8b3b31d9054221514bd45d88a5f948ccfb1\r\nMac = 27e94d22e8961f92\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 138\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 8\r\nKey = d3e3bd80f45140cfc2f857a913a89f0c7dec86790feda4f9\r\nMsg = ff26ab66c6a10ef910f5b94589b24a7b6fae8e4396faa552b014603fcb5eee921bcfb81ffae989922debf24a6947ed6b1556c02e524b247c3966a7bc636a4fe9\r\nMac = d2d326c999095b39\r\nResult = P\r\n\r\nCount = 139\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 8\r\nKey = 466fa94c2158c1cd84b83fb2f15ccfce804f611ad0fbc4fd\r\nMsg = 5ea068d4f363dc7f1badf97b77ec85412a06dc8d8e3f4364265c7956d4088f014c78fad6c94be720ffb4ce4150da4a3f427f288031e0bdd241dd7daf975acabe\r\nMac = d6023f6ffd3c788f\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 140\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 10\r\nKey = 6f5a146524457615d81a605b38a5ff03edbc5c426ec7d551\r\nMsg = 9be3a736e7e72560bea45e9c8ee8bf37c279bf5b2ef16483adcc093208c05ee51a4db04632946ba2b96cdd9d15b33c25cce2eba4ede4f97aac29ebaa4cf6bbd3\r\nMac = af8fd676ee05154b82c3\r\nResult = P\r\n\r\nCount = 141\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 10\r\nKey = c62e6eb86b8daa37936086dd2c346e3b14be5054cdc2f3a4\r\nMsg = 559407bb6930d5adbdf19a7e285ba1dee5caa03ef54e3a3fc1b8c86a02f55921de9bf7d553c22d7ad915c6384329d664e70dffaefe22ed9c4e2c233706aafa04\r\nMac = e297ad7830c79d387ac2\r\nResult = F (1 - Message changed)\r\n\r\nCount = 142\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 10\r\nKey = 225557b0faca3d6cbaedec5c39c98f0ba0723f4070f2278c\r\nMsg = eb1383e84d4bfc5a9dad25374055b81eec74316b18f6e001b0623d470c027b7023456000fc61538b663cb7c0e98d77a7fc3ee2277816bacb4d9487c6741e3134\r\nMac = f07332a3b01d0e8026ce\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 143\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 10\r\nKey = c36acf733d310e3b9842b3006aa637ab092faf4a580043b5\r\nMsg = 1d674eb5d85945a6c7842042adebe549d4fe515501c06c1ba72961ee5bc98d8588afd6fd64893e21220db7ea6a973a420613130dde1d7f6a26677836d65bd0d3\r\nMac = d629ef50a784db860de4\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 144\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 10\r\nKey = 332e30ab63b197e79b86e4da732bad9250c0a5c9976a6c67\r\nMsg = fb41304f9f5b0f696ddb0e2f0f57bb091f8a31b5324d3cdf15c3bdf256d3502d06db2df9bea24c7ae08fcd641f199610427f3ecf24b92a7e00aef55aeba71516\r\nMac = 983e453f602db30e1f85\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 145\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 10\r\nKey = b311796b0519a45c176f3ff458d4d818668093e82fb871f4\r\nMsg = ec1a1e9ee85cf960e5dc4e239619ed85f4b14d32cbd42dfa79f77a27f2cd740d08730de2eaeb91d0eacb8c498336e99b9a0c57c4045ef18749251dbfa733b4f4\r\nMac = cb2be0fd09f10deac5cc\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 146\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 10\r\nKey = 6311e7f0a7bcc11176fb411fe719d4e0782c8935524776f3\r\nMsg = 85f647d940a6d1acb6b7851912f807063515631eaabaa019dcfb993",
+ "e86f408266cace4c24940eda0083d8569364dc1afb816c0e5b95f3bafe7745e5ddfccd6b1\r\nMac = 776b9642c47fabd7e9c8\r\nResult = P\r\n\r\nCount = 147\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 10\r\nKey = 6d120cbf74df2efffe98397ee303ead4e91c5e7839b82885\r\nMsg = 27ea9ff8359463a7742cd9c9c269ee678f4ab22091fdaf29b9007a92658687cbd71c4166e68c5a1ef30160191f6d926abb28f1da01da9ae8019a520edd576346\r\nMac = 5a902959d73ac97ea071\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 148\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 10\r\nKey = 8e09d421e09dac1d9d966f02a3a520972c6aed2003d907dc\r\nMsg = cb32cb87ed59ee959c011211ae7cd475c3b5feb21cbafdd0b17796d47dc4d4e61da345b399c2661182485be13dcee33a9eaa8cc4b9742361f4c36f1361381f1a\r\nMac = 1b2bc5956223b8801456\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 149\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 10\r\nKey = 3eeb143d4a3c08ecd9f7df8eba42789b517dfe99e07958ed\r\nMsg = 3292b8548a35fe34136457bcff52b469eafdb1b86b6cc88bed35c4cfba43785c59d6b01c1acb6870ef1e3ccf7dad20b1733f51ab1bc48cdb2fdf7d86eda17a00\r\nMac = 3a85ae8fd368cf9846bc\r\nResult = F (1 - Message changed)\r\n\r\nCount = 150\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 10\r\nKey = 606452c62290b43559a588bb03356f846cecb0ccaf0bdaf6\r\nMsg = 3cfbc77b8897b6a5613f62f6b1c89b0d68f272c6c19b9e0ec6331ef616702006e64322d3460a57d3a5074c719811cb5dd78900268890da0ac177b40d48773548\r\nMac = 325aa552529e66a13904\r\nResult = P\r\n\r\nCount = 151\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 10\r\nKey = eac3a1a6eb8efe983c6b37b6c2709f5a8851ab72cb23a66e\r\nMsg = 2801a813dfc3f1c753f4f342a113c09b8e9a7ac16483c31bfd0b746b1db692f805937eec44c16bfbd132154557afb17ed01c1f4c55fe67f0343a6329441fb955\r\nMac = 5b0b383c4870af31a9a1\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 152\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 10\r\nKey = e2d592cb412e65f9044257d78e7491f9f80c8b08102c2d5d\r\nMsg = 3f63b7ad671761a3f27394776970b413e35a2c43ca85560cdd3c9b407bfadb4f1edd0e6026572ca0d8274bdaa6870749b0a727aa8c5b7e9442100e0c9b057455\r\nMac = 0380cb126c63bb48bdb7\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 153\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 10\r\nKey = b7b86dff6746145aa7d5bba73ed6a46da5b1200bd3520357\r\nMsg = 8e7f7e7e3ac2286bef6822ef47f5f73f2ff512e599df17c3723f7a55d4144a367c774de67e7e52ca3760c37484da7a2531d1d590b5380de11c34c3fe447edc0d\r\nMac = e7aaf6f82894d8825d80\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 154\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 10\r\nKey = 70a26d985e6b99bd3a37575f011f2b84ed84bebf99a52760\r\nMsg = a2cfbcfdcd90e0962f233d7fb70668c8c36cd5e195e2ef5c043268f47187cecffdd36000f96e1f509f00283effa040443b3db15cf73d55c30c65f0fd7cf9c219\r\nMac = 96d09f0a799cb52575d0\r\nResult = F (1 - Message changed)\r\n\r\nCount = 155\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 10\r\nKey = 5d678acdb2e6cc03537411ae2e95da120161ecb6c92d5e23\r\nMsg = 91dee0cd1d17d9342f4d346cee19f5f42e0c3b0498447ec4043c15bb2ae8fb8a7a02d2da489f28932c05fa4ea9c0760e0cf3052a97ed898edffce3247386b98c\r\nMac = 4a40b4f63330413918a7\r\nResult = P\r\n\r\nCount = 156\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 10\r\nKey = 795846f9dbf36415640276642cccf87e3dbdf6519c5b2db8\r\nMsg = 4fc989f327e1a1cc7b8af618ee6ae6d25f78e2b76b681455336945655f13fd5a639bec3a004a88ad0e2df8547a0d315b8ba15f5269038638df6169d960f5ab5b\r\nMac = cc5efa5ef19f6cc63f83\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 157\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 10\r\nKey = 61eab54142fe7e16787fd2d54829cd3c4bbd793e72f9ef9e\r\nMsg = 13f079b004d1fdf02121564f0a96b057f120899ce920169561d5e3aaeb16bb8e4347c7cf8c86f9acdc25ac26fb5d845a68409c0d9df0e089940fb7a88a76e62e\r\nMac = 920de91f34eabfc31648\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 158\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 10\r\nKey = b64d00f3a4df754fa4ee6376922fb67ccce0c6209f677397\r\nMsg = 8003586af34bdd0acae4f5547394245027c2ffcdc9d1335311acc859e9a2a7b817755a601dad14495d32f1ad811a7e751ac07cf18716e1cb193c203e7551aa83\r\nMac = 79e8a0ca036d7b0bd2c0\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 159\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 10\r\nKey = 98f4596970e6515b5357f6c6396aac182d126decaddf567d\r\nMsg = 65737b65927aebcf6cefc7ca107fda8447e8bebf1f08a280d53a4b07f8e35904cc48cc08eda3c63a3475924bde1de6acebaa65fec5ee68ca22d3fe722bf33267\r\nMac = 05c51c2507108a3f8293\r\nResult = F (1 - Message changed)\r\n\r\nCount = 160\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 15\r\nKey = f0409b050346fbd319c8630e4bc9dd6d055355fbb961f018\r\nMsg = 731db98bd990b2ea19f848fda3519b32bc1d2fcb2f4d42e13f655da8e1dc2af428c185fc01a5d55e20b49d643a254e8675d560301d2ea0c5984ecce39c655de9\r\nMac = d37deaceea7ea3b50aeb02636e5095\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 161\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 15\r\nKey = f266cec01c5fc08c0bdabc9537bd1aa2df9f2b8ffbe5cc94\r\nMsg = e19cbaa489a0f65681c983cfee3a4b699339ccb096df06bc871398be9eb926d84426fd32d5d7fa4aa563a88b41afa822f761560d9897a9747cd85b3dc74b4adb\r\nMac = 8690d4f8153e56e3ab80c7e918679a\r\nResult = P\r\n\r\nCount = 162\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 15\r\nKey = 6e12c112720ef346bbbe7d1c19483721b1c52c438dad40e3\r\nMsg = ab8b36f46d1749cde7dd9936df95cdc8e0b359b8963bff4e7bd59599b32408623354a15e29f287a79801866d434a0ee9cdf37f931e53a39509057c7f2b3b413c\r\nMac = be9e70fdd15f96a8b7457cb727caf6\r\nResult = F (1 - Message changed)\r\n\r\nCount = 163\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 15\r\nKey = e9ed05813262fbe769c1104d8ba5c836dbd229a22a681de3\r\nMsg = 606452c62290b43559a588bb03356f846cecb0ccaf0bdaf67a18abd811d4315a966e2f3f87f6c2428814446563fa71864d97c8336b0e34bf9466ec95598398cd\r\nMac = 4b3ac19f4dfa04108283b0e2e3a8e6\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 164\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 15\r\nKey = 0c84328951c66e0f5341b741d2c2796d3524ef732c69e779\r\nMsg = 9071c45a99cb987aa79596a2014f54e6fe400a6bbd5de96e156cae87cf69762f1329d481213d213d42191312fd76911d8df4c6ad9304754909058cf477adfbaf\r\nMac = 1e1003ce7546009a3ba7f59dec236d\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 165\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 15\r\nKey = 3aa8ec246323db7a3953737928061c79757de2e921c27643\r\nMsg = 84e9cc9bb7f4fb62ae7396859fcf33da5ca6c80c311eb392107afeddebebe0d662a887879e4014187d2fe8feefb01e6fa0d35819d7cfbf139e99451423b62ee3\r\nMac = 4259d5f983a287fbd987e3badafb33\r\nResult = P\r\n\r\nCount = 166\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 15\r\nKey = 66c07634c94dedb5d4c6f19e7cdeb954692ccf51fa242abc\r\nMsg = 4bbc9d3bcf3c22daa8cf55c1b59d4bffddc2412d60518e986899d6a3e2a781668b0c6b9b4ee0ddbbcd06bd643eb201fe7829699e4dc86e2a1b4876bf9e40494f\r\nMac = c40f872ea2f1a1b45ab5737c2e4f33\r\nResult = F (1 - Message changed)\r\n\r\nCount = 167\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 15\r\nKey = 3b9d6b0652836457ec4f701f0dc0e5aed73d16585d61cb1b\r\nMsg = df7b23a4e4456e0152b24853fe0d5de4179974b2b9d4a1cdbefcbc01d8d311b5dda059136176ea698ab82acf20dd490be47130b1235cb48f8a6710473cfc923e\r\nMac = 602941735206bbe57ce1c2e3b9509d\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 168\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 15\r\nKey = 7253ef10bbc302f01aecf315f9a4122ba805dc4048c30ac1\r\nMsg = e12f98507d6514c3b551d240595346bc9e9b6a987033b3c50940442dc385634e2a28292856b97d5a78704388b2b6d0ff2ce7a19c64574deac593b98a7ce98bd8\r\nMac = 9e62a5b8851d3a0fcddf06fe116ac2\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 169\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 15\r\nKey = d718af395ba3f5f4c6d15c24475ec7f0f74f3238c81d42d7\r\nMsg = 0c0d3d7ff5d1b707be9648f263b8f013fa439978e959efef57d471cae02dc8e08d9d58d40381169afa039936f1f773c72003c1c5af03018725ab2408236ee4ea\r\nMac = 75749ed44b76d7ac16c98d8b6bc18f\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 170\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 15\r\nKey = ec98ec44f5a86715014783172e667a748f162c5c26a8b34a\r\nMsg = c0947efb86d54644087247f9fd95133a94075faf6250a2cc9f20df5393edbe1a4bdee20e90e877781a370a7f00cf9eee7373fc38acc54aba23b0df3f020356c9\r\nMac = d994553290066d778369b54ae06668\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 171\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 15\r\nKey = 9fab32caed6e1cb27d2115cc641779127d4aa57db0955bd6\r\nMsg = 6e3e25db29da2c787bb37755ee770e2402fb8208da23389d36030439a143f971ecc880dfda90a8231ddebd2881981ca968ed45f3763a32ec8d2fe854fc2e4b4b\r\nMac = 4d3cbf9b68da0c5b49ab3b0913a2b1\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 172\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 15\r\nKey = aae24266e5981b2ed14213a29f961cbbf7f02f63a33c987e\r\nMsg = 8244cb416b3d09521ac2fd28c29084ff3d64761d46617b59e8b221de36702c2d3dc62e61375357b702cf8d4dd0f2bf2a1f91777fec0baf2c23e3e6865bae7358\r\nMac = ab8e9df7128f4857e0a1c24fbce473\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 173\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 15\r\nKey = b9bec4e88775777ff1eb3df671fe8ac03a693a1c26ea254f\r\nMsg = 8eaed4810702df8caa",
+ "12fe7e26e7ebbca11aa2de9f3169a8262c0e3c205a708f0071401aa8de09d28a5a6e590ebeb476341880c37bfee1a501229081eb27772d\r\nMac = 273b0d874010eac97ceda34232f7ee\r\nResult = P\r\n\r\nCount = 174\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 15\r\nKey = 15120ac9468fa30c92ad87e7aba41ef552814e4ecbcb9350\r\nMsg = e3de6c6119d7db471136285d10b47a450221b16978569190ef6a22b055295603c9c1ed5da3bf96bdb43a5722cf4e2ea087cdf9b23b3093d250d44047be634b3f\r\nMac = 9a166994de85e5d60b154d49a867f4\r\nResult = F (1 - Message changed)\r\n\r\nCount = 175\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 15\r\nKey = f9b9633f12967f1841161a3752de1491b2b2f519d8447636\r\nMsg = fa14d3656f7f7610f3a629bce14648a593250c6f309c02c6c552bb42984ac58db920dbc7d98f59295f37f3e9b99da55ef074ed65801b390366669b4c7aa1c483\r\nMac = 2c9f3650866b97ecc5ed66929f41dd\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 176\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 15\r\nKey = e87275bc62ad067b121b83f220d4ee2b4245541283dfadcd\r\nMsg = 6475757f30dd0a96ad64bde5c2605a9d2ca82a7223a9ba4c39b6dd3f86a0f4bd02876d0a32ef8af1071664b603862f4b9de6bfc6e7154b136e7a72e661957bf4\r\nMac = d0bd2d3d35a22f37bf113090cebecd\r\nResult = F (1 - Message changed)\r\n\r\nCount = 177\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 15\r\nKey = 8b63d3c794e5ba0e09e5d5a5c56670bc0e289b30171ccfa4\r\nMsg = 44da1657e4be60d887a097e29d03bdbf5920bb0504e654bd963f58c487951a72e395237a9d32281125ed3a533c543de208c99bd063853abf79ddab4692c3a497\r\nMac = 29d04b97ac302fefa80f71ea378e7e\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 178\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 15\r\nKey = 17039577fa27ef5ac3bf97572d9de5f8eac0aa58ff29b990\r\nMsg = b0329a0978e5a2d1bc85bdca333e7d0d1e9950217ee9547a84e76d3f49999451bf787288e8d12d40456c8214926c14e9b076032fe315c1633d5d21d85acfb1b8\r\nMac = 51b4bc8b479dbd60e5de94ba8b9d0f\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 179\r\nKlen = 24 \r\nMlen = 64\r\nTlen = 15\r\nKey = cf6b5edc515882f8a7954a5d8517b1a85e9559858527d0db\r\nMsg = fde631afc6c042d77b579dab9298862d943be673cea59eab4a0c1b5cfddc2aef42590e6d8786d18a4646d7e338c2b984c50a50adbeff0fd64e7096f02e8385ee\r\nMac = 5ee3547a06661661c46c3778b0823d\r\nResult = P\r\n\r\nCount = 180\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 8\r\nKey = 7b6f4f158422f33543ca90dd0a76cbb23c0dbef26ee140aa\r\nMsg = 6704dc39a259152d2dc3f08b8799ffecf4e1bc38\r\nMac = 5c12ff63244c64bd\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 181\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 8\r\nKey = 7a381f75058b85680061eeaa0242d3a16a64a5ca50cb61fe\r\nMsg = 18b31ed5ba1c3ac562ff3ef274424b86c0815c26\r\nMac = eb8f3d508c9edb8b\r\nResult = P\r\n\r\nCount = 182\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 8\r\nKey = 3662d7b7c93211535c862ef3dc2724c492cc1e53a58f23a3\r\nMsg = 8ac860504258c134c6835d4cfaabdb316c36d99e\r\nMac = bc1b870eab5bea9d\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 183\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 8\r\nKey = 9eac76976750b7937b3bbc6986b4c726f0d0a63310db85d7\r\nMsg = 5de2265292780222349ac793eaa17c5a22902344\r\nMac = a69594e569230df0\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 184\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 8\r\nKey = ed1531500f319e09227d6bd181786b3b446f081abff2e697\r\nMsg = 7a734243e53cee654be988f5c735b19bb11f3389\r\nMac = 9f2cc2a8c3d0a34f\r\nResult = F (1 - Message changed)\r\n\r\nCount = 185\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 8\r\nKey = 85d0d04cd3fd2fb34dc18fd55e645f7492d5280657577008\r\nMsg = df899dd6b99cc28d66604ca92431fa7f442a4927\r\nMac = 18fc40b25fb9c138\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 186\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 8\r\nKey = 90b0c8b542c91c1b2dfdebb589a7eced6c9b7b43a7729840\r\nMsg = 38d1a87296529595acce251cb232db8ede65581b\r\nMac = 077570fd0efa770b\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 187\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 8\r\nKey = eceacd807db82378e9bd7c79054878f09dcb5087c2e1c349\r\nMsg = 09bf4f77a9883733590a3cc7ee97f3c9b70f4db2\r\nMac = 58af901fe0fb5d29\r\nResult = P\r\n\r\nCount = 188\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 8\r\nKey = 16227835305b7586a3106d93da8bd70aa0025df69a0e85dc\r\nMsg = 1a223362dccc99472b2cd1d712ec6dadd60ef972\r\nMac = c26f3980d17f6c36\r\nResult = F (1 - Message changed)\r\n\r\nCount = 189\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 8\r\nKey = d18cf5dbf5b2094dd6ad85d975449e2dda35b184633235ca\r\nMsg = 7f557e74f53c344daf7495526d1270dfa8fd24ad\r\nMac = 5b7cf33ec05b1576\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 190\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 8\r\nKey = f1681287bc931a0d8f296e13b3584d6efcb6ca76aa90cc02\r\nMsg = 08c62ff9bd7bcf189f530d5065f8764532d2692f\r\nMac = d646e2ec15afb14d\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 191\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 8\r\nKey = 116f4855121d6aa53e8b8b43a2e23d468c8568c744f49de5\r\nMsg = ab91d1aa072947d22f0dc322355a022fe7f0747f\r\nMac = 489068c07931ee9d\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 192\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 8\r\nKey = 0a23972e036d62199ec327b25a3cf4e14c29279c6449d3b8\r\nMsg = 2df3e80fb6ddc1fcc7615330b24fbaa4981441c8\r\nMac = 7842f16a0cc7bd6d\r\nResult = F (1 - Message changed)\r\n\r\nCount = 193\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 8\r\nKey = becfa1c96686b04153fae144c187f034dac3ee6ed70d867c\r\nMsg = a3a114679ce30c8472149da9bf3a42b1ffb07e66\r\nMac = 74fe19b5183ed3a1\r\nResult = P\r\n\r\nCount = 194\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 8\r\nKey = 866b43c8fe3769ec0aeefd4dd02210488a354d67e82a81d7\r\nMsg = d9bd6ac153cb0bc4e19e59c45cfe0d6f4c9d20a3\r\nMac = a3a2ef83eba2a6f3\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 195\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 8\r\nKey = 7e00aa080c127cbabfdfa5d9d9728c7b25358aecd26f5850\r\nMsg = ce1a38cd75b9e955483ab53fe59649d087ecd1d6\r\nMac = 8375c666d09bf259\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 196\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 8\r\nKey = 4bbf4c9cb6758329b2d5a53c4fbfe2d3df4fb50e57b3699b\r\nMsg = 6429ea2cc8fdaf58100347d21da64375b3ab2058\r\nMac = 77e417a60bca9a9d\r\nResult = P\r\n\r\nCount = 197\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 8\r\nKey = 274b394da9402d3eafdf733994ec58ab22d71829a9839957\r\nMsg = 2b3d7949805afd73234cd327a62951b32c51df2f\r\nMac = 8f9ce09fee15516d\r\nResult = F (1 - Message changed)\r\n\r\nCount = 198\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 8\r\nKey = d4140d988448d557454c3434fd77f8597e6420566845e316\r\nMsg = b53017500c100dea0511845597214484fc5f7f34\r\nMac = b9e85ce9178b81c7\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 199\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 8\r\nKey = 43d0d326c511e3bcf4f52660fc3c706a6a95c0ab550615f6\r\nMsg = 7c880698ef372304a663f0f02944500393585d42\r\nMac = 843f71e93b22f1e4\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 200\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 10\r\nKey = 273cc5013785baeb5abc79c8bde73af71085d7018e7be92a\r\nMsg = 086e6e3a21787acf7293446516b5f54da95a2988\r\nMac = 658a112d7a9e7a08c024\r\nResult = F (1 - Message changed)\r\n\r\nCount = 201\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 10\r\nKey = 492bf7946bce1d3c6f168f4475e5bb3a67d5df2fa01e64bc\r\nMsg = f7b577f1396b23c27eb637e53d3d92460270b001\r\nMac = f2dffabed6871cca2e41\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 202\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 10\r\nKey = 8e7d8a44244daa7df2b340993e32dac50e05d7b2e103be98\r\nMsg = 2c3c3582e026a3f29ffd21a92a8e1ee70f3a4147\r\nMac = 1bb40d091dde1903ac0a\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 203\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 10\r\nKey = d2069266b0f180cb319e30ded7535bbe52d24be151de4bb5\r\nMsg = 392d567f0b8045359dedd1591517ded0171fdcda\r\nMac = c1ca2813ad38fd7f0f58\r\nResult = P\r\n\r\nCount = 204\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 10\r\nKey = f35c46bca9236830ff4bb057cd5764f02720ccb03b253937\r\nMsg = d4586dbdd5655cf659891f5b6015da524548dbbe\r\nMac = 4b6dcc78f6e0e9b7e35a\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 205\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 10\r\nKey = 509f1e38591e03a30a7409bc7e18595848253308c15edf40\r\nMsg = fd2109cac9f42fbb093a8675e5cd962c4c31df2f\r\nMac = 35387ef3967eed5b579b\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 206\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 10\r\nKey = 0e9cf0ec43ca3fb7fb9a2b1999ae635d5041bf42f1b0bea1\r\nMsg = 65960c7fd43891ebdc7bf862b28d4822a8488270\r\nMac = 93c33247ca546a8c3fba\r\nResult = P\r\n\r\nCount = 207\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 10\r\nKey = 51597a4c68cd228371e86c179fe04492642ad9b888405067\r\nMsg = cd8799124d94064f47d7eec59aff543b81ac66f4\r\nMac = 0eed36a27b40560b89db\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 208\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 10\r\nKey = f9f049328f5db22c41a501088e5759ef4d04db0c4b4f6d3f\r\nMsg = 7bdc26b5b4df58af539d91eb2ea10263a3e58b07\r\nMac = 68c45551f1367c989a9d\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 209\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 10\r\nKey = 5343dacb05a29b3119d6f19bdfbcd6674950e710fc70180a\r\nMsg = 057c2d386fb1693b845bef585e76e0fc",
+ "4971ffb3\r\nMac = 372a801d1cd33d1059ba\r\nResult = F (1 - Message changed)\r\n\r\nCount = 210\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 10\r\nKey = 5987fcfe8a1ee76afaef54cb22d8b2a20b116f72bfc7117f\r\nMsg = 8abbdf380c668c6ff34a4f128567bfaf256570db\r\nMac = 5a8089b3d9f6c72fc858\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 211\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 10\r\nKey = 301e0712ce74a1ad02079aeb0ce35edacc33f9a5d907cf70\r\nMsg = b2d894833daef4070b764361685fc94a780a7292\r\nMac = 57a225eca09fb227f79e\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 212\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 10\r\nKey = 144840494d15b2b31ad63ee05bf579a5e9fb98f534a6309c\r\nMsg = 71bf573cf63b0022d8143780fc2d9c7dbd0505ac\r\nMac = d1b2baf05cdd5fecd1cb\r\nResult = P\r\n\r\nCount = 213\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 10\r\nKey = b4bc602dc860108aaff5b3befb948a561ac495a22af9085b\r\nMsg = 3fa85ca50cc4c4817e951b5a95ac006973324c2f\r\nMac = daa1246b82d2e14e3056\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 214\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 10\r\nKey = ff48804c82414ff67f9b917a4d5d062d439454aad8eb4b0f\r\nMsg = 6def37d9b73fed0390f260491f582d2215369811\r\nMac = d7712f7d5f0da5dec6b6\r\nResult = F (1 - Message changed)\r\n\r\nCount = 215\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 10\r\nKey = 0273e421ee670be6322675f26f9014c040a76f0c869698f0\r\nMsg = d9de46934cb56e58899a31fd14ca64509131dc27\r\nMac = b3e79909c16c561eb7ca\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 216\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 10\r\nKey = 27eb9812d3f7816fb6a1cfe474496e80750b1ed3959ec7f5\r\nMsg = 776ba7990086731ef7504947be74b3c455bfde5f\r\nMac = fc0f2dcf4e6fa041830d\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 217\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 10\r\nKey = c56f710e39deed799ffde6d10e8aebfa2bab5e5e073d78e2\r\nMsg = f6fe0f16403182d012f8b6e02539c386075b4585\r\nMac = 6bcc4c1b06099220e9c0\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 218\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 10\r\nKey = 0236ce1fd3ef645a64b4ee7048dd35942e6a09e8099884a8\r\nMsg = dbf06366f766e2811ecd5d4384d6d08336adc37e\r\nMac = 1de717c402baf964e817\r\nResult = P\r\n\r\nCount = 219\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 10\r\nKey = 5cf781067bc1ef948e929b7287279c71cae5143631ca57d6\r\nMsg = a7f3fb7ed1342862247fb4b1993788837cc87041\r\nMac = ee867d4c0f910e9d9288\r\nResult = F (1 - Message changed)\r\n\r\nCount = 220\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 15\r\nKey = 3e19b6f3f3fa3c2551466c9e09f0391350682495426fbb08\r\nMsg = c7496322ede893ae368884a91f80c3bac3505c0d\r\nMac = 55b25da032db8f3b4293a4865df77e\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 221\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 15\r\nKey = 5717ed57ca0b6921f04dcacad34e0f6210c36673dc9f4d92\r\nMsg = 5e3ed45f07a6b3c225ba73d04d867f9c5b4aa703\r\nMac = 1b642dcc4fa08cbd36d109d55a8501\r\nResult = P\r\n\r\nCount = 222\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 15\r\nKey = 8eca0fb8033e63e24a54a3e63bcf8e4ec331b04ddedfeeff\r\nMsg = e3807f6d8c6471ffe188df67d952a7d67021bf41\r\nMac = 9a37eda1e3331bf86d208b2c0338c9\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 223\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 15\r\nKey = 633f44dad6995a6af0302692142a47430491ae7b54f8b00c\r\nMsg = 3caa9b8b24097d29bd24b913692acf96cc78b998\r\nMac = a6665b3b158f37f587dfa0bde7f300\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 224\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 15\r\nKey = 14ef8096666ddf28e0ac5f3458b52f3e0c601deae57fffc9\r\nMsg = 11d5cef384474f33c2d313e6e1050d8c7ae5b019\r\nMac = 2643bb3e1c01f406d90104c4437189\r\nResult = F (1 - Message changed)\r\n\r\nCount = 225\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 15\r\nKey = 0c2e1951eeba1a9b6592202b1b8547f43fd755fbd844a874\r\nMsg = 9ad62bff38e28f75302b6527c1c107543f798817\r\nMac = f42ff7aa728c2d815ac7c701b59627\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 226\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 15\r\nKey = 1ee2df7aa80e3a131e2aad9c17bcbf546d8b25e5a849db31\r\nMsg = c4e8594cd09be010b6934157e0557686310e8dbe\r\nMac = 34496d184bbdc0c9a57916ff64dc3c\r\nResult = F (1 - Message changed)\r\n\r\nCount = 227\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 15\r\nKey = 75650ce366757618af20205b69af7e5d4e82c398c00101e2\r\nMsg = 42a71eb81ad1c97ac53b88831b2d15f3c57e7cf8\r\nMac = 4c03394a98bb43e6197074abe63070\r\nResult = P\r\n\r\nCount = 228\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 15\r\nKey = 386c659bc45d0a88acd54ef7eeaa3e140e1cafb1b01474a0\r\nMsg = f4fc5acff75d404849675b813cf7adcaeb8f3d56\r\nMac = 5cfb2fc8869304428fc012a14b616e\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 229\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 15\r\nKey = ac192759625f4e42d1d1fa73dc0f62199142155615478f88\r\nMsg = d33f716df06e9047f8d718ab1faa06ec7b773bb7\r\nMac = bbf5b7207faa5b004216fa5caf3f93\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 230\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 15\r\nKey = efb497fb9b85d472e7c9d061aff501f7b1e3a311a86cfc69\r\nMsg = 1fd425560816aa21d6572150d1161cfb3bd61e6b\r\nMac = 2b7e14864d29437647cc1b27a8a0ad\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 231\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 15\r\nKey = 344fbbeaf82ede8a401df7cc121ed3da43be9bcadeeb5614\r\nMsg = 93febc9e16003cc8d6490ba5a6e64dd673a0f887\r\nMac = d34ef878392bc226f7ce1519f3bc23\r\nResult = F (1 - Message changed)\r\n\r\nCount = 232\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 15\r\nKey = 4b6c6b6be3c04985bff49719c4e11be97d7757801dafadc3\r\nMsg = 754336f8cf27f4bcc7af5207ff02a662232d9a62\r\nMac = 5389c533cf43ca0332574802c2ace3\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 233\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 15\r\nKey = fe5ddb0645387cc6535e5b7991e6428c4157a76bb41084fe\r\nMsg = 216d9eb896edc693520f99ac91f34cb54e76d719\r\nMac = b43388ba7859f803655d914b60ce90\r\nResult = P\r\n\r\nCount = 234\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 15\r\nKey = ed14373671cd8041e00874b5d098ea225eaf9c68bb51cecb\r\nMsg = 0569c6be9ddcfbb82618fdcfcab3dd60c20c49f5\r\nMac = c2c11297111a92a484868179c5931d\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 235\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 15\r\nKey = f2faab6735779e9ac49716e7fcd3faac939366a7249f4f0a\r\nMsg = e7292269b07683acf5bea0b300782749074e2313\r\nMac = e10f324c19d79ed83256f15e302699\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 236\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 15\r\nKey = 2bddd90daa1251a42a0e2fd2858568887f85e6d96d57daff\r\nMsg = 0f8b828c0e59effbdecc30abb6cae0d9af9c7636\r\nMac = 1aab0530749ac4c6432157730ee3ee\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 237\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 15\r\nKey = 586233e492b76ade095e8f5ffc6df4bf6caad2a675953b2b\r\nMsg = 92af89c950d6221473a358dd0f280277bde7ab0c\r\nMac = 2a79121e68ea6b841e175ab5066388\r\nResult = F (1 - Message changed)\r\n\r\nCount = 238\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 15\r\nKey = 5aea45c0995e950f333e29f4db82ea4c4c080ff82fe32bd6\r\nMsg = d9ff1c84bdb03114ebd5f471247a579311f4672b\r\nMac = dc58e7582cb555ea784036a8ba4b8b\r\nResult = P\r\n\r\nCount = 239\r\nKlen = 24 \r\nMlen = 20\r\nTlen = 15\r\nKey = 900c8283c7d50d6da79cc07d3dc7b76c2ef76100fa3ae2df\r\nMsg = 3f8c6d21ec05bc439bf82774f1812bd2dfe0d3c4\r\nMac = ec1fa18916f991d7276428b9c93c70\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 240\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 8\r\nKey = abbb803150cd7fdb9f3d571bc749debe72c825e45568aa5e\r\nMsg = bb5fd7f4fb020d38c13df3003a9bb852a86948f406c51624eaf81989b006\r\nMac = 799d598f32ebd9cc\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 241\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 8\r\nKey = 2fa619eed51bccdd2ce63580ebf85467ac9136f79256bf1b\r\nMsg = f92d1a6731f3bdd811fde1ed936de907ebbc4179670857859aafe788b91c\r\nMac = 6477feb7dd4c818a\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 242\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 8\r\nKey = d0115f369d0f74073a46e3b9625660847dd7ac7571e40814\r\nMsg = 97da5d1f669dc60b6c6fe4369e01f3fbb9af30b483b23d885497c684d6ef\r\nMac = 3d7f0acc627b785b\r\nResult = P\r\n\r\nCount = 243\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 8\r\nKey = 045c4b86eed865cd989f035afe8c257c400c11b1f72548c6\r\nMsg = 5a6233e492b76ade095e8f5ffc6df4bf6caad2a675953b2bdfa8513df1dd\r\nMac = b5a44479b0be31ce\r\nResult = F (1 - Message changed)\r\n\r\nCount = 244\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 8\r\nKey = 4a83bf338fc0125ee1966df46d46a0d0b41e51569b3fa957\r\nMsg = 794a86f5b20d344ad86fd5523d08f1864737be57731440c29aa6b4257457\r\nMac = b45939cc01918eab\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 245\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 8\r\nKey = d9ccd93317441e9d6ccc358f31e7e2ccef8c921b23d74299\r\nMsg = 48754401bb69bed2cce8689e47210435878c7ce184d911f60d26b4aa5174\r\nMac = e0d1b6a530944550\r\nResult = P\r\n\r\nCount = 246\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 8\r\nKey = 1e50fae752ac3a6e2b1755475e84441947e9f4b1d29546f4\r\nMsg = 34245df514f6c273d252271a980929e50a7cb0e77b05c7d46092abc30493\r\nMac = a0fd99f1405b027e\r\nResult = F (1 - Message changed)\r\n\r\nCount ",
+ "= 247\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 8\r\nKey = 4f98838899bb47fd3b0fd5efcf55403996567a0fbe1abdda\r\nMsg = 0c8cc752ae8d487c621be129326513a5ccb4141e324d21aab399148c1a83\r\nMac = 1aef1b7bc7856c6e\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 248\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 8\r\nKey = c98a22a667aafab0c94047e03837d51b11490693d5c57ea2\r\nMsg = e4fb1612e50607457dee8087ec41e57fcd7fc550497eaf1c8b0d47c773d8\r\nMac = 2c467fe37fee5342\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 249\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 8\r\nKey = bc6d4c46476ac1ea902be391b8a3f04e102aecead167f0e4\r\nMsg = 93b3314baf20e28a39e89592012c35adfaa3ee6d3d8e494051ee9944aaf4\r\nMac = 7f10757d2d36a55d\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 250\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 8\r\nKey = 5783548205826853ae740d35d6d69ab524c38fdfc5c51eb1\r\nMsg = 11c90809f9c53d2f77b56af0a42287ac6920e3d2921cceb824d496caf1a7\r\nMac = 07630c2fc52a24b2\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 251\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 8\r\nKey = 9cac76976750b7937b3bbc6986b4c726f0d0a63310db85d7\r\nMsg = 5de2265292780222349ac793eaa17c5a22902344063f497aabb9dc038ce2\r\nMac = fd092bab159861c0\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 252\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 8\r\nKey = 616de0b0f868eec923bf9edebbbaa51d3faaa3f86b2a5687\r\nMsg = 38013d62558647bc21d293830aa3ba80ff3fb84a8e0938754c5213077771\r\nMac = b4e782780989dc11\r\nResult = F (1 - Message changed)\r\n\r\nCount = 253\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 8\r\nKey = 5df77b26f3d34eba49d287addf0a38d20514e2b7e6059935\r\nMsg = 1930a8b428334df9fa1ac16890f3a6a93fcf9d6855d00b06ff831d8f6a70\r\nMac = a8ad975046cd7571\r\nResult = P\r\n\r\nCount = 254\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 8\r\nKey = c56f710e39deed799ffde6d10e8aebfa2bab5e5e073d78e2\r\nMsg = f6fe0f16403182d012f8b6e02539c386075b4585be5b18d6ae1c5f9ebdff\r\nMac = d0df47dda012655d\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 255\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 8\r\nKey = fef8982f7342f1b953658453cd5ea413700eff00f1ee7d6f\r\nMsg = 269b6c1c95bc079398bb31e285a887c1832202d6ec257a2cf62468e29358\r\nMac = d2c90040bf66b2a6\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 256\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 8\r\nKey = a34dfa24847c365291ce1b54bcf8d9a75d861e5133cc3a74\r\nMsg = 105d2b82676bf67ca9575ffd31d7d114e709826fccb6a5c3d3d7e26ff258\r\nMac = 5e60278f98b3135c\r\nResult = F (1 - Message changed)\r\n\r\nCount = 257\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 8\r\nKey = 520fe80cc4a3a5ad9c31f7010504923b7a7fd88292a64f98\r\nMsg = 2e1e0712ce74a1ad02079aeb0ce35edacc33f9a5d907cf70d0548d84ec3c\r\nMac = daf839ef84f1c81d\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 258\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 8\r\nKey = da4775b8f7d654bc4cf2eb75ecf4831411bbc9a960ea2df0\r\nMsg = bfaccce3a9e66f45e454090ffedc348306dc2807951ce0bf100178612703\r\nMac = 3e2eb7f029e687be\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 259\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 8\r\nKey = 15e3b3c5794fececd703ac58ccb22a78e15bbd55c579416b\r\nMsg = c6c3457ffcb6e66c085ecb69492deaa704e25aeeabb7b7795fdcc807b325\r\nMac = afd75cdc02222e65\r\nResult = P\r\n\r\nCount = 260\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 10\r\nKey = e0f2cdfb64bda8f02ab90620fc5a1943c4b536a99f3f8820\r\nMsg = fd0365ff6061e5f55c0e382f5861aad99c135f9511f33ace4bdcfe48c6e4\r\nMac = a1046d4b29fc50ed94a4\r\nResult = F (1 - Message changed)\r\n\r\nCount = 261\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 10\r\nKey = c7aafe7d3b419fa4ea06143897054846ac4b25e4744b62ba\r\nMsg = f1baf3be69f69611fcd47256e43830a1b3fd8bd3952eb26ed679eda7a4e0\r\nMac = dbc419e1ddd5cfdc63a7\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 262\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 10\r\nKey = 58c219f2bc8ef2ed7a82cf70e4af4747e36a30809a5a6222\r\nMsg = 622642aa69b3efe14abe0a1d2ba20f3f76efddf62e6cafe2845c4dfaa501\r\nMac = 4e496c3d2d84d11923c2\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 263\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 10\r\nKey = abccee975feb10f635d548a8502f7c8b6adbd2be74117257\r\nMsg = 4f37a460d180a12789779fc335326c983ad6b18295b47f1715b82b2dc704\r\nMac = 41b234e0173770c469b9\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 264\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 10\r\nKey = 0218eb619dbbde2e846218339aee4383792856496eb3b85c\r\nMsg = 28d3510a37d5f8481e7f22941c1fb1d6c70686fbad9747a23c9d5f18dfe2\r\nMac = 3cede44c942387d91767\r\nResult = P\r\n\r\nCount = 265\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 10\r\nKey = 88b2514f368d51db283039efcde1891652a77daf68feec43\r\nMsg = 067a3a0434e92cac02710221fbb6dfcb7ef0264e2994905491317c8c3697\r\nMac = 128e652ce0a8f1a6194d\r\nResult = F (1 - Message changed)\r\n\r\nCount = 266\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 10\r\nKey = f2a78c449621278e9e927fcd50742d042d98d5142380fd3d\r\nMsg = df899dd6b99cc28d66604ca92431fa7f442a4927d03b392e707b548b8ebf\r\nMac = 2eca3c42b5e5d0f3b9e4\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 267\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 10\r\nKey = 01fbfbde7dfdd6f0a0c5244cf6c36eece4d6dedd8baa463b\r\nMsg = 485ef613bdab5473763bb269a0d8c7a4bf4850bba072a96f8fc39a31cbd0\r\nMac = 333eb331d6a0d46fa279\r\nResult = P\r\n\r\nCount = 268\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 10\r\nKey = 6ce99c231d2ef0fd48c2375dca93f8bb0df97d4a44e835cf\r\nMsg = 32d71e59634126ac6c6156a80a0dfa0175b29e9f40a3169680b1c15830fc\r\nMac = 3e90350e115c425ba466\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 269\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 10\r\nKey = f7a93aab5707ca3d2362c5669198e0218493acc3cb7b02d3\r\nMsg = aeec40ca8964fd6a67d3dc871ebf1bfb72f52907f1d6ad441bf2cadcc6d8\r\nMac = 7381d65aa138c86713b5\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 270\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 10\r\nKey = 84f39f5207afcfd677a7544579f2b888a1eabdee4e835924\r\nMsg = b8d21e9c70bf63f04be311d50f84aad7e1bd2b0e517434ab978d68d01c5d\r\nMac = 4ab61c537f8b15f824cd\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 271\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 10\r\nKey = d488bdda400932de56a9f105f0e74ee79c2ed869faaadc31\r\nMsg = e64949ed85de6359595f286e29014c26daa7759aee56e4194ee958774606\r\nMac = 2752bc490802b9dd8686\r\nResult = F (1 - Message changed)\r\n\r\nCount = 272\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 10\r\nKey = 76ddfb075fce4be8854185c6899a88d06e24854506b31237\r\nMsg = 9d86ae7d70e839078babf7fd60480a4351690867c6a8af837d9ad465220c\r\nMac = 2522efecaa1ba11c0260\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 273\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 10\r\nKey = 618041501dfcfdd2b60d71c04d635f6357ad8b0643af77aa\r\nMsg = e5e6b57e74ce7afbde3697e2a69d61ca615aa3dfd32fe31f5521e6ca7987\r\nMac = d958753757a11eacc848\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 274\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 10\r\nKey = dff6b9493de80447ee18ea7311fc9b8d74f77ac1ab21ce84\r\nMsg = d70aef3532bdc5293a3ebb11589ac1f801c9f93ea0d656e1d04068facf9f\r\nMac = 9a761e0e54767e414cf2\r\nResult = P\r\n\r\nCount = 275\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 10\r\nKey = d7780ba2dc5cc584472b64bc9f6246bedb27c70aca22c0a3\r\nMsg = 14691c1b47ff1547c1d2151913c2d1862d8f54782291ea202caa3d8ef07a\r\nMac = 78a2bf3a5fc87a14e090\r\nResult = P\r\n\r\nCount = 276\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 10\r\nKey = 3bc5dba883e2e3b81df06760cc32f11009cf5a5503cbe864\r\nMsg = 9d043e368b41acb5eebb99197e15adbc3d19175a0bfcc97275e3e5efcfa5\r\nMac = f457293acf683c873add\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 277\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 10\r\nKey = 7b3fba25c5ef410ecec62276b105ecc01c325dc2530e8364\r\nMsg = fda4bede287c57eea4448af5e99d41c7d307d1f202af7f387f874342a29c\r\nMac = 0cfb78ede5f4c185c33b\r\nResult = F (1 - Message changed)\r\n\r\nCount = 278\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 10\r\nKey = 38efdbbc5645f65414b9cb81d2f9e4f190cf6e6e05eaedbe\r\nMsg = 50422c5e6a0fb8231b3bb6e2f89607019be6ad92a4dae8e0fe3f9e486476\r\nMac = 0c1acd8e8527e2663486\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 279\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 10\r\nKey = 94ea5b0aa6c8b07e379122006042c920077bd61610df6b4b\r\nMsg = 1d52f401f01058356d8c4c630f64c5322caa6063d6365ebf0040ec4ee12e\r\nMac = 2dec0d3bca617209b07a\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 280\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 15\r\nKey = 5584994f80640233ac8eb4d2f873e8c997499095250b48b3\r\nMsg = 91febca4f1ae7e27501400c44ce8681ec90f5a5637c962db142c9284b1d1\r\nMac = f0b3135c1748e823aed10c4694fc60\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 281\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 15\r\nKey = 57e99653fdcab10135a2ee3bf45c1be69e9ed57bd74dfbad\r\nMsg = 51c88fd98a7d82043a1500fc3d8a66ba7ab7760467c7fd89cfeeb22dd257\r\nMac = c588ee1d4f330e51872065c02cae61\r\nResult = F (1 - Message changed)\r\n\r\nCount = 282\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 15\r\nKey = f622d736124641bb7d53706bf2a69db2fc31461fb92818be\r\nMsg = f09569906",
+ "381138cc49e3fc2384c5d33c34abd3d617c487b52ec6ee7b510\r\nMac = 610e1c1f9ab35059580061b8662a81\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 283\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 15\r\nKey = 9662baae49c26e5452f3304ceed3b78326d2020a99a63f69\r\nMsg = 1d93aca4e2e31f5ebb84fad580fe74f5b6d1d86ab30cd0c8031be4090be1\r\nMac = 3c5a4eb51ec58ef3468bb00e7cae8c\r\nResult = P\r\n\r\nCount = 284\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 15\r\nKey = f2100615431349aba5c4f5a7f358fe7be579f4cb9e8f33d2\r\nMsg = aaf26bff7ad4116969c15d9206de6c737b7dda87619e3575d9b6b2efd8b0\r\nMac = 7396deeb4316fc6d84d3af119656f3\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 285\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 15\r\nKey = a5993acbea8c55d7eb55d60596f83e1d9f2cf636d06240da\r\nMsg = 0bc1fede6a6ed9e1deda82612fbaa6e60f0b2461fd5d131e6a7206f41a07\r\nMac = 2f6b0a9f2a972d299bfa5892f8ea83\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 286\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 15\r\nKey = 775846f9dbf36415640276642cccf87e3dbdf6519c5b2db8\r\nMsg = 4fc989f327e1a1cc7b8af618ee6ae6d25f78e2b76b681455336945655f13\r\nMac = 8b3cf3171912096763a2ebe5ea9e41\r\nResult = P\r\n\r\nCount = 287\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 15\r\nKey = b214b16bbac27ccc9773d3c8dd31275da4876c039740ca8d\r\nMsg = 7786a3e30acffd6dde375bd859dd6be2c9221b979d0c66d1d5ed6e00b73f\r\nMac = 1a73acbf4e9250610b74c727b9c42c\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 288\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 15\r\nKey = 032b4cfce8a1acd89de5f6f78794e2813bbcdb89959dafec\r\nMsg = 3f0bf0141dd3ace0fabeace61811eac5ec801deb7ffe3b0514d43db90bf0\r\nMac = c24066cbc00cb5c28e48141b627411\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 289\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 15\r\nKey = a053255875ed4b5193bd9c5fa4172a1f660ecfd2a394c2a5\r\nMsg = 14666eb960c6b4f8b6ccc49f79a039b12c02e0972c300f1e9d0a38c0a474\r\nMac = abce3abc224772a43c058016bf25bc\r\nResult = F (1 - Message changed)\r\n\r\nCount = 290\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 15\r\nKey = 0ee87b40abaa99f598fba22c3e677a85ca3ec95c3a51aca8\r\nMsg = 1bff19aacb9c7d0a44a15ce686a2469e3934d086365d36f449484498353d\r\nMac = 4d565c2e12901845e77ed8b02746ca\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 291\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 15\r\nKey = 3384f8563cfd0fc8019bacc9b691c9ba4ae6dc8cf4c00629\r\nMsg = d31e959cf7842db351db407266ddae0b36e37f34270576724083e9989764\r\nMac = 96d0dbf51d96b532321da593383964\r\nResult = P\r\n\r\nCount = 292\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 15\r\nKey = 375904fb9fcafb7f19877b145b0284cef61ac7a3d88f537c\r\nMsg = 441bd4db5e80c7db1b575a19b7bad021a719658a2c818566291d3cdd32fd\r\nMac = 3b8dac029f6658e44e5f5bb8f8ee40\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 293\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 15\r\nKey = 3c1ca347a7d3d8db8f704410c493d7a65718cb7bffec2dff\r\nMsg = 555fd02fad4f44484133f9472c050f9da27390fa2a3e48cb0be0d7020171\r\nMac = 32be39d874c15a0fffc7111f76bbc4\r\nResult = F (1 - Message changed)\r\n\r\nCount = 294\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 15\r\nKey = 8bed296a3ac03fbfb71422b9211799150b9d766a8116bebd\r\nMsg = 6df3de543cdb6d1adb6ca7df6b5a4510fc8379a4f2c87497ad1c2b9a69da\r\nMac = f24ff3218e7905d81c3e99c84bfd26\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 295\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 15\r\nKey = 9530bb291d38f6bed10318081dde8fd178f02eb0e8b7d022\r\nMsg = 5f48624302d1acf7750994d45f0999ecd89a3861cd0268d5a51e672124b1\r\nMac = 0afed54c577e550eba7ac94a2d82d8\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 296\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 15\r\nKey = f5400b86ace6e3da5f090befb96fc05d0409bf41fc77b4e0\r\nMsg = 1c79b055fded54af5ad2f3253f93a090ec003863d9458d3ff718c4c13937\r\nMac = 59f94d4b13539a5f0a8672e4599bad\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 297\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 15\r\nKey = c033e4a512297caecdbead892b11a9f7007af9a74bcab89e\r\nMsg = 3ce965d58856663d54269af4791ec57ef98227ea387d525769c23ab74674\r\nMac = 0dc19e37a255dabb61957f7f89ab06\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 298\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 15\r\nKey = 2459f951d1255d093b72144b83b05ea3185d5123d1ca864d\r\nMsg = 661c6ff41af91a6d828a4d5d507f8a9130abe91412070950c5fa4c75c8d7\r\nMac = ac8e75b4465a52b3a7da3746f9875a\r\nResult = F (1 - Message changed)\r\n\r\nCount = 299\r\nKlen = 24 \r\nMlen = 30\r\nTlen = 15\r\nKey = 3b63415210361822e23cccf0faae88cd7642f44cec45fe37\r\nMsg = d7f78e950d2ab520a6f1e82ec6f206b2e8c71131c85234bd80500527f131\r\nMac = 15e59760acd3dd74155d6d3739c189\r\nResult = P\r\n",
+};
+static const size_t kLen41 = 61387;
+
+static const char *kData41[] = {
+ "# CAVS 11.0\r\n# CMACVer information \r\n# Algorithms tested:Alg = AES KeySize = 256 Mode = Verify \r\n# Generated on Tue Mar 15 08:40:45 2011\r\n\r\n\r\nCount = 0\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 4\r\nKey = 45b74171271e1fdc19f9beadda58010d843af69dc2f4ad003dd74b9b570d5a98\r\nMsg = 00\r\nMac = dc0ee796\r\nResult = P\r\n\r\nCount = 1\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 4\r\nKey = 2cb4239fffd13762fb5391f5a4760d12d96ea12666a793b4d651e9f4891c22c1\r\nMsg = 00\r\nMac = 2e19d6cf\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 2\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 4\r\nKey = d88586da8b605a6fd5a45d316b89fea15e27ff4d92238397718e68b8e00ad605\r\nMsg = 00\r\nMac = 8ad78885\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 3\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 4\r\nKey = 136ffda3359fee8c81e6dac131256f4bffc0d3c3e74f8aaf2f979a0fa5b8ed32\r\nMsg = 00\r\nMac = e430d0da\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 4\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 4\r\nKey = e1a7867476bee9928b7237ab7a3d502fbe3d2d45b6e4c41aa9f12b79099f019d\r\nMsg = 00\r\nMac = b6f00f90\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 5\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 4\r\nKey = 5b4d945d55dea22e37821ec396476a4bfb617d2f392ad93afe67bcfda9cd9b72\r\nMsg = 00\r\nMac = 5076ef43\r\nResult = P\r\n\r\nCount = 6\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 4\r\nKey = 23df62a79fd5866425427d0ccabf05b16590e8452ee22e028b51910926ad314a\r\nMsg = 00\r\nMac = 7bd29398\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 7\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 4\r\nKey = ce9da814595f76a7e52a1222c7c9a6579b3cc2e393ba51580ff6cc9b6ea2ad8a\r\nMsg = 00\r\nMac = ce872fd7\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 8\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 4\r\nKey = 507c4f32246d637fe08e454c638b014438109e1fca31f724d40ac6ec1aa20268\r\nMsg = 00\r\nMac = 282a7ec2\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 9\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 4\r\nKey = 537dfe9fc000468dde29800549b1cfaae67ad89d22c8264d7eadcd914ac54ef4\r\nMsg = 00\r\nMac = 7936b7d5\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 10\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 4\r\nKey = 1f57959cecbd377374477e33b34979814f260f77867392ed645998f73a3b06ae\r\nMsg = 00\r\nMac = b4b63264\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 11\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 4\r\nKey = 3d272b4a1a1031369aff514e2df98d580f972b5abeacc05cb1288e6e473c0fed\r\nMsg = 00\r\nMac = 18b35edb\r\nResult = P\r\n\r\nCount = 12\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 4\r\nKey = 8774d1acf96362215a3d1e51e1a52a980685dec4f3afd2d438c03c00c04a79f9\r\nMsg = 00\r\nMac = 80eb7a84\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 13\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 4\r\nKey = f37155beb5eed8899d9ed4b5fa21b60b40af289f090a355d5bb1aee52957cd99\r\nMsg = 00\r\nMac = 6827f73d\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 14\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 4\r\nKey = fcb52c44379ae8083bdc7b827383df93cb1a7ecc21574730f9fe003b7302de23\r\nMsg = 00\r\nMac = ccad16d9\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 15\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 4\r\nKey = 83e231ecf8913ebce00e62b8f00c1abbaad710142fdb912c54664169f7af0e51\r\nMsg = 00\r\nMac = 8e393f56\r\nResult = P\r\n\r\nCount = 16\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 4\r\nKey = 7d35e77450e2adf8805d5ad67de5835b2c5dccafe8440865c7e7a1501ed53a98\r\nMsg = 00\r\nMac = c6899710\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 17\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 4\r\nKey = 87143071241bb65261fe7afcc102416e59b9e46ee0c9007308f0eec10e45f6d6\r\nMsg = 00\r\nMac = a1a4449e\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 18\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 4\r\nKey = d30d2d1670553c71ff0264ab861574dd03a103d954226d1b540f18fc47b3fc29\r\nMsg = 00\r\nMac = 217ac763\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 19\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 4\r\nKey = d6983226b2c3a431abcceb77c8ec6b9bae80199115b28c5d7c56561e1b12944c\r\nMsg = 00\r\nMac = 26c717ce\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 20\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 8\r\nKey = 0cf53b4aae3e0a209e58385dd32d9cc6163265241332c332af4de4b99b4022fa\r\nMsg = 00\r\nMac = 1bfd19f6e1070186\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 21\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 8\r\nKey = 5f988f38410d26d293ef32d74eaa81acca82545e767ab59dcc750a09849cebad\r\nMsg = 00\r\nMac = 7e52911c0d7987a2\r\nResult = P\r\n\r\nCount = 22\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 8\r\nKey = d8fd6e1dfcca8f656705aed7e356a576baf8907c8d10d54c833d62a8a6703624\r\nMsg = 00\r\nMac = 31b478b4b4adaae0\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 23\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 8\r\nKey = 49fd56dec210e903f6c703332637f9c267eab9333e2701a16c74ce5e0b5a16d9\r\nMsg = 00\r\nMac = c8be2b36c93684f3\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 24\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 8\r\nKey = fa282e1f3276a3e0c769f2ba25ce830591e860300cc03ab57abdb14c0374d060\r\nMsg = 00\r\nMac = 27b8111c3d9f14f1\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 25\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 8\r\nKey = 1c6942e914218135496e0d7910abe67b9f7f29bb09029bb37021865d7543c4f6\r\nMsg = 00\r\nMac = 466b7077bec98b7b\r\nResult = P\r\n\r\nCount = 26\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 8\r\nKey = 08f199a8d7e3ea821dd3106e8947cd2e9d485342b25a64713db2b8a650a49ffd\r\nMsg = 00\r\nMac = 796deae0d06b1bf4\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 27\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 8\r\nKey = febacddf3448c7464297ae53166793e2ed962de0d0947c5e5e17abe3cc103b07\r\nMsg = 00\r\nMac = 5e2d21aa3351a2a0\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 28\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 8\r\nKey = 59b9fb83b6a85f017bde6c0ff3ced955b9f343cc71b680c6b591302f52759412\r\nMsg = 00\r\nMac = 3e5428eca10808b6\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 29\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 8\r\nKey = f07e6655424125462a96390e02bfee9d89cb271bd9bbf22a9de45f6b7e949343\r\nMsg = 00\r\nMac = eed5aed01096226b\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 30\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 8\r\nKey = a04f84bd79406c138d02698f003276d0449120bef4578d78fecabe8e070e1171\r\nMsg = 00\r\nMac = 18553226e5f9788a\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 31\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 8\r\nKey = 1673a52494e9af02472c1777232aa3813c7c162593eca7112f34b3807009af5e\r\nMsg = 00\r\nMac = c5907fff58c68ee7\r\nResult = P\r\n\r\nCount = 32\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 8\r\nKey = 1e4ffbed2d5a7bcda5e24a66048660629d57567f83307087a846db8246ff332a\r\nMsg = 00\r\nMac = 29599bc212927246\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 33\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 8\r\nKey = 8b80c24ab4a3c24ced82ca8c69924553a37a139bfa2541c59e15188ab0fa5a34\r\nMsg = 00\r\nMac = 299746d93b0b4881\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 34\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 8\r\nKey = a00ebf59768f6437b48a91923f5effcf31c745b980f79f2edde9ed18dcf2ffa0\r\nMsg = 00\r\nMac = 61950ed83db6bf74\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 35\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 8\r\nKey = 319d3f58fd7257901ff364fa68b86b1ba27c11962b2c5be8e33eb95548444322\r\nMsg = 00\r\nMac = 26793e8f8d5eb7c2\r\nResult = F (1 - MAC changed - for 0-len msg)\r\n\r\nCount = 36\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 8\r\nKey = 015a9d1f2df2c31f14cfbdc0bd68725fe8113a024f2a43312d963207fd6f0d88\r\nMsg = 00\r\nMac = b19fc2680b8b82b7\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 37\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 8\r\nKey = 003cff344c4e1932ac628440d819eaaafcc3ebe7c525cb7abb7a6716d2b76e05\r\nMsg = 00\r\nMac = 48a98dbf16257142\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 38\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 8\r\nKey = 1a581f36e1816d346f7bcc6df78316aa353111e447fee6f0bd05d562f30626ab\r\nMsg = 00\r\nMac = 587155c18ebbf8b8\r\nResult = P\r\n\r\nCount = 39\r\nKlen = 32 \r\nMlen = 0\r\nTlen = 8\r\nKey = ebab54c4a22a16f7d9546bbf682b995a6ce944e949f1920eee058db95ab9c93f\r\nMsg = 00\r\nMac = 067927f063adfaac\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 40\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 4\r\nKey = 58405ef8fb69e88221edc10a92c01cc44255aa7083096adb79bec3a8cec6d050\r\nMsg = b4aaf9ad1bde60a8d7e7cb16c1cf6b713df17d1507b028973068a95963a5ad5b\r\nMac = 42ffe65f\r\nResult = P\r\n\r\nCount = 41\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 4\r\nKey = ca0f404e3389e9527135f53eb58bca7726266b8086d33fb512e8143daad7633a\r\nMsg = 8f2a6b2185f73372ccaeaa7f93d30d1ca80a451ee0e46ccbbaf98c8f3f37aaf1\r\nMac = f2b311b4\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 42\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 4\r\nKey = 67b896b88f07962e08471634ab7e522144d716a2969bde55a05c3c931f747a8d\r\nMsg = 0218eb619dbbde2e846218339aee4383792856496eb3b85cc43fa81446fedc5d\r\nMac = 69db1949\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 43\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 4\r\nKey = 422994df8766f7a6a7ebfa2ca57ed6189d9e9e8455c8715c14f3f407b75dff4a\r\nMsg =",
+ " 12f0c45d06a138a964fb11b2d450620a2977bcd2952afe371cad6e3d48b009bc\r\nMac = fc5f1ccc\r\nResult = F (1 - Message changed)\r\n\r\nCount = 44\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 4\r\nKey = 3291be3aecd2e06cd2ee61a14d723450043d450567cbb0bf88ba32972d86dca3\r\nMsg = 343d5a4ad39acf81adcf24e9807618932abcb3bc076734f179174c77c8cb89e9\r\nMac = 3593d615\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 45\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 4\r\nKey = a1885ce431cedbb60f7b3d96a06cbc60a964df156ea4b4191abc5a9f60a0c361\r\nMsg = eedd0d767a25b24ee25fe747718256af51d7b4bfe900adc069381a71a2dc7aad\r\nMac = c558f768\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 46\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 4\r\nKey = 039188ec58fa55acde53c337fcfd0013f0c6efa55c60ce470112159bcaada11e\r\nMsg = 009f47f180e085776be6644aeac0070be64c289f84a7ba3dece7cdc54f0db354\r\nMac = 20d3639b\r\nResult = P\r\n\r\nCount = 47\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 4\r\nKey = f7d946f66e1cc4e5a79dfb5559cbea5a128545eac38e17ee7f3bac9a806faefa\r\nMsg = f250c49f9882f10db247adfdb2112c2589e1011f77c48e0f219dbf85e326f8a5\r\nMac = 90b4bfcb\r\nResult = F (1 - Message changed)\r\n\r\nCount = 48\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 4\r\nKey = a61f586ddbbe0219187f8f446d4b172f5e9bf855d1d5d6592ad8e03eb4d555d6\r\nMsg = 71c8eb0079559a306e236c49b7ce1b6cfe26c7888733eb7ec07690831a72c0c5\r\nMac = 78ce0135\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 49\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 4\r\nKey = 7774802fd82fe96c05431acd40b49b1160d403c0db09b10f23d0bd0435022edc\r\nMsg = e75b6ca1b87e775b33536979422a1cf743f58c71b1599adb00050972c843cdf2\r\nMac = d885703e\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 50\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 4\r\nKey = c4261ebb87a76aaa82a00392ee2e2318f0b52d5f2724e374847ad9ea5c8929c1\r\nMsg = a41bb1f256228302cd0548ae2148ff42774d18c2d6d3e38b36bc4938da13bac3\r\nMac = 857d8909\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 51\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 4\r\nKey = 6219c19233c1b91d7785fde3b65df3bd2e1d74331ba62e4d365947a77cd243c4\r\nMsg = 68f17b9f57734784144112c79bf360ee324d37f9a7718137d954b15e796fa9db\r\nMac = 0e85de57\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 52\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 4\r\nKey = 7e8cae1374d3a21bf2dd3786754668f17aa63dd5e3654cff9dd18041806d1968\r\nMsg = 2d335be62ecfed45183f5a04014c1a52afb7b918b9cc1f2be93b15c6e5240537\r\nMac = b56ee72c\r\nResult = P\r\n\r\nCount = 53\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 4\r\nKey = c2425ed20cd28fda67a2bcc0ab342a49d79d6b4eb196266cb0d116fc18895545\r\nMsg = b5f24c00cd15e377f444ae55e02b335379e7ae14e7c9bd05f0575d8981941553\r\nMac = 2e44c573\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 54\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 4\r\nKey = 1f7871680bfa59a8a178604dc513b51a3d4c682cc4c421de594512e9dd062ad0\r\nMsg = fcb43224bf8989e1809d90481ba043328febaf4b6c1c05d18800ed98f4b71c52\r\nMac = bee03b92\r\nResult = F (1 - Message changed)\r\n\r\nCount = 55\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 4\r\nKey = d8a27558d070214d3f765cf969b2b8f09c0b14ebc492cb2539072b04db9f29fc\r\nMsg = fc69a1f0d0ba8eca9e7c0570cec9c76b511c74b2d8b65928444189675eb42fbc\r\nMac = fab3b2f6\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 56\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 4\r\nKey = 72354b455230b72a6dbfa5cf6c3726d7f8e65ca773f9d469e99d165743657b36\r\nMsg = aac60835c309d837aacc635931af95702a4784c214283ebbfb43c4e29973560b\r\nMac = 69519d9e\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 57\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 4\r\nKey = ca92b095173076a40e24522297be27fd3a765c8d417f24c71a9f03b3fe3d8e20\r\nMsg = a96c4d5c89a364263c97a453308b9360bc0ed868602b9ff54fe13f162ad31ab2\r\nMac = c59a1a39\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 58\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 4\r\nKey = aa56f98e03f559eea02ad958e125f2312ff97bc3310079ce437b383f247a9b3f\r\nMsg = 01bf2aa8dc66ca44d16d4567f1adddd4461f78706ff15cf68ad937eb57aa62d5\r\nMac = 31171cfc\r\nResult = P\r\n\r\nCount = 59\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 4\r\nKey = a0e317b790870e6703e6077dfb8ea327c12e29a17107284cb89d5effddb2d9a1\r\nMsg = eb4ea6b72dfc6657e835bf82054796183330c02a8db3c5b179abe37fd0a05675\r\nMac = 05d54199\r\nResult = F (1 - Message changed)\r\n\r\nCount = 60\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 8\r\nKey = e3de27949ff64066131c81bfee172b308f9bb0b31710678ec394837b79434605\r\nMsg = e41557341e8dae33568524f3f64b23426044c9db3526463ad16786af14f611b2\r\nMac = 975ad1d2fcff6a85\r\nResult = F (1 - Message changed)\r\n\r\nCount = 61\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 8\r\nKey = 492dacdcb4a35fc438a6eaa35e26d2f683a1e85e92df28f213dfe1da6511161a\r\nMsg = 0515ad7b8576258645d37b7ac771745620e2e9e009cd778f34ed77a7dc5c30a6\r\nMac = 9f43dba2aad2f539\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 62\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 8\r\nKey = d71c50d55850d432cd8c8ff4ea427b3f19cbe14c785a7704202fcbcead0de5a5\r\nMsg = 7ffbc4a09583029cbb0acb6b13f08a189033da22c2ecf921f01d79ac68a9397b\r\nMac = 5d00ffc5f8cf1ddd\r\nResult = P\r\n\r\nCount = 63\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 8\r\nKey = 557eb2e709d58915a8bada6433f2e5660247e0cb1588ea84a9d24028090eb396\r\nMsg = 003132645e3026f6a2b9d0644c16e5e4d1bf8b53a51f0e1b999bd45a67d19341\r\nMac = 6f3d9f50d09476ef\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 64\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 8\r\nKey = 351d779277148ab4474843cc798942cacbe863eb1c1c9338dc25e251c12fda68\r\nMsg = 34bcdd3d0469c01d0d95a85ca705d887385bfde20596a90b47d902db826dbc8d\r\nMac = 79ded259f93456bc\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 65\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 8\r\nKey = e1c17ce3d3c61468a7652a95128bc0f6c33d9ccc46e7490327f15f645a94040c\r\nMsg = 97829c60ca9a71c23eaf1c4b4fbd72043037ef0cd356b68e0db0d4f0f50cc54d\r\nMac = a93f0d16499f63ec\r\nResult = F (1 - Message changed)\r\n\r\nCount = 66\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 8\r\nKey = a9a86a4407b7ecebc89434baa65ef173e88bd2dad9899b717ca578867c2d916f\r\nMsg = 25a152850b4b80b19d8f0b504b2a8a241824b3a1fca8d85c8713b2c0c84b5e02\r\nMac = fe84ce3defe00f67\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 67\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 8\r\nKey = ed14373671cd8041e00874b5d098ea225eaf9c68bb51cecbe8083149bdda062a\r\nMsg = 38106cdc72b1ddd0fe11f23819096dd7479e95ee9730940c28f51e28eca653ed\r\nMac = 470404ed731640a7\r\nResult = P\r\n\r\nCount = 68\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 8\r\nKey = 009f47f180e085776be6644aeac0070be64c289f84a7ba3dece7cdc54f0db354\r\nMsg = 2eced43c084a86f89f61e7237425137c167aac29e4cac4071afafd3f0c9dee1a\r\nMac = f67d432e5b6fc5e4\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 69\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 8\r\nKey = f250c49f9882f10db247adfdb2112c2589e1011f77c48e0f219dbf85e326f8a5\r\nMsg = ce61d6d8de1b299c9b063d1e1cb1faf7a616faa7c6673d7f9c0a1ebe7ae285fa\r\nMac = e1d950593abc14e4\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 70\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 8\r\nKey = 001150b2dd572288b6fde466ec2c2a64c75a9d516b7096f7082bec9f52c20ad8\r\nMsg = 6dc38e37d1379732df4dd535db88d17aa59d7cf9e8d60ae695b4047b90d899f7\r\nMac = 2de6700fc1562ad3\r\nResult = P\r\n\r\nCount = 71\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 8\r\nKey = 68e00d394855b6697da8213a120dc2213b3a8a1e88c9b93f5edef465a809974a\r\nMsg = d21aed2073e8ae9c0560f9dc1adb961d4f959fa12c0384a44c675192bea13477\r\nMac = 9594f10d5ce5e616\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 72\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 8\r\nKey = be0f6052baf658a3607d999b81401edf7e2afac2b143e1b908c8ea0ff38193d9\r\nMsg = e502f0b4710bfe517e783c4bbb85055c8471b04e12dd6776f276367fb5d36369\r\nMac = d409a879dccca77d\r\nResult = F (1 - Message changed)\r\n\r\nCount = 73\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 8\r\nKey = 7147b3c5ffb2660c45cd8d78a6fd44bdd5ba75349642b32ec88f6688a287297f\r\nMsg = cebe84df789c98dd125bf43cd993e2f089611b98d10be04904e2468d116dd2ab\r\nMac = 21cfc1e6c1c38df8\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 74\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 8\r\nKey = 205e751926038ef940c6599d84a9e1b4737bc826e9fcde544d43f2a10b5de931\r\nMsg = 86ffd5bd3bd1cae10706a61d247b2257b165f37cb53ff21761077a2295a9111b\r\nMac = 73d66ea826b84fc0\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 75\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 8\r\nKey = 8c8a502eafcfbb813dd1ea907b1660a41fcaa3f905aa93c22320f96ebfaf632a\r\nMsg = 626aed82974ef29a1ba0a6c6fefcbf34ca982e6214835183502f6a24ea2e500f\r\nMac = ca3d007ecd99be83\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 76\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 8\r\nKey = 596db502a357e102566291b916b32b8a09e99d3739f5e6543a2cd8fb0c9a1cc2\r\nMsg = 22bade59214fa4b933cb5e3dc5f096e239af4c2f44f582b095c7fea6b8914bfd\r\nMac = ff4ec21d89d4762c\r\nResult = P\r\n\r\nCount = 77\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 8\r\nKey = f51f2fb4b3fd8045b70d34b600a2697cbf7503be0d8cfb5cdc60f9312e3e269",
+ "5\r\nMsg = 4d43702be4f0530319555d7f1a3356160f6cae48051f12e22a153d7e405c1149\r\nMac = 3d615ee77043d8b4\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 78\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 8\r\nKey = 80a4b14f951490618ce53d39abd3d786b425d4f76b26a25052d98ebdb7e9e666\r\nMsg = 0b2a77b0175ffafee40cf83bd19e785dc7ec4319786c49b3e7a741142aea901d\r\nMac = aedcaa2e26d2f5a7\r\nResult = F (1 - Message changed)\r\n\r\nCount = 79\r\nKlen = 32 \r\nMlen = 32\r\nTlen = 8\r\nKey = 39fb57fadff7cd9e1cfdba154422b71d693d08807d86da46ba63c929417ea549\r\nMsg = 567c7400f190d06e682b3dac5f751639a9007362b1a2a8b618800fbb9f6c08df\r\nMac = e29461fe8c6b3767\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 80\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = 535ed61510eb268100be032b7a258e84bdb32448269d3000a76444ca74b4695c\r\nMsg = f7f28df82f910badc5f4b3860af28cbb6a1c7af3fafa6dae5398d8e0a14165def78be77ee6948f7a4d8a64167271ed0352203082368de1cd874bd3b2e351b281\r\nMac = 4a0fd541\r\nResult = F (1 - Message changed)\r\n\r\nCount = 81\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = 713fd349c56d1086794eb20ed59ddc89b065bb8533b968c6dfa60bddd16646fd\r\nMsg = 4f3b91aeaaabfc7d4dd6821549d4eee2ea17f59aa196c67b422be2d46f3a2ec65494464c969b157985a6a30199a72dfb1c0b7be524e16ee9c43fd95e83e19192\r\nMac = bd4eab1e\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 82\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = 1f89d9ee93294aeaf3503d15a6dbef48708de48897a72b3545b9e3852eb7fe31\r\nMsg = ea0608b19f47676f0f342cc2742e003a6a74fa2850f41e0cf162235163887a3830dd8b13b45842b3c686ca239bdb9897e646ac9f440713a0d8c5b18532db3db2\r\nMac = 8bddd404\r\nResult = P\r\n\r\nCount = 83\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = 2b50dbe8a5ed0c7cb69aa60a38d10cfa4553c73d58c0ce84b26504b0fd55038a\r\nMsg = 2586563b0102f662b5a8f9bfb0c1d107a4c27569d27bc066889213e3e830427ceafaae1ca543aecaca7f34c671fbadd518cc28d9e806bba43b2e220e5cf1aa45\r\nMac = 987514d4\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 84\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = 29a7ed3aa55c7eb7e5bf343ca0efbf8b2062ce67b086255551a8efa0ae16569f\r\nMsg = 2e6f2d21aa133a5061622f08ac64c6b3a3dc8154862033055c27c3a3d9e42dc885d2c9f91bd1d0212f301c3e140b2f5bfdd777be623bd162a6214ba8f60e2e49\r\nMac = 1bf45457\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 85\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697a7ee6410184c7982\r\nMsg = 65916ae3d88ab2add5c0c6910ea993d385cbd35c5077ea0d9db30e53f378abfcbb1e0649fe14204470d4dd53ae16650ec444cb4ef22fed86b0009b57ef71fb5e\r\nMac = 578f80b2\r\nResult = F (1 - Message changed)\r\n\r\nCount = 86\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = 47e49e5b57fbb834932fa32107697471119f1be3c3a6e71a8c474d4b1596e539\r\nMsg = b3cec7ad75e2bf6c87029a67365aa83cf797ae2f4d42e720ed4c48ba21ea08ee6aa3609f69a6909fff6222dbb45172d255146e4ce1c59b48a7895936a8646766\r\nMac = e6e64597\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 87\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = f0b0aaacc25a791c236aed0e9b537fad00a15efa9c89b5068ac52c64639fb1de\r\nMsg = 9a5a9560baed3b8e0e90b92655d4e5f33889e5d7253d9f6c5aff71ea4069224cfbdd19ae3f0ecdfa65c27dc3bed721712784a09fdde243c193ab6a0ac2417e8d\r\nMac = 990bb31e\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 88\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = 14db1ffc1c87117fc72981706c0f90404acc98aabe950839baeb6f0b727bd6d4\r\nMsg = 3d736aeca5720f5c7bbb16df61f6d785facfa070aaa89c2d9e8af9450d62490ebd6a29c7c8e521e4a00fcca7515439f006c09056cfb7f976a1e6b98b9f799e40\r\nMac = a6786e52\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 89\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = c6f0a3692c9280c48393b0dd763e5d0b90477f34ad69f192ae4dcab771aeeacf\r\nMsg = 8439ff717e1e15161119494d368d7f3812601588265bbefbc6d48e22cc8a51688dd021500cee38fe6ec402f9aeb0762f92b2a73adece96e1c7b24be2aa9924ef\r\nMac = 70126cfa\r\nResult = P\r\n\r\nCount = 90\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = 75225a26d63e91281fb37ace46354f81de99dedfde8b770ea47f08503aea87d8\r\nMsg = d729d8cd1631aacfe485b1f408a4fb60256e7a8ed6e5b53afc34be7e57f1643b549fa9ba2677779318688ece225cc149babd6259ec37fbb4adc03e8f6dd63f03\r\nMac = 5112f762\r\nResult = P\r\n\r\nCount = 91\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = ab72eef2aba30205c986e2052d6e2c67881d24ae5fceaa8fa77969539152527e\r\nMsg = 5251a0aadbc92b76705eb053d09b25b5ad38eebabfe1980d143ac90aa81f7723353059824c8d9befa5ded6f5b4973f407c7a1f4aa85d8337d82d34fd3933e9c7\r\nMac = 52f7a014\r\nResult = F (1 - Message changed)\r\n\r\nCount = 92\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = 6906d6533fbc33f56e38e6a639798005daa228ebd2fc8f93803d26fef30b8e95\r\nMsg = 6341370e126097f9721a13c977eb4875cf1286e15c3adfa4e7597e0e13d93b6a8ff66c809067fd5e7f40c358ee170d4ed1657c2deb3015b886e79589678e0452\r\nMac = 1b6a021e\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 93\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = cd9072aeffebbdfcce95b569c34158d0e130ef24dc99e3f98a4dd246949be269\r\nMsg = f882339f93ff114bfead78044aab1c7fe109dbf1bb2d968ad476403fdd2034cd3168ccfb0cf02f1ff7646ae3875ec349478749edf300b08be7005cc0d6bebc15\r\nMac = d16bcdc7\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 94\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = 3005c0100dff59e5e4b0e3b95abbbc79749dc49ba29a79b1fcf7613ecb6aa9c8\r\nMsg = 4c2c670f3ac1c4e33a8d43063c8983e20f1ce6a73299fef1e70a42a5882c061b1ebaaa8330ee1181d946541b1d84b8d57df8de1ac9013ade36d2c682b172f8f8\r\nMac = e5689100\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 95\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = f32eefb301356fb1cad6dfa94864542b5f8cd8e98438bdbfbbb431f0c10f12b3\r\nMsg = dae6db62842a8a25123e50041b701ad17e2f63a0496443c3d905a9f943e6e4e2f3d369b693ddd0372ff11fe496af4b700378fc72fcc9915e7bc864b44c1d4f77\r\nMac = 280624c3\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 96\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = b0212ca369c611b725eccc3daa58df412787a3475f418d820971af46773382c0\r\nMsg = 13ca022396285bf7b82a600b560208c54ee14f8496bce684895029027e6451a09f4eeb0af9b889dacfa4b7b934ae30c7d991523e23edd0528048a75bfc525335\r\nMac = 8e9759db\r\nResult = F (1 - Message changed)\r\n\r\nCount = 97\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = 57a9d1ea216c69c6e360221f8c858a9d356598a8b253e2cf67f1116b5df5927f\r\nMsg = 77772e91be674abb0f496b47dbd632e5616177a0d16a8c11b271c2d381082f379b2cae385dd526b189cc10cdebbd33bf3d8db2b449ed49064d30d4b3a359110d\r\nMac = 41022947\r\nResult = P\r\n\r\nCount = 98\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = 749f2fb720d321757473afc5d3a377a0eaacb425e5591026e3a1bae6a785b921\r\nMsg = 2e4f5149d67c955c409b63b04d95538808da6202e69a50ed4d3846da52fcbc76c7089a17758d9d94a63efd5ae7054dbc0bf5a28b7381f7e78debd0549bff1e11\r\nMac = 67b34b0a\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 99\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = f8ebad761b9e73c77faae3fd9390093fef595e77e6d7f6b35e2dfccbde925c44\r\nMsg = 18430f34d5b5fddbd228a910cab9c48e1ba2b5f57819eacbde756cc0c993b736a778c8008d37776a2915077af8ecfc76b8cd2ca621e9195bd0b27e31843d2890\r\nMac = 7a446398\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 100\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = 5bb9fb83b6a85f017bde6c0ff3ced955b9f343cc71b680c6b591302f52759412\r\nMsg = ee7e6655424125462a96390e02bfee9d89cb271bd9bbf22a9de45f6b7e949343def818dfc93d777528f609cd38be0a013b1eef816eb1f9593a850bb7aec5b9a7\r\nMac = 5e1fa5b9c9dcd90e\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 101\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = 57a9d1ea216c69c6e360221f8c858a9d356598a8b253e2cf67f1116b5df5927f\r\nMsg = 77772e91be674abb0f496b47dbd632e5616177a0d16a8c11b271c2d381082f379b2cae385dd526b189cc10cdebbd33bf3d8db2b449ed49064d30d4b3a359110d\r\nMac = 430229471a1cf1b5\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 102\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = 749f2fb720d321757473afc5d3a377a0eaacb425e5591026e3a1bae6a785b921\r\nMsg = 304f5149d67c955c409b63b04d95538808da6202e69a50ed4d3846da52fcbc76c7089a17758d9d94a63efd5ae7054dbc0bf5a28b7381f7e78debd0549bff1e11\r\nMac = 65b34b0ace2fc6bc\r\nResult = F (1 - Message changed)\r\n\r\nCount = 103\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = f8ebad761b9e73c77faae3fd9390093fef595e77e6d7f6b35e2dfccbde925c44\r\nMsg = 18430f34d5b5fddbd228a910cab9c48e1ba2b5f57819eacbde756cc0c993b736a778c8008d37776a2915077af8ecfc76b8cd2ca621e9195bd0b27e31843d2890\r\nMac = 7a446398a5c59ec6\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 104\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = b228c753292acd5df351000a591bf960d8555c3f6284afe7c6846cbb6c6f5445\r\nMsg = c66d322247ebf272e6a353f9940b00847cf78e27f2bc0c81a696db411e47c0e9630137d3fa860a71158e23d80b699e8006e52345fb7273b2e084407f19394258\r\nMac = 129",
+ "e40ed97c02ff9\r\nResult = P\r\n\r\nCount = 105\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = 8ea05a5033ab8b009664fa2800c24e217488ce6888cad14774ad75b2696e9470\r\nMsg = b3f09d990c2f41c8707368bba007803621ecd76540cdb8705435d74f4300eee04710a936f241c034709e625b0dd5dae1f6e86d034426819c365a05f5be420cdf\r\nMac = 08e5d5b3facd3b01\r\nResult = P\r\n\r\nCount = 106\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = 016b5537198ed152670c5fcfb70ade276de97ce0cb771c5f6f66fcfe1dfd945e\r\nMsg = 7ad591e67c6a3ce3c9f871e328fc4ce3b6e7048e80691da551efdfa4c96b06a3af53bb7a88ecc32869c8f776098df4d71af91393da239c24e50436e04d35a2d9\r\nMac = 36df9931a14dca9b\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 107\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = 22d5d4c3a3aa8d2fd5f25c08b83cea60e94058e8235ddd050646b02617f82854\r\nMsg = e86dd3216500273d0b6150227cf03adc20c8a5fed4a2799fdff759a327657a3ca554b6af16d9dc5cf3db4bf9a474bf1ef1996a06b9fe4794e634ab94a0141d44\r\nMac = f0246b4959d2fa89\r\nResult = F (1 - Message changed)\r\n\r\nCount = 108\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = c892b095173076a40e24522297be27fd3a765c8d417f24c71a9f03b3fe3d8e20\r\nMsg = a96c4d5c89a364263c97a453308b9360bc0ed868602b9ff54fe13f162ad31ab20f3fc51bd2346ae68a006afb50e846e8431dbf7bd0eb3c8f30326d26311a2eb8\r\nMac = 1d943a8b0c470221\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 109\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = 2c87c0d64806fe303c5e97bccf48360f89374b6119319bfaf8defbe74adf58f1\r\nMsg = 37c6206e23163c39a13f19de48cc25dc26e6f83cb376e8d2048ad7c141fa503d594bd395f4d36c70aa1e8a5672910f735d4da49884574f833ef54760975b0790\r\nMac = 58cb614230d590f4\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 110\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = 028600eebf6b3eb04d8fac18399965aa8fb5f3954d3a657e188ba17f2e3bfc70\r\nMsg = 5b80d1cf745b14cb71cbc8dfe0bc7c7358f721c00099b3e250c41c2e1c9455c5ce55ce69f3f31090f9b1a1b7361e27f92d46d1e00d25f37b7b61f0b191385dd4\r\nMac = 02587102e6450de1\r\nResult = P\r\n\r\nCount = 111\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = ea1a626b623e9440e3f6f5c0b8b63b9967374ee82c1957fca5cd195ccfb2840b\r\nMsg = d082b2aad7058c3142021457d47d51d8ebaab62ab452f6039e771a1b0f3bd03355fe0656dfc7b75fade505bb05d689706867e75ec41da5c5ebd43d0844a670b1\r\nMac = c874df0a8aa87c5f\r\nResult = F (1 - Message changed)\r\n\r\nCount = 112\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = d1155265fe296f374366dbd11f14466df1ea210cc88b0d1876509347e64815c2\r\nMsg = 3e3d3a464b2e6030be877f8db4c1c42bd2b8247adcf792ee833675a57f21594ade5be4399cc30ce373f68874f41584b4d7c8992b9082fc892307f645382c9483\r\nMac = 6bfdc96378f0c8f2\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 113\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = 9bcf914f787fd3cf62c6315a12feee358eaacf1f63ac802932b933c86b098a29\r\nMsg = 02c8b892b13f04d99b875b8aaa32136d19dd6b9c2a10d8871c66993a57ee91e3ebd0568e38348634ee5f5af4391f7da0356a1e7ba8424441f0db61683a002ba6\r\nMac = 365da451a2787193\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 114\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = 35d5df6d714e2ba5b307c4d1908e108bc6fece682a23aa35e2de0e80d4cb3c5b\r\nMsg = 963ef1899cff6e0a6dcd80a27b63c20fdb8e9fa1ee3e14ed40ddb7c6b0dff969d29ba8f89159b82a19ac4240f402cd3b7279cd4c4ff4698c906f81edae8ff070\r\nMac = 33995a3d9c470cf4\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 115\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = 511ab5e28b6fda481fa5a0fb3709b249fbf29be56346378a4d3f67e1cd6f09a5\r\nMsg = e4cbbf14f27490843b0f9a17b4520d4bb2c89726f4c788cae4a3344a1a2198bc222e41907fd16a20ef5f6587f1ee3cb7850b97c633b0e0894e70a6647af53f60\r\nMac = 3b4aacb52525b58b\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 116\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = 5e79f14d5f687ce62b82f856695af9f7dd350543ec763de75b593f1859e44c2a\r\nMsg = c0dfcb62fbc3a67ceb792b3428d040ed5e50999296702472b709a44f4c0b9bb1876f6e80866cc4d2d6ee2f0236440e029d18b2f27ea5bff14a24d53337877053\r\nMac = af30acca71feba3c\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 117\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = cf8a477434cc679e52dc3f3f3520eb108239dad5bb363034bf0768c790343e70\r\nMsg = b891b1ab5a6919e0b99013e40fa7c910e55a480bd043d3d85b0b7d1342d3f777e1d2a6a4eb3ff81f5f71f99bb845217765c0708778f5be17a2294c2d5f369e0f\r\nMac = dc10e268f5f73bbc\r\nResult = F (1 - Message changed)\r\n\r\nCount = 118\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = 67d77f50727c7cd5b38e0b175a888c88687c97f2ccaa3daecc519116a7c5683c\r\nMsg = 02c5c55e7677c84a199d6e534772123c4e5c933622cfa8ef536e74cb3d745b717f53138aae9bfec54a1cb71ff04feb61d2f26aea65f37dae598f7b7fcebb978c\r\nMac = 885050ec166faef6\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 119\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = 0091d39f3478d2c59bf874b96db9ce0f7e8b85a9b805e07dc96b219819d51663\r\nMsg = 7207aa8fa87283f1f57019bf1c89645ff8fc36ab1102704e6d577671a9f7e098482573c64ab24fe8007c697020353c411566bccb98b38c7784607045e61405b3\r\nMac = 96f639a86a2d698e\r\nResult = P\r\n\r\nCount = 120\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 4\r\nKey = 0e6d99ee5137c8f6b9bb45a961be8a29358a91189cf9974f5bcf20d3b64c3b04\r\nMsg = 543ef4638f1322131402172d193bd304b34e3745ecedb9db16f35c0f5fa6\r\nMac = 33f10660\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 121\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 4\r\nKey = 82421ddaaa5767a496f2b78f816cd1e1e6699f6e9e6576c34c909ba5f8dc06ba\r\nMsg = 4e2f0f91990b855a00d27fbb2e8db7184cd82909de361b52e7a75b16547d\r\nMac = 3f5ed151\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 122\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 4\r\nKey = 134f20cb62084a98601f0e69d257fd2064beb47248caa79720a71d461ed07ce0\r\nMsg = c248fa87a6e48cdfafd1e5ac00f95fb1dfda861465747265796654dcff54\r\nMac = e7b21645\r\nResult = P\r\n\r\nCount = 123\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 4\r\nKey = 98505229c1927d13001b53850d0b7d56f49087afc6c2351190cc1b998e4d6883\r\nMsg = 9bee2e347f763c5c506876bb514b5ba1248abc6b3d17cd4c96537d4ea432\r\nMac = 2c212c7d\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 124\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 4\r\nKey = cad710b48ea0bce4a897482a535aeeaeabebb42619578a9d1296927301b3bfa6\r\nMsg = c1db23e776272765a0fee49edcce28ff7702b9ff9b6e31a4c3ed0c497248\r\nMac = 7f27420d\r\nResult = F (1 - Message changed)\r\n\r\nCount = 125\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 4\r\nKey = 0bbf4f77a9883733590a3cc7ee97f3c9b70f4db255620e88cd5080badc73684c\r\nMsg = 7ff9ca86f820e4d57995d450611009ffaa726e6fbe4ce1558ca1e775daed\r\nMac = b2e5a268\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 126\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 4\r\nKey = 6efabed650ce05ff22b67768e3bcc88c7746952106ecea92a38707af2b8a64a4\r\nMsg = 9cbce402511b890c8c9fa215b59c813b3e51b5dce01e776327f145623002\r\nMac = 03728e46\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 127\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 4\r\nKey = ca2843847a1c9539917206d344161dc40b379fd45dfa6a73ba6fa14defc40920\r\nMsg = d9365304c4363fba73feaa69d4cbb343a76eb2d29de6782ebb34d873006b\r\nMac = a94841ee\r\nResult = F (1 - Message changed)\r\n\r\nCount = 128\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 4\r\nKey = e5a1108da9cf587bcbdf051e216231bc27f0e6c1e97729b324d23768a89e0e77\r\nMsg = 536d4b6182a698d456e1fd9d522aab38cf05656f41a5e02cbd5e6f8cb85d\r\nMac = f52a4ba3\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 129\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 4\r\nKey = 008ee06bf9b19536190e87820af9cdddb40aac44b0c3b1e50074fc29fe5cdff2\r\nMsg = c1eb4c800c631d9f387d2e8e431677b7fc8f65235ad0cf9b118d2b0d67c8\r\nMac = ba255bd7\r\nResult = P\r\n\r\nCount = 130\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 4\r\nKey = ba0bfda3b03c736c121cf9a257db55060b621be5168619ec4182f13ef6a408c4\r\nMsg = 69be384eb107340d953753e6a860ea2710e662e8953de8eff8f465d086f3\r\nMac = 9f650d24\r\nResult = P\r\n\r\nCount = 131\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 4\r\nKey = 7a88524accb59f1c6307a1719a011eff211df24645086c67710ef539f5d3f29a\r\nMsg = bebe346356681f27bc62f0b838a25268e3b04194b865bf83eef2c8928625\r\nMac = b2566e6a\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 132\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 4\r\nKey = 9c956d7bbe2028739d73a2f0a80af5f2f180de923d5571e65bee0b25b5dd890b\r\nMsg = e0d2ea49e3e4a5823efd1b229c705ec3bb5048a7658f10fba2671c5d2cf9\r\nMac = 480a14ab\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 133\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 4\r\nKey = 2090b970a71ce2cf399a0d9e1d3d72c4eb500004abcba1303b24bf9af16707cc\r\nMsg = 0e0ef2cd18533bee01f19870f2fb22176c7e04748db4dcb98f7a65cc9104\r\nMac = ddb6f30c\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 134\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 4\r\nKey = 66921951731e95bbd45c014af5cf623933350dd9a90d1a36465716f8239bf887\r\nMsg = 0de1e090eb47dd4fca966e5f8fa5616618701164370d8a43fae2eeaf3016\r\nMac = b91b3131\r\nResult = F (1 - Message cha",
+ "nged)\r\n\r\nCount = 135\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 4\r\nKey = 43c1142877d9f450e12d7b6db47a85baca7eea7fde595393fb394c1f34369aa4\r\nMsg = 77772e91be674abb0f496b47dbd632e5616177a0d16a8c11b271c2d38108\r\nMac = b2de16cc\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 136\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 4\r\nKey = db4b6206d001af121051cec70195055fc1fd0dc06ccc74549bc440152aded5e7\r\nMsg = 94394feda0528fcc67124dd1d77f0ec0b911f08c3e01e0c0dbc40c1d57d2\r\nMac = 5f72de94\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 137\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 4\r\nKey = 4d658be9cfcdb19f79abc78f4d7f986d02b43a03098b37c8ca56ebb331e62d51\r\nMsg = e28660f57b044a44a19ca40ff7b6469a41523e8d1cef22f4edaba58917ab\r\nMac = 11fa4d1e\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 138\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 4\r\nKey = 70b4cf3883fea8c6cd852a4293c7e5cb0586a6cd71294883b760cdbbfd07aeda\r\nMsg = 4cb9aa069475e54b25e5688a52dd4acd134169c858105f01a0a1b134c72d\r\nMac = b6b60815\r\nResult = F (1 - Message changed)\r\n\r\nCount = 139\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 4\r\nKey = f75bb63d52c35137448c58383afe47e026d536f67e3afdff87f29b10d3d6d9e0\r\nMsg = 4259e4fdf10acd8da40accd6354f4baef4859a2f5ebada0d2c5b1b26905f\r\nMac = 336ee1e8\r\nResult = P\r\n\r\nCount = 140\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 8\r\nKey = c938f6bcdeca02939fef931c969a25edcc3daf338d8286016e3c7ee78f9d52c7\r\nMsg = 47179ddaa9d7ef6b9a53c646325c80db69128c6fc4f92ccd345078383b9e\r\nMac = 5cbd65df0ca36898\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 141\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 8\r\nKey = 9540e4bdd8c7ab99f0b76dd9de24c340a60f7706f680448509d5dc35cb5930da\r\nMsg = 4715a9a66d10b2dc1869d90fcf9b7fa99e91b40abcb8fc356b5853c92024\r\nMac = dcbd4dae7cc60d46\r\nResult = P\r\n\r\nCount = 142\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 8\r\nKey = d5c396fc1ee960215e57cfeeea1e792fab9334f2c45dd93e74cc47023e6daa4c\r\nMsg = ce188965b4d347a6c36a6fa5a47296b32ff0fa27311266b16b1d56ebdda7\r\nMac = 1684fadaea17bc79\r\nResult = F (1 - Message changed)\r\n\r\nCount = 143\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 8\r\nKey = 897193cbbccbead9957876b8b42a77b404aed32a3f63bb9ab5f08cfe4936f35a\r\nMsg = 87767f13bb4904d0df0d64eb22c9ddb65e81b5739baad86ad5e2c239ffde\r\nMac = 84ef6f59b770d42a\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 144\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 8\r\nKey = 86aa015253a7114e1770b6a48fdb3ef22e9d5abac25fdc145315c09f4e8b69bd\r\nMsg = 2595cb8d4d6aaa148596e8502ec80a030d82195f9e1d9a26ab0ec0101e67\r\nMac = 63e67c44ecc05dab\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 145\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 8\r\nKey = a082c12e97bddeb0c74c13aa4ba788f8a127c44fbac6682050271dbf7ad6cbc4\r\nMsg = 7fc97a698d7b0eed7d7602a5d13e956a538c71c4b45978a47439c05601ea\r\nMac = 3e1fe077fc7e903b\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 146\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 8\r\nKey = 18716638a2f6b4fb8dd2849fa9aab80b8dc846ee7e6b3cb0926101a814d8dd8f\r\nMsg = 6593194b9970545c5a910b2b4fcd46f0ddc7aa0bf873f0a339d5958d310c\r\nMac = c4556a75b754f6c9\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 147\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 8\r\nKey = 6237aa30f1e3df239c96e7e50b69496da9305951024fb83a6fd01e96f6b2578c\r\nMsg = 0c5b7d1ba68654cd24871964f1b31ef7900dabc025baa02d37b55b35b4c4\r\nMac = 22c74fc64489ca5e\r\nResult = P\r\n\r\nCount = 148\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 8\r\nKey = 32f60011bec76a79d2e837c611fad1cad486ee6f2aeeb74f1ea32a7e3899bdaa\r\nMsg = cf772bac3e767534b13efd381119b66f8a99b91aa52c8d3ab5f0a60073c9\r\nMac = 08d02ce41d4964b9\r\nResult = F (1 - Message changed)\r\n\r\nCount = 149\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 8\r\nKey = cb6cee5ba7b799f16254a17b1870cdb85fe0ef3f42110c138742bd7734f0d504\r\nMsg = 40d3c65a00d9204b76e013975ffd729b351698105d47448da285a84de281\r\nMac = 4cc6718396dbe247\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 150\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 8\r\nKey = 9b8cdf91e848eeded2598ccdf084bf591ec2eb668236f555ca61a9d6b49959fd\r\nMsg = 7b3cc6f18a27047f4cdc35404e44eb8e51b1855d4bcd54ccafd1fcfaeef7\r\nMac = faf72c383b56a4ef\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 151\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 8\r\nKey = e6fdbe9a1efe081bbcfeb25b844734fe60aa6b80a5b5f611982de1a331b88041\r\nMsg = 59a0f85349c3f378d56c509a0a45a1512b5072474b297f9c1a8c24890016\r\nMac = 020354f33df66723\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 152\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 8\r\nKey = da360852e8b8c3a1b65af9e8630ee5481aa91dce414166f8f3dacb75b142f12d\r\nMsg = 61d908e9663fb195afc259529fc229b14e87995f8d3591b125fcce816090\r\nMac = f8963157ef7c1ba3\r\nResult = P\r\n\r\nCount = 153\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 8\r\nKey = c9bf0e7e470d0ffc88593796c4cf9a61c6db81d343305ee06a0f0563bcc618c0\r\nMsg = 19378e17c41586b88523a6b6af738dc47e63ea64b4b83fa283f1e502add5\r\nMac = 550523c0347fbcf1\r\nResult = F (1 - Message changed)\r\n\r\nCount = 154\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 8\r\nKey = 7129ca274190400720bba27651f1ee0d5aa79116af9929418e198f9928a715b7\r\nMsg = 891e73a81d7574ce6f73e09e08cbaa0b9db242963f4469cdd2234512c061\r\nMac = 9982a14d261a4060\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 155\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 8\r\nKey = dfaa73c82a978548c99c0f1c34e1edc2c4edd42b73613511e4e6648ba364f9df\r\nMsg = 18044ac51ea97341061ae7d5bce017fd5cfb1554a384a75aa3919a74ba59\r\nMac = fd3a17e8c51a004f\r\nResult = P\r\n\r\nCount = 156\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 8\r\nKey = 6f0be1905d1b5b607574ad93a1e7b4a536020fc6798acae862253916a0562707\r\nMsg = 8e502d5af4701025787e5b251121676182a0b26cdf52847f4d56d2ca0983\r\nMac = 73d76950066c77d0\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 157\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 8\r\nKey = b9fe826b0138de8184a3002d8bb59d228862e4a14f8556f88282d8494d29068c\r\nMsg = c97ca1930b65064b70d12fc46af4d5e220e6009e729a28a13b0f9a11d3ca\r\nMac = b8bccd70bb90084f\r\nResult = F (1 - Message changed)\r\n\r\nCount = 158\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 8\r\nKey = 99c8f69fb91b17299461fd8d633bd516dcdb172760695ec476a5775377cdb7a4\r\nMsg = ef589e3b4ad9a7ba390574a2db5330baea64894f8f881cd67b842dd23393\r\nMac = 38e11613e67e0416\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 159\r\nKlen = 32 \r\nMlen = 30\r\nTlen = 8\r\nKey = a86e8b43a1e81dce7b26420c0409628d145445d1c512e1c3df3270839475c668\r\nMsg = c71a0d1e20a7dc8e7adea91a408ecf3d512bcb15a6d8fc1435c6a7f915bd\r\nMac = 101c06c22819404a\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 160\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 4\r\nKey = c5a850167a5bfdf56636ce9e56e2952855504e35cc4f5d24ee5e168853be82d8\r\nMsg = d4794f6f563d5f6445450b59c1ff95d24eadc9c02b68eaa5df64edf81475e5cba8d2bfab021a2fc8\r\nMac = bf99dc0b\r\nResult = P\r\n\r\nCount = 161\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 4\r\nKey = 551e188cbb7c7d1ff33b4bd5bb6c60da184b18f44d68d5c30704df47d8be6fa2\r\nMsg = 2b421be47d07dcb12a0706f7490d05024fce8f433079e18ec78f4c8678f5f1551448c9a0fc70e8b9\r\nMac = 32aeb3d7\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 162\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 4\r\nKey = 000da8307f0e6112f0b8a8b1f927f62e8a9e5aefc0d37995088dd32e867148ac\r\nMsg = b89266f3a33e5b6883206e44f8e8e0cb01275039c304960e8630f0aa011c5c19d769443061a060d9\r\nMac = 1b5e30f0\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 163\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 4\r\nKey = f4ae2113ce96435b27369fd4571ae2841a965c8ddbfe61023219eff9abd490e2\r\nMsg = 433ea4e1923267fe443e1e89d2472834b72ef97323ad6d82f3825ca9e1d06fbff8c232ed4c716ab4\r\nMac = 05b3c894\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 164\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 4\r\nKey = e7c78ef4c4b959ee00cb1a09d71221a43892ef8ad705edd27ed85d03a377907c\r\nMsg = 4da25d1e7064bc4b4903a77452952885a06ba0712544210d30c0182533182fcac90b71e9f71caf22\r\nMac = c15acf48\r\nResult = F (1 - Message changed)\r\n\r\nCount = 165\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 4\r\nKey = 6f48b3bf240525adcb02985900fa29747e4b1265e5a8899abb0ee51cb0f90367\r\nMsg = 98bf67b6e342dd94c948e76aabb69e7d091d24fba54ae233e4181404768988963915a2495b42a4eb\r\nMac = 71bb5873\r\nResult = F (1 - Message changed)\r\n\r\nCount = 166\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 4\r\nKey = cb6cee5ba7b799f16254a17b1870cdb85fe0ef3f42110c138742bd7734f0d504\r\nMsg = 40d3c65a00d9204b76e013975ffd729b351698105d47448da285a84de281bc3307cfd80b39488213\r\nMac = 592e54d4\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 167\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 4\r\nKey = bbab624862e268765e9e6a13df55cf7a2267520e4e66042ba0b4905dc554c3d0\r\nMsg = d43b841f174335f1347834590b0984a2cb35f7a00a0ee993157d2d4f8487489a12ceddd6ac5b69e0\r\nMac = 3480805a\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 168\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 4\r\nKey = 2fc9e8f409cc6c0156ccf9f00686ac7abba6cbe08982a737fa08c7035",
+ "6f54208\r\nMsg = c1cd63e24e41f69a146b448cee0a2107817c8105732745aed817541eede8ee6809e73ddbd0742d84\r\nMac = 91623558\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 169\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 4\r\nKey = c49dc812061fa4995aa7c160ed7cdf769dd1ef570d8fc9c7f8552101c5bdb711\r\nMsg = 74ec6f53d188be3bdb647f37619fa5848076c66d21bac164c381a4517b1dcd2a384a4fc44cab97e9\r\nMac = 07471b07\r\nResult = P\r\n\r\nCount = 170\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 4\r\nKey = 84b6cd1c6618c42ba74e746075dc28700333578131ca6fde6971d2f0c6e31e6a\r\nMsg = dc79743d2360cc52cee202b9bde9abc7c09d9d0311d89c3722da36c7993feb42992e913744d2f74a\r\nMac = 3acba1e8\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 171\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 4\r\nKey = dd472b0bf50519020a182f122239d161d9659773b4df454eb378fedc250eb490\r\nMsg = bdf56403d5ff8df4ffca92eb40d54a79b5595abcd67b9e2ffcc5cbc621d7523be75a87a2dc360244\r\nMac = 3bb0894f\r\nResult = P\r\n\r\nCount = 172\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 4\r\nKey = 00ebd245e8c0e0b60847da5c8f7a1f33604932b9cd47a845a1a44599645b62ba\r\nMsg = a238e542f1c22621aebbe331e71123ed7f2591e4192180ae378c2c24a31c42d10fcba3a3f82c65e6\r\nMac = 1d17d6ab\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 173\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 4\r\nKey = 2ecddb226ae668315eecf107c344926330b94077e029ac3bb67e6a077ee05361\r\nMsg = 38ee97f0dc635c7416a024e3af5c95dd1d496db8a5a5c3bcc20b9093ca906dfbcf0b9ebec3b450e4\r\nMac = 08834104\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 174\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 4\r\nKey = 0a2978b5f20d3b5e5ed7ed5a78a093a51d5aa6e728077346f429c27f1c79b635\r\nMsg = 28313dfdc449628f4e2d6c895381844559067823cebb56cd41493ac0d29d6408e7d78d4a21637b08\r\nMac = b2635d7b\r\nResult = F (1 - Message changed)\r\n\r\nCount = 175\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 4\r\nKey = 7f2286d42b4f9eefed1087f3eb3dc814145be4a110c0e74176f83e7d4068cb7e\r\nMsg = 6c1aa088d1a6086d0e72636744a6840c80ab8223409c61b733f7ef6a4199ed0ccbe96f6c3453866e\r\nMac = 10bf9789\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 176\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 4\r\nKey = bb0fabffbcc6935ca35755fd4bfbd192b6812cf75c4dc95bc3a175a1501be206\r\nMsg = 9801da81a6d9861f26900401aeaec89a74e3d5aec0a5d612a11b6bb4e03ac1db322e65afb1fb5afb\r\nMac = 9ad23631\r\nResult = P\r\n\r\nCount = 177\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 4\r\nKey = ed1d11cc4876f58feefc463b52d8d36e69c4c2c9227b32fe356d1e2a1bb88466\r\nMsg = b16e6c44f429efdc06a892cede56296e12bf185d4b3c6953f7d31b1c3d59bce136d93aa95a3af61f\r\nMac = 29b26a75\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 178\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 4\r\nKey = a6fd8382447181bd300ec1ef039d3f353446d01fde490509c3ef52a992bf6fe4\r\nMsg = d41f8fbb6f968dda0c1b2cadbec04a6c72124eb5dc40b8d2b180fd3b17af915b5a374597e036d38d\r\nMac = 2b343893\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 179\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 4\r\nKey = df0821c9ea6ab329c626d11b4bc1ba7351ca934ece6aae483e3d0bef48601f78\r\nMsg = 84b9c150a1df00ba29386197d79d29a2ceb42fe6390c9e763169f75fe15c55dbe817f5c7fe80f557\r\nMac = 3a5026ef\r\nResult = F (1 - Message changed)\r\n\r\nCount = 180\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 8\r\nKey = 0f1b73e54f4571b2d42aa5ab673f3e99b44f6c37a07a5d4edc7d6b1fba349401\r\nMsg = 3918467effb5d5dc009aaefce84d8cb4fe8f80eb608f4c678f5d0de02ea11e59078d38b04f10de73\r\nMac = 1c207499e0877bb2\r\nResult = F (1 - Message changed)\r\n\r\nCount = 181\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 8\r\nKey = 25a152850b4b80b19d8f0b504b2a8a241824b3a1fca8d85c8713b2c0c84b5e02\r\nMsg = b06f6b3f197bae7d8cde9daf38530e25bc51b68f9aa23ec0e95199b14bca96c91f3db15bf8432f71\r\nMac = b860013252ae83a4\r\nResult = P\r\n\r\nCount = 182\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 8\r\nKey = 849d861aa5a37c6389f7bc2fc3b4860fac9d2277fa5e1a1f9415a6aaa5106886\r\nMsg = 191b53e0c7d90161e5e2014e9b8aea315b4bddf5750aba4be69c944d71896361f210f961ee6b38f9\r\nMac = c9dc7e167c2e442b\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 183\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 8\r\nKey = 29dd1ee0ffa12de3a1f2cb8e4e24d2e548794a5e7e372f946bfd733f3c564764\r\nMsg = 891c806e0700f6df72befe47ff088d917cc30763866810a2fcaa9f38b45953156c860b7303e8b15f\r\nMac = 2f7355b3994f45d9\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 184\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 8\r\nKey = 6cd7349d96feffbcf6e95a96eacbbe8ddab702ef70052b7804f78518589df3f7\r\nMsg = bbe054fbef86db3ce7ad796e6d0add15455b9cff57fb787610b4e1ba05d5bcaed98564d16157ee70\r\nMac = 8a421387c53702d3\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 185\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 8\r\nKey = a32e186c29f6f1852b483a37b50c02defeb2ce81488198bc082c17fd47a741f4\r\nMsg = e687143dc4d98dcc6a2dfe6ee0f85d565d1f46bb0fafe62a17d01720d6f4ccd86754b0626c9d0af5\r\nMac = d44d78445c5ed8de\r\nResult = F (1 - Message changed)\r\n\r\nCount = 186\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 8\r\nKey = 338f8054d58c26c49360c3e87af56523acf6d89d03e56ff2f868002bc3e431ed\r\nMsg = d42b10d3a688c39edf543ae7330466eeb9e3b678ef073967ff83038d40ded1c200c4f03481fc5aff\r\nMac = b25bf6993f18d503\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 187\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 8\r\nKey = 96e04382027fffcaf779c984be80da16f8437db0e39a7123d9048ff71954acb7\r\nMsg = 494c8f931029a4919e2dcbc16512a8bfe275382e7d29c9abb1d14a006caec59ab9b52a3e9ce54ef7\r\nMac = 5a94a03591ee9cc7\r\nResult = P\r\n\r\nCount = 188\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 8\r\nKey = 682f8bc1eafd4d369df384841a88db7b7fb96c9dd9abd6dedc9290a8d8d17d22\r\nMsg = 87b937b1d36e8a9ab33a1d3eed617030923acaabc7e620dfcb3c388936030fc67f647729c19e040b\r\nMac = 89347722a73d8bf9\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 189\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 8\r\nKey = 954222a9cabaa5a0a91100b158a3aeb655c4473d0b00afe6a7a78e0d278a01a9\r\nMsg = b9197eb50c8168d16b8a12bd261d553ffcc521d979b26fee820376252e452213d736c21471cf0179\r\nMac = e5d175fa24cf0fd6\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 190\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 8\r\nKey = 18349be2894d49290339b97f4db28c92b3e112ffac77100abbf9c093935b1a46\r\nMsg = 4b02fd5a46ac681a42424ac9723911af4e389ac73829f36f60916563e51cb2ec3d7d9b55d674a59f\r\nMac = 18c98fd13595f857\r\nResult = P\r\n\r\nCount = 191\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 8\r\nKey = f1f9fdfa9ae3ba8bc6fcdb2e15ae2c47e6292c2acb091fe03e325f298ffff3bd\r\nMsg = 75965cfbf66b0ba13274fce6537fd7aa4efa5d75195a400018bd38f7d8cd53fdffe88df1837fa06f\r\nMac = 935e4d4367aef07e\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 192\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 8\r\nKey = 4652bacedb47faee1be641ebf433157f416b4c7d9e8c7c6f7b17b47e70156993\r\nMsg = 17e6acda3c05c9549eadad55d8918f4870aec63a18802fa33175cf838fa2b9b17cb43270ff2a1444\r\nMac = 7ce4adc343a4498a\r\nResult = F (1 - Message changed)\r\n\r\nCount = 193\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 8\r\nKey = 200e4929c275557d9caab0ba3b0a153dd8010ff8f11ebc1f336dd0249d01dce6\r\nMsg = bd05d26ebfcb5f6e102e79976fbd038e02da6a64a6be90bb84bd092be5cb8ae447409e94afd89b8b\r\nMac = 5484fd10e83798c2\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 194\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 8\r\nKey = 8c6a6e77534976b4d74a0972742989dbc0f753281a5ff10a862e9048b813b4a9\r\nMsg = 869c482db2b0825cd09d295749359b99fde85240e5ddaebef642f4d249e096b77af2b59b4e37e452\r\nMac = 9e640a86d55be78d\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 195\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 8\r\nKey = be3db75687360fc31c27752a5f32125cf04f8bbab694339ebcb57ff63fc7ba32\r\nMsg = 33dfb223c009001a7b3b81916bb094390c42c24a47884fc8a0410f05b2f57b67d8d9046b2ef4a8ea\r\nMac = c7666f25d2329fb6\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 196\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 8\r\nKey = 29e7acc4facc2618f242ec9260a8ec36c4c9dabb89bb8092f00855234b0c505a\r\nMsg = 09bf4f77a9883733590a3cc7ee97f3c9b70f4db255620e88cd5080badc73684c8b80393302ca8803\r\nMac = 424535e20d082087\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 197\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 8\r\nKey = 23f0d00daef3177fbcda6e9953a5a37d5da395204d8af5fb05c74e03f71343da\r\nMsg = 2222135e545f2af53be42d7a463719447e0a6a305fbe8e43e6279a91eb8f3c5db1fdf081bcb77711\r\nMac = 52c42541e2e93f3e\r\nResult = P\r\n\r\nCount = 198\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 8\r\nKey = 6746d9a90e0e763679d5469a1bcffcc4f18f35f50c7714d14c7329b76ce7984e\r\nMsg = 68530f15423071410a349872c559669301096c827333adc4df9da477387c89870942d12513b7f475\r\nMac = 2bf36912e1139629\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 199\r\nKlen = 32 \r\nMlen = 40\r\nTlen = 8\r\nKey = 6b1d94bc0c6e45fc905c509ea667853e4b2c5a8848dd914efcef14d95b12247d\r\nMsg = 207b649c46c1963723624d8428d4b64c08cd4091cc055175223d3758f880614149a9cf7f3725c790\r\nMac = 34f46b361bddf55c\r\nResult = F (1 - Message changed)\r\n\r\nCount = 200\r\nKlen =",
+ " 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = 5c77fe134af3fef72fcd16006097dc7dbc45ca10339ae3bc85e0993e4cdcefa1\r\nMsg = fab52c44379ae8083bdc7b827383df93cb1a7ecc21574730f9fe003b7302de237bed535d40832763e7a2cab5806de91d39aa3f38d167ae3250e48ed1f6ad45b5\r\nMac = 03f36c5a\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 201\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = 997c6b4b513bbdeaf701867bbe81bdee63de0d0d18c870bcc1e9ff7f627f093e\r\nMsg = 4c23d92665e88a4f6f732de384034d493d5df37b767a8260557de05688e8d60dcd0eba9cb8cc4bceb174dcbd3c0ab5a37db3b6ecfb6a3d90a4f54a9f1117e11e\r\nMac = 9e798c73\r\nResult = F (1 - Message changed)\r\n\r\nCount = 202\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = 64e390edd97c0af1ba5165900828e0630606f83d4df5240e1b05c307ee9153ff\r\nMsg = 1ae71094fc1b304adfa3378c4efa8fb290526bb314714c9613beca2a709c91f7e3f6aa74561bfc7b8fcd12f910941eea3b593e85ba2fffb31e7420c6c6199868\r\nMac = 1977347f\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 203\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = 44e2f6d41e04b75f541e724c6f6325f27d7475b3676fa0247f28b36e58b6fdf5\r\nMsg = b9ac624288352617e4d375f33953b431cbf8f03f9ecbda9893330ff2d3c59db8705dc3ba4a6ef924309630ac48765b10b1c02ec0669126d76602c95012fa2f77\r\nMac = 2cba4713\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 204\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = 8e0f75b7029d4afc2a86adb4a088b89ef9783965027c1176497ada0fdfd0cd99\r\nMsg = 21cd3ff946e2b3c1c61932205899502852b1333d1c79a3d4e5b6617996ffba17041e5b746ab967fb1632c7be62cbc2bbe60ecd5eec6ca4482424994f9a662cc6\r\nMac = b651d356\r\nResult = P\r\n\r\nCount = 205\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = 35b1106d174acce103ecf5801b03d3c10d579c4ee491ebad25fb6f1f1787e0c8\r\nMsg = 960026395d0544975dffaaa2c56db1df5816cd80cde513dc76f6f81d21f15c383c97c7233c9af2423fb28922efed2f69aa47c30de17ae1c5be17acbd0ad6cb8e\r\nMac = 8a8f65a8\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 206\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = 71efa75961dfd60ad533082a8cfe111214eb02573adc4591c5d0e961640a3ab2\r\nMsg = 6bafbd22b75e21e1fa5444af283e69d53ac2f0412f717a2153f74eb1c195fc5127d240dbc96d2833c9957920a55c505a016a05e4a7ee549bccdbbf1095502e93\r\nMac = 88fea081\r\nResult = F (1 - Message changed)\r\n\r\nCount = 207\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = 11752eb8aeffa364c9947092c1612461cc19b6c3a3ddd1817b5e6f7f3745a942\r\nMsg = 2d9109e7eea21b2615c81c03182ce6033c93783b13d698624392bd2a8a202bd0ffc860f29b31afa2f71c2bb85752c66ce8dbba244671288a4135ffe2e1a0209b\r\nMac = b5a26c1c\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 208\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = 279a6c226f6a48f3128626012baaa309d99065a59dc0a4c003a6e94d85e61638\r\nMsg = 9bff96ba07a52d9ea2415283321395cf57cb37c610fad7a482c74de9f5e3d7f520bf73d4a6fc8b5be023d774dd9680b6a7c68139c8a753a80d61c9978a493917\r\nMac = 5e281941\r\nResult = P\r\n\r\nCount = 209\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = 0bcdcaa87ddf8bbe6db8411d14bb9064e4a121286cc8a6e97fce1844935f436b\r\nMsg = 3ec0aa8d30d5ed825b77dc7095f421b1e608158797a377ff8bed641bd387832f7c14818cabf9bd5ced6044cdc883ff7296272be693660ab234b2d870ba170131\r\nMac = 1da79d07\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 210\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = 1b41d148e3c202d419ce16385139da196dede5be63987e6940a2bae86d62e567\r\nMsg = 13ecd70e2d76dd53a19b2e5fc0afe0c0793577ba8948b7d4ef3ab797a07a37927dbb33a18252b96f40e0f73a8d3298d67a6551f5854eb6a51019531a122ff8ae\r\nMac = 91bd49b2\r\nResult = F (1 - Message changed)\r\n\r\nCount = 211\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = a1ccc9c992c8a307ad39504854456696f8eafd7c8da0c0c53b3a4485570e985e\r\nMsg = f68b0c3b4556c7f8866b3fa873ed2014418d6421d3f224512e5dae8c2d8dd92175e09508acbcc66ae62d536260cf790671ef66a1bded0343ace4117c1b8d7764\r\nMac = b9317feb\r\nResult = P\r\n\r\nCount = 212\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = 4d8d0264ae6d8f7a7440dd760e0ded25a3a94cb0491fe81e7b55221ac8ed24f7\r\nMsg = 5faaf6b8ee8ed5b56bfc1a7f886f9f91a6566ceb99c39462ab675a3ae3be98f68787626fdf77e6243c2e96d1396a8a43417b1f6a51f7e5b0ffaeb889bce02c4b\r\nMac = 3f610010\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 213\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = bcf95051ae2ae84ac32a763d5477ccc4659a9ed3e25de5932939826dc90e2464\r\nMsg = fce924dd27db3e07837694c34f576c16084e5b0a254ca3af0582bf6026c73b47973ac924b02992490032cae987a887932539d3fa53cdfff711b03bd11ff464bb\r\nMac = 7b7e89ef\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 214\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = 45ce953ad31ee9b53a9c948883bc86f4bbe0f0744085a9943cbad1066cd7b4f3\r\nMsg = edb1aaa7e8ac37bca99ff8eff5516464aa33fc2bebef8a727d43abf971108bc604aef019c3837aa2f3d429f22fda1f305319a70d99ed77f902663298f855316f\r\nMac = cbf4addd\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 215\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = d60841cd71d7227ab56e767817760edba9ce2290f8da504b341ee2c1910b5018\r\nMsg = 365fea641559759d1e5b5581218486318b1c776de812b1aca6a9ba6b1c6e39c5cb6d5a44e3a474f709b8eac457e74f00a43ecd3d060cc7639696bd03730c70e7\r\nMac = 7406f935\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 216\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = d172f991eb697ffdefc57349dadbe51066d2744c39041cd55ca75024eead495d\r\nMsg = 6a91da64812b9bb41a026e727b4f77c384813da2948caed5a9846420c86a26b89f46b2fa6975b95d12452ca69bbfb65bc1c48a79d95c5e69ff4ab7316fe468e8\r\nMac = 6bd82bcc\r\nResult = F (1 - Message changed)\r\n\r\nCount = 217\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = 3725c7905bfaca415908c617b78f8deeeff286e0c2bba268d0de92c7664238a7\r\nMsg = fc4bbe329a86089ebe2a2f3320dad55a9bdac1133dd28ddc9ace9ed665885a2341ea9492d4cf4b7e1d0a95f308a9d613407b35b845cf515bbe7f2f35102d78a3\r\nMac = c8e11823\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 218\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = bb3087d1b5b0f6f14a532c3604c82874fb15e97a4b3883dfc50e71ffe5752d40\r\nMsg = 979a9f96112d1ea95eec2cdfdf48c55114472360aa7de24bb53761013af96b33f02b17ae470fece8aaf649d801b4040b7b5152f58a01e7852f565efc77b5dafe\r\nMac = 66466425\r\nResult = P\r\n\r\nCount = 219\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 4\r\nKey = eeb983439a03ee6a315ebf941e9368f90bb6845b03b31839d72a1946c17d2f19\r\nMsg = 6d5573c9279897d7d1602d8a95c04bb5ca3fad2dbe89a024b3651eb227e73bb559e7c0db08b215fd7efe64afcd24fb155989f2f8965d0e181389e6c4b8e244a9\r\nMac = 7f77d596\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 220\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = 6f0353a0ad95df6d3190a251435f62c30ed6b9cc0dd024c3c316565cad83d2e1\r\nMsg = 83011a83db0524628b55589ba0165523ce7c916465eaf185805b97ec7f00fc01b82a3e356a6bbb44f2f8deb6425239ac8e26d4d94871c5cf4fe7017c649672f4\r\nMac = 9e56e4574dd01fe8\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 221\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = 777a22c5fa2f864a9233587e3e9634172ce25006daacbba97b68e7429c8266a8\r\nMsg = 1f7d58d65c36142620172fda3197d3c629bc7bc584e1aaa0f8b6dd320588becaccc39ad124b515adeb941de49ac31c851c5172c4e1c322e42e13cb5ab7f8db2f\r\nMac = 498dafe2807ba34e\r\nResult = P\r\n\r\nCount = 222\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = e17736560b1a13aa8e536500ea6cdb9a6757309aadf25a6a9189055a309c3f8b\r\nMsg = 1a6b80d506147c3c02c89f50892bd1f04d34f9f21e8307140df43835d17495c56a13be7a045be5441de01d84ea19d579f76e9ffa0f92376b5b13c0eacd3050c9\r\nMac = 52d3fbc6e5821f1d\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 223\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = f31f2fb4b3fd8045b70d34b600a2697cbf7503be0d8cfb5cdc60f9312e3e2695\r\nMsg = 4f43702be4f0530319555d7f1a3356160f6cae48051f12e22a153d7e405c11494c31e6098e24225eb676094755c6d7e992ec0c8c1e2608e76a72d79d173a4e07\r\nMac = 71239a4c38fa04b3\r\nResult = F (1 - Message changed)\r\n\r\nCount = 224\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = 10a678f591b4d87280f42d77a91635575e2e82ef610a7c9105c3a9418f932c24\r\nMsg = f7b577f1396b23c27eb637e53d3d92460270b001cc612fd3b4d68bcdd09c2d50571ea4350636324cc2428a087e7bd8785f8202791e3c2d2bafe084a1204e34dd\r\nMac = 5b11c1407904c15e\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 225\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = b8728441226558fa9764824597fe254bf8c2623789541feaf6c007efeb0dd2b1\r\nMsg = 80a2be15809f12738f305be3a210ba0c933599c4b24b48257c60e8e3aae189dc6ec58ff1f9085a15405b26a3001a2ff5ff7e1932961490676c6d2cda8417979b\r\nMac = e73ed6c4f81b0ecd\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 226\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = 22a877d974cdf4d65bbd77958b2b77fc5ddb33a221aca3ecb6d5ae76596f9db4\r\nMsg = ce2ce41f76ca7477972d38a3e8fad1122db34ee80c379fa01f884cf648d1670445a8bfab8490563438c21537ac2dbfbcd7bb24a132d6973cc62ba14089adf7e5\r\nMac = 0ff91813a56b98dd\r\nResult = F (1 - Message",
+ " changed)\r\n\r\nCount = 227\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = 03fa02c4df99b8295f502e3145e2edd3ff16722b87092e708bc8d126cc1ec894\r\nMsg = ec9a9babb68e09c38617c9b16e8a2d92e711030bcda4b9e0ab35c4c2392b41692312dde30c91f32cd39cf5fe15ea0deaf3aa04a8157262acee78d7f94204d93a\r\nMac = e50d9a04f79cf9b4\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 228\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = 0e12df1bf17e9645c5507bc2069ca4611dc0488c9996231dbcee1c73393b26c4\r\nMsg = 86814ce4a867f80ce9b618c6aecce37c89851508bbb095c8f7c055f569c47a30f79abe5ec75f12b601298718d6f96ea1c1ebbe7c0cb0b7fb973ec5e6d5c6a713\r\nMac = 05338bce9ed8f495\r\nResult = P\r\n\r\nCount = 229\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = 51c88fd98a7d82043a1500fc3d8a66ba7ab7760467c7fd89cfeeb22dd25762a2\r\nMsg = 0e403cff47adee3ec5bb6b178dabfc7d53b60a04eaad33a2fedd9db705358a4c73ab2d982ddbbdc941f1c701d4cac89e5c56fbbe0f4170029ad25e931713ba63\r\nMac = 38c34175627b07e8\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 230\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = 0feb23c7e4a19bcbd70bd300d76ec9045d696f8c9687f49ec4154400e231d2f0\r\nMsg = 0330ed97e44e8b15a49f29c72a7997d05d398a9d45dae41a6cc635258beb824362124691e86cb7fea46e4ab85bdf79e4eb30c492770bf6f0c42ea9bde37a0c01\r\nMac = 271a7c2e687d84c5\r\nResult = P\r\n\r\nCount = 231\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = 5d649799771f9074d18a2477ccd4d9e136e01451c1eb2e8bb370cb79e0486770\r\nMsg = d715bc0520dbb86543e76fede49dc6be2cce59d3c0db133ff31efcb63a85514fe080da88fa1e788b9e73feb0503c4142bdc67386ac0bacf9311ecada23ca7be8\r\nMac = 42de9f52567b4506\r\nResult = F (1 - Message changed)\r\n\r\nCount = 232\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = 4c96d520d8d5a54eb73f8f558e328d1b3e5ba360161fb8444739a40a97a58a1b\r\nMsg = ee409b050346fbd319c8630e4bc9dd6d055355fbb961f018d3fda0c1eea6f61248f43709737fb18d4efc4faf34a96c2f73ece54200367292692e36870a0c94c5\r\nMac = 28610f524d88e727\r\nResult = F (2 - Key or Key2 changed)\r\n\r\nCount = 233\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = b186b9273d8cd77d68c05ec5389b2f6e2f267fe6cd6e7cb35a3233c0dfe0b1f4\r\nMsg = 0df3fc6396f851785fca9aa5ffb0cd98bdecf8bbae4c82641efcb34d319e7643ca9c5e22acbde800e0f700a95685c64ccf399173f9123438dc1181b676490cbf\r\nMac = 8d2f69b44614485a\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 234\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = 1b1374648d93aadb186326e4ca2b82fd37f7234712816fe4feb339a3a16880df\r\nMsg = 9a661677f1e07153e1c9c661c91901757f5b4d9938031f01a802773d6a9863b2a169c44be0d4546c4780e828ef37f3b389f84c1a41473131e9c88bcd530c7334\r\nMac = 72838b59593c011c\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 235\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = f70b8a4eee3518bba071af55f25f7b698a5b7dc8865cdaca6d1c7993657acc95\r\nMsg = 795ee1af7504621aac329f5081912de545fa11174f3979b14f11aa30df813a235b467fd8f3a14734fe5ac9e39105dcb25184673885cd19bc70ee5a53dd4e8149\r\nMac = 93542734d6cd43de\r\nResult = P\r\n\r\nCount = 236\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = 0c456d199abae4758734f506c4e9ccdb767e4fd156d5a4085726f3938a516d74\r\nMsg = 78f3bf568f1c3f2866eff8a246a70cf0faee4c3078f3fb27c4bdd53312bf50812bac2280118c0396e610b4110a22406084c18283a30ce7c0e49c769817170df9\r\nMac = c4c5be3c94fb7b9c\r\nResult = F (4 - Key or Key1 changed)\r\n\r\nCount = 237\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = 0a8725bd8c8eab9ed52ca47835837b9f00a6c8d834ab17105b01eb4eb30402e7\r\nMsg = d7867ff428c37836161a534d1d697fba43e86b0096c49b63d50afaf06ec772bda86eba7222796f087c5367d1547642b974d041cb496c5cf7984e8e126c9f741e\r\nMac = b5d40f8633965c33\r\nResult = F (3 - MAC changed)\r\n\r\nCount = 238\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = ce9ea80e7fb235486b5f1d0321c68a0e44cd5f15e21f27c402754a2f7c138772\r\nMsg = c246453f5d0f4957e6418b4d17b748f5c30e7ee672b4af2e4e41e145400be94056f4e94768871849fb44c1ee65378fce32d007e0c7ee5635453d4de6b0c2aa4b\r\nMac = 33ae4c66895989ee\r\nResult = F (1 - Message changed)\r\n\r\nCount = 239\r\nKlen = 32 \r\nMlen = 64\r\nTlen = 8\r\nKey = f26fad377bf7d6b35d8ea2e0621b678dad85826fadd3ee684d9215086b77e555\r\nMsg = 63539f949990883ac4f3ef9158b382a30254023c301de9fcd3cd4faa638a0ecb241a2573a9555a5c96da2435aa02c73cfc12c10f84b565bfdea9c6274bb8d67c\r\nMac = 8cda222f03f92913\r\nResult = F (2 - Key or Key2 changed)\r\n",
+};
static const size_t kLen42 = 155170;
static const char *kData42[] = {
@@ -4549,40 +4551,40 @@
if (strcmp(path, "crypto/curve25519/ed25519_tests.txt") == 0) {
return AssembleString(kData31, kLen31);
}
- if (strcmp(path, "crypto/cmac/cavp_3des_cmac_tests.txt") == 0) {
+ if (strcmp(path, "crypto/ecdh_extra/ecdh_tests.txt") == 0) {
return AssembleString(kData32, kLen32);
}
- if (strcmp(path, "crypto/cmac/cavp_aes128_cmac_tests.txt") == 0) {
+ if (strcmp(path, "crypto/evp/evp_tests.txt") == 0) {
return AssembleString(kData33, kLen33);
}
- if (strcmp(path, "crypto/cmac/cavp_aes192_cmac_tests.txt") == 0) {
+ if (strcmp(path, "crypto/evp/scrypt_tests.txt") == 0) {
return AssembleString(kData34, kLen34);
}
- if (strcmp(path, "crypto/cmac/cavp_aes256_cmac_tests.txt") == 0) {
+ if (strcmp(path, "crypto/fipsmodule/aes/aes_tests.txt") == 0) {
return AssembleString(kData35, kLen35);
}
- if (strcmp(path, "crypto/ecdh_extra/ecdh_tests.txt") == 0) {
+ if (strcmp(path, "crypto/fipsmodule/bn/bn_tests.txt") == 0) {
return AssembleString(kData36, kLen36);
}
- if (strcmp(path, "crypto/evp/evp_tests.txt") == 0) {
+ if (strcmp(path, "crypto/fipsmodule/bn/miller_rabin_tests.txt") == 0) {
return AssembleString(kData37, kLen37);
}
- if (strcmp(path, "crypto/evp/scrypt_tests.txt") == 0) {
+ if (strcmp(path, "crypto/fipsmodule/cmac/cavp_3des_cmac_tests.txt") == 0) {
return AssembleString(kData38, kLen38);
}
- if (strcmp(path, "crypto/fipsmodule/aes/aes_tests.txt") == 0) {
+ if (strcmp(path, "crypto/fipsmodule/cmac/cavp_aes128_cmac_tests.txt") == 0) {
return AssembleString(kData39, kLen39);
}
- if (strcmp(path, "crypto/fipsmodule/bn/bn_tests.txt") == 0) {
+ if (strcmp(path, "crypto/fipsmodule/cmac/cavp_aes192_cmac_tests.txt") == 0) {
return AssembleString(kData40, kLen40);
}
- if (strcmp(path, "crypto/fipsmodule/bn/miller_rabin_tests.txt") == 0) {
+ if (strcmp(path, "crypto/fipsmodule/cmac/cavp_aes256_cmac_tests.txt") == 0) {
return AssembleString(kData41, kLen41);
}
if (strcmp(path, "crypto/fipsmodule/ec/ec_scalar_base_mult_tests.txt") == 0) {
return AssembleString(kData42, kLen42);
}
- if (strcmp(path, "crypto/fipsmodule/ec/p256-x86_64_tests.txt") == 0) {
+ if (strcmp(path, "crypto/fipsmodule/ec/p256-nistz_tests.txt") == 0) {
return AssembleString(kData43, kLen43);
}
if (strcmp(path, "crypto/fipsmodule/ecdsa/ecdsa_sign_tests.txt") == 0) {
diff --git a/err_data.c b/err_data.c
index ec391d5..04b265d 100644
--- a/err_data.c
+++ b/err_data.c
@@ -76,54 +76,54 @@
0xc3b00f7,
0xc3b8921,
0x10320892,
- 0x10329608,
- 0x10331614,
- 0x1033962d,
- 0x10341640,
+ 0x10329620,
+ 0x1033162c,
+ 0x10339645,
+ 0x10341658,
0x10348f72,
0x10350cab,
- 0x10359653,
- 0x1036167d,
- 0x10369690,
- 0x103716af,
- 0x103796c8,
- 0x103816dd,
- 0x103896fb,
- 0x1039170a,
- 0x10399726,
- 0x103a1741,
- 0x103a9750,
- 0x103b176c,
- 0x103b9787,
- 0x103c17ad,
+ 0x1035966b,
+ 0x10361695,
+ 0x103696a8,
+ 0x103716c7,
+ 0x103796e0,
+ 0x103816f5,
+ 0x10389713,
+ 0x10391722,
+ 0x1039973e,
+ 0x103a1759,
+ 0x103a9768,
+ 0x103b1784,
+ 0x103b979f,
+ 0x103c17c5,
0x103c80f7,
- 0x103d17be,
- 0x103d97d2,
- 0x103e17f1,
- 0x103e9800,
- 0x103f1817,
- 0x103f982a,
+ 0x103d17d6,
+ 0x103d97ea,
+ 0x103e1809,
+ 0x103e9818,
+ 0x103f182f,
+ 0x103f9842,
0x10400c6f,
- 0x1040983d,
- 0x1041185b,
- 0x1041986e,
- 0x10421888,
- 0x10429898,
- 0x104318ac,
- 0x104398c2,
- 0x104418da,
- 0x104498ef,
- 0x10451903,
- 0x10459915,
+ 0x10409855,
+ 0x10411873,
+ 0x10419886,
+ 0x104218a0,
+ 0x104298b0,
+ 0x104318c4,
+ 0x104398da,
+ 0x104418f2,
+ 0x10449907,
+ 0x1045191b,
+ 0x1045992d,
0x10460635,
0x1046899a,
- 0x1047192a,
- 0x10479941,
- 0x10481956,
- 0x10489964,
+ 0x10471942,
+ 0x10479959,
+ 0x1048196e,
+ 0x1048997c,
0x10490ebe,
- 0x1049979e,
- 0x104a1668,
+ 0x104997b6,
+ 0x104a1680,
0x14320c52,
0x14328c60,
0x14330c6f,
@@ -193,50 +193,50 @@
0x283480b9,
0x283500f7,
0x28358cb7,
- 0x2c3232a7,
+ 0x2c3232bf,
0x2c329351,
- 0x2c3332b5,
- 0x2c33b2c7,
- 0x2c3432db,
- 0x2c34b2ed,
- 0x2c353308,
- 0x2c35b31a,
- 0x2c36334a,
+ 0x2c3332cd,
+ 0x2c33b2df,
+ 0x2c3432f3,
+ 0x2c34b305,
+ 0x2c353320,
+ 0x2c35b332,
+ 0x2c363362,
0x2c36833a,
- 0x2c373357,
- 0x2c37b383,
- 0x2c3833a8,
- 0x2c38b3bf,
- 0x2c3933dd,
- 0x2c39b3ed,
- 0x2c3a33ff,
- 0x2c3ab413,
- 0x2c3b3424,
- 0x2c3bb443,
+ 0x2c37336f,
+ 0x2c37b39b,
+ 0x2c3833c0,
+ 0x2c38b3d7,
+ 0x2c3933f5,
+ 0x2c39b405,
+ 0x2c3a3417,
+ 0x2c3ab42b,
+ 0x2c3b343c,
+ 0x2c3bb45b,
0x2c3c1363,
0x2c3c9379,
- 0x2c3d3488,
+ 0x2c3d34a0,
0x2c3d9392,
- 0x2c3e34b2,
- 0x2c3eb4c0,
- 0x2c3f34d8,
- 0x2c3fb4f0,
- 0x2c40351a,
+ 0x2c3e34ca,
+ 0x2c3eb4d8,
+ 0x2c3f34f0,
+ 0x2c3fb508,
+ 0x2c403532,
0x2c409264,
- 0x2c41352b,
- 0x2c41b53e,
+ 0x2c413543,
+ 0x2c41b556,
0x2c42122a,
- 0x2c42b54f,
+ 0x2c42b567,
0x2c43076d,
- 0x2c43b435,
- 0x2c443396,
- 0x2c44b4fd,
- 0x2c45332d,
- 0x2c45b369,
- 0x2c4633cd,
- 0x2c46b457,
- 0x2c47346c,
- 0x2c47b4a5,
+ 0x2c43b44d,
+ 0x2c4433ae,
+ 0x2c44b515,
+ 0x2c453345,
+ 0x2c45b381,
+ 0x2c4633e5,
+ 0x2c46b46f,
+ 0x2c473484,
+ 0x2c47b4bd,
0x30320000,
0x30328015,
0x3033001f,
@@ -375,261 +375,261 @@
0x3c418db2,
0x3c420ebe,
0x3c428e48,
- 0x403219f6,
- 0x40329a0c,
- 0x40331a3a,
- 0x40339a44,
- 0x40341a5b,
- 0x40349a79,
- 0x40351a89,
- 0x40359a9b,
- 0x40361aa8,
- 0x40369ab4,
- 0x40371ac9,
- 0x40379adb,
- 0x40381ae6,
- 0x40389af8,
+ 0x40321a0e,
+ 0x40329a24,
+ 0x40331a52,
+ 0x40339a5c,
+ 0x40341a73,
+ 0x40349a91,
+ 0x40351aa1,
+ 0x40359ab3,
+ 0x40361ac0,
+ 0x40369acc,
+ 0x40371ae1,
+ 0x40379af3,
+ 0x40381afe,
+ 0x40389b10,
0x40390f72,
- 0x40399b08,
- 0x403a1b1b,
- 0x403a9b3c,
- 0x403b1b4d,
- 0x403b9b5d,
+ 0x40399b20,
+ 0x403a1b33,
+ 0x403a9b54,
+ 0x403b1b65,
+ 0x403b9b75,
0x403c0071,
0x403c8090,
- 0x403d1bbe,
- 0x403d9bd4,
- 0x403e1be3,
- 0x403e9c1b,
- 0x403f1c35,
- 0x403f9c5d,
- 0x40401c72,
- 0x40409c86,
- 0x40411cc1,
- 0x40419cdc,
- 0x40421cf5,
- 0x40429d08,
- 0x40431d1c,
- 0x40439d4a,
- 0x40441d61,
+ 0x403d1bd6,
+ 0x403d9bec,
+ 0x403e1bfb,
+ 0x403e9c33,
+ 0x403f1c4d,
+ 0x403f9c75,
+ 0x40401c8a,
+ 0x40409c9e,
+ 0x40411cd9,
+ 0x40419cf4,
+ 0x40421d0d,
+ 0x40429d20,
+ 0x40431d34,
+ 0x40439d62,
+ 0x40441d79,
0x404480b9,
- 0x40451d76,
- 0x40459d88,
- 0x40461dac,
- 0x40469dcc,
- 0x40471dda,
- 0x40479e01,
- 0x40481e72,
- 0x40489f2c,
- 0x40491f43,
- 0x40499f5d,
- 0x404a1f74,
- 0x404a9f92,
- 0x404b1faa,
- 0x404b9fd7,
- 0x404c1fed,
- 0x404c9fff,
- 0x404d2020,
- 0x404da059,
- 0x404e206d,
- 0x404ea07a,
- 0x404f2114,
- 0x404fa18a,
- 0x405021f9,
- 0x4050a20d,
- 0x40512240,
- 0x40522250,
- 0x4052a274,
- 0x4053228c,
- 0x4053a29f,
- 0x405422b4,
- 0x4054a2d7,
- 0x40552302,
- 0x4055a33f,
- 0x40562364,
- 0x4056a37d,
- 0x40572395,
- 0x4057a3a8,
- 0x405823bd,
- 0x4058a3e4,
- 0x40592413,
- 0x4059a440,
- 0x405a2454,
- 0x405aa464,
- 0x405b247c,
- 0x405ba48d,
- 0x405c24a0,
- 0x405ca4df,
- 0x405d24ec,
- 0x405da511,
- 0x405e254f,
+ 0x40451d8e,
+ 0x40459da0,
+ 0x40461dc4,
+ 0x40469de4,
+ 0x40471df2,
+ 0x40479e19,
+ 0x40481e8a,
+ 0x40489f44,
+ 0x40491f5b,
+ 0x40499f75,
+ 0x404a1f8c,
+ 0x404a9faa,
+ 0x404b1fc2,
+ 0x404b9fef,
+ 0x404c2005,
+ 0x404ca017,
+ 0x404d2038,
+ 0x404da071,
+ 0x404e2085,
+ 0x404ea092,
+ 0x404f212c,
+ 0x404fa1a2,
+ 0x40502211,
+ 0x4050a225,
+ 0x40512258,
+ 0x40522268,
+ 0x4052a28c,
+ 0x405322a4,
+ 0x4053a2b7,
+ 0x405422cc,
+ 0x4054a2ef,
+ 0x4055231a,
+ 0x4055a357,
+ 0x4056237c,
+ 0x4056a395,
+ 0x405723ad,
+ 0x4057a3c0,
+ 0x405823d5,
+ 0x4058a3fc,
+ 0x4059242b,
+ 0x4059a458,
+ 0x405a246c,
+ 0x405aa47c,
+ 0x405b2494,
+ 0x405ba4a5,
+ 0x405c24b8,
+ 0x405ca4f7,
+ 0x405d2504,
+ 0x405da529,
+ 0x405e2567,
0x405e8afe,
- 0x405f2570,
- 0x405fa57d,
- 0x4060258b,
- 0x4060a5ad,
- 0x4061260e,
- 0x4061a646,
- 0x4062265d,
- 0x4062a66e,
- 0x406326bb,
- 0x4063a6d0,
- 0x406426e7,
- 0x4064a713,
- 0x4065272e,
- 0x4065a745,
- 0x4066275d,
- 0x4066a787,
- 0x406727b2,
- 0x4067a7f7,
- 0x4068283f,
- 0x4068a860,
- 0x40692892,
- 0x4069a8c0,
- 0x406a28e1,
- 0x406aa901,
- 0x406b2a89,
- 0x406baaac,
- 0x406c2ac2,
- 0x406cadcc,
- 0x406d2dfb,
- 0x406dae23,
- 0x406e2e51,
- 0x406eae9e,
- 0x406f2ef7,
- 0x406faf2f,
- 0x40702f42,
- 0x4070af5f,
+ 0x405f2588,
+ 0x405fa595,
+ 0x406025a3,
+ 0x4060a5c5,
+ 0x40612626,
+ 0x4061a65e,
+ 0x40622675,
+ 0x4062a686,
+ 0x406326d3,
+ 0x4063a6e8,
+ 0x406426ff,
+ 0x4064a72b,
+ 0x40652746,
+ 0x4065a75d,
+ 0x40662775,
+ 0x4066a79f,
+ 0x406727ca,
+ 0x4067a80f,
+ 0x40682857,
+ 0x4068a878,
+ 0x406928aa,
+ 0x4069a8d8,
+ 0x406a28f9,
+ 0x406aa919,
+ 0x406b2aa1,
+ 0x406baac4,
+ 0x406c2ada,
+ 0x406cade4,
+ 0x406d2e13,
+ 0x406dae3b,
+ 0x406e2e69,
+ 0x406eaeb6,
+ 0x406f2f0f,
+ 0x406faf47,
+ 0x40702f5a,
+ 0x4070af77,
0x4071084d,
- 0x4071af71,
- 0x40722f84,
- 0x4072afba,
- 0x40732fd2,
- 0x40739563,
- 0x40742fe6,
- 0x4074b000,
- 0x40753011,
- 0x4075b025,
- 0x40763033,
+ 0x4071af89,
+ 0x40722f9c,
+ 0x4072afd2,
+ 0x40732fea,
+ 0x4073957b,
+ 0x40742ffe,
+ 0x4074b018,
+ 0x40753029,
+ 0x4075b03d,
+ 0x4076304b,
0x40769327,
- 0x40773058,
- 0x4077b098,
- 0x407830b3,
- 0x4078b0ec,
- 0x40793103,
- 0x4079b119,
- 0x407a3145,
- 0x407ab158,
- 0x407b316d,
- 0x407bb17f,
- 0x407c31b0,
- 0x407cb1b9,
- 0x407d287b,
- 0x407da1b2,
- 0x407e30c8,
- 0x407ea3f4,
- 0x407f1dee,
- 0x407f9fc1,
- 0x40802124,
- 0x40809e16,
- 0x40812262,
- 0x4081a0c8,
- 0x40822e3c,
- 0x40829b69,
- 0x408323cf,
- 0x4083a6f8,
- 0x40841e2a,
- 0x4084a42c,
- 0x408524b1,
- 0x4085a5d5,
- 0x40862531,
- 0x4086a1cc,
- 0x40872e82,
- 0x4087a623,
- 0x40881ba7,
- 0x4088a80a,
- 0x40891bf6,
- 0x40899b83,
- 0x408a2afa,
- 0x408a997b,
- 0x408b3194,
- 0x408baf0c,
- 0x408c24c1,
- 0x408c99b3,
- 0x408d1f12,
- 0x408d9e5c,
- 0x408e2042,
- 0x408ea31f,
- 0x408f281e,
- 0x408fa5f1,
- 0x409027d3,
- 0x4090a503,
- 0x40912ae2,
- 0x409199d9,
- 0x40921c43,
- 0x4092aebd,
- 0x40932f9d,
- 0x4093a1dd,
- 0x40941e3e,
- 0x4094ab13,
- 0x4095267f,
- 0x4095b125,
- 0x40962e69,
- 0x4096a13d,
- 0x40972228,
- 0x4097a091,
- 0x40981ca3,
- 0x4098a693,
- 0x40992ed9,
- 0x4099a34c,
- 0x409a22e5,
- 0x409a9997,
- 0x409b1e98,
- 0x409b9ec3,
- 0x409c307a,
- 0x409c9eeb,
- 0x409d20f9,
- 0x409da0de,
- 0x409e1d34,
- 0x409ea172,
- 0x409f215a,
- 0x409f9e8b,
- 0x40a0219a,
- 0x40a0a0ab,
- 0x41f429b4,
- 0x41f92a46,
- 0x41fe2939,
- 0x41feabef,
- 0x41ff2d1d,
- 0x420329cd,
- 0x420829ef,
- 0x4208aa2b,
- 0x4209291d,
- 0x4209aa65,
- 0x420a2974,
- 0x420aa954,
- 0x420b2994,
- 0x420baa0d,
- 0x420c2d39,
- 0x420cab23,
- 0x420d2bd6,
- 0x420dac0d,
- 0x42122c40,
- 0x42172d00,
- 0x4217ac82,
- 0x421c2ca4,
- 0x421f2c5f,
- 0x42212db1,
- 0x42262ce3,
- 0x422b2d8f,
- 0x422babb1,
- 0x422c2d71,
- 0x422cab64,
- 0x422d2b3d,
- 0x422dad50,
- 0x422e2b90,
- 0x42302cbf,
- 0x4230ac27,
+ 0x40773070,
+ 0x4077b0b0,
+ 0x407830cb,
+ 0x4078b104,
+ 0x4079311b,
+ 0x4079b131,
+ 0x407a315d,
+ 0x407ab170,
+ 0x407b3185,
+ 0x407bb197,
+ 0x407c31c8,
+ 0x407cb1d1,
+ 0x407d2893,
+ 0x407da1ca,
+ 0x407e30e0,
+ 0x407ea40c,
+ 0x407f1e06,
+ 0x407f9fd9,
+ 0x4080213c,
+ 0x40809e2e,
+ 0x4081227a,
+ 0x4081a0e0,
+ 0x40822e54,
+ 0x40829b81,
+ 0x408323e7,
+ 0x4083a710,
+ 0x40841e42,
+ 0x4084a444,
+ 0x408524c9,
+ 0x4085a5ed,
+ 0x40862549,
+ 0x4086a1e4,
+ 0x40872e9a,
+ 0x4087a63b,
+ 0x40881bbf,
+ 0x4088a822,
+ 0x40891c0e,
+ 0x40899b9b,
+ 0x408a2b12,
+ 0x408a9993,
+ 0x408b31ac,
+ 0x408baf24,
+ 0x408c24d9,
+ 0x408c99cb,
+ 0x408d1f2a,
+ 0x408d9e74,
+ 0x408e205a,
+ 0x408ea337,
+ 0x408f2836,
+ 0x408fa609,
+ 0x409027eb,
+ 0x4090a51b,
+ 0x40912afa,
+ 0x409199f1,
+ 0x40921c5b,
+ 0x4092aed5,
+ 0x40932fb5,
+ 0x4093a1f5,
+ 0x40941e56,
+ 0x4094ab2b,
+ 0x40952697,
+ 0x4095b13d,
+ 0x40962e81,
+ 0x4096a155,
+ 0x40972240,
+ 0x4097a0a9,
+ 0x40981cbb,
+ 0x4098a6ab,
+ 0x40992ef1,
+ 0x4099a364,
+ 0x409a22fd,
+ 0x409a99af,
+ 0x409b1eb0,
+ 0x409b9edb,
+ 0x409c3092,
+ 0x409c9f03,
+ 0x409d2111,
+ 0x409da0f6,
+ 0x409e1d4c,
+ 0x409ea18a,
+ 0x409f2172,
+ 0x409f9ea3,
+ 0x40a021b2,
+ 0x40a0a0c3,
+ 0x41f429cc,
+ 0x41f92a5e,
+ 0x41fe2951,
+ 0x41feac07,
+ 0x41ff2d35,
+ 0x420329e5,
+ 0x42082a07,
+ 0x4208aa43,
+ 0x42092935,
+ 0x4209aa7d,
+ 0x420a298c,
+ 0x420aa96c,
+ 0x420b29ac,
+ 0x420baa25,
+ 0x420c2d51,
+ 0x420cab3b,
+ 0x420d2bee,
+ 0x420dac25,
+ 0x42122c58,
+ 0x42172d18,
+ 0x4217ac9a,
+ 0x421c2cbc,
+ 0x421f2c77,
+ 0x42212dc9,
+ 0x42262cfb,
+ 0x422b2da7,
+ 0x422babc9,
+ 0x422c2d89,
+ 0x422cab7c,
+ 0x422d2b55,
+ 0x422dad68,
+ 0x422e2ba8,
+ 0x42302cd7,
+ 0x4230ac3f,
0x44320778,
0x44328787,
0x44330793,
@@ -651,104 +651,105 @@
0x48329363,
0x48331379,
0x48339392,
- 0x4c3213b7,
- 0x4c3293c7,
- 0x4c3313da,
- 0x4c3393fa,
+ 0x4c3213cf,
+ 0x4c3293df,
+ 0x4c3313f2,
+ 0x4c339412,
0x4c3400b9,
0x4c3480f7,
- 0x4c351406,
- 0x4c359414,
- 0x4c361430,
- 0x4c369456,
- 0x4c371465,
- 0x4c379473,
- 0x4c381488,
- 0x4c389494,
- 0x4c3914b4,
- 0x4c3994de,
- 0x4c3a14f7,
- 0x4c3a9510,
+ 0x4c35141e,
+ 0x4c35942c,
+ 0x4c361448,
+ 0x4c36946e,
+ 0x4c37147d,
+ 0x4c37948b,
+ 0x4c3814a0,
+ 0x4c3894ac,
+ 0x4c3914cc,
+ 0x4c3994f6,
+ 0x4c3a150f,
+ 0x4c3a9528,
0x4c3b0635,
- 0x4c3b9529,
- 0x4c3c153b,
- 0x4c3c954a,
- 0x4c3d1563,
+ 0x4c3b9541,
+ 0x4c3c1553,
+ 0x4c3c9562,
+ 0x4c3d157b,
0x4c3d8c92,
- 0x4c3e15d0,
- 0x4c3e9572,
- 0x4c3f15f2,
+ 0x4c3e15e8,
+ 0x4c3e958a,
+ 0x4c3f160a,
0x4c3f9327,
- 0x4c401588,
- 0x4c4093a3,
- 0x4c4115c0,
- 0x4c419443,
- 0x4c4215ac,
- 0x50323561,
- 0x5032b570,
- 0x5033357b,
- 0x5033b58b,
- 0x503435a4,
- 0x5034b5be,
- 0x503535cc,
- 0x5035b5e2,
- 0x503635f4,
- 0x5036b60a,
- 0x50373623,
- 0x5037b636,
- 0x5038364e,
- 0x5038b65f,
- 0x50393674,
- 0x5039b688,
- 0x503a36a8,
- 0x503ab6be,
- 0x503b36d6,
- 0x503bb6e8,
- 0x503c3704,
- 0x503cb71b,
- 0x503d3734,
- 0x503db74a,
- 0x503e3757,
- 0x503eb76d,
- 0x503f377f,
+ 0x4c4015a0,
+ 0x4c4093bb,
+ 0x4c4115d8,
+ 0x4c41945b,
+ 0x4c4215c4,
+ 0x4c4293a3,
+ 0x50323579,
+ 0x5032b588,
+ 0x50333593,
+ 0x5033b5a3,
+ 0x503435bc,
+ 0x5034b5d6,
+ 0x503535e4,
+ 0x5035b5fa,
+ 0x5036360c,
+ 0x5036b622,
+ 0x5037363b,
+ 0x5037b64e,
+ 0x50383666,
+ 0x5038b677,
+ 0x5039368c,
+ 0x5039b6a0,
+ 0x503a36c0,
+ 0x503ab6d6,
+ 0x503b36ee,
+ 0x503bb700,
+ 0x503c371c,
+ 0x503cb733,
+ 0x503d374c,
+ 0x503db762,
+ 0x503e376f,
+ 0x503eb785,
+ 0x503f3797,
0x503f83b3,
- 0x50403792,
- 0x5040b7a2,
- 0x504137bc,
- 0x5041b7cb,
- 0x504237e5,
- 0x5042b802,
- 0x50433812,
- 0x5043b822,
- 0x5044383f,
+ 0x504037aa,
+ 0x5040b7ba,
+ 0x504137d4,
+ 0x5041b7e3,
+ 0x504237fd,
+ 0x5042b81a,
+ 0x5043382a,
+ 0x5043b83a,
+ 0x50443857,
0x50448469,
- 0x50453853,
- 0x5045b871,
- 0x50463884,
- 0x5046b89a,
- 0x504738ac,
- 0x5047b8c1,
- 0x504838e7,
- 0x5048b8f5,
- 0x50493908,
- 0x5049b91d,
- 0x504a3933,
- 0x504ab943,
- 0x504b3963,
- 0x504bb976,
- 0x504c3999,
- 0x504cb9c7,
- 0x504d39f4,
- 0x504dba11,
- 0x504e3a2c,
- 0x504eba48,
- 0x504f3a5a,
- 0x504fba71,
- 0x50503a80,
+ 0x5045386b,
+ 0x5045b889,
+ 0x5046389c,
+ 0x5046b8b2,
+ 0x504738c4,
+ 0x5047b8d9,
+ 0x504838ff,
+ 0x5048b90d,
+ 0x50493920,
+ 0x5049b935,
+ 0x504a394b,
+ 0x504ab95b,
+ 0x504b397b,
+ 0x504bb98e,
+ 0x504c39b1,
+ 0x504cb9df,
+ 0x504d3a0c,
+ 0x504dba29,
+ 0x504e3a44,
+ 0x504eba60,
+ 0x504f3a72,
+ 0x504fba89,
+ 0x50503a98,
0x50508729,
- 0x50513a93,
- 0x5051b831,
- 0x505239d9,
+ 0x50513aab,
+ 0x5051b849,
+ 0x505239f1,
0x58320fb0,
0x68320f72,
0x68328cca,
@@ -790,21 +791,21 @@
0x783e0aed,
0x783e8a9f,
0x7c321240,
- 0x80321456,
+ 0x8032146e,
0x80328090,
- 0x80333276,
+ 0x8033328e,
0x803380b9,
- 0x80343285,
- 0x8034b1ed,
- 0x8035320b,
- 0x8035b299,
- 0x8036324d,
- 0x8036b1fc,
- 0x8037323f,
- 0x8037b1da,
- 0x80383260,
- 0x8038b21c,
- 0x80393231,
+ 0x8034329d,
+ 0x8034b205,
+ 0x80353223,
+ 0x8035b2b1,
+ 0x80363265,
+ 0x8036b214,
+ 0x80373257,
+ 0x8037b1f2,
+ 0x80383278,
+ 0x8038b234,
+ 0x80393249,
};
const size_t kOpenSSLReasonValuesLen = sizeof(kOpenSSLReasonValues) / sizeof(kOpenSSLReasonValues[0]);
@@ -1073,6 +1074,7 @@
"NOT_PKCS7_SIGNED_DATA\0"
"NO_CERTIFICATES_INCLUDED\0"
"NO_CRLS_INCLUDED\0"
+ "AMBIGUOUS_FRIENDLY_NAME\0"
"BAD_ITERATION_COUNT\0"
"BAD_PKCS12_DATA\0"
"BAD_PKCS12_VERSION\0"
diff --git a/eureka.mk b/eureka.mk
index 9b500f8..8fc507c 100644
--- a/eureka.mk
+++ b/eureka.mk
@@ -68,7 +68,6 @@
src/crypto/chacha/chacha.c\
src/crypto/cipher_extra/cipher_extra.c\
src/crypto/cipher_extra/derive_key.c\
- src/crypto/cipher_extra/e_aesccm.c\
src/crypto/cipher_extra/e_aesctrhmac.c\
src/crypto/cipher_extra/e_aesgcmsiv.c\
src/crypto/cipher_extra/e_chacha20poly1305.c\
@@ -78,7 +77,6 @@
src/crypto/cipher_extra/e_rc4.c\
src/crypto/cipher_extra/e_tls.c\
src/crypto/cipher_extra/tls_cbc.c\
- src/crypto/cmac/cmac.c\
src/crypto/conf/conf.c\
src/crypto/cpu_aarch64_apple.c\
src/crypto/cpu_aarch64_fuchsia.c\
@@ -104,7 +102,6 @@
src/crypto/ecdsa_extra/ecdsa_asn1.c\
src/crypto/engine/engine.c\
src/crypto/err/err.c\
- src/crypto/evp/digestsign.c\
src/crypto/evp/evp.c\
src/crypto/evp/evp_asn1.c\
src/crypto/evp/evp_ctx.c\
@@ -308,10 +305,13 @@
linux_aarch64_sources := \
linux-aarch64/crypto/chacha/chacha-armv8.S\
+ linux-aarch64/crypto/cipher_extra/chacha20_poly1305_armv8.S\
linux-aarch64/crypto/fipsmodule/aesv8-armx64.S\
linux-aarch64/crypto/fipsmodule/armv8-mont.S\
linux-aarch64/crypto/fipsmodule/ghash-neon-armv8.S\
linux-aarch64/crypto/fipsmodule/ghashv8-armx64.S\
+ linux-aarch64/crypto/fipsmodule/p256-armv8-asm.S\
+ linux-aarch64/crypto/fipsmodule/p256_beeu-armv8-asm.S\
linux-aarch64/crypto/fipsmodule/sha1-armv8.S\
linux-aarch64/crypto/fipsmodule/sha256-armv8.S\
linux-aarch64/crypto/fipsmodule/sha512-armv8.S\
diff --git a/linux-aarch64/crypto/cipher_extra/chacha20_poly1305_armv8.S b/linux-aarch64/crypto/cipher_extra/chacha20_poly1305_armv8.S
new file mode 100644
index 0000000..4aeaa06
--- /dev/null
+++ b/linux-aarch64/crypto/cipher_extra/chacha20_poly1305_armv8.S
@@ -0,0 +1,3020 @@
+// This file is generated from a similarly-named Perl script in the BoringSSL
+// source tree. Do not edit by hand.
+
+#if !defined(__has_feature)
+#define __has_feature(x) 0
+#endif
+#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM)
+#define OPENSSL_NO_ASM
+#endif
+
+#if !defined(OPENSSL_NO_ASM)
+#if defined(__aarch64__)
+#if defined(BORINGSSL_PREFIX)
+#include <boringssl_prefix_symbols_asm.h>
+#endif
+#include <openssl/arm_arch.h>
+.section .rodata
+
+.align 7
+.Lchacha20_consts:
+.byte 'e','x','p','a','n','d',' ','3','2','-','b','y','t','e',' ','k'
+.Linc:
+.long 1,2,3,4
+.Lrol8:
+.byte 3,0,1,2, 7,4,5,6, 11,8,9,10, 15,12,13,14
+.Lclamp:
+.quad 0x0FFFFFFC0FFFFFFF, 0x0FFFFFFC0FFFFFFC
+
+.text
+
+.type .Lpoly_hash_ad_internal,%function
+.align 6
+.Lpoly_hash_ad_internal:
+.cfi_startproc
+ cbnz x4, .Lpoly_hash_intro
+ ret
+
+.Lpoly_hash_intro:
+ cmp x4, #16
+ b.lt .Lpoly_hash_ad_tail
+ ldp x11, x12, [x3], 16
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ sub x4, x4, #16
+ b .Lpoly_hash_ad_internal
+
+.Lpoly_hash_ad_tail:
+ cbz x4, .Lpoly_hash_ad_ret
+
+ eor v20.16b, v20.16b, v20.16b // Use T0 to load the AAD
+ sub x4, x4, #1
+
+.Lpoly_hash_tail_16_compose:
+ ext v20.16b, v20.16b, v20.16b, #15
+ ldrb w11, [x3, x4]
+ mov v20.b[0], w11
+ subs x4, x4, #1
+ b.ge .Lpoly_hash_tail_16_compose
+ mov x11, v20.d[0]
+ mov x12, v20.d[1]
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+
+.Lpoly_hash_ad_ret:
+ ret
+.cfi_endproc
+.size .Lpoly_hash_ad_internal, .-.Lpoly_hash_ad_internal
+
+/////////////////////////////////
+//
+// void chacha20_poly1305_seal(uint8_t *pt, uint8_t *ct, size_t len_in, uint8_t *ad, size_t len_ad, union open_data *seal_data);
+//
+.globl chacha20_poly1305_seal
+.hidden chacha20_poly1305_seal
+.type chacha20_poly1305_seal,%function
+.align 6
+chacha20_poly1305_seal:
+ AARCH64_SIGN_LINK_REGISTER
+.cfi_startproc
+ stp x29, x30, [sp, #-80]!
+.cfi_def_cfa_offset 80
+.cfi_offset w30, -72
+.cfi_offset w29, -80
+ mov x29, sp
+# We probably could do .cfi_def_cfa w29, 80 at this point, but since
+# we don't actually use the frame pointer like that, it's probably not
+# worth bothering.
+ stp d8, d9, [sp, #16]
+ stp d10, d11, [sp, #32]
+ stp d12, d13, [sp, #48]
+ stp d14, d15, [sp, #64]
+.cfi_offset b15, -8
+.cfi_offset b14, -16
+.cfi_offset b13, -24
+.cfi_offset b12, -32
+.cfi_offset b11, -40
+.cfi_offset b10, -48
+.cfi_offset b9, -56
+.cfi_offset b8, -64
+
+ adrp x11, .Lchacha20_consts
+ add x11, x11, :lo12:.Lchacha20_consts
+
+ ld1 {v24.16b - v27.16b}, [x11] // .Load the CONSTS, INC, ROL8 and CLAMP values
+ ld1 {v28.16b - v30.16b}, [x5]
+
+ mov x15, #1 // Prepare the Poly1305 state
+ mov x8, #0
+ mov x9, #0
+ mov x10, #0
+
+ ldr x12, [x5, #56] // The total cipher text length includes extra_in_len
+ add x12, x12, x2
+ mov v31.d[0], x4 // Store the input and aad lengths
+ mov v31.d[1], x12
+
+ cmp x2, #128
+ b.le .Lseal_128 // Optimization for smaller buffers
+
+ // Initially we prepare 5 ChaCha20 blocks. Four to encrypt up to 4 blocks (256 bytes) of plaintext,
+ // and one for the Poly1305 R and S keys. The first four blocks (A0-A3..D0-D3) are computed vertically,
+ // the fifth block (A4-D4) horizontally.
+ ld4r {v0.4s,v1.4s,v2.4s,v3.4s}, [x11]
+ mov v4.16b, v24.16b
+
+ ld4r {v5.4s,v6.4s,v7.4s,v8.4s}, [x5], #16
+ mov v9.16b, v28.16b
+
+ ld4r {v10.4s,v11.4s,v12.4s,v13.4s}, [x5], #16
+ mov v14.16b, v29.16b
+
+ ld4r {v15.4s,v16.4s,v17.4s,v18.4s}, [x5]
+ add v15.4s, v15.4s, v25.4s
+ mov v19.16b, v30.16b
+
+ sub x5, x5, #32
+
+ mov x6, #10
+
+.align 5
+.Lseal_init_rounds:
+ add v0.4s, v0.4s, v5.4s
+ add v1.4s, v1.4s, v6.4s
+ add v2.4s, v2.4s, v7.4s
+ add v3.4s, v3.4s, v8.4s
+ add v4.4s, v4.4s, v9.4s
+
+ eor v15.16b, v15.16b, v0.16b
+ eor v16.16b, v16.16b, v1.16b
+ eor v17.16b, v17.16b, v2.16b
+ eor v18.16b, v18.16b, v3.16b
+ eor v19.16b, v19.16b, v4.16b
+
+ rev32 v15.8h, v15.8h
+ rev32 v16.8h, v16.8h
+ rev32 v17.8h, v17.8h
+ rev32 v18.8h, v18.8h
+ rev32 v19.8h, v19.8h
+
+ add v10.4s, v10.4s, v15.4s
+ add v11.4s, v11.4s, v16.4s
+ add v12.4s, v12.4s, v17.4s
+ add v13.4s, v13.4s, v18.4s
+ add v14.4s, v14.4s, v19.4s
+
+ eor v5.16b, v5.16b, v10.16b
+ eor v6.16b, v6.16b, v11.16b
+ eor v7.16b, v7.16b, v12.16b
+ eor v8.16b, v8.16b, v13.16b
+ eor v9.16b, v9.16b, v14.16b
+
+ ushr v20.4s, v5.4s, #20
+ sli v20.4s, v5.4s, #12
+ ushr v5.4s, v6.4s, #20
+ sli v5.4s, v6.4s, #12
+ ushr v6.4s, v7.4s, #20
+ sli v6.4s, v7.4s, #12
+ ushr v7.4s, v8.4s, #20
+ sli v7.4s, v8.4s, #12
+ ushr v8.4s, v9.4s, #20
+ sli v8.4s, v9.4s, #12
+
+ add v0.4s, v0.4s, v20.4s
+ add v1.4s, v1.4s, v5.4s
+ add v2.4s, v2.4s, v6.4s
+ add v3.4s, v3.4s, v7.4s
+ add v4.4s, v4.4s, v8.4s
+
+ eor v15.16b, v15.16b, v0.16b
+ eor v16.16b, v16.16b, v1.16b
+ eor v17.16b, v17.16b, v2.16b
+ eor v18.16b, v18.16b, v3.16b
+ eor v19.16b, v19.16b, v4.16b
+
+ tbl v15.16b, {v15.16b}, v26.16b
+ tbl v16.16b, {v16.16b}, v26.16b
+ tbl v17.16b, {v17.16b}, v26.16b
+ tbl v18.16b, {v18.16b}, v26.16b
+ tbl v19.16b, {v19.16b}, v26.16b
+
+ add v10.4s, v10.4s, v15.4s
+ add v11.4s, v11.4s, v16.4s
+ add v12.4s, v12.4s, v17.4s
+ add v13.4s, v13.4s, v18.4s
+ add v14.4s, v14.4s, v19.4s
+
+ eor v20.16b, v20.16b, v10.16b
+ eor v5.16b, v5.16b, v11.16b
+ eor v6.16b, v6.16b, v12.16b
+ eor v7.16b, v7.16b, v13.16b
+ eor v8.16b, v8.16b, v14.16b
+
+ ushr v9.4s, v8.4s, #25
+ sli v9.4s, v8.4s, #7
+ ushr v8.4s, v7.4s, #25
+ sli v8.4s, v7.4s, #7
+ ushr v7.4s, v6.4s, #25
+ sli v7.4s, v6.4s, #7
+ ushr v6.4s, v5.4s, #25
+ sli v6.4s, v5.4s, #7
+ ushr v5.4s, v20.4s, #25
+ sli v5.4s, v20.4s, #7
+
+ ext v9.16b, v9.16b, v9.16b, #4
+ ext v14.16b, v14.16b, v14.16b, #8
+ ext v19.16b, v19.16b, v19.16b, #12
+ add v0.4s, v0.4s, v6.4s
+ add v1.4s, v1.4s, v7.4s
+ add v2.4s, v2.4s, v8.4s
+ add v3.4s, v3.4s, v5.4s
+ add v4.4s, v4.4s, v9.4s
+
+ eor v18.16b, v18.16b, v0.16b
+ eor v15.16b, v15.16b, v1.16b
+ eor v16.16b, v16.16b, v2.16b
+ eor v17.16b, v17.16b, v3.16b
+ eor v19.16b, v19.16b, v4.16b
+
+ rev32 v18.8h, v18.8h
+ rev32 v15.8h, v15.8h
+ rev32 v16.8h, v16.8h
+ rev32 v17.8h, v17.8h
+ rev32 v19.8h, v19.8h
+
+ add v12.4s, v12.4s, v18.4s
+ add v13.4s, v13.4s, v15.4s
+ add v10.4s, v10.4s, v16.4s
+ add v11.4s, v11.4s, v17.4s
+ add v14.4s, v14.4s, v19.4s
+
+ eor v6.16b, v6.16b, v12.16b
+ eor v7.16b, v7.16b, v13.16b
+ eor v8.16b, v8.16b, v10.16b
+ eor v5.16b, v5.16b, v11.16b
+ eor v9.16b, v9.16b, v14.16b
+
+ ushr v20.4s, v6.4s, #20
+ sli v20.4s, v6.4s, #12
+ ushr v6.4s, v7.4s, #20
+ sli v6.4s, v7.4s, #12
+ ushr v7.4s, v8.4s, #20
+ sli v7.4s, v8.4s, #12
+ ushr v8.4s, v5.4s, #20
+ sli v8.4s, v5.4s, #12
+ ushr v5.4s, v9.4s, #20
+ sli v5.4s, v9.4s, #12
+
+ add v0.4s, v0.4s, v20.4s
+ add v1.4s, v1.4s, v6.4s
+ add v2.4s, v2.4s, v7.4s
+ add v3.4s, v3.4s, v8.4s
+ add v4.4s, v4.4s, v5.4s
+
+ eor v18.16b, v18.16b, v0.16b
+ eor v15.16b, v15.16b, v1.16b
+ eor v16.16b, v16.16b, v2.16b
+ eor v17.16b, v17.16b, v3.16b
+ eor v19.16b, v19.16b, v4.16b
+
+ tbl v18.16b, {v18.16b}, v26.16b
+ tbl v15.16b, {v15.16b}, v26.16b
+ tbl v16.16b, {v16.16b}, v26.16b
+ tbl v17.16b, {v17.16b}, v26.16b
+ tbl v19.16b, {v19.16b}, v26.16b
+
+ add v12.4s, v12.4s, v18.4s
+ add v13.4s, v13.4s, v15.4s
+ add v10.4s, v10.4s, v16.4s
+ add v11.4s, v11.4s, v17.4s
+ add v14.4s, v14.4s, v19.4s
+
+ eor v20.16b, v20.16b, v12.16b
+ eor v6.16b, v6.16b, v13.16b
+ eor v7.16b, v7.16b, v10.16b
+ eor v8.16b, v8.16b, v11.16b
+ eor v5.16b, v5.16b, v14.16b
+
+ ushr v9.4s, v5.4s, #25
+ sli v9.4s, v5.4s, #7
+ ushr v5.4s, v8.4s, #25
+ sli v5.4s, v8.4s, #7
+ ushr v8.4s, v7.4s, #25
+ sli v8.4s, v7.4s, #7
+ ushr v7.4s, v6.4s, #25
+ sli v7.4s, v6.4s, #7
+ ushr v6.4s, v20.4s, #25
+ sli v6.4s, v20.4s, #7
+
+ ext v9.16b, v9.16b, v9.16b, #12
+ ext v14.16b, v14.16b, v14.16b, #8
+ ext v19.16b, v19.16b, v19.16b, #4
+ subs x6, x6, #1
+ b.hi .Lseal_init_rounds
+
+ add v15.4s, v15.4s, v25.4s
+ mov x11, #4
+ dup v20.4s, w11
+ add v25.4s, v25.4s, v20.4s
+
+ zip1 v20.4s, v0.4s, v1.4s
+ zip2 v21.4s, v0.4s, v1.4s
+ zip1 v22.4s, v2.4s, v3.4s
+ zip2 v23.4s, v2.4s, v3.4s
+
+ zip1 v0.2d, v20.2d, v22.2d
+ zip2 v1.2d, v20.2d, v22.2d
+ zip1 v2.2d, v21.2d, v23.2d
+ zip2 v3.2d, v21.2d, v23.2d
+
+ zip1 v20.4s, v5.4s, v6.4s
+ zip2 v21.4s, v5.4s, v6.4s
+ zip1 v22.4s, v7.4s, v8.4s
+ zip2 v23.4s, v7.4s, v8.4s
+
+ zip1 v5.2d, v20.2d, v22.2d
+ zip2 v6.2d, v20.2d, v22.2d
+ zip1 v7.2d, v21.2d, v23.2d
+ zip2 v8.2d, v21.2d, v23.2d
+
+ zip1 v20.4s, v10.4s, v11.4s
+ zip2 v21.4s, v10.4s, v11.4s
+ zip1 v22.4s, v12.4s, v13.4s
+ zip2 v23.4s, v12.4s, v13.4s
+
+ zip1 v10.2d, v20.2d, v22.2d
+ zip2 v11.2d, v20.2d, v22.2d
+ zip1 v12.2d, v21.2d, v23.2d
+ zip2 v13.2d, v21.2d, v23.2d
+
+ zip1 v20.4s, v15.4s, v16.4s
+ zip2 v21.4s, v15.4s, v16.4s
+ zip1 v22.4s, v17.4s, v18.4s
+ zip2 v23.4s, v17.4s, v18.4s
+
+ zip1 v15.2d, v20.2d, v22.2d
+ zip2 v16.2d, v20.2d, v22.2d
+ zip1 v17.2d, v21.2d, v23.2d
+ zip2 v18.2d, v21.2d, v23.2d
+
+ add v4.4s, v4.4s, v24.4s
+ add v9.4s, v9.4s, v28.4s
+ and v4.16b, v4.16b, v27.16b
+
+ add v0.4s, v0.4s, v24.4s
+ add v5.4s, v5.4s, v28.4s
+ add v10.4s, v10.4s, v29.4s
+ add v15.4s, v15.4s, v30.4s
+
+ add v1.4s, v1.4s, v24.4s
+ add v6.4s, v6.4s, v28.4s
+ add v11.4s, v11.4s, v29.4s
+ add v16.4s, v16.4s, v30.4s
+
+ add v2.4s, v2.4s, v24.4s
+ add v7.4s, v7.4s, v28.4s
+ add v12.4s, v12.4s, v29.4s
+ add v17.4s, v17.4s, v30.4s
+
+ add v3.4s, v3.4s, v24.4s
+ add v8.4s, v8.4s, v28.4s
+ add v13.4s, v13.4s, v29.4s
+ add v18.4s, v18.4s, v30.4s
+
+ mov x16, v4.d[0] // Move the R key to GPRs
+ mov x17, v4.d[1]
+ mov v27.16b, v9.16b // Store the S key
+
+ bl .Lpoly_hash_ad_internal
+
+ mov x3, x0
+ cmp x2, #256
+ b.le .Lseal_tail
+
+ ld1 {v20.16b - v23.16b}, [x1], #64
+ eor v20.16b, v20.16b, v0.16b
+ eor v21.16b, v21.16b, v5.16b
+ eor v22.16b, v22.16b, v10.16b
+ eor v23.16b, v23.16b, v15.16b
+ st1 {v20.16b - v23.16b}, [x0], #64
+
+ ld1 {v20.16b - v23.16b}, [x1], #64
+ eor v20.16b, v20.16b, v1.16b
+ eor v21.16b, v21.16b, v6.16b
+ eor v22.16b, v22.16b, v11.16b
+ eor v23.16b, v23.16b, v16.16b
+ st1 {v20.16b - v23.16b}, [x0], #64
+
+ ld1 {v20.16b - v23.16b}, [x1], #64
+ eor v20.16b, v20.16b, v2.16b
+ eor v21.16b, v21.16b, v7.16b
+ eor v22.16b, v22.16b, v12.16b
+ eor v23.16b, v23.16b, v17.16b
+ st1 {v20.16b - v23.16b}, [x0], #64
+
+ ld1 {v20.16b - v23.16b}, [x1], #64
+ eor v20.16b, v20.16b, v3.16b
+ eor v21.16b, v21.16b, v8.16b
+ eor v22.16b, v22.16b, v13.16b
+ eor v23.16b, v23.16b, v18.16b
+ st1 {v20.16b - v23.16b}, [x0], #64
+
+ sub x2, x2, #256
+
+ mov x6, #4 // In the first run of the loop we need to hash 256 bytes, therefore we hash one block for the first 4 rounds
+ mov x7, #6 // and two blocks for the remaining 6, for a total of (1 * 4 + 2 * 6) * 16 = 256
+
+.Lseal_main_loop:
+ adrp x11, .Lchacha20_consts
+ add x11, x11, :lo12:.Lchacha20_consts
+
+ ld4r {v0.4s,v1.4s,v2.4s,v3.4s}, [x11]
+ mov v4.16b, v24.16b
+
+ ld4r {v5.4s,v6.4s,v7.4s,v8.4s}, [x5], #16
+ mov v9.16b, v28.16b
+
+ ld4r {v10.4s,v11.4s,v12.4s,v13.4s}, [x5], #16
+ mov v14.16b, v29.16b
+
+ ld4r {v15.4s,v16.4s,v17.4s,v18.4s}, [x5]
+ add v15.4s, v15.4s, v25.4s
+ mov v19.16b, v30.16b
+
+ eor v20.16b, v20.16b, v20.16b //zero
+ not v21.16b, v20.16b // -1
+ sub v21.4s, v25.4s, v21.4s // Add +1
+ ext v20.16b, v21.16b, v20.16b, #12 // Get the last element (counter)
+ add v19.4s, v19.4s, v20.4s
+
+ sub x5, x5, #32
+.align 5
+.Lseal_main_loop_rounds:
+ add v0.4s, v0.4s, v5.4s
+ add v1.4s, v1.4s, v6.4s
+ add v2.4s, v2.4s, v7.4s
+ add v3.4s, v3.4s, v8.4s
+ add v4.4s, v4.4s, v9.4s
+
+ eor v15.16b, v15.16b, v0.16b
+ eor v16.16b, v16.16b, v1.16b
+ eor v17.16b, v17.16b, v2.16b
+ eor v18.16b, v18.16b, v3.16b
+ eor v19.16b, v19.16b, v4.16b
+
+ rev32 v15.8h, v15.8h
+ rev32 v16.8h, v16.8h
+ rev32 v17.8h, v17.8h
+ rev32 v18.8h, v18.8h
+ rev32 v19.8h, v19.8h
+
+ add v10.4s, v10.4s, v15.4s
+ add v11.4s, v11.4s, v16.4s
+ add v12.4s, v12.4s, v17.4s
+ add v13.4s, v13.4s, v18.4s
+ add v14.4s, v14.4s, v19.4s
+
+ eor v5.16b, v5.16b, v10.16b
+ eor v6.16b, v6.16b, v11.16b
+ eor v7.16b, v7.16b, v12.16b
+ eor v8.16b, v8.16b, v13.16b
+ eor v9.16b, v9.16b, v14.16b
+
+ ushr v20.4s, v5.4s, #20
+ sli v20.4s, v5.4s, #12
+ ushr v5.4s, v6.4s, #20
+ sli v5.4s, v6.4s, #12
+ ushr v6.4s, v7.4s, #20
+ sli v6.4s, v7.4s, #12
+ ushr v7.4s, v8.4s, #20
+ sli v7.4s, v8.4s, #12
+ ushr v8.4s, v9.4s, #20
+ sli v8.4s, v9.4s, #12
+
+ add v0.4s, v0.4s, v20.4s
+ add v1.4s, v1.4s, v5.4s
+ add v2.4s, v2.4s, v6.4s
+ add v3.4s, v3.4s, v7.4s
+ add v4.4s, v4.4s, v8.4s
+
+ eor v15.16b, v15.16b, v0.16b
+ eor v16.16b, v16.16b, v1.16b
+ eor v17.16b, v17.16b, v2.16b
+ eor v18.16b, v18.16b, v3.16b
+ eor v19.16b, v19.16b, v4.16b
+
+ tbl v15.16b, {v15.16b}, v26.16b
+ tbl v16.16b, {v16.16b}, v26.16b
+ tbl v17.16b, {v17.16b}, v26.16b
+ tbl v18.16b, {v18.16b}, v26.16b
+ tbl v19.16b, {v19.16b}, v26.16b
+
+ add v10.4s, v10.4s, v15.4s
+ add v11.4s, v11.4s, v16.4s
+ add v12.4s, v12.4s, v17.4s
+ add v13.4s, v13.4s, v18.4s
+ add v14.4s, v14.4s, v19.4s
+
+ eor v20.16b, v20.16b, v10.16b
+ eor v5.16b, v5.16b, v11.16b
+ eor v6.16b, v6.16b, v12.16b
+ eor v7.16b, v7.16b, v13.16b
+ eor v8.16b, v8.16b, v14.16b
+
+ ushr v9.4s, v8.4s, #25
+ sli v9.4s, v8.4s, #7
+ ushr v8.4s, v7.4s, #25
+ sli v8.4s, v7.4s, #7
+ ushr v7.4s, v6.4s, #25
+ sli v7.4s, v6.4s, #7
+ ushr v6.4s, v5.4s, #25
+ sli v6.4s, v5.4s, #7
+ ushr v5.4s, v20.4s, #25
+ sli v5.4s, v20.4s, #7
+
+ ext v9.16b, v9.16b, v9.16b, #4
+ ext v14.16b, v14.16b, v14.16b, #8
+ ext v19.16b, v19.16b, v19.16b, #12
+ ldp x11, x12, [x3], 16
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ add v0.4s, v0.4s, v6.4s
+ add v1.4s, v1.4s, v7.4s
+ add v2.4s, v2.4s, v8.4s
+ add v3.4s, v3.4s, v5.4s
+ add v4.4s, v4.4s, v9.4s
+
+ eor v18.16b, v18.16b, v0.16b
+ eor v15.16b, v15.16b, v1.16b
+ eor v16.16b, v16.16b, v2.16b
+ eor v17.16b, v17.16b, v3.16b
+ eor v19.16b, v19.16b, v4.16b
+
+ rev32 v18.8h, v18.8h
+ rev32 v15.8h, v15.8h
+ rev32 v16.8h, v16.8h
+ rev32 v17.8h, v17.8h
+ rev32 v19.8h, v19.8h
+
+ add v12.4s, v12.4s, v18.4s
+ add v13.4s, v13.4s, v15.4s
+ add v10.4s, v10.4s, v16.4s
+ add v11.4s, v11.4s, v17.4s
+ add v14.4s, v14.4s, v19.4s
+
+ eor v6.16b, v6.16b, v12.16b
+ eor v7.16b, v7.16b, v13.16b
+ eor v8.16b, v8.16b, v10.16b
+ eor v5.16b, v5.16b, v11.16b
+ eor v9.16b, v9.16b, v14.16b
+
+ ushr v20.4s, v6.4s, #20
+ sli v20.4s, v6.4s, #12
+ ushr v6.4s, v7.4s, #20
+ sli v6.4s, v7.4s, #12
+ ushr v7.4s, v8.4s, #20
+ sli v7.4s, v8.4s, #12
+ ushr v8.4s, v5.4s, #20
+ sli v8.4s, v5.4s, #12
+ ushr v5.4s, v9.4s, #20
+ sli v5.4s, v9.4s, #12
+
+ add v0.4s, v0.4s, v20.4s
+ add v1.4s, v1.4s, v6.4s
+ add v2.4s, v2.4s, v7.4s
+ add v3.4s, v3.4s, v8.4s
+ add v4.4s, v4.4s, v5.4s
+
+ eor v18.16b, v18.16b, v0.16b
+ eor v15.16b, v15.16b, v1.16b
+ eor v16.16b, v16.16b, v2.16b
+ eor v17.16b, v17.16b, v3.16b
+ eor v19.16b, v19.16b, v4.16b
+
+ tbl v18.16b, {v18.16b}, v26.16b
+ tbl v15.16b, {v15.16b}, v26.16b
+ tbl v16.16b, {v16.16b}, v26.16b
+ tbl v17.16b, {v17.16b}, v26.16b
+ tbl v19.16b, {v19.16b}, v26.16b
+
+ add v12.4s, v12.4s, v18.4s
+ add v13.4s, v13.4s, v15.4s
+ add v10.4s, v10.4s, v16.4s
+ add v11.4s, v11.4s, v17.4s
+ add v14.4s, v14.4s, v19.4s
+
+ eor v20.16b, v20.16b, v12.16b
+ eor v6.16b, v6.16b, v13.16b
+ eor v7.16b, v7.16b, v10.16b
+ eor v8.16b, v8.16b, v11.16b
+ eor v5.16b, v5.16b, v14.16b
+
+ ushr v9.4s, v5.4s, #25
+ sli v9.4s, v5.4s, #7
+ ushr v5.4s, v8.4s, #25
+ sli v5.4s, v8.4s, #7
+ ushr v8.4s, v7.4s, #25
+ sli v8.4s, v7.4s, #7
+ ushr v7.4s, v6.4s, #25
+ sli v7.4s, v6.4s, #7
+ ushr v6.4s, v20.4s, #25
+ sli v6.4s, v20.4s, #7
+
+ ext v9.16b, v9.16b, v9.16b, #12
+ ext v14.16b, v14.16b, v14.16b, #8
+ ext v19.16b, v19.16b, v19.16b, #4
+ subs x6, x6, #1
+ b.ge .Lseal_main_loop_rounds
+ ldp x11, x12, [x3], 16
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ subs x7, x7, #1
+ b.gt .Lseal_main_loop_rounds
+
+ eor v20.16b, v20.16b, v20.16b //zero
+ not v21.16b, v20.16b // -1
+ sub v21.4s, v25.4s, v21.4s // Add +1
+ ext v20.16b, v21.16b, v20.16b, #12 // Get the last element (counter)
+ add v19.4s, v19.4s, v20.4s
+
+ add v15.4s, v15.4s, v25.4s
+ mov x11, #5
+ dup v20.4s, w11
+ add v25.4s, v25.4s, v20.4s
+
+ zip1 v20.4s, v0.4s, v1.4s
+ zip2 v21.4s, v0.4s, v1.4s
+ zip1 v22.4s, v2.4s, v3.4s
+ zip2 v23.4s, v2.4s, v3.4s
+
+ zip1 v0.2d, v20.2d, v22.2d
+ zip2 v1.2d, v20.2d, v22.2d
+ zip1 v2.2d, v21.2d, v23.2d
+ zip2 v3.2d, v21.2d, v23.2d
+
+ zip1 v20.4s, v5.4s, v6.4s
+ zip2 v21.4s, v5.4s, v6.4s
+ zip1 v22.4s, v7.4s, v8.4s
+ zip2 v23.4s, v7.4s, v8.4s
+
+ zip1 v5.2d, v20.2d, v22.2d
+ zip2 v6.2d, v20.2d, v22.2d
+ zip1 v7.2d, v21.2d, v23.2d
+ zip2 v8.2d, v21.2d, v23.2d
+
+ zip1 v20.4s, v10.4s, v11.4s
+ zip2 v21.4s, v10.4s, v11.4s
+ zip1 v22.4s, v12.4s, v13.4s
+ zip2 v23.4s, v12.4s, v13.4s
+
+ zip1 v10.2d, v20.2d, v22.2d
+ zip2 v11.2d, v20.2d, v22.2d
+ zip1 v12.2d, v21.2d, v23.2d
+ zip2 v13.2d, v21.2d, v23.2d
+
+ zip1 v20.4s, v15.4s, v16.4s
+ zip2 v21.4s, v15.4s, v16.4s
+ zip1 v22.4s, v17.4s, v18.4s
+ zip2 v23.4s, v17.4s, v18.4s
+
+ zip1 v15.2d, v20.2d, v22.2d
+ zip2 v16.2d, v20.2d, v22.2d
+ zip1 v17.2d, v21.2d, v23.2d
+ zip2 v18.2d, v21.2d, v23.2d
+
+ add v0.4s, v0.4s, v24.4s
+ add v5.4s, v5.4s, v28.4s
+ add v10.4s, v10.4s, v29.4s
+ add v15.4s, v15.4s, v30.4s
+
+ add v1.4s, v1.4s, v24.4s
+ add v6.4s, v6.4s, v28.4s
+ add v11.4s, v11.4s, v29.4s
+ add v16.4s, v16.4s, v30.4s
+
+ add v2.4s, v2.4s, v24.4s
+ add v7.4s, v7.4s, v28.4s
+ add v12.4s, v12.4s, v29.4s
+ add v17.4s, v17.4s, v30.4s
+
+ add v3.4s, v3.4s, v24.4s
+ add v8.4s, v8.4s, v28.4s
+ add v13.4s, v13.4s, v29.4s
+ add v18.4s, v18.4s, v30.4s
+
+ add v4.4s, v4.4s, v24.4s
+ add v9.4s, v9.4s, v28.4s
+ add v14.4s, v14.4s, v29.4s
+ add v19.4s, v19.4s, v30.4s
+
+ cmp x2, #320
+ b.le .Lseal_tail
+
+ ld1 {v20.16b - v23.16b}, [x1], #64
+ eor v20.16b, v20.16b, v0.16b
+ eor v21.16b, v21.16b, v5.16b
+ eor v22.16b, v22.16b, v10.16b
+ eor v23.16b, v23.16b, v15.16b
+ st1 {v20.16b - v23.16b}, [x0], #64
+
+ ld1 {v20.16b - v23.16b}, [x1], #64
+ eor v20.16b, v20.16b, v1.16b
+ eor v21.16b, v21.16b, v6.16b
+ eor v22.16b, v22.16b, v11.16b
+ eor v23.16b, v23.16b, v16.16b
+ st1 {v20.16b - v23.16b}, [x0], #64
+
+ ld1 {v20.16b - v23.16b}, [x1], #64
+ eor v20.16b, v20.16b, v2.16b
+ eor v21.16b, v21.16b, v7.16b
+ eor v22.16b, v22.16b, v12.16b
+ eor v23.16b, v23.16b, v17.16b
+ st1 {v20.16b - v23.16b}, [x0], #64
+
+ ld1 {v20.16b - v23.16b}, [x1], #64
+ eor v20.16b, v20.16b, v3.16b
+ eor v21.16b, v21.16b, v8.16b
+ eor v22.16b, v22.16b, v13.16b
+ eor v23.16b, v23.16b, v18.16b
+ st1 {v20.16b - v23.16b}, [x0], #64
+
+ ld1 {v20.16b - v23.16b}, [x1], #64
+ eor v20.16b, v20.16b, v4.16b
+ eor v21.16b, v21.16b, v9.16b
+ eor v22.16b, v22.16b, v14.16b
+ eor v23.16b, v23.16b, v19.16b
+ st1 {v20.16b - v23.16b}, [x0], #64
+
+ sub x2, x2, #320
+
+ mov x6, #0
+ mov x7, #10 // For the remainder of the loop we always hash and encrypt 320 bytes per iteration
+
+ b .Lseal_main_loop
+
+.Lseal_tail:
+ // This part of the function handles the storage and authentication of the last [0,320) bytes
+ // We assume A0-A4 ... D0-D4 hold at least inl (320 max) bytes of the stream data.
+ cmp x2, #64
+ b.lt .Lseal_tail_64
+
+ // Store and authenticate 64B blocks per iteration
+ ld1 {v20.16b - v23.16b}, [x1], #64
+
+ eor v20.16b, v20.16b, v0.16b
+ eor v21.16b, v21.16b, v5.16b
+ eor v22.16b, v22.16b, v10.16b
+ eor v23.16b, v23.16b, v15.16b
+ mov x11, v20.d[0]
+ mov x12, v20.d[1]
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ mov x11, v21.d[0]
+ mov x12, v21.d[1]
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ mov x11, v22.d[0]
+ mov x12, v22.d[1]
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ mov x11, v23.d[0]
+ mov x12, v23.d[1]
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ st1 {v20.16b - v23.16b}, [x0], #64
+ sub x2, x2, #64
+
+ // Shift the state left by 64 bytes for the next iteration of the loop
+ mov v0.16b, v1.16b
+ mov v5.16b, v6.16b
+ mov v10.16b, v11.16b
+ mov v15.16b, v16.16b
+
+ mov v1.16b, v2.16b
+ mov v6.16b, v7.16b
+ mov v11.16b, v12.16b
+ mov v16.16b, v17.16b
+
+ mov v2.16b, v3.16b
+ mov v7.16b, v8.16b
+ mov v12.16b, v13.16b
+ mov v17.16b, v18.16b
+
+ mov v3.16b, v4.16b
+ mov v8.16b, v9.16b
+ mov v13.16b, v14.16b
+ mov v18.16b, v19.16b
+
+ b .Lseal_tail
+
+.Lseal_tail_64:
+ ldp x3, x4, [x5, #48] // extra_in_len and extra_in_ptr
+
+ // Here we handle the last [0,64) bytes of plaintext
+ cmp x2, #16
+ b.lt .Lseal_tail_16
+ // Each iteration encrypt and authenticate a 16B block
+ ld1 {v20.16b}, [x1], #16
+ eor v20.16b, v20.16b, v0.16b
+ mov x11, v20.d[0]
+ mov x12, v20.d[1]
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ st1 {v20.16b}, [x0], #16
+
+ sub x2, x2, #16
+
+ // Shift the state left by 16 bytes for the next iteration of the loop
+ mov v0.16b, v5.16b
+ mov v5.16b, v10.16b
+ mov v10.16b, v15.16b
+
+ b .Lseal_tail_64
+
+.Lseal_tail_16:
+ // Here we handle the last [0,16) bytes of ciphertext that require a padded block
+ cbz x2, .Lseal_hash_extra
+
+ eor v20.16b, v20.16b, v20.16b // Use T0 to load the plaintext/extra in
+ eor v21.16b, v21.16b, v21.16b // Use T1 to generate an AND mask that will only mask the ciphertext bytes
+ not v22.16b, v20.16b
+
+ mov x6, x2
+ add x1, x1, x2
+
+ cbz x4, .Lseal_tail_16_compose // No extra data to pad with, zero padding
+
+ mov x7, #16 // We need to load some extra_in first for padding
+ sub x7, x7, x2
+ cmp x4, x7
+ csel x7, x4, x7, lt // .Load the minimum of extra_in_len and the amount needed to fill the register
+ mov x12, x7
+ add x3, x3, x7
+ sub x4, x4, x7
+
+.Lseal_tail16_compose_extra_in:
+ ext v20.16b, v20.16b, v20.16b, #15
+ ldrb w11, [x3, #-1]!
+ mov v20.b[0], w11
+ subs x7, x7, #1
+ b.gt .Lseal_tail16_compose_extra_in
+
+ add x3, x3, x12
+
+.Lseal_tail_16_compose:
+ ext v20.16b, v20.16b, v20.16b, #15
+ ldrb w11, [x1, #-1]!
+ mov v20.b[0], w11
+ ext v21.16b, v22.16b, v21.16b, #15
+ subs x2, x2, #1
+ b.gt .Lseal_tail_16_compose
+
+ and v0.16b, v0.16b, v21.16b
+ eor v20.16b, v20.16b, v0.16b
+ mov v21.16b, v20.16b
+
+.Lseal_tail_16_store:
+ umov w11, v20.b[0]
+ strb w11, [x0], #1
+ ext v20.16b, v20.16b, v20.16b, #1
+ subs x6, x6, #1
+ b.gt .Lseal_tail_16_store
+
+ // Hash in the final ct block concatenated with extra_in
+ mov x11, v21.d[0]
+ mov x12, v21.d[1]
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+
+.Lseal_hash_extra:
+ cbz x4, .Lseal_finalize
+
+.Lseal_hash_extra_loop:
+ cmp x4, #16
+ b.lt .Lseal_hash_extra_tail
+ ld1 {v20.16b}, [x3], #16
+ mov x11, v20.d[0]
+ mov x12, v20.d[1]
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ sub x4, x4, #16
+ b .Lseal_hash_extra_loop
+
+.Lseal_hash_extra_tail:
+ cbz x4, .Lseal_finalize
+ eor v20.16b, v20.16b, v20.16b // Use T0 to load the remaining extra ciphertext
+ add x3, x3, x4
+
+.Lseal_hash_extra_load:
+ ext v20.16b, v20.16b, v20.16b, #15
+ ldrb w11, [x3, #-1]!
+ mov v20.b[0], w11
+ subs x4, x4, #1
+ b.gt .Lseal_hash_extra_load
+
+ // Hash in the final padded extra_in blcok
+ mov x11, v20.d[0]
+ mov x12, v20.d[1]
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+
+.Lseal_finalize:
+ mov x11, v31.d[0]
+ mov x12, v31.d[1]
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ # Final reduction step
+ sub x12, xzr, x15
+ orr x13, xzr, #3
+ subs x11, x8, #-5
+ sbcs x12, x9, x12
+ sbcs x13, x10, x13
+ csel x8, x11, x8, cs
+ csel x9, x12, x9, cs
+ csel x10, x13, x10, cs
+ mov x11, v27.d[0]
+ mov x12, v27.d[1]
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+
+ stp x8, x9, [x5]
+
+ ldp d8, d9, [sp, #16]
+ ldp d10, d11, [sp, #32]
+ ldp d12, d13, [sp, #48]
+ ldp d14, d15, [sp, #64]
+.cfi_restore b15
+.cfi_restore b14
+.cfi_restore b13
+.cfi_restore b12
+.cfi_restore b11
+.cfi_restore b10
+.cfi_restore b9
+.cfi_restore b8
+ ldp x29, x30, [sp], 80
+.cfi_restore w29
+.cfi_restore w30
+.cfi_def_cfa_offset 0
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+
+.Lseal_128:
+ // On some architectures preparing 5 blocks for small buffers is wasteful
+ eor v25.16b, v25.16b, v25.16b
+ mov x11, #1
+ mov v25.s[0], w11
+ mov v0.16b, v24.16b
+ mov v1.16b, v24.16b
+ mov v2.16b, v24.16b
+ mov v5.16b, v28.16b
+ mov v6.16b, v28.16b
+ mov v7.16b, v28.16b
+ mov v10.16b, v29.16b
+ mov v11.16b, v29.16b
+ mov v12.16b, v29.16b
+ mov v17.16b, v30.16b
+ add v15.4s, v17.4s, v25.4s
+ add v16.4s, v15.4s, v25.4s
+
+ mov x6, #10
+
+.Lseal_128_rounds:
+ add v0.4s, v0.4s, v5.4s
+ add v1.4s, v1.4s, v6.4s
+ add v2.4s, v2.4s, v7.4s
+ eor v15.16b, v15.16b, v0.16b
+ eor v16.16b, v16.16b, v1.16b
+ eor v17.16b, v17.16b, v2.16b
+ rev32 v15.8h, v15.8h
+ rev32 v16.8h, v16.8h
+ rev32 v17.8h, v17.8h
+
+ add v10.4s, v10.4s, v15.4s
+ add v11.4s, v11.4s, v16.4s
+ add v12.4s, v12.4s, v17.4s
+ eor v5.16b, v5.16b, v10.16b
+ eor v6.16b, v6.16b, v11.16b
+ eor v7.16b, v7.16b, v12.16b
+ ushr v20.4s, v5.4s, #20
+ sli v20.4s, v5.4s, #12
+ ushr v5.4s, v6.4s, #20
+ sli v5.4s, v6.4s, #12
+ ushr v6.4s, v7.4s, #20
+ sli v6.4s, v7.4s, #12
+
+ add v0.4s, v0.4s, v20.4s
+ add v1.4s, v1.4s, v5.4s
+ add v2.4s, v2.4s, v6.4s
+ eor v15.16b, v15.16b, v0.16b
+ eor v16.16b, v16.16b, v1.16b
+ eor v17.16b, v17.16b, v2.16b
+ tbl v15.16b, {v15.16b}, v26.16b
+ tbl v16.16b, {v16.16b}, v26.16b
+ tbl v17.16b, {v17.16b}, v26.16b
+
+ add v10.4s, v10.4s, v15.4s
+ add v11.4s, v11.4s, v16.4s
+ add v12.4s, v12.4s, v17.4s
+ eor v20.16b, v20.16b, v10.16b
+ eor v5.16b, v5.16b, v11.16b
+ eor v6.16b, v6.16b, v12.16b
+ ushr v7.4s, v6.4s, #25
+ sli v7.4s, v6.4s, #7
+ ushr v6.4s, v5.4s, #25
+ sli v6.4s, v5.4s, #7
+ ushr v5.4s, v20.4s, #25
+ sli v5.4s, v20.4s, #7
+
+ ext v5.16b, v5.16b, v5.16b, #4
+ ext v6.16b, v6.16b, v6.16b, #4
+ ext v7.16b, v7.16b, v7.16b, #4
+
+ ext v10.16b, v10.16b, v10.16b, #8
+ ext v11.16b, v11.16b, v11.16b, #8
+ ext v12.16b, v12.16b, v12.16b, #8
+
+ ext v15.16b, v15.16b, v15.16b, #12
+ ext v16.16b, v16.16b, v16.16b, #12
+ ext v17.16b, v17.16b, v17.16b, #12
+ add v0.4s, v0.4s, v5.4s
+ add v1.4s, v1.4s, v6.4s
+ add v2.4s, v2.4s, v7.4s
+ eor v15.16b, v15.16b, v0.16b
+ eor v16.16b, v16.16b, v1.16b
+ eor v17.16b, v17.16b, v2.16b
+ rev32 v15.8h, v15.8h
+ rev32 v16.8h, v16.8h
+ rev32 v17.8h, v17.8h
+
+ add v10.4s, v10.4s, v15.4s
+ add v11.4s, v11.4s, v16.4s
+ add v12.4s, v12.4s, v17.4s
+ eor v5.16b, v5.16b, v10.16b
+ eor v6.16b, v6.16b, v11.16b
+ eor v7.16b, v7.16b, v12.16b
+ ushr v20.4s, v5.4s, #20
+ sli v20.4s, v5.4s, #12
+ ushr v5.4s, v6.4s, #20
+ sli v5.4s, v6.4s, #12
+ ushr v6.4s, v7.4s, #20
+ sli v6.4s, v7.4s, #12
+
+ add v0.4s, v0.4s, v20.4s
+ add v1.4s, v1.4s, v5.4s
+ add v2.4s, v2.4s, v6.4s
+ eor v15.16b, v15.16b, v0.16b
+ eor v16.16b, v16.16b, v1.16b
+ eor v17.16b, v17.16b, v2.16b
+ tbl v15.16b, {v15.16b}, v26.16b
+ tbl v16.16b, {v16.16b}, v26.16b
+ tbl v17.16b, {v17.16b}, v26.16b
+
+ add v10.4s, v10.4s, v15.4s
+ add v11.4s, v11.4s, v16.4s
+ add v12.4s, v12.4s, v17.4s
+ eor v20.16b, v20.16b, v10.16b
+ eor v5.16b, v5.16b, v11.16b
+ eor v6.16b, v6.16b, v12.16b
+ ushr v7.4s, v6.4s, #25
+ sli v7.4s, v6.4s, #7
+ ushr v6.4s, v5.4s, #25
+ sli v6.4s, v5.4s, #7
+ ushr v5.4s, v20.4s, #25
+ sli v5.4s, v20.4s, #7
+
+ ext v5.16b, v5.16b, v5.16b, #12
+ ext v6.16b, v6.16b, v6.16b, #12
+ ext v7.16b, v7.16b, v7.16b, #12
+
+ ext v10.16b, v10.16b, v10.16b, #8
+ ext v11.16b, v11.16b, v11.16b, #8
+ ext v12.16b, v12.16b, v12.16b, #8
+
+ ext v15.16b, v15.16b, v15.16b, #4
+ ext v16.16b, v16.16b, v16.16b, #4
+ ext v17.16b, v17.16b, v17.16b, #4
+ subs x6, x6, #1
+ b.hi .Lseal_128_rounds
+
+ add v0.4s, v0.4s, v24.4s
+ add v1.4s, v1.4s, v24.4s
+ add v2.4s, v2.4s, v24.4s
+
+ add v5.4s, v5.4s, v28.4s
+ add v6.4s, v6.4s, v28.4s
+ add v7.4s, v7.4s, v28.4s
+
+ // Only the first 32 bytes of the third block (counter = 0) are needed,
+ // so skip updating v12 and v17.
+ add v10.4s, v10.4s, v29.4s
+ add v11.4s, v11.4s, v29.4s
+
+ add v30.4s, v30.4s, v25.4s
+ add v15.4s, v15.4s, v30.4s
+ add v30.4s, v30.4s, v25.4s
+ add v16.4s, v16.4s, v30.4s
+
+ and v2.16b, v2.16b, v27.16b
+ mov x16, v2.d[0] // Move the R key to GPRs
+ mov x17, v2.d[1]
+ mov v27.16b, v7.16b // Store the S key
+
+ bl .Lpoly_hash_ad_internal
+ b .Lseal_tail
+.cfi_endproc
+.size chacha20_poly1305_seal,.-chacha20_poly1305_seal
+
+/////////////////////////////////
+//
+// void chacha20_poly1305_open(uint8_t *pt, uint8_t *ct, size_t len_in, uint8_t *ad, size_t len_ad, union open_data *aead_data);
+//
+.globl chacha20_poly1305_open
+.hidden chacha20_poly1305_open
+.type chacha20_poly1305_open,%function
+.align 6
+chacha20_poly1305_open:
+ AARCH64_SIGN_LINK_REGISTER
+.cfi_startproc
+ stp x29, x30, [sp, #-80]!
+.cfi_def_cfa_offset 80
+.cfi_offset w30, -72
+.cfi_offset w29, -80
+ mov x29, sp
+# We probably could do .cfi_def_cfa w29, 80 at this point, but since
+# we don't actually use the frame pointer like that, it's probably not
+# worth bothering.
+ stp d8, d9, [sp, #16]
+ stp d10, d11, [sp, #32]
+ stp d12, d13, [sp, #48]
+ stp d14, d15, [sp, #64]
+.cfi_offset b15, -8
+.cfi_offset b14, -16
+.cfi_offset b13, -24
+.cfi_offset b12, -32
+.cfi_offset b11, -40
+.cfi_offset b10, -48
+.cfi_offset b9, -56
+.cfi_offset b8, -64
+
+ adrp x11, .Lchacha20_consts
+ add x11, x11, :lo12:.Lchacha20_consts
+
+ ld1 {v24.16b - v27.16b}, [x11] // .Load the CONSTS, INC, ROL8 and CLAMP values
+ ld1 {v28.16b - v30.16b}, [x5]
+
+ mov x15, #1 // Prepare the Poly1305 state
+ mov x8, #0
+ mov x9, #0
+ mov x10, #0
+
+ mov v31.d[0], x4 // Store the input and aad lengths
+ mov v31.d[1], x2
+
+ cmp x2, #128
+ b.le .Lopen_128 // Optimization for smaller buffers
+
+ // Initially we prepare a single ChaCha20 block for the Poly1305 R and S keys
+ mov v0.16b, v24.16b
+ mov v5.16b, v28.16b
+ mov v10.16b, v29.16b
+ mov v15.16b, v30.16b
+
+ mov x6, #10
+
+.align 5
+.Lopen_init_rounds:
+ add v0.4s, v0.4s, v5.4s
+ eor v15.16b, v15.16b, v0.16b
+ rev32 v15.8h, v15.8h
+
+ add v10.4s, v10.4s, v15.4s
+ eor v5.16b, v5.16b, v10.16b
+ ushr v20.4s, v5.4s, #20
+ sli v20.4s, v5.4s, #12
+ add v0.4s, v0.4s, v20.4s
+ eor v15.16b, v15.16b, v0.16b
+ tbl v15.16b, {v15.16b}, v26.16b
+
+ add v10.4s, v10.4s, v15.4s
+ eor v20.16b, v20.16b, v10.16b
+ ushr v5.4s, v20.4s, #25
+ sli v5.4s, v20.4s, #7
+ ext v5.16b, v5.16b, v5.16b, #4
+ ext v10.16b, v10.16b, v10.16b, #8
+ ext v15.16b, v15.16b, v15.16b, #12
+ add v0.4s, v0.4s, v5.4s
+ eor v15.16b, v15.16b, v0.16b
+ rev32 v15.8h, v15.8h
+
+ add v10.4s, v10.4s, v15.4s
+ eor v5.16b, v5.16b, v10.16b
+ ushr v20.4s, v5.4s, #20
+ sli v20.4s, v5.4s, #12
+ add v0.4s, v0.4s, v20.4s
+ eor v15.16b, v15.16b, v0.16b
+ tbl v15.16b, {v15.16b}, v26.16b
+
+ add v10.4s, v10.4s, v15.4s
+ eor v20.16b, v20.16b, v10.16b
+ ushr v5.4s, v20.4s, #25
+ sli v5.4s, v20.4s, #7
+ ext v5.16b, v5.16b, v5.16b, #12
+ ext v10.16b, v10.16b, v10.16b, #8
+ ext v15.16b, v15.16b, v15.16b, #4
+ subs x6, x6, #1
+ b.hi .Lopen_init_rounds
+
+ add v0.4s, v0.4s, v24.4s
+ add v5.4s, v5.4s, v28.4s
+
+ and v0.16b, v0.16b, v27.16b
+ mov x16, v0.d[0] // Move the R key to GPRs
+ mov x17, v0.d[1]
+ mov v27.16b, v5.16b // Store the S key
+
+ bl .Lpoly_hash_ad_internal
+
+.Lopen_ad_done:
+ mov x3, x1
+
+// Each iteration of the loop hash 320 bytes, and prepare stream for 320 bytes
+.Lopen_main_loop:
+
+ cmp x2, #192
+ b.lt .Lopen_tail
+
+ adrp x11, .Lchacha20_consts
+ add x11, x11, :lo12:.Lchacha20_consts
+
+ ld4r {v0.4s,v1.4s,v2.4s,v3.4s}, [x11]
+ mov v4.16b, v24.16b
+
+ ld4r {v5.4s,v6.4s,v7.4s,v8.4s}, [x5], #16
+ mov v9.16b, v28.16b
+
+ ld4r {v10.4s,v11.4s,v12.4s,v13.4s}, [x5], #16
+ mov v14.16b, v29.16b
+
+ ld4r {v15.4s,v16.4s,v17.4s,v18.4s}, [x5]
+ sub x5, x5, #32
+ add v15.4s, v15.4s, v25.4s
+ mov v19.16b, v30.16b
+
+ eor v20.16b, v20.16b, v20.16b //zero
+ not v21.16b, v20.16b // -1
+ sub v21.4s, v25.4s, v21.4s // Add +1
+ ext v20.16b, v21.16b, v20.16b, #12 // Get the last element (counter)
+ add v19.4s, v19.4s, v20.4s
+
+ lsr x4, x2, #4 // How many whole blocks we have to hash, will always be at least 12
+ sub x4, x4, #10
+
+ mov x7, #10
+ subs x6, x7, x4
+ subs x6, x7, x4 // itr1 can be negative if we have more than 320 bytes to hash
+ csel x7, x7, x4, le // if itr1 is zero or less, itr2 should be 10 to indicate all 10 rounds are full
+
+ cbz x7, .Lopen_main_loop_rounds_short
+
+.align 5
+.Lopen_main_loop_rounds:
+ ldp x11, x12, [x3], 16
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+.Lopen_main_loop_rounds_short:
+ add v0.4s, v0.4s, v5.4s
+ add v1.4s, v1.4s, v6.4s
+ add v2.4s, v2.4s, v7.4s
+ add v3.4s, v3.4s, v8.4s
+ add v4.4s, v4.4s, v9.4s
+
+ eor v15.16b, v15.16b, v0.16b
+ eor v16.16b, v16.16b, v1.16b
+ eor v17.16b, v17.16b, v2.16b
+ eor v18.16b, v18.16b, v3.16b
+ eor v19.16b, v19.16b, v4.16b
+
+ rev32 v15.8h, v15.8h
+ rev32 v16.8h, v16.8h
+ rev32 v17.8h, v17.8h
+ rev32 v18.8h, v18.8h
+ rev32 v19.8h, v19.8h
+
+ add v10.4s, v10.4s, v15.4s
+ add v11.4s, v11.4s, v16.4s
+ add v12.4s, v12.4s, v17.4s
+ add v13.4s, v13.4s, v18.4s
+ add v14.4s, v14.4s, v19.4s
+
+ eor v5.16b, v5.16b, v10.16b
+ eor v6.16b, v6.16b, v11.16b
+ eor v7.16b, v7.16b, v12.16b
+ eor v8.16b, v8.16b, v13.16b
+ eor v9.16b, v9.16b, v14.16b
+
+ ushr v20.4s, v5.4s, #20
+ sli v20.4s, v5.4s, #12
+ ushr v5.4s, v6.4s, #20
+ sli v5.4s, v6.4s, #12
+ ushr v6.4s, v7.4s, #20
+ sli v6.4s, v7.4s, #12
+ ushr v7.4s, v8.4s, #20
+ sli v7.4s, v8.4s, #12
+ ushr v8.4s, v9.4s, #20
+ sli v8.4s, v9.4s, #12
+
+ add v0.4s, v0.4s, v20.4s
+ add v1.4s, v1.4s, v5.4s
+ add v2.4s, v2.4s, v6.4s
+ add v3.4s, v3.4s, v7.4s
+ add v4.4s, v4.4s, v8.4s
+
+ eor v15.16b, v15.16b, v0.16b
+ eor v16.16b, v16.16b, v1.16b
+ eor v17.16b, v17.16b, v2.16b
+ eor v18.16b, v18.16b, v3.16b
+ eor v19.16b, v19.16b, v4.16b
+
+ tbl v15.16b, {v15.16b}, v26.16b
+ tbl v16.16b, {v16.16b}, v26.16b
+ tbl v17.16b, {v17.16b}, v26.16b
+ tbl v18.16b, {v18.16b}, v26.16b
+ tbl v19.16b, {v19.16b}, v26.16b
+
+ add v10.4s, v10.4s, v15.4s
+ add v11.4s, v11.4s, v16.4s
+ add v12.4s, v12.4s, v17.4s
+ add v13.4s, v13.4s, v18.4s
+ add v14.4s, v14.4s, v19.4s
+
+ eor v20.16b, v20.16b, v10.16b
+ eor v5.16b, v5.16b, v11.16b
+ eor v6.16b, v6.16b, v12.16b
+ eor v7.16b, v7.16b, v13.16b
+ eor v8.16b, v8.16b, v14.16b
+
+ ushr v9.4s, v8.4s, #25
+ sli v9.4s, v8.4s, #7
+ ushr v8.4s, v7.4s, #25
+ sli v8.4s, v7.4s, #7
+ ushr v7.4s, v6.4s, #25
+ sli v7.4s, v6.4s, #7
+ ushr v6.4s, v5.4s, #25
+ sli v6.4s, v5.4s, #7
+ ushr v5.4s, v20.4s, #25
+ sli v5.4s, v20.4s, #7
+
+ ext v9.16b, v9.16b, v9.16b, #4
+ ext v14.16b, v14.16b, v14.16b, #8
+ ext v19.16b, v19.16b, v19.16b, #12
+ ldp x11, x12, [x3], 16
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ add v0.4s, v0.4s, v6.4s
+ add v1.4s, v1.4s, v7.4s
+ add v2.4s, v2.4s, v8.4s
+ add v3.4s, v3.4s, v5.4s
+ add v4.4s, v4.4s, v9.4s
+
+ eor v18.16b, v18.16b, v0.16b
+ eor v15.16b, v15.16b, v1.16b
+ eor v16.16b, v16.16b, v2.16b
+ eor v17.16b, v17.16b, v3.16b
+ eor v19.16b, v19.16b, v4.16b
+
+ rev32 v18.8h, v18.8h
+ rev32 v15.8h, v15.8h
+ rev32 v16.8h, v16.8h
+ rev32 v17.8h, v17.8h
+ rev32 v19.8h, v19.8h
+
+ add v12.4s, v12.4s, v18.4s
+ add v13.4s, v13.4s, v15.4s
+ add v10.4s, v10.4s, v16.4s
+ add v11.4s, v11.4s, v17.4s
+ add v14.4s, v14.4s, v19.4s
+
+ eor v6.16b, v6.16b, v12.16b
+ eor v7.16b, v7.16b, v13.16b
+ eor v8.16b, v8.16b, v10.16b
+ eor v5.16b, v5.16b, v11.16b
+ eor v9.16b, v9.16b, v14.16b
+
+ ushr v20.4s, v6.4s, #20
+ sli v20.4s, v6.4s, #12
+ ushr v6.4s, v7.4s, #20
+ sli v6.4s, v7.4s, #12
+ ushr v7.4s, v8.4s, #20
+ sli v7.4s, v8.4s, #12
+ ushr v8.4s, v5.4s, #20
+ sli v8.4s, v5.4s, #12
+ ushr v5.4s, v9.4s, #20
+ sli v5.4s, v9.4s, #12
+
+ add v0.4s, v0.4s, v20.4s
+ add v1.4s, v1.4s, v6.4s
+ add v2.4s, v2.4s, v7.4s
+ add v3.4s, v3.4s, v8.4s
+ add v4.4s, v4.4s, v5.4s
+
+ eor v18.16b, v18.16b, v0.16b
+ eor v15.16b, v15.16b, v1.16b
+ eor v16.16b, v16.16b, v2.16b
+ eor v17.16b, v17.16b, v3.16b
+ eor v19.16b, v19.16b, v4.16b
+
+ tbl v18.16b, {v18.16b}, v26.16b
+ tbl v15.16b, {v15.16b}, v26.16b
+ tbl v16.16b, {v16.16b}, v26.16b
+ tbl v17.16b, {v17.16b}, v26.16b
+ tbl v19.16b, {v19.16b}, v26.16b
+
+ add v12.4s, v12.4s, v18.4s
+ add v13.4s, v13.4s, v15.4s
+ add v10.4s, v10.4s, v16.4s
+ add v11.4s, v11.4s, v17.4s
+ add v14.4s, v14.4s, v19.4s
+
+ eor v20.16b, v20.16b, v12.16b
+ eor v6.16b, v6.16b, v13.16b
+ eor v7.16b, v7.16b, v10.16b
+ eor v8.16b, v8.16b, v11.16b
+ eor v5.16b, v5.16b, v14.16b
+
+ ushr v9.4s, v5.4s, #25
+ sli v9.4s, v5.4s, #7
+ ushr v5.4s, v8.4s, #25
+ sli v5.4s, v8.4s, #7
+ ushr v8.4s, v7.4s, #25
+ sli v8.4s, v7.4s, #7
+ ushr v7.4s, v6.4s, #25
+ sli v7.4s, v6.4s, #7
+ ushr v6.4s, v20.4s, #25
+ sli v6.4s, v20.4s, #7
+
+ ext v9.16b, v9.16b, v9.16b, #12
+ ext v14.16b, v14.16b, v14.16b, #8
+ ext v19.16b, v19.16b, v19.16b, #4
+ subs x7, x7, #1
+ b.gt .Lopen_main_loop_rounds
+ subs x6, x6, #1
+ b.ge .Lopen_main_loop_rounds_short
+
+ eor v20.16b, v20.16b, v20.16b //zero
+ not v21.16b, v20.16b // -1
+ sub v21.4s, v25.4s, v21.4s // Add +1
+ ext v20.16b, v21.16b, v20.16b, #12 // Get the last element (counter)
+ add v19.4s, v19.4s, v20.4s
+
+ add v15.4s, v15.4s, v25.4s
+ mov x11, #5
+ dup v20.4s, w11
+ add v25.4s, v25.4s, v20.4s
+
+ zip1 v20.4s, v0.4s, v1.4s
+ zip2 v21.4s, v0.4s, v1.4s
+ zip1 v22.4s, v2.4s, v3.4s
+ zip2 v23.4s, v2.4s, v3.4s
+
+ zip1 v0.2d, v20.2d, v22.2d
+ zip2 v1.2d, v20.2d, v22.2d
+ zip1 v2.2d, v21.2d, v23.2d
+ zip2 v3.2d, v21.2d, v23.2d
+
+ zip1 v20.4s, v5.4s, v6.4s
+ zip2 v21.4s, v5.4s, v6.4s
+ zip1 v22.4s, v7.4s, v8.4s
+ zip2 v23.4s, v7.4s, v8.4s
+
+ zip1 v5.2d, v20.2d, v22.2d
+ zip2 v6.2d, v20.2d, v22.2d
+ zip1 v7.2d, v21.2d, v23.2d
+ zip2 v8.2d, v21.2d, v23.2d
+
+ zip1 v20.4s, v10.4s, v11.4s
+ zip2 v21.4s, v10.4s, v11.4s
+ zip1 v22.4s, v12.4s, v13.4s
+ zip2 v23.4s, v12.4s, v13.4s
+
+ zip1 v10.2d, v20.2d, v22.2d
+ zip2 v11.2d, v20.2d, v22.2d
+ zip1 v12.2d, v21.2d, v23.2d
+ zip2 v13.2d, v21.2d, v23.2d
+
+ zip1 v20.4s, v15.4s, v16.4s
+ zip2 v21.4s, v15.4s, v16.4s
+ zip1 v22.4s, v17.4s, v18.4s
+ zip2 v23.4s, v17.4s, v18.4s
+
+ zip1 v15.2d, v20.2d, v22.2d
+ zip2 v16.2d, v20.2d, v22.2d
+ zip1 v17.2d, v21.2d, v23.2d
+ zip2 v18.2d, v21.2d, v23.2d
+
+ add v0.4s, v0.4s, v24.4s
+ add v5.4s, v5.4s, v28.4s
+ add v10.4s, v10.4s, v29.4s
+ add v15.4s, v15.4s, v30.4s
+
+ add v1.4s, v1.4s, v24.4s
+ add v6.4s, v6.4s, v28.4s
+ add v11.4s, v11.4s, v29.4s
+ add v16.4s, v16.4s, v30.4s
+
+ add v2.4s, v2.4s, v24.4s
+ add v7.4s, v7.4s, v28.4s
+ add v12.4s, v12.4s, v29.4s
+ add v17.4s, v17.4s, v30.4s
+
+ add v3.4s, v3.4s, v24.4s
+ add v8.4s, v8.4s, v28.4s
+ add v13.4s, v13.4s, v29.4s
+ add v18.4s, v18.4s, v30.4s
+
+ add v4.4s, v4.4s, v24.4s
+ add v9.4s, v9.4s, v28.4s
+ add v14.4s, v14.4s, v29.4s
+ add v19.4s, v19.4s, v30.4s
+
+ // We can always safely store 192 bytes
+ ld1 {v20.16b - v23.16b}, [x1], #64
+ eor v20.16b, v20.16b, v0.16b
+ eor v21.16b, v21.16b, v5.16b
+ eor v22.16b, v22.16b, v10.16b
+ eor v23.16b, v23.16b, v15.16b
+ st1 {v20.16b - v23.16b}, [x0], #64
+
+ ld1 {v20.16b - v23.16b}, [x1], #64
+ eor v20.16b, v20.16b, v1.16b
+ eor v21.16b, v21.16b, v6.16b
+ eor v22.16b, v22.16b, v11.16b
+ eor v23.16b, v23.16b, v16.16b
+ st1 {v20.16b - v23.16b}, [x0], #64
+
+ ld1 {v20.16b - v23.16b}, [x1], #64
+ eor v20.16b, v20.16b, v2.16b
+ eor v21.16b, v21.16b, v7.16b
+ eor v22.16b, v22.16b, v12.16b
+ eor v23.16b, v23.16b, v17.16b
+ st1 {v20.16b - v23.16b}, [x0], #64
+
+ sub x2, x2, #192
+
+ mov v0.16b, v3.16b
+ mov v5.16b, v8.16b
+ mov v10.16b, v13.16b
+ mov v15.16b, v18.16b
+
+ cmp x2, #64
+ b.lt .Lopen_tail_64_store
+
+ ld1 {v20.16b - v23.16b}, [x1], #64
+ eor v20.16b, v20.16b, v3.16b
+ eor v21.16b, v21.16b, v8.16b
+ eor v22.16b, v22.16b, v13.16b
+ eor v23.16b, v23.16b, v18.16b
+ st1 {v20.16b - v23.16b}, [x0], #64
+
+ sub x2, x2, #64
+
+ mov v0.16b, v4.16b
+ mov v5.16b, v9.16b
+ mov v10.16b, v14.16b
+ mov v15.16b, v19.16b
+
+ cmp x2, #64
+ b.lt .Lopen_tail_64_store
+
+ ld1 {v20.16b - v23.16b}, [x1], #64
+ eor v20.16b, v20.16b, v4.16b
+ eor v21.16b, v21.16b, v9.16b
+ eor v22.16b, v22.16b, v14.16b
+ eor v23.16b, v23.16b, v19.16b
+ st1 {v20.16b - v23.16b}, [x0], #64
+
+ sub x2, x2, #64
+ b .Lopen_main_loop
+
+.Lopen_tail:
+
+ cbz x2, .Lopen_finalize
+
+ lsr x4, x2, #4 // How many whole blocks we have to hash
+
+ cmp x2, #64
+ b.le .Lopen_tail_64
+ cmp x2, #128
+ b.le .Lopen_tail_128
+
+.Lopen_tail_192:
+ // We need three more blocks
+ mov v0.16b, v24.16b
+ mov v1.16b, v24.16b
+ mov v2.16b, v24.16b
+ mov v5.16b, v28.16b
+ mov v6.16b, v28.16b
+ mov v7.16b, v28.16b
+ mov v10.16b, v29.16b
+ mov v11.16b, v29.16b
+ mov v12.16b, v29.16b
+ mov v15.16b, v30.16b
+ mov v16.16b, v30.16b
+ mov v17.16b, v30.16b
+ eor v23.16b, v23.16b, v23.16b
+ eor v21.16b, v21.16b, v21.16b
+ ins v23.s[0], v25.s[0]
+ ins v21.d[0], x15
+
+ add v22.4s, v23.4s, v21.4s
+ add v21.4s, v22.4s, v21.4s
+
+ add v15.4s, v15.4s, v21.4s
+ add v16.4s, v16.4s, v23.4s
+ add v17.4s, v17.4s, v22.4s
+
+ mov x7, #10
+ subs x6, x7, x4 // itr1 can be negative if we have more than 160 bytes to hash
+ csel x7, x7, x4, le // if itr1 is zero or less, itr2 should be 10 to indicate all 10 rounds are hashing
+ sub x4, x4, x7
+
+ cbz x7, .Lopen_tail_192_rounds_no_hash
+
+.Lopen_tail_192_rounds:
+ ldp x11, x12, [x3], 16
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+.Lopen_tail_192_rounds_no_hash:
+ add v0.4s, v0.4s, v5.4s
+ add v1.4s, v1.4s, v6.4s
+ add v2.4s, v2.4s, v7.4s
+ eor v15.16b, v15.16b, v0.16b
+ eor v16.16b, v16.16b, v1.16b
+ eor v17.16b, v17.16b, v2.16b
+ rev32 v15.8h, v15.8h
+ rev32 v16.8h, v16.8h
+ rev32 v17.8h, v17.8h
+
+ add v10.4s, v10.4s, v15.4s
+ add v11.4s, v11.4s, v16.4s
+ add v12.4s, v12.4s, v17.4s
+ eor v5.16b, v5.16b, v10.16b
+ eor v6.16b, v6.16b, v11.16b
+ eor v7.16b, v7.16b, v12.16b
+ ushr v20.4s, v5.4s, #20
+ sli v20.4s, v5.4s, #12
+ ushr v5.4s, v6.4s, #20
+ sli v5.4s, v6.4s, #12
+ ushr v6.4s, v7.4s, #20
+ sli v6.4s, v7.4s, #12
+
+ add v0.4s, v0.4s, v20.4s
+ add v1.4s, v1.4s, v5.4s
+ add v2.4s, v2.4s, v6.4s
+ eor v15.16b, v15.16b, v0.16b
+ eor v16.16b, v16.16b, v1.16b
+ eor v17.16b, v17.16b, v2.16b
+ tbl v15.16b, {v15.16b}, v26.16b
+ tbl v16.16b, {v16.16b}, v26.16b
+ tbl v17.16b, {v17.16b}, v26.16b
+
+ add v10.4s, v10.4s, v15.4s
+ add v11.4s, v11.4s, v16.4s
+ add v12.4s, v12.4s, v17.4s
+ eor v20.16b, v20.16b, v10.16b
+ eor v5.16b, v5.16b, v11.16b
+ eor v6.16b, v6.16b, v12.16b
+ ushr v7.4s, v6.4s, #25
+ sli v7.4s, v6.4s, #7
+ ushr v6.4s, v5.4s, #25
+ sli v6.4s, v5.4s, #7
+ ushr v5.4s, v20.4s, #25
+ sli v5.4s, v20.4s, #7
+
+ ext v5.16b, v5.16b, v5.16b, #4
+ ext v6.16b, v6.16b, v6.16b, #4
+ ext v7.16b, v7.16b, v7.16b, #4
+
+ ext v10.16b, v10.16b, v10.16b, #8
+ ext v11.16b, v11.16b, v11.16b, #8
+ ext v12.16b, v12.16b, v12.16b, #8
+
+ ext v15.16b, v15.16b, v15.16b, #12
+ ext v16.16b, v16.16b, v16.16b, #12
+ ext v17.16b, v17.16b, v17.16b, #12
+ add v0.4s, v0.4s, v5.4s
+ add v1.4s, v1.4s, v6.4s
+ add v2.4s, v2.4s, v7.4s
+ eor v15.16b, v15.16b, v0.16b
+ eor v16.16b, v16.16b, v1.16b
+ eor v17.16b, v17.16b, v2.16b
+ rev32 v15.8h, v15.8h
+ rev32 v16.8h, v16.8h
+ rev32 v17.8h, v17.8h
+
+ add v10.4s, v10.4s, v15.4s
+ add v11.4s, v11.4s, v16.4s
+ add v12.4s, v12.4s, v17.4s
+ eor v5.16b, v5.16b, v10.16b
+ eor v6.16b, v6.16b, v11.16b
+ eor v7.16b, v7.16b, v12.16b
+ ushr v20.4s, v5.4s, #20
+ sli v20.4s, v5.4s, #12
+ ushr v5.4s, v6.4s, #20
+ sli v5.4s, v6.4s, #12
+ ushr v6.4s, v7.4s, #20
+ sli v6.4s, v7.4s, #12
+
+ add v0.4s, v0.4s, v20.4s
+ add v1.4s, v1.4s, v5.4s
+ add v2.4s, v2.4s, v6.4s
+ eor v15.16b, v15.16b, v0.16b
+ eor v16.16b, v16.16b, v1.16b
+ eor v17.16b, v17.16b, v2.16b
+ tbl v15.16b, {v15.16b}, v26.16b
+ tbl v16.16b, {v16.16b}, v26.16b
+ tbl v17.16b, {v17.16b}, v26.16b
+
+ add v10.4s, v10.4s, v15.4s
+ add v11.4s, v11.4s, v16.4s
+ add v12.4s, v12.4s, v17.4s
+ eor v20.16b, v20.16b, v10.16b
+ eor v5.16b, v5.16b, v11.16b
+ eor v6.16b, v6.16b, v12.16b
+ ushr v7.4s, v6.4s, #25
+ sli v7.4s, v6.4s, #7
+ ushr v6.4s, v5.4s, #25
+ sli v6.4s, v5.4s, #7
+ ushr v5.4s, v20.4s, #25
+ sli v5.4s, v20.4s, #7
+
+ ext v5.16b, v5.16b, v5.16b, #12
+ ext v6.16b, v6.16b, v6.16b, #12
+ ext v7.16b, v7.16b, v7.16b, #12
+
+ ext v10.16b, v10.16b, v10.16b, #8
+ ext v11.16b, v11.16b, v11.16b, #8
+ ext v12.16b, v12.16b, v12.16b, #8
+
+ ext v15.16b, v15.16b, v15.16b, #4
+ ext v16.16b, v16.16b, v16.16b, #4
+ ext v17.16b, v17.16b, v17.16b, #4
+ subs x7, x7, #1
+ b.gt .Lopen_tail_192_rounds
+ subs x6, x6, #1
+ b.ge .Lopen_tail_192_rounds_no_hash
+
+ // We hashed 160 bytes at most, may still have 32 bytes left
+.Lopen_tail_192_hash:
+ cbz x4, .Lopen_tail_192_hash_done
+ ldp x11, x12, [x3], 16
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ sub x4, x4, #1
+ b .Lopen_tail_192_hash
+
+.Lopen_tail_192_hash_done:
+
+ add v0.4s, v0.4s, v24.4s
+ add v1.4s, v1.4s, v24.4s
+ add v2.4s, v2.4s, v24.4s
+ add v5.4s, v5.4s, v28.4s
+ add v6.4s, v6.4s, v28.4s
+ add v7.4s, v7.4s, v28.4s
+ add v10.4s, v10.4s, v29.4s
+ add v11.4s, v11.4s, v29.4s
+ add v12.4s, v12.4s, v29.4s
+ add v15.4s, v15.4s, v30.4s
+ add v16.4s, v16.4s, v30.4s
+ add v17.4s, v17.4s, v30.4s
+
+ add v15.4s, v15.4s, v21.4s
+ add v16.4s, v16.4s, v23.4s
+ add v17.4s, v17.4s, v22.4s
+
+ ld1 {v20.16b - v23.16b}, [x1], #64
+
+ eor v20.16b, v20.16b, v1.16b
+ eor v21.16b, v21.16b, v6.16b
+ eor v22.16b, v22.16b, v11.16b
+ eor v23.16b, v23.16b, v16.16b
+
+ st1 {v20.16b - v23.16b}, [x0], #64
+
+ ld1 {v20.16b - v23.16b}, [x1], #64
+
+ eor v20.16b, v20.16b, v2.16b
+ eor v21.16b, v21.16b, v7.16b
+ eor v22.16b, v22.16b, v12.16b
+ eor v23.16b, v23.16b, v17.16b
+
+ st1 {v20.16b - v23.16b}, [x0], #64
+
+ sub x2, x2, #128
+ b .Lopen_tail_64_store
+
+.Lopen_tail_128:
+ // We need two more blocks
+ mov v0.16b, v24.16b
+ mov v1.16b, v24.16b
+ mov v5.16b, v28.16b
+ mov v6.16b, v28.16b
+ mov v10.16b, v29.16b
+ mov v11.16b, v29.16b
+ mov v15.16b, v30.16b
+ mov v16.16b, v30.16b
+ eor v23.16b, v23.16b, v23.16b
+ eor v22.16b, v22.16b, v22.16b
+ ins v23.s[0], v25.s[0]
+ ins v22.d[0], x15
+ add v22.4s, v22.4s, v23.4s
+
+ add v15.4s, v15.4s, v22.4s
+ add v16.4s, v16.4s, v23.4s
+
+ mov x6, #10
+ sub x6, x6, x4
+
+.Lopen_tail_128_rounds:
+ add v0.4s, v0.4s, v5.4s
+ eor v15.16b, v15.16b, v0.16b
+ rev32 v15.8h, v15.8h
+
+ add v10.4s, v10.4s, v15.4s
+ eor v5.16b, v5.16b, v10.16b
+ ushr v20.4s, v5.4s, #20
+ sli v20.4s, v5.4s, #12
+ add v0.4s, v0.4s, v20.4s
+ eor v15.16b, v15.16b, v0.16b
+ tbl v15.16b, {v15.16b}, v26.16b
+
+ add v10.4s, v10.4s, v15.4s
+ eor v20.16b, v20.16b, v10.16b
+ ushr v5.4s, v20.4s, #25
+ sli v5.4s, v20.4s, #7
+ ext v5.16b, v5.16b, v5.16b, #4
+ ext v10.16b, v10.16b, v10.16b, #8
+ ext v15.16b, v15.16b, v15.16b, #12
+ add v1.4s, v1.4s, v6.4s
+ eor v16.16b, v16.16b, v1.16b
+ rev32 v16.8h, v16.8h
+
+ add v11.4s, v11.4s, v16.4s
+ eor v6.16b, v6.16b, v11.16b
+ ushr v20.4s, v6.4s, #20
+ sli v20.4s, v6.4s, #12
+ add v1.4s, v1.4s, v20.4s
+ eor v16.16b, v16.16b, v1.16b
+ tbl v16.16b, {v16.16b}, v26.16b
+
+ add v11.4s, v11.4s, v16.4s
+ eor v20.16b, v20.16b, v11.16b
+ ushr v6.4s, v20.4s, #25
+ sli v6.4s, v20.4s, #7
+ ext v6.16b, v6.16b, v6.16b, #4
+ ext v11.16b, v11.16b, v11.16b, #8
+ ext v16.16b, v16.16b, v16.16b, #12
+ add v0.4s, v0.4s, v5.4s
+ eor v15.16b, v15.16b, v0.16b
+ rev32 v15.8h, v15.8h
+
+ add v10.4s, v10.4s, v15.4s
+ eor v5.16b, v5.16b, v10.16b
+ ushr v20.4s, v5.4s, #20
+ sli v20.4s, v5.4s, #12
+ add v0.4s, v0.4s, v20.4s
+ eor v15.16b, v15.16b, v0.16b
+ tbl v15.16b, {v15.16b}, v26.16b
+
+ add v10.4s, v10.4s, v15.4s
+ eor v20.16b, v20.16b, v10.16b
+ ushr v5.4s, v20.4s, #25
+ sli v5.4s, v20.4s, #7
+ ext v5.16b, v5.16b, v5.16b, #12
+ ext v10.16b, v10.16b, v10.16b, #8
+ ext v15.16b, v15.16b, v15.16b, #4
+ add v1.4s, v1.4s, v6.4s
+ eor v16.16b, v16.16b, v1.16b
+ rev32 v16.8h, v16.8h
+
+ add v11.4s, v11.4s, v16.4s
+ eor v6.16b, v6.16b, v11.16b
+ ushr v20.4s, v6.4s, #20
+ sli v20.4s, v6.4s, #12
+ add v1.4s, v1.4s, v20.4s
+ eor v16.16b, v16.16b, v1.16b
+ tbl v16.16b, {v16.16b}, v26.16b
+
+ add v11.4s, v11.4s, v16.4s
+ eor v20.16b, v20.16b, v11.16b
+ ushr v6.4s, v20.4s, #25
+ sli v6.4s, v20.4s, #7
+ ext v6.16b, v6.16b, v6.16b, #12
+ ext v11.16b, v11.16b, v11.16b, #8
+ ext v16.16b, v16.16b, v16.16b, #4
+ subs x6, x6, #1
+ b.gt .Lopen_tail_128_rounds
+ cbz x4, .Lopen_tail_128_rounds_done
+ subs x4, x4, #1
+ ldp x11, x12, [x3], 16
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ b .Lopen_tail_128_rounds
+
+.Lopen_tail_128_rounds_done:
+ add v0.4s, v0.4s, v24.4s
+ add v1.4s, v1.4s, v24.4s
+ add v5.4s, v5.4s, v28.4s
+ add v6.4s, v6.4s, v28.4s
+ add v10.4s, v10.4s, v29.4s
+ add v11.4s, v11.4s, v29.4s
+ add v15.4s, v15.4s, v30.4s
+ add v16.4s, v16.4s, v30.4s
+ add v15.4s, v15.4s, v22.4s
+ add v16.4s, v16.4s, v23.4s
+
+ ld1 {v20.16b - v23.16b}, [x1], #64
+
+ eor v20.16b, v20.16b, v1.16b
+ eor v21.16b, v21.16b, v6.16b
+ eor v22.16b, v22.16b, v11.16b
+ eor v23.16b, v23.16b, v16.16b
+
+ st1 {v20.16b - v23.16b}, [x0], #64
+ sub x2, x2, #64
+
+ b .Lopen_tail_64_store
+
+.Lopen_tail_64:
+ // We just need a single block
+ mov v0.16b, v24.16b
+ mov v5.16b, v28.16b
+ mov v10.16b, v29.16b
+ mov v15.16b, v30.16b
+ eor v23.16b, v23.16b, v23.16b
+ ins v23.s[0], v25.s[0]
+ add v15.4s, v15.4s, v23.4s
+
+ mov x6, #10
+ sub x6, x6, x4
+
+.Lopen_tail_64_rounds:
+ add v0.4s, v0.4s, v5.4s
+ eor v15.16b, v15.16b, v0.16b
+ rev32 v15.8h, v15.8h
+
+ add v10.4s, v10.4s, v15.4s
+ eor v5.16b, v5.16b, v10.16b
+ ushr v20.4s, v5.4s, #20
+ sli v20.4s, v5.4s, #12
+ add v0.4s, v0.4s, v20.4s
+ eor v15.16b, v15.16b, v0.16b
+ tbl v15.16b, {v15.16b}, v26.16b
+
+ add v10.4s, v10.4s, v15.4s
+ eor v20.16b, v20.16b, v10.16b
+ ushr v5.4s, v20.4s, #25
+ sli v5.4s, v20.4s, #7
+ ext v5.16b, v5.16b, v5.16b, #4
+ ext v10.16b, v10.16b, v10.16b, #8
+ ext v15.16b, v15.16b, v15.16b, #12
+ add v0.4s, v0.4s, v5.4s
+ eor v15.16b, v15.16b, v0.16b
+ rev32 v15.8h, v15.8h
+
+ add v10.4s, v10.4s, v15.4s
+ eor v5.16b, v5.16b, v10.16b
+ ushr v20.4s, v5.4s, #20
+ sli v20.4s, v5.4s, #12
+ add v0.4s, v0.4s, v20.4s
+ eor v15.16b, v15.16b, v0.16b
+ tbl v15.16b, {v15.16b}, v26.16b
+
+ add v10.4s, v10.4s, v15.4s
+ eor v20.16b, v20.16b, v10.16b
+ ushr v5.4s, v20.4s, #25
+ sli v5.4s, v20.4s, #7
+ ext v5.16b, v5.16b, v5.16b, #12
+ ext v10.16b, v10.16b, v10.16b, #8
+ ext v15.16b, v15.16b, v15.16b, #4
+ subs x6, x6, #1
+ b.gt .Lopen_tail_64_rounds
+ cbz x4, .Lopen_tail_64_rounds_done
+ subs x4, x4, #1
+ ldp x11, x12, [x3], 16
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ b .Lopen_tail_64_rounds
+
+.Lopen_tail_64_rounds_done:
+ add v0.4s, v0.4s, v24.4s
+ add v5.4s, v5.4s, v28.4s
+ add v10.4s, v10.4s, v29.4s
+ add v15.4s, v15.4s, v30.4s
+ add v15.4s, v15.4s, v23.4s
+
+.Lopen_tail_64_store:
+ cmp x2, #16
+ b.lt .Lopen_tail_16
+
+ ld1 {v20.16b}, [x1], #16
+ eor v20.16b, v20.16b, v0.16b
+ st1 {v20.16b}, [x0], #16
+ mov v0.16b, v5.16b
+ mov v5.16b, v10.16b
+ mov v10.16b, v15.16b
+ sub x2, x2, #16
+ b .Lopen_tail_64_store
+
+.Lopen_tail_16:
+ // Here we handle the last [0,16) bytes that require a padded block
+ cbz x2, .Lopen_finalize
+
+ eor v20.16b, v20.16b, v20.16b // Use T0 to load the ciphertext
+ eor v21.16b, v21.16b, v21.16b // Use T1 to generate an AND mask
+ not v22.16b, v20.16b
+
+ add x7, x1, x2
+ mov x6, x2
+
+.Lopen_tail_16_compose:
+ ext v20.16b, v20.16b, v20.16b, #15
+ ldrb w11, [x7, #-1]!
+ mov v20.b[0], w11
+ ext v21.16b, v22.16b, v21.16b, #15
+ subs x2, x2, #1
+ b.gt .Lopen_tail_16_compose
+
+ and v20.16b, v20.16b, v21.16b
+ // Hash in the final padded block
+ mov x11, v20.d[0]
+ mov x12, v20.d[1]
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ eor v20.16b, v20.16b, v0.16b
+
+.Lopen_tail_16_store:
+ umov w11, v20.b[0]
+ strb w11, [x0], #1
+ ext v20.16b, v20.16b, v20.16b, #1
+ subs x6, x6, #1
+ b.gt .Lopen_tail_16_store
+
+.Lopen_finalize:
+ mov x11, v31.d[0]
+ mov x12, v31.d[1]
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ # Final reduction step
+ sub x12, xzr, x15
+ orr x13, xzr, #3
+ subs x11, x8, #-5
+ sbcs x12, x9, x12
+ sbcs x13, x10, x13
+ csel x8, x11, x8, cs
+ csel x9, x12, x9, cs
+ csel x10, x13, x10, cs
+ mov x11, v27.d[0]
+ mov x12, v27.d[1]
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+
+ stp x8, x9, [x5]
+
+ ldp d8, d9, [sp, #16]
+ ldp d10, d11, [sp, #32]
+ ldp d12, d13, [sp, #48]
+ ldp d14, d15, [sp, #64]
+.cfi_restore b15
+.cfi_restore b14
+.cfi_restore b13
+.cfi_restore b12
+.cfi_restore b11
+.cfi_restore b10
+.cfi_restore b9
+.cfi_restore b8
+ ldp x29, x30, [sp], 80
+.cfi_restore w29
+.cfi_restore w30
+.cfi_def_cfa_offset 0
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+
+.Lopen_128:
+ // On some architectures preparing 5 blocks for small buffers is wasteful
+ eor v25.16b, v25.16b, v25.16b
+ mov x11, #1
+ mov v25.s[0], w11
+ mov v0.16b, v24.16b
+ mov v1.16b, v24.16b
+ mov v2.16b, v24.16b
+ mov v5.16b, v28.16b
+ mov v6.16b, v28.16b
+ mov v7.16b, v28.16b
+ mov v10.16b, v29.16b
+ mov v11.16b, v29.16b
+ mov v12.16b, v29.16b
+ mov v17.16b, v30.16b
+ add v15.4s, v17.4s, v25.4s
+ add v16.4s, v15.4s, v25.4s
+
+ mov x6, #10
+
+.Lopen_128_rounds:
+ add v0.4s, v0.4s, v5.4s
+ add v1.4s, v1.4s, v6.4s
+ add v2.4s, v2.4s, v7.4s
+ eor v15.16b, v15.16b, v0.16b
+ eor v16.16b, v16.16b, v1.16b
+ eor v17.16b, v17.16b, v2.16b
+ rev32 v15.8h, v15.8h
+ rev32 v16.8h, v16.8h
+ rev32 v17.8h, v17.8h
+
+ add v10.4s, v10.4s, v15.4s
+ add v11.4s, v11.4s, v16.4s
+ add v12.4s, v12.4s, v17.4s
+ eor v5.16b, v5.16b, v10.16b
+ eor v6.16b, v6.16b, v11.16b
+ eor v7.16b, v7.16b, v12.16b
+ ushr v20.4s, v5.4s, #20
+ sli v20.4s, v5.4s, #12
+ ushr v5.4s, v6.4s, #20
+ sli v5.4s, v6.4s, #12
+ ushr v6.4s, v7.4s, #20
+ sli v6.4s, v7.4s, #12
+
+ add v0.4s, v0.4s, v20.4s
+ add v1.4s, v1.4s, v5.4s
+ add v2.4s, v2.4s, v6.4s
+ eor v15.16b, v15.16b, v0.16b
+ eor v16.16b, v16.16b, v1.16b
+ eor v17.16b, v17.16b, v2.16b
+ tbl v15.16b, {v15.16b}, v26.16b
+ tbl v16.16b, {v16.16b}, v26.16b
+ tbl v17.16b, {v17.16b}, v26.16b
+
+ add v10.4s, v10.4s, v15.4s
+ add v11.4s, v11.4s, v16.4s
+ add v12.4s, v12.4s, v17.4s
+ eor v20.16b, v20.16b, v10.16b
+ eor v5.16b, v5.16b, v11.16b
+ eor v6.16b, v6.16b, v12.16b
+ ushr v7.4s, v6.4s, #25
+ sli v7.4s, v6.4s, #7
+ ushr v6.4s, v5.4s, #25
+ sli v6.4s, v5.4s, #7
+ ushr v5.4s, v20.4s, #25
+ sli v5.4s, v20.4s, #7
+
+ ext v5.16b, v5.16b, v5.16b, #4
+ ext v6.16b, v6.16b, v6.16b, #4
+ ext v7.16b, v7.16b, v7.16b, #4
+
+ ext v10.16b, v10.16b, v10.16b, #8
+ ext v11.16b, v11.16b, v11.16b, #8
+ ext v12.16b, v12.16b, v12.16b, #8
+
+ ext v15.16b, v15.16b, v15.16b, #12
+ ext v16.16b, v16.16b, v16.16b, #12
+ ext v17.16b, v17.16b, v17.16b, #12
+ add v0.4s, v0.4s, v5.4s
+ add v1.4s, v1.4s, v6.4s
+ add v2.4s, v2.4s, v7.4s
+ eor v15.16b, v15.16b, v0.16b
+ eor v16.16b, v16.16b, v1.16b
+ eor v17.16b, v17.16b, v2.16b
+ rev32 v15.8h, v15.8h
+ rev32 v16.8h, v16.8h
+ rev32 v17.8h, v17.8h
+
+ add v10.4s, v10.4s, v15.4s
+ add v11.4s, v11.4s, v16.4s
+ add v12.4s, v12.4s, v17.4s
+ eor v5.16b, v5.16b, v10.16b
+ eor v6.16b, v6.16b, v11.16b
+ eor v7.16b, v7.16b, v12.16b
+ ushr v20.4s, v5.4s, #20
+ sli v20.4s, v5.4s, #12
+ ushr v5.4s, v6.4s, #20
+ sli v5.4s, v6.4s, #12
+ ushr v6.4s, v7.4s, #20
+ sli v6.4s, v7.4s, #12
+
+ add v0.4s, v0.4s, v20.4s
+ add v1.4s, v1.4s, v5.4s
+ add v2.4s, v2.4s, v6.4s
+ eor v15.16b, v15.16b, v0.16b
+ eor v16.16b, v16.16b, v1.16b
+ eor v17.16b, v17.16b, v2.16b
+ tbl v15.16b, {v15.16b}, v26.16b
+ tbl v16.16b, {v16.16b}, v26.16b
+ tbl v17.16b, {v17.16b}, v26.16b
+
+ add v10.4s, v10.4s, v15.4s
+ add v11.4s, v11.4s, v16.4s
+ add v12.4s, v12.4s, v17.4s
+ eor v20.16b, v20.16b, v10.16b
+ eor v5.16b, v5.16b, v11.16b
+ eor v6.16b, v6.16b, v12.16b
+ ushr v7.4s, v6.4s, #25
+ sli v7.4s, v6.4s, #7
+ ushr v6.4s, v5.4s, #25
+ sli v6.4s, v5.4s, #7
+ ushr v5.4s, v20.4s, #25
+ sli v5.4s, v20.4s, #7
+
+ ext v5.16b, v5.16b, v5.16b, #12
+ ext v6.16b, v6.16b, v6.16b, #12
+ ext v7.16b, v7.16b, v7.16b, #12
+
+ ext v10.16b, v10.16b, v10.16b, #8
+ ext v11.16b, v11.16b, v11.16b, #8
+ ext v12.16b, v12.16b, v12.16b, #8
+
+ ext v15.16b, v15.16b, v15.16b, #4
+ ext v16.16b, v16.16b, v16.16b, #4
+ ext v17.16b, v17.16b, v17.16b, #4
+ subs x6, x6, #1
+ b.hi .Lopen_128_rounds
+
+ add v0.4s, v0.4s, v24.4s
+ add v1.4s, v1.4s, v24.4s
+ add v2.4s, v2.4s, v24.4s
+
+ add v5.4s, v5.4s, v28.4s
+ add v6.4s, v6.4s, v28.4s
+ add v7.4s, v7.4s, v28.4s
+
+ add v10.4s, v10.4s, v29.4s
+ add v11.4s, v11.4s, v29.4s
+
+ add v30.4s, v30.4s, v25.4s
+ add v15.4s, v15.4s, v30.4s
+ add v30.4s, v30.4s, v25.4s
+ add v16.4s, v16.4s, v30.4s
+
+ and v2.16b, v2.16b, v27.16b
+ mov x16, v2.d[0] // Move the R key to GPRs
+ mov x17, v2.d[1]
+ mov v27.16b, v7.16b // Store the S key
+
+ bl .Lpoly_hash_ad_internal
+
+.Lopen_128_store:
+ cmp x2, #64
+ b.lt .Lopen_128_store_64
+
+ ld1 {v20.16b - v23.16b}, [x1], #64
+
+ mov x11, v20.d[0]
+ mov x12, v20.d[1]
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ mov x11, v21.d[0]
+ mov x12, v21.d[1]
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ mov x11, v22.d[0]
+ mov x12, v22.d[1]
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ mov x11, v23.d[0]
+ mov x12, v23.d[1]
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+
+ eor v20.16b, v20.16b, v0.16b
+ eor v21.16b, v21.16b, v5.16b
+ eor v22.16b, v22.16b, v10.16b
+ eor v23.16b, v23.16b, v15.16b
+
+ st1 {v20.16b - v23.16b}, [x0], #64
+
+ sub x2, x2, #64
+
+ mov v0.16b, v1.16b
+ mov v5.16b, v6.16b
+ mov v10.16b, v11.16b
+ mov v15.16b, v16.16b
+
+.Lopen_128_store_64:
+
+ lsr x4, x2, #4
+ mov x3, x1
+
+.Lopen_128_hash_64:
+ cbz x4, .Lopen_tail_64_store
+ ldp x11, x12, [x3], 16
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ sub x4, x4, #1
+ b .Lopen_128_hash_64
+.cfi_endproc
+.size chacha20_poly1305_open,.-chacha20_poly1305_open
+#endif
+#endif // !OPENSSL_NO_ASM
+.section .note.GNU-stack,"",%progbits
diff --git a/linux-aarch64/crypto/fipsmodule/p256-armv8-asm.S b/linux-aarch64/crypto/fipsmodule/p256-armv8-asm.S
new file mode 100644
index 0000000..2106b85
--- /dev/null
+++ b/linux-aarch64/crypto/fipsmodule/p256-armv8-asm.S
@@ -0,0 +1,1765 @@
+// This file is generated from a similarly-named Perl script in the BoringSSL
+// source tree. Do not edit by hand.
+
+#if !defined(__has_feature)
+#define __has_feature(x) 0
+#endif
+#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM)
+#define OPENSSL_NO_ASM
+#endif
+
+#if !defined(OPENSSL_NO_ASM)
+#if defined(__aarch64__)
+#if defined(BORINGSSL_PREFIX)
+#include <boringssl_prefix_symbols_asm.h>
+#endif
+#include "openssl/arm_arch.h"
+
+.text
+.align 5
+.Lpoly:
+.quad 0xffffffffffffffff,0x00000000ffffffff,0x0000000000000000,0xffffffff00000001
+.LRR: // 2^512 mod P precomputed for NIST P256 polynomial
+.quad 0x0000000000000003,0xfffffffbffffffff,0xfffffffffffffffe,0x00000004fffffffd
+.Lone_mont:
+.quad 0x0000000000000001,0xffffffff00000000,0xffffffffffffffff,0x00000000fffffffe
+.Lone:
+.quad 1,0,0,0
+.Lord:
+.quad 0xf3b9cac2fc632551,0xbce6faada7179e84,0xffffffffffffffff,0xffffffff00000000
+.LordK:
+.quad 0xccd1c8aaee00bc4f
+.byte 69,67,80,95,78,73,83,84,90,50,53,54,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0
+.align 2
+
+// void ecp_nistz256_to_mont(BN_ULONG x0[4],const BN_ULONG x1[4]);
+.globl ecp_nistz256_to_mont
+.hidden ecp_nistz256_to_mont
+.type ecp_nistz256_to_mont,%function
+.align 6
+ecp_nistz256_to_mont:
+ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-32]!
+ add x29,sp,#0
+ stp x19,x20,[sp,#16]
+
+ ldr x3,.LRR // bp[0]
+ ldp x4,x5,[x1]
+ ldp x6,x7,[x1,#16]
+ ldr x12,.Lpoly+8
+ ldr x13,.Lpoly+24
+ adr x2,.LRR // &bp[0]
+
+ bl __ecp_nistz256_mul_mont
+
+ ldp x19,x20,[sp,#16]
+ ldp x29,x30,[sp],#32
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+.size ecp_nistz256_to_mont,.-ecp_nistz256_to_mont
+
+// void ecp_nistz256_from_mont(BN_ULONG x0[4],const BN_ULONG x1[4]);
+.globl ecp_nistz256_from_mont
+.hidden ecp_nistz256_from_mont
+.type ecp_nistz256_from_mont,%function
+.align 4
+ecp_nistz256_from_mont:
+ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-32]!
+ add x29,sp,#0
+ stp x19,x20,[sp,#16]
+
+ mov x3,#1 // bp[0]
+ ldp x4,x5,[x1]
+ ldp x6,x7,[x1,#16]
+ ldr x12,.Lpoly+8
+ ldr x13,.Lpoly+24
+ adr x2,.Lone // &bp[0]
+
+ bl __ecp_nistz256_mul_mont
+
+ ldp x19,x20,[sp,#16]
+ ldp x29,x30,[sp],#32
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+.size ecp_nistz256_from_mont,.-ecp_nistz256_from_mont
+
+// void ecp_nistz256_mul_mont(BN_ULONG x0[4],const BN_ULONG x1[4],
+// const BN_ULONG x2[4]);
+.globl ecp_nistz256_mul_mont
+.hidden ecp_nistz256_mul_mont
+.type ecp_nistz256_mul_mont,%function
+.align 4
+ecp_nistz256_mul_mont:
+ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-32]!
+ add x29,sp,#0
+ stp x19,x20,[sp,#16]
+
+ ldr x3,[x2] // bp[0]
+ ldp x4,x5,[x1]
+ ldp x6,x7,[x1,#16]
+ ldr x12,.Lpoly+8
+ ldr x13,.Lpoly+24
+
+ bl __ecp_nistz256_mul_mont
+
+ ldp x19,x20,[sp,#16]
+ ldp x29,x30,[sp],#32
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+.size ecp_nistz256_mul_mont,.-ecp_nistz256_mul_mont
+
+// void ecp_nistz256_sqr_mont(BN_ULONG x0[4],const BN_ULONG x1[4]);
+.globl ecp_nistz256_sqr_mont
+.hidden ecp_nistz256_sqr_mont
+.type ecp_nistz256_sqr_mont,%function
+.align 4
+ecp_nistz256_sqr_mont:
+ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-32]!
+ add x29,sp,#0
+ stp x19,x20,[sp,#16]
+
+ ldp x4,x5,[x1]
+ ldp x6,x7,[x1,#16]
+ ldr x12,.Lpoly+8
+ ldr x13,.Lpoly+24
+
+ bl __ecp_nistz256_sqr_mont
+
+ ldp x19,x20,[sp,#16]
+ ldp x29,x30,[sp],#32
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+.size ecp_nistz256_sqr_mont,.-ecp_nistz256_sqr_mont
+
+// void ecp_nistz256_div_by_2(BN_ULONG x0[4],const BN_ULONG x1[4]);
+.globl ecp_nistz256_div_by_2
+.hidden ecp_nistz256_div_by_2
+.type ecp_nistz256_div_by_2,%function
+.align 4
+ecp_nistz256_div_by_2:
+ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-16]!
+ add x29,sp,#0
+
+ ldp x14,x15,[x1]
+ ldp x16,x17,[x1,#16]
+ ldr x12,.Lpoly+8
+ ldr x13,.Lpoly+24
+
+ bl __ecp_nistz256_div_by_2
+
+ ldp x29,x30,[sp],#16
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+.size ecp_nistz256_div_by_2,.-ecp_nistz256_div_by_2
+
+// void ecp_nistz256_mul_by_2(BN_ULONG x0[4],const BN_ULONG x1[4]);
+.globl ecp_nistz256_mul_by_2
+.hidden ecp_nistz256_mul_by_2
+.type ecp_nistz256_mul_by_2,%function
+.align 4
+ecp_nistz256_mul_by_2:
+ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-16]!
+ add x29,sp,#0
+
+ ldp x14,x15,[x1]
+ ldp x16,x17,[x1,#16]
+ ldr x12,.Lpoly+8
+ ldr x13,.Lpoly+24
+ mov x8,x14
+ mov x9,x15
+ mov x10,x16
+ mov x11,x17
+
+ bl __ecp_nistz256_add_to // ret = a+a // 2*a
+
+ ldp x29,x30,[sp],#16
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+.size ecp_nistz256_mul_by_2,.-ecp_nistz256_mul_by_2
+
+// void ecp_nistz256_mul_by_3(BN_ULONG x0[4],const BN_ULONG x1[4]);
+.globl ecp_nistz256_mul_by_3
+.hidden ecp_nistz256_mul_by_3
+.type ecp_nistz256_mul_by_3,%function
+.align 4
+ecp_nistz256_mul_by_3:
+ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-16]!
+ add x29,sp,#0
+
+ ldp x14,x15,[x1]
+ ldp x16,x17,[x1,#16]
+ ldr x12,.Lpoly+8
+ ldr x13,.Lpoly+24
+ mov x8,x14
+ mov x9,x15
+ mov x10,x16
+ mov x11,x17
+ mov x4,x14
+ mov x5,x15
+ mov x6,x16
+ mov x7,x17
+
+ bl __ecp_nistz256_add_to // ret = a+a // 2*a
+
+ mov x8,x4
+ mov x9,x5
+ mov x10,x6
+ mov x11,x7
+
+ bl __ecp_nistz256_add_to // ret += a // 2*a+a=3*a
+
+ ldp x29,x30,[sp],#16
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+.size ecp_nistz256_mul_by_3,.-ecp_nistz256_mul_by_3
+
+// void ecp_nistz256_sub(BN_ULONG x0[4],const BN_ULONG x1[4],
+// const BN_ULONG x2[4]);
+.globl ecp_nistz256_sub
+.hidden ecp_nistz256_sub
+.type ecp_nistz256_sub,%function
+.align 4
+ecp_nistz256_sub:
+ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-16]!
+ add x29,sp,#0
+
+ ldp x14,x15,[x1]
+ ldp x16,x17,[x1,#16]
+ ldr x12,.Lpoly+8
+ ldr x13,.Lpoly+24
+
+ bl __ecp_nistz256_sub_from
+
+ ldp x29,x30,[sp],#16
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+.size ecp_nistz256_sub,.-ecp_nistz256_sub
+
+// void ecp_nistz256_neg(BN_ULONG x0[4],const BN_ULONG x1[4]);
+.globl ecp_nistz256_neg
+.hidden ecp_nistz256_neg
+.type ecp_nistz256_neg,%function
+.align 4
+ecp_nistz256_neg:
+ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-16]!
+ add x29,sp,#0
+
+ mov x2,x1
+ mov x14,xzr // a = 0
+ mov x15,xzr
+ mov x16,xzr
+ mov x17,xzr
+ ldr x12,.Lpoly+8
+ ldr x13,.Lpoly+24
+
+ bl __ecp_nistz256_sub_from
+
+ ldp x29,x30,[sp],#16
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+.size ecp_nistz256_neg,.-ecp_nistz256_neg
+
+// note that __ecp_nistz256_mul_mont expects a[0-3] input pre-loaded
+// to x4-x7 and b[0] - to x3
+.type __ecp_nistz256_mul_mont,%function
+.align 4
+__ecp_nistz256_mul_mont:
+ mul x14,x4,x3 // a[0]*b[0]
+ umulh x8,x4,x3
+
+ mul x15,x5,x3 // a[1]*b[0]
+ umulh x9,x5,x3
+
+ mul x16,x6,x3 // a[2]*b[0]
+ umulh x10,x6,x3
+
+ mul x17,x7,x3 // a[3]*b[0]
+ umulh x11,x7,x3
+ ldr x3,[x2,#8] // b[1]
+
+ adds x15,x15,x8 // accumulate high parts of multiplication
+ lsl x8,x14,#32
+ adcs x16,x16,x9
+ lsr x9,x14,#32
+ adcs x17,x17,x10
+ adc x19,xzr,x11
+ mov x20,xzr
+ subs x10,x14,x8 // "*0xffff0001"
+ sbc x11,x14,x9
+ adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0]
+ mul x8,x4,x3 // lo(a[0]*b[i])
+ adcs x15,x16,x9
+ mul x9,x5,x3 // lo(a[1]*b[i])
+ adcs x16,x17,x10 // +=acc[0]*0xffff0001
+ mul x10,x6,x3 // lo(a[2]*b[i])
+ adcs x17,x19,x11
+ mul x11,x7,x3 // lo(a[3]*b[i])
+ adc x19,x20,xzr
+
+ adds x14,x14,x8 // accumulate low parts of multiplication
+ umulh x8,x4,x3 // hi(a[0]*b[i])
+ adcs x15,x15,x9
+ umulh x9,x5,x3 // hi(a[1]*b[i])
+ adcs x16,x16,x10
+ umulh x10,x6,x3 // hi(a[2]*b[i])
+ adcs x17,x17,x11
+ umulh x11,x7,x3 // hi(a[3]*b[i])
+ adc x19,x19,xzr
+ ldr x3,[x2,#8*(1+1)] // b[1+1]
+ adds x15,x15,x8 // accumulate high parts of multiplication
+ lsl x8,x14,#32
+ adcs x16,x16,x9
+ lsr x9,x14,#32
+ adcs x17,x17,x10
+ adcs x19,x19,x11
+ adc x20,xzr,xzr
+ subs x10,x14,x8 // "*0xffff0001"
+ sbc x11,x14,x9
+ adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0]
+ mul x8,x4,x3 // lo(a[0]*b[i])
+ adcs x15,x16,x9
+ mul x9,x5,x3 // lo(a[1]*b[i])
+ adcs x16,x17,x10 // +=acc[0]*0xffff0001
+ mul x10,x6,x3 // lo(a[2]*b[i])
+ adcs x17,x19,x11
+ mul x11,x7,x3 // lo(a[3]*b[i])
+ adc x19,x20,xzr
+
+ adds x14,x14,x8 // accumulate low parts of multiplication
+ umulh x8,x4,x3 // hi(a[0]*b[i])
+ adcs x15,x15,x9
+ umulh x9,x5,x3 // hi(a[1]*b[i])
+ adcs x16,x16,x10
+ umulh x10,x6,x3 // hi(a[2]*b[i])
+ adcs x17,x17,x11
+ umulh x11,x7,x3 // hi(a[3]*b[i])
+ adc x19,x19,xzr
+ ldr x3,[x2,#8*(2+1)] // b[2+1]
+ adds x15,x15,x8 // accumulate high parts of multiplication
+ lsl x8,x14,#32
+ adcs x16,x16,x9
+ lsr x9,x14,#32
+ adcs x17,x17,x10
+ adcs x19,x19,x11
+ adc x20,xzr,xzr
+ subs x10,x14,x8 // "*0xffff0001"
+ sbc x11,x14,x9
+ adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0]
+ mul x8,x4,x3 // lo(a[0]*b[i])
+ adcs x15,x16,x9
+ mul x9,x5,x3 // lo(a[1]*b[i])
+ adcs x16,x17,x10 // +=acc[0]*0xffff0001
+ mul x10,x6,x3 // lo(a[2]*b[i])
+ adcs x17,x19,x11
+ mul x11,x7,x3 // lo(a[3]*b[i])
+ adc x19,x20,xzr
+
+ adds x14,x14,x8 // accumulate low parts of multiplication
+ umulh x8,x4,x3 // hi(a[0]*b[i])
+ adcs x15,x15,x9
+ umulh x9,x5,x3 // hi(a[1]*b[i])
+ adcs x16,x16,x10
+ umulh x10,x6,x3 // hi(a[2]*b[i])
+ adcs x17,x17,x11
+ umulh x11,x7,x3 // hi(a[3]*b[i])
+ adc x19,x19,xzr
+ adds x15,x15,x8 // accumulate high parts of multiplication
+ lsl x8,x14,#32
+ adcs x16,x16,x9
+ lsr x9,x14,#32
+ adcs x17,x17,x10
+ adcs x19,x19,x11
+ adc x20,xzr,xzr
+ // last reduction
+ subs x10,x14,x8 // "*0xffff0001"
+ sbc x11,x14,x9
+ adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0]
+ adcs x15,x16,x9
+ adcs x16,x17,x10 // +=acc[0]*0xffff0001
+ adcs x17,x19,x11
+ adc x19,x20,xzr
+
+ adds x8,x14,#1 // subs x8,x14,#-1 // tmp = ret-modulus
+ sbcs x9,x15,x12
+ sbcs x10,x16,xzr
+ sbcs x11,x17,x13
+ sbcs xzr,x19,xzr // did it borrow?
+
+ csel x14,x14,x8,lo // ret = borrow ? ret : ret-modulus
+ csel x15,x15,x9,lo
+ csel x16,x16,x10,lo
+ stp x14,x15,[x0]
+ csel x17,x17,x11,lo
+ stp x16,x17,[x0,#16]
+
+ ret
+.size __ecp_nistz256_mul_mont,.-__ecp_nistz256_mul_mont
+
+// note that __ecp_nistz256_sqr_mont expects a[0-3] input pre-loaded
+// to x4-x7
+.type __ecp_nistz256_sqr_mont,%function
+.align 4
+__ecp_nistz256_sqr_mont:
+ // | | | | | |a1*a0| |
+ // | | | | |a2*a0| | |
+ // | |a3*a2|a3*a0| | | |
+ // | | | |a2*a1| | | |
+ // | | |a3*a1| | | | |
+ // *| | | | | | | | 2|
+ // +|a3*a3|a2*a2|a1*a1|a0*a0|
+ // |--+--+--+--+--+--+--+--|
+ // |A7|A6|A5|A4|A3|A2|A1|A0|, where Ax is , i.e. follow
+ //
+ // "can't overflow" below mark carrying into high part of
+ // multiplication result, which can't overflow, because it
+ // can never be all ones.
+
+ mul x15,x5,x4 // a[1]*a[0]
+ umulh x9,x5,x4
+ mul x16,x6,x4 // a[2]*a[0]
+ umulh x10,x6,x4
+ mul x17,x7,x4 // a[3]*a[0]
+ umulh x19,x7,x4
+
+ adds x16,x16,x9 // accumulate high parts of multiplication
+ mul x8,x6,x5 // a[2]*a[1]
+ umulh x9,x6,x5
+ adcs x17,x17,x10
+ mul x10,x7,x5 // a[3]*a[1]
+ umulh x11,x7,x5
+ adc x19,x19,xzr // can't overflow
+
+ mul x20,x7,x6 // a[3]*a[2]
+ umulh x1,x7,x6
+
+ adds x9,x9,x10 // accumulate high parts of multiplication
+ mul x14,x4,x4 // a[0]*a[0]
+ adc x10,x11,xzr // can't overflow
+
+ adds x17,x17,x8 // accumulate low parts of multiplication
+ umulh x4,x4,x4
+ adcs x19,x19,x9
+ mul x9,x5,x5 // a[1]*a[1]
+ adcs x20,x20,x10
+ umulh x5,x5,x5
+ adc x1,x1,xzr // can't overflow
+
+ adds x15,x15,x15 // acc[1-6]*=2
+ mul x10,x6,x6 // a[2]*a[2]
+ adcs x16,x16,x16
+ umulh x6,x6,x6
+ adcs x17,x17,x17
+ mul x11,x7,x7 // a[3]*a[3]
+ adcs x19,x19,x19
+ umulh x7,x7,x7
+ adcs x20,x20,x20
+ adcs x1,x1,x1
+ adc x2,xzr,xzr
+
+ adds x15,x15,x4 // +a[i]*a[i]
+ adcs x16,x16,x9
+ adcs x17,x17,x5
+ adcs x19,x19,x10
+ adcs x20,x20,x6
+ lsl x8,x14,#32
+ adcs x1,x1,x11
+ lsr x9,x14,#32
+ adc x2,x2,x7
+ subs x10,x14,x8 // "*0xffff0001"
+ sbc x11,x14,x9
+ adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0]
+ adcs x15,x16,x9
+ lsl x8,x14,#32
+ adcs x16,x17,x10 // +=acc[0]*0xffff0001
+ lsr x9,x14,#32
+ adc x17,x11,xzr // can't overflow
+ subs x10,x14,x8 // "*0xffff0001"
+ sbc x11,x14,x9
+ adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0]
+ adcs x15,x16,x9
+ lsl x8,x14,#32
+ adcs x16,x17,x10 // +=acc[0]*0xffff0001
+ lsr x9,x14,#32
+ adc x17,x11,xzr // can't overflow
+ subs x10,x14,x8 // "*0xffff0001"
+ sbc x11,x14,x9
+ adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0]
+ adcs x15,x16,x9
+ lsl x8,x14,#32
+ adcs x16,x17,x10 // +=acc[0]*0xffff0001
+ lsr x9,x14,#32
+ adc x17,x11,xzr // can't overflow
+ subs x10,x14,x8 // "*0xffff0001"
+ sbc x11,x14,x9
+ adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0]
+ adcs x15,x16,x9
+ adcs x16,x17,x10 // +=acc[0]*0xffff0001
+ adc x17,x11,xzr // can't overflow
+
+ adds x14,x14,x19 // accumulate upper half
+ adcs x15,x15,x20
+ adcs x16,x16,x1
+ adcs x17,x17,x2
+ adc x19,xzr,xzr
+
+ adds x8,x14,#1 // subs x8,x14,#-1 // tmp = ret-modulus
+ sbcs x9,x15,x12
+ sbcs x10,x16,xzr
+ sbcs x11,x17,x13
+ sbcs xzr,x19,xzr // did it borrow?
+
+ csel x14,x14,x8,lo // ret = borrow ? ret : ret-modulus
+ csel x15,x15,x9,lo
+ csel x16,x16,x10,lo
+ stp x14,x15,[x0]
+ csel x17,x17,x11,lo
+ stp x16,x17,[x0,#16]
+
+ ret
+.size __ecp_nistz256_sqr_mont,.-__ecp_nistz256_sqr_mont
+
+// Note that __ecp_nistz256_add_to expects both input vectors pre-loaded to
+// x4-x7 and x8-x11. This is done because it's used in multiple
+// contexts, e.g. in multiplication by 2 and 3...
+.type __ecp_nistz256_add_to,%function
+.align 4
+__ecp_nistz256_add_to:
+ adds x14,x14,x8 // ret = a+b
+ adcs x15,x15,x9
+ adcs x16,x16,x10
+ adcs x17,x17,x11
+ adc x1,xzr,xzr // zap x1
+
+ adds x8,x14,#1 // subs x8,x4,#-1 // tmp = ret-modulus
+ sbcs x9,x15,x12
+ sbcs x10,x16,xzr
+ sbcs x11,x17,x13
+ sbcs xzr,x1,xzr // did subtraction borrow?
+
+ csel x14,x14,x8,lo // ret = borrow ? ret : ret-modulus
+ csel x15,x15,x9,lo
+ csel x16,x16,x10,lo
+ stp x14,x15,[x0]
+ csel x17,x17,x11,lo
+ stp x16,x17,[x0,#16]
+
+ ret
+.size __ecp_nistz256_add_to,.-__ecp_nistz256_add_to
+
+.type __ecp_nistz256_sub_from,%function
+.align 4
+__ecp_nistz256_sub_from:
+ ldp x8,x9,[x2]
+ ldp x10,x11,[x2,#16]
+ subs x14,x14,x8 // ret = a-b
+ sbcs x15,x15,x9
+ sbcs x16,x16,x10
+ sbcs x17,x17,x11
+ sbc x1,xzr,xzr // zap x1
+
+ subs x8,x14,#1 // adds x8,x4,#-1 // tmp = ret+modulus
+ adcs x9,x15,x12
+ adcs x10,x16,xzr
+ adc x11,x17,x13
+ cmp x1,xzr // did subtraction borrow?
+
+ csel x14,x14,x8,eq // ret = borrow ? ret+modulus : ret
+ csel x15,x15,x9,eq
+ csel x16,x16,x10,eq
+ stp x14,x15,[x0]
+ csel x17,x17,x11,eq
+ stp x16,x17,[x0,#16]
+
+ ret
+.size __ecp_nistz256_sub_from,.-__ecp_nistz256_sub_from
+
+.type __ecp_nistz256_sub_morf,%function
+.align 4
+__ecp_nistz256_sub_morf:
+ ldp x8,x9,[x2]
+ ldp x10,x11,[x2,#16]
+ subs x14,x8,x14 // ret = b-a
+ sbcs x15,x9,x15
+ sbcs x16,x10,x16
+ sbcs x17,x11,x17
+ sbc x1,xzr,xzr // zap x1
+
+ subs x8,x14,#1 // adds x8,x4,#-1 // tmp = ret+modulus
+ adcs x9,x15,x12
+ adcs x10,x16,xzr
+ adc x11,x17,x13
+ cmp x1,xzr // did subtraction borrow?
+
+ csel x14,x14,x8,eq // ret = borrow ? ret+modulus : ret
+ csel x15,x15,x9,eq
+ csel x16,x16,x10,eq
+ stp x14,x15,[x0]
+ csel x17,x17,x11,eq
+ stp x16,x17,[x0,#16]
+
+ ret
+.size __ecp_nistz256_sub_morf,.-__ecp_nistz256_sub_morf
+
+.type __ecp_nistz256_div_by_2,%function
+.align 4
+__ecp_nistz256_div_by_2:
+ subs x8,x14,#1 // adds x8,x4,#-1 // tmp = a+modulus
+ adcs x9,x15,x12
+ adcs x10,x16,xzr
+ adcs x11,x17,x13
+ adc x1,xzr,xzr // zap x1
+ tst x14,#1 // is a even?
+
+ csel x14,x14,x8,eq // ret = even ? a : a+modulus
+ csel x15,x15,x9,eq
+ csel x16,x16,x10,eq
+ csel x17,x17,x11,eq
+ csel x1,xzr,x1,eq
+
+ lsr x14,x14,#1 // ret >>= 1
+ orr x14,x14,x15,lsl#63
+ lsr x15,x15,#1
+ orr x15,x15,x16,lsl#63
+ lsr x16,x16,#1
+ orr x16,x16,x17,lsl#63
+ lsr x17,x17,#1
+ stp x14,x15,[x0]
+ orr x17,x17,x1,lsl#63
+ stp x16,x17,[x0,#16]
+
+ ret
+.size __ecp_nistz256_div_by_2,.-__ecp_nistz256_div_by_2
+.globl ecp_nistz256_point_double
+.hidden ecp_nistz256_point_double
+.type ecp_nistz256_point_double,%function
+.align 5
+ecp_nistz256_point_double:
+ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-96]!
+ add x29,sp,#0
+ stp x19,x20,[sp,#16]
+ stp x21,x22,[sp,#32]
+ sub sp,sp,#32*4
+
+.Ldouble_shortcut:
+ ldp x14,x15,[x1,#32]
+ mov x21,x0
+ ldp x16,x17,[x1,#48]
+ mov x22,x1
+ ldr x12,.Lpoly+8
+ mov x8,x14
+ ldr x13,.Lpoly+24
+ mov x9,x15
+ ldp x4,x5,[x22,#64] // forward load for p256_sqr_mont
+ mov x10,x16
+ mov x11,x17
+ ldp x6,x7,[x22,#64+16]
+ add x0,sp,#0
+ bl __ecp_nistz256_add_to // p256_mul_by_2(S, in_y);
+
+ add x0,sp,#64
+ bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Zsqr, in_z);
+
+ ldp x8,x9,[x22]
+ ldp x10,x11,[x22,#16]
+ mov x4,x14 // put Zsqr aside for p256_sub
+ mov x5,x15
+ mov x6,x16
+ mov x7,x17
+ add x0,sp,#32
+ bl __ecp_nistz256_add_to // p256_add(M, Zsqr, in_x);
+
+ add x2,x22,#0
+ mov x14,x4 // restore Zsqr
+ mov x15,x5
+ ldp x4,x5,[sp,#0] // forward load for p256_sqr_mont
+ mov x16,x6
+ mov x17,x7
+ ldp x6,x7,[sp,#0+16]
+ add x0,sp,#64
+ bl __ecp_nistz256_sub_morf // p256_sub(Zsqr, in_x, Zsqr);
+
+ add x0,sp,#0
+ bl __ecp_nistz256_sqr_mont // p256_sqr_mont(S, S);
+
+ ldr x3,[x22,#32]
+ ldp x4,x5,[x22,#64]
+ ldp x6,x7,[x22,#64+16]
+ add x2,x22,#32
+ add x0,sp,#96
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(tmp0, in_z, in_y);
+
+ mov x8,x14
+ mov x9,x15
+ ldp x4,x5,[sp,#0] // forward load for p256_sqr_mont
+ mov x10,x16
+ mov x11,x17
+ ldp x6,x7,[sp,#0+16]
+ add x0,x21,#64
+ bl __ecp_nistz256_add_to // p256_mul_by_2(res_z, tmp0);
+
+ add x0,sp,#96
+ bl __ecp_nistz256_sqr_mont // p256_sqr_mont(tmp0, S);
+
+ ldr x3,[sp,#64] // forward load for p256_mul_mont
+ ldp x4,x5,[sp,#32]
+ ldp x6,x7,[sp,#32+16]
+ add x0,x21,#32
+ bl __ecp_nistz256_div_by_2 // p256_div_by_2(res_y, tmp0);
+
+ add x2,sp,#64
+ add x0,sp,#32
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(M, M, Zsqr);
+
+ mov x8,x14 // duplicate M
+ mov x9,x15
+ mov x10,x16
+ mov x11,x17
+ mov x4,x14 // put M aside
+ mov x5,x15
+ mov x6,x16
+ mov x7,x17
+ add x0,sp,#32
+ bl __ecp_nistz256_add_to
+ mov x8,x4 // restore M
+ mov x9,x5
+ ldr x3,[x22] // forward load for p256_mul_mont
+ mov x10,x6
+ ldp x4,x5,[sp,#0]
+ mov x11,x7
+ ldp x6,x7,[sp,#0+16]
+ bl __ecp_nistz256_add_to // p256_mul_by_3(M, M);
+
+ add x2,x22,#0
+ add x0,sp,#0
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(S, S, in_x);
+
+ mov x8,x14
+ mov x9,x15
+ ldp x4,x5,[sp,#32] // forward load for p256_sqr_mont
+ mov x10,x16
+ mov x11,x17
+ ldp x6,x7,[sp,#32+16]
+ add x0,sp,#96
+ bl __ecp_nistz256_add_to // p256_mul_by_2(tmp0, S);
+
+ add x0,x21,#0
+ bl __ecp_nistz256_sqr_mont // p256_sqr_mont(res_x, M);
+
+ add x2,sp,#96
+ bl __ecp_nistz256_sub_from // p256_sub(res_x, res_x, tmp0);
+
+ add x2,sp,#0
+ add x0,sp,#0
+ bl __ecp_nistz256_sub_morf // p256_sub(S, S, res_x);
+
+ ldr x3,[sp,#32]
+ mov x4,x14 // copy S
+ mov x5,x15
+ mov x6,x16
+ mov x7,x17
+ add x2,sp,#32
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(S, S, M);
+
+ add x2,x21,#32
+ add x0,x21,#32
+ bl __ecp_nistz256_sub_from // p256_sub(res_y, S, res_y);
+
+ add sp,x29,#0 // destroy frame
+ ldp x19,x20,[x29,#16]
+ ldp x21,x22,[x29,#32]
+ ldp x29,x30,[sp],#96
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+.size ecp_nistz256_point_double,.-ecp_nistz256_point_double
+.globl ecp_nistz256_point_add
+.hidden ecp_nistz256_point_add
+.type ecp_nistz256_point_add,%function
+.align 5
+ecp_nistz256_point_add:
+ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-96]!
+ add x29,sp,#0
+ stp x19,x20,[sp,#16]
+ stp x21,x22,[sp,#32]
+ stp x23,x24,[sp,#48]
+ stp x25,x26,[sp,#64]
+ stp x27,x28,[sp,#80]
+ sub sp,sp,#32*12
+
+ ldp x4,x5,[x2,#64] // in2_z
+ ldp x6,x7,[x2,#64+16]
+ mov x21,x0
+ mov x22,x1
+ mov x23,x2
+ ldr x12,.Lpoly+8
+ ldr x13,.Lpoly+24
+ orr x8,x4,x5
+ orr x10,x6,x7
+ orr x25,x8,x10
+ cmp x25,#0
+ csetm x25,ne // ~in2infty
+ add x0,sp,#192
+ bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Z2sqr, in2_z);
+
+ ldp x4,x5,[x22,#64] // in1_z
+ ldp x6,x7,[x22,#64+16]
+ orr x8,x4,x5
+ orr x10,x6,x7
+ orr x24,x8,x10
+ cmp x24,#0
+ csetm x24,ne // ~in1infty
+ add x0,sp,#128
+ bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Z1sqr, in1_z);
+
+ ldr x3,[x23,#64]
+ ldp x4,x5,[sp,#192]
+ ldp x6,x7,[sp,#192+16]
+ add x2,x23,#64
+ add x0,sp,#320
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(S1, Z2sqr, in2_z);
+
+ ldr x3,[x22,#64]
+ ldp x4,x5,[sp,#128]
+ ldp x6,x7,[sp,#128+16]
+ add x2,x22,#64
+ add x0,sp,#352
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, Z1sqr, in1_z);
+
+ ldr x3,[x22,#32]
+ ldp x4,x5,[sp,#320]
+ ldp x6,x7,[sp,#320+16]
+ add x2,x22,#32
+ add x0,sp,#320
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(S1, S1, in1_y);
+
+ ldr x3,[x23,#32]
+ ldp x4,x5,[sp,#352]
+ ldp x6,x7,[sp,#352+16]
+ add x2,x23,#32
+ add x0,sp,#352
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, S2, in2_y);
+
+ add x2,sp,#320
+ ldr x3,[sp,#192] // forward load for p256_mul_mont
+ ldp x4,x5,[x22]
+ ldp x6,x7,[x22,#16]
+ add x0,sp,#160
+ bl __ecp_nistz256_sub_from // p256_sub(R, S2, S1);
+
+ orr x14,x14,x15 // see if result is zero
+ orr x16,x16,x17
+ orr x26,x14,x16 // ~is_equal(S1,S2)
+
+ add x2,sp,#192
+ add x0,sp,#256
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(U1, in1_x, Z2sqr);
+
+ ldr x3,[sp,#128]
+ ldp x4,x5,[x23]
+ ldp x6,x7,[x23,#16]
+ add x2,sp,#128
+ add x0,sp,#288
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, in2_x, Z1sqr);
+
+ add x2,sp,#256
+ ldp x4,x5,[sp,#160] // forward load for p256_sqr_mont
+ ldp x6,x7,[sp,#160+16]
+ add x0,sp,#96
+ bl __ecp_nistz256_sub_from // p256_sub(H, U2, U1);
+
+ orr x14,x14,x15 // see if result is zero
+ orr x16,x16,x17
+ orr x14,x14,x16 // ~is_equal(U1,U2)
+
+ mvn x27,x24 // -1/0 -> 0/-1
+ mvn x28,x25 // -1/0 -> 0/-1
+ orr x14,x14,x27
+ orr x14,x14,x28
+ orr x14,x14,x26
+ cbnz x14,.Ladd_proceed // if(~is_equal(U1,U2) | in1infty | in2infty | ~is_equal(S1,S2))
+
+.Ladd_double:
+ mov x1,x22
+ mov x0,x21
+ ldp x23,x24,[x29,#48]
+ ldp x25,x26,[x29,#64]
+ ldp x27,x28,[x29,#80]
+ add sp,sp,#256 // #256 is from #32*(12-4). difference in stack frames
+ b .Ldouble_shortcut
+
+.align 4
+.Ladd_proceed:
+ add x0,sp,#192
+ bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Rsqr, R);
+
+ ldr x3,[x22,#64]
+ ldp x4,x5,[sp,#96]
+ ldp x6,x7,[sp,#96+16]
+ add x2,x22,#64
+ add x0,sp,#64
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(res_z, H, in1_z);
+
+ ldp x4,x5,[sp,#96]
+ ldp x6,x7,[sp,#96+16]
+ add x0,sp,#128
+ bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Hsqr, H);
+
+ ldr x3,[x23,#64]
+ ldp x4,x5,[sp,#64]
+ ldp x6,x7,[sp,#64+16]
+ add x2,x23,#64
+ add x0,sp,#64
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(res_z, res_z, in2_z);
+
+ ldr x3,[sp,#96]
+ ldp x4,x5,[sp,#128]
+ ldp x6,x7,[sp,#128+16]
+ add x2,sp,#96
+ add x0,sp,#224
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(Hcub, Hsqr, H);
+
+ ldr x3,[sp,#128]
+ ldp x4,x5,[sp,#256]
+ ldp x6,x7,[sp,#256+16]
+ add x2,sp,#128
+ add x0,sp,#288
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, U1, Hsqr);
+
+ mov x8,x14
+ mov x9,x15
+ mov x10,x16
+ mov x11,x17
+ add x0,sp,#128
+ bl __ecp_nistz256_add_to // p256_mul_by_2(Hsqr, U2);
+
+ add x2,sp,#192
+ add x0,sp,#0
+ bl __ecp_nistz256_sub_morf // p256_sub(res_x, Rsqr, Hsqr);
+
+ add x2,sp,#224
+ bl __ecp_nistz256_sub_from // p256_sub(res_x, res_x, Hcub);
+
+ add x2,sp,#288
+ ldr x3,[sp,#224] // forward load for p256_mul_mont
+ ldp x4,x5,[sp,#320]
+ ldp x6,x7,[sp,#320+16]
+ add x0,sp,#32
+ bl __ecp_nistz256_sub_morf // p256_sub(res_y, U2, res_x);
+
+ add x2,sp,#224
+ add x0,sp,#352
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, S1, Hcub);
+
+ ldr x3,[sp,#160]
+ ldp x4,x5,[sp,#32]
+ ldp x6,x7,[sp,#32+16]
+ add x2,sp,#160
+ add x0,sp,#32
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(res_y, res_y, R);
+
+ add x2,sp,#352
+ bl __ecp_nistz256_sub_from // p256_sub(res_y, res_y, S2);
+
+ ldp x4,x5,[sp,#0] // res
+ ldp x6,x7,[sp,#0+16]
+ ldp x8,x9,[x23] // in2
+ ldp x10,x11,[x23,#16]
+ ldp x14,x15,[x22,#0] // in1
+ cmp x24,#0 // ~, remember?
+ ldp x16,x17,[x22,#0+16]
+ csel x8,x4,x8,ne
+ csel x9,x5,x9,ne
+ ldp x4,x5,[sp,#0+0+32] // res
+ csel x10,x6,x10,ne
+ csel x11,x7,x11,ne
+ cmp x25,#0 // ~, remember?
+ ldp x6,x7,[sp,#0+0+48]
+ csel x14,x8,x14,ne
+ csel x15,x9,x15,ne
+ ldp x8,x9,[x23,#0+32] // in2
+ csel x16,x10,x16,ne
+ csel x17,x11,x17,ne
+ ldp x10,x11,[x23,#0+48]
+ stp x14,x15,[x21,#0]
+ stp x16,x17,[x21,#0+16]
+ ldp x14,x15,[x22,#32] // in1
+ cmp x24,#0 // ~, remember?
+ ldp x16,x17,[x22,#32+16]
+ csel x8,x4,x8,ne
+ csel x9,x5,x9,ne
+ ldp x4,x5,[sp,#0+32+32] // res
+ csel x10,x6,x10,ne
+ csel x11,x7,x11,ne
+ cmp x25,#0 // ~, remember?
+ ldp x6,x7,[sp,#0+32+48]
+ csel x14,x8,x14,ne
+ csel x15,x9,x15,ne
+ ldp x8,x9,[x23,#32+32] // in2
+ csel x16,x10,x16,ne
+ csel x17,x11,x17,ne
+ ldp x10,x11,[x23,#32+48]
+ stp x14,x15,[x21,#32]
+ stp x16,x17,[x21,#32+16]
+ ldp x14,x15,[x22,#64] // in1
+ cmp x24,#0 // ~, remember?
+ ldp x16,x17,[x22,#64+16]
+ csel x8,x4,x8,ne
+ csel x9,x5,x9,ne
+ csel x10,x6,x10,ne
+ csel x11,x7,x11,ne
+ cmp x25,#0 // ~, remember?
+ csel x14,x8,x14,ne
+ csel x15,x9,x15,ne
+ csel x16,x10,x16,ne
+ csel x17,x11,x17,ne
+ stp x14,x15,[x21,#64]
+ stp x16,x17,[x21,#64+16]
+
+.Ladd_done:
+ add sp,x29,#0 // destroy frame
+ ldp x19,x20,[x29,#16]
+ ldp x21,x22,[x29,#32]
+ ldp x23,x24,[x29,#48]
+ ldp x25,x26,[x29,#64]
+ ldp x27,x28,[x29,#80]
+ ldp x29,x30,[sp],#96
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+.size ecp_nistz256_point_add,.-ecp_nistz256_point_add
+.globl ecp_nistz256_point_add_affine
+.hidden ecp_nistz256_point_add_affine
+.type ecp_nistz256_point_add_affine,%function
+.align 5
+ecp_nistz256_point_add_affine:
+ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-80]!
+ add x29,sp,#0
+ stp x19,x20,[sp,#16]
+ stp x21,x22,[sp,#32]
+ stp x23,x24,[sp,#48]
+ stp x25,x26,[sp,#64]
+ sub sp,sp,#32*10
+
+ mov x21,x0
+ mov x22,x1
+ mov x23,x2
+ ldr x12,.Lpoly+8
+ ldr x13,.Lpoly+24
+
+ ldp x4,x5,[x1,#64] // in1_z
+ ldp x6,x7,[x1,#64+16]
+ orr x8,x4,x5
+ orr x10,x6,x7
+ orr x24,x8,x10
+ cmp x24,#0
+ csetm x24,ne // ~in1infty
+
+ ldp x14,x15,[x2] // in2_x
+ ldp x16,x17,[x2,#16]
+ ldp x8,x9,[x2,#32] // in2_y
+ ldp x10,x11,[x2,#48]
+ orr x14,x14,x15
+ orr x16,x16,x17
+ orr x8,x8,x9
+ orr x10,x10,x11
+ orr x14,x14,x16
+ orr x8,x8,x10
+ orr x25,x14,x8
+ cmp x25,#0
+ csetm x25,ne // ~in2infty
+
+ add x0,sp,#128
+ bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Z1sqr, in1_z);
+
+ mov x4,x14
+ mov x5,x15
+ mov x6,x16
+ mov x7,x17
+ ldr x3,[x23]
+ add x2,x23,#0
+ add x0,sp,#96
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, Z1sqr, in2_x);
+
+ add x2,x22,#0
+ ldr x3,[x22,#64] // forward load for p256_mul_mont
+ ldp x4,x5,[sp,#128]
+ ldp x6,x7,[sp,#128+16]
+ add x0,sp,#160
+ bl __ecp_nistz256_sub_from // p256_sub(H, U2, in1_x);
+
+ add x2,x22,#64
+ add x0,sp,#128
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, Z1sqr, in1_z);
+
+ ldr x3,[x22,#64]
+ ldp x4,x5,[sp,#160]
+ ldp x6,x7,[sp,#160+16]
+ add x2,x22,#64
+ add x0,sp,#64
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(res_z, H, in1_z);
+
+ ldr x3,[x23,#32]
+ ldp x4,x5,[sp,#128]
+ ldp x6,x7,[sp,#128+16]
+ add x2,x23,#32
+ add x0,sp,#128
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, S2, in2_y);
+
+ add x2,x22,#32
+ ldp x4,x5,[sp,#160] // forward load for p256_sqr_mont
+ ldp x6,x7,[sp,#160+16]
+ add x0,sp,#192
+ bl __ecp_nistz256_sub_from // p256_sub(R, S2, in1_y);
+
+ add x0,sp,#224
+ bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Hsqr, H);
+
+ ldp x4,x5,[sp,#192]
+ ldp x6,x7,[sp,#192+16]
+ add x0,sp,#288
+ bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Rsqr, R);
+
+ ldr x3,[sp,#160]
+ ldp x4,x5,[sp,#224]
+ ldp x6,x7,[sp,#224+16]
+ add x2,sp,#160
+ add x0,sp,#256
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(Hcub, Hsqr, H);
+
+ ldr x3,[x22]
+ ldp x4,x5,[sp,#224]
+ ldp x6,x7,[sp,#224+16]
+ add x2,x22,#0
+ add x0,sp,#96
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, in1_x, Hsqr);
+
+ mov x8,x14
+ mov x9,x15
+ mov x10,x16
+ mov x11,x17
+ add x0,sp,#224
+ bl __ecp_nistz256_add_to // p256_mul_by_2(Hsqr, U2);
+
+ add x2,sp,#288
+ add x0,sp,#0
+ bl __ecp_nistz256_sub_morf // p256_sub(res_x, Rsqr, Hsqr);
+
+ add x2,sp,#256
+ bl __ecp_nistz256_sub_from // p256_sub(res_x, res_x, Hcub);
+
+ add x2,sp,#96
+ ldr x3,[x22,#32] // forward load for p256_mul_mont
+ ldp x4,x5,[sp,#256]
+ ldp x6,x7,[sp,#256+16]
+ add x0,sp,#32
+ bl __ecp_nistz256_sub_morf // p256_sub(res_y, U2, res_x);
+
+ add x2,x22,#32
+ add x0,sp,#128
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, in1_y, Hcub);
+
+ ldr x3,[sp,#192]
+ ldp x4,x5,[sp,#32]
+ ldp x6,x7,[sp,#32+16]
+ add x2,sp,#192
+ add x0,sp,#32
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(res_y, res_y, R);
+
+ add x2,sp,#128
+ bl __ecp_nistz256_sub_from // p256_sub(res_y, res_y, S2);
+
+ ldp x4,x5,[sp,#0] // res
+ ldp x6,x7,[sp,#0+16]
+ ldp x8,x9,[x23] // in2
+ ldp x10,x11,[x23,#16]
+ ldp x14,x15,[x22,#0] // in1
+ cmp x24,#0 // ~, remember?
+ ldp x16,x17,[x22,#0+16]
+ csel x8,x4,x8,ne
+ csel x9,x5,x9,ne
+ ldp x4,x5,[sp,#0+0+32] // res
+ csel x10,x6,x10,ne
+ csel x11,x7,x11,ne
+ cmp x25,#0 // ~, remember?
+ ldp x6,x7,[sp,#0+0+48]
+ csel x14,x8,x14,ne
+ csel x15,x9,x15,ne
+ ldp x8,x9,[x23,#0+32] // in2
+ csel x16,x10,x16,ne
+ csel x17,x11,x17,ne
+ ldp x10,x11,[x23,#0+48]
+ stp x14,x15,[x21,#0]
+ stp x16,x17,[x21,#0+16]
+ adr x23,.Lone_mont-64
+ ldp x14,x15,[x22,#32] // in1
+ cmp x24,#0 // ~, remember?
+ ldp x16,x17,[x22,#32+16]
+ csel x8,x4,x8,ne
+ csel x9,x5,x9,ne
+ ldp x4,x5,[sp,#0+32+32] // res
+ csel x10,x6,x10,ne
+ csel x11,x7,x11,ne
+ cmp x25,#0 // ~, remember?
+ ldp x6,x7,[sp,#0+32+48]
+ csel x14,x8,x14,ne
+ csel x15,x9,x15,ne
+ ldp x8,x9,[x23,#32+32] // in2
+ csel x16,x10,x16,ne
+ csel x17,x11,x17,ne
+ ldp x10,x11,[x23,#32+48]
+ stp x14,x15,[x21,#32]
+ stp x16,x17,[x21,#32+16]
+ ldp x14,x15,[x22,#64] // in1
+ cmp x24,#0 // ~, remember?
+ ldp x16,x17,[x22,#64+16]
+ csel x8,x4,x8,ne
+ csel x9,x5,x9,ne
+ csel x10,x6,x10,ne
+ csel x11,x7,x11,ne
+ cmp x25,#0 // ~, remember?
+ csel x14,x8,x14,ne
+ csel x15,x9,x15,ne
+ csel x16,x10,x16,ne
+ csel x17,x11,x17,ne
+ stp x14,x15,[x21,#64]
+ stp x16,x17,[x21,#64+16]
+
+ add sp,x29,#0 // destroy frame
+ ldp x19,x20,[x29,#16]
+ ldp x21,x22,[x29,#32]
+ ldp x23,x24,[x29,#48]
+ ldp x25,x26,[x29,#64]
+ ldp x29,x30,[sp],#80
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+.size ecp_nistz256_point_add_affine,.-ecp_nistz256_point_add_affine
+////////////////////////////////////////////////////////////////////////
+// void ecp_nistz256_ord_mul_mont(uint64_t res[4], uint64_t a[4],
+// uint64_t b[4]);
+.globl ecp_nistz256_ord_mul_mont
+.hidden ecp_nistz256_ord_mul_mont
+.type ecp_nistz256_ord_mul_mont,%function
+.align 4
+ecp_nistz256_ord_mul_mont:
+ AARCH64_VALID_CALL_TARGET
+ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.
+ stp x29,x30,[sp,#-64]!
+ add x29,sp,#0
+ stp x19,x20,[sp,#16]
+ stp x21,x22,[sp,#32]
+ stp x23,x24,[sp,#48]
+
+ adr x23,.Lord
+ ldr x3,[x2] // bp[0]
+ ldp x4,x5,[x1]
+ ldp x6,x7,[x1,#16]
+
+ ldp x12,x13,[x23,#0]
+ ldp x21,x22,[x23,#16]
+ ldr x23,[x23,#32]
+
+ mul x14,x4,x3 // a[0]*b[0]
+ umulh x8,x4,x3
+
+ mul x15,x5,x3 // a[1]*b[0]
+ umulh x9,x5,x3
+
+ mul x16,x6,x3 // a[2]*b[0]
+ umulh x10,x6,x3
+
+ mul x17,x7,x3 // a[3]*b[0]
+ umulh x19,x7,x3
+
+ mul x24,x14,x23
+
+ adds x15,x15,x8 // accumulate high parts of multiplication
+ adcs x16,x16,x9
+ adcs x17,x17,x10
+ adc x19,x19,xzr
+ mov x20,xzr
+ ldr x3,[x2,#8*1] // b[i]
+
+ lsl x8,x24,#32
+ subs x16,x16,x24
+ lsr x9,x24,#32
+ sbcs x17,x17,x8
+ sbcs x19,x19,x9
+ sbc x20,x20,xzr
+
+ subs xzr,x14,#1
+ umulh x9,x12,x24
+ mul x10,x13,x24
+ umulh x11,x13,x24
+
+ adcs x10,x10,x9
+ mul x8,x4,x3
+ adc x11,x11,xzr
+ mul x9,x5,x3
+
+ adds x14,x15,x10
+ mul x10,x6,x3
+ adcs x15,x16,x11
+ mul x11,x7,x3
+ adcs x16,x17,x24
+ adcs x17,x19,x24
+ adc x19,x20,xzr
+
+ adds x14,x14,x8 // accumulate low parts
+ umulh x8,x4,x3
+ adcs x15,x15,x9
+ umulh x9,x5,x3
+ adcs x16,x16,x10
+ umulh x10,x6,x3
+ adcs x17,x17,x11
+ umulh x11,x7,x3
+ adc x19,x19,xzr
+ mul x24,x14,x23
+ adds x15,x15,x8 // accumulate high parts
+ adcs x16,x16,x9
+ adcs x17,x17,x10
+ adcs x19,x19,x11
+ adc x20,xzr,xzr
+ ldr x3,[x2,#8*2] // b[i]
+
+ lsl x8,x24,#32
+ subs x16,x16,x24
+ lsr x9,x24,#32
+ sbcs x17,x17,x8
+ sbcs x19,x19,x9
+ sbc x20,x20,xzr
+
+ subs xzr,x14,#1
+ umulh x9,x12,x24
+ mul x10,x13,x24
+ umulh x11,x13,x24
+
+ adcs x10,x10,x9
+ mul x8,x4,x3
+ adc x11,x11,xzr
+ mul x9,x5,x3
+
+ adds x14,x15,x10
+ mul x10,x6,x3
+ adcs x15,x16,x11
+ mul x11,x7,x3
+ adcs x16,x17,x24
+ adcs x17,x19,x24
+ adc x19,x20,xzr
+
+ adds x14,x14,x8 // accumulate low parts
+ umulh x8,x4,x3
+ adcs x15,x15,x9
+ umulh x9,x5,x3
+ adcs x16,x16,x10
+ umulh x10,x6,x3
+ adcs x17,x17,x11
+ umulh x11,x7,x3
+ adc x19,x19,xzr
+ mul x24,x14,x23
+ adds x15,x15,x8 // accumulate high parts
+ adcs x16,x16,x9
+ adcs x17,x17,x10
+ adcs x19,x19,x11
+ adc x20,xzr,xzr
+ ldr x3,[x2,#8*3] // b[i]
+
+ lsl x8,x24,#32
+ subs x16,x16,x24
+ lsr x9,x24,#32
+ sbcs x17,x17,x8
+ sbcs x19,x19,x9
+ sbc x20,x20,xzr
+
+ subs xzr,x14,#1
+ umulh x9,x12,x24
+ mul x10,x13,x24
+ umulh x11,x13,x24
+
+ adcs x10,x10,x9
+ mul x8,x4,x3
+ adc x11,x11,xzr
+ mul x9,x5,x3
+
+ adds x14,x15,x10
+ mul x10,x6,x3
+ adcs x15,x16,x11
+ mul x11,x7,x3
+ adcs x16,x17,x24
+ adcs x17,x19,x24
+ adc x19,x20,xzr
+
+ adds x14,x14,x8 // accumulate low parts
+ umulh x8,x4,x3
+ adcs x15,x15,x9
+ umulh x9,x5,x3
+ adcs x16,x16,x10
+ umulh x10,x6,x3
+ adcs x17,x17,x11
+ umulh x11,x7,x3
+ adc x19,x19,xzr
+ mul x24,x14,x23
+ adds x15,x15,x8 // accumulate high parts
+ adcs x16,x16,x9
+ adcs x17,x17,x10
+ adcs x19,x19,x11
+ adc x20,xzr,xzr
+ lsl x8,x24,#32 // last reduction
+ subs x16,x16,x24
+ lsr x9,x24,#32
+ sbcs x17,x17,x8
+ sbcs x19,x19,x9
+ sbc x20,x20,xzr
+
+ subs xzr,x14,#1
+ umulh x9,x12,x24
+ mul x10,x13,x24
+ umulh x11,x13,x24
+
+ adcs x10,x10,x9
+ adc x11,x11,xzr
+
+ adds x14,x15,x10
+ adcs x15,x16,x11
+ adcs x16,x17,x24
+ adcs x17,x19,x24
+ adc x19,x20,xzr
+
+ subs x8,x14,x12 // ret -= modulus
+ sbcs x9,x15,x13
+ sbcs x10,x16,x21
+ sbcs x11,x17,x22
+ sbcs xzr,x19,xzr
+
+ csel x14,x14,x8,lo // ret = borrow ? ret : ret-modulus
+ csel x15,x15,x9,lo
+ csel x16,x16,x10,lo
+ stp x14,x15,[x0]
+ csel x17,x17,x11,lo
+ stp x16,x17,[x0,#16]
+
+ ldp x19,x20,[sp,#16]
+ ldp x21,x22,[sp,#32]
+ ldp x23,x24,[sp,#48]
+ ldr x29,[sp],#64
+ ret
+.size ecp_nistz256_ord_mul_mont,.-ecp_nistz256_ord_mul_mont
+
+////////////////////////////////////////////////////////////////////////
+// void ecp_nistz256_ord_sqr_mont(uint64_t res[4], uint64_t a[4],
+// int rep);
+.globl ecp_nistz256_ord_sqr_mont
+.hidden ecp_nistz256_ord_sqr_mont
+.type ecp_nistz256_ord_sqr_mont,%function
+.align 4
+ecp_nistz256_ord_sqr_mont:
+ AARCH64_VALID_CALL_TARGET
+ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.
+ stp x29,x30,[sp,#-64]!
+ add x29,sp,#0
+ stp x19,x20,[sp,#16]
+ stp x21,x22,[sp,#32]
+ stp x23,x24,[sp,#48]
+
+ adr x23,.Lord
+ ldp x4,x5,[x1]
+ ldp x6,x7,[x1,#16]
+
+ ldp x12,x13,[x23,#0]
+ ldp x21,x22,[x23,#16]
+ ldr x23,[x23,#32]
+ b .Loop_ord_sqr
+
+.align 4
+.Loop_ord_sqr:
+ sub x2,x2,#1
+ ////////////////////////////////////////////////////////////////
+ // | | | | | |a1*a0| |
+ // | | | | |a2*a0| | |
+ // | |a3*a2|a3*a0| | | |
+ // | | | |a2*a1| | | |
+ // | | |a3*a1| | | | |
+ // *| | | | | | | | 2|
+ // +|a3*a3|a2*a2|a1*a1|a0*a0|
+ // |--+--+--+--+--+--+--+--|
+ // |A7|A6|A5|A4|A3|A2|A1|A0|, where Ax is , i.e. follow
+ //
+ // "can't overflow" below mark carrying into high part of
+ // multiplication result, which can't overflow, because it
+ // can never be all ones.
+
+ mul x15,x5,x4 // a[1]*a[0]
+ umulh x9,x5,x4
+ mul x16,x6,x4 // a[2]*a[0]
+ umulh x10,x6,x4
+ mul x17,x7,x4 // a[3]*a[0]
+ umulh x19,x7,x4
+
+ adds x16,x16,x9 // accumulate high parts of multiplication
+ mul x8,x6,x5 // a[2]*a[1]
+ umulh x9,x6,x5
+ adcs x17,x17,x10
+ mul x10,x7,x5 // a[3]*a[1]
+ umulh x11,x7,x5
+ adc x19,x19,xzr // can't overflow
+
+ mul x20,x7,x6 // a[3]*a[2]
+ umulh x1,x7,x6
+
+ adds x9,x9,x10 // accumulate high parts of multiplication
+ mul x14,x4,x4 // a[0]*a[0]
+ adc x10,x11,xzr // can't overflow
+
+ adds x17,x17,x8 // accumulate low parts of multiplication
+ umulh x4,x4,x4
+ adcs x19,x19,x9
+ mul x9,x5,x5 // a[1]*a[1]
+ adcs x20,x20,x10
+ umulh x5,x5,x5
+ adc x1,x1,xzr // can't overflow
+
+ adds x15,x15,x15 // acc[1-6]*=2
+ mul x10,x6,x6 // a[2]*a[2]
+ adcs x16,x16,x16
+ umulh x6,x6,x6
+ adcs x17,x17,x17
+ mul x11,x7,x7 // a[3]*a[3]
+ adcs x19,x19,x19
+ umulh x7,x7,x7
+ adcs x20,x20,x20
+ adcs x1,x1,x1
+ adc x3,xzr,xzr
+
+ adds x15,x15,x4 // +a[i]*a[i]
+ mul x24,x14,x23
+ adcs x16,x16,x9
+ adcs x17,x17,x5
+ adcs x19,x19,x10
+ adcs x20,x20,x6
+ adcs x1,x1,x11
+ adc x3,x3,x7
+ subs xzr,x14,#1
+ umulh x9,x12,x24
+ mul x10,x13,x24
+ umulh x11,x13,x24
+
+ adcs x10,x10,x9
+ adc x11,x11,xzr
+
+ adds x14,x15,x10
+ adcs x15,x16,x11
+ adcs x16,x17,x24
+ adc x17,xzr,x24 // can't overflow
+ mul x11,x14,x23
+ lsl x8,x24,#32
+ subs x15,x15,x24
+ lsr x9,x24,#32
+ sbcs x16,x16,x8
+ sbc x17,x17,x9 // can't borrow
+ subs xzr,x14,#1
+ umulh x9,x12,x11
+ mul x10,x13,x11
+ umulh x24,x13,x11
+
+ adcs x10,x10,x9
+ adc x24,x24,xzr
+
+ adds x14,x15,x10
+ adcs x15,x16,x24
+ adcs x16,x17,x11
+ adc x17,xzr,x11 // can't overflow
+ mul x24,x14,x23
+ lsl x8,x11,#32
+ subs x15,x15,x11
+ lsr x9,x11,#32
+ sbcs x16,x16,x8
+ sbc x17,x17,x9 // can't borrow
+ subs xzr,x14,#1
+ umulh x9,x12,x24
+ mul x10,x13,x24
+ umulh x11,x13,x24
+
+ adcs x10,x10,x9
+ adc x11,x11,xzr
+
+ adds x14,x15,x10
+ adcs x15,x16,x11
+ adcs x16,x17,x24
+ adc x17,xzr,x24 // can't overflow
+ mul x11,x14,x23
+ lsl x8,x24,#32
+ subs x15,x15,x24
+ lsr x9,x24,#32
+ sbcs x16,x16,x8
+ sbc x17,x17,x9 // can't borrow
+ subs xzr,x14,#1
+ umulh x9,x12,x11
+ mul x10,x13,x11
+ umulh x24,x13,x11
+
+ adcs x10,x10,x9
+ adc x24,x24,xzr
+
+ adds x14,x15,x10
+ adcs x15,x16,x24
+ adcs x16,x17,x11
+ adc x17,xzr,x11 // can't overflow
+ lsl x8,x11,#32
+ subs x15,x15,x11
+ lsr x9,x11,#32
+ sbcs x16,x16,x8
+ sbc x17,x17,x9 // can't borrow
+ adds x14,x14,x19 // accumulate upper half
+ adcs x15,x15,x20
+ adcs x16,x16,x1
+ adcs x17,x17,x3
+ adc x19,xzr,xzr
+
+ subs x8,x14,x12 // ret -= modulus
+ sbcs x9,x15,x13
+ sbcs x10,x16,x21
+ sbcs x11,x17,x22
+ sbcs xzr,x19,xzr
+
+ csel x4,x14,x8,lo // ret = borrow ? ret : ret-modulus
+ csel x5,x15,x9,lo
+ csel x6,x16,x10,lo
+ csel x7,x17,x11,lo
+
+ cbnz x2,.Loop_ord_sqr
+
+ stp x4,x5,[x0]
+ stp x6,x7,[x0,#16]
+
+ ldp x19,x20,[sp,#16]
+ ldp x21,x22,[sp,#32]
+ ldp x23,x24,[sp,#48]
+ ldr x29,[sp],#64
+ ret
+.size ecp_nistz256_ord_sqr_mont,.-ecp_nistz256_ord_sqr_mont
+////////////////////////////////////////////////////////////////////////
+// void ecp_nistz256_select_w5(uint64_t *val, uint64_t *in_t, int index);
+.globl ecp_nistz256_select_w5
+.hidden ecp_nistz256_select_w5
+.type ecp_nistz256_select_w5,%function
+.align 4
+ecp_nistz256_select_w5:
+ AARCH64_VALID_CALL_TARGET
+
+ // x10 := x0
+ // w9 := 0; loop counter and incremented internal index
+ mov x10, x0
+ mov w9, #0
+
+ // [v16-v21] := 0
+ movi v16.16b, #0
+ movi v17.16b, #0
+ movi v18.16b, #0
+ movi v19.16b, #0
+ movi v20.16b, #0
+ movi v21.16b, #0
+
+.Lselect_w5_loop:
+ // Loop 16 times.
+
+ // Increment index (loop counter); tested at the end of the loop
+ add w9, w9, #1
+
+ // [v22-v27] := Load a (3*256-bit = 6*128-bit) table entry starting at x1
+ // and advance x1 to point to the next entry
+ ld1 {v22.2d, v23.2d, v24.2d, v25.2d}, [x1],#64
+
+ // x11 := (w9 == w2)? All 1s : All 0s
+ cmp w9, w2
+ csetm x11, eq
+
+ // continue loading ...
+ ld1 {v26.2d, v27.2d}, [x1],#32
+
+ // duplicate mask_64 into Mask (all 0s or all 1s)
+ dup v3.2d, x11
+
+ // [v16-v19] := (Mask == all 1s)? [v22-v25] : [v16-v19]
+ // i.e., values in output registers will remain the same if w9 != w2
+ bit v16.16b, v22.16b, v3.16b
+ bit v17.16b, v23.16b, v3.16b
+
+ bit v18.16b, v24.16b, v3.16b
+ bit v19.16b, v25.16b, v3.16b
+
+ bit v20.16b, v26.16b, v3.16b
+ bit v21.16b, v27.16b, v3.16b
+
+ // If bit #4 is not 0 (i.e. idx_ctr < 16) loop back
+ tbz w9, #4, .Lselect_w5_loop
+
+ // Write [v16-v21] to memory at the output pointer
+ st1 {v16.2d, v17.2d, v18.2d, v19.2d}, [x10],#64
+ st1 {v20.2d, v21.2d}, [x10]
+
+ ret
+.size ecp_nistz256_select_w5,.-ecp_nistz256_select_w5
+
+
+////////////////////////////////////////////////////////////////////////
+// void ecp_nistz256_select_w7(uint64_t *val, uint64_t *in_t, int index);
+.globl ecp_nistz256_select_w7
+.hidden ecp_nistz256_select_w7
+.type ecp_nistz256_select_w7,%function
+.align 4
+ecp_nistz256_select_w7:
+ AARCH64_VALID_CALL_TARGET
+
+ // w9 := 0; loop counter and incremented internal index
+ mov w9, #0
+
+ // [v16-v21] := 0
+ movi v16.16b, #0
+ movi v17.16b, #0
+ movi v18.16b, #0
+ movi v19.16b, #0
+
+.Lselect_w7_loop:
+ // Loop 64 times.
+
+ // Increment index (loop counter); tested at the end of the loop
+ add w9, w9, #1
+
+ // [v22-v25] := Load a (2*256-bit = 4*128-bit) table entry starting at x1
+ // and advance x1 to point to the next entry
+ ld1 {v22.2d, v23.2d, v24.2d, v25.2d}, [x1],#64
+
+ // x11 := (w9 == w2)? All 1s : All 0s
+ cmp w9, w2
+ csetm x11, eq
+
+ // duplicate mask_64 into Mask (all 0s or all 1s)
+ dup v3.2d, x11
+
+ // [v16-v19] := (Mask == all 1s)? [v22-v25] : [v16-v19]
+ // i.e., values in output registers will remain the same if w9 != w2
+ bit v16.16b, v22.16b, v3.16b
+ bit v17.16b, v23.16b, v3.16b
+
+ bit v18.16b, v24.16b, v3.16b
+ bit v19.16b, v25.16b, v3.16b
+
+ // If bit #6 is not 0 (i.e. idx_ctr < 64) loop back
+ tbz w9, #6, .Lselect_w7_loop
+
+ // Write [v16-v19] to memory at the output pointer
+ st1 {v16.2d, v17.2d, v18.2d, v19.2d}, [x0]
+
+ ret
+.size ecp_nistz256_select_w7,.-ecp_nistz256_select_w7
+#endif
+#endif // !OPENSSL_NO_ASM
+.section .note.GNU-stack,"",%progbits
diff --git a/linux-aarch64/crypto/fipsmodule/p256_beeu-armv8-asm.S b/linux-aarch64/crypto/fipsmodule/p256_beeu-armv8-asm.S
new file mode 100644
index 0000000..9243b8b
--- /dev/null
+++ b/linux-aarch64/crypto/fipsmodule/p256_beeu-armv8-asm.S
@@ -0,0 +1,320 @@
+// This file is generated from a similarly-named Perl script in the BoringSSL
+// source tree. Do not edit by hand.
+
+#if !defined(__has_feature)
+#define __has_feature(x) 0
+#endif
+#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM)
+#define OPENSSL_NO_ASM
+#endif
+
+#if !defined(OPENSSL_NO_ASM)
+#if defined(__aarch64__)
+#if defined(BORINGSSL_PREFIX)
+#include <boringssl_prefix_symbols_asm.h>
+#endif
+#include "openssl/arm_arch.h"
+
+.text
+.globl beeu_mod_inverse_vartime
+.hidden beeu_mod_inverse_vartime
+.type beeu_mod_inverse_vartime, %function
+.align 4
+beeu_mod_inverse_vartime:
+ // Reserve enough space for 14 8-byte registers on the stack
+ // in the first stp call for x29, x30.
+ // Then store the remaining callee-saved registers.
+ //
+ // | x29 | x30 | x19 | x20 | ... | x27 | x28 | x0 | x2 |
+ // ^ ^
+ // sp <------------------- 112 bytes ----------------> old sp
+ // x29 (FP)
+ //
+ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-112]!
+ add x29,sp,#0
+ stp x19,x20,[sp,#16]
+ stp x21,x22,[sp,#32]
+ stp x23,x24,[sp,#48]
+ stp x25,x26,[sp,#64]
+ stp x27,x28,[sp,#80]
+ stp x0,x2,[sp,#96]
+
+ // B = b3..b0 := a
+ ldp x25,x26,[x1]
+ ldp x27,x28,[x1,#16]
+
+ // n3..n0 := n
+ // Note: the value of input params are changed in the following.
+ ldp x0,x1,[x2]
+ ldp x2,x30,[x2,#16]
+
+ // A = a3..a0 := n
+ mov x21, x0
+ mov x22, x1
+ mov x23, x2
+ mov x24, x30
+
+ // X = x4..x0 := 1
+ mov x3, #1
+ eor x4, x4, x4
+ eor x5, x5, x5
+ eor x6, x6, x6
+ eor x7, x7, x7
+
+ // Y = y4..y0 := 0
+ eor x8, x8, x8
+ eor x9, x9, x9
+ eor x10, x10, x10
+ eor x11, x11, x11
+ eor x12, x12, x12
+
+.Lbeeu_loop:
+ // if B == 0, jump to .Lbeeu_loop_end
+ orr x14, x25, x26
+ orr x14, x14, x27
+
+ // reverse the bit order of x25. This is needed for clz after this macro
+ rbit x15, x25
+
+ orr x14, x14, x28
+ cbz x14,.Lbeeu_loop_end
+
+
+ // 0 < B < |n|,
+ // 0 < A <= |n|,
+ // (1) X*a == B (mod |n|),
+ // (2) (-1)*Y*a == A (mod |n|)
+
+ // Now divide B by the maximum possible power of two in the
+ // integers, and divide X by the same value mod |n|.
+ // When we're done, (1) still holds.
+
+ // shift := number of trailing 0s in x25
+ // ( = number of leading 0s in x15; see the "rbit" instruction in TEST_B_ZERO)
+ clz x13, x15
+
+ // If there is no shift, goto shift_A_Y
+ cbz x13, .Lbeeu_shift_A_Y
+
+ // Shift B right by "x13" bits
+ neg x14, x13
+ lsr x25, x25, x13
+ lsl x15, x26, x14
+
+ lsr x26, x26, x13
+ lsl x19, x27, x14
+
+ orr x25, x25, x15
+
+ lsr x27, x27, x13
+ lsl x20, x28, x14
+
+ orr x26, x26, x19
+
+ lsr x28, x28, x13
+
+ orr x27, x27, x20
+
+
+ // Shift X right by "x13" bits, adding n whenever X becomes odd.
+ // x13--;
+ // x14 := 0; needed in the addition to the most significant word in SHIFT1
+ eor x14, x14, x14
+.Lbeeu_shift_loop_X:
+ tbz x3, #0, .Lshift1_0
+ adds x3, x3, x0
+ adcs x4, x4, x1
+ adcs x5, x5, x2
+ adcs x6, x6, x30
+ adc x7, x7, x14
+.Lshift1_0:
+ // var0 := [var1|var0]<64..1>;
+ // i.e. concatenate var1 and var0,
+ // extract bits <64..1> from the resulting 128-bit value
+ // and put them in var0
+ extr x3, x4, x3, #1
+ extr x4, x5, x4, #1
+ extr x5, x6, x5, #1
+ extr x6, x7, x6, #1
+ lsr x7, x7, #1
+
+ subs x13, x13, #1
+ bne .Lbeeu_shift_loop_X
+
+ // Note: the steps above perform the same sequence as in p256_beeu-x86_64-asm.pl
+ // with the following differences:
+ // - "x13" is set directly to the number of trailing 0s in B
+ // (using rbit and clz instructions)
+ // - The loop is only used to call SHIFT1(X)
+ // and x13 is decreased while executing the X loop.
+ // - SHIFT256(B, x13) is performed before right-shifting X; they are independent
+
+.Lbeeu_shift_A_Y:
+ // Same for A and Y.
+ // Afterwards, (2) still holds.
+ // Reverse the bit order of x21
+ // x13 := number of trailing 0s in x21 (= number of leading 0s in x15)
+ rbit x15, x21
+ clz x13, x15
+
+ // If there is no shift, goto |B-A|, X+Y update
+ cbz x13, .Lbeeu_update_B_X_or_A_Y
+
+ // Shift A right by "x13" bits
+ neg x14, x13
+ lsr x21, x21, x13
+ lsl x15, x22, x14
+
+ lsr x22, x22, x13
+ lsl x19, x23, x14
+
+ orr x21, x21, x15
+
+ lsr x23, x23, x13
+ lsl x20, x24, x14
+
+ orr x22, x22, x19
+
+ lsr x24, x24, x13
+
+ orr x23, x23, x20
+
+
+ // Shift Y right by "x13" bits, adding n whenever Y becomes odd.
+ // x13--;
+ // x14 := 0; needed in the addition to the most significant word in SHIFT1
+ eor x14, x14, x14
+.Lbeeu_shift_loop_Y:
+ tbz x8, #0, .Lshift1_1
+ adds x8, x8, x0
+ adcs x9, x9, x1
+ adcs x10, x10, x2
+ adcs x11, x11, x30
+ adc x12, x12, x14
+.Lshift1_1:
+ // var0 := [var1|var0]<64..1>;
+ // i.e. concatenate var1 and var0,
+ // extract bits <64..1> from the resulting 128-bit value
+ // and put them in var0
+ extr x8, x9, x8, #1
+ extr x9, x10, x9, #1
+ extr x10, x11, x10, #1
+ extr x11, x12, x11, #1
+ lsr x12, x12, #1
+
+ subs x13, x13, #1
+ bne .Lbeeu_shift_loop_Y
+
+.Lbeeu_update_B_X_or_A_Y:
+ // Try T := B - A; if cs, continue with B > A (cs: carry set = no borrow)
+ // Note: this is a case of unsigned arithmetic, where T fits in 4 64-bit words
+ // without taking a sign bit if generated. The lack of a carry would
+ // indicate a negative result. See, for example,
+ // https://community.arm.com/developer/ip-products/processors/b/processors-ip-blog/posts/condition-codes-1-condition-flags-and-codes
+ subs x14, x25, x21
+ sbcs x15, x26, x22
+ sbcs x19, x27, x23
+ sbcs x20, x28, x24
+ bcs .Lbeeu_B_greater_than_A
+
+ // Else A > B =>
+ // A := A - B; Y := Y + X; goto beginning of the loop
+ subs x21, x21, x25
+ sbcs x22, x22, x26
+ sbcs x23, x23, x27
+ sbcs x24, x24, x28
+
+ adds x8, x8, x3
+ adcs x9, x9, x4
+ adcs x10, x10, x5
+ adcs x11, x11, x6
+ adc x12, x12, x7
+ b .Lbeeu_loop
+
+.Lbeeu_B_greater_than_A:
+ // Continue with B > A =>
+ // B := B - A; X := X + Y; goto beginning of the loop
+ mov x25, x14
+ mov x26, x15
+ mov x27, x19
+ mov x28, x20
+
+ adds x3, x3, x8
+ adcs x4, x4, x9
+ adcs x5, x5, x10
+ adcs x6, x6, x11
+ adc x7, x7, x12
+ b .Lbeeu_loop
+
+.Lbeeu_loop_end:
+ // The Euclid's algorithm loop ends when A == gcd(a,n);
+ // this would be 1, when a and n are co-prime (i.e. do not have a common factor).
+ // Since (-1)*Y*a == A (mod |n|), Y>0
+ // then out = -Y mod n
+
+ // Verify that A = 1 ==> (-1)*Y*a = A = 1 (mod |n|)
+ // Is A-1 == 0?
+ // If not, fail.
+ sub x14, x21, #1
+ orr x14, x14, x22
+ orr x14, x14, x23
+ orr x14, x14, x24
+ cbnz x14, .Lbeeu_err
+
+ // If Y>n ==> Y:=Y-n
+.Lbeeu_reduction_loop:
+ // x_i := y_i - n_i (X is no longer needed, use it as temp)
+ // (x14 = 0 from above)
+ subs x3, x8, x0
+ sbcs x4, x9, x1
+ sbcs x5, x10, x2
+ sbcs x6, x11, x30
+ sbcs x7, x12, x14
+
+ // If result is non-negative (i.e., cs = carry set = no borrow),
+ // y_i := x_i; goto reduce again
+ // else
+ // y_i := y_i; continue
+ csel x8, x3, x8, cs
+ csel x9, x4, x9, cs
+ csel x10, x5, x10, cs
+ csel x11, x6, x11, cs
+ csel x12, x7, x12, cs
+ bcs .Lbeeu_reduction_loop
+
+ // Now Y < n (Y cannot be equal to n, since the inverse cannot be 0)
+ // out = -Y = n-Y
+ subs x8, x0, x8
+ sbcs x9, x1, x9
+ sbcs x10, x2, x10
+ sbcs x11, x30, x11
+
+ // Save Y in output (out (x0) was saved on the stack)
+ ldr x3, [sp,#96]
+ stp x8, x9, [x3]
+ stp x10, x11, [x3,#16]
+ // return 1 (success)
+ mov x0, #1
+ b .Lbeeu_finish
+
+.Lbeeu_err:
+ // return 0 (error)
+ eor x0, x0, x0
+
+.Lbeeu_finish:
+ // Restore callee-saved registers, except x0, x2
+ add sp,x29,#0
+ ldp x19,x20,[sp,#16]
+ ldp x21,x22,[sp,#32]
+ ldp x23,x24,[sp,#48]
+ ldp x25,x26,[sp,#64]
+ ldp x27,x28,[sp,#80]
+ ldp x29,x30,[sp],#112
+
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+.size beeu_mod_inverse_vartime,.-beeu_mod_inverse_vartime
+#endif
+#endif // !OPENSSL_NO_ASM
+.section .note.GNU-stack,"",%progbits
diff --git a/linux-x86_64/crypto/fipsmodule/x86_64-mont5.S b/linux-x86_64/crypto/fipsmodule/x86_64-mont5.S
index 55cc781..59367b6 100644
--- a/linux-x86_64/crypto/fipsmodule/x86_64-mont5.S
+++ b/linux-x86_64/crypto/fipsmodule/x86_64-mont5.S
@@ -2067,187 +2067,6 @@
.byte 0xf3,0xc3
.cfi_endproc
.size __bn_post4x_internal,.-__bn_post4x_internal
-.globl bn_from_montgomery
-.hidden bn_from_montgomery
-.type bn_from_montgomery,@function
-.align 32
-bn_from_montgomery:
-.cfi_startproc
- testl $7,%r9d
- jz bn_from_mont8x
- xorl %eax,%eax
- .byte 0xf3,0xc3
-.cfi_endproc
-.size bn_from_montgomery,.-bn_from_montgomery
-
-.type bn_from_mont8x,@function
-.align 32
-bn_from_mont8x:
-.cfi_startproc
-.byte 0x67
- movq %rsp,%rax
-.cfi_def_cfa_register %rax
- pushq %rbx
-.cfi_offset %rbx,-16
- pushq %rbp
-.cfi_offset %rbp,-24
- pushq %r12
-.cfi_offset %r12,-32
- pushq %r13
-.cfi_offset %r13,-40
- pushq %r14
-.cfi_offset %r14,-48
- pushq %r15
-.cfi_offset %r15,-56
-.Lfrom_prologue:
-
- shll $3,%r9d
- leaq (%r9,%r9,2),%r10
- negq %r9
- movq (%r8),%r8
-
-
-
-
-
-
-
-
- leaq -320(%rsp,%r9,2),%r11
- movq %rsp,%rbp
- subq %rdi,%r11
- andq $4095,%r11
- cmpq %r11,%r10
- jb .Lfrom_sp_alt
- subq %r11,%rbp
- leaq -320(%rbp,%r9,2),%rbp
- jmp .Lfrom_sp_done
-
-.align 32
-.Lfrom_sp_alt:
- leaq 4096-320(,%r9,2),%r10
- leaq -320(%rbp,%r9,2),%rbp
- subq %r10,%r11
- movq $0,%r10
- cmovcq %r10,%r11
- subq %r11,%rbp
-.Lfrom_sp_done:
- andq $-64,%rbp
- movq %rsp,%r11
- subq %rbp,%r11
- andq $-4096,%r11
- leaq (%r11,%rbp,1),%rsp
- movq (%rsp),%r10
- cmpq %rbp,%rsp
- ja .Lfrom_page_walk
- jmp .Lfrom_page_walk_done
-
-.Lfrom_page_walk:
- leaq -4096(%rsp),%rsp
- movq (%rsp),%r10
- cmpq %rbp,%rsp
- ja .Lfrom_page_walk
-.Lfrom_page_walk_done:
-
- movq %r9,%r10
- negq %r9
-
-
-
-
-
-
-
-
-
-
- movq %r8,32(%rsp)
- movq %rax,40(%rsp)
-.cfi_escape 0x0f,0x05,0x77,0x28,0x06,0x23,0x08
-.Lfrom_body:
- movq %r9,%r11
- leaq 48(%rsp),%rax
- pxor %xmm0,%xmm0
- jmp .Lmul_by_1
-
-.align 32
-.Lmul_by_1:
- movdqu (%rsi),%xmm1
- movdqu 16(%rsi),%xmm2
- movdqu 32(%rsi),%xmm3
- movdqa %xmm0,(%rax,%r9,1)
- movdqu 48(%rsi),%xmm4
- movdqa %xmm0,16(%rax,%r9,1)
-.byte 0x48,0x8d,0xb6,0x40,0x00,0x00,0x00
- movdqa %xmm1,(%rax)
- movdqa %xmm0,32(%rax,%r9,1)
- movdqa %xmm2,16(%rax)
- movdqa %xmm0,48(%rax,%r9,1)
- movdqa %xmm3,32(%rax)
- movdqa %xmm4,48(%rax)
- leaq 64(%rax),%rax
- subq $64,%r11
- jnz .Lmul_by_1
-
-.byte 102,72,15,110,207
-.byte 102,72,15,110,209
-.byte 0x67
- movq %rcx,%rbp
-.byte 102,73,15,110,218
- leaq OPENSSL_ia32cap_P(%rip),%r11
- movl 8(%r11),%r11d
- andl $0x80108,%r11d
- cmpl $0x80108,%r11d
- jne .Lfrom_mont_nox
-
- leaq (%rax,%r9,1),%rdi
- call __bn_sqrx8x_reduction
- call __bn_postx4x_internal
-
- pxor %xmm0,%xmm0
- leaq 48(%rsp),%rax
- jmp .Lfrom_mont_zero
-
-.align 32
-.Lfrom_mont_nox:
- call __bn_sqr8x_reduction
- call __bn_post4x_internal
-
- pxor %xmm0,%xmm0
- leaq 48(%rsp),%rax
- jmp .Lfrom_mont_zero
-
-.align 32
-.Lfrom_mont_zero:
- movq 40(%rsp),%rsi
-.cfi_def_cfa %rsi,8
- movdqa %xmm0,0(%rax)
- movdqa %xmm0,16(%rax)
- movdqa %xmm0,32(%rax)
- movdqa %xmm0,48(%rax)
- leaq 64(%rax),%rax
- subq $32,%r9
- jnz .Lfrom_mont_zero
-
- movq $1,%rax
- movq -48(%rsi),%r15
-.cfi_restore %r15
- movq -40(%rsi),%r14
-.cfi_restore %r14
- movq -32(%rsi),%r13
-.cfi_restore %r13
- movq -24(%rsi),%r12
-.cfi_restore %r12
- movq -16(%rsi),%rbp
-.cfi_restore %rbp
- movq -8(%rsi),%rbx
-.cfi_restore %rbx
- leaq (%rsi),%rsp
-.cfi_def_cfa_register %rsp
-.Lfrom_epilogue:
- .byte 0xf3,0xc3
-.cfi_endproc
-.size bn_from_mont8x,.-bn_from_mont8x
.type bn_mulx4x_mont_gather5,@function
.align 32
bn_mulx4x_mont_gather5:
diff --git a/sources.bp b/sources.bp
index 7e1293f..92c328a 100644
--- a/sources.bp
+++ b/sources.bp
@@ -70,7 +70,6 @@
"src/crypto/chacha/chacha.c",
"src/crypto/cipher_extra/cipher_extra.c",
"src/crypto/cipher_extra/derive_key.c",
- "src/crypto/cipher_extra/e_aesccm.c",
"src/crypto/cipher_extra/e_aesctrhmac.c",
"src/crypto/cipher_extra/e_aesgcmsiv.c",
"src/crypto/cipher_extra/e_chacha20poly1305.c",
@@ -80,7 +79,6 @@
"src/crypto/cipher_extra/e_rc4.c",
"src/crypto/cipher_extra/e_tls.c",
"src/crypto/cipher_extra/tls_cbc.c",
- "src/crypto/cmac/cmac.c",
"src/crypto/conf/conf.c",
"src/crypto/cpu_aarch64_apple.c",
"src/crypto/cpu_aarch64_fuchsia.c",
@@ -106,7 +104,6 @@
"src/crypto/ecdsa_extra/ecdsa_asn1.c",
"src/crypto/engine/engine.c",
"src/crypto/err/err.c",
- "src/crypto/evp/digestsign.c",
"src/crypto/evp/evp.c",
"src/crypto/evp/evp_asn1.c",
"src/crypto/evp/evp_ctx.c",
@@ -253,6 +250,7 @@
linux_arm64: {
srcs: [
"linux-aarch64/crypto/chacha/chacha-armv8.S",
+ "linux-aarch64/crypto/cipher_extra/chacha20_poly1305_armv8.S",
"linux-aarch64/crypto/test/trampoline-armv8.S",
],
},
@@ -294,6 +292,8 @@
"linux-aarch64/crypto/fipsmodule/armv8-mont.S",
"linux-aarch64/crypto/fipsmodule/ghash-neon-armv8.S",
"linux-aarch64/crypto/fipsmodule/ghashv8-armx64.S",
+ "linux-aarch64/crypto/fipsmodule/p256-armv8-asm.S",
+ "linux-aarch64/crypto/fipsmodule/p256_beeu-armv8-asm.S",
"linux-aarch64/crypto/fipsmodule/sha1-armv8.S",
"linux-aarch64/crypto/fipsmodule/sha256-armv8.S",
"linux-aarch64/crypto/fipsmodule/sha512-armv8.S",
@@ -440,7 +440,6 @@
"src/crypto/chacha/chacha_test.cc",
"src/crypto/cipher_extra/aead_test.cc",
"src/crypto/cipher_extra/cipher_test.cc",
- "src/crypto/cmac/cmac_test.cc",
"src/crypto/compiler_test.cc",
"src/crypto/conf/conf_test.cc",
"src/crypto/constant_time_test.cc",
@@ -460,13 +459,15 @@
"src/crypto/evp/scrypt_test.cc",
"src/crypto/fipsmodule/aes/aes_test.cc",
"src/crypto/fipsmodule/bn/bn_test.cc",
+ "src/crypto/fipsmodule/cmac/cmac_test.cc",
"src/crypto/fipsmodule/ec/ec_test.cc",
- "src/crypto/fipsmodule/ec/p256-x86_64_test.cc",
+ "src/crypto/fipsmodule/ec/p256-nistz_test.cc",
"src/crypto/fipsmodule/ecdsa/ecdsa_test.cc",
"src/crypto/fipsmodule/md5/md5_test.cc",
"src/crypto/fipsmodule/modes/gcm_test.cc",
"src/crypto/fipsmodule/rand/ctrdrbg_test.cc",
"src/crypto/fipsmodule/rand/fork_detect_test.cc",
+ "src/crypto/fipsmodule/service_indicator/service_indicator_test.cc",
"src/crypto/fipsmodule/sha/sha_test.cc",
"src/crypto/hkdf/hkdf_test.cc",
"src/crypto/hmac_extra/hmac_test.cc",
diff --git a/sources.mk b/sources.mk
index 1f1d08f..2e8e9e8 100644
--- a/sources.mk
+++ b/sources.mk
@@ -68,7 +68,6 @@
src/crypto/chacha/chacha.c\
src/crypto/cipher_extra/cipher_extra.c\
src/crypto/cipher_extra/derive_key.c\
- src/crypto/cipher_extra/e_aesccm.c\
src/crypto/cipher_extra/e_aesctrhmac.c\
src/crypto/cipher_extra/e_aesgcmsiv.c\
src/crypto/cipher_extra/e_chacha20poly1305.c\
@@ -78,7 +77,6 @@
src/crypto/cipher_extra/e_rc4.c\
src/crypto/cipher_extra/e_tls.c\
src/crypto/cipher_extra/tls_cbc.c\
- src/crypto/cmac/cmac.c\
src/crypto/conf/conf.c\
src/crypto/cpu_aarch64_apple.c\
src/crypto/cpu_aarch64_fuchsia.c\
@@ -104,7 +102,6 @@
src/crypto/ecdsa_extra/ecdsa_asn1.c\
src/crypto/engine/engine.c\
src/crypto/err/err.c\
- src/crypto/evp/digestsign.c\
src/crypto/evp/evp.c\
src/crypto/evp/evp_asn1.c\
src/crypto/evp/evp_ctx.c\
@@ -250,10 +247,13 @@
linux_aarch64_sources := \
linux-aarch64/crypto/chacha/chacha-armv8.S\
+ linux-aarch64/crypto/cipher_extra/chacha20_poly1305_armv8.S\
linux-aarch64/crypto/fipsmodule/aesv8-armx64.S\
linux-aarch64/crypto/fipsmodule/armv8-mont.S\
linux-aarch64/crypto/fipsmodule/ghash-neon-armv8.S\
linux-aarch64/crypto/fipsmodule/ghashv8-armx64.S\
+ linux-aarch64/crypto/fipsmodule/p256-armv8-asm.S\
+ linux-aarch64/crypto/fipsmodule/p256_beeu-armv8-asm.S\
linux-aarch64/crypto/fipsmodule/sha1-armv8.S\
linux-aarch64/crypto/fipsmodule/sha256-armv8.S\
linux-aarch64/crypto/fipsmodule/sha512-armv8.S\
diff --git a/src/.gitignore b/src/.gitignore
index 1a27c89..ab8580c 100644
--- a/src/.gitignore
+++ b/src/.gitignore
@@ -15,7 +15,6 @@
util/bot/cmake-linux64
util/bot/cmake-mac
util/bot/cmake-win32
-util/bot/cmake-win32.zip
util/bot/golang
util/bot/libFuzzer
util/bot/libcxx
diff --git a/src/BUILDING.md b/src/BUILDING.md
index e9a2b0c..e7dfd6e 100644
--- a/src/BUILDING.md
+++ b/src/BUILDING.md
@@ -30,7 +30,8 @@
by CMake, it may be configured explicitly by setting
`CMAKE_ASM_NASM_COMPILER`.
- * C and C++ compilers with C++11 support are required. On Windows, MSVC from
+ * C and C++ compilers with C++14 support are required. If using a C compiler
+ other than MSVC, C11 support is also requried. On Windows, MSVC from
Visual Studio 2017 or later with Platform SDK 8.1 or later are supported,
but newer versions are recommended. Recent versions of GCC (6.1+) and Clang
should work on non-Windows platforms, and maybe on Windows too.
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index 35ff4c1..aadcb9b 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -3,6 +3,12 @@
# Defer enabling C and CXX languages.
project(BoringSSL NONE)
+# Don't install BoringSSL to system directories by default; it has no stable
+# ABI. Instead, default to an "install" directory under the source.
+if(CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT)
+ set(CMAKE_INSTALL_PREFIX ${CMAKE_SOURCE_DIR}/install CACHE PATH "" FORCE)
+endif()
+
if(WIN32)
# On Windows, prefer cl over gcc if both are available. By default most of
# the CMake generators prefer gcc, even on Windows.
@@ -14,6 +20,8 @@
enable_language(C)
enable_language(CXX)
+include(GNUInstallDirs)
+
# This is a dummy target which all other targets depend on (manually - see other
# CMakeLists.txt files). This gives us a hook to add any targets which need to
# run before all other targets.
@@ -114,6 +122,13 @@
set(EMSCRIPTEN 1)
endif()
+set(CMAKE_CXX_STANDARD 14)
+set(CMAKE_CXX_STANDARD_REQUIRED ON)
+if(MSVC AND NOT CLANG)
+ set(CMAKE_C_STANDARD 11)
+ set(CMAKE_C_STANDARD_REQUIRED ON)
+endif()
+
if(CMAKE_COMPILER_IS_GNUCXX OR CLANG)
# Note clang-cl is odd and sets both CLANG and MSVC. We base our configuration
# primarily on our normal Clang one.
@@ -156,14 +171,8 @@
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${C_CXX_FLAGS} -Wmissing-prototypes -Wold-style-definition -Wstrict-prototypes")
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${C_CXX_FLAGS} -Wmissing-declarations")
- if(NOT MSVC)
- set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -std=c++11")
- if(APPLE)
- set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -stdlib=libc++")
- endif()
- if(NOT BORINGSSL_ALLOW_CXX_RUNTIME)
- set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fno-exceptions -fno-rtti")
- endif()
+ if(NOT MSVC AND NOT BORINGSSL_ALLOW_CXX_RUNTIME)
+ set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fno-exceptions -fno-rtti")
endif()
# In GCC, -Wmissing-declarations is the C++ spelling of -Wmissing-prototypes
@@ -253,10 +262,6 @@
add_definitions("-D_STL_EXTRA_DISABLED_WARNINGS=4774 4987")
endif()
-if(CMAKE_COMPILER_IS_GNUCXX)
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -std=c11")
-endif()
-
# pthread_rwlock_t on Linux requires a feature flag. We limit this to Linux
# because, on Apple platforms, it instead disables APIs we use. See compat(5)
# and sys/cdefs.h. Reportedly, FreeBSD also breaks when this is set. See
@@ -541,6 +546,7 @@
set_target_properties(libcxxabi PROPERTIES COMPILE_FLAGS "-Wno-missing-prototypes -Wno-implicit-fallthrough")
# libc++abi depends on libc++ internal headers.
set_property(TARGET libcxxabi APPEND PROPERTY INCLUDE_DIRECTORIES "${CMAKE_SOURCE_DIR}/util/bot/libcxx/src")
+ install(TARGETS libcxxabi EXPORT OpenSSLTargets)
add_library(libcxx ${LIBCXX_SOURCES})
if(ASAN OR MSAN OR TSAN)
@@ -556,6 +562,7 @@
-DLIBCXX_BUILDING_LIBCXXABI
)
target_link_libraries(libcxx libcxxabi)
+ install(TARGETS libcxx EXPORT OpenSSLTargets DESTINATION ${CMAKE_INSTALL_LIBDIR})
endif()
# Add minimal googletest targets. The provided one has many side-effects, and
@@ -656,3 +663,12 @@
WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}
DEPENDS all_tests bssl_shim handshaker fips_specific_tests_if_any
USES_TERMINAL)
+
+install(DIRECTORY include/ DESTINATION ${CMAKE_INSTALL_INCLUDEDIR})
+
+install(EXPORT OpenSSLTargets
+ FILE OpenSSLTargets.cmake
+ NAMESPACE OpenSSL::
+ DESTINATION lib/cmake/OpenSSL
+)
+install(FILES OpenSSLConfig.cmake DESTINATION lib/cmake/OpenSSL)
diff --git a/src/OpenSSLConfig.cmake b/src/OpenSSLConfig.cmake
new file mode 100644
index 0000000..3ebaf19
--- /dev/null
+++ b/src/OpenSSLConfig.cmake
@@ -0,0 +1,32 @@
+include(${CMAKE_CURRENT_LIST_DIR}/OpenSSLTargets.cmake)
+
+# Recursively collect dependency locations for the imported targets.
+macro(_openssl_config_libraries libraries target)
+ get_property(_DEPS TARGET ${target} PROPERTY INTERFACE_LINK_LIBRARIES)
+ foreach(_DEP ${_DEPS})
+ if(TARGET ${_DEP})
+ _openssl_config_libraries(${libraries} ${_DEP})
+ else()
+ list(APPEND ${libraries} ${_DEP})
+ endif()
+ endforeach()
+ get_property(_LOC TARGET ${target} PROPERTY LOCATION)
+ list(APPEND ${libraries} ${_LOC})
+endmacro()
+
+set(OPENSSL_FOUND YES)
+get_property(OPENSSL_INCLUDE_DIR TARGET OpenSSL::SSL PROPERTY INTERFACE_INCLUDE_DIRECTORIES)
+get_property(OPENSSL_CRYPTO_LIBRARY TARGET OpenSSL::Crypto PROPERTY LOCATION)
+_openssl_config_libraries(OPENSSL_CRYPTO_LIBRARIES OpenSSL::Crypto)
+list(REMOVE_DUPLICATES OPENSSL_CRYPTO_LIBRARIES)
+
+get_property(OPENSSL_SSL_LIBRARY TARGET OpenSSL::Crypto PROPERTY LOCATION)
+_openssl_config_libraries(OPENSSL_SSL_LIBRARIES OpenSSL::SSL)
+list(REMOVE_DUPLICATES OPENSSL_SSL_LIBRARIES)
+
+set(OPENSSL_LIBRARIES ${OPENSSL_CRYPTO_LIBRARIES} ${OPENSSL_SSL_LIBRARIES})
+list(REMOVE_DUPLICATES OPENSSL_LIBRARIES)
+
+set(_DEP)
+set(_DEPS)
+set(_LOC)
diff --git a/src/crypto/CMakeLists.txt b/src/crypto/CMakeLists.txt
index 79802c6..cf7199c 100644
--- a/src/crypto/CMakeLists.txt
+++ b/src/crypto/CMakeLists.txt
@@ -121,6 +121,7 @@
chacha/chacha-armv8.${ASM_EXT}
test/trampoline-armv8.${ASM_EXT}
+ cipher_extra/chacha20_poly1305_armv8.${ASM_EXT}
)
endif()
@@ -159,6 +160,7 @@
perlasm(chacha/chacha-x86_64.${ASM_EXT} chacha/asm/chacha-x86_64.pl)
perlasm(cipher_extra/aes128gcmsiv-x86_64.${ASM_EXT} cipher_extra/asm/aes128gcmsiv-x86_64.pl)
perlasm(cipher_extra/chacha20_poly1305_x86_64.${ASM_EXT} cipher_extra/asm/chacha20_poly1305_x86_64.pl)
+perlasm(cipher_extra/chacha20_poly1305_armv8.${ASM_EXT} cipher_extra/asm/chacha20_poly1305_armv8.pl)
perlasm(test/trampoline-armv4.${ASM_EXT} test/asm/trampoline-armv4.pl)
perlasm(test/trampoline-armv8.${ASM_EXT} test/asm/trampoline-armv8.pl)
perlasm(test/trampoline-ppc.${ASM_EXT} test/asm/trampoline-ppc.pl)
@@ -251,7 +253,6 @@
chacha/chacha.c
cipher_extra/cipher_extra.c
cipher_extra/derive_key.c
- cipher_extra/e_aesccm.c
cipher_extra/e_aesctrhmac.c
cipher_extra/e_aesgcmsiv.c
cipher_extra/e_chacha20poly1305.c
@@ -261,7 +262,6 @@
cipher_extra/e_rc4.c
cipher_extra/e_tls.c
cipher_extra/tls_cbc.c
- cmac/cmac.c
conf/conf.c
cpu_aarch64_apple.c
cpu_aarch64_fuchsia.c
@@ -288,7 +288,6 @@
err/err.c
err_data.c
engine/engine.c
- evp/digestsign.c
evp/evp.c
evp/evp_asn1.c
evp/evp_ctx.c
@@ -435,19 +434,21 @@
${CRYPTO_ARCH_SOURCES}
${CRYPTO_FIPS_OBJECTS}
)
+target_include_directories(crypto INTERFACE
+ $<BUILD_INTERFACE:${CMAKE_SOURCE_DIR}/include>
+ $<INSTALL_INTERFACE:include>
+)
+install(TARGETS crypto EXPORT OpenSSLTargets DESTINATION ${CMAKE_INSTALL_LIBDIR})
+set_property(TARGET crypto PROPERTY EXPORT_NAME Crypto)
if(FIPS_SHARED)
- set(EXTRA_INJECT_HASH_ARGS)
- if(ANDROID)
- set(EXTRA_INJECT_HASH_ARGS "-sha256")
- endif()
# Rewrite libcrypto.so to inject the correct module hash value. This assumes
# UNIX-style library naming, but we only support FIPS mode on Linux anyway.
add_custom_command(
TARGET crypto POST_BUILD
COMMAND ${GO_EXECUTABLE} run
${CMAKE_CURRENT_SOURCE_DIR}/../util/fipstools/inject_hash/inject_hash.go
- -o libcrypto.so -in-object libcrypto.so ${EXTRA_INJECT_HASH_ARGS}
+ -o libcrypto.so -in-object libcrypto.so
# The DEPENDS argument to a POST_BUILD rule appears to be ignored. Thus
# go_executable isn't used (as it doesn't get built), but we list this
# dependency anyway in case it starts working in some CMake version.
@@ -501,7 +502,6 @@
chacha/chacha_test.cc
cipher_extra/aead_test.cc
cipher_extra/cipher_test.cc
- cmac/cmac_test.cc
compiler_test.cc
conf/conf_test.cc
constant_time_test.cc
@@ -521,13 +521,15 @@
evp/scrypt_test.cc
fipsmodule/aes/aes_test.cc
fipsmodule/bn/bn_test.cc
+ fipsmodule/cmac/cmac_test.cc
fipsmodule/ec/ec_test.cc
- fipsmodule/ec/p256-x86_64_test.cc
+ fipsmodule/ec/p256-nistz_test.cc
fipsmodule/ecdsa/ecdsa_test.cc
fipsmodule/md5/md5_test.cc
fipsmodule/modes/gcm_test.cc
fipsmodule/rand/ctrdrbg_test.cc
fipsmodule/rand/fork_detect_test.cc
+ fipsmodule/service_indicator/service_indicator_test.cc
fipsmodule/sha/sha_test.cc
hkdf/hkdf_test.cc
hpke/hpke_test.cc
diff --git a/src/crypto/asn1/a_strex.c b/src/crypto/asn1/a_strex.c
index 3732894..56aa033 100644
--- a/src/crypto/asn1/a_strex.c
+++ b/src/crypto/asn1/a_strex.c
@@ -56,6 +56,7 @@
#include <openssl/asn1.h>
+#include <assert.h>
#include <ctype.h>
#include <inttypes.h>
#include <string.h>
@@ -155,100 +156,98 @@
return 1;
}
-#define BUF_TYPE_WIDTH_MASK 0x7
-#define BUF_TYPE_CONVUTF8 0x8
-
/*
* This function sends each character in a buffer to do_esc_char(). It
* interprets the content formats and converts to or from UTF8 as
* appropriate.
*/
-static int do_buf(unsigned char *buf, int buflen,
- int type, unsigned char flags, char *quotes, BIO *out)
+static int do_buf(const unsigned char *buf, int buflen, int encoding,
+ int utf8_convert, unsigned char flags, char *quotes, BIO *out)
{
- int i, outlen, len, charwidth;
- unsigned char orflags, *p, *q;
- uint32_t c;
- p = buf;
- q = buf + buflen;
- outlen = 0;
- charwidth = type & BUF_TYPE_WIDTH_MASK;
-
- switch (charwidth) {
- case 4:
+ /* Reject invalid UCS-4 and UCS-2 lengths without parsing. */
+ switch (encoding) {
+ case MBSTRING_UNIV:
if (buflen & 3) {
OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_UNIVERSALSTRING);
return -1;
}
break;
- case 2:
+ case MBSTRING_BMP:
if (buflen & 1) {
OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_BMPSTRING);
return -1;
}
break;
- default:
- break;
}
+ const unsigned char *p = buf;
+ const unsigned char *q = buf + buflen;
+ int outlen = 0;
while (p != q) {
- if (p == buf && flags & ASN1_STRFLGS_ESC_2253)
+ unsigned char orflags = 0;
+ if (p == buf && flags & ASN1_STRFLGS_ESC_2253) {
orflags = CHARTYPE_FIRST_ESC_2253;
- else
- orflags = 0;
+ }
/* TODO(davidben): Replace this with |cbs_get_ucs2_be|, etc., to check
- * for invalid codepoints. */
- switch (charwidth) {
- case 4:
+ * for invalid codepoints. Before doing that, enforce it in the parser,
+ * https://crbug.com/boringssl/427, so these error cases are not
+ * reachable from parsed objects. */
+ uint32_t c;
+ switch (encoding) {
+ case MBSTRING_UNIV:
c = ((uint32_t)*p++) << 24;
c |= ((uint32_t)*p++) << 16;
c |= ((uint32_t)*p++) << 8;
c |= *p++;
break;
- case 2:
+ case MBSTRING_BMP:
c = ((uint32_t)*p++) << 8;
c |= *p++;
break;
- case 1:
+ case MBSTRING_ASC:
c = *p++;
break;
- case 0:
- i = UTF8_getc(p, buflen, &c);
- if (i < 0)
+ case MBSTRING_UTF8: {
+ int consumed = UTF8_getc(p, buflen, &c);
+ if (consumed < 0)
return -1; /* Invalid UTF8String */
- buflen -= i;
- p += i;
+ buflen -= consumed;
+ p += consumed;
break;
+ }
+
default:
- return -1; /* invalid width */
+ assert(0);
+ return -1;
}
if (p == q && flags & ASN1_STRFLGS_ESC_2253)
orflags = CHARTYPE_LAST_ESC_2253;
- if (type & BUF_TYPE_CONVUTF8) {
+ if (utf8_convert) {
unsigned char utfbuf[6];
int utflen;
utflen = UTF8_putc(utfbuf, sizeof utfbuf, c);
- for (i = 0; i < utflen; i++) {
+ for (int i = 0; i < utflen; i++) {
/*
* We don't need to worry about setting orflags correctly
* because if utflen==1 its value will be correct anyway
* otherwise each character will be > 0x7f and so the
* character will never be escaped on first and last.
*/
- len = do_esc_char(utfbuf[i], (unsigned char)(flags | orflags),
- quotes, out);
- if (len < 0)
+ int len = do_esc_char(utfbuf[i], flags | orflags, quotes, out);
+ if (len < 0) {
return -1;
+ }
outlen += len;
}
} else {
- len = do_esc_char(c, (unsigned char)(flags | orflags), quotes, out);
- if (len < 0)
+ int len = do_esc_char(c, flags | orflags, quotes, out);
+ if (len < 0) {
return -1;
+ }
outlen += len;
}
}
@@ -331,22 +330,31 @@
return outlen + 1;
}
-/*
- * Lookup table to convert tags to character widths, 0 = UTF8 encoded, -1 is
- * used for non string types otherwise it is the number of bytes per
- * character
- */
-
-static const signed char tag2nbyte[] = {
- -1, -1, -1, -1, -1, /* 0-4 */
- -1, -1, -1, -1, -1, /* 5-9 */
- -1, -1, 0, -1, /* 10-13 */
- -1, -1, -1, -1, /* 15-17 */
- 1, 1, 1, /* 18-20 */
- -1, 1, 1, 1, /* 21-24 */
- -1, 1, -1, /* 25-27 */
- 4, -1, 2 /* 28-30 */
-};
+/* string_type_to_encoding returns the |MBSTRING_*| constant for the encoding
+ * used by the |ASN1_STRING| type |type|, or -1 if |tag| is not a string
+ * type. */
+static int string_type_to_encoding(int type) {
+ /* This function is sometimes passed ASN.1 universal types and sometimes
+ * passed |ASN1_STRING| type values */
+ switch (type) {
+ case V_ASN1_UTF8STRING:
+ return MBSTRING_UTF8;
+ case V_ASN1_NUMERICSTRING:
+ case V_ASN1_PRINTABLESTRING:
+ case V_ASN1_T61STRING:
+ case V_ASN1_IA5STRING:
+ case V_ASN1_UTCTIME:
+ case V_ASN1_GENERALIZEDTIME:
+ case V_ASN1_ISO64STRING:
+ /* |MBSTRING_ASC| refers to Latin-1, not ASCII. */
+ return MBSTRING_ASC;
+ case V_ASN1_UNIVERSALSTRING:
+ return MBSTRING_UNIV;
+ case V_ASN1_BMPSTRING:
+ return MBSTRING_BMP;
+ }
+ return -1;
+}
/*
* This is the main function, print out an ASN1_STRING taking note of various
@@ -356,79 +364,77 @@
int ASN1_STRING_print_ex(BIO *out, const ASN1_STRING *str, unsigned long lflags)
{
- int outlen, len;
- int type;
- char quotes;
- unsigned char flags;
- quotes = 0;
/* Keep a copy of escape flags */
- flags = (unsigned char)(lflags & ESC_FLAGS);
-
- type = str->type;
-
- outlen = 0;
-
+ unsigned char flags = (unsigned char)(lflags & ESC_FLAGS);
+ int type = str->type;
+ int outlen = 0;
if (lflags & ASN1_STRFLGS_SHOW_TYPE) {
- const char *tagname;
- tagname = ASN1_tag2str(type);
+ const char *tagname = ASN1_tag2str(type);
outlen += strlen(tagname);
if (!maybe_write(out, tagname, outlen) || !maybe_write(out, ":", 1))
return -1;
outlen++;
}
- /* Decide what to do with type, either dump content or display it */
-
- /* Dump everything */
- if (lflags & ASN1_STRFLGS_DUMP_ALL)
- type = -1;
- /* Ignore the string type */
- else if (lflags & ASN1_STRFLGS_IGNORE_TYPE)
- type = 1;
- else {
- /* Else determine width based on type */
- if ((type > 0) && (type < 31))
- type = tag2nbyte[type];
- else
- type = -1;
- if ((type == -1) && !(lflags & ASN1_STRFLGS_DUMP_UNKNOWN))
- type = 1;
+ /* Decide what to do with |str|, either dump the contents or display it. */
+ int encoding;
+ if (lflags & ASN1_STRFLGS_DUMP_ALL) {
+ /* Dump everything. */
+ encoding = -1;
+ } else if (lflags & ASN1_STRFLGS_IGNORE_TYPE) {
+ /* Ignore the string type and interpret the contents as Latin-1. */
+ encoding = MBSTRING_ASC;
+ } else {
+ encoding = string_type_to_encoding(type);
+ if (encoding == -1 && (lflags & ASN1_STRFLGS_DUMP_UNKNOWN) == 0) {
+ encoding = MBSTRING_ASC;
+ }
}
- if (type == -1) {
- len = do_dump(lflags, out, str);
+ if (encoding == -1) {
+ int len = do_dump(lflags, out, str);
if (len < 0)
return -1;
outlen += len;
return outlen;
}
+ int utf8_convert = 0;
if (lflags & ASN1_STRFLGS_UTF8_CONVERT) {
- /*
- * Note: if string is UTF8 and we want to convert to UTF8 then we
- * just interpret it as 1 byte per character to avoid converting
- * twice.
- */
- if (!type)
- type = 1;
- else
- type |= BUF_TYPE_CONVUTF8;
+ /* If the string is UTF-8, skip decoding and just interpret it as 1 byte
+ * per character to avoid converting twice.
+ *
+ * TODO(davidben): This is not quite a valid optimization if the input
+ * was invalid UTF-8. */
+ if (encoding == MBSTRING_UTF8) {
+ encoding = MBSTRING_ASC;
+ } else {
+ utf8_convert = 1;
+ }
}
- len = do_buf(str->data, str->length, type, flags, "es, NULL);
- if (len < 0)
+ /* Measure the length. */
+ char quotes = 0;
+ int len = do_buf(str->data, str->length, encoding, utf8_convert, flags,
+ "es, NULL);
+ if (len < 0) {
return -1;
+ }
outlen += len;
- if (quotes)
+ if (quotes) {
outlen += 2;
- if (!out)
+ }
+ if (!out) {
return outlen;
- if (quotes && !maybe_write(out, "\"", 1))
+ }
+
+ /* Encode the value. */
+ if ((quotes && !maybe_write(out, "\"", 1)) ||
+ do_buf(str->data, str->length, encoding, utf8_convert, flags, NULL,
+ out) < 0 ||
+ (quotes && !maybe_write(out, "\"", 1))) {
return -1;
- if (do_buf(str->data, str->length, type, flags, NULL, out) < 0)
- return -1;
- if (quotes && !maybe_write(out, "\"", 1))
- return -1;
+ }
return outlen;
}
@@ -451,22 +457,19 @@
int ASN1_STRING_to_UTF8(unsigned char **out, const ASN1_STRING *in)
{
- ASN1_STRING stmp, *str = &stmp;
- int mbflag, type, ret;
if (!in)
return -1;
- type = in->type;
- if ((type < 0) || (type > 30))
+ int mbflag = string_type_to_encoding(in->type);
+ if (mbflag == -1) {
+ OPENSSL_PUT_ERROR(ASN1, ASN1_R_UNKNOWN_TAG);
return -1;
- mbflag = tag2nbyte[type];
- if (mbflag == -1)
- return -1;
- mbflag |= MBSTRING_FLAG;
+ }
+ ASN1_STRING stmp, *str = &stmp;
stmp.data = NULL;
stmp.length = 0;
stmp.flags = 0;
- ret = ASN1_mbstring_copy(&str, in->data, in->length, mbflag,
- B_ASN1_UTF8STRING);
+ int ret = ASN1_mbstring_copy(&str, in->data, in->length, mbflag,
+ B_ASN1_UTF8STRING);
if (ret < 0)
return ret;
*out = stmp.data;
diff --git a/src/crypto/asn1/asn1_test.cc b/src/crypto/asn1/asn1_test.cc
index 7d69889..6087ef4 100644
--- a/src/crypto/asn1/asn1_test.cc
+++ b/src/crypto/asn1/asn1_test.cc
@@ -871,6 +871,8 @@
{{0, 0, 0xfd, 0xd5}, V_ASN1_UNIVERSALSTRING, nullptr},
// BMPString is UCS-2, not UTF-16, so surrogate pairs are invalid.
{{0xd8, 0, 0xdc, 1}, V_ASN1_BMPSTRING, nullptr},
+ // INTEGERs are stored as strings, but cannot be converted to UTF-8.
+ {{0x01}, V_ASN1_INTEGER, nullptr},
};
for (const auto &test : kTests) {
@@ -2075,6 +2077,47 @@
sizeof(kIndefinite)));
}
+template <typename T>
+void ExpectNoParse(T *(*d2i)(T **, const uint8_t **, long),
+ const std::vector<uint8_t> &in) {
+ SCOPED_TRACE(Bytes(in));
+ const uint8_t *ptr = in.data();
+ bssl::UniquePtr<T> obj(d2i(nullptr, &ptr, in.size()));
+ EXPECT_FALSE(obj);
+}
+
+// The zero tag, constructed or primitive, is reserved and should rejected by
+// the parser.
+TEST(ASN1Test, ZeroTag) {
+ ExpectNoParse(d2i_ASN1_TYPE, {0x00, 0x00});
+ ExpectNoParse(d2i_ASN1_TYPE, {0x00, 0x10, 0x00});
+ ExpectNoParse(d2i_ASN1_TYPE, {0x20, 0x00});
+ ExpectNoParse(d2i_ASN1_TYPE, {0x20, 0x00});
+ ExpectNoParse(d2i_ASN1_SEQUENCE_ANY, {0x30, 0x02, 0x00, 0x00});
+ ExpectNoParse(d2i_ASN1_SET_ANY, {0x31, 0x02, 0x00, 0x00});
+ // SEQUENCE {
+ // OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.1 }
+ // [UNIVERSAL 0 PRIMITIVE] {}
+ // }
+ ExpectNoParse(d2i_X509_ALGOR,
+ {0x30, 0x10, 0x06, 0x0c, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12,
+ 0x04, 0x01, 0x84, 0xb7, 0x09, 0x01, 0x00, 0x00});
+ // SEQUENCE {
+ // OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.1 }
+ // [UNIVERSAL 0 CONSTRUCTED] {}
+ // }
+ ExpectNoParse(d2i_X509_ALGOR,
+ {0x30, 0x10, 0x06, 0x0c, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12,
+ 0x04, 0x01, 0x84, 0xb7, 0x09, 0x01, 0x20, 0x00});
+ // SEQUENCE {
+ // OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.1 }
+ // [UNIVERSAL 0 PRIMITIVE] { "a" }
+ // }
+ ExpectNoParse(d2i_X509_ALGOR,
+ {0x30, 0x11, 0x06, 0x0c, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12,
+ 0x04, 0x01, 0x84, 0xb7, 0x09, 0x01, 0x00, 0x01, 0x61});
+}
+
// The ASN.1 macros do not work on Windows shared library builds, where usage of
// |OPENSSL_EXPORT| is a bit stricter.
#if !defined(OPENSSL_WINDOWS) || !defined(BORINGSSL_SHARED_LIBRARY)
diff --git a/src/crypto/asn1/tasn_dec.c b/src/crypto/asn1/tasn_dec.c
index beb9a0b..5bfd930 100644
--- a/src/crypto/asn1/tasn_dec.c
+++ b/src/crypto/asn1/tasn_dec.c
@@ -74,27 +74,27 @@
*/
#define ASN1_MAX_CONSTRUCTED_NEST 30
-static int asn1_check_eoc(const unsigned char **in, long len);
-
static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass,
char *cst, const unsigned char **in, long len,
- int exptag, int expclass, char opt, ASN1_TLC *ctx);
+ int exptag, int expclass, char opt);
static int asn1_template_ex_d2i(ASN1_VALUE **pval,
const unsigned char **in, long len,
const ASN1_TEMPLATE *tt, char opt,
- ASN1_TLC *ctx, int depth);
+ int depth);
static int asn1_template_noexp_d2i(ASN1_VALUE **val,
const unsigned char **in, long len,
const ASN1_TEMPLATE *tt, char opt,
- ASN1_TLC *ctx, int depth);
+ int depth);
static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
int utype, const ASN1_ITEM *it);
static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
const unsigned char **in, long len,
const ASN1_ITEM *it,
- int tag, int aclass, char opt,
- ASN1_TLC *ctx);
+ int tag, int aclass, char opt);
+static int asn1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in,
+ long len, const ASN1_ITEM *it, int tag, int aclass,
+ char opt, int depth);
/* Table to convert tags to bit values, used for MSTRING type */
static const unsigned long tag2bit[32] = {
@@ -126,10 +126,6 @@
/* Macro to initialize and invalidate the cache */
-#define asn1_tlc_clear(c) if (c) (c)->valid = 0
-/* Version to avoid compiler warning about 'c' always non-NULL */
-#define asn1_tlc_clear_nc(c) (c)->valid = 0
-
/*
* Decode an ASN1 item, this currently behaves just like a standard 'd2i'
* function. 'in' points to a buffer to read the data from, in future we
@@ -141,12 +137,11 @@
const unsigned char **in, long len,
const ASN1_ITEM *it)
{
- ASN1_TLC c;
ASN1_VALUE *ptmpval = NULL;
if (!pval)
pval = &ptmpval;
- asn1_tlc_clear_nc(&c);
- if (ASN1_item_ex_d2i(pval, in, len, it, -1, 0, 0, &c) > 0)
+
+ if (asn1_item_ex_d2i(pval, in, len, it, -1, 0, 0, 0) > 0)
return *pval;
return NULL;
}
@@ -158,7 +153,7 @@
static int asn1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in,
long len, const ASN1_ITEM *it, int tag, int aclass,
- char opt, ASN1_TLC *ctx, int depth)
+ char opt, int depth)
{
const ASN1_TEMPLATE *tt, *errtt = NULL;
const ASN1_EXTERN_FUNCS *ef;
@@ -202,10 +197,10 @@
goto err;
}
return asn1_template_ex_d2i(pval, in, len,
- it->templates, opt, ctx, depth);
+ it->templates, opt, depth);
}
return asn1_d2i_ex_primitive(pval, in, len, it,
- tag, aclass, opt, ctx);
+ tag, aclass, opt);
break;
case ASN1_ITYPE_MSTRING:
@@ -221,7 +216,7 @@
p = *in;
/* Just read in tag and class */
ret = asn1_check_tlen(NULL, &otag, &oclass, NULL,
- &p, len, -1, 0, 1, ctx);
+ &p, len, -1, 0, 1);
if (!ret) {
OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
goto err;
@@ -243,12 +238,12 @@
OPENSSL_PUT_ERROR(ASN1, ASN1_R_MSTRING_WRONG_TAG);
goto err;
}
- return asn1_d2i_ex_primitive(pval, in, len, it, otag, 0, 0, ctx);
+ return asn1_d2i_ex_primitive(pval, in, len, it, otag, 0, 0);
case ASN1_ITYPE_EXTERN:
/* Use new style d2i */
ef = it->funcs;
- return ef->asn1_ex_d2i(pval, in, len, it, tag, aclass, opt, ctx);
+ return ef->asn1_ex_d2i(pval, in, len, it, tag, aclass, opt, NULL);
case ASN1_ITYPE_CHOICE: {
/*
@@ -285,7 +280,7 @@
/*
* We mark field as OPTIONAL so its absence can be recognised.
*/
- ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx, depth);
+ ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, depth);
/* If field not present, try the next one */
if (ret == -1)
continue;
@@ -327,7 +322,7 @@
}
/* Get SEQUENCE length and update len, p */
ret = asn1_check_tlen(&len, NULL, NULL, &cst,
- &p, len, tag, aclass, opt, ctx);
+ &p, len, tag, aclass, opt);
if (!ret) {
OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
goto err;
@@ -373,13 +368,6 @@
if (!len)
break;
q = p;
- /* TODO(https://crbug.com/boringssl/455): Although we've removed
- * indefinite-length support, this check is not quite a no-op.
- * Reject [UNIVERSAL 0] in the tag parsers themselves. */
- if (asn1_check_eoc(&p, len)) {
- OPENSSL_PUT_ERROR(ASN1, ASN1_R_UNEXPECTED_EOC);
- goto err;
- }
/*
* This determines the OPTIONAL flag value. The field cannot be
* omitted if it is the last of a SEQUENCE and there is still
@@ -394,8 +382,7 @@
* attempt to read in field, allowing each to be OPTIONAL
*/
- ret = asn1_template_ex_d2i(pseqval, &p, len, seqtt, isopt, ctx,
- depth);
+ ret = asn1_template_ex_d2i(pseqval, &p, len, seqtt, isopt, depth);
if (!ret) {
errtt = seqtt;
goto err;
@@ -465,7 +452,7 @@
const ASN1_ITEM *it,
int tag, int aclass, char opt, ASN1_TLC *ctx)
{
- return asn1_item_ex_d2i(pval, in, len, it, tag, aclass, opt, ctx, 0);
+ return asn1_item_ex_d2i(pval, in, len, it, tag, aclass, opt, 0);
}
/*
@@ -476,7 +463,7 @@
static int asn1_template_ex_d2i(ASN1_VALUE **val,
const unsigned char **in, long inlen,
const ASN1_TEMPLATE *tt, char opt,
- ASN1_TLC *ctx, int depth)
+ int depth)
{
int flags, aclass;
int ret;
@@ -497,7 +484,7 @@
* where it starts: so read in EXPLICIT header to get the info.
*/
ret = asn1_check_tlen(&len, NULL, NULL, &cst,
- &p, inlen, tt->tag, aclass, opt, ctx);
+ &p, inlen, tt->tag, aclass, opt);
q = p;
if (!ret) {
OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
@@ -509,7 +496,7 @@
return 0;
}
/* We've found the field so it can't be OPTIONAL now */
- ret = asn1_template_noexp_d2i(val, &p, len, tt, 0, ctx, depth);
+ ret = asn1_template_noexp_d2i(val, &p, len, tt, 0, depth);
if (!ret) {
OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
return 0;
@@ -522,7 +509,7 @@
goto err;
}
} else
- return asn1_template_noexp_d2i(val, in, inlen, tt, opt, ctx, depth);
+ return asn1_template_noexp_d2i(val, in, inlen, tt, opt, depth);
*in = p;
return 1;
@@ -535,7 +522,7 @@
static int asn1_template_noexp_d2i(ASN1_VALUE **val,
const unsigned char **in, long len,
const ASN1_TEMPLATE *tt, char opt,
- ASN1_TLC *ctx, int depth)
+ int depth)
{
int flags, aclass;
int ret;
@@ -563,7 +550,7 @@
}
/* Get the tag */
ret = asn1_check_tlen(&len, NULL, NULL, NULL,
- &p, len, sktag, skaclass, opt, ctx);
+ &p, len, sktag, skaclass, opt);
if (!ret) {
OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
return 0;
@@ -592,16 +579,9 @@
while (len > 0) {
ASN1_VALUE *skfield;
const unsigned char *q = p;
- /* TODO(https://crbug.com/boringssl/455): Although we've removed
- * indefinite-length support, this check is not quite a no-op.
- * Reject [UNIVERSAL 0] in the tag parsers themselves. */
- if (asn1_check_eoc(&p, len)) {
- OPENSSL_PUT_ERROR(ASN1, ASN1_R_UNEXPECTED_EOC);
- goto err;
- }
skfield = NULL;
if (!asn1_item_ex_d2i(&skfield, &p, len, ASN1_ITEM_ptr(tt->item),
- -1, 0, 0, ctx, depth)) {
+ -1, 0, 0, depth)) {
OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
goto err;
}
@@ -615,7 +595,7 @@
} else if (flags & ASN1_TFLG_IMPTAG) {
/* IMPLICIT tagging */
ret = asn1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), tt->tag,
- aclass, opt, ctx, depth);
+ aclass, opt, depth);
if (!ret) {
OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
goto err;
@@ -624,7 +604,7 @@
} else {
/* Nothing special */
ret = asn1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
- -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx,
+ -1, tt->flags & ASN1_TFLG_COMBINE, opt,
depth);
if (!ret) {
OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
@@ -644,7 +624,7 @@
static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
const unsigned char **in, long inlen,
const ASN1_ITEM *it,
- int tag, int aclass, char opt, ASN1_TLC *ctx)
+ int tag, int aclass, char opt)
{
int ret = 0, utype;
long plen;
@@ -676,7 +656,7 @@
}
p = *in;
ret = asn1_check_tlen(NULL, &utype, &oclass, NULL,
- &p, inlen, -1, 0, 0, ctx);
+ &p, inlen, -1, 0, 0);
if (!ret) {
OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
return 0;
@@ -691,7 +671,7 @@
p = *in;
/* Check header */
ret = asn1_check_tlen(&plen, NULL, NULL, &cst,
- &p, inlen, tag, aclass, opt, ctx);
+ &p, inlen, tag, aclass, opt);
if (!ret) {
OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
return 0;
@@ -701,15 +681,8 @@
/* SEQUENCE, SET and "OTHER" are left in encoded form */
if ((utype == V_ASN1_SEQUENCE)
|| (utype == V_ASN1_SET) || (utype == V_ASN1_OTHER)) {
- /*
- * Clear context cache for type OTHER because the auto clear when we
- * have a exact match wont work
- */
- if (utype == V_ASN1_OTHER) {
- asn1_tlc_clear(ctx);
- }
/* SEQUENCE and SET must be constructed */
- else if (!cst) {
+ if (utype != V_ASN1_OTHER && !cst) {
OPENSSL_PUT_ERROR(ASN1, ASN1_R_TYPE_NOT_CONSTRUCTED);
return 0;
}
@@ -868,70 +841,24 @@
return ret;
}
-/* Check for ASN1 EOC and swallow it if found */
-
-static int asn1_check_eoc(const unsigned char **in, long len)
-{
- const unsigned char *p;
- if (len < 2)
- return 0;
- p = *in;
- if (!p[0] && !p[1]) {
- *in += 2;
- return 1;
- }
- return 0;
-}
-
/*
- * Check an ASN1 tag and length: a bit like ASN1_get_object but it handles
- * the ASN1_TLC cache and checks the expected tag.
+ * Check an ASN1 tag and length: a bit like ASN1_get_object but it
+ * checks the expected tag.
*/
static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass,
char *cst, const unsigned char **in, long len,
- int exptag, int expclass, char opt, ASN1_TLC *ctx)
+ int exptag, int expclass, char opt)
{
int i;
int ptag, pclass;
long plen;
- const unsigned char *p, *q;
+ const unsigned char *p;
p = *in;
- q = p;
- if (ctx && ctx->valid) {
- i = ctx->ret;
- plen = ctx->plen;
- pclass = ctx->pclass;
- ptag = ctx->ptag;
- p += ctx->hdrlen;
- } else {
- i = ASN1_get_object(&p, &plen, &ptag, &pclass, len);
- if (ctx) {
- ctx->ret = i;
- ctx->plen = plen;
- ctx->pclass = pclass;
- ctx->ptag = ptag;
- ctx->hdrlen = p - q;
- ctx->valid = 1;
- /*
- * If no error, length + header can't exceed total amount of data
- * available.
- *
- * TODO(davidben): Is this check necessary? |ASN1_get_object|
- * should already guarantee this.
- */
- if (!(i & 0x80) && ((plen + ctx->hdrlen) > len)) {
- OPENSSL_PUT_ERROR(ASN1, ASN1_R_TOO_LONG);
- asn1_tlc_clear(ctx);
- return 0;
- }
- }
- }
-
+ i = ASN1_get_object(&p, &plen, &ptag, &pclass, len);
if (i & 0x80) {
OPENSSL_PUT_ERROR(ASN1, ASN1_R_BAD_OBJECT_HEADER);
- asn1_tlc_clear(ctx);
return 0;
}
if (exptag >= 0) {
@@ -941,15 +868,9 @@
*/
if (opt)
return -1;
- asn1_tlc_clear(ctx);
OPENSSL_PUT_ERROR(ASN1, ASN1_R_WRONG_TAG);
return 0;
}
- /*
- * We have a tag and class match: assume we are going to do something
- * with it
- */
- asn1_tlc_clear(ctx);
}
if (cst)
diff --git a/src/crypto/asn1/time_support.c b/src/crypto/asn1/time_support.c
index e748ad7..68c6086 100644
--- a/src/crypto/asn1/time_support.c
+++ b/src/crypto/asn1/time_support.c
@@ -55,7 +55,7 @@
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com). */
-#if !defined(_POSIX_C_SOURCE)
+#if defined(__linux__) && !defined(_POSIX_C_SOURCE)
#define _POSIX_C_SOURCE 201410L /* for gmtime_r */
#endif
diff --git a/src/crypto/bio/socket_helper.c b/src/crypto/bio/socket_helper.c
index fc751fd..4cd7825 100644
--- a/src/crypto/bio/socket_helper.c
+++ b/src/crypto/bio/socket_helper.c
@@ -12,8 +12,10 @@
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+#if defined(__linux__)
#undef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
+#endif
#include <openssl/bio.h>
#include <openssl/err.h>
diff --git a/src/crypto/bytestring/ber.c b/src/crypto/bytestring/ber.c
index d9b780f..dc707b9 100644
--- a/src/crypto/bytestring/ber.c
+++ b/src/crypto/bytestring/ber.c
@@ -93,11 +93,14 @@
return 1;
}
-// is_eoc returns true if |header_len| and |contents|, as returned by
-// |CBS_get_any_ber_asn1_element|, indicate an "end of contents" (EOC) value.
-static char is_eoc(size_t header_len, CBS *contents) {
- return header_len == 2 && CBS_len(contents) == 2 &&
- OPENSSL_memcmp(CBS_data(contents), "\x00\x00", 2) == 0;
+// cbs_get_eoc returns one if |cbs| begins with an "end of contents" (EOC) value
+// and zero otherwise. If an EOC was found, it advances |cbs| past it.
+static int cbs_get_eoc(CBS *cbs) {
+ if (CBS_len(cbs) >= 2 &&
+ CBS_data(cbs)[0] == 0 && CBS_data(cbs)[1] == 0) {
+ return CBS_skip(cbs, 2);
+ }
+ return 0;
}
// cbs_convert_ber reads BER data from |in| and writes DER data to |out|. If
@@ -116,21 +119,20 @@
}
while (CBS_len(in) > 0) {
+ if (looking_for_eoc && cbs_get_eoc(in)) {
+ return 1;
+ }
+
CBS contents;
unsigned tag, child_string_tag = string_tag;
size_t header_len;
int indefinite;
CBB *out_contents, out_contents_storage;
-
if (!CBS_get_any_ber_asn1_element(in, &contents, &tag, &header_len,
/*out_ber_found=*/NULL, &indefinite)) {
return 0;
}
- if (is_eoc(header_len, &contents)) {
- return looking_for_eoc;
- }
-
if (string_tag != 0) {
// This is part of a constructed string. All elements must match
// |string_tag| up to the constructed bit and get appended to |out|
diff --git a/src/crypto/bytestring/bytestring_test.cc b/src/crypto/bytestring/bytestring_test.cc
index 77261a3..a8c1913 100644
--- a/src/crypto/bytestring/bytestring_test.cc
+++ b/src/crypto/bytestring/bytestring_test.cc
@@ -699,7 +699,6 @@
static const BERTest kBERTests[] = {
// Trivial cases, also valid DER.
- {"0000", true, false, false, 0},
{"0100", true, false, false, 1},
{"020101", true, false, false, 2},
@@ -725,6 +724,12 @@
{"1f4000", true, false, false, 0x40},
// Non-minimal tags are invalid, even in BER.
{"1f804000", false, false, false, 0},
+
+ // EOCs and other forms of tag [UNIVERSAL 0] are rejected as elements.
+ {"0000", false, false, false, 0},
+ {"000100", false, false, false, 0},
+ {"00800000", false, false, false, 0},
+ {"2000", false, false, false, 0},
};
TEST(CBSTest, BERElementTest) {
diff --git a/src/crypto/bytestring/cbs.c b/src/crypto/bytestring/cbs.c
index 293e66c..010897b 100644
--- a/src/crypto/bytestring/cbs.c
+++ b/src/crypto/bytestring/cbs.c
@@ -279,6 +279,13 @@
tag |= tag_number;
+ // Tag [UNIVERSAL 0] is reserved for use by the encoding. Reject it here to
+ // avoid some ambiguity around ANY values and BER indefinite-length EOCs. See
+ // https://crbug.com/boringssl/455.
+ if ((tag & ~CBS_ASN1_CONSTRUCTED) == 0) {
+ return 0;
+ }
+
*out = tag;
return 1;
}
diff --git a/src/crypto/cipher_extra/asm/chacha20_poly1305_armv8.pl b/src/crypto/cipher_extra/asm/chacha20_poly1305_armv8.pl
new file mode 100644
index 0000000..24b5c9b
--- /dev/null
+++ b/src/crypto/cipher_extra/asm/chacha20_poly1305_armv8.pl
@@ -0,0 +1,1644 @@
+#!/usr/bin/env perl
+
+# Copyright (c) 2020, CloudFlare Ltd.
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+# SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+# OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+# CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+##############################################################################
+# #
+# Author: Vlad Krasnov #
+# #
+##############################################################################
+
+$flavour = shift;
+while (($output=shift) && ($output!~/\w[\w\-]*\.\w+$/)) {}
+
+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
+( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
+( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
+die "can't locate arm-xlate.pl";
+
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
+
+my ($oup,$inp,$inl,$adp,$adl,$keyp,$itr1,$itr2) = ("x0","x1","x2","x3","x4","x5","x6","x7");
+my ($acc0,$acc1,$acc2) = map("x$_",(8..10));
+my ($t0,$t1,$t2,$t3) = map("x$_",(11..14));
+my ($one, $r0, $r1) = ("x15","x16","x17");
+my ($t0w) = $t0 =~ s/x/w/r;
+
+my ($A0,$A1,$A2,$A3,$A4,$B0,$B1,$B2,$B3,$B4,$C0,$C1,$C2,$C3,$C4,$D0,$D1,$D2,$D3,$D4) = map("v$_",(0..19));
+my ($T0,$T1,$T2,$T3) = map("v$_",(20..23));
+
+my $CONSTS = "v24";
+my $INC = "v25";
+my $ROL8 = "v26";
+my $CLAMP = "v27";
+
+my ($B_STORE, $C_STORE, $D_STORE) = map("v$_",(28..30));
+
+my $S_STORE = $CLAMP;
+my $LEN_STORE = "v31";
+
+sub chacha_qr {
+my ($a,$b,$c,$d,$t,$dir)=@_;
+my ($shift_b,$shift_d) = $dir =~ /left/ ? ("#4","#12") : ("#12","#4");
+$code.=<<___;
+ add $a.4s, $a.4s, $b.4s
+ eor $d.16b, $d.16b, $a.16b
+ rev32 $d.8h, $d.8h
+
+ add $c.4s, $c.4s, $d.4s
+ eor $b.16b, $b.16b, $c.16b
+ ushr $t.4s, $b.4s, #20
+ sli $t.4s, $b.4s, #12
+___
+ ($t,$b) = ($b,$t);
+$code.=<<___;
+ add $a.4s, $a.4s, $b.4s
+ eor $d.16b, $d.16b, $a.16b
+ tbl $d.16b, {$d.16b}, $ROL8.16b
+
+ add $c.4s, $c.4s, $d.4s
+ eor $b.16b, $b.16b, $c.16b
+ ushr $t.4s, $b.4s, #25
+ sli $t.4s, $b.4s, #7
+___
+ ($t,$b) = ($b,$t);
+$code.=<<___;
+ ext $b.16b, $b.16b, $b.16b, $shift_b
+ ext $c.16b, $c.16b, $c.16b, #8
+ ext $d.16b, $d.16b, $d.16b, $shift_d
+___
+}
+
+sub poly_add {
+my ($src)=@_;
+$code.="ldp $t0, $t1, [$src], 16
+ adds $acc0, $acc0, $t0
+ adcs $acc1, $acc1, $t1
+ adc $acc2, $acc2, $one\n";
+}
+
+sub poly_add_vec {
+my ($src)=@_;
+$code.="mov $t0, $src.d[0]
+ mov $t1, $src.d[1]
+ adds $acc0, $acc0, $t0
+ adcs $acc1, $acc1, $t1
+ adc $acc2, $acc2, $one\n";
+}
+
+sub poly_stage1 {
+$code.="mul $t0, $acc0, $r0 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh $t1, $acc0, $r0
+ mul $t2, $acc1, $r0
+ umulh $t3, $acc1, $r0
+ adds $t1, $t1, $t2
+ mul $t2, $acc2, $r0
+ adc $t2, $t2, $t3\n";
+}
+
+sub poly_stage2 {
+$code.="mul $t3, $acc0, $r1 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh $acc0, $acc0, $r1
+ adds $t1, $t1, $t3
+ mul $t3, $acc1, $r1
+ umulh $acc1, $acc1, $r1
+ adcs $t3, $t3, $acc0
+ mul $acc2, $acc2, $r1
+ adc $acc2, $acc2, $acc1
+ adds $t2, $t2, $t3
+ adc $t3, $acc2, xzr\n";
+}
+
+# At the beginning of the reduce stage t = [t3:t2:t1:t0] is a product of
+# r = [r1:r0] and acc = [acc2:acc1:acc0]
+# r is 124 bits at most (due to clamping) and acc is 131 bits at most
+# (acc2 is at most 4 before the addition and can be at most 6 when we add in
+# the next block) therefore t is at most 255 bits big, and t3 is 63 bits.
+sub poly_reduce_stage {
+$code.="and $acc2, $t2, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and $acc0, $t2, #-4
+ extr $t2, $t3, $t2, #2
+ adds $acc0, $acc0, $t0
+ lsr $t0, $t3, #2
+ adc $acc1, $t3, $t0 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds $acc0, $acc0, $t2
+ adcs $acc1, $acc1, $t1
+ adc $acc2, $acc2, xzr // At this point acc2 has the value of 4 at most \n";
+}
+
+sub poly_mul {
+ &poly_stage1();
+ &poly_stage2();
+ &poly_reduce_stage();
+}
+
+sub chacha_qr_x3 {
+my ($dir)=@_;
+my ($shift_b,$shift_d) = $dir =~ /left/ ? ("#4","#12") : ("#12","#4");
+$code.=<<___;
+ add $A0.4s, $A0.4s, $B0.4s
+ add $A1.4s, $A1.4s, $B1.4s
+ add $A2.4s, $A2.4s, $B2.4s
+ eor $D0.16b, $D0.16b, $A0.16b
+ eor $D1.16b, $D1.16b, $A1.16b
+ eor $D2.16b, $D2.16b, $A2.16b
+ rev32 $D0.8h, $D0.8h
+ rev32 $D1.8h, $D1.8h
+ rev32 $D2.8h, $D2.8h
+
+ add $C0.4s, $C0.4s, $D0.4s
+ add $C1.4s, $C1.4s, $D1.4s
+ add $C2.4s, $C2.4s, $D2.4s
+ eor $B0.16b, $B0.16b, $C0.16b
+ eor $B1.16b, $B1.16b, $C1.16b
+ eor $B2.16b, $B2.16b, $C2.16b
+ ushr $T0.4s, $B0.4s, #20
+ sli $T0.4s, $B0.4s, #12
+ ushr $B0.4s, $B1.4s, #20
+ sli $B0.4s, $B1.4s, #12
+ ushr $B1.4s, $B2.4s, #20
+ sli $B1.4s, $B2.4s, #12
+
+ add $A0.4s, $A0.4s, $T0.4s
+ add $A1.4s, $A1.4s, $B0.4s
+ add $A2.4s, $A2.4s, $B1.4s
+ eor $D0.16b, $D0.16b, $A0.16b
+ eor $D1.16b, $D1.16b, $A1.16b
+ eor $D2.16b, $D2.16b, $A2.16b
+ tbl $D0.16b, {$D0.16b}, $ROL8.16b
+ tbl $D1.16b, {$D1.16b}, $ROL8.16b
+ tbl $D2.16b, {$D2.16b}, $ROL8.16b
+
+ add $C0.4s, $C0.4s, $D0.4s
+ add $C1.4s, $C1.4s, $D1.4s
+ add $C2.4s, $C2.4s, $D2.4s
+ eor $T0.16b, $T0.16b, $C0.16b
+ eor $B0.16b, $B0.16b, $C1.16b
+ eor $B1.16b, $B1.16b, $C2.16b
+ ushr $B2.4s, $B1.4s, #25
+ sli $B2.4s, $B1.4s, #7
+ ushr $B1.4s, $B0.4s, #25
+ sli $B1.4s, $B0.4s, #7
+ ushr $B0.4s, $T0.4s, #25
+ sli $B0.4s, $T0.4s, #7
+
+ ext $B0.16b, $B0.16b, $B0.16b, $shift_b
+ ext $B1.16b, $B1.16b, $B1.16b, $shift_b
+ ext $B2.16b, $B2.16b, $B2.16b, $shift_b
+
+ ext $C0.16b, $C0.16b, $C0.16b, #8
+ ext $C1.16b, $C1.16b, $C1.16b, #8
+ ext $C2.16b, $C2.16b, $C2.16b, #8
+
+ ext $D0.16b, $D0.16b, $D0.16b, $shift_d
+ ext $D1.16b, $D1.16b, $D1.16b, $shift_d
+ ext $D2.16b, $D2.16b, $D2.16b, $shift_d
+___
+}
+
+# When preparing 5 ChaCha20 blocks in parallel, we operate on 4 blocks vertically as introduced by Andrew Moon
+# the fifth block is done horizontally
+sub chacha_qr_x5 {
+my ($dir)=@_;
+my ($a0,$a1,$a2,$a3) = $dir =~ /left/ ? ($A0,$A1,$A2,$A3) : ($A0,$A1,$A2,$A3);
+my ($b0,$b1,$b2,$b3) = $dir =~ /left/ ? ($B0,$B1,$B2,$B3) : ($B1,$B2,$B3,$B0);
+my ($c0,$c1,$c2,$c3) = $dir =~ /left/ ? ($C0,$C1,$C2,$C3) : ($C2,$C3,$C0,$C1);
+my ($d0,$d1,$d2,$d3) = $dir =~ /left/ ? ($D0,$D1,$D2,$D3) : ($D3,$D0,$D1,$D2);
+my ($shift_b,$shift_d) = $dir =~ /left/ ? ("#4","#12") : ("#12","#4");
+$code.=<<___;
+ add $a0.4s, $a0.4s, $b0.4s
+ add $a1.4s, $a1.4s, $b1.4s
+ add $a2.4s, $a2.4s, $b2.4s
+ add $a3.4s, $a3.4s, $b3.4s
+ add $A4.4s, $A4.4s, $B4.4s
+
+ eor $d0.16b, $d0.16b, $a0.16b
+ eor $d1.16b, $d1.16b, $a1.16b
+ eor $d2.16b, $d2.16b, $a2.16b
+ eor $d3.16b, $d3.16b, $a3.16b
+ eor $D4.16b, $D4.16b, $A4.16b
+
+ rev32 $d0.8h, $d0.8h
+ rev32 $d1.8h, $d1.8h
+ rev32 $d2.8h, $d2.8h
+ rev32 $d3.8h, $d3.8h
+ rev32 $D4.8h, $D4.8h
+
+ add $c0.4s, $c0.4s, $d0.4s
+ add $c1.4s, $c1.4s, $d1.4s
+ add $c2.4s, $c2.4s, $d2.4s
+ add $c3.4s, $c3.4s, $d3.4s
+ add $C4.4s, $C4.4s, $D4.4s
+
+ eor $b0.16b, $b0.16b, $c0.16b
+ eor $b1.16b, $b1.16b, $c1.16b
+ eor $b2.16b, $b2.16b, $c2.16b
+ eor $b3.16b, $b3.16b, $c3.16b
+ eor $B4.16b, $B4.16b, $C4.16b
+
+ ushr $T0.4s, $b0.4s, #20
+ sli $T0.4s, $b0.4s, #12
+ ushr $b0.4s, $b1.4s, #20
+ sli $b0.4s, $b1.4s, #12
+ ushr $b1.4s, $b2.4s, #20
+ sli $b1.4s, $b2.4s, #12
+ ushr $b2.4s, $b3.4s, #20
+ sli $b2.4s, $b3.4s, #12
+ ushr $b3.4s, $B4.4s, #20
+ sli $b3.4s, $B4.4s, #12
+
+ add $a0.4s, $a0.4s, $T0.4s
+ add $a1.4s, $a1.4s, $b0.4s
+ add $a2.4s, $a2.4s, $b1.4s
+ add $a3.4s, $a3.4s, $b2.4s
+ add $A4.4s, $A4.4s, $b3.4s
+
+ eor $d0.16b, $d0.16b, $a0.16b
+ eor $d1.16b, $d1.16b, $a1.16b
+ eor $d2.16b, $d2.16b, $a2.16b
+ eor $d3.16b, $d3.16b, $a3.16b
+ eor $D4.16b, $D4.16b, $A4.16b
+
+ tbl $d0.16b, {$d0.16b}, $ROL8.16b
+ tbl $d1.16b, {$d1.16b}, $ROL8.16b
+ tbl $d2.16b, {$d2.16b}, $ROL8.16b
+ tbl $d3.16b, {$d3.16b}, $ROL8.16b
+ tbl $D4.16b, {$D4.16b}, $ROL8.16b
+
+ add $c0.4s, $c0.4s, $d0.4s
+ add $c1.4s, $c1.4s, $d1.4s
+ add $c2.4s, $c2.4s, $d2.4s
+ add $c3.4s, $c3.4s, $d3.4s
+ add $C4.4s, $C4.4s, $D4.4s
+
+ eor $T0.16b, $T0.16b, $c0.16b
+ eor $b0.16b, $b0.16b, $c1.16b
+ eor $b1.16b, $b1.16b, $c2.16b
+ eor $b2.16b, $b2.16b, $c3.16b
+ eor $b3.16b, $b3.16b, $C4.16b
+
+ ushr $B4.4s, $b3.4s, #25
+ sli $B4.4s, $b3.4s, #7
+ ushr $b3.4s, $b2.4s, #25
+ sli $b3.4s, $b2.4s, #7
+ ushr $b2.4s, $b1.4s, #25
+ sli $b2.4s, $b1.4s, #7
+ ushr $b1.4s, $b0.4s, #25
+ sli $b1.4s, $b0.4s, #7
+ ushr $b0.4s, $T0.4s, #25
+ sli $b0.4s, $T0.4s, #7
+
+ ext $B4.16b, $B4.16b, $B4.16b, $shift_b
+ ext $C4.16b, $C4.16b, $C4.16b, #8
+ ext $D4.16b, $D4.16b, $D4.16b, $shift_d
+___
+}
+
+{
+$code.=<<___;
+#include <openssl/arm_arch.h>
+.section .rodata
+
+.align 7
+.Lchacha20_consts:
+.byte 'e','x','p','a','n','d',' ','3','2','-','b','y','t','e',' ','k'
+.Linc:
+.long 1,2,3,4
+.Lrol8:
+.byte 3,0,1,2, 7,4,5,6, 11,8,9,10, 15,12,13,14
+.Lclamp:
+.quad 0x0FFFFFFC0FFFFFFF, 0x0FFFFFFC0FFFFFFC
+
+.text
+
+.type .Lpoly_hash_ad_internal,%function
+.align 6
+.Lpoly_hash_ad_internal:
+ .cfi_startproc
+ cbnz $adl, .Lpoly_hash_intro
+ ret
+
+.Lpoly_hash_intro:
+ cmp $adl, #16
+ b.lt .Lpoly_hash_ad_tail
+___
+ &poly_add($adp);
+ &poly_mul();
+$code.=<<___;
+ sub $adl, $adl, #16
+ b .Lpoly_hash_ad_internal
+
+.Lpoly_hash_ad_tail:
+ cbz $adl, .Lpoly_hash_ad_ret
+
+ eor $T0.16b, $T0.16b, $T0.16b // Use T0 to load the AAD
+ sub $adl, $adl, #1
+
+.Lpoly_hash_tail_16_compose:
+ ext $T0.16b, $T0.16b, $T0.16b, #15
+ ldrb $t0w, [$adp, $adl]
+ mov $T0.b[0], $t0w
+ subs $adl, $adl, #1
+ b.ge .Lpoly_hash_tail_16_compose
+___
+ &poly_add_vec($T0);
+ &poly_mul();
+$code.=<<___;
+
+.Lpoly_hash_ad_ret:
+ ret
+ .cfi_endproc
+.size .Lpoly_hash_ad_internal, .-.Lpoly_hash_ad_internal
+
+/////////////////////////////////
+//
+// void chacha20_poly1305_seal(uint8_t *pt, uint8_t *ct, size_t len_in, uint8_t *ad, size_t len_ad, union open_data *seal_data);
+//
+.globl chacha20_poly1305_seal
+.type chacha20_poly1305_seal,%function
+.align 6
+chacha20_poly1305_seal:
+ AARCH64_SIGN_LINK_REGISTER
+.cfi_startproc
+ stp x29, x30, [sp, #-80]!
+.cfi_def_cfa_offset 80
+.cfi_offset w30, -72
+.cfi_offset w29, -80
+ mov x29, sp
+# We probably could do .cfi_def_cfa w29, 80 at this point, but since
+# we don't actually use the frame pointer like that, it's probably not
+# worth bothering.
+ stp d8, d9, [sp, #16]
+ stp d10, d11, [sp, #32]
+ stp d12, d13, [sp, #48]
+ stp d14, d15, [sp, #64]
+.cfi_offset b15, -8
+.cfi_offset b14, -16
+.cfi_offset b13, -24
+.cfi_offset b12, -32
+.cfi_offset b11, -40
+.cfi_offset b10, -48
+.cfi_offset b9, -56
+.cfi_offset b8, -64
+
+ adrp $t0, :pg_hi21:.Lchacha20_consts
+ add $t0, $t0, :lo12:.Lchacha20_consts
+
+ ld1 {$CONSTS.16b - $CLAMP.16b}, [$t0] // Load the CONSTS, INC, ROL8 and CLAMP values
+ ld1 {$B_STORE.16b - $D_STORE.16b}, [$keyp]
+
+ mov $one, #1 // Prepare the Poly1305 state
+ mov $acc0, #0
+ mov $acc1, #0
+ mov $acc2, #0
+
+ ldr $t1, [$keyp, #56] // The total cipher text length includes extra_in_len
+ add $t1, $t1, $inl
+ mov $LEN_STORE.d[0], $adl // Store the input and aad lengths
+ mov $LEN_STORE.d[1], $t1
+
+ cmp $inl, #128
+ b.le .Lseal_128 // Optimization for smaller buffers
+
+ // Initially we prepare 5 ChaCha20 blocks. Four to encrypt up to 4 blocks (256 bytes) of plaintext,
+ // and one for the Poly1305 R and S keys. The first four blocks (A0-A3..D0-D3) are computed vertically,
+ // the fifth block (A4-D4) horizontally.
+ ld4r {$A0.4s-$A3.4s}, [$t0]
+ mov $A4.16b, $CONSTS.16b
+
+ ld4r {$B0.4s-$B3.4s}, [$keyp], #16
+ mov $B4.16b, $B_STORE.16b
+
+ ld4r {$C0.4s-$C3.4s}, [$keyp], #16
+ mov $C4.16b, $C_STORE.16b
+
+ ld4r {$D0.4s-$D3.4s}, [$keyp]
+ add $D0.4s, $D0.4s, $INC.4s
+ mov $D4.16b, $D_STORE.16b
+
+ sub $keyp, $keyp, #32
+
+ mov $itr1, #10
+
+.align 5
+.Lseal_init_rounds:
+___
+ &chacha_qr_x5("left");
+ &chacha_qr_x5("right");
+$code.=<<___;
+ subs $itr1, $itr1, #1
+ b.hi .Lseal_init_rounds
+
+ add $D0.4s, $D0.4s, $INC.4s
+ mov $t0, #4
+ dup $T0.4s, $t0w
+ add $INC.4s, $INC.4s, $T0.4s
+
+ zip1 $T0.4s, $A0.4s, $A1.4s
+ zip2 $T1.4s, $A0.4s, $A1.4s
+ zip1 $T2.4s, $A2.4s, $A3.4s
+ zip2 $T3.4s, $A2.4s, $A3.4s
+
+ zip1 $A0.2d, $T0.2d, $T2.2d
+ zip2 $A1.2d, $T0.2d, $T2.2d
+ zip1 $A2.2d, $T1.2d, $T3.2d
+ zip2 $A3.2d, $T1.2d, $T3.2d
+
+ zip1 $T0.4s, $B0.4s, $B1.4s
+ zip2 $T1.4s, $B0.4s, $B1.4s
+ zip1 $T2.4s, $B2.4s, $B3.4s
+ zip2 $T3.4s, $B2.4s, $B3.4s
+
+ zip1 $B0.2d, $T0.2d, $T2.2d
+ zip2 $B1.2d, $T0.2d, $T2.2d
+ zip1 $B2.2d, $T1.2d, $T3.2d
+ zip2 $B3.2d, $T1.2d, $T3.2d
+
+ zip1 $T0.4s, $C0.4s, $C1.4s
+ zip2 $T1.4s, $C0.4s, $C1.4s
+ zip1 $T2.4s, $C2.4s, $C3.4s
+ zip2 $T3.4s, $C2.4s, $C3.4s
+
+ zip1 $C0.2d, $T0.2d, $T2.2d
+ zip2 $C1.2d, $T0.2d, $T2.2d
+ zip1 $C2.2d, $T1.2d, $T3.2d
+ zip2 $C3.2d, $T1.2d, $T3.2d
+
+ zip1 $T0.4s, $D0.4s, $D1.4s
+ zip2 $T1.4s, $D0.4s, $D1.4s
+ zip1 $T2.4s, $D2.4s, $D3.4s
+ zip2 $T3.4s, $D2.4s, $D3.4s
+
+ zip1 $D0.2d, $T0.2d, $T2.2d
+ zip2 $D1.2d, $T0.2d, $T2.2d
+ zip1 $D2.2d, $T1.2d, $T3.2d
+ zip2 $D3.2d, $T1.2d, $T3.2d
+
+ add $A4.4s, $A4.4s, $CONSTS.4s
+ add $B4.4s, $B4.4s, $B_STORE.4s
+ and $A4.16b, $A4.16b, $CLAMP.16b
+
+ add $A0.4s, $A0.4s, $CONSTS.4s
+ add $B0.4s, $B0.4s, $B_STORE.4s
+ add $C0.4s, $C0.4s, $C_STORE.4s
+ add $D0.4s, $D0.4s, $D_STORE.4s
+
+ add $A1.4s, $A1.4s, $CONSTS.4s
+ add $B1.4s, $B1.4s, $B_STORE.4s
+ add $C1.4s, $C1.4s, $C_STORE.4s
+ add $D1.4s, $D1.4s, $D_STORE.4s
+
+ add $A2.4s, $A2.4s, $CONSTS.4s
+ add $B2.4s, $B2.4s, $B_STORE.4s
+ add $C2.4s, $C2.4s, $C_STORE.4s
+ add $D2.4s, $D2.4s, $D_STORE.4s
+
+ add $A3.4s, $A3.4s, $CONSTS.4s
+ add $B3.4s, $B3.4s, $B_STORE.4s
+ add $C3.4s, $C3.4s, $C_STORE.4s
+ add $D3.4s, $D3.4s, $D_STORE.4s
+
+ mov $r0, $A4.d[0] // Move the R key to GPRs
+ mov $r1, $A4.d[1]
+ mov $S_STORE.16b, $B4.16b // Store the S key
+
+ bl .Lpoly_hash_ad_internal
+
+ mov $adp, $oup
+ cmp $inl, #256
+ b.le .Lseal_tail
+
+ ld1 {$T0.16b - $T3.16b}, [$inp], #64
+ eor $T0.16b, $T0.16b, $A0.16b
+ eor $T1.16b, $T1.16b, $B0.16b
+ eor $T2.16b, $T2.16b, $C0.16b
+ eor $T3.16b, $T3.16b, $D0.16b
+ st1 {$T0.16b - $T3.16b}, [$oup], #64
+
+ ld1 {$T0.16b - $T3.16b}, [$inp], #64
+ eor $T0.16b, $T0.16b, $A1.16b
+ eor $T1.16b, $T1.16b, $B1.16b
+ eor $T2.16b, $T2.16b, $C1.16b
+ eor $T3.16b, $T3.16b, $D1.16b
+ st1 {$T0.16b - $T3.16b}, [$oup], #64
+
+ ld1 {$T0.16b - $T3.16b}, [$inp], #64
+ eor $T0.16b, $T0.16b, $A2.16b
+ eor $T1.16b, $T1.16b, $B2.16b
+ eor $T2.16b, $T2.16b, $C2.16b
+ eor $T3.16b, $T3.16b, $D2.16b
+ st1 {$T0.16b - $T3.16b}, [$oup], #64
+
+ ld1 {$T0.16b - $T3.16b}, [$inp], #64
+ eor $T0.16b, $T0.16b, $A3.16b
+ eor $T1.16b, $T1.16b, $B3.16b
+ eor $T2.16b, $T2.16b, $C3.16b
+ eor $T3.16b, $T3.16b, $D3.16b
+ st1 {$T0.16b - $T3.16b}, [$oup], #64
+
+ sub $inl, $inl, #256
+
+ mov $itr1, #4 // In the first run of the loop we need to hash 256 bytes, therefore we hash one block for the first 4 rounds
+ mov $itr2, #6 // and two blocks for the remaining 6, for a total of (1 * 4 + 2 * 6) * 16 = 256
+
+.Lseal_main_loop:
+ adrp $t0, :pg_hi21:.Lchacha20_consts
+ add $t0, $t0, :lo12:.Lchacha20_consts
+
+ ld4r {$A0.4s-$A3.4s}, [$t0]
+ mov $A4.16b, $CONSTS.16b
+
+ ld4r {$B0.4s-$B3.4s}, [$keyp], #16
+ mov $B4.16b, $B_STORE.16b
+
+ ld4r {$C0.4s-$C3.4s}, [$keyp], #16
+ mov $C4.16b, $C_STORE.16b
+
+ ld4r {$D0.4s-$D3.4s}, [$keyp]
+ add $D0.4s, $D0.4s, $INC.4s
+ mov $D4.16b, $D_STORE.16b
+
+ eor $T0.16b, $T0.16b, $T0.16b //zero
+ not $T1.16b, $T0.16b // -1
+ sub $T1.4s, $INC.4s, $T1.4s // Add +1
+ ext $T0.16b, $T1.16b, $T0.16b, #12 // Get the last element (counter)
+ add $D4.4s, $D4.4s, $T0.4s
+
+ sub $keyp, $keyp, #32
+.align 5
+.Lseal_main_loop_rounds:
+___
+ &chacha_qr_x5("left");
+ &poly_add($adp);
+ &poly_mul();
+ &chacha_qr_x5("right");
+$code.=<<___;
+ subs $itr1, $itr1, #1
+ b.ge .Lseal_main_loop_rounds
+___
+ &poly_add($adp);
+ &poly_mul();
+$code.=<<___;
+ subs $itr2, $itr2, #1
+ b.gt .Lseal_main_loop_rounds
+
+ eor $T0.16b, $T0.16b, $T0.16b //zero
+ not $T1.16b, $T0.16b // -1
+ sub $T1.4s, $INC.4s, $T1.4s // Add +1
+ ext $T0.16b, $T1.16b, $T0.16b, #12 // Get the last element (counter)
+ add $D4.4s, $D4.4s, $T0.4s
+
+ add $D0.4s, $D0.4s, $INC.4s
+ mov $t0, #5
+ dup $T0.4s, $t0w
+ add $INC.4s, $INC.4s, $T0.4s
+
+ zip1 $T0.4s, $A0.4s, $A1.4s
+ zip2 $T1.4s, $A0.4s, $A1.4s
+ zip1 $T2.4s, $A2.4s, $A3.4s
+ zip2 $T3.4s, $A2.4s, $A3.4s
+
+ zip1 $A0.2d, $T0.2d, $T2.2d
+ zip2 $A1.2d, $T0.2d, $T2.2d
+ zip1 $A2.2d, $T1.2d, $T3.2d
+ zip2 $A3.2d, $T1.2d, $T3.2d
+
+ zip1 $T0.4s, $B0.4s, $B1.4s
+ zip2 $T1.4s, $B0.4s, $B1.4s
+ zip1 $T2.4s, $B2.4s, $B3.4s
+ zip2 $T3.4s, $B2.4s, $B3.4s
+
+ zip1 $B0.2d, $T0.2d, $T2.2d
+ zip2 $B1.2d, $T0.2d, $T2.2d
+ zip1 $B2.2d, $T1.2d, $T3.2d
+ zip2 $B3.2d, $T1.2d, $T3.2d
+
+ zip1 $T0.4s, $C0.4s, $C1.4s
+ zip2 $T1.4s, $C0.4s, $C1.4s
+ zip1 $T2.4s, $C2.4s, $C3.4s
+ zip2 $T3.4s, $C2.4s, $C3.4s
+
+ zip1 $C0.2d, $T0.2d, $T2.2d
+ zip2 $C1.2d, $T0.2d, $T2.2d
+ zip1 $C2.2d, $T1.2d, $T3.2d
+ zip2 $C3.2d, $T1.2d, $T3.2d
+
+ zip1 $T0.4s, $D0.4s, $D1.4s
+ zip2 $T1.4s, $D0.4s, $D1.4s
+ zip1 $T2.4s, $D2.4s, $D3.4s
+ zip2 $T3.4s, $D2.4s, $D3.4s
+
+ zip1 $D0.2d, $T0.2d, $T2.2d
+ zip2 $D1.2d, $T0.2d, $T2.2d
+ zip1 $D2.2d, $T1.2d, $T3.2d
+ zip2 $D3.2d, $T1.2d, $T3.2d
+
+ add $A0.4s, $A0.4s, $CONSTS.4s
+ add $B0.4s, $B0.4s, $B_STORE.4s
+ add $C0.4s, $C0.4s, $C_STORE.4s
+ add $D0.4s, $D0.4s, $D_STORE.4s
+
+ add $A1.4s, $A1.4s, $CONSTS.4s
+ add $B1.4s, $B1.4s, $B_STORE.4s
+ add $C1.4s, $C1.4s, $C_STORE.4s
+ add $D1.4s, $D1.4s, $D_STORE.4s
+
+ add $A2.4s, $A2.4s, $CONSTS.4s
+ add $B2.4s, $B2.4s, $B_STORE.4s
+ add $C2.4s, $C2.4s, $C_STORE.4s
+ add $D2.4s, $D2.4s, $D_STORE.4s
+
+ add $A3.4s, $A3.4s, $CONSTS.4s
+ add $B3.4s, $B3.4s, $B_STORE.4s
+ add $C3.4s, $C3.4s, $C_STORE.4s
+ add $D3.4s, $D3.4s, $D_STORE.4s
+
+ add $A4.4s, $A4.4s, $CONSTS.4s
+ add $B4.4s, $B4.4s, $B_STORE.4s
+ add $C4.4s, $C4.4s, $C_STORE.4s
+ add $D4.4s, $D4.4s, $D_STORE.4s
+
+ cmp $inl, #320
+ b.le .Lseal_tail
+
+ ld1 {$T0.16b - $T3.16b}, [$inp], #64
+ eor $T0.16b, $T0.16b, $A0.16b
+ eor $T1.16b, $T1.16b, $B0.16b
+ eor $T2.16b, $T2.16b, $C0.16b
+ eor $T3.16b, $T3.16b, $D0.16b
+ st1 {$T0.16b - $T3.16b}, [$oup], #64
+
+ ld1 {$T0.16b - $T3.16b}, [$inp], #64
+ eor $T0.16b, $T0.16b, $A1.16b
+ eor $T1.16b, $T1.16b, $B1.16b
+ eor $T2.16b, $T2.16b, $C1.16b
+ eor $T3.16b, $T3.16b, $D1.16b
+ st1 {$T0.16b - $T3.16b}, [$oup], #64
+
+ ld1 {$T0.16b - $T3.16b}, [$inp], #64
+ eor $T0.16b, $T0.16b, $A2.16b
+ eor $T1.16b, $T1.16b, $B2.16b
+ eor $T2.16b, $T2.16b, $C2.16b
+ eor $T3.16b, $T3.16b, $D2.16b
+ st1 {$T0.16b - $T3.16b}, [$oup], #64
+
+ ld1 {$T0.16b - $T3.16b}, [$inp], #64
+ eor $T0.16b, $T0.16b, $A3.16b
+ eor $T1.16b, $T1.16b, $B3.16b
+ eor $T2.16b, $T2.16b, $C3.16b
+ eor $T3.16b, $T3.16b, $D3.16b
+ st1 {$T0.16b - $T3.16b}, [$oup], #64
+
+ ld1 {$T0.16b - $T3.16b}, [$inp], #64
+ eor $T0.16b, $T0.16b, $A4.16b
+ eor $T1.16b, $T1.16b, $B4.16b
+ eor $T2.16b, $T2.16b, $C4.16b
+ eor $T3.16b, $T3.16b, $D4.16b
+ st1 {$T0.16b - $T3.16b}, [$oup], #64
+
+ sub $inl, $inl, #320
+
+ mov $itr1, #0
+ mov $itr2, #10 // For the remainder of the loop we always hash and encrypt 320 bytes per iteration
+
+ b .Lseal_main_loop
+
+.Lseal_tail:
+ // This part of the function handles the storage and authentication of the last [0,320) bytes
+ // We assume A0-A4 ... D0-D4 hold at least inl (320 max) bytes of the stream data.
+ cmp $inl, #64
+ b.lt .Lseal_tail_64
+
+ // Store and authenticate 64B blocks per iteration
+ ld1 {$T0.16b - $T3.16b}, [$inp], #64
+
+ eor $T0.16b, $T0.16b, $A0.16b
+ eor $T1.16b, $T1.16b, $B0.16b
+ eor $T2.16b, $T2.16b, $C0.16b
+ eor $T3.16b, $T3.16b, $D0.16b
+___
+ &poly_add_vec($T0);
+ &poly_mul();
+ &poly_add_vec($T1);
+ &poly_mul();
+ &poly_add_vec($T2);
+ &poly_mul();
+ &poly_add_vec($T3);
+ &poly_mul();
+$code.=<<___;
+ st1 {$T0.16b - $T3.16b}, [$oup], #64
+ sub $inl, $inl, #64
+
+ // Shift the state left by 64 bytes for the next iteration of the loop
+ mov $A0.16b, $A1.16b
+ mov $B0.16b, $B1.16b
+ mov $C0.16b, $C1.16b
+ mov $D0.16b, $D1.16b
+
+ mov $A1.16b, $A2.16b
+ mov $B1.16b, $B2.16b
+ mov $C1.16b, $C2.16b
+ mov $D1.16b, $D2.16b
+
+ mov $A2.16b, $A3.16b
+ mov $B2.16b, $B3.16b
+ mov $C2.16b, $C3.16b
+ mov $D2.16b, $D3.16b
+
+ mov $A3.16b, $A4.16b
+ mov $B3.16b, $B4.16b
+ mov $C3.16b, $C4.16b
+ mov $D3.16b, $D4.16b
+
+ b .Lseal_tail
+
+.Lseal_tail_64:
+ ldp $adp, $adl, [$keyp, #48] // extra_in_len and extra_in_ptr
+
+ // Here we handle the last [0,64) bytes of plaintext
+ cmp $inl, #16
+ b.lt .Lseal_tail_16
+ // Each iteration encrypt and authenticate a 16B block
+ ld1 {$T0.16b}, [$inp], #16
+ eor $T0.16b, $T0.16b, $A0.16b
+___
+ &poly_add_vec($T0);
+ &poly_mul();
+$code.=<<___;
+ st1 {$T0.16b}, [$oup], #16
+
+ sub $inl, $inl, #16
+
+ // Shift the state left by 16 bytes for the next iteration of the loop
+ mov $A0.16b, $B0.16b
+ mov $B0.16b, $C0.16b
+ mov $C0.16b, $D0.16b
+
+ b .Lseal_tail_64
+
+.Lseal_tail_16:
+ // Here we handle the last [0,16) bytes of ciphertext that require a padded block
+ cbz $inl, .Lseal_hash_extra
+
+ eor $T0.16b, $T0.16b, $T0.16b // Use T0 to load the plaintext/extra in
+ eor $T1.16b, $T1.16b, $T1.16b // Use T1 to generate an AND mask that will only mask the ciphertext bytes
+ not $T2.16b, $T0.16b
+
+ mov $itr1, $inl
+ add $inp, $inp, $inl
+
+ cbz $adl, .Lseal_tail_16_compose // No extra data to pad with, zero padding
+
+ mov $itr2, #16 // We need to load some extra_in first for padding
+ sub $itr2, $itr2, $inl
+ cmp $adl, $itr2
+ csel $itr2, $adl, $itr2, lt // Load the minimum of extra_in_len and the amount needed to fill the register
+ mov $t1, $itr2
+ add $adp, $adp, $itr2
+ sub $adl, $adl, $itr2
+
+.Lseal_tail16_compose_extra_in:
+ ext $T0.16b, $T0.16b, $T0.16b, #15
+ ldrb $t0w, [$adp, #-1]!
+ mov $T0.b[0], $t0w
+ subs $itr2, $itr2, #1
+ b.gt .Lseal_tail16_compose_extra_in
+
+ add $adp, $adp, $t1
+
+.Lseal_tail_16_compose:
+ ext $T0.16b, $T0.16b, $T0.16b, #15
+ ldrb $t0w, [$inp, #-1]!
+ mov $T0.b[0], $t0w
+ ext $T1.16b, $T2.16b, $T1.16b, #15
+ subs $inl, $inl, #1
+ b.gt .Lseal_tail_16_compose
+
+ and $A0.16b, $A0.16b, $T1.16b
+ eor $T0.16b, $T0.16b, $A0.16b
+ mov $T1.16b, $T0.16b
+
+.Lseal_tail_16_store:
+ umov $t0w, $T0.b[0]
+ strb $t0w, [$oup], #1
+ ext $T0.16b, $T0.16b, $T0.16b, #1
+ subs $itr1, $itr1, #1
+ b.gt .Lseal_tail_16_store
+
+ // Hash in the final ct block concatenated with extra_in
+___
+ &poly_add_vec($T1);
+ &poly_mul();
+$code.=<<___;
+
+.Lseal_hash_extra:
+ cbz $adl, .Lseal_finalize
+
+.Lseal_hash_extra_loop:
+ cmp $adl, #16
+ b.lt .Lseal_hash_extra_tail
+ ld1 {$T0.16b}, [$adp], #16
+___
+ &poly_add_vec($T0);
+ &poly_mul();
+$code.=<<___;
+ sub $adl, $adl, #16
+ b .Lseal_hash_extra_loop
+
+.Lseal_hash_extra_tail:
+ cbz $adl, .Lseal_finalize
+ eor $T0.16b, $T0.16b, $T0.16b // Use T0 to load the remaining extra ciphertext
+ add $adp, $adp, $adl
+
+.Lseal_hash_extra_load:
+ ext $T0.16b, $T0.16b, $T0.16b, #15
+ ldrb $t0w, [$adp, #-1]!
+ mov $T0.b[0], $t0w
+ subs $adl, $adl, #1
+ b.gt .Lseal_hash_extra_load
+
+ // Hash in the final padded extra_in blcok
+___
+ &poly_add_vec($T0);
+ &poly_mul();
+$code.=<<___;
+
+.Lseal_finalize:
+___
+ &poly_add_vec($LEN_STORE);
+ &poly_mul();
+$code.=<<___;
+ # Final reduction step
+ sub $t1, xzr, $one
+ orr $t2, xzr, #3
+ subs $t0, $acc0, #-5
+ sbcs $t1, $acc1, $t1
+ sbcs $t2, $acc2, $t2
+ csel $acc0, $t0, $acc0, cs
+ csel $acc1, $t1, $acc1, cs
+ csel $acc2, $t2, $acc2, cs
+___
+ &poly_add_vec($S_STORE);
+$code.=<<___;
+
+ stp $acc0, $acc1, [$keyp]
+
+ ldp d8, d9, [sp, #16]
+ ldp d10, d11, [sp, #32]
+ ldp d12, d13, [sp, #48]
+ ldp d14, d15, [sp, #64]
+.cfi_restore b15
+.cfi_restore b14
+.cfi_restore b13
+.cfi_restore b12
+.cfi_restore b11
+.cfi_restore b10
+.cfi_restore b9
+.cfi_restore b8
+ ldp x29, x30, [sp], 80
+.cfi_restore w29
+.cfi_restore w30
+.cfi_def_cfa_offset 0
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+
+.Lseal_128:
+ // On some architectures preparing 5 blocks for small buffers is wasteful
+ eor $INC.16b, $INC.16b, $INC.16b
+ mov $t0, #1
+ mov $INC.s[0], $t0w
+ mov $A0.16b, $CONSTS.16b
+ mov $A1.16b, $CONSTS.16b
+ mov $A2.16b, $CONSTS.16b
+ mov $B0.16b, $B_STORE.16b
+ mov $B1.16b, $B_STORE.16b
+ mov $B2.16b, $B_STORE.16b
+ mov $C0.16b, $C_STORE.16b
+ mov $C1.16b, $C_STORE.16b
+ mov $C2.16b, $C_STORE.16b
+ mov $D2.16b, $D_STORE.16b
+ add $D0.4s, $D2.4s, $INC.4s
+ add $D1.4s, $D0.4s, $INC.4s
+
+ mov $itr1, #10
+
+.Lseal_128_rounds:
+___
+ &chacha_qr_x3("left");
+ &chacha_qr_x3("right");
+$code.=<<___;
+ subs $itr1, $itr1, #1
+ b.hi .Lseal_128_rounds
+
+ add $A0.4s, $A0.4s, $CONSTS.4s
+ add $A1.4s, $A1.4s, $CONSTS.4s
+ add $A2.4s, $A2.4s, $CONSTS.4s
+
+ add $B0.4s, $B0.4s, $B_STORE.4s
+ add $B1.4s, $B1.4s, $B_STORE.4s
+ add $B2.4s, $B2.4s, $B_STORE.4s
+
+ // Only the first 32 bytes of the third block (counter = 0) are needed,
+ // so skip updating $C2 and $D2.
+ add $C0.4s, $C0.4s, $C_STORE.4s
+ add $C1.4s, $C1.4s, $C_STORE.4s
+
+ add $D_STORE.4s, $D_STORE.4s, $INC.4s
+ add $D0.4s, $D0.4s, $D_STORE.4s
+ add $D_STORE.4s, $D_STORE.4s, $INC.4s
+ add $D1.4s, $D1.4s, $D_STORE.4s
+
+ and $A2.16b, $A2.16b, $CLAMP.16b
+ mov $r0, $A2.d[0] // Move the R key to GPRs
+ mov $r1, $A2.d[1]
+ mov $S_STORE.16b, $B2.16b // Store the S key
+
+ bl .Lpoly_hash_ad_internal
+ b .Lseal_tail
+.cfi_endproc
+.size chacha20_poly1305_seal,.-chacha20_poly1305_seal
+
+/////////////////////////////////
+//
+// void chacha20_poly1305_open(uint8_t *pt, uint8_t *ct, size_t len_in, uint8_t *ad, size_t len_ad, union open_data *aead_data);
+//
+.globl chacha20_poly1305_open
+.type chacha20_poly1305_open,%function
+.align 6
+chacha20_poly1305_open:
+ AARCH64_SIGN_LINK_REGISTER
+.cfi_startproc
+ stp x29, x30, [sp, #-80]!
+.cfi_def_cfa_offset 80
+.cfi_offset w30, -72
+.cfi_offset w29, -80
+ mov x29, sp
+# We probably could do .cfi_def_cfa w29, 80 at this point, but since
+# we don't actually use the frame pointer like that, it's probably not
+# worth bothering.
+ stp d8, d9, [sp, #16]
+ stp d10, d11, [sp, #32]
+ stp d12, d13, [sp, #48]
+ stp d14, d15, [sp, #64]
+.cfi_offset b15, -8
+.cfi_offset b14, -16
+.cfi_offset b13, -24
+.cfi_offset b12, -32
+.cfi_offset b11, -40
+.cfi_offset b10, -48
+.cfi_offset b9, -56
+.cfi_offset b8, -64
+
+ adrp $t0, :pg_hi21:.Lchacha20_consts
+ add $t0, $t0, :lo12:.Lchacha20_consts
+
+ ld1 {$CONSTS.16b - $CLAMP.16b}, [$t0] // Load the CONSTS, INC, ROL8 and CLAMP values
+ ld1 {$B_STORE.16b - $D_STORE.16b}, [$keyp]
+
+ mov $one, #1 // Prepare the Poly1305 state
+ mov $acc0, #0
+ mov $acc1, #0
+ mov $acc2, #0
+
+ mov $LEN_STORE.d[0], $adl // Store the input and aad lengths
+ mov $LEN_STORE.d[1], $inl
+
+ cmp $inl, #128
+ b.le .Lopen_128 // Optimization for smaller buffers
+
+ // Initially we prepare a single ChaCha20 block for the Poly1305 R and S keys
+ mov $A0.16b, $CONSTS.16b
+ mov $B0.16b, $B_STORE.16b
+ mov $C0.16b, $C_STORE.16b
+ mov $D0.16b, $D_STORE.16b
+
+ mov $itr1, #10
+
+.align 5
+.Lopen_init_rounds:
+___
+ &chacha_qr($A0, $B0, $C0, $D0, $T0, "left");
+ &chacha_qr($A0, $B0, $C0, $D0, $T0, "right");
+$code.=<<___;
+ subs $itr1, $itr1, #1
+ b.hi .Lopen_init_rounds
+
+ add $A0.4s, $A0.4s, $CONSTS.4s
+ add $B0.4s, $B0.4s, $B_STORE.4s
+
+ and $A0.16b, $A0.16b, $CLAMP.16b
+ mov $r0, $A0.d[0] // Move the R key to GPRs
+ mov $r1, $A0.d[1]
+ mov $S_STORE.16b, $B0.16b // Store the S key
+
+ bl .Lpoly_hash_ad_internal
+
+.Lopen_ad_done:
+ mov $adp, $inp
+
+// Each iteration of the loop hash 320 bytes, and prepare stream for 320 bytes
+.Lopen_main_loop:
+
+ cmp $inl, #192
+ b.lt .Lopen_tail
+
+ adrp $t0, :pg_hi21:.Lchacha20_consts
+ add $t0, $t0, :lo12:.Lchacha20_consts
+
+ ld4r {$A0.4s-$A3.4s}, [$t0]
+ mov $A4.16b, $CONSTS.16b
+
+ ld4r {$B0.4s-$B3.4s}, [$keyp], #16
+ mov $B4.16b, $B_STORE.16b
+
+ ld4r {$C0.4s-$C3.4s}, [$keyp], #16
+ mov $C4.16b, $C_STORE.16b
+
+ ld4r {$D0.4s-$D3.4s}, [$keyp]
+ sub $keyp, $keyp, #32
+ add $D0.4s, $D0.4s, $INC.4s
+ mov $D4.16b, $D_STORE.16b
+
+ eor $T0.16b, $T0.16b, $T0.16b //zero
+ not $T1.16b, $T0.16b // -1
+ sub $T1.4s, $INC.4s, $T1.4s // Add +1
+ ext $T0.16b, $T1.16b, $T0.16b, #12 // Get the last element (counter)
+ add $D4.4s, $D4.4s, $T0.4s
+
+ lsr $adl, $inl, #4 // How many whole blocks we have to hash, will always be at least 12
+ sub $adl, $adl, #10
+
+ mov $itr2, #10
+ subs $itr1, $itr2, $adl
+ subs $itr1, $itr2, $adl // itr1 can be negative if we have more than 320 bytes to hash
+ csel $itr2, $itr2, $adl, le // if itr1 is zero or less, itr2 should be 10 to indicate all 10 rounds are full
+
+ cbz $itr2, .Lopen_main_loop_rounds_short
+
+.align 5
+.Lopen_main_loop_rounds:
+___
+ &poly_add($adp);
+ &poly_mul();
+$code.=<<___;
+.Lopen_main_loop_rounds_short:
+___
+ &chacha_qr_x5("left");
+ &poly_add($adp);
+ &poly_mul();
+ &chacha_qr_x5("right");
+$code.=<<___;
+ subs $itr2, $itr2, #1
+ b.gt .Lopen_main_loop_rounds
+ subs $itr1, $itr1, #1
+ b.ge .Lopen_main_loop_rounds_short
+___
+$code.=<<___;
+
+ eor $T0.16b, $T0.16b, $T0.16b //zero
+ not $T1.16b, $T0.16b // -1
+ sub $T1.4s, $INC.4s, $T1.4s // Add +1
+ ext $T0.16b, $T1.16b, $T0.16b, #12 // Get the last element (counter)
+ add $D4.4s, $D4.4s, $T0.4s
+
+ add $D0.4s, $D0.4s, $INC.4s
+ mov $t0, #5
+ dup $T0.4s, $t0w
+ add $INC.4s, $INC.4s, $T0.4s
+
+ zip1 $T0.4s, $A0.4s, $A1.4s
+ zip2 $T1.4s, $A0.4s, $A1.4s
+ zip1 $T2.4s, $A2.4s, $A3.4s
+ zip2 $T3.4s, $A2.4s, $A3.4s
+
+ zip1 $A0.2d, $T0.2d, $T2.2d
+ zip2 $A1.2d, $T0.2d, $T2.2d
+ zip1 $A2.2d, $T1.2d, $T3.2d
+ zip2 $A3.2d, $T1.2d, $T3.2d
+
+ zip1 $T0.4s, $B0.4s, $B1.4s
+ zip2 $T1.4s, $B0.4s, $B1.4s
+ zip1 $T2.4s, $B2.4s, $B3.4s
+ zip2 $T3.4s, $B2.4s, $B3.4s
+
+ zip1 $B0.2d, $T0.2d, $T2.2d
+ zip2 $B1.2d, $T0.2d, $T2.2d
+ zip1 $B2.2d, $T1.2d, $T3.2d
+ zip2 $B3.2d, $T1.2d, $T3.2d
+
+ zip1 $T0.4s, $C0.4s, $C1.4s
+ zip2 $T1.4s, $C0.4s, $C1.4s
+ zip1 $T2.4s, $C2.4s, $C3.4s
+ zip2 $T3.4s, $C2.4s, $C3.4s
+
+ zip1 $C0.2d, $T0.2d, $T2.2d
+ zip2 $C1.2d, $T0.2d, $T2.2d
+ zip1 $C2.2d, $T1.2d, $T3.2d
+ zip2 $C3.2d, $T1.2d, $T3.2d
+
+ zip1 $T0.4s, $D0.4s, $D1.4s
+ zip2 $T1.4s, $D0.4s, $D1.4s
+ zip1 $T2.4s, $D2.4s, $D3.4s
+ zip2 $T3.4s, $D2.4s, $D3.4s
+
+ zip1 $D0.2d, $T0.2d, $T2.2d
+ zip2 $D1.2d, $T0.2d, $T2.2d
+ zip1 $D2.2d, $T1.2d, $T3.2d
+ zip2 $D3.2d, $T1.2d, $T3.2d
+
+ add $A0.4s, $A0.4s, $CONSTS.4s
+ add $B0.4s, $B0.4s, $B_STORE.4s
+ add $C0.4s, $C0.4s, $C_STORE.4s
+ add $D0.4s, $D0.4s, $D_STORE.4s
+
+ add $A1.4s, $A1.4s, $CONSTS.4s
+ add $B1.4s, $B1.4s, $B_STORE.4s
+ add $C1.4s, $C1.4s, $C_STORE.4s
+ add $D1.4s, $D1.4s, $D_STORE.4s
+
+ add $A2.4s, $A2.4s, $CONSTS.4s
+ add $B2.4s, $B2.4s, $B_STORE.4s
+ add $C2.4s, $C2.4s, $C_STORE.4s
+ add $D2.4s, $D2.4s, $D_STORE.4s
+
+ add $A3.4s, $A3.4s, $CONSTS.4s
+ add $B3.4s, $B3.4s, $B_STORE.4s
+ add $C3.4s, $C3.4s, $C_STORE.4s
+ add $D3.4s, $D3.4s, $D_STORE.4s
+
+ add $A4.4s, $A4.4s, $CONSTS.4s
+ add $B4.4s, $B4.4s, $B_STORE.4s
+ add $C4.4s, $C4.4s, $C_STORE.4s
+ add $D4.4s, $D4.4s, $D_STORE.4s
+
+ // We can always safely store 192 bytes
+ ld1 {$T0.16b - $T3.16b}, [$inp], #64
+ eor $T0.16b, $T0.16b, $A0.16b
+ eor $T1.16b, $T1.16b, $B0.16b
+ eor $T2.16b, $T2.16b, $C0.16b
+ eor $T3.16b, $T3.16b, $D0.16b
+ st1 {$T0.16b - $T3.16b}, [$oup], #64
+
+ ld1 {$T0.16b - $T3.16b}, [$inp], #64
+ eor $T0.16b, $T0.16b, $A1.16b
+ eor $T1.16b, $T1.16b, $B1.16b
+ eor $T2.16b, $T2.16b, $C1.16b
+ eor $T3.16b, $T3.16b, $D1.16b
+ st1 {$T0.16b - $T3.16b}, [$oup], #64
+
+ ld1 {$T0.16b - $T3.16b}, [$inp], #64
+ eor $T0.16b, $T0.16b, $A2.16b
+ eor $T1.16b, $T1.16b, $B2.16b
+ eor $T2.16b, $T2.16b, $C2.16b
+ eor $T3.16b, $T3.16b, $D2.16b
+ st1 {$T0.16b - $T3.16b}, [$oup], #64
+
+ sub $inl, $inl, #192
+
+ mov $A0.16b, $A3.16b
+ mov $B0.16b, $B3.16b
+ mov $C0.16b, $C3.16b
+ mov $D0.16b, $D3.16b
+
+ cmp $inl, #64
+ b.lt .Lopen_tail_64_store
+
+ ld1 {$T0.16b - $T3.16b}, [$inp], #64
+ eor $T0.16b, $T0.16b, $A3.16b
+ eor $T1.16b, $T1.16b, $B3.16b
+ eor $T2.16b, $T2.16b, $C3.16b
+ eor $T3.16b, $T3.16b, $D3.16b
+ st1 {$T0.16b - $T3.16b}, [$oup], #64
+
+ sub $inl, $inl, #64
+
+ mov $A0.16b, $A4.16b
+ mov $B0.16b, $B4.16b
+ mov $C0.16b, $C4.16b
+ mov $D0.16b, $D4.16b
+
+ cmp $inl, #64
+ b.lt .Lopen_tail_64_store
+
+ ld1 {$T0.16b - $T3.16b}, [$inp], #64
+ eor $T0.16b, $T0.16b, $A4.16b
+ eor $T1.16b, $T1.16b, $B4.16b
+ eor $T2.16b, $T2.16b, $C4.16b
+ eor $T3.16b, $T3.16b, $D4.16b
+ st1 {$T0.16b - $T3.16b}, [$oup], #64
+
+ sub $inl, $inl, #64
+ b .Lopen_main_loop
+
+.Lopen_tail:
+
+ cbz $inl, .Lopen_finalize
+
+ lsr $adl, $inl, #4 // How many whole blocks we have to hash
+
+ cmp $inl, #64
+ b.le .Lopen_tail_64
+ cmp $inl, #128
+ b.le .Lopen_tail_128
+
+.Lopen_tail_192:
+ // We need three more blocks
+ mov $A0.16b, $CONSTS.16b
+ mov $A1.16b, $CONSTS.16b
+ mov $A2.16b, $CONSTS.16b
+ mov $B0.16b, $B_STORE.16b
+ mov $B1.16b, $B_STORE.16b
+ mov $B2.16b, $B_STORE.16b
+ mov $C0.16b, $C_STORE.16b
+ mov $C1.16b, $C_STORE.16b
+ mov $C2.16b, $C_STORE.16b
+ mov $D0.16b, $D_STORE.16b
+ mov $D1.16b, $D_STORE.16b
+ mov $D2.16b, $D_STORE.16b
+ eor $T3.16b, $T3.16b, $T3.16b
+ eor $T1.16b, $T1.16b, $T1.16b
+ ins $T3.s[0], $INC.s[0]
+ ins $T1.d[0], $one
+
+ add $T2.4s, $T3.4s, $T1.4s
+ add $T1.4s, $T2.4s, $T1.4s
+
+ add $D0.4s, $D0.4s, $T1.4s
+ add $D1.4s, $D1.4s, $T3.4s
+ add $D2.4s, $D2.4s, $T2.4s
+
+ mov $itr2, #10
+ subs $itr1, $itr2, $adl // itr1 can be negative if we have more than 160 bytes to hash
+ csel $itr2, $itr2, $adl, le // if itr1 is zero or less, itr2 should be 10 to indicate all 10 rounds are hashing
+ sub $adl, $adl, $itr2
+
+ cbz $itr2, .Lopen_tail_192_rounds_no_hash
+
+.Lopen_tail_192_rounds:
+___
+ &poly_add($adp);
+ &poly_mul();
+$code.=<<___;
+.Lopen_tail_192_rounds_no_hash:
+___
+ &chacha_qr_x3("left");
+ &chacha_qr_x3("right");
+$code.=<<___;
+ subs $itr2, $itr2, #1
+ b.gt .Lopen_tail_192_rounds
+ subs $itr1, $itr1, #1
+ b.ge .Lopen_tail_192_rounds_no_hash
+
+ // We hashed 160 bytes at most, may still have 32 bytes left
+.Lopen_tail_192_hash:
+ cbz $adl, .Lopen_tail_192_hash_done
+___
+ &poly_add($adp);
+ &poly_mul();
+$code.=<<___;
+ sub $adl, $adl, #1
+ b .Lopen_tail_192_hash
+
+.Lopen_tail_192_hash_done:
+
+ add $A0.4s, $A0.4s, $CONSTS.4s
+ add $A1.4s, $A1.4s, $CONSTS.4s
+ add $A2.4s, $A2.4s, $CONSTS.4s
+ add $B0.4s, $B0.4s, $B_STORE.4s
+ add $B1.4s, $B1.4s, $B_STORE.4s
+ add $B2.4s, $B2.4s, $B_STORE.4s
+ add $C0.4s, $C0.4s, $C_STORE.4s
+ add $C1.4s, $C1.4s, $C_STORE.4s
+ add $C2.4s, $C2.4s, $C_STORE.4s
+ add $D0.4s, $D0.4s, $D_STORE.4s
+ add $D1.4s, $D1.4s, $D_STORE.4s
+ add $D2.4s, $D2.4s, $D_STORE.4s
+
+ add $D0.4s, $D0.4s, $T1.4s
+ add $D1.4s, $D1.4s, $T3.4s
+ add $D2.4s, $D2.4s, $T2.4s
+
+ ld1 {$T0.16b - $T3.16b}, [$inp], #64
+
+ eor $T0.16b, $T0.16b, $A1.16b
+ eor $T1.16b, $T1.16b, $B1.16b
+ eor $T2.16b, $T2.16b, $C1.16b
+ eor $T3.16b, $T3.16b, $D1.16b
+
+ st1 {$T0.16b - $T3.16b}, [$oup], #64
+
+ ld1 {$T0.16b - $T3.16b}, [$inp], #64
+
+ eor $T0.16b, $T0.16b, $A2.16b
+ eor $T1.16b, $T1.16b, $B2.16b
+ eor $T2.16b, $T2.16b, $C2.16b
+ eor $T3.16b, $T3.16b, $D2.16b
+
+ st1 {$T0.16b - $T3.16b}, [$oup], #64
+
+ sub $inl, $inl, #128
+ b .Lopen_tail_64_store
+
+.Lopen_tail_128:
+ // We need two more blocks
+ mov $A0.16b, $CONSTS.16b
+ mov $A1.16b, $CONSTS.16b
+ mov $B0.16b, $B_STORE.16b
+ mov $B1.16b, $B_STORE.16b
+ mov $C0.16b, $C_STORE.16b
+ mov $C1.16b, $C_STORE.16b
+ mov $D0.16b, $D_STORE.16b
+ mov $D1.16b, $D_STORE.16b
+ eor $T3.16b, $T3.16b, $T3.16b
+ eor $T2.16b, $T2.16b, $T2.16b
+ ins $T3.s[0], $INC.s[0]
+ ins $T2.d[0], $one
+ add $T2.4s, $T2.4s, $T3.4s
+
+ add $D0.4s, $D0.4s, $T2.4s
+ add $D1.4s, $D1.4s, $T3.4s
+
+ mov $itr1, #10
+ sub $itr1, $itr1, $adl
+
+.Lopen_tail_128_rounds:
+___
+ &chacha_qr($A0, $B0, $C0, $D0, $T0, "left");
+ &chacha_qr($A1, $B1, $C1, $D1, $T0, "left");
+ &chacha_qr($A0, $B0, $C0, $D0, $T0, "right");
+ &chacha_qr($A1, $B1, $C1, $D1, $T0, "right");
+$code.=<<___;
+ subs $itr1, $itr1, #1
+ b.gt .Lopen_tail_128_rounds
+ cbz $adl, .Lopen_tail_128_rounds_done
+ subs $adl, $adl, #1
+___
+ &poly_add($adp);
+ &poly_mul();
+$code.=<<___;
+ b .Lopen_tail_128_rounds
+
+.Lopen_tail_128_rounds_done:
+ add $A0.4s, $A0.4s, $CONSTS.4s
+ add $A1.4s, $A1.4s, $CONSTS.4s
+ add $B0.4s, $B0.4s, $B_STORE.4s
+ add $B1.4s, $B1.4s, $B_STORE.4s
+ add $C0.4s, $C0.4s, $C_STORE.4s
+ add $C1.4s, $C1.4s, $C_STORE.4s
+ add $D0.4s, $D0.4s, $D_STORE.4s
+ add $D1.4s, $D1.4s, $D_STORE.4s
+ add $D0.4s, $D0.4s, $T2.4s
+ add $D1.4s, $D1.4s, $T3.4s
+
+ ld1 {$T0.16b - $T3.16b}, [$inp], #64
+
+ eor $T0.16b, $T0.16b, $A1.16b
+ eor $T1.16b, $T1.16b, $B1.16b
+ eor $T2.16b, $T2.16b, $C1.16b
+ eor $T3.16b, $T3.16b, $D1.16b
+
+ st1 {$T0.16b - $T3.16b}, [$oup], #64
+ sub $inl, $inl, #64
+
+ b .Lopen_tail_64_store
+
+.Lopen_tail_64:
+ // We just need a single block
+ mov $A0.16b, $CONSTS.16b
+ mov $B0.16b, $B_STORE.16b
+ mov $C0.16b, $C_STORE.16b
+ mov $D0.16b, $D_STORE.16b
+ eor $T3.16b, $T3.16b, $T3.16b
+ ins $T3.s[0], $INC.s[0]
+ add $D0.4s, $D0.4s, $T3.4s
+
+ mov $itr1, #10
+ sub $itr1, $itr1, $adl
+
+.Lopen_tail_64_rounds:
+___
+ &chacha_qr($A0, $B0, $C0, $D0, $T0, "left");
+ &chacha_qr($A0, $B0, $C0, $D0, $T0, "right");
+$code.=<<___;
+ subs $itr1, $itr1, #1
+ b.gt .Lopen_tail_64_rounds
+ cbz $adl, .Lopen_tail_64_rounds_done
+ subs $adl, $adl, #1
+___
+ &poly_add($adp);
+ &poly_mul();
+$code.=<<___;
+ b .Lopen_tail_64_rounds
+
+.Lopen_tail_64_rounds_done:
+ add $A0.4s, $A0.4s, $CONSTS.4s
+ add $B0.4s, $B0.4s, $B_STORE.4s
+ add $C0.4s, $C0.4s, $C_STORE.4s
+ add $D0.4s, $D0.4s, $D_STORE.4s
+ add $D0.4s, $D0.4s, $T3.4s
+
+.Lopen_tail_64_store:
+ cmp $inl, #16
+ b.lt .Lopen_tail_16
+
+ ld1 {$T0.16b}, [$inp], #16
+ eor $T0.16b, $T0.16b, $A0.16b
+ st1 {$T0.16b}, [$oup], #16
+ mov $A0.16b, $B0.16b
+ mov $B0.16b, $C0.16b
+ mov $C0.16b, $D0.16b
+ sub $inl, $inl, #16
+ b .Lopen_tail_64_store
+
+.Lopen_tail_16:
+ // Here we handle the last [0,16) bytes that require a padded block
+ cbz $inl, .Lopen_finalize
+
+ eor $T0.16b, $T0.16b, $T0.16b // Use T0 to load the ciphertext
+ eor $T1.16b, $T1.16b, $T1.16b // Use T1 to generate an AND mask
+ not $T2.16b, $T0.16b
+
+ add $itr2, $inp, $inl
+ mov $itr1, $inl
+
+.Lopen_tail_16_compose:
+ ext $T0.16b, $T0.16b, $T0.16b, #15
+ ldrb $t0w, [$itr2, #-1]!
+ mov $T0.b[0], $t0w
+ ext $T1.16b, $T2.16b, $T1.16b, #15
+ subs $inl, $inl, #1
+ b.gt .Lopen_tail_16_compose
+
+ and $T0.16b, $T0.16b, $T1.16b
+ // Hash in the final padded block
+___
+ &poly_add_vec($T0);
+ &poly_mul();
+$code.=<<___;
+ eor $T0.16b, $T0.16b, $A0.16b
+
+.Lopen_tail_16_store:
+ umov $t0w, $T0.b[0]
+ strb $t0w, [$oup], #1
+ ext $T0.16b, $T0.16b, $T0.16b, #1
+ subs $itr1, $itr1, #1
+ b.gt .Lopen_tail_16_store
+
+.Lopen_finalize:
+___
+ &poly_add_vec($LEN_STORE);
+ &poly_mul();
+$code.=<<___;
+ # Final reduction step
+ sub $t1, xzr, $one
+ orr $t2, xzr, #3
+ subs $t0, $acc0, #-5
+ sbcs $t1, $acc1, $t1
+ sbcs $t2, $acc2, $t2
+ csel $acc0, $t0, $acc0, cs
+ csel $acc1, $t1, $acc1, cs
+ csel $acc2, $t2, $acc2, cs
+___
+ &poly_add_vec($S_STORE);
+$code.=<<___;
+
+ stp $acc0, $acc1, [$keyp]
+
+ ldp d8, d9, [sp, #16]
+ ldp d10, d11, [sp, #32]
+ ldp d12, d13, [sp, #48]
+ ldp d14, d15, [sp, #64]
+.cfi_restore b15
+.cfi_restore b14
+.cfi_restore b13
+.cfi_restore b12
+.cfi_restore b11
+.cfi_restore b10
+.cfi_restore b9
+.cfi_restore b8
+ ldp x29, x30, [sp], 80
+.cfi_restore w29
+.cfi_restore w30
+.cfi_def_cfa_offset 0
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+
+.Lopen_128:
+ // On some architectures preparing 5 blocks for small buffers is wasteful
+ eor $INC.16b, $INC.16b, $INC.16b
+ mov $t0, #1
+ mov $INC.s[0], $t0w
+ mov $A0.16b, $CONSTS.16b
+ mov $A1.16b, $CONSTS.16b
+ mov $A2.16b, $CONSTS.16b
+ mov $B0.16b, $B_STORE.16b
+ mov $B1.16b, $B_STORE.16b
+ mov $B2.16b, $B_STORE.16b
+ mov $C0.16b, $C_STORE.16b
+ mov $C1.16b, $C_STORE.16b
+ mov $C2.16b, $C_STORE.16b
+ mov $D2.16b, $D_STORE.16b
+ add $D0.4s, $D2.4s, $INC.4s
+ add $D1.4s, $D0.4s, $INC.4s
+
+ mov $itr1, #10
+
+.Lopen_128_rounds:
+___
+ &chacha_qr_x3("left");
+ &chacha_qr_x3("right");
+$code.=<<___;
+ subs $itr1, $itr1, #1
+ b.hi .Lopen_128_rounds
+
+ add $A0.4s, $A0.4s, $CONSTS.4s
+ add $A1.4s, $A1.4s, $CONSTS.4s
+ add $A2.4s, $A2.4s, $CONSTS.4s
+
+ add $B0.4s, $B0.4s, $B_STORE.4s
+ add $B1.4s, $B1.4s, $B_STORE.4s
+ add $B2.4s, $B2.4s, $B_STORE.4s
+
+ add $C0.4s, $C0.4s, $C_STORE.4s
+ add $C1.4s, $C1.4s, $C_STORE.4s
+
+ add $D_STORE.4s, $D_STORE.4s, $INC.4s
+ add $D0.4s, $D0.4s, $D_STORE.4s
+ add $D_STORE.4s, $D_STORE.4s, $INC.4s
+ add $D1.4s, $D1.4s, $D_STORE.4s
+
+ and $A2.16b, $A2.16b, $CLAMP.16b
+ mov $r0, $A2.d[0] // Move the R key to GPRs
+ mov $r1, $A2.d[1]
+ mov $S_STORE.16b, $B2.16b // Store the S key
+
+ bl .Lpoly_hash_ad_internal
+
+.Lopen_128_store:
+ cmp $inl, #64
+ b.lt .Lopen_128_store_64
+
+ ld1 {$T0.16b - $T3.16b}, [$inp], #64
+
+___
+ &poly_add_vec($T0);
+ &poly_mul();
+ &poly_add_vec($T1);
+ &poly_mul();
+ &poly_add_vec($T2);
+ &poly_mul();
+ &poly_add_vec($T3);
+ &poly_mul();
+$code.=<<___;
+
+ eor $T0.16b, $T0.16b, $A0.16b
+ eor $T1.16b, $T1.16b, $B0.16b
+ eor $T2.16b, $T2.16b, $C0.16b
+ eor $T3.16b, $T3.16b, $D0.16b
+
+ st1 {$T0.16b - $T3.16b}, [$oup], #64
+
+ sub $inl, $inl, #64
+
+ mov $A0.16b, $A1.16b
+ mov $B0.16b, $B1.16b
+ mov $C0.16b, $C1.16b
+ mov $D0.16b, $D1.16b
+
+.Lopen_128_store_64:
+
+ lsr $adl, $inl, #4
+ mov $adp, $inp
+
+.Lopen_128_hash_64:
+ cbz $adl, .Lopen_tail_64_store
+___
+ &poly_add($adp);
+ &poly_mul();
+$code.=<<___;
+ sub $adl, $adl, #1
+ b .Lopen_128_hash_64
+.cfi_endproc
+.size chacha20_poly1305_open,.-chacha20_poly1305_open
+___
+}
+
+foreach (split("\n",$code)) {
+ s/\`([^\`]*)\`/eval $1/ge;
+
+ print $_,"\n";
+}
+close STDOUT or die "error closing STDOUT";
diff --git a/src/crypto/cipher_extra/internal.h b/src/crypto/cipher_extra/internal.h
index 4e8fa46..0fd0755 100644
--- a/src/crypto/cipher_extra/internal.h
+++ b/src/crypto/cipher_extra/internal.h
@@ -163,7 +163,8 @@
} out;
};
-#if defined(OPENSSL_X86_64) && !defined(OPENSSL_NO_ASM)
+#if (defined(OPENSSL_X86_64) || defined(OPENSSL_AARCH64)) && \
+ !defined(OPENSSL_NO_ASM)
OPENSSL_STATIC_ASSERT(sizeof(union chacha20_poly1305_open_data) == 48,
"wrong chacha20_poly1305_open_data size");
@@ -171,10 +172,14 @@
"wrong chacha20_poly1305_seal_data size");
OPENSSL_INLINE int chacha20_poly1305_asm_capable(void) {
+#if defined(OPENSSL_X86_64)
return CRYPTO_is_SSE4_1_capable();
+#elif defined(OPENSSL_AARCH64)
+ return CRYPTO_is_NEON_capable();
+#endif
}
-// chacha20_poly1305_open is defined in chacha20_poly1305_x86_64.pl. It decrypts
+// chacha20_poly1305_open is defined in chacha20_poly1305_*.pl. It decrypts
// |plaintext_len| bytes from |ciphertext| and writes them to |out_plaintext|.
// Additional input parameters are passed in |aead_data->in|. On exit, it will
// write calculated tag value to |aead_data->out.tag|, which the caller must
@@ -185,7 +190,7 @@
size_t ad_len,
union chacha20_poly1305_open_data *data);
-// chacha20_poly1305_open is defined in chacha20_poly1305_x86_64.pl. It encrypts
+// chacha20_poly1305_open is defined in chacha20_poly1305_*.pl. It encrypts
// |plaintext_len| bytes from |plaintext| and writes them to |out_ciphertext|.
// Additional input parameters are passed in |aead_data->in|. The calculated tag
// value is over the computed ciphertext concatenated with |extra_ciphertext|
diff --git a/src/crypto/err/pkcs8.errordata b/src/crypto/err/pkcs8.errordata
index 9aac7e2..02a3fe3 100644
--- a/src/crypto/err/pkcs8.errordata
+++ b/src/crypto/err/pkcs8.errordata
@@ -1,3 +1,4 @@
+PKCS8,133,AMBIGUOUS_FRIENDLY_NAME
PKCS8,129,BAD_ITERATION_COUNT
PKCS8,100,BAD_PKCS12_DATA
PKCS8,101,BAD_PKCS12_VERSION
diff --git a/src/crypto/evp/p_ec.c b/src/crypto/evp/p_ec.c
index 9767541..ddb64a4 100644
--- a/src/crypto/evp/p_ec.c
+++ b/src/crypto/evp/p_ec.c
@@ -179,18 +179,18 @@
EC_PKEY_CTX *dctx = ctx->data;
switch (type) {
- case EVP_PKEY_CTRL_MD:
- if (EVP_MD_type((const EVP_MD *)p2) != NID_sha1 &&
- EVP_MD_type((const EVP_MD *)p2) != NID_ecdsa_with_SHA1 &&
- EVP_MD_type((const EVP_MD *)p2) != NID_sha224 &&
- EVP_MD_type((const EVP_MD *)p2) != NID_sha256 &&
- EVP_MD_type((const EVP_MD *)p2) != NID_sha384 &&
- EVP_MD_type((const EVP_MD *)p2) != NID_sha512) {
+ case EVP_PKEY_CTRL_MD: {
+ const EVP_MD *md = p2;
+ int md_type = EVP_MD_type(md);
+ if (md_type != NID_sha1 && md_type != NID_sha224 &&
+ md_type != NID_sha256 && md_type != NID_sha384 &&
+ md_type != NID_sha512) {
OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_DIGEST_TYPE);
return 0;
}
- dctx->md = p2;
+ dctx->md = md;
return 1;
+ }
case EVP_PKEY_CTRL_GET_MD:
*(const EVP_MD **)p2 = dctx->md;
diff --git a/src/crypto/fipsmodule/CMakeLists.txt b/src/crypto/fipsmodule/CMakeLists.txt
index 73f8a02..b99ebc7 100644
--- a/src/crypto/fipsmodule/CMakeLists.txt
+++ b/src/crypto/fipsmodule/CMakeLists.txt
@@ -64,6 +64,8 @@
armv8-mont.${ASM_EXT}
ghash-neon-armv8.${ASM_EXT}
ghashv8-armx.${ASM_EXT}
+ p256-armv8-asm.${ASM_EXT}
+ p256_beeu-armv8-asm.${ASM_EXT}
sha1-armv8.${ASM_EXT}
sha256-armv8.${ASM_EXT}
sha512-armv8.${ASM_EXT}
@@ -102,6 +104,8 @@
perlasm(md5-x86_64.${ASM_EXT} md5/asm/md5-x86_64.pl)
perlasm(p256-x86_64-asm.${ASM_EXT} ec/asm/p256-x86_64-asm.pl)
perlasm(p256_beeu-x86_64-asm.${ASM_EXT} ec/asm/p256_beeu-x86_64-asm.pl)
+perlasm(p256-armv8-asm.${ASM_EXT} ec/asm/p256-armv8-asm.pl)
+perlasm(p256_beeu-armv8-asm.${ASM_EXT} ec/asm/p256_beeu-armv8-asm.pl)
perlasm(rdrand-x86_64.${ASM_EXT} rand/asm/rdrand-x86_64.pl)
perlasm(rsaz-avx2.${ASM_EXT} bn/asm/rsaz-avx2.pl)
perlasm(sha1-586.${ASM_EXT} sha/asm/sha1-586.pl)
diff --git a/src/crypto/fipsmodule/aes/aes_test.cc b/src/crypto/fipsmodule/aes/aes_test.cc
index eef2567..a38bf9c 100644
--- a/src/crypto/fipsmodule/aes/aes_test.cc
+++ b/src/crypto/fipsmodule/aes/aes_test.cc
@@ -559,6 +559,10 @@
TEST(AESTest, VPAESToBSAESConvert) {
+ if (!vpaes_capable()) {
+ GTEST_SKIP();
+ }
+
const int kNumIterations = 1000;
for (int i = 0; i < kNumIterations; i++) {
uint8_t key[256 / 8];
diff --git a/src/crypto/fipsmodule/aes/key_wrap.c b/src/crypto/fipsmodule/aes/key_wrap.c
index 9a5b28d..0ec5f26 100644
--- a/src/crypto/fipsmodule/aes/key_wrap.c
+++ b/src/crypto/fipsmodule/aes/key_wrap.c
@@ -55,6 +55,7 @@
#include <openssl/mem.h>
#include "../../internal.h"
+#include "../service_indicator/internal.h"
// kDefaultIV is the default IV value given in RFC 3394, 2.2.3.1.
@@ -98,6 +99,7 @@
}
OPENSSL_memcpy(out, A, 8);
+ FIPS_service_indicator_update_state();
return (int)in_len + 8;
}
@@ -151,6 +153,7 @@
return -1;
}
+ FIPS_service_indicator_update_state();
return (int)in_len - 8;
}
@@ -190,12 +193,15 @@
assert(padded_len >= 8);
memset(padded_in + padded_len - 8, 0, 8);
memcpy(padded_in, in, in_len);
+ FIPS_service_indicator_lock_state();
const int ret = AES_wrap_key(key, block, out, padded_in, padded_len);
+ FIPS_service_indicator_unlock_state();
OPENSSL_free(padded_in);
if (ret < 0) {
return 0;
}
*out_len = ret;
+ FIPS_service_indicator_update_state();
return 1;
}
@@ -232,5 +238,9 @@
}
*out_len = constant_time_select_w(ok, claimed_len, 0);
- return ok & 1;
+ const int ret = ok & 1;
+ if (ret) {
+ FIPS_service_indicator_update_state();
+ }
+ return ret;
}
diff --git a/src/crypto/fipsmodule/aes/mode_wrappers.c b/src/crypto/fipsmodule/aes/mode_wrappers.c
index d29fb27..10d98a6 100644
--- a/src/crypto/fipsmodule/aes/mode_wrappers.c
+++ b/src/crypto/fipsmodule/aes/mode_wrappers.c
@@ -52,6 +52,7 @@
#include "../aes/internal.h"
#include "../modes/internal.h"
+#include "../service_indicator/internal.h"
void AES_ctr128_encrypt(const uint8_t *in, uint8_t *out, size_t len,
@@ -74,6 +75,8 @@
CRYPTO_ctr128_encrypt_ctr32(in, out, len, key, ivec, ecount_buf, num,
aes_nohw_ctr32_encrypt_blocks);
}
+
+ FIPS_service_indicator_update_state();
}
void AES_ecb_encrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key,
@@ -86,24 +89,23 @@
} else {
AES_decrypt(in, out, key);
}
+
+ FIPS_service_indicator_update_state();
}
void AES_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t len,
const AES_KEY *key, uint8_t *ivec, const int enc) {
if (hwaes_capable()) {
aes_hw_cbc_encrypt(in, out, len, key, ivec, enc);
- return;
- }
-
- if (!vpaes_capable()) {
+ } else if (!vpaes_capable()) {
aes_nohw_cbc_encrypt(in, out, len, key, ivec, enc);
- return;
- }
- if (enc) {
+ } else if (enc) {
CRYPTO_cbc128_encrypt(in, out, len, key, ivec, AES_encrypt);
} else {
CRYPTO_cbc128_decrypt(in, out, len, key, ivec, AES_decrypt);
}
+
+ FIPS_service_indicator_update_state();
}
void AES_ofb128_encrypt(const uint8_t *in, uint8_t *out, size_t length,
diff --git a/src/crypto/fipsmodule/bcm.c b/src/crypto/fipsmodule/bcm.c
index faff6c4..1792134 100644
--- a/src/crypto/fipsmodule/bcm.c
+++ b/src/crypto/fipsmodule/bcm.c
@@ -58,10 +58,13 @@
#include "cipher/aead.c"
#include "cipher/cipher.c"
#include "cipher/e_aes.c"
+#include "cipher/e_aesccm.c"
+#include "cmac/cmac.c"
#include "dh/check.c"
#include "dh/dh.c"
#include "digest/digest.c"
#include "digest/digests.c"
+#include "digestsign/digestsign.c"
#include "ecdh/ecdh.c"
#include "ecdsa/ecdsa.c"
#include "ec/ec.c"
@@ -71,7 +74,7 @@
#include "ec/oct.c"
#include "ec/p224-64.c"
#include "ec/p256.c"
-#include "ec/p256-x86_64.c"
+#include "ec/p256-nistz.c"
#include "ec/scalar.c"
#include "ec/simple.c"
#include "ec/simple_mul.c"
@@ -97,6 +100,7 @@
#include "rsa/rsa_impl.c"
#include "self_check/fips.c"
#include "self_check/self_check.c"
+#include "service_indicator/service_indicator.c"
#include "sha/sha1-altivec.c"
#include "sha/sha1.c"
#include "sha/sha256.c"
@@ -210,21 +214,12 @@
assert_within(rodata_start, kP256Params, rodata_end);
assert_within(rodata_start, kPKCS1SigPrefixes, rodata_end);
-#if defined(OPENSSL_AARCH64) || defined(OPENSSL_ANDROID)
uint8_t result[SHA256_DIGEST_LENGTH];
const EVP_MD *const kHashFunction = EVP_sha256();
if (!boringssl_self_test_sha256() ||
!boringssl_self_test_hmac_sha256()) {
return 0;
}
-#else
- uint8_t result[SHA512_DIGEST_LENGTH];
- const EVP_MD *const kHashFunction = EVP_sha512();
- if (!boringssl_self_test_sha512() ||
- !boringssl_self_test_hmac_sha256()) {
- return 0;
- }
-#endif
static const uint8_t kHMACKey[64] = {0};
unsigned result_len;
diff --git a/src/crypto/fipsmodule/bn/asm/x86_64-mont5.pl b/src/crypto/fipsmodule/bn/asm/x86_64-mont5.pl
index 54335cc..012e7aa 100755
--- a/src/crypto/fipsmodule/bn/asm/x86_64-mont5.pl
+++ b/src/crypto/fipsmodule/bn/asm/x86_64-mont5.pl
@@ -2088,194 +2088,6 @@
.size __bn_post4x_internal,.-__bn_post4x_internal
___
}
-{
-$code.=<<___;
-.globl bn_from_montgomery
-.type bn_from_montgomery,\@abi-omnipotent
-.align 32
-bn_from_montgomery:
-.cfi_startproc
- testl \$7,`($win64?"48(%rsp)":"%r9d")`
- jz bn_from_mont8x
- xor %eax,%eax
- ret
-.cfi_endproc
-.size bn_from_montgomery,.-bn_from_montgomery
-
-.type bn_from_mont8x,\@function,6
-.align 32
-bn_from_mont8x:
-.cfi_startproc
- .byte 0x67
- mov %rsp,%rax
-.cfi_def_cfa_register %rax
- push %rbx
-.cfi_push %rbx
- push %rbp
-.cfi_push %rbp
- push %r12
-.cfi_push %r12
- push %r13
-.cfi_push %r13
- push %r14
-.cfi_push %r14
- push %r15
-.cfi_push %r15
-.Lfrom_prologue:
-
- shl \$3,${num}d # convert $num to bytes
- lea ($num,$num,2),%r10 # 3*$num in bytes
- neg $num
- mov ($n0),$n0 # *n0
-
- ##############################################################
- # Ensure that stack frame doesn't alias with $rptr+3*$num
- # modulo 4096, which covers ret[num], am[num] and n[num]
- # (see bn_exp.c). The stack is allocated to aligned with
- # bn_power5's frame, and as bn_from_montgomery happens to be
- # last operation, we use the opportunity to cleanse it.
- #
- lea -320(%rsp,$num,2),%r11
- mov %rsp,%rbp
- sub $rptr,%r11
- and \$4095,%r11
- cmp %r11,%r10
- jb .Lfrom_sp_alt
- sub %r11,%rbp # align with $aptr
- lea -320(%rbp,$num,2),%rbp # future alloca(frame+2*$num*8+256)
- jmp .Lfrom_sp_done
-
-.align 32
-.Lfrom_sp_alt:
- lea 4096-320(,$num,2),%r10
- lea -320(%rbp,$num,2),%rbp # future alloca(frame+2*$num*8+256)
- sub %r10,%r11
- mov \$0,%r10
- cmovc %r10,%r11
- sub %r11,%rbp
-.Lfrom_sp_done:
- and \$-64,%rbp
- mov %rsp,%r11
- sub %rbp,%r11
- and \$-4096,%r11
- lea (%rbp,%r11),%rsp
- mov (%rsp),%r10
- cmp %rbp,%rsp
- ja .Lfrom_page_walk
- jmp .Lfrom_page_walk_done
-
-.Lfrom_page_walk:
- lea -4096(%rsp),%rsp
- mov (%rsp),%r10
- cmp %rbp,%rsp
- ja .Lfrom_page_walk
-.Lfrom_page_walk_done:
-
- mov $num,%r10
- neg $num
-
- ##############################################################
- # Stack layout
- #
- # +0 saved $num, used in reduction section
- # +8 &t[2*$num], used in reduction section
- # +32 saved *n0
- # +40 saved %rsp
- # +48 t[2*$num]
- #
- mov $n0, 32(%rsp)
- mov %rax, 40(%rsp) # save original %rsp
-.cfi_cfa_expression %rsp+40,deref,+8
-.Lfrom_body:
- mov $num,%r11
- lea 48(%rsp),%rax
- pxor %xmm0,%xmm0
- jmp .Lmul_by_1
-
-.align 32
-.Lmul_by_1:
- movdqu ($aptr),%xmm1
- movdqu 16($aptr),%xmm2
- movdqu 32($aptr),%xmm3
- movdqa %xmm0,(%rax,$num)
- movdqu 48($aptr),%xmm4
- movdqa %xmm0,16(%rax,$num)
- .byte 0x48,0x8d,0xb6,0x40,0x00,0x00,0x00 # lea 64($aptr),$aptr
- movdqa %xmm1,(%rax)
- movdqa %xmm0,32(%rax,$num)
- movdqa %xmm2,16(%rax)
- movdqa %xmm0,48(%rax,$num)
- movdqa %xmm3,32(%rax)
- movdqa %xmm4,48(%rax)
- lea 64(%rax),%rax
- sub \$64,%r11
- jnz .Lmul_by_1
-
- movq $rptr,%xmm1
- movq $nptr,%xmm2
- .byte 0x67
- mov $nptr,%rbp
- movq %r10, %xmm3 # -num
-___
-$code.=<<___ if ($addx);
- leaq OPENSSL_ia32cap_P(%rip),%r11
- mov 8(%r11),%r11d
- and \$0x80108,%r11d
- cmp \$0x80108,%r11d # check for AD*X+BMI2+BMI1
- jne .Lfrom_mont_nox
-
- lea (%rax,$num),$rptr
- call __bn_sqrx8x_reduction
- call __bn_postx4x_internal
-
- pxor %xmm0,%xmm0
- lea 48(%rsp),%rax
- jmp .Lfrom_mont_zero
-
-.align 32
-.Lfrom_mont_nox:
-___
-$code.=<<___;
- call __bn_sqr8x_reduction
- call __bn_post4x_internal
-
- pxor %xmm0,%xmm0
- lea 48(%rsp),%rax
- jmp .Lfrom_mont_zero
-
-.align 32
-.Lfrom_mont_zero:
- mov 40(%rsp),%rsi # restore %rsp
-.cfi_def_cfa %rsi,8
- movdqa %xmm0,16*0(%rax)
- movdqa %xmm0,16*1(%rax)
- movdqa %xmm0,16*2(%rax)
- movdqa %xmm0,16*3(%rax)
- lea 16*4(%rax),%rax
- sub \$32,$num
- jnz .Lfrom_mont_zero
-
- mov \$1,%rax
- mov -48(%rsi),%r15
-.cfi_restore %r15
- mov -40(%rsi),%r14
-.cfi_restore %r14
- mov -32(%rsi),%r13
-.cfi_restore %r13
- mov -24(%rsi),%r12
-.cfi_restore %r12
- mov -16(%rsi),%rbp
-.cfi_restore %rbp
- mov -8(%rsi),%rbx
-.cfi_restore %rbx
- lea (%rsi),%rsp
-.cfi_def_cfa_register %rsp
-.Lfrom_epilogue:
- ret
-.cfi_endproc
-.size bn_from_mont8x,.-bn_from_mont8x
-___
-}
}}}
if ($addx) {{{
@@ -3864,10 +3676,6 @@
.rva .LSEH_begin_bn_power5
.rva .LSEH_end_bn_power5
.rva .LSEH_info_bn_power5
-
- .rva .LSEH_begin_bn_from_mont8x
- .rva .LSEH_end_bn_from_mont8x
- .rva .LSEH_info_bn_from_mont8x
___
$code.=<<___ if ($addx);
.rva .LSEH_begin_bn_mulx4x_mont_gather5
@@ -3899,11 +3707,6 @@
.byte 9,0,0,0
.rva mul_handler
.rva .Lpower5_prologue,.Lpower5_body,.Lpower5_epilogue # HandlerData[]
-.align 8
-.LSEH_info_bn_from_mont8x:
- .byte 9,0,0,0
- .rva mul_handler
- .rva .Lfrom_prologue,.Lfrom_body,.Lfrom_epilogue # HandlerData[]
___
$code.=<<___ if ($addx);
.align 8
diff --git a/src/crypto/fipsmodule/bn/bn_test.cc b/src/crypto/fipsmodule/bn/bn_test.cc
index 7d57802..3bcdd63 100644
--- a/src/crypto/fipsmodule/bn/bn_test.cc
+++ b/src/crypto/fipsmodule/bn/bn_test.cc
@@ -2788,15 +2788,6 @@
words, 13);
CHECK_ABI(bn_power5, r.data(), a.data(), table.data(), m->d, mont->n0,
words, 13);
- EXPECT_EQ(1, CHECK_ABI(bn_from_montgomery, r.data(), r.data(), nullptr,
- m->d, mont->n0, words));
- EXPECT_EQ(1, CHECK_ABI(bn_from_montgomery, r.data(), a.data(), nullptr,
- m->d, mont->n0, words));
- } else {
- EXPECT_EQ(0, CHECK_ABI(bn_from_montgomery, r.data(), r.data(), nullptr,
- m->d, mont->n0, words));
- EXPECT_EQ(0, CHECK_ABI(bn_from_montgomery, r.data(), a.data(), nullptr,
- m->d, mont->n0, words));
}
}
}
diff --git a/src/crypto/fipsmodule/bn/bn_tests.txt b/src/crypto/fipsmodule/bn/bn_tests.txt
index 334ef8b..9a1a5db 100644
--- a/src/crypto/fipsmodule/bn/bn_tests.txt
+++ b/src/crypto/fipsmodule/bn/bn_tests.txt
@@ -10604,6 +10604,74 @@
E = f95dc0f980fbd22e90caa5a387cc4a369f3f830d50dd321c40db8c09a7e1a241a536e096622d3280c0c1ba849c1f4a79bf490f60006d081e8cf69960189f0d312cd9e17073a3fba7881b21474a13b334116cb2f5dbf3189a6de3515d0840f053c776d3982d391b6d04d642dda5cc6d1640174c09875addb70595658f89efb439dc6fbd55f903aadd307982d3f659207f265e1ec6271b274521b7a5e28e8fd7a55df089292820477802a43cf5b6b94e999e8c9944ddebb0d0e95a60f88cb7e813ba110d20e1024774107dd02949031864923b3cb8c3f7250d6d1287b0a40db6a47bd5a469518eb65aa207ddc47d8c6e5fc8e0c105be8fc1d4b57b2e27540471d5
M = fef15d5ce4625f1bccfbba49fc8439c72bf8202af039a2259678941b60bb4a8f2987e965d58fd8cf86a856674d519763d0e1211cc9f8596971050d56d9b35db3785866cfbca17cfdbed6060be3629d894f924a89fdc1efc624f80d41a22f19009503fcc3824ef62ccb9208430c26f2d8ceb2c63488ec4c07437aa4c96c43dd8b9289ed00a712ff66ee195dc71f5e4ead02172b63c543d69baf495f5fd63ba7bcc633bd309c016e37736da92129d0b053d4ab28d21ad7d8b6fab2a8bbdc8ee647d2fbcf2cf426cf892e6f5639e0252993965dfb73ccd277407014ea784aaa280cb7b03972bc8b0baa72360bdb44b82415b86b2f260f877791cd33ba8f2d65229b
+# The following inputs trigger an edge case between Montgomery reduction and the
+# "almost" reduction variant from https://eprint.iacr.org/2011/239
+
+ModExp = 00
+A = 19c7bc9b97c6083cd7b8d1cd001452c9b67983247169c6532047eb7fc8933014dbf69fee7a358769f1429802c8ea89d4f9ca6ba6f368fbdb1fa5717b4a00
+E = bbc7e09147408571050e8d0c634682c5863b7e8a573626648902cff12e590c74f5a23ecce39732266bc15b8afbd6c48a48c83fbdc33947515cc0b6e4fb98ae2cd730e58f951fec8be7e2e3c74f4506c7fd7e29bdb28675fe8a59789ab1148e931a2ebd2d36f78bc241682a3d8083d8ff538858cd240c5a693936e5a391dc9d77118062a3f868c058440a4192267faaaba91112f45eee5842060febbf9353a6d3e7f7996573209136a5506062ea23d74067f08c613f3ff74bade25f8c3368e6dba84eae672eac11be1137fc514924fcab8c82e46d092bd047dcbadaa48c67a096ec1a04f392a8511e6acbad9954949b703e71ff837337b594055ae6f3c0fc154447a687c9ac8a2cdfd64a2e680c6ff21254735af7f5eb6b43f0bce86bda55a04143a991711081435ed4f4a89b23fc3a588022b7a8543db4bf5c8ac93603367c750ff2191f59a716340fab49bb7544759c8d846465eec1438e76395f73e7b5e945f31f1b87fefa854a0d208846eaab5fa27144fd039911608bab0eaee80f1d3553dfa2d9ba95268479b97a059613660df5ad79796e0b272244aca90ccc13449ec15c206eeed7b60405a4c5cfdf5da5d136c27fa9385d810ad198dfe794ffce9955e10520efea1e2eb794e379401b9affd863b9566ce941c4726755574a1b1946acf0090bfb93f37dd55f524485bbba7fa84b53addfde01ae1de9c57fe50d4b708dd0fa45d02af398b3d05c6d17f84c11e9aacdbe0b146cad6ddbd877731e26a17f3ebed459560d12ed7a6abc2ea6fe922e69d2622ef11b6b245b9ba8f0940faaa671a4beb727be5393a94dafaeff7221b29183e7418f4c5bb95a6a586c93dbc8ce0236d9dbe26c40513611b4141fed66599adbfb20fc30e09a4815e4159f65a6708f34584a7a77b3843941cd61a6917dcc3d07a3dfb5a2cb108bacea7e782f2111b4d22ecaaeff469ecd0da371df1ac5e9bf6df6ccba2d3a9f393d597499eaca2c206bfb81c3426c5fe45bcf16e38aecd246a319a1f37041c638b75a4839517e43a6d01bee7d85eaeedbce13cd15699d3ee42c7414cfed576590e4fb6ddb6edd3e1957efaf039bfe8b9dc75869b1f93abff15cae8b234161070fa3542303c2ed35ca66083d0ac299b81182317a2a3985269602b1fa1e822fcbda48e686d80b273f06b0a702ca7f42cbbbd2fc2b3601422c8bff6302eda3c61b293049636002649b16f3c1f0be2b6599d66493a4497cd795b10a2ab8220fafad24fa90e1bfcf39ecce337e705695c7a224bf9f445a287d6aab221341659ca4be7861f6ac4c9d33dac811e6
+M = 519b6e57781d40d897ec0c1b648d195526726b295438c9a70928ac25979563d72db91c8c42298a33b572edecdf40904c68a23337aa5341b56e92b0da5041
+
+# To fully exercise BN_mod_exp_mont_consttime codepaths, we generate inputs at
+# different bitwidths. rsaz-avx2.pl only runs at 1024-bit moduli, and
+# x86_64-mont5.pl unrolls 8 64-bit words at a time, so we want to capture both
+# multiples of 512- and non-multiples. Also include moduli that are not quite a
+# full word.
+
+# 512-bit
+ModExp = 00
+A = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000e
+E = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+M = 8f42c9e9e351ba9b32ab0cf69da43f4acf7028d19cff6e5059ea0e3fcc97c97f36a31470044737d4c0c933ac441ecb29e32c81401523afdac7de9c3fd8493c97
+
+# 1024-bit
+ModExp = 00
+A = 800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002f
+E = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+M = 9da8dc26fdf4d2e49833b240ee552beb7a6e251caa91bfb5d6cafaf8ed9461877fda8f6ac299036d35806bc1ae7872e54eaac1ec6bee6d02c6621a9cf8883b3abc33c49b3e601203e0e86ef8f0562412cc689ee2670704583909ca6d7774c9f9f9f4d77d37fedef9cb51d207cb629ec02fa03b526fd6594bfa8f2da71238a0b7
+
+# 1025-bit
+ModExp = 00
+A = 010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000011
+E = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+M = 010223abfdda02e84e11cec8ee7fc784fa135733935f7b9054bb70f1f06d234d76dcf3beed55c7f39e955dc1fef2b65009240fd02f7a1b27a78fc2867144bf666efb929856db9f671c356c4c67a068a70fe83c52eebda03668872fd270d0794f0771d217fb6b93b12529a944f7f0496a9158757c55b8ee14f803f1d2d887e2f561
+
+# 1088-bit
+ModExp = 00
+A = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003d
+E = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+M = e91f6d748773cb212a23aa348125615123b1800c9ea222c9374c757702ae4140fa333790ed8f6bf60a1d7dda65c2767cc5f33e32e333d19fbfb5a2b85795757c9ca070268763a618e9d33873d28a89bf88acd209efbb15b80cd33b92a6b3a682e1c91782fc24fb86ddff4f809219c977b54b99359094bbcc51dfe17b992ab24b74a17950ad754281
+
+# 1472-bit
+ModExp = 00
+A = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001d
+E = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+M = a8770362f4bfe4fc1ab0e52705c11a9b6ba235d5a5f22197c2d68e27ed18426ede3316af706aa79bcf943dbd51459eb15ae1f9386216b3f3a847f94440a65b97659bc5ba2adb67173714ecaa886c0b926d7a64ea45576f9d2171784ce7e801724d5b0abfd93357d538ea7ad3ad89a74f4660bdb66dfb5f684dcf00402e3cdf0ab58afd867c943c8f47b80268a789456aa7c50a619dd2f9f5e3f74b5d810f0f8dadbf4ad5b917cdcb156c4c132611c8b3b035118a9e03551f
+
+# 1536-bit
+ModExp = 00
+A = 800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002
+E = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+M = 878cd000778f927b2f1a4b8bac86efd282079a7ac0d25e09ffd2f72fbc282e65e233929d2457c7b1d63c56fb706cdfa04fb87e654c578c98d7cf59c2293dc5641086b68db4867105981daaf147a0ee91f6932ef064deae4142c19e58d50c0686f0eaf778be72450f89a98b4680bbc5ffab942195e44dd20616150fd1deca058068ca31ab2f861e99082588f17a2025bf5e536150142fca3187a259c791fc721430f24d7e338f8dc02e693a7e694d42775e80f7f7c03600b6ae86b4aba2b0e991
+
+# 2048-bit
+ModExp = 00
+A = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f
+E = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+M = 9f40a7535c561208ecb38e17c9336d9bc8484d335901b2cd42759cf03689227f6992f10cb6b586d767fbcdf30e9d82a0eda60d2694ccd0194fa96b50b56e0cdeec1951ea9e58b07e334a7f108841a0ab28256917fecea561388807ed124a17386a7a7b501f9cbf3404247a76948d0561e48137d3f9669e36f175731796aeaf78851f7d866917f661422186a4814aa35c066b5a90b9cfc918af769a9f0bb30c12581027df64ac328a0f07dbd20adb704479f6d0f233a131828c71bab19c3c34795ea4fb68aa632c6f688e5b3b84413c9031d8dc251003a590dec0dd09bfa6109ed4570701439b6f265b84ac2170c317357b5fbe5535e2bbdd93c1aacfdaa28c85
+
+# 3072-bit
+ModExp = 00
+A = 80000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001d
+E = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+M = c23dfd244a58a668d514498a705c8f8f548311b24f0f98b023d2d33632534c2ae948d6641d41fd7a29fbbd594bfc7fdd6e8162cbb3056af3075347b6fc8876458d33a9d0ffdbcdf482de0c73d1310fd8fa8f9f92dd0dbb0e2034e98a30f6c11b482f7476c5b593f673a322b1130daa4314e9074270dce1076436f0d56cf196afcbb235a9a7b3ac85b9062e85fc0e63a12c468c787019f6805f9faab64fc6a0babc80785d88740243f11366bffb40ccbe8b2bb7a99a2c8238a6f656bb0117d7b2602aa400f4d77de5f93c673f13264ca70de949454e3e3f261993c1aa427e8ef4f507af744f71f3b4aaf3c981d44cc1bfb1eb1151168762b242b740573df698e500d99612e17dc760f7b3bf7c235e39e81ad7edbe6c07dbb8b139745bb394d61cb799bcafec5de074932b0b2d74797e779ac8d81f63a2b2e9baa229dfaa7f90f34ffade1d2ad022a3407d35eb2d7477c6ae8ad100f6e95c05b4f947c1fabfb11a17add384e6b4cd3a02fd9b43f46805c6c74e366b74aa3b766be7a5fbbd67fa81
+
+# 4096-bit
+ModExp = 00
+A = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001
+E = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+M = 8030411ecbddcb0fe4e76fd6b5bf542e8b015d1610cf96130ded12ba2cda0641bd9692080f218ea8b0d751845b519d95b843542ec8d2a07f1f93afe3189b69a4f35c983011c7f7928c3df458cc3eae85c36e6934a4b1bc0a67c8a521de336642c49e10a7ffa8d0af911aacc19e3900449161940f139220e099a150dcaf0ff96ffff6e726c1ac139969103cf6a828ac3adf0301506aa02787b4f570d5dde53a34acab8fec6fa94760abf16ee99954371ad65a6e899daab87b95811d069404991de9abe064ebbddf886e970f10d260c899dda940191a82d4c8bd36651363aff5493f4f59e700007dcadf37ebea7fcfd7600d16617ffea0d9ae659446d851d93c564e50e558f734c894d735fa273770703dab62844d9f01badf632f3d14a00f739c022c9be95f54e9cea46ec6da7cb11f4602e06962951c48204726b7f120ddbd0eb3566dc8d1e6f195a9196e96db33322d088b43aecffe9b4df182dd016aca0bd14f1c56cd1a18b89165c027029862b09ffd78e92ab614349c4fd67f49cb12cd33d0728930d0538bda57acef1365a73cc8fbac7d463b9e3c3bae0bb6224b080cdb8b5cd47d546d53111fdc22b7ff679bcfe27192920ee163b2be337d8cccc93b4de7d2d31934b9c0e97af291dcc1135b4a473bd37114eec3ba75c411887b57799d3188e7353f33a4d31735ebfc9fcfc044985148dd96da3876a5ab7ea7a404b411
+
# RSAZ 512-bit.
#
diff --git a/src/crypto/fipsmodule/bn/bytes.c b/src/crypto/fipsmodule/bn/bytes.c
index 56241e3..38d71a3 100644
--- a/src/crypto/fipsmodule/bn/bytes.c
+++ b/src/crypto/fipsmodule/bn/bytes.c
@@ -61,19 +61,38 @@
#include "internal.h"
+void bn_big_endian_to_words(BN_ULONG *out, size_t out_len, const uint8_t *in,
+ size_t in_len) {
+ for (size_t i = 0; i < out_len; i++) {
+ if (in_len < sizeof(BN_ULONG)) {
+ // Load the last partial word.
+ BN_ULONG word = 0;
+ for (size_t j = 0; j < in_len; j++) {
+ word = (word << 8) | in[j];
+ }
+ in_len = 0;
+ out[i] = word;
+ // Fill the remainder with zeros.
+ OPENSSL_memset(out + i + 1, 0, (out_len - i - 1) * sizeof(BN_ULONG));
+ break;
+ }
-BIGNUM *BN_bin2bn(const uint8_t *in, size_t len, BIGNUM *ret) {
- size_t num_words;
- unsigned m;
- BN_ULONG word = 0;
- BIGNUM *bn = NULL;
-
- if (ret == NULL) {
- ret = bn = BN_new();
+ in_len -= sizeof(BN_ULONG);
+ out[i] = CRYPTO_load_word_be(in + in_len);
}
+ // The caller should have sized the output to avoid truncation.
+ assert(in_len == 0);
+}
+
+BIGNUM *BN_bin2bn(const uint8_t *in, size_t len, BIGNUM *ret) {
+ BIGNUM *bn = NULL;
if (ret == NULL) {
- return NULL;
+ bn = BN_new();
+ if (bn == NULL) {
+ return NULL;
+ }
+ ret = bn;
}
if (len == 0) {
@@ -81,12 +100,9 @@
return ret;
}
- num_words = ((len - 1) / BN_BYTES) + 1;
- m = (len - 1) % BN_BYTES;
+ size_t num_words = ((len - 1) / BN_BYTES) + 1;
if (!bn_wexpand(ret, num_words)) {
- if (bn) {
- BN_free(bn);
- }
+ BN_free(bn);
return NULL;
}
@@ -96,15 +112,7 @@
ret->width = (int)num_words;
ret->neg = 0;
- while (len--) {
- word = (word << 8) | *(in++);
- if (m-- == 0) {
- ret->d[--num_words] = word;
- word = 0;
- m = BN_BYTES - 1;
- }
- }
-
+ bn_big_endian_to_words(ret->d, ret->width, in, len);
return ret;
}
@@ -112,13 +120,12 @@
BIGNUM *bn = NULL;
if (ret == NULL) {
bn = BN_new();
+ if (bn == NULL) {
+ return NULL;
+ }
ret = bn;
}
- if (ret == NULL) {
- return NULL;
- }
-
if (len == 0) {
ret->width = 0;
ret->neg = 0;
@@ -142,38 +149,58 @@
return ret;
}
-size_t BN_bn2bin(const BIGNUM *in, uint8_t *out) {
- size_t n, i;
- BN_ULONG l;
-
- n = i = BN_num_bytes(in);
- while (i--) {
- l = in->d[i / BN_BYTES];
- *(out++) = (unsigned char)(l >> (8 * (i % BN_BYTES))) & 0xff;
- }
- return n;
-}
-
-static int fits_in_bytes(const uint8_t *bytes, size_t num_bytes, size_t len) {
+// fits_in_bytes returns one if the |num_words| words in |words| can be
+// represented in |num_bytes| bytes.
+static int fits_in_bytes(const BN_ULONG *words, size_t num_words,
+ size_t num_bytes) {
+ const uint8_t *bytes = (const uint8_t *)words;
+ size_t tot_bytes = num_words * sizeof(BN_ULONG);
uint8_t mask = 0;
- for (size_t i = len; i < num_bytes; i++) {
+ for (size_t i = num_bytes; i < tot_bytes; i++) {
mask |= bytes[i];
}
return mask == 0;
}
+void bn_words_to_big_endian(uint8_t *out, size_t out_len, const BN_ULONG *in,
+ size_t in_len) {
+ // The caller should have selected an output length without truncation.
+ assert(fits_in_bytes(in, in_len, out_len));
+
+ // We only support little-endian platforms, so the internal representation is
+ // also little-endian as bytes. We can simply copy it in reverse.
+ const uint8_t *bytes = (const uint8_t *)in;
+ size_t num_bytes = in_len * sizeof(BN_ULONG);
+ if (out_len < num_bytes) {
+ num_bytes = out_len;
+ }
+
+ for (size_t i = 0; i < num_bytes; i++) {
+ out[out_len - i - 1] = bytes[i];
+ }
+ // Pad out the rest of the buffer with zeroes.
+ OPENSSL_memset(out, 0, out_len - num_bytes);
+}
+
+size_t BN_bn2bin(const BIGNUM *in, uint8_t *out) {
+ size_t n = BN_num_bytes(in);
+ bn_words_to_big_endian(out, n, in->d, in->width);
+ return n;
+}
+
int BN_bn2le_padded(uint8_t *out, size_t len, const BIGNUM *in) {
- const uint8_t *bytes = (const uint8_t *)in->d;
- size_t num_bytes = in->width * BN_BYTES;
- if (len < num_bytes) {
- if (!fits_in_bytes(bytes, num_bytes, len)) {
- return 0;
- }
- num_bytes = len;
+ if (!fits_in_bytes(in->d, in->width, len)) {
+ return 0;
}
// We only support little-endian platforms, so we can simply memcpy into the
// internal representation.
+ const uint8_t *bytes = (const uint8_t *)in->d;
+ size_t num_bytes = in->width * BN_BYTES;
+ if (len < num_bytes) {
+ num_bytes = len;
+ }
+
OPENSSL_memcpy(out, bytes, num_bytes);
// Pad out the rest of the buffer with zeroes.
OPENSSL_memset(out + num_bytes, 0, len - num_bytes);
@@ -181,22 +208,11 @@
}
int BN_bn2bin_padded(uint8_t *out, size_t len, const BIGNUM *in) {
- const uint8_t *bytes = (const uint8_t *)in->d;
- size_t num_bytes = in->width * BN_BYTES;
- if (len < num_bytes) {
- if (!fits_in_bytes(bytes, num_bytes, len)) {
- return 0;
- }
- num_bytes = len;
+ if (!fits_in_bytes(in->d, in->width, len)) {
+ return 0;
}
- // We only support little-endian platforms, so we can simply write the buffer
- // in reverse.
- for (size_t i = 0; i < num_bytes; i++) {
- out[len - i - 1] = bytes[i];
- }
- // Pad out the rest of the buffer with zeroes.
- OPENSSL_memset(out, 0, len - num_bytes);
+ bn_words_to_big_endian(out, len, in->d, in->width);
return 1;
}
diff --git a/src/crypto/fipsmodule/bn/exponentiation.c b/src/crypto/fipsmodule/bn/exponentiation.c
index f5f9dc2..38013ed 100644
--- a/src/crypto/fipsmodule/bn/exponentiation.c
+++ b/src/crypto/fipsmodule/bn/exponentiation.c
@@ -979,13 +979,13 @@
#if defined(OPENSSL_BN_ASM_MONT5)
if (window >= 5) {
window = 5; // ~5% improvement for RSA2048 sign, and even for RSA4096
- // reserve space for mont->N.d[] copy
+ // Reserve space for the |mont->N| copy.
powerbufLen += top * sizeof(mont->N.d[0]);
}
#endif
// Allocate a buffer large enough to hold all of the pre-computed
- // powers of am, am itself and tmp.
+ // powers of |am|, |am| itself, and |tmp|.
numPowers = 1 << window;
powerbufLen +=
sizeof(m->d[0]) *
@@ -1008,7 +1008,7 @@
}
OPENSSL_memset(powerbuf, 0, powerbufLen);
- // lay down tmp and am right after powers table
+ // Place |tmp| and |am| right after powers table.
tmp.d = powerbuf + top * numPowers;
am.d = tmp.d + top;
tmp.width = am.width = 0;
@@ -1028,18 +1028,26 @@
}
#if defined(OPENSSL_BN_ASM_MONT5)
- // This optimization uses ideas from http://eprint.iacr.org/2011/239,
- // specifically optimization of cache-timing attack countermeasures
- // and pre-computation optimization.
-
- // Dedicated window==4 case improves 512-bit RSA sign by ~15%, but as
- // 512-bit RSA is hardly relevant, we omit it to spare size...
+ // This optimization uses ideas from https://eprint.iacr.org/2011/239,
+ // specifically optimization of cache-timing attack countermeasures,
+ // pre-computation optimization, and Almost Montgomery Multiplication.
+ //
+ // The paper discusses a 4-bit window to optimize 512-bit modular
+ // exponentiation, used in RSA-1024 with CRT, but RSA-1024 is no longer
+ // important.
+ //
+ // |bn_mul_mont_gather5| and |bn_power5| implement the "almost" reduction
+ // variant, so the values here may not be fully reduced. They are bounded by R
+ // (i.e. they fit in |top| words), not |m|. Additionally, we pass these
+ // "almost" reduced inputs into |bn_mul_mont|, which implements the normal
+ // reduction variant. Given those inputs, |bn_mul_mont| may not give reduced
+ // output, but it will still produce "almost" reduced output.
+ //
+ // TODO(davidben): Using "almost" reduction complicates analysis of this code,
+ // and its interaction with other parts of the project. Determine whether this
+ // is actually necessary for performance.
if (window == 5 && top > 1) {
- const BN_ULONG *n0 = mont->n0;
- BN_ULONG *np;
-
- // BN_to_montgomery can contaminate words above .top
- // [in BN_DEBUG[_DEBUG] build]...
+ // Ensure |am| and |tmp| are padded to the right width.
for (i = am.width; i < top; i++) {
am.d[i] = 0;
}
@@ -1047,30 +1055,34 @@
tmp.d[i] = 0;
}
- // copy mont->N.d[] to improve cache locality
- for (np = am.d + top, i = 0; i < top; i++) {
+ // Copy |mont->N| to improve cache locality.
+ BN_ULONG *np = am.d + top;
+ for (i = 0; i < top; i++) {
np[i] = mont->N.d[i];
}
+ // Fill |powerbuf| with the first 32 powers of |am|.
+ const BN_ULONG *n0 = mont->n0;
bn_scatter5(tmp.d, top, powerbuf, 0);
bn_scatter5(am.d, am.width, powerbuf, 1);
bn_mul_mont(tmp.d, am.d, am.d, np, n0, top);
bn_scatter5(tmp.d, top, powerbuf, 2);
- // same as above, but uses squaring for 1/2 of operations
+ // Square to compute powers of two.
for (i = 4; i < 32; i *= 2) {
bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top);
bn_scatter5(tmp.d, top, powerbuf, i);
}
+ // Compute odd powers |i| based on |i - 1|, then all powers |i * 2^j|.
for (i = 3; i < 8; i += 2) {
- int j;
bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np, n0, top, i - 1);
bn_scatter5(tmp.d, top, powerbuf, i);
- for (j = 2 * i; j < 32; j *= 2) {
+ for (int j = 2 * i; j < 32; j *= 2) {
bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top);
bn_scatter5(tmp.d, top, powerbuf, j);
}
}
+ // These two loops are the above with the inner loop unrolled.
for (; i < 16; i += 2) {
bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np, n0, top, i - 1);
bn_scatter5(tmp.d, top, powerbuf, i);
@@ -1137,15 +1149,15 @@
bn_power5(tmp.d, tmp.d, powerbuf, np, n0, top, val);
}
}
-
- ret = bn_from_montgomery(tmp.d, tmp.d, NULL, np, n0, top);
- tmp.width = top;
- if (ret) {
- if (!BN_copy(rr, &tmp)) {
- ret = 0;
- }
- goto err; // non-zero ret means it's not error
- }
+ // The result is now in |tmp| in Montgomery form, but it may not be fully
+ // reduced. This is within bounds for |BN_from_montgomery| (tmp < R <= m*R)
+ // so it will, when converting from Montgomery form, produce a fully reduced
+ // result.
+ //
+ // This differs from Figure 2 of the paper, which uses AMM(h, 1) to convert
+ // from Montgomery form with unreduced output, followed by an extra
+ // reduction step. In the paper's terminology, we replace steps 9 and 10
+ // with MM(h, 1).
} else
#endif
{
@@ -1206,7 +1218,11 @@
}
}
- // Convert the final result from montgomery to standard format
+ // Convert the final result from Montgomery to standard format. If we used the
+ // |OPENSSL_BN_ASM_MONT5| codepath, |tmp| may not be fully reduced. It is only
+ // bounded by R rather than |m|. However, that is still within bounds for
+ // |BN_from_montgomery|, which implements full Montgomery reduction, not
+ // "almost" Montgomery reduction.
if (!BN_from_montgomery(rr, &tmp, mont, ctx)) {
goto err;
}
diff --git a/src/crypto/fipsmodule/bn/internal.h b/src/crypto/fipsmodule/bn/internal.h
index cab9a81..79b25b0 100644
--- a/src/crypto/fipsmodule/bn/internal.h
+++ b/src/crypto/fipsmodule/bn/internal.h
@@ -353,6 +353,9 @@
// corresponding field in |BN_MONT_CTX|. It returns one if |bn_mul_mont| handles
// inputs of this size and zero otherwise.
//
+// If at least one of |ap| or |bp| is fully reduced, |rp| will be fully reduced.
+// If neither is fully-reduced, the output may not be either.
+//
// TODO(davidben): The x86_64 implementation expects a 32-bit input and masks
// off upper bits. The aarch64 implementation expects a 64-bit input and does
// not. |size_t| is the safer option but not strictly correct for x86_64. But
@@ -372,6 +375,10 @@
// by |ap| modulo |np|, and stores the result in |rp|. The values are |num|
// words long and represented in Montgomery form. |n0| is a pointer to the
// corresponding field in |BN_MONT_CTX|.
+//
+// WARNING: This function implements Almost Montgomery Multiplication from
+// https://eprint.iacr.org/2011/239. The inputs do not need to be fully reduced.
+// However, even if they are fully reduced, the output may not be.
void bn_mul_mont_gather5(BN_ULONG *rp, const BN_ULONG *ap,
const BN_ULONG *table, const BN_ULONG *np,
const BN_ULONG *n0, int num, int power);
@@ -391,16 +398,12 @@
// values are |num| words long and represented in Montgomery form. |n0| is a
// pointer to the corresponding field in |BN_MONT_CTX|. |num| must be divisible
// by 8.
+//
+// WARNING: This function implements Almost Montgomery Multiplication from
+// https://eprint.iacr.org/2011/239. The inputs do not need to be fully reduced.
+// However, even if they are fully reduced, the output may not be.
void bn_power5(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *table,
const BN_ULONG *np, const BN_ULONG *n0, int num, int power);
-
-// bn_from_montgomery converts |ap| from Montgomery form modulo |np| and writes
-// the result in |rp|, each of which is |num| words long. It returns one on
-// success and zero if it cannot handle inputs of length |num|. |n0| is a
-// pointer to the corresponding field in |BN_MONT_CTX|.
-int bn_from_montgomery(BN_ULONG *rp, const BN_ULONG *ap,
- const BN_ULONG *not_used, const BN_ULONG *np,
- const BN_ULONG *n0, int num);
#endif // !OPENSSL_NO_ASM && OPENSSL_X86_64
uint64_t bn_mont_n0(const BIGNUM *n);
@@ -708,6 +711,25 @@
size_t num, const BN_MONT_CTX *mont);
+// Word-based byte conversion functions.
+
+// bn_big_endian_to_words interprets |in_len| bytes from |in| as a big-endian,
+// unsigned integer and writes the result to |out_len| words in |out|. |out_len|
+// must be large enough to represent any |in_len|-byte value. That is, |out_len|
+// must be at least |BN_BYTES * in_len|.
+void bn_big_endian_to_words(BN_ULONG *out, size_t out_len, const uint8_t *in,
+ size_t in_len);
+
+// bn_words_to_big_endian represents |in_len| words from |in| as a big-endian,
+// unsigned integer in |out_len| bytes. It writes the result to |out|. |out_len|
+// must be large enough to represent |in| without truncation.
+//
+// Note |out_len| may be less than |BN_BYTES * in_len| if |in| is known to have
+// leading zeros.
+void bn_words_to_big_endian(uint8_t *out, size_t out_len, const BN_ULONG *in,
+ size_t in_len);
+
+
#if defined(__cplusplus)
} // extern C
#endif
diff --git a/src/crypto/fipsmodule/bn/random.c b/src/crypto/fipsmodule/bn/random.c
index f6812f1..36ad679 100644
--- a/src/crypto/fipsmodule/bn/random.c
+++ b/src/crypto/fipsmodule/bn/random.c
@@ -115,9 +115,10 @@
#include <openssl/rand.h>
#include <openssl/type_check.h>
-#include "internal.h"
#include "../../internal.h"
#include "../rand/internal.h"
+#include "../service_indicator/internal.h"
+#include "internal.h"
int BN_rand(BIGNUM *rnd, int bits, int top, int bottom) {
@@ -155,7 +156,10 @@
return 0;
}
+ FIPS_service_indicator_lock_state();
RAND_bytes((uint8_t *)rnd->d, words * sizeof(BN_ULONG));
+ FIPS_service_indicator_unlock_state();
+
rnd->d[words - 1] &= mask;
if (top != BN_RAND_TOP_ANY) {
if (top == BN_RAND_TOP_TWO && bits > 1) {
@@ -270,8 +274,10 @@
// Steps 4 and 5. Use |words| and |mask| together to obtain a string of N
// bits, where N is the bit length of |max_exclusive|.
+ FIPS_service_indicator_lock_state();
RAND_bytes_with_additional_data((uint8_t *)out, words * sizeof(BN_ULONG),
additional_data);
+ FIPS_service_indicator_unlock_state();
out[words - 1] &= mask;
// If out >= max_exclusive or out < min_inclusive, retry. This implements
@@ -313,7 +319,9 @@
}
// Select a uniform random number with num_bits(max_exclusive) bits.
+ FIPS_service_indicator_lock_state();
RAND_bytes((uint8_t *)r->d, words * sizeof(BN_ULONG));
+ FIPS_service_indicator_unlock_state();
r->d[words - 1] &= mask;
// Check, in constant-time, if the value is in range.
diff --git a/src/crypto/fipsmodule/bn/rsaz_exp.c b/src/crypto/fipsmodule/bn/rsaz_exp.c
index 7e15aaf..074f05d 100644
--- a/src/crypto/fipsmodule/bn/rsaz_exp.c
+++ b/src/crypto/fipsmodule/bn/rsaz_exp.c
@@ -219,6 +219,8 @@
rsaz_1024_mul_avx2(result, result, one, m, k0);
rsaz_1024_red2norm_avx2(result_norm, result);
+ BN_ULONG scratch[16];
+ bn_reduce_once_in_place(result_norm, /*carry=*/0, m_norm, scratch, 16);
OPENSSL_cleanse(storage, MOD_EXP_CTIME_STORAGE_LEN * sizeof(BN_ULONG));
}
diff --git a/src/crypto/fipsmodule/bn/rsaz_exp.h b/src/crypto/fipsmodule/bn/rsaz_exp.h
index 104bb7a..bc7a439 100644
--- a/src/crypto/fipsmodule/bn/rsaz_exp.h
+++ b/src/crypto/fipsmodule/bn/rsaz_exp.h
@@ -90,7 +90,11 @@
int i);
// rsaz_1024_red2norm_avx2 converts |red| from RSAZ to |BIGNUM| representation
-// and writes the result to |norm|.
+// and writes the result to |norm|. The result will be <= the modulus.
+//
+// WARNING: The result of this operation may not be fully reduced. |norm| may be
+// the modulus instead of zero. This function should be followed by a call to
+// |bn_reduce_once|.
void rsaz_1024_red2norm_avx2(BN_ULONG norm[16], const BN_ULONG red[40]);
diff --git a/src/crypto/fipsmodule/cipher/cipher.c b/src/crypto/fipsmodule/cipher/cipher.c
index 64ee544..a126986 100644
--- a/src/crypto/fipsmodule/cipher/cipher.c
+++ b/src/crypto/fipsmodule/cipher/cipher.c
@@ -65,6 +65,7 @@
#include <openssl/nid.h>
#include "internal.h"
+#include "../service_indicator/internal.h"
#include "../../internal.h"
@@ -322,24 +323,26 @@
}
int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len) {
- int n, ret;
+ int n;
unsigned int i, b, bl;
if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
- ret = ctx->cipher->cipher(ctx, out, NULL, 0);
- if (ret < 0) {
+ // When EVP_CIPH_FLAG_CUSTOM_CIPHER is set, the return value of |cipher| is
+ // the number of bytes written, or -1 on error. Otherwise the return value
+ // is one on success and zero on error.
+ const int num_bytes = ctx->cipher->cipher(ctx, out, NULL, 0);
+ if (num_bytes < 0) {
return 0;
- } else {
- *out_len = ret;
}
- return 1;
+ *out_len = num_bytes;
+ goto out;
}
b = ctx->cipher->block_size;
assert(b <= sizeof(ctx->buf));
if (b == 1) {
*out_len = 0;
- return 1;
+ goto out;
}
bl = ctx->buf_len;
@@ -349,20 +352,21 @@
return 0;
}
*out_len = 0;
- return 1;
+ goto out;
}
n = b - bl;
for (i = bl; i < b; i++) {
ctx->buf[i] = n;
}
- ret = ctx->cipher->cipher(ctx, out, ctx->buf, b);
-
- if (ret) {
- *out_len = b;
+ if (!ctx->cipher->cipher(ctx, out, ctx->buf, b)) {
+ return 0;
}
+ *out_len = b;
- return ret;
+out:
+ EVP_Cipher_verify_service_indicator(ctx);
+ return 1;
}
int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len,
@@ -436,7 +440,7 @@
} else {
*out_len = i;
}
- return 1;
+ goto out;
}
b = ctx->cipher->block_size;
@@ -446,7 +450,7 @@
return 0;
}
*out_len = 0;
- return 1;
+ goto out;
}
if (b > 1) {
@@ -480,12 +484,30 @@
*out_len = 0;
}
+out:
+ EVP_Cipher_verify_service_indicator(ctx);
return 1;
}
int EVP_Cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
size_t in_len) {
- return ctx->cipher->cipher(ctx, out, in, in_len);
+ const int ret = ctx->cipher->cipher(ctx, out, in, in_len);
+
+ // |EVP_CIPH_FLAG_CUSTOM_CIPHER| never sets the FIPS indicator via
+ // |EVP_Cipher| because it's complicated whether the operation has completed
+ // or not. E.g. AES-GCM with a non-NULL |in| argument hasn't completed an
+ // operation. Callers should use the |EVP_AEAD| API or, at least,
+ // |EVP_CipherUpdate| etc.
+ //
+ // This call can't be pushed into |EVP_Cipher_verify_service_indicator|
+ // because whether |ret| indicates success or not depends on whether
+ // |EVP_CIPH_FLAG_CUSTOM_CIPHER| is set. (This unreasonable, but matches
+ // OpenSSL.)
+ if (!(ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) && ret) {
+ EVP_Cipher_verify_service_indicator(ctx);
+ }
+
+ return ret;
}
int EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len,
diff --git a/src/crypto/fipsmodule/cipher/e_aes.c b/src/crypto/fipsmodule/cipher/e_aes.c
index 7e7c1a8..ec441e8 100644
--- a/src/crypto/fipsmodule/cipher/e_aes.c
+++ b/src/crypto/fipsmodule/cipher/e_aes.c
@@ -61,6 +61,7 @@
#include "../../internal.h"
#include "../aes/internal.h"
#include "../modes/internal.h"
+#include "../service_indicator/internal.h"
#include "../delocate.h"
@@ -485,8 +486,13 @@
if (arg) {
OPENSSL_memcpy(gctx->iv, ptr, arg);
}
- if (c->encrypt && !RAND_bytes(gctx->iv + arg, gctx->ivlen - arg)) {
- return 0;
+ if (c->encrypt) {
+ // |RAND_bytes| calls within the fipsmodule should be wrapped with state
+ // lock functions to avoid updating the service indicator with the DRBG
+ // functions.
+ FIPS_service_indicator_lock_state();
+ RAND_bytes(gctx->iv + arg, gctx->ivlen - arg);
+ FIPS_service_indicator_unlock_state();
}
gctx->iv_gen = 1;
return 1;
@@ -1099,9 +1105,14 @@
const uint8_t *in_tag, size_t in_tag_len,
const uint8_t *ad, size_t ad_len) {
struct aead_aes_gcm_ctx *gcm_ctx = (struct aead_aes_gcm_ctx *)&ctx->state;
- return aead_aes_gcm_open_gather_impl(gcm_ctx, out, nonce, nonce_len, in,
- in_len, in_tag, in_tag_len, ad, ad_len,
- ctx->tag_len);
+ if (!aead_aes_gcm_open_gather_impl(gcm_ctx, out, nonce, nonce_len, in, in_len,
+ in_tag, in_tag_len, ad, ad_len,
+ ctx->tag_len)) {
+ return 0;
+ }
+
+ AEAD_GCM_verify_service_indicator(ctx);
+ return 1;
}
DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_128_gcm) {
@@ -1186,7 +1197,12 @@
return 0;
}
+ // |RAND_bytes| calls within the fipsmodule should be wrapped with state lock
+ // functions to avoid updating the service indicator with the DRBG functions.
+ FIPS_service_indicator_lock_state();
RAND_bytes(nonce, sizeof(nonce));
+ FIPS_service_indicator_unlock_state();
+
const struct aead_aes_gcm_ctx *gcm_ctx =
(const struct aead_aes_gcm_ctx *)&ctx->state;
if (!aead_aes_gcm_seal_scatter_impl(gcm_ctx, out, out_tag, out_tag_len,
@@ -1201,6 +1217,7 @@
memcpy(out_tag + *out_tag_len, nonce, sizeof(nonce));
*out_tag_len += sizeof(nonce);
+ AEAD_GCM_verify_service_indicator(ctx);
return 1;
}
@@ -1223,10 +1240,15 @@
const struct aead_aes_gcm_ctx *gcm_ctx =
(const struct aead_aes_gcm_ctx *)&ctx->state;
- return aead_aes_gcm_open_gather_impl(
+ if (!aead_aes_gcm_open_gather_impl(
gcm_ctx, out, nonce, AES_GCM_NONCE_LENGTH, in, in_len, in_tag,
in_tag_len - AES_GCM_NONCE_LENGTH, ad, ad_len,
- ctx->tag_len - AES_GCM_NONCE_LENGTH);
+ ctx->tag_len - AES_GCM_NONCE_LENGTH)) {
+ return 0;
+ }
+
+ AEAD_GCM_verify_service_indicator(ctx);
+ return 1;
}
DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_128_gcm_randnonce) {
@@ -1316,9 +1338,14 @@
gcm_ctx->min_next_nonce = given_counter + 1;
- return aead_aes_gcm_seal_scatter(ctx, out, out_tag, out_tag_len,
- max_out_tag_len, nonce, nonce_len, in,
- in_len, extra_in, extra_in_len, ad, ad_len);
+ if (!aead_aes_gcm_seal_scatter(ctx, out, out_tag, out_tag_len,
+ max_out_tag_len, nonce, nonce_len, in, in_len,
+ extra_in, extra_in_len, ad, ad_len)) {
+ return 0;
+ }
+
+ AEAD_GCM_verify_service_indicator(ctx);
+ return 1;
}
DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_128_gcm_tls12) {
@@ -1422,9 +1449,14 @@
gcm_ctx->min_next_nonce = given_counter + 1;
- return aead_aes_gcm_seal_scatter(ctx, out, out_tag, out_tag_len,
- max_out_tag_len, nonce, nonce_len, in,
- in_len, extra_in, extra_in_len, ad, ad_len);
+ if (!aead_aes_gcm_seal_scatter(ctx, out, out_tag, out_tag_len,
+ max_out_tag_len, nonce, nonce_len, in, in_len,
+ extra_in, extra_in_len, ad, ad_len)) {
+ return 0;
+ }
+
+ AEAD_GCM_verify_service_indicator(ctx);
+ return 1;
}
DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_128_gcm_tls13) {
diff --git a/src/crypto/cipher_extra/e_aesccm.c b/src/crypto/fipsmodule/cipher/e_aesccm.c
similarity index 92%
rename from src/crypto/cipher_extra/e_aesccm.c
rename to src/crypto/fipsmodule/cipher/e_aesccm.c
index 844b9b9..fcbd20b 100644
--- a/src/crypto/cipher_extra/e_aesccm.c
+++ b/src/crypto/fipsmodule/cipher/e_aesccm.c
@@ -54,7 +54,9 @@
#include <openssl/err.h>
#include <openssl/mem.h>
-#include "../fipsmodule/cipher/internal.h"
+#include "../delocate.h"
+#include "../service_indicator/internal.h"
+#include "internal.h"
struct ccm128_context {
@@ -350,6 +352,7 @@
}
*out_tag_len = ctx->tag_len;
+ AEAD_CCM_verify_service_indicator(ctx);
return 1;
}
@@ -390,6 +393,7 @@
return 0;
}
+ AEAD_CCM_verify_service_indicator(ctx);
return 1;
}
@@ -398,25 +402,18 @@
return aead_aes_ccm_init(ctx, key, key_len, tag_len, 4, 2);
}
-static const EVP_AEAD aead_aes_128_ccm_bluetooth = {
- 16, // key length (AES-128)
- 13, // nonce length
- 4, // overhead
- 4, // max tag length
- 0, // seal_scatter_supports_extra_in
+DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_128_ccm_bluetooth) {
+ memset(out, 0, sizeof(EVP_AEAD));
- aead_aes_ccm_bluetooth_init,
- NULL /* init_with_direction */,
- aead_aes_ccm_cleanup,
- NULL /* open */,
- aead_aes_ccm_seal_scatter,
- aead_aes_ccm_open_gather,
- NULL /* get_iv */,
- NULL /* tag_len */,
-};
+ out->key_len = 16;
+ out->nonce_len = 13;
+ out->overhead = 4;
+ out->max_tag_len = 4;
-const EVP_AEAD *EVP_aead_aes_128_ccm_bluetooth(void) {
- return &aead_aes_128_ccm_bluetooth;
+ out->init = aead_aes_ccm_bluetooth_init;
+ out->cleanup = aead_aes_ccm_cleanup;
+ out->seal_scatter = aead_aes_ccm_seal_scatter;
+ out->open_gather = aead_aes_ccm_open_gather;
}
static int aead_aes_ccm_bluetooth_8_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
@@ -424,23 +421,16 @@
return aead_aes_ccm_init(ctx, key, key_len, tag_len, 8, 2);
}
-static const EVP_AEAD aead_aes_128_ccm_bluetooth_8 = {
- 16, // key length (AES-128)
- 13, // nonce length
- 8, // overhead
- 8, // max tag length
- 0, // seal_scatter_supports_extra_in
+DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_128_ccm_bluetooth_8) {
+ memset(out, 0, sizeof(EVP_AEAD));
- aead_aes_ccm_bluetooth_8_init,
- NULL /* init_with_direction */,
- aead_aes_ccm_cleanup,
- NULL /* open */,
- aead_aes_ccm_seal_scatter,
- aead_aes_ccm_open_gather,
- NULL /* get_iv */,
- NULL /* tag_len */,
-};
+ out->key_len = 16;
+ out->nonce_len = 13;
+ out->overhead = 8;
+ out->max_tag_len = 8;
-const EVP_AEAD *EVP_aead_aes_128_ccm_bluetooth_8(void) {
- return &aead_aes_128_ccm_bluetooth_8;
+ out->init = aead_aes_ccm_bluetooth_8_init;
+ out->cleanup = aead_aes_ccm_cleanup;
+ out->seal_scatter = aead_aes_ccm_seal_scatter;
+ out->open_gather = aead_aes_ccm_open_gather;
}
diff --git a/src/crypto/cmac/cavp_3des_cmac_tests.txt b/src/crypto/fipsmodule/cmac/cavp_3des_cmac_tests.txt
similarity index 100%
rename from src/crypto/cmac/cavp_3des_cmac_tests.txt
rename to src/crypto/fipsmodule/cmac/cavp_3des_cmac_tests.txt
diff --git a/src/crypto/cmac/cavp_aes128_cmac_tests.txt b/src/crypto/fipsmodule/cmac/cavp_aes128_cmac_tests.txt
similarity index 100%
rename from src/crypto/cmac/cavp_aes128_cmac_tests.txt
rename to src/crypto/fipsmodule/cmac/cavp_aes128_cmac_tests.txt
diff --git a/src/crypto/cmac/cavp_aes192_cmac_tests.txt b/src/crypto/fipsmodule/cmac/cavp_aes192_cmac_tests.txt
similarity index 100%
rename from src/crypto/cmac/cavp_aes192_cmac_tests.txt
rename to src/crypto/fipsmodule/cmac/cavp_aes192_cmac_tests.txt
diff --git a/src/crypto/cmac/cavp_aes256_cmac_tests.txt b/src/crypto/fipsmodule/cmac/cavp_aes256_cmac_tests.txt
similarity index 100%
rename from src/crypto/cmac/cavp_aes256_cmac_tests.txt
rename to src/crypto/fipsmodule/cmac/cavp_aes256_cmac_tests.txt
diff --git a/src/crypto/cmac/cmac.c b/src/crypto/fipsmodule/cmac/cmac.c
similarity index 85%
rename from src/crypto/cmac/cmac.c
rename to src/crypto/fipsmodule/cmac/cmac.c
index b6a10f7..f5c805d 100644
--- a/src/crypto/cmac/cmac.c
+++ b/src/crypto/fipsmodule/cmac/cmac.c
@@ -55,7 +55,8 @@
#include <openssl/cipher.h>
#include <openssl/mem.h>
-#include "../internal.h"
+#include "../../internal.h"
+#include "../service_indicator/internal.h"
struct cmac_ctx_st {
@@ -85,6 +86,8 @@
const uint8_t *in, size_t in_len) {
const EVP_CIPHER *cipher;
switch (key_len) {
+ // WARNING: this code assumes that all supported key sizes are FIPS
+ // Approved.
case 16:
cipher = EVP_aes_128_cbc();
break;
@@ -99,10 +102,17 @@
CMAC_CTX ctx;
CMAC_CTX_init(&ctx);
+ // We have to verify that all the CMAC services actually succeed before
+ // updating the indicator state, so we lock the state here.
+ FIPS_service_indicator_lock_state();
const int ok = CMAC_Init(&ctx, key, key_len, cipher, NULL /* engine */) &&
CMAC_Update(&ctx, in, in_len) &&
CMAC_Final(&ctx, out, &scratch_out_len);
+ FIPS_service_indicator_unlock_state();
+ if (ok) {
+ FIPS_service_indicator_update_state();
+ }
CMAC_CTX_cleanup(&ctx);
return ok;
}
@@ -173,8 +183,13 @@
int CMAC_Init(CMAC_CTX *ctx, const void *key, size_t key_len,
const EVP_CIPHER *cipher, ENGINE *engine) {
+ int ret = 0;
uint8_t scratch[AES_BLOCK_SIZE];
+ // We have to avoid the underlying AES-CBC |EVP_CIPHER| services updating the
+ // indicator state, so we lock the state here.
+ FIPS_service_indicator_lock_state();
+
size_t block_size = EVP_CIPHER_block_size(cipher);
if ((block_size != AES_BLOCK_SIZE && block_size != 8 /* 3-DES */) ||
EVP_CIPHER_key_length(cipher) != key_len ||
@@ -182,7 +197,7 @@
!EVP_Cipher(&ctx->cipher_ctx, scratch, kZeroIV, block_size) ||
// Reset context again ready for first data.
!EVP_EncryptInit_ex(&ctx->cipher_ctx, NULL, NULL, NULL, kZeroIV)) {
- return 0;
+ goto out;
}
if (block_size == AES_BLOCK_SIZE) {
@@ -193,8 +208,11 @@
binary_field_mul_x_64(ctx->k2, ctx->k1);
}
ctx->block_used = 0;
+ ret = 1;
- return 1;
+out:
+ FIPS_service_indicator_unlock_state();
+ return ret;
}
int CMAC_Reset(CMAC_CTX *ctx) {
@@ -203,6 +221,12 @@
}
int CMAC_Update(CMAC_CTX *ctx, const uint8_t *in, size_t in_len) {
+ int ret = 0;
+
+ // We have to avoid the underlying AES-CBC |EVP_Cipher| services updating the
+ // indicator state, so we lock the state here.
+ FIPS_service_indicator_lock_state();
+
size_t block_size = EVP_CIPHER_CTX_block_size(&ctx->cipher_ctx);
assert(block_size <= AES_BLOCK_SIZE);
uint8_t scratch[AES_BLOCK_SIZE];
@@ -224,20 +248,21 @@
// case we don't want to process this block now because it might be the last
// block and that block is treated specially.
if (in_len == 0) {
- return 1;
+ ret = 1;
+ goto out;
}
assert(ctx->block_used == block_size);
if (!EVP_Cipher(&ctx->cipher_ctx, scratch, ctx->block, block_size)) {
- return 0;
+ goto out;
}
}
// Encrypt all but one of the remaining blocks.
while (in_len > block_size) {
if (!EVP_Cipher(&ctx->cipher_ctx, scratch, in, block_size)) {
- return 0;
+ goto out;
}
in += block_size;
in_len -= block_size;
@@ -245,17 +270,26 @@
OPENSSL_memcpy(ctx->block, in, in_len);
ctx->block_used = in_len;
+ ret = 1;
- return 1;
+out:
+ FIPS_service_indicator_unlock_state();
+ return ret;
}
int CMAC_Final(CMAC_CTX *ctx, uint8_t *out, size_t *out_len) {
+ int ret = 0;
size_t block_size = EVP_CIPHER_CTX_block_size(&ctx->cipher_ctx);
assert(block_size <= AES_BLOCK_SIZE);
+ // We have to avoid the underlying AES-CBC |EVP_Cipher| services updating the
+ // indicator state, so we lock the state here.
+ FIPS_service_indicator_lock_state();
+
*out_len = block_size;
if (out == NULL) {
- return 1;
+ ret = 1;
+ goto out;
}
const uint8_t *mask = ctx->k1;
@@ -273,6 +307,12 @@
for (unsigned i = 0; i < block_size; i++) {
out[i] = ctx->block[i] ^ mask[i];
}
+ ret = EVP_Cipher(&ctx->cipher_ctx, out, out, block_size);
- return EVP_Cipher(&ctx->cipher_ctx, out, out, block_size);
+out:
+ FIPS_service_indicator_unlock_state();
+ if (ret) {
+ FIPS_service_indicator_update_state();
+ }
+ return ret;
}
diff --git a/src/crypto/cmac/cmac_test.cc b/src/crypto/fipsmodule/cmac/cmac_test.cc
similarity index 94%
rename from src/crypto/cmac/cmac_test.cc
rename to src/crypto/fipsmodule/cmac/cmac_test.cc
index e8a220a..9e3744e 100644
--- a/src/crypto/cmac/cmac_test.cc
+++ b/src/crypto/fipsmodule/cmac/cmac_test.cc
@@ -23,9 +23,9 @@
#include <openssl/cmac.h>
#include <openssl/mem.h>
-#include "../test/file_test.h"
-#include "../test/test_util.h"
-#include "../test/wycheproof_util.h"
+#include "../../test/file_test.h"
+#include "../../test/test_util.h"
+#include "../../test/wycheproof_util.h"
static void test(const char *name, const uint8_t *key, size_t key_len,
@@ -248,20 +248,21 @@
}
TEST(CMACTest, CAVPAES128) {
- RunCAVPTest("crypto/cmac/cavp_aes128_cmac_tests.txt", EVP_aes_128_cbc(),
- false);
+ RunCAVPTest("crypto/fipsmodule/cmac/cavp_aes128_cmac_tests.txt",
+ EVP_aes_128_cbc(), false);
}
TEST(CMACTest, CAVPAES192) {
- RunCAVPTest("crypto/cmac/cavp_aes192_cmac_tests.txt", EVP_aes_192_cbc(),
- false);
+ RunCAVPTest("crypto/fipsmodule/cmac/cavp_aes192_cmac_tests.txt",
+ EVP_aes_192_cbc(), false);
}
TEST(CMACTest, CAVPAES256) {
- RunCAVPTest("crypto/cmac/cavp_aes256_cmac_tests.txt", EVP_aes_256_cbc(),
- false);
+ RunCAVPTest("crypto/fipsmodule/cmac/cavp_aes256_cmac_tests.txt",
+ EVP_aes_256_cbc(), false);
}
TEST(CMACTest, CAVP3DES) {
- RunCAVPTest("crypto/cmac/cavp_3des_cmac_tests.txt", EVP_des_ede3_cbc(), true);
+ RunCAVPTest("crypto/fipsmodule/cmac/cavp_3des_cmac_tests.txt",
+ EVP_des_ede3_cbc(), true);
}
diff --git a/src/crypto/fipsmodule/dh/dh.c b/src/crypto/fipsmodule/dh/dh.c
index b59afc6..8b04117 100644
--- a/src/crypto/fipsmodule/dh/dh.c
+++ b/src/crypto/fipsmodule/dh/dh.c
@@ -64,9 +64,10 @@
#include <openssl/mem.h>
#include <openssl/thread.h>
-#include "internal.h"
#include "../../internal.h"
#include "../bn/internal.h"
+#include "../service_indicator/internal.h"
+#include "internal.h"
#define OPENSSL_DH_MAX_MODULUS_BITS 10000
@@ -383,6 +384,8 @@
return 0;
}
+ FIPS_service_indicator_lock_state();
+
int ret = 0;
const size_t dh_len = DH_size(dh);
uint8_t *shared_bytes = OPENSSL_malloc(dh_len);
@@ -404,6 +407,7 @@
ret = 1;
err:
+ FIPS_service_indicator_unlock_state();
OPENSSL_free(shared_bytes);
return ret;
}
diff --git a/src/crypto/evp/digestsign.c b/src/crypto/fipsmodule/digestsign/digestsign.c
similarity index 82%
rename from src/crypto/evp/digestsign.c
rename to src/crypto/fipsmodule/digestsign/digestsign.c
index 6e4d305..e5b6bc7 100644
--- a/src/crypto/evp/digestsign.c
+++ b/src/crypto/fipsmodule/digestsign/digestsign.c
@@ -57,8 +57,10 @@
#include <openssl/err.h>
-#include "internal.h"
-#include "../fipsmodule/digest/internal.h"
+#include "../../evp/internal.h"
+#include "../delocate.h"
+#include "../digest/internal.h"
+#include "../service_indicator/internal.h"
enum evp_sign_verify_t {
@@ -66,9 +68,9 @@
evp_verify,
};
-static const struct evp_md_pctx_ops md_pctx_ops = {
- EVP_PKEY_CTX_free,
- EVP_PKEY_CTX_dup,
+DEFINE_LOCAL_DATA(struct evp_md_pctx_ops, md_pctx_ops) {
+ out->free = EVP_PKEY_CTX_free;
+ out->dup = EVP_PKEY_CTX_dup;
};
static int uses_prehash(EVP_MD_CTX *ctx, enum evp_sign_verify_t op) {
@@ -85,7 +87,7 @@
if (ctx->pctx == NULL) {
return 0;
}
- ctx->pctx_ops = &md_pctx_ops;
+ ctx->pctx_ops = md_pctx_ops();
if (op == evp_verify) {
if (!EVP_PKEY_verify_init(ctx->pctx)) {
@@ -159,11 +161,17 @@
uint8_t md[EVP_MAX_MD_SIZE];
unsigned int mdlen;
+ FIPS_service_indicator_lock_state();
EVP_MD_CTX_init(&tmp_ctx);
ret = EVP_MD_CTX_copy_ex(&tmp_ctx, ctx) &&
EVP_DigestFinal_ex(&tmp_ctx, md, &mdlen) &&
EVP_PKEY_sign(ctx->pctx, out_sig, out_sig_len, md, mdlen);
EVP_MD_CTX_cleanup(&tmp_ctx);
+ FIPS_service_indicator_unlock_state();
+
+ if (ret) {
+ EVP_DigestSign_verify_service_indicator(ctx);
+ }
return ret;
} else {
@@ -184,48 +192,76 @@
uint8_t md[EVP_MAX_MD_SIZE];
unsigned int mdlen;
+ FIPS_service_indicator_lock_state();
EVP_MD_CTX_init(&tmp_ctx);
ret = EVP_MD_CTX_copy_ex(&tmp_ctx, ctx) &&
EVP_DigestFinal_ex(&tmp_ctx, md, &mdlen) &&
EVP_PKEY_verify(ctx->pctx, sig, sig_len, md, mdlen);
+ FIPS_service_indicator_unlock_state();
EVP_MD_CTX_cleanup(&tmp_ctx);
+ if (ret) {
+ EVP_DigestVerify_verify_service_indicator(ctx);
+ }
+
return ret;
}
int EVP_DigestSign(EVP_MD_CTX *ctx, uint8_t *out_sig, size_t *out_sig_len,
const uint8_t *data, size_t data_len) {
+ FIPS_service_indicator_lock_state();
+ int ret = 0;
+
if (uses_prehash(ctx, evp_sign)) {
// If |out_sig| is NULL, the caller is only querying the maximum output
// length. |data| should only be incorporated in the final call.
if (out_sig != NULL &&
!EVP_DigestSignUpdate(ctx, data, data_len)) {
- return 0;
+ goto end;
}
- return EVP_DigestSignFinal(ctx, out_sig, out_sig_len);
+ ret = EVP_DigestSignFinal(ctx, out_sig, out_sig_len);
+ goto end;
}
if (ctx->pctx->pmeth->sign_message == NULL) {
OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
- return 0;
+ goto end;
}
- return ctx->pctx->pmeth->sign_message(ctx->pctx, out_sig, out_sig_len, data,
- data_len);
+ ret = ctx->pctx->pmeth->sign_message(ctx->pctx, out_sig, out_sig_len, data,
+ data_len);
+
+end:
+ FIPS_service_indicator_unlock_state();
+ if (ret) {
+ EVP_DigestSign_verify_service_indicator(ctx);
+ }
+ return ret;
}
int EVP_DigestVerify(EVP_MD_CTX *ctx, const uint8_t *sig, size_t sig_len,
const uint8_t *data, size_t len) {
+ FIPS_service_indicator_lock_state();
+ int ret = 0;
+
if (uses_prehash(ctx, evp_verify)) {
- return EVP_DigestVerifyUpdate(ctx, data, len) &&
- EVP_DigestVerifyFinal(ctx, sig, sig_len);
+ ret = EVP_DigestVerifyUpdate(ctx, data, len) &&
+ EVP_DigestVerifyFinal(ctx, sig, sig_len);
+ goto end;
}
if (ctx->pctx->pmeth->verify_message == NULL) {
OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
- return 0;
+ goto end;
}
- return ctx->pctx->pmeth->verify_message(ctx->pctx, sig, sig_len, data, len);
+ ret = ctx->pctx->pmeth->verify_message(ctx->pctx, sig, sig_len, data, len);
+
+end:
+ FIPS_service_indicator_unlock_state();
+ if (ret) {
+ EVP_DigestVerify_verify_service_indicator(ctx);
+ }
+ return ret;
}
diff --git a/src/crypto/fipsmodule/ec/asm/p256-armv8-asm.pl b/src/crypto/fipsmodule/ec/asm/p256-armv8-asm.pl
new file mode 100644
index 0000000..f2926b8
--- /dev/null
+++ b/src/crypto/fipsmodule/ec/asm/p256-armv8-asm.pl
@@ -0,0 +1,1702 @@
+#! /usr/bin/env perl
+# Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+# ====================================================================
+# Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
+# project. The module is, however, dual licensed under OpenSSL and
+# CRYPTOGAMS licenses depending on where you obtain it. For further
+# details see http://www.openssl.org/~appro/cryptogams/.
+# ====================================================================
+#
+# ECP_NISTZ256 module for ARMv8.
+#
+# February 2015.
+#
+# Original ECP_NISTZ256 submission targeting x86_64 is detailed in
+# http://eprint.iacr.org/2013/816.
+#
+# with/without -DECP_NISTZ256_ASM
+# Apple A7 +190-360%
+# Cortex-A53 +190-400%
+# Cortex-A57 +190-350%
+# Denver +230-400%
+#
+# Ranges denote minimum and maximum improvement coefficients depending
+# on benchmark. Lower coefficients are for ECDSA sign, server-side
+# operation. Keep in mind that +400% means 5x improvement.
+
+# The first two arguments should always be the flavour and output file path.
+if ($#ARGV < 1) { die "Not enough arguments provided.
+ Two arguments are necessary: the flavour and the output file path."; }
+
+$flavour = shift;
+$output = shift;
+
+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
+( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
+( $xlate="${dir}../../../perlasm/arm-xlate.pl" and -f $xlate) or
+die "can't locate arm-xlate.pl";
+
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
+
+{
+my ($rp,$ap,$bp,$bi,$a0,$a1,$a2,$a3,$t0,$t1,$t2,$t3,$poly1,$poly3,
+ $acc0,$acc1,$acc2,$acc3,$acc4,$acc5) =
+ map("x$_",(0..17,19,20));
+
+my ($acc6,$acc7)=($ap,$bp); # used in __ecp_nistz256_sqr_mont
+
+$code.=<<___;
+#include "openssl/arm_arch.h"
+
+.text
+.align 5
+.Lpoly:
+.quad 0xffffffffffffffff,0x00000000ffffffff,0x0000000000000000,0xffffffff00000001
+.LRR: // 2^512 mod P precomputed for NIST P256 polynomial
+.quad 0x0000000000000003,0xfffffffbffffffff,0xfffffffffffffffe,0x00000004fffffffd
+.Lone_mont:
+.quad 0x0000000000000001,0xffffffff00000000,0xffffffffffffffff,0x00000000fffffffe
+.Lone:
+.quad 1,0,0,0
+.Lord:
+.quad 0xf3b9cac2fc632551,0xbce6faada7179e84,0xffffffffffffffff,0xffffffff00000000
+.LordK:
+.quad 0xccd1c8aaee00bc4f
+.asciz "ECP_NISTZ256 for ARMv8, CRYPTOGAMS by <appro\@openssl.org>"
+
+// void ecp_nistz256_to_mont(BN_ULONG x0[4],const BN_ULONG x1[4]);
+.globl ecp_nistz256_to_mont
+.type ecp_nistz256_to_mont,%function
+.align 6
+ecp_nistz256_to_mont:
+ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-32]!
+ add x29,sp,#0
+ stp x19,x20,[sp,#16]
+
+ ldr $bi,.LRR // bp[0]
+ ldp $a0,$a1,[$ap]
+ ldp $a2,$a3,[$ap,#16]
+ ldr $poly1,.Lpoly+8
+ ldr $poly3,.Lpoly+24
+ adr $bp,.LRR // &bp[0]
+
+ bl __ecp_nistz256_mul_mont
+
+ ldp x19,x20,[sp,#16]
+ ldp x29,x30,[sp],#32
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+.size ecp_nistz256_to_mont,.-ecp_nistz256_to_mont
+
+// void ecp_nistz256_from_mont(BN_ULONG x0[4],const BN_ULONG x1[4]);
+.globl ecp_nistz256_from_mont
+.type ecp_nistz256_from_mont,%function
+.align 4
+ecp_nistz256_from_mont:
+ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-32]!
+ add x29,sp,#0
+ stp x19,x20,[sp,#16]
+
+ mov $bi,#1 // bp[0]
+ ldp $a0,$a1,[$ap]
+ ldp $a2,$a3,[$ap,#16]
+ ldr $poly1,.Lpoly+8
+ ldr $poly3,.Lpoly+24
+ adr $bp,.Lone // &bp[0]
+
+ bl __ecp_nistz256_mul_mont
+
+ ldp x19,x20,[sp,#16]
+ ldp x29,x30,[sp],#32
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+.size ecp_nistz256_from_mont,.-ecp_nistz256_from_mont
+
+// void ecp_nistz256_mul_mont(BN_ULONG x0[4],const BN_ULONG x1[4],
+// const BN_ULONG x2[4]);
+.globl ecp_nistz256_mul_mont
+.type ecp_nistz256_mul_mont,%function
+.align 4
+ecp_nistz256_mul_mont:
+ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-32]!
+ add x29,sp,#0
+ stp x19,x20,[sp,#16]
+
+ ldr $bi,[$bp] // bp[0]
+ ldp $a0,$a1,[$ap]
+ ldp $a2,$a3,[$ap,#16]
+ ldr $poly1,.Lpoly+8
+ ldr $poly3,.Lpoly+24
+
+ bl __ecp_nistz256_mul_mont
+
+ ldp x19,x20,[sp,#16]
+ ldp x29,x30,[sp],#32
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+.size ecp_nistz256_mul_mont,.-ecp_nistz256_mul_mont
+
+// void ecp_nistz256_sqr_mont(BN_ULONG x0[4],const BN_ULONG x1[4]);
+.globl ecp_nistz256_sqr_mont
+.type ecp_nistz256_sqr_mont,%function
+.align 4
+ecp_nistz256_sqr_mont:
+ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-32]!
+ add x29,sp,#0
+ stp x19,x20,[sp,#16]
+
+ ldp $a0,$a1,[$ap]
+ ldp $a2,$a3,[$ap,#16]
+ ldr $poly1,.Lpoly+8
+ ldr $poly3,.Lpoly+24
+
+ bl __ecp_nistz256_sqr_mont
+
+ ldp x19,x20,[sp,#16]
+ ldp x29,x30,[sp],#32
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+.size ecp_nistz256_sqr_mont,.-ecp_nistz256_sqr_mont
+
+// void ecp_nistz256_div_by_2(BN_ULONG x0[4],const BN_ULONG x1[4]);
+.globl ecp_nistz256_div_by_2
+.type ecp_nistz256_div_by_2,%function
+.align 4
+ecp_nistz256_div_by_2:
+ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-16]!
+ add x29,sp,#0
+
+ ldp $acc0,$acc1,[$ap]
+ ldp $acc2,$acc3,[$ap,#16]
+ ldr $poly1,.Lpoly+8
+ ldr $poly3,.Lpoly+24
+
+ bl __ecp_nistz256_div_by_2
+
+ ldp x29,x30,[sp],#16
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+.size ecp_nistz256_div_by_2,.-ecp_nistz256_div_by_2
+
+// void ecp_nistz256_mul_by_2(BN_ULONG x0[4],const BN_ULONG x1[4]);
+.globl ecp_nistz256_mul_by_2
+.type ecp_nistz256_mul_by_2,%function
+.align 4
+ecp_nistz256_mul_by_2:
+ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-16]!
+ add x29,sp,#0
+
+ ldp $acc0,$acc1,[$ap]
+ ldp $acc2,$acc3,[$ap,#16]
+ ldr $poly1,.Lpoly+8
+ ldr $poly3,.Lpoly+24
+ mov $t0,$acc0
+ mov $t1,$acc1
+ mov $t2,$acc2
+ mov $t3,$acc3
+
+ bl __ecp_nistz256_add_to // ret = a+a // 2*a
+
+ ldp x29,x30,[sp],#16
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+.size ecp_nistz256_mul_by_2,.-ecp_nistz256_mul_by_2
+
+// void ecp_nistz256_mul_by_3(BN_ULONG x0[4],const BN_ULONG x1[4]);
+.globl ecp_nistz256_mul_by_3
+.type ecp_nistz256_mul_by_3,%function
+.align 4
+ecp_nistz256_mul_by_3:
+ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-16]!
+ add x29,sp,#0
+
+ ldp $acc0,$acc1,[$ap]
+ ldp $acc2,$acc3,[$ap,#16]
+ ldr $poly1,.Lpoly+8
+ ldr $poly3,.Lpoly+24
+ mov $t0,$acc0
+ mov $t1,$acc1
+ mov $t2,$acc2
+ mov $t3,$acc3
+ mov $a0,$acc0
+ mov $a1,$acc1
+ mov $a2,$acc2
+ mov $a3,$acc3
+
+ bl __ecp_nistz256_add_to // ret = a+a // 2*a
+
+ mov $t0,$a0
+ mov $t1,$a1
+ mov $t2,$a2
+ mov $t3,$a3
+
+ bl __ecp_nistz256_add_to // ret += a // 2*a+a=3*a
+
+ ldp x29,x30,[sp],#16
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+.size ecp_nistz256_mul_by_3,.-ecp_nistz256_mul_by_3
+
+// void ecp_nistz256_sub(BN_ULONG x0[4],const BN_ULONG x1[4],
+// const BN_ULONG x2[4]);
+.globl ecp_nistz256_sub
+.type ecp_nistz256_sub,%function
+.align 4
+ecp_nistz256_sub:
+ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-16]!
+ add x29,sp,#0
+
+ ldp $acc0,$acc1,[$ap]
+ ldp $acc2,$acc3,[$ap,#16]
+ ldr $poly1,.Lpoly+8
+ ldr $poly3,.Lpoly+24
+
+ bl __ecp_nistz256_sub_from
+
+ ldp x29,x30,[sp],#16
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+.size ecp_nistz256_sub,.-ecp_nistz256_sub
+
+// void ecp_nistz256_neg(BN_ULONG x0[4],const BN_ULONG x1[4]);
+.globl ecp_nistz256_neg
+.type ecp_nistz256_neg,%function
+.align 4
+ecp_nistz256_neg:
+ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-16]!
+ add x29,sp,#0
+
+ mov $bp,$ap
+ mov $acc0,xzr // a = 0
+ mov $acc1,xzr
+ mov $acc2,xzr
+ mov $acc3,xzr
+ ldr $poly1,.Lpoly+8
+ ldr $poly3,.Lpoly+24
+
+ bl __ecp_nistz256_sub_from
+
+ ldp x29,x30,[sp],#16
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+.size ecp_nistz256_neg,.-ecp_nistz256_neg
+
+// note that __ecp_nistz256_mul_mont expects a[0-3] input pre-loaded
+// to $a0-$a3 and b[0] - to $bi
+.type __ecp_nistz256_mul_mont,%function
+.align 4
+__ecp_nistz256_mul_mont:
+ mul $acc0,$a0,$bi // a[0]*b[0]
+ umulh $t0,$a0,$bi
+
+ mul $acc1,$a1,$bi // a[1]*b[0]
+ umulh $t1,$a1,$bi
+
+ mul $acc2,$a2,$bi // a[2]*b[0]
+ umulh $t2,$a2,$bi
+
+ mul $acc3,$a3,$bi // a[3]*b[0]
+ umulh $t3,$a3,$bi
+ ldr $bi,[$bp,#8] // b[1]
+
+ adds $acc1,$acc1,$t0 // accumulate high parts of multiplication
+ lsl $t0,$acc0,#32
+ adcs $acc2,$acc2,$t1
+ lsr $t1,$acc0,#32
+ adcs $acc3,$acc3,$t2
+ adc $acc4,xzr,$t3
+ mov $acc5,xzr
+___
+for($i=1;$i<4;$i++) {
+ # Reduction iteration is normally performed by accumulating
+ # result of multiplication of modulus by "magic" digit [and
+ # omitting least significant word, which is guaranteed to
+ # be 0], but thanks to special form of modulus and "magic"
+ # digit being equal to least significant word, it can be
+ # performed with additions and subtractions alone. Indeed:
+ #
+ # ffff0001.00000000.0000ffff.ffffffff
+ # * abcdefgh
+ # + xxxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx.abcdefgh
+ #
+ # Now observing that ff..ff*x = (2^n-1)*x = 2^n*x-x, we
+ # rewrite above as:
+ #
+ # xxxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx.abcdefgh
+ # + abcdefgh.abcdefgh.0000abcd.efgh0000.00000000
+ # - 0000abcd.efgh0000.00000000.00000000.abcdefgh
+ #
+ # or marking redundant operations:
+ #
+ # xxxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx.--------
+ # + abcdefgh.abcdefgh.0000abcd.efgh0000.--------
+ # - 0000abcd.efgh0000.--------.--------.--------
+
+$code.=<<___;
+ subs $t2,$acc0,$t0 // "*0xffff0001"
+ sbc $t3,$acc0,$t1
+ adds $acc0,$acc1,$t0 // +=acc[0]<<96 and omit acc[0]
+ mul $t0,$a0,$bi // lo(a[0]*b[i])
+ adcs $acc1,$acc2,$t1
+ mul $t1,$a1,$bi // lo(a[1]*b[i])
+ adcs $acc2,$acc3,$t2 // +=acc[0]*0xffff0001
+ mul $t2,$a2,$bi // lo(a[2]*b[i])
+ adcs $acc3,$acc4,$t3
+ mul $t3,$a3,$bi // lo(a[3]*b[i])
+ adc $acc4,$acc5,xzr
+
+ adds $acc0,$acc0,$t0 // accumulate low parts of multiplication
+ umulh $t0,$a0,$bi // hi(a[0]*b[i])
+ adcs $acc1,$acc1,$t1
+ umulh $t1,$a1,$bi // hi(a[1]*b[i])
+ adcs $acc2,$acc2,$t2
+ umulh $t2,$a2,$bi // hi(a[2]*b[i])
+ adcs $acc3,$acc3,$t3
+ umulh $t3,$a3,$bi // hi(a[3]*b[i])
+ adc $acc4,$acc4,xzr
+___
+$code.=<<___ if ($i<3);
+ ldr $bi,[$bp,#8*($i+1)] // b[$i+1]
+___
+$code.=<<___;
+ adds $acc1,$acc1,$t0 // accumulate high parts of multiplication
+ lsl $t0,$acc0,#32
+ adcs $acc2,$acc2,$t1
+ lsr $t1,$acc0,#32
+ adcs $acc3,$acc3,$t2
+ adcs $acc4,$acc4,$t3
+ adc $acc5,xzr,xzr
+___
+}
+$code.=<<___;
+ // last reduction
+ subs $t2,$acc0,$t0 // "*0xffff0001"
+ sbc $t3,$acc0,$t1
+ adds $acc0,$acc1,$t0 // +=acc[0]<<96 and omit acc[0]
+ adcs $acc1,$acc2,$t1
+ adcs $acc2,$acc3,$t2 // +=acc[0]*0xffff0001
+ adcs $acc3,$acc4,$t3
+ adc $acc4,$acc5,xzr
+
+ adds $t0,$acc0,#1 // subs $t0,$acc0,#-1 // tmp = ret-modulus
+ sbcs $t1,$acc1,$poly1
+ sbcs $t2,$acc2,xzr
+ sbcs $t3,$acc3,$poly3
+ sbcs xzr,$acc4,xzr // did it borrow?
+
+ csel $acc0,$acc0,$t0,lo // ret = borrow ? ret : ret-modulus
+ csel $acc1,$acc1,$t1,lo
+ csel $acc2,$acc2,$t2,lo
+ stp $acc0,$acc1,[$rp]
+ csel $acc3,$acc3,$t3,lo
+ stp $acc2,$acc3,[$rp,#16]
+
+ ret
+.size __ecp_nistz256_mul_mont,.-__ecp_nistz256_mul_mont
+
+// note that __ecp_nistz256_sqr_mont expects a[0-3] input pre-loaded
+// to $a0-$a3
+.type __ecp_nistz256_sqr_mont,%function
+.align 4
+__ecp_nistz256_sqr_mont:
+ // | | | | | |a1*a0| |
+ // | | | | |a2*a0| | |
+ // | |a3*a2|a3*a0| | | |
+ // | | | |a2*a1| | | |
+ // | | |a3*a1| | | | |
+ // *| | | | | | | | 2|
+ // +|a3*a3|a2*a2|a1*a1|a0*a0|
+ // |--+--+--+--+--+--+--+--|
+ // |A7|A6|A5|A4|A3|A2|A1|A0|, where Ax is $accx, i.e. follow $accx
+ //
+ // "can't overflow" below mark carrying into high part of
+ // multiplication result, which can't overflow, because it
+ // can never be all ones.
+
+ mul $acc1,$a1,$a0 // a[1]*a[0]
+ umulh $t1,$a1,$a0
+ mul $acc2,$a2,$a0 // a[2]*a[0]
+ umulh $t2,$a2,$a0
+ mul $acc3,$a3,$a0 // a[3]*a[0]
+ umulh $acc4,$a3,$a0
+
+ adds $acc2,$acc2,$t1 // accumulate high parts of multiplication
+ mul $t0,$a2,$a1 // a[2]*a[1]
+ umulh $t1,$a2,$a1
+ adcs $acc3,$acc3,$t2
+ mul $t2,$a3,$a1 // a[3]*a[1]
+ umulh $t3,$a3,$a1
+ adc $acc4,$acc4,xzr // can't overflow
+
+ mul $acc5,$a3,$a2 // a[3]*a[2]
+ umulh $acc6,$a3,$a2
+
+ adds $t1,$t1,$t2 // accumulate high parts of multiplication
+ mul $acc0,$a0,$a0 // a[0]*a[0]
+ adc $t2,$t3,xzr // can't overflow
+
+ adds $acc3,$acc3,$t0 // accumulate low parts of multiplication
+ umulh $a0,$a0,$a0
+ adcs $acc4,$acc4,$t1
+ mul $t1,$a1,$a1 // a[1]*a[1]
+ adcs $acc5,$acc5,$t2
+ umulh $a1,$a1,$a1
+ adc $acc6,$acc6,xzr // can't overflow
+
+ adds $acc1,$acc1,$acc1 // acc[1-6]*=2
+ mul $t2,$a2,$a2 // a[2]*a[2]
+ adcs $acc2,$acc2,$acc2
+ umulh $a2,$a2,$a2
+ adcs $acc3,$acc3,$acc3
+ mul $t3,$a3,$a3 // a[3]*a[3]
+ adcs $acc4,$acc4,$acc4
+ umulh $a3,$a3,$a3
+ adcs $acc5,$acc5,$acc5
+ adcs $acc6,$acc6,$acc6
+ adc $acc7,xzr,xzr
+
+ adds $acc1,$acc1,$a0 // +a[i]*a[i]
+ adcs $acc2,$acc2,$t1
+ adcs $acc3,$acc3,$a1
+ adcs $acc4,$acc4,$t2
+ adcs $acc5,$acc5,$a2
+ lsl $t0,$acc0,#32
+ adcs $acc6,$acc6,$t3
+ lsr $t1,$acc0,#32
+ adc $acc7,$acc7,$a3
+___
+for($i=0;$i<3;$i++) { # reductions, see commentary in
+ # multiplication for details
+$code.=<<___;
+ subs $t2,$acc0,$t0 // "*0xffff0001"
+ sbc $t3,$acc0,$t1
+ adds $acc0,$acc1,$t0 // +=acc[0]<<96 and omit acc[0]
+ adcs $acc1,$acc2,$t1
+ lsl $t0,$acc0,#32
+ adcs $acc2,$acc3,$t2 // +=acc[0]*0xffff0001
+ lsr $t1,$acc0,#32
+ adc $acc3,$t3,xzr // can't overflow
+___
+}
+$code.=<<___;
+ subs $t2,$acc0,$t0 // "*0xffff0001"
+ sbc $t3,$acc0,$t1
+ adds $acc0,$acc1,$t0 // +=acc[0]<<96 and omit acc[0]
+ adcs $acc1,$acc2,$t1
+ adcs $acc2,$acc3,$t2 // +=acc[0]*0xffff0001
+ adc $acc3,$t3,xzr // can't overflow
+
+ adds $acc0,$acc0,$acc4 // accumulate upper half
+ adcs $acc1,$acc1,$acc5
+ adcs $acc2,$acc2,$acc6
+ adcs $acc3,$acc3,$acc7
+ adc $acc4,xzr,xzr
+
+ adds $t0,$acc0,#1 // subs $t0,$acc0,#-1 // tmp = ret-modulus
+ sbcs $t1,$acc1,$poly1
+ sbcs $t2,$acc2,xzr
+ sbcs $t3,$acc3,$poly3
+ sbcs xzr,$acc4,xzr // did it borrow?
+
+ csel $acc0,$acc0,$t0,lo // ret = borrow ? ret : ret-modulus
+ csel $acc1,$acc1,$t1,lo
+ csel $acc2,$acc2,$t2,lo
+ stp $acc0,$acc1,[$rp]
+ csel $acc3,$acc3,$t3,lo
+ stp $acc2,$acc3,[$rp,#16]
+
+ ret
+.size __ecp_nistz256_sqr_mont,.-__ecp_nistz256_sqr_mont
+
+// Note that __ecp_nistz256_add_to expects both input vectors pre-loaded to
+// $a0-$a3 and $t0-$t3. This is done because it's used in multiple
+// contexts, e.g. in multiplication by 2 and 3...
+.type __ecp_nistz256_add_to,%function
+.align 4
+__ecp_nistz256_add_to:
+ adds $acc0,$acc0,$t0 // ret = a+b
+ adcs $acc1,$acc1,$t1
+ adcs $acc2,$acc2,$t2
+ adcs $acc3,$acc3,$t3
+ adc $ap,xzr,xzr // zap $ap
+
+ adds $t0,$acc0,#1 // subs $t0,$a0,#-1 // tmp = ret-modulus
+ sbcs $t1,$acc1,$poly1
+ sbcs $t2,$acc2,xzr
+ sbcs $t3,$acc3,$poly3
+ sbcs xzr,$ap,xzr // did subtraction borrow?
+
+ csel $acc0,$acc0,$t0,lo // ret = borrow ? ret : ret-modulus
+ csel $acc1,$acc1,$t1,lo
+ csel $acc2,$acc2,$t2,lo
+ stp $acc0,$acc1,[$rp]
+ csel $acc3,$acc3,$t3,lo
+ stp $acc2,$acc3,[$rp,#16]
+
+ ret
+.size __ecp_nistz256_add_to,.-__ecp_nistz256_add_to
+
+.type __ecp_nistz256_sub_from,%function
+.align 4
+__ecp_nistz256_sub_from:
+ ldp $t0,$t1,[$bp]
+ ldp $t2,$t3,[$bp,#16]
+ subs $acc0,$acc0,$t0 // ret = a-b
+ sbcs $acc1,$acc1,$t1
+ sbcs $acc2,$acc2,$t2
+ sbcs $acc3,$acc3,$t3
+ sbc $ap,xzr,xzr // zap $ap
+
+ subs $t0,$acc0,#1 // adds $t0,$a0,#-1 // tmp = ret+modulus
+ adcs $t1,$acc1,$poly1
+ adcs $t2,$acc2,xzr
+ adc $t3,$acc3,$poly3
+ cmp $ap,xzr // did subtraction borrow?
+
+ csel $acc0,$acc0,$t0,eq // ret = borrow ? ret+modulus : ret
+ csel $acc1,$acc1,$t1,eq
+ csel $acc2,$acc2,$t2,eq
+ stp $acc0,$acc1,[$rp]
+ csel $acc3,$acc3,$t3,eq
+ stp $acc2,$acc3,[$rp,#16]
+
+ ret
+.size __ecp_nistz256_sub_from,.-__ecp_nistz256_sub_from
+
+.type __ecp_nistz256_sub_morf,%function
+.align 4
+__ecp_nistz256_sub_morf:
+ ldp $t0,$t1,[$bp]
+ ldp $t2,$t3,[$bp,#16]
+ subs $acc0,$t0,$acc0 // ret = b-a
+ sbcs $acc1,$t1,$acc1
+ sbcs $acc2,$t2,$acc2
+ sbcs $acc3,$t3,$acc3
+ sbc $ap,xzr,xzr // zap $ap
+
+ subs $t0,$acc0,#1 // adds $t0,$a0,#-1 // tmp = ret+modulus
+ adcs $t1,$acc1,$poly1
+ adcs $t2,$acc2,xzr
+ adc $t3,$acc3,$poly3
+ cmp $ap,xzr // did subtraction borrow?
+
+ csel $acc0,$acc0,$t0,eq // ret = borrow ? ret+modulus : ret
+ csel $acc1,$acc1,$t1,eq
+ csel $acc2,$acc2,$t2,eq
+ stp $acc0,$acc1,[$rp]
+ csel $acc3,$acc3,$t3,eq
+ stp $acc2,$acc3,[$rp,#16]
+
+ ret
+.size __ecp_nistz256_sub_morf,.-__ecp_nistz256_sub_morf
+
+.type __ecp_nistz256_div_by_2,%function
+.align 4
+__ecp_nistz256_div_by_2:
+ subs $t0,$acc0,#1 // adds $t0,$a0,#-1 // tmp = a+modulus
+ adcs $t1,$acc1,$poly1
+ adcs $t2,$acc2,xzr
+ adcs $t3,$acc3,$poly3
+ adc $ap,xzr,xzr // zap $ap
+ tst $acc0,#1 // is a even?
+
+ csel $acc0,$acc0,$t0,eq // ret = even ? a : a+modulus
+ csel $acc1,$acc1,$t1,eq
+ csel $acc2,$acc2,$t2,eq
+ csel $acc3,$acc3,$t3,eq
+ csel $ap,xzr,$ap,eq
+
+ lsr $acc0,$acc0,#1 // ret >>= 1
+ orr $acc0,$acc0,$acc1,lsl#63
+ lsr $acc1,$acc1,#1
+ orr $acc1,$acc1,$acc2,lsl#63
+ lsr $acc2,$acc2,#1
+ orr $acc2,$acc2,$acc3,lsl#63
+ lsr $acc3,$acc3,#1
+ stp $acc0,$acc1,[$rp]
+ orr $acc3,$acc3,$ap,lsl#63
+ stp $acc2,$acc3,[$rp,#16]
+
+ ret
+.size __ecp_nistz256_div_by_2,.-__ecp_nistz256_div_by_2
+___
+########################################################################
+# following subroutines are "literal" implementation of those found in
+# ecp_nistz256.c
+#
+########################################################################
+# void ecp_nistz256_point_double(P256_POINT *out,const P256_POINT *inp);
+#
+{
+my ($S,$M,$Zsqr,$tmp0)=map(32*$_,(0..3));
+# above map() describes stack layout with 4 temporary
+# 256-bit vectors on top.
+my ($rp_real,$ap_real) = map("x$_",(21,22));
+
+$code.=<<___;
+.globl ecp_nistz256_point_double
+.type ecp_nistz256_point_double,%function
+.align 5
+ecp_nistz256_point_double:
+ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-96]!
+ add x29,sp,#0
+ stp x19,x20,[sp,#16]
+ stp x21,x22,[sp,#32]
+ sub sp,sp,#32*4
+
+.Ldouble_shortcut:
+ ldp $acc0,$acc1,[$ap,#32]
+ mov $rp_real,$rp
+ ldp $acc2,$acc3,[$ap,#48]
+ mov $ap_real,$ap
+ ldr $poly1,.Lpoly+8
+ mov $t0,$acc0
+ ldr $poly3,.Lpoly+24
+ mov $t1,$acc1
+ ldp $a0,$a1,[$ap_real,#64] // forward load for p256_sqr_mont
+ mov $t2,$acc2
+ mov $t3,$acc3
+ ldp $a2,$a3,[$ap_real,#64+16]
+ add $rp,sp,#$S
+ bl __ecp_nistz256_add_to // p256_mul_by_2(S, in_y);
+
+ add $rp,sp,#$Zsqr
+ bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Zsqr, in_z);
+
+ ldp $t0,$t1,[$ap_real]
+ ldp $t2,$t3,[$ap_real,#16]
+ mov $a0,$acc0 // put Zsqr aside for p256_sub
+ mov $a1,$acc1
+ mov $a2,$acc2
+ mov $a3,$acc3
+ add $rp,sp,#$M
+ bl __ecp_nistz256_add_to // p256_add(M, Zsqr, in_x);
+
+ add $bp,$ap_real,#0
+ mov $acc0,$a0 // restore Zsqr
+ mov $acc1,$a1
+ ldp $a0,$a1,[sp,#$S] // forward load for p256_sqr_mont
+ mov $acc2,$a2
+ mov $acc3,$a3
+ ldp $a2,$a3,[sp,#$S+16]
+ add $rp,sp,#$Zsqr
+ bl __ecp_nistz256_sub_morf // p256_sub(Zsqr, in_x, Zsqr);
+
+ add $rp,sp,#$S
+ bl __ecp_nistz256_sqr_mont // p256_sqr_mont(S, S);
+
+ ldr $bi,[$ap_real,#32]
+ ldp $a0,$a1,[$ap_real,#64]
+ ldp $a2,$a3,[$ap_real,#64+16]
+ add $bp,$ap_real,#32
+ add $rp,sp,#$tmp0
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(tmp0, in_z, in_y);
+
+ mov $t0,$acc0
+ mov $t1,$acc1
+ ldp $a0,$a1,[sp,#$S] // forward load for p256_sqr_mont
+ mov $t2,$acc2
+ mov $t3,$acc3
+ ldp $a2,$a3,[sp,#$S+16]
+ add $rp,$rp_real,#64
+ bl __ecp_nistz256_add_to // p256_mul_by_2(res_z, tmp0);
+
+ add $rp,sp,#$tmp0
+ bl __ecp_nistz256_sqr_mont // p256_sqr_mont(tmp0, S);
+
+ ldr $bi,[sp,#$Zsqr] // forward load for p256_mul_mont
+ ldp $a0,$a1,[sp,#$M]
+ ldp $a2,$a3,[sp,#$M+16]
+ add $rp,$rp_real,#32
+ bl __ecp_nistz256_div_by_2 // p256_div_by_2(res_y, tmp0);
+
+ add $bp,sp,#$Zsqr
+ add $rp,sp,#$M
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(M, M, Zsqr);
+
+ mov $t0,$acc0 // duplicate M
+ mov $t1,$acc1
+ mov $t2,$acc2
+ mov $t3,$acc3
+ mov $a0,$acc0 // put M aside
+ mov $a1,$acc1
+ mov $a2,$acc2
+ mov $a3,$acc3
+ add $rp,sp,#$M
+ bl __ecp_nistz256_add_to
+ mov $t0,$a0 // restore M
+ mov $t1,$a1
+ ldr $bi,[$ap_real] // forward load for p256_mul_mont
+ mov $t2,$a2
+ ldp $a0,$a1,[sp,#$S]
+ mov $t3,$a3
+ ldp $a2,$a3,[sp,#$S+16]
+ bl __ecp_nistz256_add_to // p256_mul_by_3(M, M);
+
+ add $bp,$ap_real,#0
+ add $rp,sp,#$S
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(S, S, in_x);
+
+ mov $t0,$acc0
+ mov $t1,$acc1
+ ldp $a0,$a1,[sp,#$M] // forward load for p256_sqr_mont
+ mov $t2,$acc2
+ mov $t3,$acc3
+ ldp $a2,$a3,[sp,#$M+16]
+ add $rp,sp,#$tmp0
+ bl __ecp_nistz256_add_to // p256_mul_by_2(tmp0, S);
+
+ add $rp,$rp_real,#0
+ bl __ecp_nistz256_sqr_mont // p256_sqr_mont(res_x, M);
+
+ add $bp,sp,#$tmp0
+ bl __ecp_nistz256_sub_from // p256_sub(res_x, res_x, tmp0);
+
+ add $bp,sp,#$S
+ add $rp,sp,#$S
+ bl __ecp_nistz256_sub_morf // p256_sub(S, S, res_x);
+
+ ldr $bi,[sp,#$M]
+ mov $a0,$acc0 // copy S
+ mov $a1,$acc1
+ mov $a2,$acc2
+ mov $a3,$acc3
+ add $bp,sp,#$M
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(S, S, M);
+
+ add $bp,$rp_real,#32
+ add $rp,$rp_real,#32
+ bl __ecp_nistz256_sub_from // p256_sub(res_y, S, res_y);
+
+ add sp,x29,#0 // destroy frame
+ ldp x19,x20,[x29,#16]
+ ldp x21,x22,[x29,#32]
+ ldp x29,x30,[sp],#96
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+.size ecp_nistz256_point_double,.-ecp_nistz256_point_double
+___
+}
+
+########################################################################
+# void ecp_nistz256_point_add(P256_POINT *out,const P256_POINT *in1,
+# const P256_POINT *in2);
+{
+my ($res_x,$res_y,$res_z,
+ $H,$Hsqr,$R,$Rsqr,$Hcub,
+ $U1,$U2,$S1,$S2)=map(32*$_,(0..11));
+my ($Z1sqr, $Z2sqr) = ($Hsqr, $Rsqr);
+# above map() describes stack layout with 12 temporary
+# 256-bit vectors on top.
+my ($rp_real,$ap_real,$bp_real,$in1infty,$in2infty,$temp0,$temp1,$temp2)=map("x$_",(21..28));
+
+$code.=<<___;
+.globl ecp_nistz256_point_add
+.type ecp_nistz256_point_add,%function
+.align 5
+ecp_nistz256_point_add:
+ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-96]!
+ add x29,sp,#0
+ stp x19,x20,[sp,#16]
+ stp x21,x22,[sp,#32]
+ stp x23,x24,[sp,#48]
+ stp x25,x26,[sp,#64]
+ stp x27,x28,[sp,#80]
+ sub sp,sp,#32*12
+
+ ldp $a0,$a1,[$bp,#64] // in2_z
+ ldp $a2,$a3,[$bp,#64+16]
+ mov $rp_real,$rp
+ mov $ap_real,$ap
+ mov $bp_real,$bp
+ ldr $poly1,.Lpoly+8
+ ldr $poly3,.Lpoly+24
+ orr $t0,$a0,$a1
+ orr $t2,$a2,$a3
+ orr $in2infty,$t0,$t2
+ cmp $in2infty,#0
+ csetm $in2infty,ne // ~in2infty
+ add $rp,sp,#$Z2sqr
+ bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Z2sqr, in2_z);
+
+ ldp $a0,$a1,[$ap_real,#64] // in1_z
+ ldp $a2,$a3,[$ap_real,#64+16]
+ orr $t0,$a0,$a1
+ orr $t2,$a2,$a3
+ orr $in1infty,$t0,$t2
+ cmp $in1infty,#0
+ csetm $in1infty,ne // ~in1infty
+ add $rp,sp,#$Z1sqr
+ bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Z1sqr, in1_z);
+
+ ldr $bi,[$bp_real,#64]
+ ldp $a0,$a1,[sp,#$Z2sqr]
+ ldp $a2,$a3,[sp,#$Z2sqr+16]
+ add $bp,$bp_real,#64
+ add $rp,sp,#$S1
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(S1, Z2sqr, in2_z);
+
+ ldr $bi,[$ap_real,#64]
+ ldp $a0,$a1,[sp,#$Z1sqr]
+ ldp $a2,$a3,[sp,#$Z1sqr+16]
+ add $bp,$ap_real,#64
+ add $rp,sp,#$S2
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, Z1sqr, in1_z);
+
+ ldr $bi,[$ap_real,#32]
+ ldp $a0,$a1,[sp,#$S1]
+ ldp $a2,$a3,[sp,#$S1+16]
+ add $bp,$ap_real,#32
+ add $rp,sp,#$S1
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(S1, S1, in1_y);
+
+ ldr $bi,[$bp_real,#32]
+ ldp $a0,$a1,[sp,#$S2]
+ ldp $a2,$a3,[sp,#$S2+16]
+ add $bp,$bp_real,#32
+ add $rp,sp,#$S2
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, S2, in2_y);
+
+ add $bp,sp,#$S1
+ ldr $bi,[sp,#$Z2sqr] // forward load for p256_mul_mont
+ ldp $a0,$a1,[$ap_real]
+ ldp $a2,$a3,[$ap_real,#16]
+ add $rp,sp,#$R
+ bl __ecp_nistz256_sub_from // p256_sub(R, S2, S1);
+
+ orr $acc0,$acc0,$acc1 // see if result is zero
+ orr $acc2,$acc2,$acc3
+ orr $temp0,$acc0,$acc2 // ~is_equal(S1,S2)
+
+ add $bp,sp,#$Z2sqr
+ add $rp,sp,#$U1
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(U1, in1_x, Z2sqr);
+
+ ldr $bi,[sp,#$Z1sqr]
+ ldp $a0,$a1,[$bp_real]
+ ldp $a2,$a3,[$bp_real,#16]
+ add $bp,sp,#$Z1sqr
+ add $rp,sp,#$U2
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, in2_x, Z1sqr);
+
+ add $bp,sp,#$U1
+ ldp $a0,$a1,[sp,#$R] // forward load for p256_sqr_mont
+ ldp $a2,$a3,[sp,#$R+16]
+ add $rp,sp,#$H
+ bl __ecp_nistz256_sub_from // p256_sub(H, U2, U1);
+
+ orr $acc0,$acc0,$acc1 // see if result is zero
+ orr $acc2,$acc2,$acc3
+ orr $acc0,$acc0,$acc2 // ~is_equal(U1,U2)
+
+ mvn $temp1,$in1infty // -1/0 -> 0/-1
+ mvn $temp2,$in2infty // -1/0 -> 0/-1
+ orr $acc0,$acc0,$temp1
+ orr $acc0,$acc0,$temp2
+ orr $acc0,$acc0,$temp0
+ cbnz $acc0,.Ladd_proceed // if(~is_equal(U1,U2) | in1infty | in2infty | ~is_equal(S1,S2))
+
+.Ladd_double:
+ mov $ap,$ap_real
+ mov $rp,$rp_real
+ ldp x23,x24,[x29,#48]
+ ldp x25,x26,[x29,#64]
+ ldp x27,x28,[x29,#80]
+ add sp,sp,#256 // #256 is from #32*(12-4). difference in stack frames
+ b .Ldouble_shortcut
+
+.align 4
+.Ladd_proceed:
+ add $rp,sp,#$Rsqr
+ bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Rsqr, R);
+
+ ldr $bi,[$ap_real,#64]
+ ldp $a0,$a1,[sp,#$H]
+ ldp $a2,$a3,[sp,#$H+16]
+ add $bp,$ap_real,#64
+ add $rp,sp,#$res_z
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(res_z, H, in1_z);
+
+ ldp $a0,$a1,[sp,#$H]
+ ldp $a2,$a3,[sp,#$H+16]
+ add $rp,sp,#$Hsqr
+ bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Hsqr, H);
+
+ ldr $bi,[$bp_real,#64]
+ ldp $a0,$a1,[sp,#$res_z]
+ ldp $a2,$a3,[sp,#$res_z+16]
+ add $bp,$bp_real,#64
+ add $rp,sp,#$res_z
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(res_z, res_z, in2_z);
+
+ ldr $bi,[sp,#$H]
+ ldp $a0,$a1,[sp,#$Hsqr]
+ ldp $a2,$a3,[sp,#$Hsqr+16]
+ add $bp,sp,#$H
+ add $rp,sp,#$Hcub
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(Hcub, Hsqr, H);
+
+ ldr $bi,[sp,#$Hsqr]
+ ldp $a0,$a1,[sp,#$U1]
+ ldp $a2,$a3,[sp,#$U1+16]
+ add $bp,sp,#$Hsqr
+ add $rp,sp,#$U2
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, U1, Hsqr);
+
+ mov $t0,$acc0
+ mov $t1,$acc1
+ mov $t2,$acc2
+ mov $t3,$acc3
+ add $rp,sp,#$Hsqr
+ bl __ecp_nistz256_add_to // p256_mul_by_2(Hsqr, U2);
+
+ add $bp,sp,#$Rsqr
+ add $rp,sp,#$res_x
+ bl __ecp_nistz256_sub_morf // p256_sub(res_x, Rsqr, Hsqr);
+
+ add $bp,sp,#$Hcub
+ bl __ecp_nistz256_sub_from // p256_sub(res_x, res_x, Hcub);
+
+ add $bp,sp,#$U2
+ ldr $bi,[sp,#$Hcub] // forward load for p256_mul_mont
+ ldp $a0,$a1,[sp,#$S1]
+ ldp $a2,$a3,[sp,#$S1+16]
+ add $rp,sp,#$res_y
+ bl __ecp_nistz256_sub_morf // p256_sub(res_y, U2, res_x);
+
+ add $bp,sp,#$Hcub
+ add $rp,sp,#$S2
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, S1, Hcub);
+
+ ldr $bi,[sp,#$R]
+ ldp $a0,$a1,[sp,#$res_y]
+ ldp $a2,$a3,[sp,#$res_y+16]
+ add $bp,sp,#$R
+ add $rp,sp,#$res_y
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(res_y, res_y, R);
+
+ add $bp,sp,#$S2
+ bl __ecp_nistz256_sub_from // p256_sub(res_y, res_y, S2);
+
+ ldp $a0,$a1,[sp,#$res_x] // res
+ ldp $a2,$a3,[sp,#$res_x+16]
+ ldp $t0,$t1,[$bp_real] // in2
+ ldp $t2,$t3,[$bp_real,#16]
+___
+for($i=0;$i<64;$i+=32) { # conditional moves
+$code.=<<___;
+ ldp $acc0,$acc1,[$ap_real,#$i] // in1
+ cmp $in1infty,#0 // ~$in1intfy, remember?
+ ldp $acc2,$acc3,[$ap_real,#$i+16]
+ csel $t0,$a0,$t0,ne
+ csel $t1,$a1,$t1,ne
+ ldp $a0,$a1,[sp,#$res_x+$i+32] // res
+ csel $t2,$a2,$t2,ne
+ csel $t3,$a3,$t3,ne
+ cmp $in2infty,#0 // ~$in2intfy, remember?
+ ldp $a2,$a3,[sp,#$res_x+$i+48]
+ csel $acc0,$t0,$acc0,ne
+ csel $acc1,$t1,$acc1,ne
+ ldp $t0,$t1,[$bp_real,#$i+32] // in2
+ csel $acc2,$t2,$acc2,ne
+ csel $acc3,$t3,$acc3,ne
+ ldp $t2,$t3,[$bp_real,#$i+48]
+ stp $acc0,$acc1,[$rp_real,#$i]
+ stp $acc2,$acc3,[$rp_real,#$i+16]
+___
+}
+$code.=<<___;
+ ldp $acc0,$acc1,[$ap_real,#$i] // in1
+ cmp $in1infty,#0 // ~$in1intfy, remember?
+ ldp $acc2,$acc3,[$ap_real,#$i+16]
+ csel $t0,$a0,$t0,ne
+ csel $t1,$a1,$t1,ne
+ csel $t2,$a2,$t2,ne
+ csel $t3,$a3,$t3,ne
+ cmp $in2infty,#0 // ~$in2intfy, remember?
+ csel $acc0,$t0,$acc0,ne
+ csel $acc1,$t1,$acc1,ne
+ csel $acc2,$t2,$acc2,ne
+ csel $acc3,$t3,$acc3,ne
+ stp $acc0,$acc1,[$rp_real,#$i]
+ stp $acc2,$acc3,[$rp_real,#$i+16]
+
+.Ladd_done:
+ add sp,x29,#0 // destroy frame
+ ldp x19,x20,[x29,#16]
+ ldp x21,x22,[x29,#32]
+ ldp x23,x24,[x29,#48]
+ ldp x25,x26,[x29,#64]
+ ldp x27,x28,[x29,#80]
+ ldp x29,x30,[sp],#96
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+.size ecp_nistz256_point_add,.-ecp_nistz256_point_add
+___
+}
+
+########################################################################
+# void ecp_nistz256_point_add_affine(P256_POINT *out,const P256_POINT *in1,
+# const P256_POINT_AFFINE *in2);
+{
+my ($res_x,$res_y,$res_z,
+ $U2,$S2,$H,$R,$Hsqr,$Hcub,$Rsqr)=map(32*$_,(0..9));
+my $Z1sqr = $S2;
+# above map() describes stack layout with 10 temporary
+# 256-bit vectors on top.
+my ($rp_real,$ap_real,$bp_real,$in1infty,$in2infty,$temp)=map("x$_",(21..26));
+
+$code.=<<___;
+.globl ecp_nistz256_point_add_affine
+.type ecp_nistz256_point_add_affine,%function
+.align 5
+ecp_nistz256_point_add_affine:
+ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-80]!
+ add x29,sp,#0
+ stp x19,x20,[sp,#16]
+ stp x21,x22,[sp,#32]
+ stp x23,x24,[sp,#48]
+ stp x25,x26,[sp,#64]
+ sub sp,sp,#32*10
+
+ mov $rp_real,$rp
+ mov $ap_real,$ap
+ mov $bp_real,$bp
+ ldr $poly1,.Lpoly+8
+ ldr $poly3,.Lpoly+24
+
+ ldp $a0,$a1,[$ap,#64] // in1_z
+ ldp $a2,$a3,[$ap,#64+16]
+ orr $t0,$a0,$a1
+ orr $t2,$a2,$a3
+ orr $in1infty,$t0,$t2
+ cmp $in1infty,#0
+ csetm $in1infty,ne // ~in1infty
+
+ ldp $acc0,$acc1,[$bp] // in2_x
+ ldp $acc2,$acc3,[$bp,#16]
+ ldp $t0,$t1,[$bp,#32] // in2_y
+ ldp $t2,$t3,[$bp,#48]
+ orr $acc0,$acc0,$acc1
+ orr $acc2,$acc2,$acc3
+ orr $t0,$t0,$t1
+ orr $t2,$t2,$t3
+ orr $acc0,$acc0,$acc2
+ orr $t0,$t0,$t2
+ orr $in2infty,$acc0,$t0
+ cmp $in2infty,#0
+ csetm $in2infty,ne // ~in2infty
+
+ add $rp,sp,#$Z1sqr
+ bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Z1sqr, in1_z);
+
+ mov $a0,$acc0
+ mov $a1,$acc1
+ mov $a2,$acc2
+ mov $a3,$acc3
+ ldr $bi,[$bp_real]
+ add $bp,$bp_real,#0
+ add $rp,sp,#$U2
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, Z1sqr, in2_x);
+
+ add $bp,$ap_real,#0
+ ldr $bi,[$ap_real,#64] // forward load for p256_mul_mont
+ ldp $a0,$a1,[sp,#$Z1sqr]
+ ldp $a2,$a3,[sp,#$Z1sqr+16]
+ add $rp,sp,#$H
+ bl __ecp_nistz256_sub_from // p256_sub(H, U2, in1_x);
+
+ add $bp,$ap_real,#64
+ add $rp,sp,#$S2
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, Z1sqr, in1_z);
+
+ ldr $bi,[$ap_real,#64]
+ ldp $a0,$a1,[sp,#$H]
+ ldp $a2,$a3,[sp,#$H+16]
+ add $bp,$ap_real,#64
+ add $rp,sp,#$res_z
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(res_z, H, in1_z);
+
+ ldr $bi,[$bp_real,#32]
+ ldp $a0,$a1,[sp,#$S2]
+ ldp $a2,$a3,[sp,#$S2+16]
+ add $bp,$bp_real,#32
+ add $rp,sp,#$S2
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, S2, in2_y);
+
+ add $bp,$ap_real,#32
+ ldp $a0,$a1,[sp,#$H] // forward load for p256_sqr_mont
+ ldp $a2,$a3,[sp,#$H+16]
+ add $rp,sp,#$R
+ bl __ecp_nistz256_sub_from // p256_sub(R, S2, in1_y);
+
+ add $rp,sp,#$Hsqr
+ bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Hsqr, H);
+
+ ldp $a0,$a1,[sp,#$R]
+ ldp $a2,$a3,[sp,#$R+16]
+ add $rp,sp,#$Rsqr
+ bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Rsqr, R);
+
+ ldr $bi,[sp,#$H]
+ ldp $a0,$a1,[sp,#$Hsqr]
+ ldp $a2,$a3,[sp,#$Hsqr+16]
+ add $bp,sp,#$H
+ add $rp,sp,#$Hcub
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(Hcub, Hsqr, H);
+
+ ldr $bi,[$ap_real]
+ ldp $a0,$a1,[sp,#$Hsqr]
+ ldp $a2,$a3,[sp,#$Hsqr+16]
+ add $bp,$ap_real,#0
+ add $rp,sp,#$U2
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, in1_x, Hsqr);
+
+ mov $t0,$acc0
+ mov $t1,$acc1
+ mov $t2,$acc2
+ mov $t3,$acc3
+ add $rp,sp,#$Hsqr
+ bl __ecp_nistz256_add_to // p256_mul_by_2(Hsqr, U2);
+
+ add $bp,sp,#$Rsqr
+ add $rp,sp,#$res_x
+ bl __ecp_nistz256_sub_morf // p256_sub(res_x, Rsqr, Hsqr);
+
+ add $bp,sp,#$Hcub
+ bl __ecp_nistz256_sub_from // p256_sub(res_x, res_x, Hcub);
+
+ add $bp,sp,#$U2
+ ldr $bi,[$ap_real,#32] // forward load for p256_mul_mont
+ ldp $a0,$a1,[sp,#$Hcub]
+ ldp $a2,$a3,[sp,#$Hcub+16]
+ add $rp,sp,#$res_y
+ bl __ecp_nistz256_sub_morf // p256_sub(res_y, U2, res_x);
+
+ add $bp,$ap_real,#32
+ add $rp,sp,#$S2
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, in1_y, Hcub);
+
+ ldr $bi,[sp,#$R]
+ ldp $a0,$a1,[sp,#$res_y]
+ ldp $a2,$a3,[sp,#$res_y+16]
+ add $bp,sp,#$R
+ add $rp,sp,#$res_y
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(res_y, res_y, R);
+
+ add $bp,sp,#$S2
+ bl __ecp_nistz256_sub_from // p256_sub(res_y, res_y, S2);
+
+ ldp $a0,$a1,[sp,#$res_x] // res
+ ldp $a2,$a3,[sp,#$res_x+16]
+ ldp $t0,$t1,[$bp_real] // in2
+ ldp $t2,$t3,[$bp_real,#16]
+___
+for($i=0;$i<64;$i+=32) { # conditional moves
+$code.=<<___;
+ ldp $acc0,$acc1,[$ap_real,#$i] // in1
+ cmp $in1infty,#0 // ~$in1intfy, remember?
+ ldp $acc2,$acc3,[$ap_real,#$i+16]
+ csel $t0,$a0,$t0,ne
+ csel $t1,$a1,$t1,ne
+ ldp $a0,$a1,[sp,#$res_x+$i+32] // res
+ csel $t2,$a2,$t2,ne
+ csel $t3,$a3,$t3,ne
+ cmp $in2infty,#0 // ~$in2intfy, remember?
+ ldp $a2,$a3,[sp,#$res_x+$i+48]
+ csel $acc0,$t0,$acc0,ne
+ csel $acc1,$t1,$acc1,ne
+ ldp $t0,$t1,[$bp_real,#$i+32] // in2
+ csel $acc2,$t2,$acc2,ne
+ csel $acc3,$t3,$acc3,ne
+ ldp $t2,$t3,[$bp_real,#$i+48]
+ stp $acc0,$acc1,[$rp_real,#$i]
+ stp $acc2,$acc3,[$rp_real,#$i+16]
+___
+$code.=<<___ if ($i == 0);
+ adr $bp_real,.Lone_mont-64
+___
+}
+$code.=<<___;
+ ldp $acc0,$acc1,[$ap_real,#$i] // in1
+ cmp $in1infty,#0 // ~$in1intfy, remember?
+ ldp $acc2,$acc3,[$ap_real,#$i+16]
+ csel $t0,$a0,$t0,ne
+ csel $t1,$a1,$t1,ne
+ csel $t2,$a2,$t2,ne
+ csel $t3,$a3,$t3,ne
+ cmp $in2infty,#0 // ~$in2intfy, remember?
+ csel $acc0,$t0,$acc0,ne
+ csel $acc1,$t1,$acc1,ne
+ csel $acc2,$t2,$acc2,ne
+ csel $acc3,$t3,$acc3,ne
+ stp $acc0,$acc1,[$rp_real,#$i]
+ stp $acc2,$acc3,[$rp_real,#$i+16]
+
+ add sp,x29,#0 // destroy frame
+ ldp x19,x20,[x29,#16]
+ ldp x21,x22,[x29,#32]
+ ldp x23,x24,[x29,#48]
+ ldp x25,x26,[x29,#64]
+ ldp x29,x30,[sp],#80
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+.size ecp_nistz256_point_add_affine,.-ecp_nistz256_point_add_affine
+___
+}
+if (1) {
+my ($ord0,$ord1) = ($poly1,$poly3);
+my ($ord2,$ord3,$ordk,$t4) = map("x$_",(21..24));
+my $acc7 = $bi;
+
+$code.=<<___;
+////////////////////////////////////////////////////////////////////////
+// void ecp_nistz256_ord_mul_mont(uint64_t res[4], uint64_t a[4],
+// uint64_t b[4]);
+.globl ecp_nistz256_ord_mul_mont
+.type ecp_nistz256_ord_mul_mont,%function
+.align 4
+ecp_nistz256_ord_mul_mont:
+ AARCH64_VALID_CALL_TARGET
+ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.
+ stp x29,x30,[sp,#-64]!
+ add x29,sp,#0
+ stp x19,x20,[sp,#16]
+ stp x21,x22,[sp,#32]
+ stp x23,x24,[sp,#48]
+
+ adr $ordk,.Lord
+ ldr $bi,[$bp] // bp[0]
+ ldp $a0,$a1,[$ap]
+ ldp $a2,$a3,[$ap,#16]
+
+ ldp $ord0,$ord1,[$ordk,#0]
+ ldp $ord2,$ord3,[$ordk,#16]
+ ldr $ordk,[$ordk,#32]
+
+ mul $acc0,$a0,$bi // a[0]*b[0]
+ umulh $t0,$a0,$bi
+
+ mul $acc1,$a1,$bi // a[1]*b[0]
+ umulh $t1,$a1,$bi
+
+ mul $acc2,$a2,$bi // a[2]*b[0]
+ umulh $t2,$a2,$bi
+
+ mul $acc3,$a3,$bi // a[3]*b[0]
+ umulh $acc4,$a3,$bi
+
+ mul $t4,$acc0,$ordk
+
+ adds $acc1,$acc1,$t0 // accumulate high parts of multiplication
+ adcs $acc2,$acc2,$t1
+ adcs $acc3,$acc3,$t2
+ adc $acc4,$acc4,xzr
+ mov $acc5,xzr
+___
+for ($i=1;$i<4;$i++) {
+ ################################################################
+ # ffff0000.ffffffff.yyyyyyyy.zzzzzzzz
+ # * abcdefgh
+ # + xxxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx
+ #
+ # Now observing that ff..ff*x = (2^n-1)*x = 2^n*x-x, we
+ # rewrite above as:
+ #
+ # xxxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx
+ # - 0000abcd.efgh0000.abcdefgh.00000000.00000000
+ # + abcdefgh.abcdefgh.yzayzbyz.cyzdyzey.zfyzgyzh
+$code.=<<___;
+ ldr $bi,[$bp,#8*$i] // b[i]
+
+ lsl $t0,$t4,#32
+ subs $acc2,$acc2,$t4
+ lsr $t1,$t4,#32
+ sbcs $acc3,$acc3,$t0
+ sbcs $acc4,$acc4,$t1
+ sbc $acc5,$acc5,xzr
+
+ subs xzr,$acc0,#1
+ umulh $t1,$ord0,$t4
+ mul $t2,$ord1,$t4
+ umulh $t3,$ord1,$t4
+
+ adcs $t2,$t2,$t1
+ mul $t0,$a0,$bi
+ adc $t3,$t3,xzr
+ mul $t1,$a1,$bi
+
+ adds $acc0,$acc1,$t2
+ mul $t2,$a2,$bi
+ adcs $acc1,$acc2,$t3
+ mul $t3,$a3,$bi
+ adcs $acc2,$acc3,$t4
+ adcs $acc3,$acc4,$t4
+ adc $acc4,$acc5,xzr
+
+ adds $acc0,$acc0,$t0 // accumulate low parts
+ umulh $t0,$a0,$bi
+ adcs $acc1,$acc1,$t1
+ umulh $t1,$a1,$bi
+ adcs $acc2,$acc2,$t2
+ umulh $t2,$a2,$bi
+ adcs $acc3,$acc3,$t3
+ umulh $t3,$a3,$bi
+ adc $acc4,$acc4,xzr
+ mul $t4,$acc0,$ordk
+ adds $acc1,$acc1,$t0 // accumulate high parts
+ adcs $acc2,$acc2,$t1
+ adcs $acc3,$acc3,$t2
+ adcs $acc4,$acc4,$t3
+ adc $acc5,xzr,xzr
+___
+}
+$code.=<<___;
+ lsl $t0,$t4,#32 // last reduction
+ subs $acc2,$acc2,$t4
+ lsr $t1,$t4,#32
+ sbcs $acc3,$acc3,$t0
+ sbcs $acc4,$acc4,$t1
+ sbc $acc5,$acc5,xzr
+
+ subs xzr,$acc0,#1
+ umulh $t1,$ord0,$t4
+ mul $t2,$ord1,$t4
+ umulh $t3,$ord1,$t4
+
+ adcs $t2,$t2,$t1
+ adc $t3,$t3,xzr
+
+ adds $acc0,$acc1,$t2
+ adcs $acc1,$acc2,$t3
+ adcs $acc2,$acc3,$t4
+ adcs $acc3,$acc4,$t4
+ adc $acc4,$acc5,xzr
+
+ subs $t0,$acc0,$ord0 // ret -= modulus
+ sbcs $t1,$acc1,$ord1
+ sbcs $t2,$acc2,$ord2
+ sbcs $t3,$acc3,$ord3
+ sbcs xzr,$acc4,xzr
+
+ csel $acc0,$acc0,$t0,lo // ret = borrow ? ret : ret-modulus
+ csel $acc1,$acc1,$t1,lo
+ csel $acc2,$acc2,$t2,lo
+ stp $acc0,$acc1,[$rp]
+ csel $acc3,$acc3,$t3,lo
+ stp $acc2,$acc3,[$rp,#16]
+
+ ldp x19,x20,[sp,#16]
+ ldp x21,x22,[sp,#32]
+ ldp x23,x24,[sp,#48]
+ ldr x29,[sp],#64
+ ret
+.size ecp_nistz256_ord_mul_mont,.-ecp_nistz256_ord_mul_mont
+
+////////////////////////////////////////////////////////////////////////
+// void ecp_nistz256_ord_sqr_mont(uint64_t res[4], uint64_t a[4],
+// int rep);
+.globl ecp_nistz256_ord_sqr_mont
+.type ecp_nistz256_ord_sqr_mont,%function
+.align 4
+ecp_nistz256_ord_sqr_mont:
+ AARCH64_VALID_CALL_TARGET
+ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.
+ stp x29,x30,[sp,#-64]!
+ add x29,sp,#0
+ stp x19,x20,[sp,#16]
+ stp x21,x22,[sp,#32]
+ stp x23,x24,[sp,#48]
+
+ adr $ordk,.Lord
+ ldp $a0,$a1,[$ap]
+ ldp $a2,$a3,[$ap,#16]
+
+ ldp $ord0,$ord1,[$ordk,#0]
+ ldp $ord2,$ord3,[$ordk,#16]
+ ldr $ordk,[$ordk,#32]
+ b .Loop_ord_sqr
+
+.align 4
+.Loop_ord_sqr:
+ sub $bp,$bp,#1
+ ////////////////////////////////////////////////////////////////
+ // | | | | | |a1*a0| |
+ // | | | | |a2*a0| | |
+ // | |a3*a2|a3*a0| | | |
+ // | | | |a2*a1| | | |
+ // | | |a3*a1| | | | |
+ // *| | | | | | | | 2|
+ // +|a3*a3|a2*a2|a1*a1|a0*a0|
+ // |--+--+--+--+--+--+--+--|
+ // |A7|A6|A5|A4|A3|A2|A1|A0|, where Ax is $accx, i.e. follow $accx
+ //
+ // "can't overflow" below mark carrying into high part of
+ // multiplication result, which can't overflow, because it
+ // can never be all ones.
+
+ mul $acc1,$a1,$a0 // a[1]*a[0]
+ umulh $t1,$a1,$a0
+ mul $acc2,$a2,$a0 // a[2]*a[0]
+ umulh $t2,$a2,$a0
+ mul $acc3,$a3,$a0 // a[3]*a[0]
+ umulh $acc4,$a3,$a0
+
+ adds $acc2,$acc2,$t1 // accumulate high parts of multiplication
+ mul $t0,$a2,$a1 // a[2]*a[1]
+ umulh $t1,$a2,$a1
+ adcs $acc3,$acc3,$t2
+ mul $t2,$a3,$a1 // a[3]*a[1]
+ umulh $t3,$a3,$a1
+ adc $acc4,$acc4,xzr // can't overflow
+
+ mul $acc5,$a3,$a2 // a[3]*a[2]
+ umulh $acc6,$a3,$a2
+
+ adds $t1,$t1,$t2 // accumulate high parts of multiplication
+ mul $acc0,$a0,$a0 // a[0]*a[0]
+ adc $t2,$t3,xzr // can't overflow
+
+ adds $acc3,$acc3,$t0 // accumulate low parts of multiplication
+ umulh $a0,$a0,$a0
+ adcs $acc4,$acc4,$t1
+ mul $t1,$a1,$a1 // a[1]*a[1]
+ adcs $acc5,$acc5,$t2
+ umulh $a1,$a1,$a1
+ adc $acc6,$acc6,xzr // can't overflow
+
+ adds $acc1,$acc1,$acc1 // acc[1-6]*=2
+ mul $t2,$a2,$a2 // a[2]*a[2]
+ adcs $acc2,$acc2,$acc2
+ umulh $a2,$a2,$a2
+ adcs $acc3,$acc3,$acc3
+ mul $t3,$a3,$a3 // a[3]*a[3]
+ adcs $acc4,$acc4,$acc4
+ umulh $a3,$a3,$a3
+ adcs $acc5,$acc5,$acc5
+ adcs $acc6,$acc6,$acc6
+ adc $acc7,xzr,xzr
+
+ adds $acc1,$acc1,$a0 // +a[i]*a[i]
+ mul $t4,$acc0,$ordk
+ adcs $acc2,$acc2,$t1
+ adcs $acc3,$acc3,$a1
+ adcs $acc4,$acc4,$t2
+ adcs $acc5,$acc5,$a2
+ adcs $acc6,$acc6,$t3
+ adc $acc7,$acc7,$a3
+___
+for($i=0; $i<4; $i++) { # reductions
+$code.=<<___;
+ subs xzr,$acc0,#1
+ umulh $t1,$ord0,$t4
+ mul $t2,$ord1,$t4
+ umulh $t3,$ord1,$t4
+
+ adcs $t2,$t2,$t1
+ adc $t3,$t3,xzr
+
+ adds $acc0,$acc1,$t2
+ adcs $acc1,$acc2,$t3
+ adcs $acc2,$acc3,$t4
+ adc $acc3,xzr,$t4 // can't overflow
+___
+$code.=<<___ if ($i<3);
+ mul $t3,$acc0,$ordk
+___
+$code.=<<___;
+ lsl $t0,$t4,#32
+ subs $acc1,$acc1,$t4
+ lsr $t1,$t4,#32
+ sbcs $acc2,$acc2,$t0
+ sbc $acc3,$acc3,$t1 // can't borrow
+___
+ ($t3,$t4) = ($t4,$t3);
+}
+$code.=<<___;
+ adds $acc0,$acc0,$acc4 // accumulate upper half
+ adcs $acc1,$acc1,$acc5
+ adcs $acc2,$acc2,$acc6
+ adcs $acc3,$acc3,$acc7
+ adc $acc4,xzr,xzr
+
+ subs $t0,$acc0,$ord0 // ret -= modulus
+ sbcs $t1,$acc1,$ord1
+ sbcs $t2,$acc2,$ord2
+ sbcs $t3,$acc3,$ord3
+ sbcs xzr,$acc4,xzr
+
+ csel $a0,$acc0,$t0,lo // ret = borrow ? ret : ret-modulus
+ csel $a1,$acc1,$t1,lo
+ csel $a2,$acc2,$t2,lo
+ csel $a3,$acc3,$t3,lo
+
+ cbnz $bp,.Loop_ord_sqr
+
+ stp $a0,$a1,[$rp]
+ stp $a2,$a3,[$rp,#16]
+
+ ldp x19,x20,[sp,#16]
+ ldp x21,x22,[sp,#32]
+ ldp x23,x24,[sp,#48]
+ ldr x29,[sp],#64
+ ret
+.size ecp_nistz256_ord_sqr_mont,.-ecp_nistz256_ord_sqr_mont
+___
+} }
+
+########################################################################
+# select subroutines
+# These select functions are similar to those in p256-x86_64-asm.pl
+# They load all points in the lookup table
+# keeping in the output only the one corresponding to the input index.
+{
+my ($val,$in_t)=map("x$_",(0..1));
+my ($index)=("w2");
+my ($Idx_ctr,$Val_in, $Mask_64)=("w9", "x10", "x11");
+my ($Mask)=("v3");
+my ($Ra,$Rb,$Rc,$Rd,$Re,$Rf)=map("v$_",(16..21));
+my ($T0a,$T0b,$T0c,$T0d,$T0e,$T0f)=map("v$_",(22..27));
+$code.=<<___;
+////////////////////////////////////////////////////////////////////////
+// void ecp_nistz256_select_w5(uint64_t *val, uint64_t *in_t, int index);
+.globl ecp_nistz256_select_w5
+.type ecp_nistz256_select_w5,%function
+.align 4
+ecp_nistz256_select_w5:
+ AARCH64_VALID_CALL_TARGET
+
+ // $Val_in := $val
+ // $Idx_ctr := 0; loop counter and incremented internal index
+ mov $Val_in, $val
+ mov $Idx_ctr, #0
+
+ // [$Ra-$Rf] := 0
+ movi $Ra.16b, #0
+ movi $Rb.16b, #0
+ movi $Rc.16b, #0
+ movi $Rd.16b, #0
+ movi $Re.16b, #0
+ movi $Rf.16b, #0
+
+.Lselect_w5_loop:
+ // Loop 16 times.
+
+ // Increment index (loop counter); tested at the end of the loop
+ add $Idx_ctr, $Idx_ctr, #1
+
+ // [$T0a-$T0f] := Load a (3*256-bit = 6*128-bit) table entry starting at $in_t
+ // and advance $in_t to point to the next entry
+ ld1 {$T0a.2d, $T0b.2d, $T0c.2d, $T0d.2d}, [$in_t],#64
+
+ // $Mask_64 := ($Idx_ctr == $index)? All 1s : All 0s
+ cmp $Idx_ctr, $index
+ csetm $Mask_64, eq
+
+ // continue loading ...
+ ld1 {$T0e.2d, $T0f.2d}, [$in_t],#32
+
+ // duplicate mask_64 into Mask (all 0s or all 1s)
+ dup $Mask.2d, $Mask_64
+
+ // [$Ra-$Rd] := (Mask == all 1s)? [$T0a-$T0d] : [$Ra-$Rd]
+ // i.e., values in output registers will remain the same if $Idx_ctr != $index
+ bit $Ra.16b, $T0a.16b, $Mask.16b
+ bit $Rb.16b, $T0b.16b, $Mask.16b
+
+ bit $Rc.16b, $T0c.16b, $Mask.16b
+ bit $Rd.16b, $T0d.16b, $Mask.16b
+
+ bit $Re.16b, $T0e.16b, $Mask.16b
+ bit $Rf.16b, $T0f.16b, $Mask.16b
+
+ // If bit #4 is not 0 (i.e. idx_ctr < 16) loop back
+ tbz $Idx_ctr, #4, .Lselect_w5_loop
+
+ // Write [$Ra-$Rf] to memory at the output pointer
+ st1 {$Ra.2d, $Rb.2d, $Rc.2d, $Rd.2d}, [$Val_in],#64
+ st1 {$Re.2d, $Rf.2d}, [$Val_in]
+
+ ret
+.size ecp_nistz256_select_w5,.-ecp_nistz256_select_w5
+
+
+////////////////////////////////////////////////////////////////////////
+// void ecp_nistz256_select_w7(uint64_t *val, uint64_t *in_t, int index);
+.globl ecp_nistz256_select_w7
+.type ecp_nistz256_select_w7,%function
+.align 4
+ecp_nistz256_select_w7:
+ AARCH64_VALID_CALL_TARGET
+
+ // $Idx_ctr := 0; loop counter and incremented internal index
+ mov $Idx_ctr, #0
+
+ // [$Ra-$Rf] := 0
+ movi $Ra.16b, #0
+ movi $Rb.16b, #0
+ movi $Rc.16b, #0
+ movi $Rd.16b, #0
+
+.Lselect_w7_loop:
+ // Loop 64 times.
+
+ // Increment index (loop counter); tested at the end of the loop
+ add $Idx_ctr, $Idx_ctr, #1
+
+ // [$T0a-$T0d] := Load a (2*256-bit = 4*128-bit) table entry starting at $in_t
+ // and advance $in_t to point to the next entry
+ ld1 {$T0a.2d, $T0b.2d, $T0c.2d, $T0d.2d}, [$in_t],#64
+
+ // $Mask_64 := ($Idx_ctr == $index)? All 1s : All 0s
+ cmp $Idx_ctr, $index
+ csetm $Mask_64, eq
+
+ // duplicate mask_64 into Mask (all 0s or all 1s)
+ dup $Mask.2d, $Mask_64
+
+ // [$Ra-$Rd] := (Mask == all 1s)? [$T0a-$T0d] : [$Ra-$Rd]
+ // i.e., values in output registers will remain the same if $Idx_ctr != $index
+ bit $Ra.16b, $T0a.16b, $Mask.16b
+ bit $Rb.16b, $T0b.16b, $Mask.16b
+
+ bit $Rc.16b, $T0c.16b, $Mask.16b
+ bit $Rd.16b, $T0d.16b, $Mask.16b
+
+ // If bit #6 is not 0 (i.e. idx_ctr < 64) loop back
+ tbz $Idx_ctr, #6, .Lselect_w7_loop
+
+ // Write [$Ra-$Rd] to memory at the output pointer
+ st1 {$Ra.2d, $Rb.2d, $Rc.2d, $Rd.2d}, [$val]
+
+ ret
+.size ecp_nistz256_select_w7,.-ecp_nistz256_select_w7
+___
+}
+
+foreach (split("\n",$code)) {
+ s/\`([^\`]*)\`/eval $1/ge;
+
+ print $_,"\n";
+}
+close STDOUT or die "error closing STDOUT: $!"; # enforce flush
diff --git a/src/crypto/fipsmodule/ec/asm/p256_beeu-armv8-asm.pl b/src/crypto/fipsmodule/ec/asm/p256_beeu-armv8-asm.pl
new file mode 100644
index 0000000..e259aef
--- /dev/null
+++ b/src/crypto/fipsmodule/ec/asm/p256_beeu-armv8-asm.pl
@@ -0,0 +1,455 @@
+# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+# SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+# OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+# CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+#
+#
+# This code is based on p256_beeu-x86_64-asm.pl (which is based on BN_mod_inverse_odd).
+#
+
+# The first two arguments should always be the flavour and output file path.
+if ($#ARGV < 1) { die "Not enough arguments provided.
+ Two arguments are necessary: the flavour and the output file path."; }
+
+$flavour = shift;
+$output = shift;
+
+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
+( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
+( $xlate="${dir}../../../perlasm/arm-xlate.pl" and -f $xlate) or
+die "can't locate arm-xlate.pl";
+
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
+#############################################################################
+# extern int beeu_mod_inverse_vartime(BN_ULONG out[P256_LIMBS],
+# BN_ULONG a[P256_LIMBS],
+# BN_ULONG n[P256_LIMBS]);
+#
+# (Binary Extended GCD (Euclidean) Algorithm.
+# See A. Menezes, P. vanOorschot, and S. Vanstone's Handbook of Applied Cryptography,
+# Chapter 14, Algorithm 14.61 and Note 14.64
+# http://cacr.uwaterloo.ca/hac/about/chap14.pdf)
+
+# Assumption 1: n is odd for the BEEU
+# Assumption 2: 1 < a < n < 2^256
+
+# Details
+# The inverse of x modulo y can be calculated using Alg. 14.61, where "a" would be that inverse.
+# In other words,
+# ax == 1 (mod y) (where the symbol “==“ denotes ”congruent“)
+# a == x^{-1} (mod y)
+#
+# It can be shown that throughout all the iterations of the algorithm, the following holds:
+# u = Ax + By
+# v = Cx + Dy
+# The values B and D are not of interest in this case, so they need not be computed by the algorithm.
+# This means the following congruences hold through the iterations of the algorithm.
+# Ax == u (mod y)
+# Cx == v (mod y)
+
+# Now we will modify the notation to match that of BN_mod_inverse_odd()
+# on which beeu_mod_inverse_vartime() in `p256_beeu-x86_64-asm` is based.
+# In those functions:
+# x, y -> a, n
+# u, v -> B, A
+# A, C -> X, Y’, where Y’ = -Y
+# Hence, the following holds throughout the algorithm iterations
+# Xa == B (mod n)
+# -Ya == A (mod n)
+#
+# Same algorithm in Python:
+# def beeu(a, n):
+# X = 1
+# Y = 0
+# B = a
+# A = n
+# while (B != 0):
+# while (B % 2) == 0:
+# B >>= 1
+# if (X % 2) == 1:
+# X = X + n
+# X >>= 1
+# while (A % 2) == 0:
+# A >>= 1
+# if (Y % 2) == 1:
+# Y = Y + n
+# Y >>= 1
+# if (B >= A):
+# B = B - A
+# X = X + Y
+# else:
+# A = A - B
+# Y = Y + X
+# if (A != 1):
+# # error
+# return 0
+# else:
+# while (Y > n):
+# Y = Y - n
+# Y = n - Y
+# return Y
+
+
+# For the internal variables,
+# x0-x2, x30 are used to hold the modulus n. The input parameters passed in
+# x1,x2 are copied first before corrupting them. x0 (out) is stored on the stack.
+# x3-x7 are used for parameters, which is not the case in this function, so they are corruptible
+# x8 is corruptible here
+# (the function doesn't return a struct, hence x8 doesn't contain a passed-in address
+# for that struct).
+# x9-x15 are corruptible registers
+# x19-x28 are callee-saved registers
+
+# X/Y will hold the inverse parameter
+# Assumption: a,n,X,Y < 2^(256)
+# Initially, X := 1, Y := 0
+# A := n, B := a
+
+# Function parameters (as per the Procedure Call Standard)
+my($out, $a_in, $n_in)=map("x$_",(0..2));
+# Internal variables
+my($n0, $n1, $n2, $n3)=map("x$_",(0..2,30));
+my($x0, $x1, $x2, $x3, $x4)=map("x$_",(3..7));
+my($y0, $y1, $y2, $y3, $y4)=map("x$_",(8..12));
+my($shift)=("x13");
+my($t0, $t1, $t2, $t3)=map("x$_",(14,15,19,20));
+my($a0, $a1, $a2, $a3)=map("x$_",(21..24));
+my($b0, $b1, $b2, $b3)=map("x$_",(25..28));
+
+# if B == 0, jump to end of loop
+sub TEST_B_ZERO {
+ return <<___;
+ orr $t0, $b0, $b1
+ orr $t0, $t0, $b2
+
+ // reverse the bit order of $b0. This is needed for clz after this macro
+ rbit $t1, $b0
+
+ orr $t0, $t0, $b3
+ cbz $t0,.Lbeeu_loop_end
+___
+}
+
+# Shift right by 1 bit, adding the modulus first if the variable is odd
+# if least_sig_bit(var0) == 0,
+# goto shift1_<ctr>
+# else
+# add n and goto shift1_<ctr>
+# Prerequisite: t0 = 0
+$g_next_label = 0;
+sub SHIFT1 {
+ my ($var0, $var1, $var2, $var3, $var4) = @_;
+ my $label = ".Lshift1_${g_next_label}";
+ $g_next_label++;
+ return <<___;
+ tbz $var0, #0, $label
+ adds $var0, $var0, $n0
+ adcs $var1, $var1, $n1
+ adcs $var2, $var2, $n2
+ adcs $var3, $var3, $n3
+ adc $var4, $var4, $t0
+$label:
+ // var0 := [var1|var0]<64..1>;
+ // i.e. concatenate var1 and var0,
+ // extract bits <64..1> from the resulting 128-bit value
+ // and put them in var0
+ extr $var0, $var1, $var0, #1
+ extr $var1, $var2, $var1, #1
+ extr $var2, $var3, $var2, #1
+ extr $var3, $var4, $var3, #1
+ lsr $var4, $var4, #1
+___
+}
+
+# compilation by clang 10.0.0 with -O2/-O3 of
+# a[0] = (a[0] >> count) | (a[1] << (64-count));
+# a[1] = (a[1] >> count) | (a[2] << (64-count));
+# a[2] = (a[2] >> count) | (a[3] << (64-count));
+# a[3] >>= count;
+# Note: EXTR instruction used in SHIFT1 is similar to x86_64's SHRDQ
+# except that the second source operand of EXTR is only immediate;
+# that's why it cannot be used here where $shift is a variable
+#
+# In the following,
+# t0 := 0 - shift
+#
+# then var0, for example, will be shifted right as follows:
+# var0 := (var0 >> (uint(shift) mod 64)) | (var1 << (uint(t0) mod 64))
+# "uint() mod 64" is from the definition of LSL and LSR instructions.
+#
+# What matters here is the order of instructions relative to certain other
+# instructions, i.e.
+# - lsr and lsl must precede orr of the corresponding registers.
+# - lsl must preced the lsr of the same register afterwards.
+# The chosen order of the instructions overall is to try and maximize
+# the pipeline usage.
+sub SHIFT256 {
+ my ($var0, $var1, $var2, $var3) = @_;
+ return <<___;
+ neg $t0, $shift
+ lsr $var0, $var0, $shift
+ lsl $t1, $var1, $t0
+
+ lsr $var1, $var1, $shift
+ lsl $t2, $var2, $t0
+
+ orr $var0, $var0, $t1
+
+ lsr $var2, $var2, $shift
+ lsl $t3, $var3, $t0
+
+ orr $var1, $var1, $t2
+
+ lsr $var3, $var3, $shift
+
+ orr $var2, $var2, $t3
+___
+}
+
+$code.=<<___;
+#include "openssl/arm_arch.h"
+
+.text
+.globl beeu_mod_inverse_vartime
+.type beeu_mod_inverse_vartime, %function
+.align 4
+beeu_mod_inverse_vartime:
+ // Reserve enough space for 14 8-byte registers on the stack
+ // in the first stp call for x29, x30.
+ // Then store the remaining callee-saved registers.
+ //
+ // | x29 | x30 | x19 | x20 | ... | x27 | x28 | x0 | x2 |
+ // ^ ^
+ // sp <------------------- 112 bytes ----------------> old sp
+ // x29 (FP)
+ //
+ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-112]!
+ add x29,sp,#0
+ stp x19,x20,[sp,#16]
+ stp x21,x22,[sp,#32]
+ stp x23,x24,[sp,#48]
+ stp x25,x26,[sp,#64]
+ stp x27,x28,[sp,#80]
+ stp x0,x2,[sp,#96]
+
+ // B = b3..b0 := a
+ ldp $b0,$b1,[$a_in]
+ ldp $b2,$b3,[$a_in,#16]
+
+ // n3..n0 := n
+ // Note: the value of input params are changed in the following.
+ ldp $n0,$n1,[$n_in]
+ ldp $n2,$n3,[$n_in,#16]
+
+ // A = a3..a0 := n
+ mov $a0, $n0
+ mov $a1, $n1
+ mov $a2, $n2
+ mov $a3, $n3
+
+ // X = x4..x0 := 1
+ mov $x0, #1
+ eor $x1, $x1, $x1
+ eor $x2, $x2, $x2
+ eor $x3, $x3, $x3
+ eor $x4, $x4, $x4
+
+ // Y = y4..y0 := 0
+ eor $y0, $y0, $y0
+ eor $y1, $y1, $y1
+ eor $y2, $y2, $y2
+ eor $y3, $y3, $y3
+ eor $y4, $y4, $y4
+
+.Lbeeu_loop:
+ // if B == 0, jump to .Lbeeu_loop_end
+ ${\TEST_B_ZERO}
+
+ // 0 < B < |n|,
+ // 0 < A <= |n|,
+ // (1) X*a == B (mod |n|),
+ // (2) (-1)*Y*a == A (mod |n|)
+
+ // Now divide B by the maximum possible power of two in the
+ // integers, and divide X by the same value mod |n|.
+ // When we're done, (1) still holds.
+
+ // shift := number of trailing 0s in $b0
+ // ( = number of leading 0s in $t1; see the "rbit" instruction in TEST_B_ZERO)
+ clz $shift, $t1
+
+ // If there is no shift, goto shift_A_Y
+ cbz $shift, .Lbeeu_shift_A_Y
+
+ // Shift B right by "$shift" bits
+ ${\SHIFT256($b0, $b1, $b2, $b3)}
+
+ // Shift X right by "$shift" bits, adding n whenever X becomes odd.
+ // $shift--;
+ // $t0 := 0; needed in the addition to the most significant word in SHIFT1
+ eor $t0, $t0, $t0
+.Lbeeu_shift_loop_X:
+ ${\SHIFT1($x0, $x1, $x2, $x3, $x4)}
+ subs $shift, $shift, #1
+ bne .Lbeeu_shift_loop_X
+
+ // Note: the steps above perform the same sequence as in p256_beeu-x86_64-asm.pl
+ // with the following differences:
+ // - "$shift" is set directly to the number of trailing 0s in B
+ // (using rbit and clz instructions)
+ // - The loop is only used to call SHIFT1(X)
+ // and $shift is decreased while executing the X loop.
+ // - SHIFT256(B, $shift) is performed before right-shifting X; they are independent
+
+.Lbeeu_shift_A_Y:
+ // Same for A and Y.
+ // Afterwards, (2) still holds.
+ // Reverse the bit order of $a0
+ // $shift := number of trailing 0s in $a0 (= number of leading 0s in $t1)
+ rbit $t1, $a0
+ clz $shift, $t1
+
+ // If there is no shift, goto |B-A|, X+Y update
+ cbz $shift, .Lbeeu_update_B_X_or_A_Y
+
+ // Shift A right by "$shift" bits
+ ${\SHIFT256($a0, $a1, $a2, $a3)}
+
+ // Shift Y right by "$shift" bits, adding n whenever Y becomes odd.
+ // $shift--;
+ // $t0 := 0; needed in the addition to the most significant word in SHIFT1
+ eor $t0, $t0, $t0
+.Lbeeu_shift_loop_Y:
+ ${\SHIFT1($y0, $y1, $y2, $y3, $y4)}
+ subs $shift, $shift, #1
+ bne .Lbeeu_shift_loop_Y
+
+.Lbeeu_update_B_X_or_A_Y:
+ // Try T := B - A; if cs, continue with B > A (cs: carry set = no borrow)
+ // Note: this is a case of unsigned arithmetic, where T fits in 4 64-bit words
+ // without taking a sign bit if generated. The lack of a carry would
+ // indicate a negative result. See, for example,
+ // https://community.arm.com/developer/ip-products/processors/b/processors-ip-blog/posts/condition-codes-1-condition-flags-and-codes
+ subs $t0, $b0, $a0
+ sbcs $t1, $b1, $a1
+ sbcs $t2, $b2, $a2
+ sbcs $t3, $b3, $a3
+ bcs .Lbeeu_B_greater_than_A
+
+ // Else A > B =>
+ // A := A - B; Y := Y + X; goto beginning of the loop
+ subs $a0, $a0, $b0
+ sbcs $a1, $a1, $b1
+ sbcs $a2, $a2, $b2
+ sbcs $a3, $a3, $b3
+
+ adds $y0, $y0, $x0
+ adcs $y1, $y1, $x1
+ adcs $y2, $y2, $x2
+ adcs $y3, $y3, $x3
+ adc $y4, $y4, $x4
+ b .Lbeeu_loop
+
+.Lbeeu_B_greater_than_A:
+ // Continue with B > A =>
+ // B := B - A; X := X + Y; goto beginning of the loop
+ mov $b0, $t0
+ mov $b1, $t1
+ mov $b2, $t2
+ mov $b3, $t3
+
+ adds $x0, $x0, $y0
+ adcs $x1, $x1, $y1
+ adcs $x2, $x2, $y2
+ adcs $x3, $x3, $y3
+ adc $x4, $x4, $y4
+ b .Lbeeu_loop
+
+.Lbeeu_loop_end:
+ // The Euclid's algorithm loop ends when A == gcd(a,n);
+ // this would be 1, when a and n are co-prime (i.e. do not have a common factor).
+ // Since (-1)*Y*a == A (mod |n|), Y>0
+ // then out = -Y mod n
+
+ // Verify that A = 1 ==> (-1)*Y*a = A = 1 (mod |n|)
+ // Is A-1 == 0?
+ // If not, fail.
+ sub $t0, $a0, #1
+ orr $t0, $t0, $a1
+ orr $t0, $t0, $a2
+ orr $t0, $t0, $a3
+ cbnz $t0, .Lbeeu_err
+
+ // If Y>n ==> Y:=Y-n
+.Lbeeu_reduction_loop:
+ // x_i := y_i - n_i (X is no longer needed, use it as temp)
+ // ($t0 = 0 from above)
+ subs $x0, $y0, $n0
+ sbcs $x1, $y1, $n1
+ sbcs $x2, $y2, $n2
+ sbcs $x3, $y3, $n3
+ sbcs $x4, $y4, $t0
+
+ // If result is non-negative (i.e., cs = carry set = no borrow),
+ // y_i := x_i; goto reduce again
+ // else
+ // y_i := y_i; continue
+ csel $y0, $x0, $y0, cs
+ csel $y1, $x1, $y1, cs
+ csel $y2, $x2, $y2, cs
+ csel $y3, $x3, $y3, cs
+ csel $y4, $x4, $y4, cs
+ bcs .Lbeeu_reduction_loop
+
+ // Now Y < n (Y cannot be equal to n, since the inverse cannot be 0)
+ // out = -Y = n-Y
+ subs $y0, $n0, $y0
+ sbcs $y1, $n1, $y1
+ sbcs $y2, $n2, $y2
+ sbcs $y3, $n3, $y3
+
+ // Save Y in output (out (x0) was saved on the stack)
+ ldr x3, [sp,#96]
+ stp $y0, $y1, [x3]
+ stp $y2, $y3, [x3,#16]
+ // return 1 (success)
+ mov x0, #1
+ b .Lbeeu_finish
+
+.Lbeeu_err:
+ // return 0 (error)
+ eor x0, x0, x0
+
+.Lbeeu_finish:
+ // Restore callee-saved registers, except x0, x2
+ add sp,x29,#0
+ ldp x19,x20,[sp,#16]
+ ldp x21,x22,[sp,#32]
+ ldp x23,x24,[sp,#48]
+ ldp x25,x26,[sp,#64]
+ ldp x27,x28,[sp,#80]
+ ldp x29,x30,[sp],#112
+
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+.size beeu_mod_inverse_vartime,.-beeu_mod_inverse_vartime
+___
+
+
+foreach (split("\n",$code)) {
+ s/\`([^\`]*)\`/eval $1/ge;
+
+ print $_,"\n";
+}
+close STDOUT or die "error closing STDOUT: $!"; # enforce flush
diff --git a/src/crypto/fipsmodule/ec/ec.c b/src/crypto/fipsmodule/ec/ec.c
index 93fdcfc..c70fb11 100644
--- a/src/crypto/fipsmodule/ec/ec.c
+++ b/src/crypto/fipsmodule/ec/ec.c
@@ -246,7 +246,8 @@
out->curves[2].param_len = 32;
out->curves[2].params = kP256Params;
out->curves[2].method =
-#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && \
+#if !defined(OPENSSL_NO_ASM) && \
+ (defined(OPENSSL_X86_64) || defined(OPENSSL_AARCH64)) && \
!defined(OPENSSL_SMALL)
EC_GFp_nistz256_method();
#else
@@ -1174,15 +1175,12 @@
return 0;
}
- // For simplicity, in case of width mismatches between |group->field| and
- // |group->order|, zero any untouched words in |out|.
- OPENSSL_memset(out, 0, sizeof(EC_SCALAR));
- for (size_t i = 0; i < len; i++) {
- out->bytes[len - i - 1] = bytes[i];
- }
-
- // We must have p < 2×order, assuming p is not tiny (p >= 17). Thus rather we
- // can reduce by performing at most one subtraction.
+ // The x-coordinate is bounded by p, but we need a scalar, bounded by the
+ // order. These may not have the same size. However, we must have p < 2×order,
+ // assuming p is not tiny (p >= 17).
+ //
+ // Thus |bytes| will fit in |order.width + 1| words, and we can reduce by
+ // performing at most one subtraction.
//
// Proof: We only work with prime order curves, so the number of points on
// the curve is the order. Thus Hasse's theorem gives:
@@ -1196,14 +1194,11 @@
//
// Additionally, one can manually check this property for built-in curves. It
// is enforced for legacy custom curves in |EC_GROUP_set_generator|.
-
- // The above does not guarantee |group->field| is not one word larger than
- // |group->order|, so read one extra carry word.
- BN_ULONG tmp[EC_MAX_WORDS];
- BN_ULONG carry =
- group->order.width < EC_MAX_WORDS ? out->words[group->order.width] : 0;
- bn_reduce_once_in_place(out->words, carry, group->order.d, tmp,
- group->order.width);
+ const BIGNUM *order = &group->order;
+ BN_ULONG words[EC_MAX_WORDS + 1];
+ bn_big_endian_to_words(words, order->width + 1, bytes, len);
+ bn_reduce_once(out->words, words, /*carry=*/words[order->width], order->d,
+ order->width);
return 1;
}
diff --git a/src/crypto/fipsmodule/ec/ec_key.c b/src/crypto/fipsmodule/ec/ec_key.c
index 2d04d13..8b89dc2 100644
--- a/src/crypto/fipsmodule/ec/ec_key.c
+++ b/src/crypto/fipsmodule/ec/ec_key.c
@@ -329,14 +329,17 @@
}
int EC_KEY_check_fips(const EC_KEY *key) {
+ int ret = 0;
+ FIPS_service_indicator_lock_state();
+
if (EC_KEY_is_opaque(key)) {
// Opaque keys can't be checked.
OPENSSL_PUT_ERROR(EC, EC_R_PUBLIC_KEY_VALIDATION_FAILED);
- return 0;
+ goto end;
}
if (!EC_KEY_check_key(key)) {
- return 0;
+ goto end;
}
if (key->priv_key) {
@@ -350,11 +353,19 @@
ECDSA_SIG_free(sig);
if (!ok) {
OPENSSL_PUT_ERROR(EC, EC_R_PUBLIC_KEY_VALIDATION_FAILED);
- return 0;
+ goto end;
}
}
- return 1;
+ ret = 1;
+
+end:
+ FIPS_service_indicator_unlock_state();
+ if (ret) {
+ EC_KEY_keygen_verify_service_indicator(key);
+ }
+
+ return ret;
}
int EC_KEY_set_public_key_affine_coordinates(EC_KEY *key, const BIGNUM *x,
diff --git a/src/crypto/fipsmodule/ec/internal.h b/src/crypto/fipsmodule/ec/internal.h
index 488adb8..522c8d9 100644
--- a/src/crypto/fipsmodule/ec/internal.h
+++ b/src/crypto/fipsmodule/ec/internal.h
@@ -100,9 +100,7 @@
// An EC_SCALAR is an integer fully reduced modulo the order. Only the first
// |order->width| words are used. An |EC_SCALAR| is specific to an |EC_GROUP|
// and must not be mixed between groups.
-typedef union {
- // bytes is the representation of the scalar in little-endian order.
- uint8_t bytes[EC_MAX_BYTES];
+typedef struct {
BN_ULONG words[EC_MAX_WORDS];
} EC_SCALAR;
@@ -192,9 +190,7 @@
// are used. An |EC_FELEM| is specific to an |EC_GROUP| and must not be mixed
// between groups. Additionally, the representation (whether or not elements are
// represented in Montgomery-form) may vary between |EC_METHOD|s.
-typedef union {
- // bytes is the representation of the field element in little-endian order.
- uint8_t bytes[EC_MAX_BYTES];
+typedef struct {
BN_ULONG words[EC_MAX_WORDS];
} EC_FELEM;
diff --git a/src/crypto/fipsmodule/ec/make_p256-x86_64-tests.go b/src/crypto/fipsmodule/ec/make_p256-nistz-tests.go
similarity index 96%
rename from src/crypto/fipsmodule/ec/make_p256-x86_64-tests.go
rename to src/crypto/fipsmodule/ec/make_p256-nistz-tests.go
index 958a97a..36194e6 100644
--- a/src/crypto/fipsmodule/ec/make_p256-x86_64-tests.go
+++ b/src/crypto/fipsmodule/ec/make_p256-nistz-tests.go
@@ -69,7 +69,7 @@
func isAffineInfinity(x, y *big.Int) bool {
// Infinity, in affine coordinates, is represented as (0, 0) by
- // both Go and p256-x86_64-asm.pl.
+ // both Go, p256-x86_64-asm.pl and p256-armv8-asm.pl.
return x.Sign() == 0 && y.Sign() == 0
}
@@ -107,8 +107,8 @@
// arbitrary X and Y and include the special case. We also have
// not verified that add and double preserve this
// property. Thus, generate test vectors with unrelated X and Y,
- // to test that p256-x86_64-asm.pl correctly handles
- // unconstrained representations of infinity.
+ // to test that p256-x86_64-asm.pl and p256-armv8-asm.pl correctly
+ // handle unconstrained representations of infinity.
x = randNonZeroInt(p)
y = randNonZeroInt(p)
z = zero
diff --git a/src/crypto/fipsmodule/ec/make_tables.go b/src/crypto/fipsmodule/ec/make_tables.go
index 34e8c23..dbcaab0 100644
--- a/src/crypto/fipsmodule/ec/make_tables.go
+++ b/src/crypto/fipsmodule/ec/make_tables.go
@@ -23,8 +23,8 @@
)
func main() {
- if err := writeP256X86_64Table("p256-x86_64-table.h"); err != nil {
- fmt.Fprintf(os.Stderr, "Error writing p256-x86_64-table.h: %s\n", err)
+ if err := writeP256NistzTable("p256-nistz-table.h"); err != nil {
+ fmt.Fprintf(os.Stderr, "Error writing p256-nistz-table.h: %s\n", err)
os.Exit(1)
}
@@ -34,7 +34,7 @@
}
}
-func writeP256X86_64Table(path string) error {
+func writeP256NistzTable(path string) error {
curve := elliptic.P256()
tables := make([][][2]*big.Int, 0, 37)
for shift := 0; shift < 256; shift += 7 {
@@ -59,7 +59,7 @@
*/
// This is the precomputed constant time access table for the code in
-// p256-x86_64.c, for the default generator. The table consists of 37
+// p256-nistz.c, for the default generator. The table consists of 37
// subtables, each subtable contains 64 affine points. The affine points are
// encoded as eight uint64's, four for the x coordinate and four for the y.
// Both values are in little-endian order. There are 37 tables because a
diff --git a/src/crypto/fipsmodule/ec/p224-64.c b/src/crypto/fipsmodule/ec/p224-64.c
index da4308c..0f51970 100644
--- a/src/crypto/fipsmodule/ec/p224-64.c
+++ b/src/crypto/fipsmodule/ec/p224-64.c
@@ -52,11 +52,6 @@
typedef p224_limb p224_felem[4];
typedef p224_widelimb p224_widefelem[7];
-// Field element represented as a byte arrary. 28*8 = 224 bits is also the
-// group order size for the elliptic curve, and we also use this type for
-// scalars for point multiplication.
-typedef uint8_t p224_felem_bytearray[28];
-
// Precomputed multiples of the standard generator
// Points are given in coordinates (X, Y, Z) where Z normally is 1
// (0 for the point at infinity).
@@ -180,31 +175,16 @@
{0x32477c61b6e8c6, 0xb46a97570f018b, 0x91176d0a7e95d1, 0x3df90fbc4c7d0e},
{1, 0, 0, 0}}}};
-static uint64_t p224_load_u64(const uint8_t in[8]) {
- uint64_t ret;
- OPENSSL_memcpy(&ret, in, sizeof(ret));
- return ret;
-}
// Helper functions to convert field elements to/from internal representation
-static void p224_bin28_to_felem(p224_felem out, const uint8_t in[28]) {
- out[0] = p224_load_u64(in) & 0x00ffffffffffffff;
- out[1] = p224_load_u64(in + 7) & 0x00ffffffffffffff;
- out[2] = p224_load_u64(in + 14) & 0x00ffffffffffffff;
- out[3] = p224_load_u64(in + 20) >> 8;
-}
-
-static void p224_felem_to_bin28(uint8_t out[28], const p224_felem in) {
- for (size_t i = 0; i < 7; ++i) {
- out[i] = in[0] >> (8 * i);
- out[i + 7] = in[1] >> (8 * i);
- out[i + 14] = in[2] >> (8 * i);
- out[i + 21] = in[3] >> (8 * i);
- }
-}
static void p224_generic_to_felem(p224_felem out, const EC_FELEM *in) {
- p224_bin28_to_felem(out, in->bytes);
+ // |p224_felem|'s minimal representation uses four 56-bit words. |EC_FELEM|
+ // uses four 64-bit words. (The top-most word only has 32 bits.)
+ out[0] = in->words[0] & 0x00ffffffffffffff;
+ out[1] = ((in->words[0] >> 56) | (in->words[1] << 8)) & 0x00ffffffffffffff;
+ out[2] = ((in->words[1] >> 48) | (in->words[2] << 16)) & 0x00ffffffffffffff;
+ out[3] = ((in->words[2] >> 40) | (in->words[3] << 24)) & 0x00ffffffffffffff;
}
// Requires 0 <= in < 2*p (always call p224_felem_reduce first)
@@ -256,9 +236,12 @@
tmp2[2] = tmp[2];
tmp2[3] = tmp[3];
- p224_felem_to_bin28(out->bytes, tmp2);
- // 224 is not a multiple of 64, so zero the remaining bytes.
- OPENSSL_memset(out->bytes + 28, 0, 32 - 28);
+ // |p224_felem|'s minimal representation uses four 56-bit words. |EC_FELEM|
+ // uses four 64-bit words. (The top-most word only has 32 bits.)
+ out->words[0] = tmp2[0] | (tmp2[1] << 56);
+ out->words[1] = (tmp2[1] >> 8) | (tmp2[2] << 48);
+ out->words[2] = (tmp2[2] >> 16) | (tmp2[3] << 40);
+ out->words[3] = tmp2[3] >> 24;
}
@@ -865,12 +848,13 @@
}
}
-// p224_get_bit returns the |i|th bit in |in|
-static crypto_word_t p224_get_bit(const p224_felem_bytearray in, size_t i) {
+// p224_get_bit returns the |i|th bit in |in|.
+static crypto_word_t p224_get_bit(const EC_SCALAR *in, size_t i) {
if (i >= 224) {
return 0;
}
- return (in[i >> 3] >> (i & 7)) & 1;
+ static_assert(sizeof(in->words[0]) == 8, "BN_ULONG is not 64-bit");
+ return (in->words[i >> 6] >> (i & 63)) & 1;
}
// Takes the Jacobian coordinates (X, Y, Z) of a point and returns
@@ -977,12 +961,12 @@
// Add every 5 doublings.
if (i % 5 == 0) {
- crypto_word_t bits = p224_get_bit(scalar->bytes, i + 4) << 5;
- bits |= p224_get_bit(scalar->bytes, i + 3) << 4;
- bits |= p224_get_bit(scalar->bytes, i + 2) << 3;
- bits |= p224_get_bit(scalar->bytes, i + 1) << 2;
- bits |= p224_get_bit(scalar->bytes, i) << 1;
- bits |= p224_get_bit(scalar->bytes, i - 1);
+ crypto_word_t bits = p224_get_bit(scalar, i + 4) << 5;
+ bits |= p224_get_bit(scalar, i + 3) << 4;
+ bits |= p224_get_bit(scalar, i + 2) << 3;
+ bits |= p224_get_bit(scalar, i + 1) << 2;
+ bits |= p224_get_bit(scalar, i) << 1;
+ bits |= p224_get_bit(scalar, i - 1);
crypto_word_t sign, digit;
ec_GFp_nistp_recode_scalar_bits(&sign, &digit, bits);
@@ -1022,10 +1006,10 @@
}
// First, look 28 bits upwards.
- crypto_word_t bits = p224_get_bit(scalar->bytes, i + 196) << 3;
- bits |= p224_get_bit(scalar->bytes, i + 140) << 2;
- bits |= p224_get_bit(scalar->bytes, i + 84) << 1;
- bits |= p224_get_bit(scalar->bytes, i + 28);
+ crypto_word_t bits = p224_get_bit(scalar, i + 196) << 3;
+ bits |= p224_get_bit(scalar, i + 140) << 2;
+ bits |= p224_get_bit(scalar, i + 84) << 1;
+ bits |= p224_get_bit(scalar, i + 28);
// Select the point to add, in constant time.
p224_select_point(bits, 16, g_p224_pre_comp[1], tmp);
@@ -1038,10 +1022,10 @@
}
// Second, look at the current position/
- bits = p224_get_bit(scalar->bytes, i + 168) << 3;
- bits |= p224_get_bit(scalar->bytes, i + 112) << 2;
- bits |= p224_get_bit(scalar->bytes, i + 56) << 1;
- bits |= p224_get_bit(scalar->bytes, i);
+ bits = p224_get_bit(scalar, i + 168) << 3;
+ bits |= p224_get_bit(scalar, i + 112) << 2;
+ bits |= p224_get_bit(scalar, i + 56) << 1;
+ bits |= p224_get_bit(scalar, i);
// Select the point to add, in constant time.
p224_select_point(bits, 16, g_p224_pre_comp[0], tmp);
p224_point_add(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2], 1 /* mixed */,
@@ -1080,10 +1064,10 @@
// Add multiples of the generator.
if (i <= 27) {
// First, look 28 bits upwards.
- crypto_word_t bits = p224_get_bit(g_scalar->bytes, i + 196) << 3;
- bits |= p224_get_bit(g_scalar->bytes, i + 140) << 2;
- bits |= p224_get_bit(g_scalar->bytes, i + 84) << 1;
- bits |= p224_get_bit(g_scalar->bytes, i + 28);
+ crypto_word_t bits = p224_get_bit(g_scalar, i + 196) << 3;
+ bits |= p224_get_bit(g_scalar, i + 140) << 2;
+ bits |= p224_get_bit(g_scalar, i + 84) << 1;
+ bits |= p224_get_bit(g_scalar, i + 28);
size_t index = (size_t)bits;
p224_point_add(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2], 1 /* mixed */,
@@ -1092,10 +1076,10 @@
assert(!skip);
// Second, look at the current position.
- bits = p224_get_bit(g_scalar->bytes, i + 168) << 3;
- bits |= p224_get_bit(g_scalar->bytes, i + 112) << 2;
- bits |= p224_get_bit(g_scalar->bytes, i + 56) << 1;
- bits |= p224_get_bit(g_scalar->bytes, i);
+ bits = p224_get_bit(g_scalar, i + 168) << 3;
+ bits |= p224_get_bit(g_scalar, i + 112) << 2;
+ bits |= p224_get_bit(g_scalar, i + 56) << 1;
+ bits |= p224_get_bit(g_scalar, i);
index = (size_t)bits;
p224_point_add(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2], 1 /* mixed */,
g_p224_pre_comp[0][index][0], g_p224_pre_comp[0][index][1],
@@ -1104,12 +1088,12 @@
// Incorporate |p_scalar| every 5 doublings.
if (i % 5 == 0) {
- crypto_word_t bits = p224_get_bit(p_scalar->bytes, i + 4) << 5;
- bits |= p224_get_bit(p_scalar->bytes, i + 3) << 4;
- bits |= p224_get_bit(p_scalar->bytes, i + 2) << 3;
- bits |= p224_get_bit(p_scalar->bytes, i + 1) << 2;
- bits |= p224_get_bit(p_scalar->bytes, i) << 1;
- bits |= p224_get_bit(p_scalar->bytes, i - 1);
+ crypto_word_t bits = p224_get_bit(p_scalar, i + 4) << 5;
+ bits |= p224_get_bit(p_scalar, i + 3) << 4;
+ bits |= p224_get_bit(p_scalar, i + 2) << 3;
+ bits |= p224_get_bit(p_scalar, i + 1) << 2;
+ bits |= p224_get_bit(p_scalar, i) << 1;
+ bits |= p224_get_bit(p_scalar, i - 1);
crypto_word_t sign, digit;
ec_GFp_nistp_recode_scalar_bits(&sign, &digit, bits);
diff --git a/src/crypto/fipsmodule/ec/p256-x86_64-table.h b/src/crypto/fipsmodule/ec/p256-nistz-table.h
similarity index 99%
rename from src/crypto/fipsmodule/ec/p256-x86_64-table.h
rename to src/crypto/fipsmodule/ec/p256-nistz-table.h
index 3af0b01..b81480b 100644
--- a/src/crypto/fipsmodule/ec/p256-x86_64-table.h
+++ b/src/crypto/fipsmodule/ec/p256-nistz-table.h
@@ -9,7 +9,7 @@
*/
// This is the precomputed constant time access table for the code in
-// p256-x86_64.c, for the default generator. The table consists of 37
+// p256-nistz.c, for the default generator. The table consists of 37
// subtables, each subtable contains 64 affine points. The affine points are
// encoded as eight uint64's, four for the x coordinate and four for the y.
// Both values are in little-endian order. There are 37 tables because a
diff --git a/src/crypto/fipsmodule/ec/p256-x86_64.c b/src/crypto/fipsmodule/ec/p256-nistz.c
similarity index 97%
rename from src/crypto/fipsmodule/ec/p256-x86_64.c
rename to src/crypto/fipsmodule/ec/p256-nistz.c
index 506b7d2..1d56dcf 100644
--- a/src/crypto/fipsmodule/ec/p256-x86_64.c
+++ b/src/crypto/fipsmodule/ec/p256-nistz.c
@@ -30,10 +30,10 @@
#include "../delocate.h"
#include "../../internal.h"
#include "internal.h"
-#include "p256-x86_64.h"
+#include "p256-nistz.h"
-
-#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && \
+#if !defined(OPENSSL_NO_ASM) && \
+ (defined(OPENSSL_X86_64) || defined(OPENSSL_AARCH64)) && \
!defined(OPENSSL_SMALL)
typedef P256_POINT_AFFINE PRECOMP256_ROW[64];
@@ -45,7 +45,7 @@
};
// Precomputed tables for the default generator
-#include "p256-x86_64-table.h"
+#include "p256-nistz-table.h"
// Recode window to a signed digit, see |ec_GFp_nistp_recode_scalar_bits| in
// util.c for details
@@ -201,7 +201,7 @@
// ~1599 ((96 * 16) + 63) bytes of stack space.
alignas(64) P256_POINT table[16];
uint8_t p_str[33];
- OPENSSL_memcpy(p_str, p_scalar->bytes, 32);
+ OPENSSL_memcpy(p_str, p_scalar->words, 32);
p_str[32] = 0;
// table[0] is implicitly (0,0,0) (the point at infinity), therefore it is
@@ -321,7 +321,7 @@
alignas(32) p256_point_union_t t, p;
uint8_t p_str[33];
- OPENSSL_memcpy(p_str, scalar->bytes, 32);
+ OPENSSL_memcpy(p_str, scalar->words, 32);
p_str[32] = 0;
// First window
@@ -366,7 +366,7 @@
alignas(32) p256_point_union_t t, p;
uint8_t p_str[33];
- OPENSSL_memcpy(p_str, g_scalar->bytes, 32);
+ OPENSSL_memcpy(p_str, g_scalar->words, 32);
p_str[32] = 0;
// First window
@@ -554,10 +554,12 @@
static int ecp_nistz256_scalar_to_montgomery_inv_vartime(const EC_GROUP *group,
EC_SCALAR *out,
const EC_SCALAR *in) {
+#if defined(OPENSSL_X86_64)
if (!CRYPTO_is_AVX_capable()) {
// No AVX support; fallback to generic code.
return ec_simple_scalar_to_montgomery_inv_vartime(group, out, in);
}
+#endif
assert(group->order.width == P256_LIMBS);
if (!beeu_mod_inverse_vartime(out->words, in->words, group->order.d)) {
@@ -628,5 +630,6 @@
out->cmp_x_coordinate = ecp_nistz256_cmp_x_coordinate;
}
-#endif /* !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && \
+#endif /* !defined(OPENSSL_NO_ASM) && \
+ (defined(OPENSSL_X86_64) || defined(OPENSSL_AARCH64)) && \
!defined(OPENSSL_SMALL) */
diff --git a/src/crypto/fipsmodule/ec/p256-x86_64.h b/src/crypto/fipsmodule/ec/p256-nistz.h
similarity index 95%
rename from src/crypto/fipsmodule/ec/p256-x86_64.h
rename to src/crypto/fipsmodule/ec/p256-nistz.h
index 5deb81a..0d0a6be 100644
--- a/src/crypto/fipsmodule/ec/p256-x86_64.h
+++ b/src/crypto/fipsmodule/ec/p256-nistz.h
@@ -30,7 +30,8 @@
#endif
-#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && \
+#if !defined(OPENSSL_NO_ASM) && \
+ (defined(OPENSSL_X86_64) || defined(OPENSSL_AARCH64)) && \
!defined(OPENSSL_SMALL)
// P-256 field operations.
@@ -142,8 +143,9 @@
void ecp_nistz256_point_add_affine(P256_POINT *r, const P256_POINT *a,
const P256_POINT_AFFINE *b);
-#endif /* !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && \
- !defined(OPENSSL_SMALL) */
+#endif /* !defined(OPENSSL_NO_ASM) && \
+ (defined(OPENSSL_X86_64) || defined(OPENSSL_AARCH64)) && \
+ !defined(OPENSSL_SMALL) */
#if defined(__cplusplus)
diff --git a/src/crypto/fipsmodule/ec/p256-x86_64_test.cc b/src/crypto/fipsmodule/ec/p256-nistz_test.cc
similarity index 97%
rename from src/crypto/fipsmodule/ec/p256-x86_64_test.cc
rename to src/crypto/fipsmodule/ec/p256-nistz_test.cc
index f6f070a..6aa51e8 100644
--- a/src/crypto/fipsmodule/ec/p256-x86_64_test.cc
+++ b/src/crypto/fipsmodule/ec/p256-nistz_test.cc
@@ -30,15 +30,16 @@
#include "../../test/abi_test.h"
#include "../../test/file_test.h"
#include "../../test/test_util.h"
-#include "p256-x86_64.h"
+#include "p256-nistz.h"
// Disable tests if BORINGSSL_SHARED_LIBRARY is defined. These tests need access
// to internal functions.
-#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && \
+#if !defined(OPENSSL_NO_ASM) && \
+ (defined(OPENSSL_X86_64) || defined(OPENSSL_AARCH64)) && \
!defined(OPENSSL_SMALL) && !defined(BORINGSSL_SHARED_LIBRARY)
-TEST(P256_X86_64Test, SelectW5) {
+TEST(P256_NistzTest, SelectW5) {
// Fill a table with some garbage input.
alignas(64) P256_POINT table[16];
for (size_t i = 0; i < 16; i++) {
@@ -68,7 +69,7 @@
CHECK_ABI(ecp_nistz256_select_w5, &val, table, 7);
}
-TEST(P256_X86_64Test, SelectW7) {
+TEST(P256_NistzTest, SelectW7) {
// Fill a table with some garbage input.
alignas(64) P256_POINT_AFFINE table[64];
for (size_t i = 0; i < 64; i++) {
@@ -97,11 +98,13 @@
CHECK_ABI(ecp_nistz256_select_w7, &val, table, 42);
}
-TEST(P256_X86_64Test, BEEU) {
+TEST(P256_NistzTest, BEEU) {
+#if defined(OPENSSL_X86_64)
if (!CRYPTO_is_AVX_capable()) {
// No AVX support; cannot run the BEEU code.
return;
}
+#endif
bssl::UniquePtr<EC_GROUP> group(
EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1));
@@ -146,8 +149,8 @@
EXPECT_TRUE(bn_less_than_words(out, order_words, P256_LIMBS));
// Calculate out*in and confirm that it equals one, modulo the order.
- OPENSSL_memcpy(in_scalar.bytes, in, sizeof(in));
- OPENSSL_memcpy(out_scalar.bytes, out, sizeof(out));
+ OPENSSL_memcpy(in_scalar.words, in, sizeof(in));
+ OPENSSL_memcpy(out_scalar.words, out, sizeof(out));
ec_scalar_to_montgomery(group.get(), &in_scalar, &in_scalar);
ec_scalar_to_montgomery(group.get(), &out_scalar, &out_scalar);
ec_scalar_mul_montgomery(group.get(), &result, &in_scalar, &out_scalar);
@@ -483,8 +486,8 @@
}
}
-TEST(P256_X86_64Test, TestVectors) {
- return FileTestGTest("crypto/fipsmodule/ec/p256-x86_64_tests.txt",
+TEST(P256_NistzTest, TestVectors) {
+ return FileTestGTest("crypto/fipsmodule/ec/p256-nistz_tests.txt",
[](FileTest *t) {
if (t->GetParameter() == "Negate") {
TestNegate(t);
@@ -503,7 +506,7 @@
}
// Instrument the functions covered in TestVectors for ABI checking.
-TEST(P256_X86_64Test, ABI) {
+TEST(P256_NistzTest, ABI) {
BN_ULONG a[P256_LIMBS], b[P256_LIMBS], c[P256_LIMBS];
OPENSSL_memset(a, 0x01, sizeof(a));
// These functions are all constant-time, so it is only necessary to
diff --git a/src/crypto/fipsmodule/ec/p256-x86_64_tests.txt b/src/crypto/fipsmodule/ec/p256-nistz_tests.txt
similarity index 100%
rename from src/crypto/fipsmodule/ec/p256-x86_64_tests.txt
rename to src/crypto/fipsmodule/ec/p256-nistz_tests.txt
diff --git a/src/crypto/fipsmodule/ec/p256.c b/src/crypto/fipsmodule/ec/p256.c
index 0d0e766..b3ee9d4 100644
--- a/src/crypto/fipsmodule/ec/p256.c
+++ b/src/crypto/fipsmodule/ec/p256.c
@@ -81,17 +81,22 @@
fiat_p256_selectznz(out, !!t, z, nz);
}
+static void fiat_p256_from_words(fiat_p256_felem out,
+ const BN_ULONG in[32 / sizeof(BN_ULONG)]) {
+ // Typically, |BN_ULONG| and |fiat_p256_limb_t| will be the same type, but on
+ // 64-bit platforms without |uint128_t|, they are different. However, on
+ // little-endian systems, |uint64_t[4]| and |uint32_t[8]| have the same
+ // layout.
+ OPENSSL_memcpy(out, in, 32);
+}
+
static void fiat_p256_from_generic(fiat_p256_felem out, const EC_FELEM *in) {
- fiat_p256_from_bytes(out, in->bytes);
+ fiat_p256_from_words(out, in->words);
}
static void fiat_p256_to_generic(EC_FELEM *out, const fiat_p256_felem in) {
- // This works because 256 is a multiple of 64, so there are no excess bytes to
- // zero when rounding up to |BN_ULONG|s.
- OPENSSL_STATIC_ASSERT(
- 256 / 8 == sizeof(BN_ULONG) * ((256 + BN_BITS2 - 1) / BN_BITS2),
- "fiat_p256_to_bytes leaves bytes uninitialized");
- fiat_p256_to_bytes(out->bytes, in);
+ // See |fiat_p256_from_words|.
+ OPENSSL_memcpy(out->words, in, 32);
}
// fiat_p256_inv_square calculates |out| = |in|^{-2}
@@ -394,12 +399,18 @@
}
}
-// fiat_p256_get_bit returns the |i|th bit in |in|
-static crypto_word_t fiat_p256_get_bit(const uint8_t *in, int i) {
+// fiat_p256_get_bit returns the |i|th bit in |in|.
+static crypto_word_t fiat_p256_get_bit(const EC_SCALAR *in, int i) {
if (i < 0 || i >= 256) {
return 0;
}
- return (in[i >> 3] >> (i & 7)) & 1;
+#if defined(OPENSSL_64_BIT)
+ static_assert(sizeof(BN_ULONG) == 8, "BN_ULONG was not 64-bit");
+ return (in->words[i >> 6] >> (i & 63)) & 1;
+#else
+ static_assert(sizeof(BN_ULONG) == 4, "BN_ULONG was not 32-bit");
+ return (in->words[i >> 5] >> (i & 31)) & 1;
+#endif
}
// OPENSSL EC_METHOD FUNCTIONS
@@ -500,12 +511,12 @@
// do other additions every 5 doublings
if (i % 5 == 0) {
- crypto_word_t bits = fiat_p256_get_bit(scalar->bytes, i + 4) << 5;
- bits |= fiat_p256_get_bit(scalar->bytes, i + 3) << 4;
- bits |= fiat_p256_get_bit(scalar->bytes, i + 2) << 3;
- bits |= fiat_p256_get_bit(scalar->bytes, i + 1) << 2;
- bits |= fiat_p256_get_bit(scalar->bytes, i) << 1;
- bits |= fiat_p256_get_bit(scalar->bytes, i - 1);
+ crypto_word_t bits = fiat_p256_get_bit(scalar, i + 4) << 5;
+ bits |= fiat_p256_get_bit(scalar, i + 3) << 4;
+ bits |= fiat_p256_get_bit(scalar, i + 2) << 3;
+ bits |= fiat_p256_get_bit(scalar, i + 1) << 2;
+ bits |= fiat_p256_get_bit(scalar, i) << 1;
+ bits |= fiat_p256_get_bit(scalar, i - 1);
crypto_word_t sign, digit;
ec_GFp_nistp_recode_scalar_bits(&sign, &digit, bits);
@@ -545,10 +556,10 @@
}
// First, look 32 bits upwards.
- crypto_word_t bits = fiat_p256_get_bit(scalar->bytes, i + 224) << 3;
- bits |= fiat_p256_get_bit(scalar->bytes, i + 160) << 2;
- bits |= fiat_p256_get_bit(scalar->bytes, i + 96) << 1;
- bits |= fiat_p256_get_bit(scalar->bytes, i + 32);
+ crypto_word_t bits = fiat_p256_get_bit(scalar, i + 224) << 3;
+ bits |= fiat_p256_get_bit(scalar, i + 160) << 2;
+ bits |= fiat_p256_get_bit(scalar, i + 96) << 1;
+ bits |= fiat_p256_get_bit(scalar, i + 32);
// Select the point to add, in constant time.
fiat_p256_select_point_affine((fiat_p256_limb_t)bits, 15,
fiat_p256_g_pre_comp[1], tmp);
@@ -564,10 +575,10 @@
}
// Second, look at the current position.
- bits = fiat_p256_get_bit(scalar->bytes, i + 192) << 3;
- bits |= fiat_p256_get_bit(scalar->bytes, i + 128) << 2;
- bits |= fiat_p256_get_bit(scalar->bytes, i + 64) << 1;
- bits |= fiat_p256_get_bit(scalar->bytes, i);
+ bits = fiat_p256_get_bit(scalar, i + 192) << 3;
+ bits |= fiat_p256_get_bit(scalar, i + 128) << 2;
+ bits |= fiat_p256_get_bit(scalar, i + 64) << 1;
+ bits |= fiat_p256_get_bit(scalar, i);
// Select the point to add, in constant time.
fiat_p256_select_point_affine((fiat_p256_limb_t)bits, 15,
fiat_p256_g_pre_comp[0], tmp);
@@ -617,10 +628,10 @@
// constant-time lookup.
if (i <= 31) {
// First, look 32 bits upwards.
- crypto_word_t bits = fiat_p256_get_bit(g_scalar->bytes, i + 224) << 3;
- bits |= fiat_p256_get_bit(g_scalar->bytes, i + 160) << 2;
- bits |= fiat_p256_get_bit(g_scalar->bytes, i + 96) << 1;
- bits |= fiat_p256_get_bit(g_scalar->bytes, i + 32);
+ crypto_word_t bits = fiat_p256_get_bit(g_scalar, i + 224) << 3;
+ bits |= fiat_p256_get_bit(g_scalar, i + 160) << 2;
+ bits |= fiat_p256_get_bit(g_scalar, i + 96) << 1;
+ bits |= fiat_p256_get_bit(g_scalar, i + 32);
if (bits != 0) {
size_t index = (size_t)(bits - 1);
fiat_p256_point_add(ret[0], ret[1], ret[2], ret[0], ret[1], ret[2],
@@ -631,10 +642,10 @@
}
// Second, look at the current position.
- bits = fiat_p256_get_bit(g_scalar->bytes, i + 192) << 3;
- bits |= fiat_p256_get_bit(g_scalar->bytes, i + 128) << 2;
- bits |= fiat_p256_get_bit(g_scalar->bytes, i + 64) << 1;
- bits |= fiat_p256_get_bit(g_scalar->bytes, i);
+ bits = fiat_p256_get_bit(g_scalar, i + 192) << 3;
+ bits |= fiat_p256_get_bit(g_scalar, i + 128) << 2;
+ bits |= fiat_p256_get_bit(g_scalar, i + 64) << 1;
+ bits |= fiat_p256_get_bit(g_scalar, i);
if (bits != 0) {
size_t index = (size_t)(bits - 1);
fiat_p256_point_add(ret[0], ret[1], ret[2], ret[0], ret[1], ret[2],
@@ -687,7 +698,7 @@
fiat_p256_mul(Z2_mont, Z2_mont, Z2_mont);
fiat_p256_felem r_Z2;
- fiat_p256_from_bytes(r_Z2, r->bytes); // r < order < p, so this is valid.
+ fiat_p256_from_words(r_Z2, r->words); // r < order < p, so this is valid.
fiat_p256_mul(r_Z2, r_Z2, Z2_mont);
fiat_p256_felem X;
diff --git a/src/crypto/fipsmodule/ec/scalar.c b/src/crypto/fipsmodule/ec/scalar.c
index e4ae9d7..036049e 100644
--- a/src/crypto/fipsmodule/ec/scalar.c
+++ b/src/crypto/fipsmodule/ec/scalar.c
@@ -54,9 +54,7 @@
void ec_scalar_to_bytes(const EC_GROUP *group, uint8_t *out, size_t *out_len,
const EC_SCALAR *in) {
size_t len = BN_num_bytes(&group->order);
- for (size_t i = 0; i < len; i++) {
- out[len - i - 1] = in->bytes[i];
- }
+ bn_words_to_big_endian(out, len, in->words, group->order.width);
*out_len = len;
}
@@ -67,11 +65,7 @@
return 0;
}
- OPENSSL_memset(out, 0, sizeof(EC_SCALAR));
-
- for (size_t i = 0; i < len; i++) {
- out->bytes[i] = in[len - i - 1];
- }
+ bn_big_endian_to_words(out->words, group->order.width, in, len);
if (!bn_less_than_words(out->words, group->order.d, group->order.width)) {
OPENSSL_PUT_ERROR(EC, EC_R_INVALID_SCALAR);
diff --git a/src/crypto/fipsmodule/ec/simple.c b/src/crypto/fipsmodule/ec/simple.c
index b6d9312..58d8121 100644
--- a/src/crypto/fipsmodule/ec/simple.c
+++ b/src/crypto/fipsmodule/ec/simple.c
@@ -330,9 +330,7 @@
void ec_GFp_simple_felem_to_bytes(const EC_GROUP *group, uint8_t *out,
size_t *out_len, const EC_FELEM *in) {
size_t len = BN_num_bytes(&group->field);
- for (size_t i = 0; i < len; i++) {
- out[i] = in->bytes[len - 1 - i];
- }
+ bn_words_to_big_endian(out, len, in->words, group->field.width);
*out_len = len;
}
@@ -343,10 +341,7 @@
return 0;
}
- OPENSSL_memset(out, 0, sizeof(EC_FELEM));
- for (size_t i = 0; i < len; i++) {
- out->bytes[i] = in[len - 1 - i];
- }
+ bn_big_endian_to_words(out->words, group->field.width, in, len);
if (!bn_less_than_words(out->words, group->field.d, group->field.width)) {
OPENSSL_PUT_ERROR(EC, EC_R_DECODE_ERROR);
diff --git a/src/crypto/fipsmodule/ecdh/ecdh.c b/src/crypto/fipsmodule/ecdh/ecdh.c
index 36fbadc..25d0702 100644
--- a/src/crypto/fipsmodule/ecdh/ecdh.c
+++ b/src/crypto/fipsmodule/ecdh/ecdh.c
@@ -74,8 +74,9 @@
#include <openssl/mem.h>
#include <openssl/sha.h>
-#include "../ec/internal.h"
#include "../../internal.h"
+#include "../ec/internal.h"
+#include "../service_indicator/internal.h"
int ECDH_compute_key_fips(uint8_t *out, size_t out_len, const EC_POINT *pub_key,
@@ -103,6 +104,7 @@
return 0;
}
+ FIPS_service_indicator_lock_state();
switch (out_len) {
case SHA224_DIGEST_LENGTH:
SHA224(buf, buflen, out);
@@ -118,8 +120,11 @@
break;
default:
OPENSSL_PUT_ERROR(ECDH, ECDH_R_UNKNOWN_DIGEST_LENGTH);
+ FIPS_service_indicator_unlock_state();
return 0;
}
+ FIPS_service_indicator_unlock_state();
+ ECDH_verify_service_indicator(priv_key);
return 1;
}
diff --git a/src/crypto/fipsmodule/ecdsa/ecdsa.c b/src/crypto/fipsmodule/ecdsa/ecdsa.c
index db0c6e5..ef77e42 100644
--- a/src/crypto/fipsmodule/ecdsa/ecdsa.c
+++ b/src/crypto/fipsmodule/ecdsa/ecdsa.c
@@ -78,10 +78,7 @@
if (digest_len > num_bytes) {
digest_len = num_bytes;
}
- OPENSSL_memset(out, 0, sizeof(EC_SCALAR));
- for (size_t i = 0; i < digest_len; i++) {
- out->bytes[i] = digest[digest_len - 1 - i];
- }
+ bn_big_endian_to_words(out->words, order->width, digest, digest_len);
// If it is still too long, truncate remaining bits with a shift.
if (8 * digest_len > num_bits) {
@@ -326,6 +323,9 @@
// into the RBG. This is a hardening measure against entropy failure.
OPENSSL_STATIC_ASSERT(SHA512_DIGEST_LENGTH >= 32,
"additional_data is too large for SHA-512");
+
+ FIPS_service_indicator_lock_state();
+
SHA512_CTX sha;
uint8_t additional_data[SHA512_DIGEST_LENGTH];
SHA512_Init(&sha);
@@ -333,17 +333,22 @@
SHA512_Update(&sha, digest, digest_len);
SHA512_Final(additional_data, &sha);
+ ECDSA_SIG *ret = NULL;
for (;;) {
EC_SCALAR k;
if (!ec_random_nonzero_scalar(group, &k, additional_data)) {
- return NULL;
+ ret = NULL;
+ goto out;
}
int retry;
- ECDSA_SIG *sig =
- ecdsa_sign_impl(group, &retry, priv_key, &k, digest, digest_len);
- if (sig != NULL || !retry) {
- return sig;
+ ret = ecdsa_sign_impl(group, &retry, priv_key, &k, digest, digest_len);
+ if (ret != NULL || !retry) {
+ goto out;
}
}
+
+out:
+ FIPS_service_indicator_unlock_state();
+ return ret;
}
diff --git a/src/crypto/fipsmodule/hmac/hmac.c b/src/crypto/fipsmodule/hmac/hmac.c
index d37cec8..454d0c0 100644
--- a/src/crypto/fipsmodule/hmac/hmac.c
+++ b/src/crypto/fipsmodule/hmac/hmac.c
@@ -70,13 +70,22 @@
unsigned int *out_len) {
HMAC_CTX ctx;
HMAC_CTX_init(&ctx);
- if (!HMAC_Init_ex(&ctx, key, key_len, evp_md, NULL) ||
- !HMAC_Update(&ctx, data, data_len) ||
- !HMAC_Final(&ctx, out, out_len)) {
- out = NULL;
- }
+
+ // The underlying hash functions should not set the FIPS service indicator
+ // until all operations have completed.
+ FIPS_service_indicator_lock_state();
+ const int ok = HMAC_Init_ex(&ctx, key, key_len, evp_md, NULL) &&
+ HMAC_Update(&ctx, data, data_len) &&
+ HMAC_Final(&ctx, out, out_len);
+ FIPS_service_indicator_unlock_state();
HMAC_CTX_cleanup(&ctx);
+
+ if (!ok) {
+ return NULL;
+ }
+
+ HMAC_verify_service_indicator(evp_md);
return out;
}
@@ -120,6 +129,9 @@
int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, size_t key_len,
const EVP_MD *md, ENGINE *impl) {
+ int ret = 0;
+ FIPS_service_indicator_lock_state();
+
if (md == NULL) {
md = ctx->md;
}
@@ -143,7 +155,7 @@
if (!EVP_DigestInit_ex(&ctx->md_ctx, md, impl) ||
!EVP_DigestUpdate(&ctx->md_ctx, key, key_len) ||
!EVP_DigestFinal_ex(&ctx->md_ctx, key_block, &key_block_len)) {
- return 0;
+ goto out;
}
} else {
assert(key_len <= sizeof(key_block));
@@ -160,7 +172,7 @@
}
if (!EVP_DigestInit_ex(&ctx->i_ctx, md, impl) ||
!EVP_DigestUpdate(&ctx->i_ctx, pad, EVP_MD_block_size(md))) {
- return 0;
+ goto out;
}
for (size_t i = 0; i < EVP_MAX_MD_BLOCK_SIZE; i++) {
@@ -168,17 +180,17 @@
}
if (!EVP_DigestInit_ex(&ctx->o_ctx, md, impl) ||
!EVP_DigestUpdate(&ctx->o_ctx, pad, EVP_MD_block_size(md))) {
- return 0;
+ goto out;
}
ctx->md = md;
}
- if (!EVP_MD_CTX_copy_ex(&ctx->md_ctx, &ctx->i_ctx)) {
- return 0;
- }
+ ret = EVP_MD_CTX_copy_ex(&ctx->md_ctx, &ctx->i_ctx);
- return 1;
+out:
+ FIPS_service_indicator_unlock_state();
+ return ret;
}
int HMAC_Update(HMAC_CTX *ctx, const uint8_t *data, size_t data_len) {
@@ -186,9 +198,11 @@
}
int HMAC_Final(HMAC_CTX *ctx, uint8_t *out, unsigned int *out_len) {
+ int ret = 0;
unsigned int i;
uint8_t buf[EVP_MAX_MD_SIZE];
+ FIPS_service_indicator_lock_state();
// TODO(davidben): The only thing that can officially fail here is
// |EVP_MD_CTX_copy_ex|, but even that should be impossible in this case.
if (!EVP_DigestFinal_ex(&ctx->md_ctx, buf, &i) ||
@@ -196,10 +210,17 @@
!EVP_DigestUpdate(&ctx->md_ctx, buf, i) ||
!EVP_DigestFinal_ex(&ctx->md_ctx, out, out_len)) {
*out_len = 0;
- return 0;
+ goto out;
}
- return 1;
+ ret = 1;
+
+ out:
+ FIPS_service_indicator_unlock_state();
+ if (ret) {
+ HMAC_verify_service_indicator(ctx->md);
+ }
+ return ret;
}
size_t HMAC_size(const HMAC_CTX *ctx) {
diff --git a/src/crypto/fipsmodule/rand/ctrdrbg.c b/src/crypto/fipsmodule/rand/ctrdrbg.c
index b2fda1d..83e7f5b 100644
--- a/src/crypto/fipsmodule/rand/ctrdrbg.c
+++ b/src/crypto/fipsmodule/rand/ctrdrbg.c
@@ -19,6 +19,7 @@
#include "internal.h"
#include "../cipher/internal.h"
+#include "../service_indicator/internal.h"
// Section references in this file refer to SP 800-90Ar1:
@@ -194,6 +195,7 @@
}
drbg->reseed_counter++;
+ FIPS_service_indicator_update_state();
return 1;
}
diff --git a/src/crypto/fipsmodule/rand/urandom.c b/src/crypto/fipsmodule/rand/urandom.c
index fa0a333..508d441 100644
--- a/src/crypto/fipsmodule/rand/urandom.c
+++ b/src/crypto/fipsmodule/rand/urandom.c
@@ -135,7 +135,7 @@
}
value[length] = 0;
- if (strcasecmp(value, "true") == 0) {
+ if (OPENSSL_strcasecmp(value, "true") == 0) {
*extra_getrandom_flags_for_seed_bss_get() = GRND_RANDOM;
}
#endif
diff --git a/src/crypto/fipsmodule/rsa/padding.c b/src/crypto/fipsmodule/rsa/padding.c
index 28f1b45..605647a 100644
--- a/src/crypto/fipsmodule/rsa/padding.c
+++ b/src/crypto/fipsmodule/rsa/padding.c
@@ -67,6 +67,7 @@
#include <openssl/sha.h>
#include "internal.h"
+#include "../service_indicator/internal.h"
#include "../../internal.h"
@@ -145,20 +146,17 @@
return 1;
}
-static int rand_nonzero(uint8_t *out, size_t len) {
- if (!RAND_bytes(out, len)) {
- return 0;
- }
+static void rand_nonzero(uint8_t *out, size_t len) {
+ FIPS_service_indicator_lock_state();
+ RAND_bytes(out, len);
for (size_t i = 0; i < len; i++) {
while (out[i] == 0) {
- if (!RAND_bytes(out + i, 1)) {
- return 0;
- }
+ RAND_bytes(out + i, 1);
}
}
- return 1;
+ FIPS_service_indicator_unlock_state();
}
int RSA_padding_add_PKCS1_type_2(uint8_t *to, size_t to_len,
@@ -178,10 +176,7 @@
to[1] = 2;
size_t padding_len = to_len - 3 - from_len;
- if (!rand_nonzero(to + 2, padding_len)) {
- return 0;
- }
-
+ rand_nonzero(to + 2, padding_len);
to[2 + padding_len] = 0;
OPENSSL_memcpy(to + to_len - from_len, from, from_len);
return 1;
@@ -275,6 +270,7 @@
int ret = 0;
EVP_MD_CTX ctx;
EVP_MD_CTX_init(&ctx);
+ FIPS_service_indicator_lock_state();
size_t md_len = EVP_MD_size(md);
@@ -310,6 +306,7 @@
err:
EVP_MD_CTX_cleanup(&ctx);
+ FIPS_service_indicator_unlock_state();
return ret;
}
@@ -346,23 +343,25 @@
uint8_t *seed = to + 1;
uint8_t *db = to + mdlen + 1;
+ uint8_t *dbmask = NULL;
+ int ret = 0;
+ FIPS_service_indicator_lock_state();
if (!EVP_Digest(param, param_len, db, NULL, md, NULL)) {
- return 0;
+ goto out;
}
OPENSSL_memset(db + mdlen, 0, emlen - from_len - 2 * mdlen - 1);
db[emlen - from_len - mdlen - 1] = 0x01;
OPENSSL_memcpy(db + emlen - from_len - mdlen, from, from_len);
if (!RAND_bytes(seed, mdlen)) {
- return 0;
+ goto out;
}
- uint8_t *dbmask = OPENSSL_malloc(emlen - mdlen);
+ dbmask = OPENSSL_malloc(emlen - mdlen);
if (dbmask == NULL) {
OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
- return 0;
+ goto out;
}
- int ret = 0;
if (!PKCS1_MGF1(dbmask, emlen - mdlen, seed, mdlen, mgf1md)) {
goto out;
}
@@ -381,6 +380,7 @@
out:
OPENSSL_free(dbmask);
+ FIPS_service_indicator_unlock_state();
return ret;
}
@@ -410,6 +410,7 @@
}
size_t dblen = from_len - mdlen - 1;
+ FIPS_service_indicator_lock_state();
db = OPENSSL_malloc(dblen);
if (db == NULL) {
OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
@@ -470,6 +471,7 @@
OPENSSL_memcpy(out, db + one_index, mlen);
*out_len = mlen;
OPENSSL_free(db);
+ FIPS_service_indicator_unlock_state();
return 1;
decoding_err:
@@ -478,6 +480,7 @@
OPENSSL_PUT_ERROR(RSA, RSA_R_OAEP_DECODING_ERROR);
err:
OPENSSL_free(db);
+ FIPS_service_indicator_unlock_state();
return 0;
}
@@ -501,6 +504,7 @@
}
hLen = EVP_MD_size(Hash);
+ FIPS_service_indicator_lock_state();
// Negative sLen has special meanings:
// -1 sLen == hLen
@@ -578,6 +582,7 @@
err:
OPENSSL_free(DB);
EVP_MD_CTX_cleanup(&ctx);
+ FIPS_service_indicator_unlock_state();
return ret;
}
@@ -595,6 +600,7 @@
mgf1Hash = Hash;
}
+ FIPS_service_indicator_lock_state();
hLen = EVP_MD_size(Hash);
if (BN_is_zero(rsa->n)) {
@@ -690,6 +696,7 @@
err:
OPENSSL_free(salt);
+ FIPS_service_indicator_unlock_state();
return ret;
}
diff --git a/src/crypto/fipsmodule/rsa/rsa_impl.c b/src/crypto/fipsmodule/rsa/rsa_impl.c
index 1046f35..0958961 100644
--- a/src/crypto/fipsmodule/rsa/rsa_impl.c
+++ b/src/crypto/fipsmodule/rsa/rsa_impl.c
@@ -66,11 +66,12 @@
#include <openssl/thread.h>
#include <openssl/type_check.h>
-#include "internal.h"
-#include "../bn/internal.h"
#include "../../internal.h"
+#include "../bn/internal.h"
#include "../delocate.h"
#include "../rand/fork_detect.h"
+#include "../service_indicator/internal.h"
+#include "internal.h"
int rsa_check_public_key(const RSA *rsa) {
@@ -1419,6 +1420,10 @@
BN_set_word(e, RSA_F4) &&
RSA_generate_key_ex_maybe_fips(rsa, bits, e, cb, /*check_fips=*/1);
BN_free(e);
+
+ if (ret) {
+ FIPS_service_indicator_update_state();
+ }
return ret;
}
diff --git a/src/crypto/fipsmodule/self_check/fips.c b/src/crypto/fipsmodule/self_check/fips.c
index 11c9309..2d75828 100644
--- a/src/crypto/fipsmodule/self_check/fips.c
+++ b/src/crypto/fipsmodule/self_check/fips.c
@@ -28,8 +28,10 @@
int FIPS_mode_set(int on) { return on == FIPS_mode(); }
+const char *FIPS_module_name(void) { return "BoringCrypto"; }
+
uint32_t FIPS_version(void) {
- return 0;
+ return 2022061300;
}
int FIPS_query_algorithm_status(const char *algorithm) {
diff --git a/src/crypto/fipsmodule/self_check/self_check.c b/src/crypto/fipsmodule/self_check/self_check.c
index b248789..fe9c914 100644
--- a/src/crypto/fipsmodule/self_check/self_check.c
+++ b/src/crypto/fipsmodule/self_check/self_check.c
@@ -36,6 +36,7 @@
#include "../ecdsa/internal.h"
#include "../rand/internal.h"
#include "../rsa/internal.h"
+#include "../service_indicator/internal.h"
#include "../tls/internal.h"
@@ -616,9 +617,11 @@
#if defined(BORINGSSL_FIPS)
static void run_self_test_rsa(void) {
+ FIPS_service_indicator_lock_state();
if (!boringssl_self_test_rsa()) {
BORINGSSL_FIPS_abort();
}
+ FIPS_service_indicator_unlock_state();
}
DEFINE_STATIC_ONCE(g_self_test_once_rsa);
@@ -628,9 +631,11 @@
}
static void run_self_test_ecc(void) {
+ FIPS_service_indicator_lock_state();
if (!boringssl_self_test_ecc()) {
BORINGSSL_FIPS_abort();
}
+ FIPS_service_indicator_unlock_state();
}
DEFINE_STATIC_ONCE(g_self_test_once_ecc);
@@ -640,9 +645,11 @@
}
static void run_self_test_ffdh(void) {
+ FIPS_service_indicator_lock_state();
if (!boringssl_self_test_ffdh()) {
BORINGSSL_FIPS_abort();
}
+ FIPS_service_indicator_unlock_state();
}
DEFINE_STATIC_ONCE(g_self_test_once_ffdh);
diff --git a/src/crypto/fipsmodule/service_indicator/internal.h b/src/crypto/fipsmodule/service_indicator/internal.h
new file mode 100644
index 0000000..bbc4e4e
--- /dev/null
+++ b/src/crypto/fipsmodule/service_indicator/internal.h
@@ -0,0 +1,89 @@
+/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_SERVICE_INDICATOR_INTERNAL_H
+#define OPENSSL_HEADER_SERVICE_INDICATOR_INTERNAL_H
+
+#include <openssl/base.h>
+#include <openssl/service_indicator.h>
+
+#if defined(BORINGSSL_FIPS)
+
+// FIPS_service_indicator_update_state records that an approved service has been
+// invoked.
+void FIPS_service_indicator_update_state(void);
+
+// FIPS_service_indicator_lock_state and |FIPS_service_indicator_unlock_state|
+// stop |FIPS_service_indicator_update_state| from actually updating the service
+// indicator. This is used when a primitive calls a potentially approved
+// primitive to avoid false positives. For example, just because a key
+// generation calls |RAND_bytes| (and thus the approved DRBG) doesn't mean that
+// the key generation operation itself is approved.
+//
+// This lock nests: i.e. locking twice is fine so long as each lock is paired
+// with an unlock. If the (64-bit) counter overflows, the process aborts.
+void FIPS_service_indicator_lock_state(void);
+void FIPS_service_indicator_unlock_state(void);
+
+// The following functions may call |FIPS_service_indicator_update_state| if
+// their parameter specifies an approved operation.
+
+void AEAD_GCM_verify_service_indicator(const EVP_AEAD_CTX *ctx);
+void AEAD_CCM_verify_service_indicator(const EVP_AEAD_CTX *ctx);
+void EC_KEY_keygen_verify_service_indicator(const EC_KEY *eckey);
+void ECDH_verify_service_indicator(const EC_KEY *ec_key);
+void EVP_Cipher_verify_service_indicator(const EVP_CIPHER_CTX *ctx);
+void EVP_DigestSign_verify_service_indicator(const EVP_MD_CTX *ctx);
+void EVP_DigestVerify_verify_service_indicator(const EVP_MD_CTX *ctx);
+void HMAC_verify_service_indicator(const EVP_MD *evp_md);
+void TLSKDF_verify_service_indicator(const EVP_MD *dgst);
+
+#else
+
+// Service indicator functions are no-ops in non-FIPS builds.
+
+OPENSSL_INLINE void FIPS_service_indicator_update_state(void) {}
+OPENSSL_INLINE void FIPS_service_indicator_lock_state(void) {}
+OPENSSL_INLINE void FIPS_service_indicator_unlock_state(void) {}
+
+OPENSSL_INLINE void AEAD_GCM_verify_service_indicator(
+ OPENSSL_UNUSED const EVP_AEAD_CTX *ctx) {}
+
+OPENSSL_INLINE void AEAD_CCM_verify_service_indicator(
+ OPENSSL_UNUSED const EVP_AEAD_CTX *ctx) {}
+
+OPENSSL_INLINE void EC_KEY_keygen_verify_service_indicator(
+ OPENSSL_UNUSED const EC_KEY *eckey) {}
+
+OPENSSL_INLINE void ECDH_verify_service_indicator(
+ OPENSSL_UNUSED const EC_KEY *ec_key) {}
+
+OPENSSL_INLINE void EVP_Cipher_verify_service_indicator(
+ OPENSSL_UNUSED const EVP_CIPHER_CTX *ctx) {}
+
+OPENSSL_INLINE void EVP_DigestSign_verify_service_indicator(
+ OPENSSL_UNUSED const EVP_MD_CTX *ctx) {}
+
+OPENSSL_INLINE void EVP_DigestVerify_verify_service_indicator(
+ OPENSSL_UNUSED const EVP_MD_CTX *ctx) {}
+
+OPENSSL_INLINE void HMAC_verify_service_indicator(
+ OPENSSL_UNUSED const EVP_MD *evp_md) {}
+
+OPENSSL_INLINE void TLSKDF_verify_service_indicator(
+ OPENSSL_UNUSED const EVP_MD *dgst) {}
+
+#endif // BORINGSSL_FIPS
+
+#endif // OPENSSL_HEADER_SERVICE_INDICATOR_INTERNAL_H
diff --git a/src/crypto/fipsmodule/service_indicator/service_indicator.c b/src/crypto/fipsmodule/service_indicator/service_indicator.c
new file mode 100644
index 0000000..eb4669b
--- /dev/null
+++ b/src/crypto/fipsmodule/service_indicator/service_indicator.c
@@ -0,0 +1,333 @@
+/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <openssl/crypto.h>
+#include <openssl/ec.h>
+#include <openssl/ec_key.h>
+#include <openssl/evp.h>
+#include <openssl/service_indicator.h>
+
+#include "../../evp/internal.h"
+#include "../../internal.h"
+#include "internal.h"
+
+#if defined(BORINGSSL_FIPS)
+
+#define STATE_UNLOCKED 0
+
+// fips_service_indicator_state is a thread-local structure that stores the
+// state of the FIPS service indicator.
+struct fips_service_indicator_state {
+ // lock_state records the number of times the indicator has been locked.
+ // When it is zero (i.e. |STATE_UNLOCKED|) then the indicator can be updated.
+ uint64_t lock_state;
+ // counter is the indicator state. It is incremented when an approved service
+ // completes.
+ uint64_t counter;
+};
+
+// service_indicator_get returns a pointer to the |fips_service_indicator_state|
+// for the current thread. It returns NULL on error.
+//
+// FIPS 140-3 requires that the module should provide the service indicator
+// for approved services irrespective of whether the user queries it or not.
+// Hence, it is lazily initialized in any call to an approved service.
+static struct fips_service_indicator_state *service_indicator_get(void) {
+ struct fips_service_indicator_state *indicator = CRYPTO_get_thread_local(
+ OPENSSL_THREAD_LOCAL_FIPS_SERVICE_INDICATOR_STATE);
+
+ if (indicator == NULL) {
+ indicator = OPENSSL_malloc(sizeof(struct fips_service_indicator_state));
+ if (indicator == NULL) {
+ OPENSSL_PUT_ERROR(CRYPTO, ERR_R_MALLOC_FAILURE);
+ return NULL;
+ }
+
+ indicator->lock_state = STATE_UNLOCKED;
+ indicator->counter = 0;
+
+ if (!CRYPTO_set_thread_local(
+ OPENSSL_THREAD_LOCAL_FIPS_SERVICE_INDICATOR_STATE, indicator,
+ OPENSSL_free)) {
+ OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);
+ return NULL;
+ }
+ }
+
+ return indicator;
+}
+
+static uint64_t service_indicator_get_counter(void) {
+ struct fips_service_indicator_state *indicator = service_indicator_get();
+ if (indicator == NULL) {
+ return 0;
+ }
+ return indicator->counter;
+}
+
+uint64_t FIPS_service_indicator_before_call(void) {
+ return service_indicator_get_counter();
+}
+
+uint64_t FIPS_service_indicator_after_call(void) {
+ return service_indicator_get_counter();
+}
+
+void FIPS_service_indicator_update_state(void) {
+ struct fips_service_indicator_state *indicator = service_indicator_get();
+ if (indicator && indicator->lock_state == STATE_UNLOCKED) {
+ indicator->counter++;
+ }
+}
+
+void FIPS_service_indicator_lock_state(void) {
+ struct fips_service_indicator_state *indicator = service_indicator_get();
+ if (indicator == NULL) {
+ return;
+ }
+
+ // |FIPS_service_indicator_lock_state| and
+ // |FIPS_service_indicator_unlock_state| should not under/overflow in normal
+ // operation. They are still checked and errors added to facilitate testing in
+ // service_indicator_test.cc. This should only happen if lock/unlock are
+ // called in an incorrect order or multiple times in the same function.
+ const uint64_t new_state = indicator->lock_state + 1;
+ if (new_state < indicator->lock_state) {
+ // Overflow. This would imply that our call stack length has exceeded a
+ // |uint64_t| which impossible on a 64-bit system.
+ abort();
+ }
+
+ indicator->lock_state = new_state;
+}
+
+void FIPS_service_indicator_unlock_state(void) {
+ struct fips_service_indicator_state *indicator = service_indicator_get();
+ if (indicator == NULL) {
+ return;
+ }
+
+ if (indicator->lock_state == 0) {
+ abort();
+ }
+
+ indicator->lock_state--;
+}
+
+void AEAD_GCM_verify_service_indicator(const EVP_AEAD_CTX *ctx) {
+ const size_t key_len = EVP_AEAD_key_length(ctx->aead);
+ if (key_len == 16 || key_len == 32) {
+ FIPS_service_indicator_update_state();
+ }
+}
+
+void AEAD_CCM_verify_service_indicator(const EVP_AEAD_CTX *ctx) {
+ if (EVP_AEAD_key_length(ctx->aead) == 16 && ctx->tag_len == 4) {
+ FIPS_service_indicator_update_state();
+ }
+}
+
+// is_ec_fips_approved returns one if the curve corresponding to the given NID
+// is FIPS approved, and zero otherwise.
+static int is_ec_fips_approved(int curve_nid) {
+ switch (curve_nid) {
+ case NID_secp224r1:
+ case NID_X9_62_prime256v1:
+ case NID_secp384r1:
+ case NID_secp521r1:
+ return 1;
+ default:
+ return 0;
+ }
+}
+
+// is_md_fips_approved_for_signing returns one if the given message digest type
+// is FIPS approved for signing, and zero otherwise.
+static int is_md_fips_approved_for_signing(int md_type) {
+ switch (md_type) {
+ case NID_sha224:
+ case NID_sha256:
+ case NID_sha384:
+ case NID_sha512:
+ case NID_sha512_256:
+ return 1;
+ default:
+ return 0;
+ }
+}
+
+// is_md_fips_approved_for_verifying returns one if the given message digest
+// type is FIPS approved for verifying, and zero otherwise.
+static int is_md_fips_approved_for_verifying(int md_type) {
+ switch (md_type) {
+ case NID_sha1:
+ case NID_sha224:
+ case NID_sha256:
+ case NID_sha384:
+ case NID_sha512:
+ case NID_sha512_256:
+ return 1;
+ default:
+ return 0;
+ }
+}
+
+static void evp_md_ctx_verify_service_indicator(const EVP_MD_CTX *ctx,
+ int rsa_1024_ok,
+ int (*md_ok)(int md_type)) {
+ if (EVP_MD_CTX_md(ctx) == NULL) {
+ // Signature schemes without a prehash are currently never FIPS approved.
+ goto err;
+ }
+
+ EVP_PKEY_CTX *const pctx = ctx->pctx;
+ const EVP_PKEY *const pkey = EVP_PKEY_CTX_get0_pkey(pctx);
+ const int pkey_type = EVP_PKEY_id(pkey);
+ const int md_type = EVP_MD_CTX_type(ctx);
+
+ // EVP_PKEY_RSA_PSS SPKIs aren't supported.
+ if (pkey_type == EVP_PKEY_RSA) {
+ // Message digest used in the private key should be of the same type
+ // as the given one, so we extract the MD type from the |EVP_PKEY|
+ // and compare it with the type in |ctx|.
+ const EVP_MD *pctx_md;
+ if (!EVP_PKEY_CTX_get_signature_md(pctx, &pctx_md)) {
+ goto err;
+ }
+ if (EVP_MD_type(pctx_md) != md_type) {
+ goto err;
+ }
+
+ int padding;
+ if (!EVP_PKEY_CTX_get_rsa_padding(pctx, &padding)) {
+ goto err;
+ }
+ if (padding == RSA_PKCS1_PSS_PADDING) {
+ int salt_len;
+ const EVP_MD *mgf1_md;
+ if (!EVP_PKEY_CTX_get_rsa_pss_saltlen(pctx, &salt_len) ||
+ !EVP_PKEY_CTX_get_rsa_mgf1_md(pctx, &mgf1_md) ||
+ (salt_len != -1 && salt_len != (int)EVP_MD_size(pctx_md)) ||
+ EVP_MD_type(mgf1_md) != md_type) {
+ // Only PSS where saltLen == hashLen is tested with ACVP. Cases with
+ // non-standard padding functions are also excluded.
+ goto err;
+ }
+ }
+
+ // The approved RSA key sizes for signing are 2048, 3072 and 4096 bits.
+ // Note: |EVP_PKEY_size| returns the size in bytes.
+ size_t pkey_size = EVP_PKEY_size(ctx->pctx->pkey);
+
+ // Check if the MD type and the RSA key size are approved.
+ if (md_ok(md_type) &&
+ ((rsa_1024_ok && pkey_size == 128) || pkey_size == 256 ||
+ pkey_size == 384 || pkey_size == 512)) {
+ FIPS_service_indicator_update_state();
+ }
+ } else if (pkey_type == EVP_PKEY_EC) {
+ // Check if the MD type and the elliptic curve are approved.
+ if (md_ok(md_type) && is_ec_fips_approved(EC_GROUP_get_curve_name(
+ ctx->pctx->pkey->pkey.ec->group))) {
+ FIPS_service_indicator_update_state();
+ }
+ }
+
+ err:
+ // Ensure that junk errors aren't left on the queue.
+ ERR_clear_error();
+}
+
+void EC_KEY_keygen_verify_service_indicator(const EC_KEY *eckey) {
+ if (is_ec_fips_approved(EC_GROUP_get_curve_name(eckey->group))) {
+ FIPS_service_indicator_update_state();
+ }
+}
+
+void ECDH_verify_service_indicator(const EC_KEY *ec_key) {
+ if (is_ec_fips_approved(EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key)))) {
+ FIPS_service_indicator_update_state();
+ }
+}
+
+void EVP_Cipher_verify_service_indicator(const EVP_CIPHER_CTX *ctx) {
+ switch (EVP_CIPHER_CTX_nid(ctx)) {
+ case NID_aes_128_ecb:
+ case NID_aes_192_ecb:
+ case NID_aes_256_ecb:
+
+ case NID_aes_128_cbc:
+ case NID_aes_192_cbc:
+ case NID_aes_256_cbc:
+
+ case NID_aes_128_ctr:
+ case NID_aes_192_ctr:
+ case NID_aes_256_ctr:
+ FIPS_service_indicator_update_state();
+ }
+}
+
+void EVP_DigestVerify_verify_service_indicator(const EVP_MD_CTX *ctx) {
+ return evp_md_ctx_verify_service_indicator(ctx, /*rsa_1024_ok=*/1,
+ is_md_fips_approved_for_verifying);
+}
+
+void EVP_DigestSign_verify_service_indicator(const EVP_MD_CTX *ctx) {
+ return evp_md_ctx_verify_service_indicator(ctx, /*rsa_1024_ok=*/0,
+ is_md_fips_approved_for_signing);
+}
+
+void HMAC_verify_service_indicator(const EVP_MD *evp_md) {
+ switch (evp_md->type) {
+ case NID_sha1:
+ case NID_sha224:
+ case NID_sha256:
+ case NID_sha384:
+ case NID_sha512:
+ case NID_sha512_256:
+ FIPS_service_indicator_update_state();
+ break;
+ }
+}
+
+void TLSKDF_verify_service_indicator(const EVP_MD *md) {
+ // HMAC-MD5, HMAC-SHA1, and HMAC-MD5/HMAC-SHA1 (both used concurrently) are
+ // approved for use in the KDF in TLS 1.0/1.1.
+ // HMAC-SHA{256, 384, 512} are approved for use in the KDF in TLS 1.2.
+ // These Key Derivation functions are to be used in the context of the TLS
+ // protocol.
+ switch (EVP_MD_type(md)) {
+ case NID_md5:
+ case NID_sha1:
+ case NID_md5_sha1:
+ case NID_sha256:
+ case NID_sha384:
+ case NID_sha512:
+ FIPS_service_indicator_update_state();
+ break;
+ }
+}
+
+#else
+
+uint64_t FIPS_service_indicator_before_call(void) { return 0; }
+
+uint64_t FIPS_service_indicator_after_call(void) {
+ // One is returned so that the return value is always greater than zero, the
+ // return value of |FIPS_service_indicator_before_call|. This makes everything
+ // report as "approved" in non-FIPS builds.
+ return 1;
+}
+
+#endif // BORINGSSL_FIPS
diff --git a/src/crypto/fipsmodule/service_indicator/service_indicator_test.cc b/src/crypto/fipsmodule/service_indicator/service_indicator_test.cc
new file mode 100644
index 0000000..d0da9c9
--- /dev/null
+++ b/src/crypto/fipsmodule/service_indicator/service_indicator_test.cc
@@ -0,0 +1,2410 @@
+/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <gtest/gtest.h>
+
+#include <openssl/aead.h>
+#include <openssl/aes.h>
+#include <openssl/bn.h>
+#include <openssl/cipher.h>
+#include <openssl/cmac.h>
+#include <openssl/crypto.h>
+#include <openssl/dh.h>
+#include <openssl/digest.h>
+#include <openssl/ec.h>
+#include <openssl/ecdh.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/hmac.h>
+#include <openssl/md4.h>
+#include <openssl/md5.h>
+#include <openssl/rand.h>
+#include <openssl/rsa.h>
+#include <openssl/service_indicator.h>
+
+#include "../../test/abi_test.h"
+#include "../../test/test_util.h"
+#include "../bn/internal.h"
+#include "../rand/internal.h"
+#include "../tls/internal.h"
+
+
+using bssl::FIPSStatus;
+
+static const uint8_t kAESKey[16] = {'A', 'W', 'S', '-', 'L', 'C', 'C', 'r',
+ 'y', 'p', 't', 'o', ' ', 'K', 'e', 'y'};
+
+static const uint8_t kPlaintext[64] = {
+ 'A', 'W', 'S', '-', 'L', 'C', 'C', 'r', 'y', 'p', 't', 'o', 'M',
+ 'o', 'd', 'u', 'l', 'e', ' ', 'F', 'I', 'P', 'S', ' ', 'K', 'A',
+ 'T', ' ', 'E', 'n', 'c', 'r', 'y', 'p', 't', 'i', 'o', 'n', ' ',
+ 'a', 'n', 'd', ' ', 'D', 'e', 'c', 'r', 'y', 'p', 't', 'i', 'o',
+ 'n', ' ', 'P', 'l', 'a', 'i', 'n', 't', 'e', 'x', 't', '!'};
+
+#if defined(BORINGSSL_FIPS)
+
+// kEVPKeyGenShouldCallFIPSFunctions determines whether |EVP_PKEY_keygen_*|
+// functions should call the FIPS versions of the key-generation functions.
+static const bool kEVPKeyGenShouldCallFIPSFunctions = false;
+
+// kCurveSecp256k1Supported determines whether secp256k1 tests should be run.
+static const bool kCurveSecp256k1Supported = false;
+
+// kEVPDeriveSetsServiceIndicator is true if `EVP_PKEY_derive` should set the
+// service indicator for some algorithms.
+static const bool kEVPDeriveSetsServiceIndicator = false;
+
+template <typename T>
+class TestWithNoErrors : public testing::TestWithParam<T> {
+ void TearDown() override {
+ if (ERR_peek_error() != 0) {
+ auto f = [](const char *str, size_t len, void *unused) -> int {
+ fprintf(stderr, "%s\n", str);
+ return 1;
+ };
+ ERR_print_errors_cb(f, nullptr);
+ ADD_FAILURE();
+ }
+ }
+};
+
+static const uint8_t kAESKey_192[24] = {'A', 'W', 'S', '-', 'L', 'C', 'C', 'r',
+ 'y', 'p', 't', 'o', ' ', '1', '9', '2',
+ '-', 'b', 'i', 't', ' ', 'K', 'e', 'y'};
+
+static const uint8_t kAESKey_256[32] = {'A', 'W', 'S', '-', 'L', 'C', 'C', 'r',
+ 'y', 'p', 't', 'o', ' ', '2', '5', '6',
+ '-', 'b', 'i', 't', ' ', 'L', 'o', 'n',
+ 'g', ' ', 'K', 'e', 'y', '!', '!', '!'};
+
+static const uint8_t kAESIV[AES_BLOCK_SIZE] = {0};
+
+static bssl::UniquePtr<DH> GetDH() {
+ // kFFDHE2048PrivateKeyData is a 225-bit value. (225 because that's the
+ // minimum private key size in
+ // https://tools.ietf.org/html/rfc7919#appendix-A.1.)
+ static const uint8_t kFFDHE2048PrivateKey[] = {
+ 0x01, 0x91, 0x17, 0x3f, 0x2a, 0x05, 0x70, 0x18, 0x7e, 0xc4,
+ 0x22, 0xee, 0xb7, 0x0a, 0x15, 0x2f, 0x39, 0x64, 0x58, 0xf3,
+ 0xb8, 0x18, 0x7b, 0xe3, 0x6b, 0xd3, 0x8a, 0x4f, 0xa1};
+ bssl::UniquePtr<BIGNUM> priv(
+ BN_bin2bn(kFFDHE2048PrivateKey, sizeof(kFFDHE2048PrivateKey), nullptr));
+ if (!priv) {
+ return nullptr;
+ }
+ bssl::UniquePtr<DH> dh(DH_get_rfc7919_2048());
+ if (!dh || !DH_set0_key(dh.get(), nullptr, priv.get())) {
+ return nullptr;
+ }
+ priv.release(); // |DH_set0_key| takes ownership on success.
+ return dh;
+}
+
+static void DoCipherFinal(EVP_CIPHER_CTX *ctx, std::vector<uint8_t> *out,
+ bssl::Span<const uint8_t> in,
+ FIPSStatus expect_approved) {
+ FIPSStatus approved = FIPSStatus::NOT_APPROVED;
+ size_t max_out = in.size();
+ if (EVP_CIPHER_CTX_encrypting(ctx)) {
+ unsigned block_size = EVP_CIPHER_CTX_block_size(ctx);
+ max_out += block_size - (max_out % block_size);
+ }
+ out->resize(max_out);
+
+ size_t total = 0;
+ int len;
+ ASSERT_TRUE(EVP_CipherUpdate(ctx, out->data(), &len, in.data(), in.size()));
+ total += static_cast<size_t>(len);
+ // Check if the overall service is approved by checking |EVP_CipherFinal_ex|,
+ // which should be the last part of the service.
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, EVP_CipherFinal_ex(ctx, out->data() + total, &len)));
+ total += static_cast<size_t>(len);
+ ASSERT_LE(total, max_out);
+ out->resize(total);
+
+ EXPECT_EQ(approved, expect_approved);
+}
+
+static const uint8_t kTDES_EDE3_CipherText[64] = {
+ 0x2a, 0x17, 0x79, 0x5a, 0x9b, 0x1d, 0xd8, 0x72, 0x06, 0xc6, 0xe7,
+ 0x55, 0x14, 0xaa, 0x7b, 0x2a, 0x6e, 0xfc, 0x71, 0x29, 0xff, 0x9b,
+ 0x67, 0x73, 0x7c, 0x9e, 0x15, 0x74, 0x80, 0xc8, 0x2f, 0xca, 0x93,
+ 0xaa, 0x8e, 0xba, 0x2c, 0x48, 0x88, 0x51, 0xc7, 0xa4, 0xf4, 0xe3,
+ 0x2b, 0x33, 0xe5, 0xa1, 0x58, 0x0a, 0x08, 0x3c, 0xb9, 0xf6, 0xf1,
+ 0x20, 0x67, 0x02, 0x49, 0xa0, 0x92, 0x18, 0xde, 0x2b};
+
+static const uint8_t kTDES_EDE3_CBCCipherText[64] = {
+ 0x2a, 0x17, 0x79, 0x5a, 0x9b, 0x1d, 0xd8, 0x72, 0xbf, 0x3f, 0xfd,
+ 0xe4, 0x0d, 0x66, 0x33, 0x49, 0x3b, 0x8c, 0xa6, 0xd0, 0x0a, 0x66,
+ 0xae, 0xf1, 0xd9, 0xa7, 0xd6, 0xfb, 0xa2, 0x39, 0x6f, 0xf6, 0x1b,
+ 0x8f, 0x67, 0xe1, 0x2b, 0x58, 0x1c, 0xb6, 0xa2, 0xec, 0xb3, 0xc2,
+ 0xe6, 0xd1, 0xcc, 0x11, 0x05, 0xdd, 0xee, 0x9d, 0x87, 0x95, 0xe9,
+ 0x58, 0xc7, 0xef, 0xa4, 0x6d, 0x5e, 0xd6, 0x57, 0x01};
+
+// AES-OFB is not an approved service, and is only used to test we are not
+// validating un-approved services correctly.
+static const uint8_t kAESOFBCiphertext[64] = {
+ 0x49, 0xf5, 0x6a, 0x7d, 0x3e, 0xd7, 0xb2, 0x47, 0x35, 0xca, 0x54,
+ 0xf5, 0xf1, 0xb8, 0xd1, 0x48, 0x8e, 0x47, 0x09, 0x95, 0xd5, 0xa0,
+ 0xc6, 0xa3, 0xe4, 0x94, 0xaf, 0xd4, 0x1b, 0x64, 0x25, 0x65, 0x28,
+ 0x9e, 0x82, 0xba, 0x92, 0xca, 0x75, 0xb3, 0xf3, 0x78, 0x44, 0x87,
+ 0xd6, 0x11, 0xf9, 0x22, 0xa3, 0xf3, 0xc6, 0x1d, 0x30, 0x00, 0x5b,
+ 0x77, 0x18, 0x38, 0x39, 0x08, 0x5e, 0x0a, 0x56, 0x6b};
+
+static const uint8_t kAESECBCiphertext[64] = {
+ 0xa4, 0xc1, 0x5c, 0x51, 0x2a, 0x2e, 0x2a, 0xda, 0xd9, 0x02, 0x23,
+ 0xe7, 0xa9, 0x34, 0x9d, 0xd8, 0x15, 0xc5, 0xf5, 0x55, 0x8e, 0xb0,
+ 0x29, 0x95, 0x48, 0x6c, 0x7f, 0xa9, 0x47, 0x19, 0x0b, 0x54, 0xe5,
+ 0x0f, 0x05, 0x76, 0xbb, 0xd0, 0x1a, 0x6c, 0xab, 0xe9, 0xfd, 0x5b,
+ 0xd8, 0x0b, 0x0a, 0xbd, 0x7f, 0xea, 0xda, 0x52, 0x07, 0x65, 0x13,
+ 0x6c, 0xbe, 0xfc, 0x36, 0x82, 0x4b, 0x6a, 0xc3, 0xd5};
+
+static const uint8_t kAESECBCiphertext_192[64] = {
+ 0x1d, 0xc8, 0xaa, 0xa7, 0x29, 0x01, 0x17, 0x09, 0x72, 0xc6, 0xe9,
+ 0x63, 0x02, 0x9d, 0xeb, 0x01, 0xeb, 0xc0, 0xda, 0x82, 0x6c, 0x30,
+ 0x7d, 0x60, 0x1b, 0x3e, 0xc7, 0x7b, 0xe3, 0x18, 0xa2, 0x43, 0x59,
+ 0x15, 0x4a, 0xe4, 0x8a, 0x84, 0xda, 0x16, 0x90, 0x7b, 0xfa, 0x64,
+ 0x37, 0x62, 0x19, 0xf1, 0x95, 0x11, 0x61, 0x84, 0xb0, 0x70, 0x49,
+ 0x72, 0x9f, 0xe7, 0x3a, 0x18, 0x99, 0x01, 0xba, 0xb0};
+
+static const uint8_t kAESECBCiphertext_256[64] = {
+ 0x6f, 0x2d, 0x6d, 0x7a, 0xc1, 0x8f, 0x00, 0x9f, 0x2d, 0xcf, 0xba,
+ 0xe6, 0x4f, 0xdd, 0xe0, 0x09, 0x5b, 0xf3, 0xa4, 0xaf, 0xce, 0x45,
+ 0x49, 0x6e, 0x28, 0x7b, 0x48, 0x57, 0xb5, 0xf5, 0xd8, 0x05, 0x16,
+ 0x0f, 0xea, 0x21, 0x0c, 0x39, 0x78, 0xee, 0x9e, 0x57, 0x3c, 0x40,
+ 0x11, 0x9c, 0xd9, 0x34, 0x97, 0xb9, 0xa6, 0x06, 0x40, 0x60, 0xa2,
+ 0x0c, 0x01, 0xe3, 0x9c, 0xda, 0x3e, 0xad, 0x99, 0x3d};
+
+static const uint8_t kAESCBCCiphertext[64] = {
+ 0xa4, 0xc1, 0x5c, 0x51, 0x2a, 0x2e, 0x2a, 0xda, 0xd9, 0x02, 0x23,
+ 0xe7, 0xa9, 0x34, 0x9d, 0xd8, 0x5c, 0xb3, 0x65, 0x54, 0x72, 0xc8,
+ 0x06, 0xf1, 0x36, 0xc3, 0x97, 0x73, 0x87, 0xca, 0x44, 0x99, 0x21,
+ 0xb8, 0xdb, 0x93, 0x22, 0x00, 0x89, 0x7c, 0x1c, 0xea, 0x36, 0x23,
+ 0x18, 0xdb, 0xc1, 0x52, 0x8c, 0x23, 0x66, 0x11, 0x0d, 0xa8, 0xe9,
+ 0xb8, 0x08, 0x8b, 0xaa, 0x81, 0x47, 0x01, 0xa4, 0x4f};
+
+static const uint8_t kAESCBCCiphertext_192[64] = {
+ 0x1d, 0xc8, 0xaa, 0xa7, 0x29, 0x01, 0x17, 0x09, 0x72, 0xc6, 0xe9,
+ 0x63, 0x02, 0x9d, 0xeb, 0x01, 0xb4, 0x48, 0xa8, 0x00, 0x94, 0x46,
+ 0x7f, 0xe3, 0xc1, 0x24, 0xea, 0x41, 0xa0, 0x2b, 0x47, 0x2f, 0xae,
+ 0x19, 0xce, 0x0d, 0xfa, 0x90, 0x45, 0x85, 0xce, 0xc4, 0x21, 0x0c,
+ 0x74, 0x38, 0x13, 0xfd, 0x64, 0xba, 0x58, 0x10, 0x37, 0x53, 0x48,
+ 0x66, 0x02, 0x76, 0xfb, 0xb1, 0x3a, 0x19, 0xce, 0x61};
+
+static const uint8_t kAESCBCCiphertext_256[64] = {
+ 0x6f, 0x2d, 0x6d, 0x7a, 0xc1, 0x8f, 0x00, 0x9f, 0x2d, 0xcf, 0xba,
+ 0xe6, 0x4f, 0xdd, 0xe0, 0x09, 0x9e, 0xa8, 0x28, 0xdc, 0x27, 0xde,
+ 0x89, 0x26, 0xc7, 0x94, 0x6a, 0xbf, 0xb6, 0x94, 0x05, 0x08, 0x6c,
+ 0x39, 0x07, 0x52, 0xfa, 0x7b, 0xca, 0x7d, 0x9b, 0xbf, 0xb2, 0x43,
+ 0x2b, 0x69, 0xee, 0xc5, 0x68, 0x4c, 0xdd, 0x62, 0xae, 0x8d, 0x7e,
+ 0x71, 0x0c, 0x8f, 0x11, 0xce, 0x1d, 0x8b, 0xee, 0x94};
+
+static const uint8_t kAESCTRCiphertext[64] = {
+ 0x49, 0xf5, 0x6a, 0x7d, 0x3e, 0xd7, 0xb2, 0x47, 0x35, 0xca, 0x54,
+ 0xf5, 0xf1, 0xb8, 0xd1, 0x48, 0xb0, 0x18, 0xc4, 0x5e, 0xeb, 0x42,
+ 0xfd, 0x10, 0x49, 0x1f, 0x2b, 0x11, 0xe9, 0xb0, 0x07, 0xa4, 0x00,
+ 0x56, 0xec, 0x25, 0x53, 0x4d, 0x70, 0x98, 0x38, 0x85, 0x5d, 0x54,
+ 0xab, 0x2c, 0x19, 0x13, 0x6d, 0xf3, 0x0e, 0x6f, 0x48, 0x2f, 0xab,
+ 0xe1, 0x82, 0xd4, 0x30, 0xa9, 0x16, 0x73, 0x93, 0xc3};
+
+static const uint8_t kAESCTRCiphertext_192[64] = {
+ 0x72, 0x7d, 0xbb, 0xd4, 0x8b, 0x16, 0x8b, 0x19, 0xa4, 0xeb, 0xa6,
+ 0xfa, 0xa0, 0xd0, 0x2b, 0xbb, 0x9b, 0x1f, 0xbf, 0x4d, 0x67, 0xfb,
+ 0xea, 0x89, 0x16, 0xd7, 0xa4, 0xb6, 0xbe, 0x1a, 0x78, 0x1c, 0x3d,
+ 0x44, 0x49, 0xa0, 0xf2, 0xb2, 0xb3, 0x82, 0x0f, 0xdd, 0xac, 0xd6,
+ 0xea, 0x6e, 0x1f, 0x09, 0x8d, 0xa5, 0xdb, 0x4f, 0x3f, 0x97, 0x90,
+ 0x26, 0xed, 0xf6, 0xbb, 0x62, 0xb3, 0x6f, 0x52, 0x67};
+
+static const uint8_t kAESCTRCiphertext_256[64] = {
+ 0x4a, 0x87, 0x44, 0x09, 0xf4, 0x1d, 0x80, 0x94, 0x51, 0x9a, 0xe4,
+ 0x89, 0x49, 0xcb, 0x98, 0x0d, 0x27, 0xc5, 0xba, 0x20, 0x00, 0x45,
+ 0xbb, 0x29, 0x75, 0xc0, 0xb7, 0x23, 0x0d, 0x81, 0x9f, 0x43, 0xaa,
+ 0x78, 0x89, 0xc0, 0xc4, 0x6d, 0x99, 0x0d, 0xb8, 0x9b, 0xc3, 0x25,
+ 0xa6, 0xd1, 0x7c, 0x98, 0x3e, 0xff, 0x06, 0x59, 0x41, 0xcf, 0xb2,
+ 0xd5, 0x2f, 0x95, 0xea, 0x83, 0xb1, 0x42, 0xb8, 0xb2};
+
+static const uint8_t kAESCFBCiphertext[64] = {
+ 0x49, 0xf5, 0x6a, 0x7d, 0x3e, 0xd7, 0xb2, 0x47, 0x35, 0xca, 0x54,
+ 0xf5, 0xf1, 0xb8, 0xd1, 0x48, 0x01, 0xdc, 0xba, 0x43, 0x3a, 0x7b,
+ 0xbf, 0x84, 0x91, 0x49, 0xc5, 0xc9, 0xd6, 0xcf, 0x6a, 0x2c, 0x3a,
+ 0x66, 0x99, 0x68, 0xe3, 0xd0, 0x56, 0x05, 0xe7, 0x99, 0x7f, 0xc3,
+ 0xbc, 0x09, 0x13, 0xa6, 0xf0, 0xde, 0x17, 0xf4, 0x85, 0x9a, 0xee,
+ 0x29, 0xc3, 0x77, 0xab, 0xc4, 0xf6, 0xdb, 0xae, 0x24};
+
+static const uint8_t kAESCCMCiphertext[64 + 4] = {
+ 0x7a, 0x02, 0x5d, 0x48, 0x02, 0x44, 0x78, 0x7f, 0xb4, 0x71, 0x74, 0x7b,
+ 0xec, 0x4d, 0x90, 0x29, 0x7b, 0xa7, 0x65, 0xbb, 0x3e, 0x80, 0x41, 0x7e,
+ 0xab, 0xb4, 0x58, 0x22, 0x4f, 0x86, 0xcd, 0xcc, 0xc2, 0x12, 0xeb, 0x36,
+ 0x39, 0x89, 0xe3, 0x66, 0x2a, 0xbf, 0xe3, 0x6c, 0x95, 0x60, 0x13, 0x9e,
+ 0x93, 0xcc, 0xb4, 0x06, 0xbe, 0xaf, 0x3f, 0xba, 0x13, 0x73, 0x09, 0x92,
+ 0xd1, 0x80, 0x73, 0xb3, 0xc3, 0xa3, 0xa4, 0x8b,
+};
+
+static const uint8_t kAESKWCiphertext[72] = {
+ 0x44, 0xec, 0x7d, 0x92, 0x2c, 0x9f, 0xf3, 0xe8, 0xac, 0xb1, 0xea, 0x3d,
+ 0x0a, 0xc7, 0x51, 0x27, 0xe8, 0x03, 0x11, 0x78, 0xe5, 0xaf, 0x8d, 0xb1,
+ 0x70, 0x96, 0x2e, 0xfa, 0x05, 0x48, 0x48, 0x99, 0x1a, 0x58, 0xcc, 0xfe,
+ 0x11, 0x36, 0x5d, 0x49, 0x98, 0x1e, 0xbb, 0xd6, 0x0b, 0xf5, 0xb9, 0x64,
+ 0xa4, 0x30, 0x3e, 0x60, 0xf6, 0xc5, 0xff, 0x82, 0x30, 0x9a, 0xa7, 0x48,
+ 0x82, 0xe2, 0x00, 0xc1, 0xe9, 0xc2, 0x73, 0x6f, 0xbc, 0x89, 0x66, 0x9d};
+
+static const uint8_t kAESKWPCiphertext[72] = {
+ 0x29, 0x5e, 0xb9, 0xea, 0x96, 0xa7, 0xa5, 0xca, 0xfa, 0xeb, 0xda, 0x78,
+ 0x13, 0xea, 0x83, 0xca, 0x41, 0xdb, 0x4d, 0x36, 0x7d, 0x39, 0x8a, 0xd6,
+ 0xef, 0xd3, 0xd2, 0x2d, 0x3a, 0xc8, 0x55, 0xc8, 0x73, 0xd7, 0x79, 0x55,
+ 0xad, 0xc0, 0xce, 0xad, 0x12, 0x54, 0x51, 0xf0, 0x70, 0x76, 0xff, 0xe7,
+ 0x0c, 0xb2, 0x8e, 0xdd, 0xb6, 0x9a, 0x27, 0x74, 0x98, 0x28, 0xe0, 0xfa,
+ 0x11, 0xe6, 0x3f, 0x86, 0x93, 0x23, 0xf8, 0x0d, 0xcb, 0xaf, 0x2b, 0xb7};
+
+static const uint8_t kAESCMACOutput[16] = {0xe7, 0x32, 0x43, 0xb4, 0xae, 0x79,
+ 0x08, 0x86, 0xe7, 0x9f, 0x0d, 0x3f,
+ 0x88, 0x3f, 0x1a, 0xfd};
+
+const uint8_t kDHOutput[2048 / 8] = {
+ 0x83, 0xf0, 0xd8, 0x4f, 0xdb, 0xe7, 0x65, 0xb6, 0x80, 0x6f, 0xa3, 0x22,
+ 0x9b, 0x33, 0x1c, 0x87, 0x89, 0xc8, 0x1d, 0x2c, 0xa1, 0xba, 0xa3, 0xb8,
+ 0xdf, 0xad, 0x42, 0xea, 0x9a, 0x75, 0xfe, 0xbf, 0xc1, 0xa8, 0xf6, 0xda,
+ 0xec, 0xdf, 0x48, 0x61, 0x7d, 0x7f, 0x3d, 0xab, 0xbd, 0xda, 0xd1, 0xd3,
+ 0xd8, 0xaf, 0x44, 0x4a, 0xba, 0x3f, 0x0e, 0x99, 0x8d, 0x11, 0xdc, 0x63,
+ 0xb1, 0xe0, 0x65, 0xf2, 0xb9, 0x82, 0x81, 0x8c, 0x88, 0x75, 0x8f, 0xa0,
+ 0x94, 0x52, 0x2a, 0x2f, 0x2d, 0x10, 0xb1, 0xf4, 0xd2, 0xdd, 0x0f, 0x8a,
+ 0x7e, 0x49, 0x7b, 0x1e, 0xfd, 0x8c, 0x78, 0xf9, 0x11, 0xdf, 0x80, 0x8b,
+ 0x2e, 0x86, 0x34, 0xbf, 0x4b, 0xca, 0x13, 0x3e, 0x85, 0x63, 0xeb, 0xe4,
+ 0xff, 0xec, 0xb0, 0xe8, 0x83, 0xf6, 0x2c, 0x45, 0x21, 0x90, 0x34, 0x9c,
+ 0x9d, 0x9d, 0xfe, 0x1a, 0x48, 0x53, 0xef, 0x97, 0xd5, 0xea, 0x6a, 0x65,
+ 0xf5, 0xe9, 0x9f, 0x91, 0x4f, 0xb4, 0x43, 0xe7, 0x1f, 0x0a, 0x2e, 0xdb,
+ 0xe6, 0x84, 0x30, 0xdb, 0xad, 0xe4, 0xaf, 0x2c, 0xf9, 0x93, 0xe8, 0x0a,
+ 0xab, 0x7f, 0x1c, 0xde, 0xb3, 0x80, 0xb6, 0x02, 0x42, 0xba, 0x18, 0x0d,
+ 0x0f, 0xc2, 0x1d, 0xa4, 0x4b, 0x2b, 0x84, 0x74, 0x10, 0x97, 0x6d, 0xdc,
+ 0xfa, 0x99, 0xdc, 0xba, 0xf2, 0xcb, 0x1b, 0xe8, 0x1a, 0xba, 0x0c, 0x67,
+ 0x60, 0x07, 0x87, 0xcc, 0xc6, 0x0d, 0xef, 0x56, 0x07, 0x80, 0x55, 0xae,
+ 0x03, 0xa3, 0x62, 0x31, 0x4c, 0x50, 0xf7, 0xf6, 0x87, 0xb3, 0x8d, 0xe2,
+ 0x11, 0x86, 0xe7, 0x9d, 0x98, 0x3c, 0x2a, 0x6c, 0x8a, 0xf0, 0xa7, 0x73,
+ 0x33, 0x07, 0x4e, 0x70, 0xee, 0x14, 0x4b, 0xa3, 0xf7, 0x4f, 0x8f, 0x1a,
+ 0xa2, 0xf6, 0xd1, 0xeb, 0x4d, 0x04, 0xf9, 0x4c, 0x07, 0x36, 0xb1, 0x46,
+ 0x53, 0x55, 0xb1, 0x23};
+
+static const uint8_t kOutput_md4[MD4_DIGEST_LENGTH] = {
+ 0xab, 0x6b, 0xda, 0x84, 0xc0, 0x6b, 0xd0, 0x1d,
+ 0x19, 0xc0, 0x08, 0x11, 0x07, 0x8d, 0xce, 0x0e};
+
+static const uint8_t kOutput_md5[MD5_DIGEST_LENGTH] = {
+ 0xe9, 0x70, 0xa2, 0xf7, 0x9c, 0x55, 0x57, 0xac,
+ 0x4e, 0x7f, 0x6b, 0xbc, 0xa3, 0xb9, 0xb7, 0xdb};
+
+static const uint8_t kOutput_sha1[SHA_DIGEST_LENGTH] = {
+ 0xaa, 0x18, 0x71, 0x34, 0x00, 0x71, 0x67, 0x9f, 0xa1, 0x6d,
+ 0x20, 0x82, 0x91, 0x0f, 0x53, 0x0a, 0xcd, 0x6e, 0xa4, 0x34};
+
+static const uint8_t kOutput_sha224[SHA224_DIGEST_LENGTH] = {
+ 0x5f, 0x1a, 0x9e, 0x68, 0x4c, 0xb7, 0x42, 0x68, 0xa0, 0x8b,
+ 0x87, 0xd7, 0x96, 0xb6, 0xcf, 0x1e, 0x4f, 0x85, 0x1c, 0x47,
+ 0xe9, 0x29, 0xb3, 0xb2, 0x73, 0x72, 0xd2, 0x69};
+
+static const uint8_t kOutput_sha256[SHA256_DIGEST_LENGTH] = {
+ 0xe7, 0x63, 0x1c, 0xbb, 0x12, 0xb5, 0xbf, 0x4f, 0x99, 0x05, 0x9d,
+ 0x40, 0x15, 0x55, 0x34, 0x9c, 0x26, 0x36, 0xd2, 0xfe, 0x6a, 0xd6,
+ 0x26, 0xb4, 0x9d, 0x33, 0x07, 0xf5, 0xe6, 0x29, 0x13, 0x92};
+
+static const uint8_t kOutput_sha384[SHA384_DIGEST_LENGTH] = {
+ 0x15, 0x81, 0x48, 0x8d, 0x95, 0xf2, 0x66, 0x84, 0x65, 0x94, 0x3e, 0xb9,
+ 0x8c, 0xda, 0x36, 0x30, 0x2a, 0x85, 0xc0, 0xcd, 0xec, 0x38, 0xa0, 0x1f,
+ 0x72, 0xe2, 0x68, 0xfe, 0x4e, 0xdb, 0x27, 0x8b, 0x50, 0x15, 0xe0, 0x24,
+ 0xc3, 0x65, 0xd1, 0x66, 0x2a, 0x3e, 0xe7, 0x00, 0x16, 0x51, 0xf5, 0x18};
+
+static const uint8_t kOutput_sha512[SHA512_DIGEST_LENGTH] = {
+ 0x71, 0xcc, 0xec, 0x03, 0xf8, 0x76, 0xf4, 0x0b, 0xf1, 0x1b, 0x89,
+ 0x27, 0x83, 0xa1, 0x70, 0x02, 0x00, 0x2b, 0xe9, 0x3c, 0x3c, 0x65,
+ 0x12, 0xb9, 0xa8, 0x8c, 0xc5, 0x9d, 0xae, 0x3c, 0x73, 0x43, 0x76,
+ 0x4d, 0x98, 0xed, 0xd0, 0xbe, 0xb4, 0xf9, 0x0b, 0x5c, 0x5d, 0x34,
+ 0x46, 0x30, 0x18, 0xc2, 0x05, 0x88, 0x8a, 0x3c, 0x25, 0xcc, 0x06,
+ 0xf8, 0x73, 0xb9, 0xe4, 0x18, 0xa8, 0xc2, 0xf0, 0xe5};
+
+static const uint8_t kOutput_sha512_256[SHA512_256_DIGEST_LENGTH] = {
+ 0x1a, 0x78, 0x68, 0x6b, 0x69, 0x6d, 0x28, 0x14, 0x6b, 0x37, 0x11,
+ 0x2d, 0xfb, 0x72, 0x35, 0xfa, 0xc1, 0xc4, 0x5f, 0x5c, 0x49, 0x91,
+ 0x08, 0x95, 0x0b, 0x0f, 0xc9, 0x88, 0x44, 0x12, 0x01, 0x6a};
+
+static const uint8_t kHMACOutput_sha1[SHA_DIGEST_LENGTH] = {
+ 0x34, 0xac, 0x50, 0x9b, 0xa9, 0x4c, 0x39, 0xef, 0x45, 0xa0,
+ 0x6b, 0xdc, 0xfc, 0xbd, 0x3d, 0x42, 0xe8, 0x0a, 0x97, 0x86};
+
+static const uint8_t kHMACOutput_sha224[SHA224_DIGEST_LENGTH] = {
+ 0x30, 0x62, 0x97, 0x45, 0x9e, 0xea, 0x62, 0xe4, 0x5d, 0xbb,
+ 0x7d, 0x25, 0x3f, 0x77, 0x0f, 0x9d, 0xa4, 0xbd, 0x17, 0x96,
+ 0x23, 0x53, 0xe1, 0x76, 0xf3, 0xf8, 0x9b, 0x74};
+
+static const uint8_t kHMACOutput_sha256[SHA256_DIGEST_LENGTH] = {
+ 0x68, 0x33, 0x3e, 0x74, 0x9a, 0x49, 0xab, 0x77, 0xb4, 0x1a, 0x40,
+ 0xd8, 0x55, 0x07, 0xa7, 0xb6, 0x48, 0xa1, 0xa5, 0xa9, 0xd1, 0x7b,
+ 0x85, 0xe9, 0x33, 0x09, 0x16, 0x79, 0xcc, 0xe9, 0x29, 0x97};
+
+static const uint8_t kHMACOutput_sha384[SHA384_DIGEST_LENGTH] = {
+ 0xcc, 0x39, 0x22, 0x0e, 0x9f, 0x2e, 0x26, 0x4a, 0xb5, 0xf8, 0x4a, 0x0f,
+ 0x73, 0x51, 0x26, 0x1a, 0xf2, 0xef, 0x15, 0xf3, 0x5f, 0x77, 0xce, 0xbb,
+ 0x4c, 0x69, 0x86, 0x0e, 0x1f, 0x5c, 0x4d, 0xc9, 0x96, 0xd9, 0xed, 0x74,
+ 0x6c, 0x45, 0x05, 0x7a, 0x0e, 0x3f, 0x36, 0x8a, 0xda, 0x2a, 0x35, 0xf9};
+
+static const uint8_t kHMACOutput_sha512[SHA512_DIGEST_LENGTH] = {
+ 0x4c, 0x09, 0x46, 0x50, 0x7c, 0xb3, 0xa1, 0xfa, 0xbc, 0xf2, 0xc4,
+ 0x4f, 0x1e, 0x3d, 0xa9, 0x0b, 0x29, 0x4e, 0x12, 0x09, 0x09, 0x32,
+ 0xde, 0x82, 0xa0, 0xab, 0xf6, 0x5e, 0x66, 0x19, 0xd0, 0x86, 0x9a,
+ 0x92, 0xe3, 0xf9, 0x13, 0xa7, 0xe6, 0xfc, 0x1a, 0x2e, 0x50, 0xda,
+ 0xf6, 0x8f, 0xb2, 0xd5, 0xb2, 0x6e, 0x97, 0x82, 0x25, 0x5a, 0x1e,
+ 0xbf, 0x9b, 0x99, 0x8c, 0xf0, 0x37, 0xe6, 0x3d, 0x40};
+
+static const uint8_t kHMACOutput_sha512_256[SHA512_256_DIGEST_LENGTH] = {
+ 0x9c, 0x95, 0x9c, 0x03, 0xc9, 0x8c, 0x90, 0xee, 0x7a, 0xff, 0xed,
+ 0x26, 0xba, 0x75, 0x90, 0xd0, 0xb9, 0xd4, 0x09, 0xf5, 0x22, 0xd6,
+ 0xb6, 0xab, 0xa8, 0xb9, 0xae, 0x01, 0x06, 0x37, 0x8f, 0xd1};
+
+static const uint8_t kDRBGEntropy[48] = {
+ 'B', 'C', 'M', ' ', 'K', 'n', 'o', 'w', 'n', ' ', 'A', 'n',
+ 's', 'w', 'e', 'r', ' ', 'T', 'e', 's', 't', ' ', 'D', 'B',
+ 'R', 'G', ' ', 'I', 'n', 'i', 't', 'i', 'a', 'l', ' ', 'E',
+ 'n', 't', 'r', 'o', 'p', 'y', ' ', ' ', ' ', ' ', ' ', ' '};
+
+static const uint8_t kDRBGPersonalization[18] = {'B', 'C', 'M', 'P', 'e', 'r',
+ 's', 'o', 'n', 'a', 'l', 'i',
+ 'z', 'a', 't', 'i', 'o', 'n'};
+
+static const uint8_t kDRBGAD[16] = {'B', 'C', 'M', ' ', 'D', 'R', 'B', 'G',
+ ' ', 'K', 'A', 'T', ' ', 'A', 'D', ' '};
+
+const uint8_t kDRBGOutput[64] = {
+ 0x1d, 0x63, 0xdf, 0x05, 0x51, 0x49, 0x22, 0x46, 0xcd, 0x9b, 0xc5,
+ 0xbb, 0xf1, 0x5d, 0x44, 0xae, 0x13, 0x78, 0xb1, 0xe4, 0x7c, 0xf1,
+ 0x96, 0x33, 0x3d, 0x60, 0xb6, 0x29, 0xd4, 0xbb, 0x6b, 0x44, 0xf9,
+ 0xef, 0xd9, 0xf4, 0xa2, 0xba, 0x48, 0xea, 0x39, 0x75, 0x59, 0x32,
+ 0xf7, 0x31, 0x2c, 0x98, 0x14, 0x2b, 0x49, 0xdf, 0x02, 0xb6, 0x5d,
+ 0x71, 0x09, 0x50, 0xdb, 0x23, 0xdb, 0xe5, 0x22, 0x95};
+
+static const uint8_t kDRBGEntropy2[48] = {
+ 'B', 'C', 'M', ' ', 'K', 'n', 'o', 'w', 'n', ' ', 'A', 'n',
+ 's', 'w', 'e', 'r', ' ', 'T', 'e', 's', 't', ' ', 'D', 'B',
+ 'R', 'G', ' ', 'R', 'e', 's', 'e', 'e', 'd', ' ', 'E', 'n',
+ 't', 'r', 'o', 'p', 'y', ' ', ' ', ' ', ' ', ' ', ' ', ' '};
+
+static const uint8_t kDRBGReseedOutput[64] = {
+ 0xa4, 0x77, 0x05, 0xdb, 0x14, 0x11, 0x76, 0x71, 0x42, 0x5b, 0xd8,
+ 0xd7, 0xa5, 0x4f, 0x8b, 0x39, 0xf2, 0x10, 0x4a, 0x50, 0x5b, 0xa2,
+ 0xc8, 0xf0, 0xbb, 0x3e, 0xa1, 0xa5, 0x90, 0x7d, 0x54, 0xd9, 0xc6,
+ 0xb0, 0x96, 0xc0, 0x2b, 0x7e, 0x9b, 0xc9, 0xa1, 0xdd, 0x78, 0x2e,
+ 0xd5, 0xa8, 0x66, 0x16, 0xbd, 0x18, 0x3c, 0xf2, 0xaa, 0x7a, 0x2b,
+ 0x37, 0xf9, 0xab, 0x35, 0x64, 0x15, 0x01, 0x3f, 0xc4,
+};
+
+static const uint8_t kTLSSecret[32] = {
+ 0xbf, 0xe4, 0xb7, 0xe0, 0x26, 0x55, 0x5f, 0x6a, 0xdf, 0x5d, 0x27,
+ 0xd6, 0x89, 0x99, 0x2a, 0xd6, 0xf7, 0x65, 0x66, 0x07, 0x4b, 0x55,
+ 0x5f, 0x64, 0x55, 0xcd, 0xd5, 0x77, 0xa4, 0xc7, 0x09, 0x61,
+};
+static const char kTLSLabel[] = "FIPS self test";
+static const uint8_t kTLSSeed1[16] = {
+ 0x8f, 0x0d, 0xe8, 0xb6, 0x90, 0x8f, 0xb1, 0xd2,
+ 0x6d, 0x51, 0xf4, 0x79, 0x18, 0x63, 0x51, 0x65,
+};
+static const uint8_t kTLSSeed2[16] = {
+ 0x7d, 0x24, 0x1a, 0x9d, 0x3c, 0x59, 0xbf, 0x3c,
+ 0x31, 0x1e, 0x2b, 0x21, 0x41, 0x8d, 0x32, 0x81,
+};
+
+static const uint8_t kTLSOutput_mdsha1[32] = {
+ 0x36, 0xa9, 0x31, 0xb0, 0x43, 0xe3, 0x64, 0x72, 0xb9, 0x47, 0x54,
+ 0x0d, 0x8a, 0xfc, 0xe3, 0x5c, 0x1c, 0x15, 0x67, 0x7e, 0xa3, 0x5d,
+ 0xf2, 0x3a, 0x57, 0xfd, 0x50, 0x16, 0xe1, 0xa4, 0xa6, 0x37,
+};
+
+static const uint8_t kTLSOutput_md[32] = {
+ 0x79, 0xef, 0x46, 0xc4, 0x35, 0xbc, 0xe5, 0xda, 0xd3, 0x66, 0x91,
+ 0xdc, 0x86, 0x09, 0x41, 0x66, 0xf2, 0x0c, 0xeb, 0xe6, 0xab, 0x5c,
+ 0x58, 0xf4, 0x65, 0xce, 0x2f, 0x5f, 0x4b, 0x34, 0x1e, 0xa1,
+};
+
+static const uint8_t kTLSOutput_sha1[32] = {
+ 0xbb, 0x0a, 0x73, 0x52, 0xf8, 0x85, 0xd7, 0xbd, 0x12, 0x34, 0x78,
+ 0x3b, 0x54, 0x4c, 0x75, 0xfe, 0xd7, 0x23, 0x6e, 0x22, 0x3f, 0x42,
+ 0x34, 0x99, 0x57, 0x6b, 0x14, 0xc4, 0xc8, 0xae, 0x9f, 0x4c,
+};
+
+static const uint8_t kTLSOutput_sha224[32] = {
+ 0xdd, 0xaf, 0x6f, 0xaa, 0xd9, 0x2b, 0x3d, 0xb9, 0x46, 0x4c, 0x55,
+ 0x8a, 0xf7, 0xa6, 0x9b, 0x0b, 0x35, 0xcc, 0x07, 0xa7, 0x55, 0x5b,
+ 0x5e, 0x39, 0x12, 0xc0, 0xd4, 0x30, 0xdf, 0x0c, 0xdf, 0x6b,
+};
+
+static const uint8_t kTLSOutput_sha256[32] = {
+ 0x67, 0x85, 0xde, 0x60, 0xfc, 0x0a, 0x83, 0xe9, 0xa2, 0x2a, 0xb3,
+ 0xf0, 0x27, 0x0c, 0xba, 0xf7, 0xfa, 0x82, 0x3d, 0x14, 0x77, 0x1d,
+ 0x86, 0x29, 0x79, 0x39, 0x77, 0x8a, 0xd5, 0x0e, 0x9d, 0x32,
+};
+
+static const uint8_t kTLSOutput_sha384[32] = {
+ 0x75, 0x15, 0x3f, 0x44, 0x7a, 0xfd, 0x34, 0xed, 0x2b, 0x67, 0xbc,
+ 0xd8, 0x57, 0x96, 0xab, 0xff, 0xf4, 0x0c, 0x05, 0x94, 0x02, 0x23,
+ 0x81, 0xbf, 0x0e, 0xd2, 0xec, 0x7c, 0xe0, 0xa7, 0xc3, 0x7d,
+};
+
+static const uint8_t kTLSOutput_sha512[32] = {
+ 0x68, 0xb9, 0xc8, 0x4c, 0xf5, 0x51, 0xfc, 0x7a, 0x1f, 0x6c, 0xe5,
+ 0x43, 0x73, 0x80, 0x53, 0x7c, 0xae, 0x76, 0x55, 0x67, 0xe0, 0x79,
+ 0xbf, 0x3a, 0x53, 0x71, 0xb7, 0x9c, 0xb5, 0x03, 0x15, 0x3f,
+};
+
+static const uint8_t kAESGCMCiphertext_128[64 + 16] = {
+ 0x38, 0x71, 0xcb, 0x61, 0x70, 0x60, 0x13, 0x8b, 0x2f, 0x91, 0x09, 0x7f,
+ 0x83, 0x20, 0x0f, 0x1f, 0x71, 0xe2, 0x47, 0x46, 0x6f, 0x5f, 0xa8, 0xad,
+ 0xa8, 0xfc, 0x0a, 0xfd, 0x36, 0x65, 0x84, 0x90, 0x28, 0x2b, 0xcb, 0x4f,
+ 0x68, 0xae, 0x09, 0xba, 0xae, 0xdd, 0xdb, 0x91, 0xcc, 0x38, 0xb3, 0xad,
+ 0x10, 0x84, 0xb8, 0x45, 0x36, 0xf3, 0x96, 0xb4, 0xef, 0xba, 0xda, 0x10,
+ 0xf8, 0x8b, 0xf3, 0xda, 0x91, 0x1f, 0x8c, 0xd8, 0x39, 0x7b, 0x1c, 0xfd,
+ 0xe7, 0x99, 0x7d, 0xb7, 0x22, 0x69, 0x67, 0xbd,
+};
+
+static const uint8_t kAESGCMCiphertext_192[64 + 16] = {
+ 0x05, 0x63, 0x6e, 0xe4, 0xd1, 0x9f, 0xd0, 0x91, 0x18, 0xc9, 0xf8, 0xfd,
+ 0xc2, 0x62, 0x09, 0x05, 0x91, 0xb4, 0x92, 0x66, 0x18, 0xe7, 0x93, 0x6a,
+ 0xc7, 0xde, 0x81, 0x36, 0x93, 0x79, 0x45, 0x34, 0xc0, 0x6d, 0x14, 0x94,
+ 0x93, 0x39, 0x2b, 0x7f, 0x4f, 0x10, 0x1c, 0xa5, 0xfe, 0x3b, 0x37, 0xd7,
+ 0x0a, 0x98, 0xd7, 0xb5, 0xe0, 0xdc, 0xe4, 0x9f, 0x36, 0x40, 0xad, 0x03,
+ 0xbf, 0x53, 0xe0, 0x7c, 0x3f, 0x57, 0x4f, 0x80, 0x99, 0xe6, 0x90, 0x4e,
+ 0x59, 0x2e, 0xe0, 0x76, 0x53, 0x09, 0xc3, 0xd3,
+};
+
+static const uint8_t kAESGCMCiphertext_256[64 + 16] = {
+ 0x92, 0x5f, 0xae, 0x84, 0xe7, 0x40, 0xfa, 0x1e, 0xaf, 0x8f, 0x97, 0x0e,
+ 0x8e, 0xdd, 0x6a, 0x94, 0x22, 0xee, 0x4f, 0x70, 0x66, 0xbf, 0xb1, 0x99,
+ 0x05, 0xbd, 0xd0, 0xd7, 0x91, 0x54, 0xaf, 0xe1, 0x52, 0xc9, 0x4e, 0x55,
+ 0xa5, 0x23, 0x62, 0x8b, 0x23, 0x40, 0x90, 0x56, 0xe0, 0x68, 0x63, 0xe5,
+ 0x7e, 0x5b, 0xbe, 0x96, 0x7b, 0xc4, 0x16, 0xf9, 0xbe, 0x18, 0x06, 0x79,
+ 0x8f, 0x99, 0x35, 0xe3, 0x2a, 0x82, 0xb5, 0x5e, 0x8a, 0x06, 0xbe, 0x99,
+ 0x57, 0xb1, 0x76, 0xe1, 0xc5, 0xaa, 0x82, 0xe7,
+};
+
+static const struct AEADTestVector {
+ const char *name;
+ const EVP_AEAD *aead;
+ const uint8_t *key;
+ const int key_length;
+ const uint8_t *expected_ciphertext;
+ const int cipher_text_length;
+ const FIPSStatus expect_approved;
+ const bool test_repeat_nonce;
+} kAEADTestVectors[] = {
+ // Internal IV usage of AES-GCM is approved.
+ {
+ "AES-GCM 128-bit key internal iv test",
+ EVP_aead_aes_128_gcm_randnonce(),
+ kAESKey,
+ sizeof(kAESKey),
+ nullptr,
+ 0,
+ FIPSStatus::APPROVED,
+ false,
+ },
+ {
+ "AES-GCM 256-bit key internal iv test",
+ EVP_aead_aes_256_gcm_randnonce(),
+ kAESKey_256,
+ sizeof(kAESKey_256),
+ nullptr,
+ 0,
+ FIPSStatus::APPROVED,
+ false,
+ },
+ // External IV usage of AES-GCM is not approved unless used within a TLS
+ // context.
+ {
+ "Generic AES-GCM 128-bit key external iv test",
+ EVP_aead_aes_128_gcm(),
+ kAESKey,
+ sizeof(kAESKey),
+ kAESGCMCiphertext_128,
+ sizeof(kAESGCMCiphertext_128),
+ FIPSStatus::NOT_APPROVED,
+ false,
+ },
+ {
+ "Generic AES-GCM 192-bit key external iv test",
+ EVP_aead_aes_192_gcm(),
+ kAESKey_192,
+ 24,
+ kAESGCMCiphertext_192,
+ sizeof(kAESGCMCiphertext_192),
+ FIPSStatus::NOT_APPROVED,
+ false,
+ },
+ {
+ "Generic AES-GCM 256-bit key external iv test",
+ EVP_aead_aes_256_gcm(),
+ kAESKey_256,
+ sizeof(kAESKey_256),
+ kAESGCMCiphertext_256,
+ sizeof(kAESGCMCiphertext_256),
+ FIPSStatus::NOT_APPROVED,
+ false,
+ },
+ // External IV usage of AEAD AES-GCM APIs specific for TLS is approved.
+ {
+ "TLS1.2 AES-GCM 128-bit key external iv test",
+ EVP_aead_aes_128_gcm_tls12(),
+ kAESKey,
+ sizeof(kAESKey),
+ kAESGCMCiphertext_128,
+ sizeof(kAESGCMCiphertext_128),
+ FIPSStatus::APPROVED,
+ true,
+ },
+ {
+ "TLS1.2 AES-GCM 256-bit key external iv test",
+ EVP_aead_aes_256_gcm_tls12(),
+ kAESKey_256,
+ sizeof(kAESKey_256),
+ kAESGCMCiphertext_256,
+ sizeof(kAESGCMCiphertext_256),
+ FIPSStatus::APPROVED,
+ true,
+ },
+ {
+ "TLS1.3 AES-GCM 128-bit key external iv test",
+ EVP_aead_aes_128_gcm_tls13(),
+ kAESKey,
+ sizeof(kAESKey),
+ kAESGCMCiphertext_128,
+ sizeof(kAESGCMCiphertext_128),
+ FIPSStatus::APPROVED,
+ true,
+ },
+ {
+ "TLS1.3 AES-GCM 256-bit key external iv test",
+ EVP_aead_aes_256_gcm_tls13(),
+ kAESKey_256,
+ sizeof(kAESKey_256),
+ kAESGCMCiphertext_256,
+ sizeof(kAESGCMCiphertext_256),
+ FIPSStatus::APPROVED,
+ true,
+ },
+ // 128 bit keys with 32 bit tag lengths are approved for AES-CCM.
+ {
+ "AES-CCM 128-bit key test",
+ EVP_aead_aes_128_ccm_bluetooth(),
+ kAESKey,
+ sizeof(kAESKey),
+ kAESCCMCiphertext,
+ sizeof(kAESCCMCiphertext),
+ FIPSStatus::APPROVED,
+ false,
+ },
+};
+
+class AEADServiceIndicatorTest : public TestWithNoErrors<AEADTestVector> {};
+
+INSTANTIATE_TEST_SUITE_P(All, AEADServiceIndicatorTest,
+ testing::ValuesIn(kAEADTestVectors));
+
+TEST_P(AEADServiceIndicatorTest, EVP_AEAD) {
+ const AEADTestVector &test = GetParam();
+ SCOPED_TRACE(test.name);
+
+ FIPSStatus approved = FIPSStatus::NOT_APPROVED;
+
+ bssl::ScopedEVP_AEAD_CTX aead_ctx;
+ std::vector<uint8_t> nonce(EVP_AEAD_nonce_length(test.aead), 0);
+ std::vector<uint8_t> encrypt_output(256);
+ std::vector<uint8_t> decrypt_output(256);
+ size_t out_len;
+
+ // Test running the EVP_AEAD_CTX interfaces one by one directly, and check
+ // |EVP_AEAD_CTX_seal| and |EVP_AEAD_CTX_open| for approval at the end.
+ // |EVP_AEAD_CTX_init| should not be approved because the function does not
+ // indicate that a service has been fully completed yet.
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, EVP_AEAD_CTX_init(aead_ctx.get(), test.aead, test.key,
+ test.key_length, 0, nullptr)));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, EVP_AEAD_CTX_seal(aead_ctx.get(), encrypt_output.data(),
+ &out_len, encrypt_output.size(), nonce.data(),
+ EVP_AEAD_nonce_length(test.aead), kPlaintext,
+ sizeof(kPlaintext), nullptr, 0)));
+ EXPECT_EQ(approved, test.expect_approved);
+ encrypt_output.resize(out_len);
+ if (test.expected_ciphertext) {
+ EXPECT_EQ(Bytes(test.expected_ciphertext, test.cipher_text_length),
+ Bytes(encrypt_output));
+ }
+
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved,
+ EVP_AEAD_CTX_open(aead_ctx.get(), decrypt_output.data(), &out_len,
+ decrypt_output.size(), nonce.data(), nonce.size(),
+ encrypt_output.data(), out_len, nullptr, 0)));
+ // Decryption doesn't have nonce uniqueness requirements and so is always
+ // approved for approved key lengths.
+ EXPECT_EQ(approved, test.key_length != 24 ? FIPSStatus::APPROVED
+ : FIPSStatus::NOT_APPROVED);
+ decrypt_output.resize(out_len);
+ EXPECT_EQ(Bytes(kPlaintext), Bytes(decrypt_output));
+
+ // Second call when encrypting using the same nonce for AES-GCM TLS specific
+ // functions should fail and return |FIPSStatus::NOT_APPROVED|.
+ if (test.test_repeat_nonce) {
+ ASSERT_FALSE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved,
+ EVP_AEAD_CTX_seal(aead_ctx.get(), encrypt_output.data(), &out_len,
+ encrypt_output.size(), nonce.data(), nonce.size(),
+ kPlaintext, sizeof(kPlaintext), nullptr, 0)));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+ EXPECT_EQ(ERR_GET_REASON(ERR_get_error()), CIPHER_R_INVALID_NONCE);
+ }
+}
+
+static const struct CipherTestVector {
+ const EVP_CIPHER *cipher;
+ const uint8_t *key;
+ const int key_length;
+ const uint8_t *expected_ciphertext;
+ const int cipher_text_length;
+ const bool has_iv;
+ const FIPSStatus expect_approved;
+} kTestVectors[] = {
+ {
+ EVP_aes_128_ecb(),
+ kAESKey,
+ sizeof(kAESKey),
+ kAESECBCiphertext,
+ sizeof(kAESECBCiphertext),
+ false,
+ FIPSStatus::APPROVED,
+ },
+ {
+ EVP_aes_192_ecb(),
+ kAESKey_192,
+ sizeof(kAESKey_192),
+ kAESECBCiphertext_192,
+ sizeof(kAESECBCiphertext_192),
+ false,
+ FIPSStatus::APPROVED,
+ },
+ {
+ EVP_aes_256_ecb(),
+ kAESKey_256,
+ sizeof(kAESKey_256),
+ kAESECBCiphertext_256,
+ sizeof(kAESECBCiphertext_256),
+ false,
+ FIPSStatus::APPROVED,
+ },
+ {
+ EVP_aes_128_cbc(),
+ kAESKey,
+ sizeof(kAESKey),
+ kAESCBCCiphertext,
+ sizeof(kAESCBCCiphertext),
+ true,
+ FIPSStatus::APPROVED,
+ },
+ {
+ EVP_aes_192_cbc(),
+ kAESKey_192,
+ sizeof(kAESKey_192),
+ kAESCBCCiphertext_192,
+ sizeof(kAESCBCCiphertext_192),
+ true,
+ FIPSStatus::APPROVED,
+ },
+ {
+ EVP_aes_256_cbc(),
+ kAESKey_256,
+ sizeof(kAESKey_256),
+ kAESCBCCiphertext_256,
+ sizeof(kAESCBCCiphertext_256),
+ true,
+ FIPSStatus::APPROVED,
+ },
+ {
+ EVP_aes_128_ctr(),
+ kAESKey,
+ sizeof(kAESKey),
+ kAESCTRCiphertext,
+ sizeof(kAESCTRCiphertext),
+ true,
+ FIPSStatus::APPROVED,
+ },
+ {
+ EVP_aes_192_ctr(),
+ kAESKey_192,
+ sizeof(kAESKey_192),
+ kAESCTRCiphertext_192,
+ sizeof(kAESCTRCiphertext_192),
+ true,
+ FIPSStatus::APPROVED,
+ },
+ {
+ EVP_aes_256_ctr(),
+ kAESKey_256,
+ sizeof(kAESKey_256),
+ kAESCTRCiphertext_256,
+ sizeof(kAESCTRCiphertext_256),
+ true,
+ FIPSStatus::APPROVED,
+ },
+ {
+ EVP_aes_128_ofb(),
+ kAESKey,
+ sizeof(kAESKey),
+ kAESOFBCiphertext,
+ sizeof(kAESOFBCiphertext),
+ true,
+ FIPSStatus::NOT_APPROVED,
+ },
+ {
+ EVP_des_ede3(),
+ kAESKey_192,
+ sizeof(kAESKey_192),
+ kTDES_EDE3_CipherText,
+ sizeof(kTDES_EDE3_CipherText),
+ false,
+ FIPSStatus::NOT_APPROVED,
+ },
+ {
+ EVP_des_ede3_cbc(),
+ kAESKey_192,
+ sizeof(kAESKey_192),
+ kTDES_EDE3_CBCCipherText,
+ sizeof(kTDES_EDE3_CBCCipherText),
+ false,
+ FIPSStatus::NOT_APPROVED,
+ },
+};
+
+class EVPServiceIndicatorTest : public TestWithNoErrors<CipherTestVector> {};
+
+static void TestOperation(const EVP_CIPHER *cipher, bool encrypt,
+ const bssl::Span<const uint8_t> key,
+ const bssl::Span<const uint8_t> plaintext,
+ const bssl::Span<const uint8_t> ciphertext,
+ FIPSStatus expect_approved) {
+ FIPSStatus approved = FIPSStatus::NOT_APPROVED;
+ bssl::Span<const uint8_t> in, out;
+ if (encrypt) {
+ in = plaintext;
+ out = ciphertext;
+ } else {
+ in = ciphertext;
+ out = plaintext;
+ }
+
+ bssl::ScopedEVP_CIPHER_CTX ctx;
+ // Test running the EVP_Cipher interfaces one by one directly, and check
+ // |EVP_EncryptFinal_ex| and |EVP_DecryptFinal_ex| for approval at the end.
+ ASSERT_TRUE(EVP_CipherInit_ex(ctx.get(), cipher, nullptr, nullptr, nullptr,
+ encrypt ? 1 : 0));
+ ASSERT_LE(EVP_CIPHER_CTX_iv_length(ctx.get()), sizeof(kAESIV));
+
+ ASSERT_TRUE(EVP_CIPHER_CTX_set_key_length(ctx.get(), key.size()));
+ ASSERT_TRUE(EVP_CipherInit_ex(ctx.get(), cipher, nullptr, key.data(), kAESIV,
+ encrypt ? 1 : 0));
+ ASSERT_TRUE(EVP_CIPHER_CTX_set_padding(ctx.get(), 0));
+ std::vector<uint8_t> encrypt_result;
+ DoCipherFinal(ctx.get(), &encrypt_result, in, expect_approved);
+ EXPECT_EQ(Bytes(out), Bytes(encrypt_result));
+
+ // Test using the one-shot |EVP_Cipher| function for approval.
+ bssl::ScopedEVP_CIPHER_CTX ctx2;
+ uint8_t output[256];
+ ASSERT_TRUE(EVP_CipherInit_ex(ctx2.get(), cipher, nullptr, key.data(), kAESIV,
+ encrypt ? 1 : 0));
+ CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, EVP_Cipher(ctx2.get(), output, in.data(), in.size()));
+ EXPECT_EQ(approved, expect_approved);
+ EXPECT_EQ(Bytes(out), Bytes(output, in.size()));
+}
+
+INSTANTIATE_TEST_SUITE_P(All, EVPServiceIndicatorTest,
+ testing::ValuesIn(kTestVectors));
+
+TEST_P(EVPServiceIndicatorTest, EVP_Ciphers) {
+ const CipherTestVector &test = GetParam();
+
+ const EVP_CIPHER *cipher = test.cipher;
+ std::vector<uint8_t> key(test.key, test.key + test.key_length);
+ std::vector<uint8_t> plaintext(kPlaintext, kPlaintext + sizeof(kPlaintext));
+ std::vector<uint8_t> ciphertext(
+ test.expected_ciphertext,
+ test.expected_ciphertext + test.cipher_text_length);
+
+ TestOperation(cipher, true /* encrypt */, key, plaintext, ciphertext,
+ test.expect_approved);
+ TestOperation(cipher, false /* decrypt */, key, plaintext, ciphertext,
+ test.expect_approved);
+}
+
+static const struct DigestTestVector {
+ // name is the name of the digest test.
+ const char *name;
+ // length of digest.
+ const int length;
+ // func is the digest to test.
+ const EVP_MD *(*func)();
+ // one_shot_func is the convenience one-shot version of the digest.
+ uint8_t *(*one_shot_func)(const uint8_t *, size_t, uint8_t *);
+ // expected_digest is the expected digest.
+ const uint8_t *expected_digest;
+ // expected to be approved or not.
+ const FIPSStatus expect_approved;
+} kDigestTestVectors[] = {
+ {
+ "MD4",
+ MD4_DIGEST_LENGTH,
+ &EVP_md4,
+ &MD4,
+ kOutput_md4,
+ FIPSStatus::NOT_APPROVED,
+ },
+ {
+ "MD5",
+ MD5_DIGEST_LENGTH,
+ &EVP_md5,
+ &MD5,
+ kOutput_md5,
+ FIPSStatus::NOT_APPROVED,
+ },
+ {
+ "SHA-1",
+ SHA_DIGEST_LENGTH,
+ &EVP_sha1,
+ &SHA1,
+ kOutput_sha1,
+ FIPSStatus::APPROVED,
+ },
+ {
+ "SHA-224",
+ SHA224_DIGEST_LENGTH,
+ &EVP_sha224,
+ &SHA224,
+ kOutput_sha224,
+ FIPSStatus::APPROVED,
+ },
+ {
+ "SHA-256",
+ SHA256_DIGEST_LENGTH,
+ &EVP_sha256,
+ &SHA256,
+ kOutput_sha256,
+ FIPSStatus::APPROVED,
+ },
+ {
+ "SHA-384",
+ SHA384_DIGEST_LENGTH,
+ &EVP_sha384,
+ &SHA384,
+ kOutput_sha384,
+ FIPSStatus::APPROVED,
+ },
+ {
+ "SHA-512",
+ SHA512_DIGEST_LENGTH,
+ &EVP_sha512,
+ &SHA512,
+ kOutput_sha512,
+ FIPSStatus::APPROVED,
+ },
+ {
+ "SHA-512/256",
+ SHA512_256_DIGEST_LENGTH,
+ &EVP_sha512_256,
+ &SHA512_256,
+ kOutput_sha512_256,
+ FIPSStatus::APPROVED,
+ },
+};
+
+class EVPMDServiceIndicatorTest : public TestWithNoErrors<DigestTestVector> {};
+
+INSTANTIATE_TEST_SUITE_P(All, EVPMDServiceIndicatorTest,
+ testing::ValuesIn(kDigestTestVectors));
+
+TEST_P(EVPMDServiceIndicatorTest, EVP_Digests) {
+ const DigestTestVector &test = GetParam();
+ SCOPED_TRACE(test.name);
+
+ FIPSStatus approved = FIPSStatus::NOT_APPROVED;
+ bssl::ScopedEVP_MD_CTX ctx;
+ std::vector<uint8_t> digest(test.length);
+ unsigned digest_len;
+
+ // Test running the EVP_Digest interfaces one by one directly, and check
+ // |EVP_DigestFinal_ex| for approval at the end. |EVP_DigestInit_ex| and
+ // |EVP_DigestUpdate| should not be approved, because the functions do not
+ // indicate that a service has been fully completed yet.
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, EVP_DigestInit_ex(ctx.get(), test.func(), nullptr)));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, EVP_DigestUpdate(ctx.get(), kPlaintext, sizeof(kPlaintext))));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, EVP_DigestFinal_ex(ctx.get(), digest.data(), &digest_len)));
+ EXPECT_EQ(approved, test.expect_approved);
+ EXPECT_EQ(Bytes(test.expected_digest, digest_len), Bytes(digest));
+
+ // Test using the one-shot |EVP_Digest| function for approval.
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, EVP_Digest(kPlaintext, sizeof(kPlaintext), digest.data(),
+ &digest_len, test.func(), nullptr)));
+ EXPECT_EQ(approved, test.expect_approved);
+ EXPECT_EQ(Bytes(test.expected_digest, test.length), Bytes(digest));
+
+ // Test using the one-shot API for approval.
+ CALL_SERVICE_AND_CHECK_APPROVED(
+ approved,
+ test.one_shot_func(kPlaintext, sizeof(kPlaintext), digest.data()));
+ EXPECT_EQ(approved, test.expect_approved);
+ EXPECT_EQ(Bytes(test.expected_digest, test.length), Bytes(digest));
+}
+
+static const struct HMACTestVector {
+ // func is the hash function for HMAC to test.
+ const EVP_MD *(*func)(void);
+ // expected_digest is the expected digest.
+ const uint8_t *expected_digest;
+ // expected to be approved or not.
+ const FIPSStatus expect_approved;
+} kHMACTestVectors[] = {
+ {EVP_sha1, kHMACOutput_sha1, FIPSStatus::APPROVED},
+ {EVP_sha224, kHMACOutput_sha224, FIPSStatus::APPROVED},
+ {EVP_sha256, kHMACOutput_sha256, FIPSStatus::APPROVED},
+ {EVP_sha384, kHMACOutput_sha384, FIPSStatus::APPROVED},
+ {EVP_sha512, kHMACOutput_sha512, FIPSStatus::APPROVED},
+ {EVP_sha512_256, kHMACOutput_sha512_256, FIPSStatus::APPROVED},
+};
+
+class HMACServiceIndicatorTest : public TestWithNoErrors<HMACTestVector> {};
+
+INSTANTIATE_TEST_SUITE_P(All, HMACServiceIndicatorTest,
+ testing::ValuesIn(kHMACTestVectors));
+
+TEST_P(HMACServiceIndicatorTest, HMACTest) {
+ const HMACTestVector &test = GetParam();
+
+ FIPSStatus approved = FIPSStatus::NOT_APPROVED;
+ // The key is deliberately long in order to trigger digesting it down to a
+ // block size. This tests that doing so does not cause the indicator to be
+ // mistakenly set in |HMAC_Init_ex|.
+ const uint8_t kHMACKey[512] = {0};
+ const EVP_MD *const digest = test.func();
+ const unsigned expected_mac_len = EVP_MD_size(digest);
+ std::vector<uint8_t> mac(expected_mac_len);
+
+ // Test running the HMAC interfaces one by one directly, and check
+ // |HMAC_Final| for approval at the end. |HMAC_Init_ex| and |HMAC_Update|
+ // should not be approved, because the functions do not indicate that a
+ // service has been fully completed yet.
+ unsigned mac_len;
+ bssl::ScopedHMAC_CTX ctx;
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved,
+ HMAC_Init_ex(ctx.get(), kHMACKey, sizeof(kHMACKey), digest, nullptr)));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, HMAC_Update(ctx.get(), kPlaintext, sizeof(kPlaintext))));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, HMAC_Final(ctx.get(), mac.data(), &mac_len)));
+ EXPECT_EQ(approved, test.expect_approved);
+ EXPECT_EQ(Bytes(test.expected_digest, expected_mac_len),
+ Bytes(mac.data(), mac_len));
+
+ // Test using the one-shot API for approval.
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, HMAC(digest, kHMACKey, sizeof(kHMACKey), kPlaintext,
+ sizeof(kPlaintext), mac.data(), &mac_len)));
+ EXPECT_EQ(approved, test.expect_approved);
+ EXPECT_EQ(Bytes(test.expected_digest, expected_mac_len),
+ Bytes(mac.data(), mac_len));
+}
+
+// RSA tests are not parameterized with the |kRSATestVectors| as key
+// generation for RSA is time consuming.
+TEST(ServiceIndicatorTest, RSAKeyGen) {
+ FIPSStatus approved = FIPSStatus::NOT_APPROVED;
+ bssl::UniquePtr<RSA> rsa(RSA_new());
+ ASSERT_TRUE(rsa);
+
+ // |RSA_generate_key_fips| may only be used for 2048-, 3072-, and 4096-bit
+ // keys.
+ for (const size_t bits : {512, 1024, 3071, 4095}) {
+ SCOPED_TRACE(bits);
+
+ rsa.reset(RSA_new());
+ EXPECT_FALSE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, RSA_generate_key_fips(rsa.get(), bits, nullptr)));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+ }
+
+ // Test that we can generate keys of the supported lengths:
+ for (const size_t bits : {2048, 3072, 4096}) {
+ SCOPED_TRACE(bits);
+
+ rsa.reset(RSA_new());
+ EXPECT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, RSA_generate_key_fips(rsa.get(), bits, nullptr)));
+ EXPECT_EQ(approved, FIPSStatus::APPROVED);
+ EXPECT_EQ(bits, BN_num_bits(rsa->n));
+ }
+
+ // Test running the EVP_PKEY_keygen interfaces one by one directly, and check
+ // |EVP_PKEY_keygen| for approval at the end. |EVP_PKEY_keygen_init| should
+ // not be approved because it does not indicate an entire service has been
+ // completed.
+ bssl::UniquePtr<EVP_PKEY_CTX> ctx(EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, nullptr));
+ EVP_PKEY *raw = nullptr;
+ bssl::UniquePtr<EVP_PKEY> pkey(raw);
+ ASSERT_TRUE(ctx);
+
+ if (kEVPKeyGenShouldCallFIPSFunctions) {
+ // Test unapproved key sizes of RSA.
+ for (const size_t bits : {512, 1024, 3071, 4095}) {
+ SCOPED_TRACE(bits);
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, EVP_PKEY_keygen_init(ctx.get())));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+ ASSERT_TRUE(EVP_PKEY_CTX_set_rsa_keygen_bits(ctx.get(), bits));
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, EVP_PKEY_keygen(ctx.get(), &raw)));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+ pkey.reset(raw);
+ raw = nullptr;
+ }
+
+ // Test approved key sizes of RSA.
+ for (const size_t bits : {2048, 3072, 4096}) {
+ SCOPED_TRACE(bits);
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, EVP_PKEY_keygen_init(ctx.get())));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+ ASSERT_TRUE(EVP_PKEY_CTX_set_rsa_keygen_bits(ctx.get(), bits));
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, EVP_PKEY_keygen(ctx.get(), &raw)));
+ EXPECT_EQ(approved, FIPSStatus::APPROVED);
+ pkey.reset(raw);
+ raw = nullptr;
+ }
+ }
+}
+
+struct RSATestVector {
+ // key_size is the input rsa key size.
+ int key_size;
+ // md_func is the digest to test.
+ const EVP_MD *(*func)();
+ // whether to use pss testing or not.
+ bool use_pss;
+ // expected to be approved or not for signature generation.
+ FIPSStatus sig_gen_expect_approved;
+ // expected to be approved or not for signature verification.
+ FIPSStatus sig_ver_expect_approved;
+};
+
+static const struct RSATestVector kRSATestVectors[] = {
+ // RSA test cases that are not approved in any case.
+ {512, &EVP_sha1, false, FIPSStatus::NOT_APPROVED, FIPSStatus::NOT_APPROVED},
+ // PSS with hashLen == saltLen is not possible for 512-bit modulus.
+ {1024, &EVP_md5, false, FIPSStatus::NOT_APPROVED, FIPSStatus::NOT_APPROVED},
+ {1536, &EVP_sha256, false, FIPSStatus::NOT_APPROVED,
+ FIPSStatus::NOT_APPROVED},
+ {1536, &EVP_sha512, true, FIPSStatus::NOT_APPROVED,
+ FIPSStatus::NOT_APPROVED},
+ {2048, &EVP_md5, false, FIPSStatus::NOT_APPROVED, FIPSStatus::NOT_APPROVED},
+ {3071, &EVP_md5, true, FIPSStatus::NOT_APPROVED, FIPSStatus::NOT_APPROVED},
+ {3071, &EVP_sha256, false, FIPSStatus::NOT_APPROVED,
+ FIPSStatus::NOT_APPROVED},
+ {3071, &EVP_sha512, true, FIPSStatus::NOT_APPROVED,
+ FIPSStatus::NOT_APPROVED},
+ {4096, &EVP_md5, false, FIPSStatus::NOT_APPROVED, FIPSStatus::NOT_APPROVED},
+
+ // RSA test cases that are approved.
+ {1024, &EVP_sha1, false, FIPSStatus::NOT_APPROVED, FIPSStatus::APPROVED},
+ {1024, &EVP_sha256, false, FIPSStatus::NOT_APPROVED, FIPSStatus::APPROVED},
+ {1024, &EVP_sha512, false, FIPSStatus::NOT_APPROVED, FIPSStatus::APPROVED},
+ {1024, &EVP_sha1, true, FIPSStatus::NOT_APPROVED, FIPSStatus::APPROVED},
+ {1024, &EVP_sha256, true, FIPSStatus::NOT_APPROVED, FIPSStatus::APPROVED},
+ // PSS with hashLen == saltLen is not possible for 1024-bit modulus and
+ // SHA-512.
+
+ {2048, &EVP_sha1, false, FIPSStatus::NOT_APPROVED, FIPSStatus::APPROVED},
+ {2048, &EVP_sha224, false, FIPSStatus::APPROVED, FIPSStatus::APPROVED},
+ {2048, &EVP_sha256, false, FIPSStatus::APPROVED, FIPSStatus::APPROVED},
+ {2048, &EVP_sha384, false, FIPSStatus::APPROVED, FIPSStatus::APPROVED},
+ {2048, &EVP_sha512, false, FIPSStatus::APPROVED, FIPSStatus::APPROVED},
+ {2048, &EVP_sha1, true, FIPSStatus::NOT_APPROVED, FIPSStatus::APPROVED},
+ {2048, &EVP_sha224, true, FIPSStatus::APPROVED, FIPSStatus::APPROVED},
+ {2048, &EVP_sha256, true, FIPSStatus::APPROVED, FIPSStatus::APPROVED},
+ {2048, &EVP_sha384, true, FIPSStatus::APPROVED, FIPSStatus::APPROVED},
+ {2048, &EVP_sha512, true, FIPSStatus::APPROVED, FIPSStatus::APPROVED},
+
+ {3072, &EVP_sha1, false, FIPSStatus::NOT_APPROVED, FIPSStatus::APPROVED},
+ {3072, &EVP_sha224, false, FIPSStatus::APPROVED, FIPSStatus::APPROVED},
+ {3072, &EVP_sha256, false, FIPSStatus::APPROVED, FIPSStatus::APPROVED},
+ {3072, &EVP_sha384, false, FIPSStatus::APPROVED, FIPSStatus::APPROVED},
+ {3072, &EVP_sha512, false, FIPSStatus::APPROVED, FIPSStatus::APPROVED},
+ {3072, &EVP_sha1, true, FIPSStatus::NOT_APPROVED, FIPSStatus::APPROVED},
+ {3072, &EVP_sha224, true, FIPSStatus::APPROVED, FIPSStatus::APPROVED},
+ {3072, &EVP_sha256, true, FIPSStatus::APPROVED, FIPSStatus::APPROVED},
+ {3072, &EVP_sha384, true, FIPSStatus::APPROVED, FIPSStatus::APPROVED},
+ {3072, &EVP_sha512, true, FIPSStatus::APPROVED, FIPSStatus::APPROVED},
+
+ {4096, &EVP_sha1, false, FIPSStatus::NOT_APPROVED, FIPSStatus::APPROVED},
+ {4096, &EVP_sha224, false, FIPSStatus::APPROVED, FIPSStatus::APPROVED},
+ {4096, &EVP_sha256, false, FIPSStatus::APPROVED, FIPSStatus::APPROVED},
+ {4096, &EVP_sha384, false, FIPSStatus::APPROVED, FIPSStatus::APPROVED},
+ {4096, &EVP_sha512, false, FIPSStatus::APPROVED, FIPSStatus::APPROVED},
+ {4096, &EVP_sha1, true, FIPSStatus::NOT_APPROVED, FIPSStatus::APPROVED},
+ {4096, &EVP_sha224, true, FIPSStatus::APPROVED, FIPSStatus::APPROVED},
+ {4096, &EVP_sha256, true, FIPSStatus::APPROVED, FIPSStatus::APPROVED},
+ {4096, &EVP_sha384, true, FIPSStatus::APPROVED, FIPSStatus::APPROVED},
+ {4096, &EVP_sha512, true, FIPSStatus::APPROVED, FIPSStatus::APPROVED},
+};
+
+class RSAServiceIndicatorTest : public TestWithNoErrors<RSATestVector> {};
+
+INSTANTIATE_TEST_SUITE_P(All, RSAServiceIndicatorTest,
+ testing::ValuesIn(kRSATestVectors));
+
+static std::map<unsigned, bssl::UniquePtr<RSA>> &CachedRSAKeys() {
+ static std::map<unsigned, bssl::UniquePtr<RSA>> keys;
+ return keys;
+}
+
+static RSA *GetRSAKey(unsigned bits) {
+ auto it = CachedRSAKeys().find(bits);
+ if (it != CachedRSAKeys().end()) {
+ return it->second.get();
+ }
+
+ bssl::UniquePtr<BIGNUM> e(BN_new());
+ if (!e || !BN_set_word(e.get(), RSA_F4)) {
+ abort();
+ }
+
+ bssl::UniquePtr<RSA> key(RSA_new());
+ if (!key || !RSA_generate_key_ex(key.get(), bits, e.get(), nullptr)) {
+ abort();
+ }
+
+ RSA *const ret = key.get();
+ CachedRSAKeys().emplace(static_cast<unsigned>(bits), std::move(key));
+
+ return ret;
+}
+
+TEST_P(RSAServiceIndicatorTest, RSASigGen) {
+ const RSATestVector &test = GetParam();
+ SCOPED_TRACE(test.key_size);
+
+ bssl::UniquePtr<EVP_PKEY> pkey(EVP_PKEY_new());
+ ASSERT_TRUE(pkey);
+
+ RSA *const rsa = GetRSAKey(test.key_size);
+ ASSERT_TRUE(EVP_PKEY_set1_RSA(pkey.get(), rsa));
+
+ // Test running the EVP_DigestSign interfaces one by one directly, and check
+ // |EVP_DigestSignFinal| for approval at the end. |EVP_DigestSignInit|, and
+ // |EVP_DigestSignUpdate| should not be approved because they do not indicate
+ // an entire service has been completed.
+ FIPSStatus approved = FIPSStatus::NOT_APPROVED;
+ bssl::ScopedEVP_MD_CTX md_ctx;
+ EVP_PKEY_CTX *pctx = nullptr;
+ size_t sig_len;
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, EVP_DigestSignInit(md_ctx.get(), &pctx, test.func(), nullptr,
+ pkey.get())));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+ if (test.use_pss) {
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+ }
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved,
+ EVP_DigestSignUpdate(md_ctx.get(), kPlaintext, sizeof(kPlaintext))));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+ // Determine the size of the signature. The first call of
+ // |EVP_DigestSignFinal| should not return an approval check because no crypto
+ // is being done when |nullptr| is inputted in the |*out_sig| field.
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, EVP_DigestSignFinal(md_ctx.get(), nullptr, &sig_len)));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+ std::vector<uint8_t> signature(sig_len);
+ // The second call performs the actual operation.
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, EVP_DigestSignFinal(md_ctx.get(), signature.data(), &sig_len)));
+ EXPECT_EQ(approved, test.sig_gen_expect_approved);
+
+ // Test using the one-shot |EVP_DigestSign| function for approval.
+ md_ctx.Reset();
+ std::vector<uint8_t> oneshot_output(sig_len);
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, EVP_DigestSignInit(md_ctx.get(), &pctx, test.func(), nullptr,
+ pkey.get())));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+ if (test.use_pss) {
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+ }
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, EVP_DigestSign(md_ctx.get(), oneshot_output.data(), &sig_len,
+ kPlaintext, sizeof(kPlaintext))));
+ EXPECT_EQ(approved, test.sig_gen_expect_approved);
+
+ if (test.use_pss) {
+ // Odd configurations of PSS, for example where the salt length is not equal
+ // to the hash length, are not approved.
+ md_ctx.Reset();
+ ASSERT_TRUE(EVP_DigestSignInit(md_ctx.get(), &pctx, test.func(), nullptr,
+ pkey.get()));
+ ASSERT_TRUE(EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING));
+ ASSERT_TRUE(EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, 10));
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, EVP_DigestSign(md_ctx.get(), oneshot_output.data(), &sig_len,
+ kPlaintext, sizeof(kPlaintext))));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+ }
+}
+
+TEST_P(RSAServiceIndicatorTest, RSASigVer) {
+ const RSATestVector &test = GetParam();
+
+ bssl::UniquePtr<EVP_PKEY> pkey(EVP_PKEY_new());
+ RSA *const rsa = GetRSAKey(test.key_size);
+
+ ASSERT_TRUE(pkey);
+ ASSERT_TRUE(EVP_PKEY_set1_RSA(pkey.get(), rsa));
+
+ std::vector<uint8_t> signature;
+ size_t sig_len;
+ bssl::ScopedEVP_MD_CTX md_ctx;
+ EVP_PKEY_CTX *pctx = nullptr;
+ ASSERT_TRUE(EVP_DigestSignInit(md_ctx.get(), &pctx, test.func(), nullptr,
+ pkey.get()));
+ if (test.use_pss) {
+ ASSERT_TRUE(EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING));
+ ASSERT_TRUE(EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1));
+ }
+ ASSERT_TRUE(EVP_DigestSign(md_ctx.get(), nullptr, &sig_len, nullptr, 0));
+ signature.resize(sig_len);
+ ASSERT_TRUE(EVP_DigestSign(md_ctx.get(), signature.data(), &sig_len,
+ kPlaintext, sizeof(kPlaintext)));
+ signature.resize(sig_len);
+
+ // Service Indicator approval checks for RSA signature verification.
+
+ // Test running the EVP_DigestVerify interfaces one by one directly, and check
+ // |EVP_DigestVerifyFinal| for approval at the end. |EVP_DigestVerifyInit|,
+ // |EVP_DigestVerifyUpdate| should not be approved because they do not
+ // indicate an entire service has been done.
+ FIPSStatus approved = FIPSStatus::NOT_APPROVED;
+ md_ctx.Reset();
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, EVP_DigestVerifyInit(md_ctx.get(), &pctx, test.func(), nullptr,
+ pkey.get())));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+ if (test.use_pss) {
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+ ASSERT_TRUE(EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1));
+ }
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved,
+ EVP_DigestVerifyUpdate(md_ctx.get(), kPlaintext, sizeof(kPlaintext))));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved,
+ EVP_DigestVerifyFinal(md_ctx.get(), signature.data(), signature.size())));
+ EXPECT_EQ(approved, test.sig_ver_expect_approved);
+
+ // Test using the one-shot |EVP_DigestVerify| function for approval.
+ md_ctx.Reset();
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, EVP_DigestVerifyInit(md_ctx.get(), &pctx, test.func(), nullptr,
+ pkey.get())));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+ if (test.use_pss) {
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+ ASSERT_TRUE(EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1));
+ }
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved,
+ EVP_DigestVerify(md_ctx.get(), signature.data(), signature.size(),
+ kPlaintext, sizeof(kPlaintext))));
+ EXPECT_EQ(approved, test.sig_ver_expect_approved);
+}
+
+struct ECDSATestVector {
+ // nid is the input curve nid.
+ int nid;
+ // md_func is the digest to test.
+ const EVP_MD *(*func)();
+ // expected to be approved or not for signature generation.
+ FIPSStatus key_check_expect_approved;
+ // expected to be approved or not for signature generation.
+ FIPSStatus sig_gen_expect_approved;
+ // expected to be approved or not for signature verification.
+ FIPSStatus sig_ver_expect_approved;
+};
+
+static const struct ECDSATestVector kECDSATestVectors[] = {
+ // Only the following NIDs for |EC_GROUP| are creatable with
+ // |EC_GROUP_new_by_curve_name|, and |NID_secp256k1| will only work if
+ // |kCurveSecp256k1Supported| is true.
+ {NID_secp224r1, &EVP_sha1, FIPSStatus::APPROVED, FIPSStatus::NOT_APPROVED,
+ FIPSStatus::APPROVED},
+ {NID_secp224r1, &EVP_sha224, FIPSStatus::APPROVED, FIPSStatus::APPROVED,
+ FIPSStatus::APPROVED},
+ {NID_secp224r1, &EVP_sha256, FIPSStatus::APPROVED, FIPSStatus::APPROVED,
+ FIPSStatus::APPROVED},
+ {NID_secp224r1, &EVP_sha384, FIPSStatus::APPROVED, FIPSStatus::APPROVED,
+ FIPSStatus::APPROVED},
+ {NID_secp224r1, &EVP_sha512, FIPSStatus::APPROVED, FIPSStatus::APPROVED,
+ FIPSStatus::APPROVED},
+
+ {NID_X9_62_prime256v1, &EVP_sha1, FIPSStatus::APPROVED,
+ FIPSStatus::NOT_APPROVED, FIPSStatus::APPROVED},
+ {NID_X9_62_prime256v1, &EVP_sha224, FIPSStatus::APPROVED,
+ FIPSStatus::APPROVED, FIPSStatus::APPROVED},
+ {NID_X9_62_prime256v1, &EVP_sha256, FIPSStatus::APPROVED,
+ FIPSStatus::APPROVED, FIPSStatus::APPROVED},
+ {NID_X9_62_prime256v1, &EVP_sha384, FIPSStatus::APPROVED,
+ FIPSStatus::APPROVED, FIPSStatus::APPROVED},
+ {NID_X9_62_prime256v1, &EVP_sha512, FIPSStatus::APPROVED,
+ FIPSStatus::APPROVED, FIPSStatus::APPROVED},
+
+ {NID_secp384r1, &EVP_sha1, FIPSStatus::APPROVED, FIPSStatus::NOT_APPROVED,
+ FIPSStatus::APPROVED},
+ {NID_secp384r1, &EVP_sha224, FIPSStatus::APPROVED, FIPSStatus::APPROVED,
+ FIPSStatus::APPROVED},
+ {NID_secp384r1, &EVP_sha256, FIPSStatus::APPROVED, FIPSStatus::APPROVED,
+ FIPSStatus::APPROVED},
+ {NID_secp384r1, &EVP_sha384, FIPSStatus::APPROVED, FIPSStatus::APPROVED,
+ FIPSStatus::APPROVED},
+ {NID_secp384r1, &EVP_sha512, FIPSStatus::APPROVED, FIPSStatus::APPROVED,
+ FIPSStatus::APPROVED},
+
+ {NID_secp521r1, &EVP_sha1, FIPSStatus::APPROVED, FIPSStatus::NOT_APPROVED,
+ FIPSStatus::APPROVED},
+ {NID_secp521r1, &EVP_sha224, FIPSStatus::APPROVED, FIPSStatus::APPROVED,
+ FIPSStatus::APPROVED},
+ {NID_secp521r1, &EVP_sha256, FIPSStatus::APPROVED, FIPSStatus::APPROVED,
+ FIPSStatus::APPROVED},
+ {NID_secp521r1, &EVP_sha384, FIPSStatus::APPROVED, FIPSStatus::APPROVED,
+ FIPSStatus::APPROVED},
+ {NID_secp521r1, &EVP_sha512, FIPSStatus::APPROVED, FIPSStatus::APPROVED,
+ FIPSStatus::APPROVED},
+
+ {NID_secp256k1, &EVP_sha1, FIPSStatus::NOT_APPROVED,
+ FIPSStatus::NOT_APPROVED, FIPSStatus::NOT_APPROVED},
+ {NID_secp256k1, &EVP_sha224, FIPSStatus::NOT_APPROVED,
+ FIPSStatus::NOT_APPROVED, FIPSStatus::NOT_APPROVED},
+ {NID_secp256k1, &EVP_sha256, FIPSStatus::NOT_APPROVED,
+ FIPSStatus::NOT_APPROVED, FIPSStatus::NOT_APPROVED},
+ {NID_secp256k1, &EVP_sha384, FIPSStatus::NOT_APPROVED,
+ FIPSStatus::NOT_APPROVED, FIPSStatus::NOT_APPROVED},
+ {NID_secp256k1, &EVP_sha512, FIPSStatus::NOT_APPROVED,
+ FIPSStatus::NOT_APPROVED, FIPSStatus::NOT_APPROVED},
+};
+
+class ECDSAServiceIndicatorTest : public TestWithNoErrors<ECDSATestVector> {};
+
+INSTANTIATE_TEST_SUITE_P(All, ECDSAServiceIndicatorTest,
+ testing::ValuesIn(kECDSATestVectors));
+
+TEST_P(ECDSAServiceIndicatorTest, ECDSAKeyCheck) {
+ const ECDSATestVector &test = GetParam();
+ if (test.nid == NID_secp256k1 && !kCurveSecp256k1Supported) {
+ GTEST_SKIP();
+ }
+
+ FIPSStatus approved = FIPSStatus::NOT_APPROVED;
+
+ // Test service indicator approval for |EC_KEY_generate_key_fips| and
+ // |EC_KEY_check_fips|.
+ bssl::UniquePtr<EC_KEY> key(EC_KEY_new_by_curve_name(test.nid));
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, EC_KEY_generate_key_fips(key.get())));
+ EXPECT_EQ(approved, test.key_check_expect_approved);
+ ASSERT_TRUE(
+ CALL_SERVICE_AND_CHECK_APPROVED(approved, EC_KEY_check_fips(key.get())));
+ EXPECT_EQ(approved, test.key_check_expect_approved);
+
+ // See if |EC_KEY_check_fips| still returns approval with only the public
+ // component.
+ bssl::UniquePtr<EC_KEY> key_only_public(EC_KEY_new_by_curve_name(test.nid));
+ ASSERT_TRUE(EC_KEY_set_public_key(key_only_public.get(),
+ EC_KEY_get0_public_key(key.get())));
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, EC_KEY_check_fips(key_only_public.get())));
+ EXPECT_EQ(approved, test.key_check_expect_approved);
+
+ if (kEVPKeyGenShouldCallFIPSFunctions) {
+ // Test running the EVP_PKEY_keygen interfaces one by one directly, and
+ // check |EVP_PKEY_keygen| for approval at the end. |EVP_PKEY_keygen_init|
+ // should not be approved because it does not indicate that an entire
+ // service has been completed.
+ bssl::UniquePtr<EVP_PKEY_CTX> ctx(
+ EVP_PKEY_CTX_new_id(EVP_PKEY_EC, nullptr));
+ EVP_PKEY *raw = nullptr;
+ ASSERT_TRUE(ctx);
+ ASSERT_TRUE(EVP_PKEY_keygen_init(ctx.get()));
+ ASSERT_TRUE(EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx.get(), test.nid));
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, EVP_PKEY_keygen(ctx.get(), &raw)));
+ EXPECT_EQ(approved, test.key_check_expect_approved);
+
+ EVP_PKEY_free(raw);
+ }
+}
+
+TEST_P(ECDSAServiceIndicatorTest, ECDSASigGen) {
+ const ECDSATestVector &test = GetParam();
+ if (test.nid == NID_secp256k1 && !kCurveSecp256k1Supported) {
+ GTEST_SKIP();
+ }
+
+ FIPSStatus approved = FIPSStatus::NOT_APPROVED;
+
+ bssl::UniquePtr<EC_GROUP> group(EC_GROUP_new_by_curve_name(test.nid));
+ bssl::UniquePtr<EC_KEY> eckey(EC_KEY_new());
+ bssl::UniquePtr<EVP_PKEY> pkey(EVP_PKEY_new());
+ bssl::ScopedEVP_MD_CTX md_ctx;
+ ASSERT_TRUE(eckey);
+ ASSERT_TRUE(EC_KEY_set_group(eckey.get(), group.get()));
+
+ // Generate a generic EC key.
+ ASSERT_TRUE(EC_KEY_generate_key(eckey.get()));
+ ASSERT_TRUE(EVP_PKEY_set1_EC_KEY(pkey.get(), eckey.get()));
+
+ // Test running the EVP_DigestSign interfaces one by one directly, and check
+ // |EVP_DigestSignFinal| for approval at the end. |EVP_DigestSignInit|,
+ // |EVP_DigestSignUpdate| should not be approved because they do not indicate
+ // an entire service has been done.
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, EVP_DigestSignInit(md_ctx.get(), nullptr, test.func(), nullptr,
+ pkey.get())));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved,
+ EVP_DigestSignUpdate(md_ctx.get(), kPlaintext, sizeof(kPlaintext))));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+ // Determine the size of the signature. The first call of
+ // |EVP_DigestSignFinal| should not return an approval check because no crypto
+ // is being done when |nullptr| is given as the |out_sig| field.
+ size_t max_sig_len;
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, EVP_DigestSignFinal(md_ctx.get(), nullptr, &max_sig_len)));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+ std::vector<uint8_t> signature(max_sig_len);
+ // The second call performs the actual operation.
+ size_t sig_len = max_sig_len;
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, EVP_DigestSignFinal(md_ctx.get(), signature.data(), &sig_len)));
+ ASSERT_LE(sig_len, signature.size());
+ EXPECT_EQ(approved, test.sig_gen_expect_approved);
+
+ // Test using the one-shot |EVP_DigestSign| function for approval.
+ md_ctx.Reset();
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, EVP_DigestSignInit(md_ctx.get(), nullptr, test.func(), nullptr,
+ pkey.get())));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+ sig_len = max_sig_len;
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, EVP_DigestSign(md_ctx.get(), signature.data(), &sig_len,
+ kPlaintext, sizeof(kPlaintext))));
+ ASSERT_LE(sig_len, signature.size());
+ EXPECT_EQ(approved, test.sig_gen_expect_approved);
+}
+
+TEST_P(ECDSAServiceIndicatorTest, ECDSASigVer) {
+ const ECDSATestVector &test = GetParam();
+ if (test.nid == NID_secp256k1 && !kCurveSecp256k1Supported) {
+ GTEST_SKIP();
+ }
+
+ FIPSStatus approved = FIPSStatus::NOT_APPROVED;
+
+ bssl::UniquePtr<EC_GROUP> group(EC_GROUP_new_by_curve_name(test.nid));
+ bssl::UniquePtr<EC_KEY> eckey(EC_KEY_new());
+ bssl::UniquePtr<EVP_PKEY> pkey(EVP_PKEY_new());
+ bssl::ScopedEVP_MD_CTX md_ctx;
+ ASSERT_TRUE(eckey);
+ ASSERT_TRUE(EC_KEY_set_group(eckey.get(), group.get()));
+
+ // Generate ECDSA signatures for ECDSA verification.
+ ASSERT_TRUE(EC_KEY_generate_key(eckey.get()));
+ ASSERT_TRUE(EVP_PKEY_set1_EC_KEY(pkey.get(), eckey.get()));
+ std::vector<uint8_t> signature;
+ size_t sig_len = 0;
+ ASSERT_TRUE(EVP_DigestSignInit(md_ctx.get(), nullptr, test.func(), nullptr,
+ pkey.get()));
+ ASSERT_TRUE(EVP_DigestSignFinal(md_ctx.get(), nullptr, &sig_len));
+ signature.resize(sig_len);
+ ASSERT_TRUE(EVP_DigestSign(md_ctx.get(), signature.data(), &sig_len,
+ kPlaintext, sizeof(kPlaintext)));
+ signature.resize(sig_len);
+
+ // Service Indicator approval checks for ECDSA signature verification.
+
+ // Test running the EVP_DigestVerify interfaces one by one directly, and check
+ // |EVP_DigestVerifyFinal| for approval at the end. |EVP_DigestVerifyInit|,
+ // |EVP_DigestVerifyUpdate| should not be approved because they do not
+ // indicate an entire service has been done.
+ md_ctx.Reset();
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, EVP_DigestVerifyInit(md_ctx.get(), nullptr, test.func(),
+ nullptr, pkey.get())));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved,
+ EVP_DigestVerifyUpdate(md_ctx.get(), kPlaintext, sizeof(kPlaintext))));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved,
+ EVP_DigestVerifyFinal(md_ctx.get(), signature.data(), signature.size())));
+ EXPECT_EQ(approved, test.sig_ver_expect_approved);
+
+ // Test using the one-shot |EVP_DigestVerify| function for approval.
+ md_ctx.Reset();
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, EVP_DigestVerifyInit(md_ctx.get(), nullptr, test.func(),
+ nullptr, pkey.get())));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved,
+ EVP_DigestVerify(md_ctx.get(), signature.data(), signature.size(),
+ kPlaintext, sizeof(kPlaintext))));
+ EXPECT_EQ(approved, test.sig_ver_expect_approved);
+}
+
+#if defined(AWSLC_FIPS)
+
+// Test that |EVP_DigestSignFinal| and |EVP_DigestSignVerify| are approved with
+// manually constructing using the context setting functions.
+TEST_P(ECDSAServiceIndicatorTest, ManualECDSASignVerify) {
+ const ECDSATestVector &test = GetParam();
+
+ FIPSStatus approved = FIPSStatus::NOT_APPROVED;
+
+ bssl::ScopedEVP_MD_CTX ctx;
+ ASSERT_TRUE(EVP_DigestInit(ctx.get(), test.func()));
+ ASSERT_TRUE(EVP_DigestUpdate(ctx.get(), kPlaintext, sizeof(kPlaintext)));
+
+ bssl::UniquePtr<EC_GROUP> group(EC_GROUP_new_by_curve_name(test.nid));
+ bssl::UniquePtr<EC_KEY> eckey(EC_KEY_new());
+ bssl::UniquePtr<EVP_PKEY> pkey(EVP_PKEY_new());
+ bssl::ScopedEVP_MD_CTX md_ctx;
+ ASSERT_TRUE(eckey);
+ ASSERT_TRUE(EC_KEY_set_group(eckey.get(), group.get()));
+
+ // Generate a generic ec key.
+ EC_KEY_generate_key(eckey.get());
+ ASSERT_TRUE(EVP_PKEY_set1_EC_KEY(pkey.get(), eckey.get()));
+
+ // Manual construction for signing.
+ bssl::UniquePtr<EVP_PKEY_CTX> pctx(EVP_PKEY_CTX_new(pkey.get(), nullptr));
+ ASSERT_TRUE(EVP_PKEY_sign_init(pctx.get()));
+ ASSERT_TRUE(EVP_PKEY_CTX_set_signature_md(pctx.get(), test.func()));
+ EVP_MD_CTX_set_pkey_ctx(ctx.get(), pctx.get());
+ // Determine the size of the signature.
+ size_t sig_len = 0;
+ CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, ASSERT_TRUE(EVP_DigestSignFinal(ctx.get(), nullptr, &sig_len)));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+
+ std::vector<uint8_t> sig;
+ sig.resize(sig_len);
+ CALL_SERVICE_AND_CHECK_APPROVED(
+ approved,
+ ASSERT_TRUE(EVP_DigestSignFinal(ctx.get(), sig.data(), &sig_len)));
+ EXPECT_EQ(approved, test.sig_gen_expect_approved);
+ sig.resize(sig_len);
+
+ // Manual construction for verification.
+ ASSERT_TRUE(EVP_PKEY_verify_init(pctx.get()));
+ ASSERT_TRUE(EVP_PKEY_CTX_set_signature_md(pctx.get(), test.func()));
+ EVP_MD_CTX_set_pkey_ctx(ctx.get(), pctx.get());
+
+ CALL_SERVICE_AND_CHECK_APPROVED(
+ approved,
+ ASSERT_TRUE(EVP_DigestVerifyFinal(ctx.get(), sig.data(), sig_len)));
+ EXPECT_EQ(approved, test.sig_ver_expect_approved);
+}
+
+#endif // AWSLC_FIPS
+
+struct ECDHTestVector {
+ // nid is the input curve nid.
+ const int nid;
+ // digest_length is the length of the hash output to test with.
+ const int digest_length;
+ // expect_approved to be approved or not.
+ const FIPSStatus expect_approved;
+};
+
+static const struct ECDHTestVector kECDHTestVectors[] = {
+ // Only the following NIDs for |EC_GROUP| are creatable with
+ // |EC_GROUP_new_by_curve_name|.
+ // |ECDH_compute_key_fips| fails directly when an invalid hash length is
+ // inputted.
+ {NID_secp224r1, SHA224_DIGEST_LENGTH, FIPSStatus::APPROVED},
+ {NID_secp224r1, SHA256_DIGEST_LENGTH, FIPSStatus::APPROVED},
+ {NID_secp224r1, SHA384_DIGEST_LENGTH, FIPSStatus::APPROVED},
+ {NID_secp224r1, SHA512_DIGEST_LENGTH, FIPSStatus::APPROVED},
+
+ {NID_X9_62_prime256v1, SHA224_DIGEST_LENGTH, FIPSStatus::APPROVED},
+ {NID_X9_62_prime256v1, SHA256_DIGEST_LENGTH, FIPSStatus::APPROVED},
+ {NID_X9_62_prime256v1, SHA384_DIGEST_LENGTH, FIPSStatus::APPROVED},
+ {NID_X9_62_prime256v1, SHA512_DIGEST_LENGTH, FIPSStatus::APPROVED},
+
+ {NID_secp384r1, SHA224_DIGEST_LENGTH, FIPSStatus::APPROVED},
+ {NID_secp384r1, SHA256_DIGEST_LENGTH, FIPSStatus::APPROVED},
+ {NID_secp384r1, SHA384_DIGEST_LENGTH, FIPSStatus::APPROVED},
+ {NID_secp384r1, SHA512_DIGEST_LENGTH, FIPSStatus::APPROVED},
+
+ {NID_secp521r1, SHA224_DIGEST_LENGTH, FIPSStatus::APPROVED},
+ {NID_secp521r1, SHA256_DIGEST_LENGTH, FIPSStatus::APPROVED},
+ {NID_secp521r1, SHA384_DIGEST_LENGTH, FIPSStatus::APPROVED},
+ {NID_secp521r1, SHA512_DIGEST_LENGTH, FIPSStatus::APPROVED},
+
+ {NID_secp256k1, SHA224_DIGEST_LENGTH, FIPSStatus::NOT_APPROVED},
+ {NID_secp256k1, SHA256_DIGEST_LENGTH, FIPSStatus::NOT_APPROVED},
+ {NID_secp256k1, SHA384_DIGEST_LENGTH, FIPSStatus::NOT_APPROVED},
+ {NID_secp256k1, SHA512_DIGEST_LENGTH, FIPSStatus::NOT_APPROVED},
+};
+
+class ECDH_ServiceIndicatorTest : public TestWithNoErrors<ECDHTestVector> {};
+
+INSTANTIATE_TEST_SUITE_P(All, ECDH_ServiceIndicatorTest,
+ testing::ValuesIn(kECDHTestVectors));
+
+TEST_P(ECDH_ServiceIndicatorTest, ECDH) {
+ const ECDHTestVector &test = GetParam();
+ if (test.nid == NID_secp256k1 && !kCurveSecp256k1Supported) {
+ GTEST_SKIP();
+ }
+
+ FIPSStatus approved = FIPSStatus::NOT_APPROVED;
+
+ bssl::UniquePtr<EC_GROUP> group(EC_GROUP_new_by_curve_name(test.nid));
+ bssl::UniquePtr<EC_KEY> our_key(EC_KEY_new());
+ bssl::UniquePtr<EC_KEY> peer_key(EC_KEY_new());
+ bssl::ScopedEVP_MD_CTX md_ctx;
+ ASSERT_TRUE(our_key);
+ ASSERT_TRUE(peer_key);
+
+ // Generate two generic ec key pairs.
+ ASSERT_TRUE(EC_KEY_set_group(our_key.get(), group.get()));
+ ASSERT_TRUE(EC_KEY_generate_key(our_key.get()));
+ ASSERT_TRUE(EC_KEY_check_key(our_key.get()));
+
+ ASSERT_TRUE(EC_KEY_set_group(peer_key.get(), group.get()));
+ ASSERT_TRUE(EC_KEY_generate_key(peer_key.get()));
+ ASSERT_TRUE(EC_KEY_check_key(peer_key.get()));
+
+ // Test that |ECDH_compute_key_fips| has service indicator approval as
+ // expected.
+ std::vector<uint8_t> digest(test.digest_length);
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, ECDH_compute_key_fips(digest.data(), digest.size(),
+ EC_KEY_get0_public_key(peer_key.get()),
+ our_key.get())));
+ EXPECT_EQ(approved, test.expect_approved);
+
+ // Test running the EVP_PKEY_derive interfaces one by one directly, and check
+ // |EVP_PKEY_derive| for approval at the end. |EVP_PKEY_derive_init| and
+ // |EVP_PKEY_derive_set_peer| should not be approved because they do not
+ // indicate an entire service has been done.
+ bssl::UniquePtr<EVP_PKEY> our_pkey(EVP_PKEY_new());
+ ASSERT_TRUE(EVP_PKEY_set1_EC_KEY(our_pkey.get(), our_key.get()));
+ bssl::UniquePtr<EVP_PKEY_CTX> our_ctx(
+ EVP_PKEY_CTX_new(our_pkey.get(), nullptr));
+ bssl::UniquePtr<EVP_PKEY> peer_pkey(EVP_PKEY_new());
+ ASSERT_TRUE(EVP_PKEY_set1_EC_KEY(peer_pkey.get(), peer_key.get()));
+
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, EVP_PKEY_derive_init(our_ctx.get())));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, EVP_PKEY_derive_set_peer(our_ctx.get(), peer_pkey.get())));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+ // Determine the size of the output key. The first call of |EVP_PKEY_derive|
+ // should not return an approval check because no crypto is being done when
+ // |nullptr| is inputted in the |*key| field
+ size_t out_len = 0;
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, EVP_PKEY_derive(our_ctx.get(), nullptr, &out_len)));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+ std::vector<uint8_t> derive_output(out_len);
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved,
+ EVP_PKEY_derive(our_ctx.get(), derive_output.data(), &out_len)));
+ EXPECT_EQ(approved, kEVPDeriveSetsServiceIndicator
+ ? test.expect_approved
+ : FIPSStatus::NOT_APPROVED);
+}
+
+static const struct KDFTestVector {
+ // func is the hash function for KDF to test.
+ const EVP_MD *(*func)();
+ const uint8_t *expected_output;
+ const FIPSStatus expect_approved;
+} kKDFTestVectors[] = {
+ {EVP_md5, kTLSOutput_md, FIPSStatus::APPROVED},
+ {EVP_sha1, kTLSOutput_sha1, FIPSStatus::APPROVED},
+ {EVP_md5_sha1, kTLSOutput_mdsha1, FIPSStatus::APPROVED},
+ {EVP_sha224, kTLSOutput_sha224, FIPSStatus::NOT_APPROVED},
+ {EVP_sha256, kTLSOutput_sha256, FIPSStatus::APPROVED},
+ {EVP_sha384, kTLSOutput_sha384, FIPSStatus::APPROVED},
+ {EVP_sha512, kTLSOutput_sha512, FIPSStatus::APPROVED},
+};
+
+class KDF_ServiceIndicatorTest : public TestWithNoErrors<KDFTestVector> {};
+
+INSTANTIATE_TEST_SUITE_P(All, KDF_ServiceIndicatorTest,
+ testing::ValuesIn(kKDFTestVectors));
+
+TEST_P(KDF_ServiceIndicatorTest, TLSKDF) {
+ const KDFTestVector &test = GetParam();
+
+ FIPSStatus approved = FIPSStatus::NOT_APPROVED;
+
+ uint8_t output[32];
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, CRYPTO_tls1_prf(test.func(), output, sizeof(output), kTLSSecret,
+ sizeof(kTLSSecret), kTLSLabel,
+ sizeof(kTLSLabel), kTLSSeed1, sizeof(kTLSSeed1),
+ kTLSSeed2, sizeof(kTLSSeed2))));
+ EXPECT_EQ(Bytes(test.expected_output, sizeof(output)),
+ Bytes(output, sizeof(output)));
+ EXPECT_EQ(approved, test.expect_approved);
+}
+
+TEST(ServiceIndicatorTest, CMAC) {
+ FIPSStatus approved = FIPSStatus::NOT_APPROVED;
+
+ bssl::UniquePtr<CMAC_CTX> ctx(CMAC_CTX_new());
+ ASSERT_TRUE(ctx);
+
+ // Test running the CMAC interfaces one by one directly, and check
+ // |CMAC_Final| for approval at the end. |CMAC_Init| and |CMAC_Update|
+ // should not be approved, because the functions do not indicate that a
+ // service has been fully completed yet.
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, CMAC_Init(ctx.get(), kAESKey, sizeof(kAESKey),
+ EVP_aes_128_cbc(), nullptr)));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, CMAC_Update(ctx.get(), kPlaintext, sizeof(kPlaintext))));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+
+ uint8_t mac[16];
+ size_t out_len;
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, CMAC_Final(ctx.get(), mac, &out_len)));
+ EXPECT_EQ(approved, FIPSStatus::APPROVED);
+ EXPECT_EQ(Bytes(kAESCMACOutput), Bytes(mac));
+
+ // Test using the one-shot API for approval.
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved,
+ AES_CMAC(mac, kAESKey, sizeof(kAESKey), kPlaintext, sizeof(kPlaintext))));
+ EXPECT_EQ(Bytes(kAESCMACOutput), Bytes(mac));
+ EXPECT_EQ(approved, FIPSStatus::APPROVED);
+}
+
+TEST(ServiceIndicatorTest, BasicTest) {
+ FIPSStatus approved = FIPSStatus::NOT_APPROVED;
+
+ bssl::ScopedEVP_AEAD_CTX aead_ctx;
+ ASSERT_TRUE(EVP_AEAD_CTX_init(aead_ctx.get(),
+ EVP_aead_aes_128_gcm_randnonce(), kAESKey,
+ sizeof(kAESKey), 0, nullptr));
+ // This test ensures that the counter gets incremented once, i.e. it was
+ // locked through the internal calls.
+ const int counter_before = FIPS_service_indicator_after_call();
+ size_t out_len;
+ uint8_t output[256];
+ EVP_AEAD_CTX_seal(aead_ctx.get(), output, &out_len, sizeof(output), nullptr,
+ 0, kPlaintext, sizeof(kPlaintext), nullptr, 0);
+ const int counter_after = FIPS_service_indicator_after_call();
+ EXPECT_EQ(counter_after, counter_before + 1);
+
+ // Call an approved service.
+ CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, EVP_AEAD_CTX_seal(aead_ctx.get(), output, &out_len,
+ sizeof(output), nullptr, 0, kPlaintext,
+ sizeof(kPlaintext), nullptr, 0));
+ EXPECT_EQ(approved, FIPSStatus::APPROVED);
+
+ // Fail an approved service on purpose.
+ ASSERT_FALSE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved,
+ EVP_AEAD_CTX_seal(aead_ctx.get(), output, &out_len, 0, nullptr, 0,
+ kPlaintext, sizeof(kPlaintext), nullptr, 0)));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+
+ // Call a non-approved service.
+ uint8_t aes_iv[sizeof(kAESIV)];
+ memcpy(aes_iv, kAESIV, sizeof(aes_iv));
+ AES_KEY aes_key;
+ ASSERT_TRUE(AES_set_encrypt_key(kAESKey, 8 * sizeof(kAESKey), &aes_key) == 0);
+ int num = 0;
+ CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, AES_ofb128_encrypt(kPlaintext, output, sizeof(kPlaintext),
+ &aes_key, aes_iv, &num));
+ EXPECT_EQ(Bytes(kAESOFBCiphertext), Bytes(output, sizeof(kAESOFBCiphertext)));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+}
+
+// Test the SHA interfaces one by one and check that only |*_Final| does the
+// approval at the end.
+TEST(ServiceIndicatorTest, SHA) {
+ FIPSStatus approved = FIPSStatus::NOT_APPROVED;
+
+ std::vector<uint8_t> digest;
+
+ digest.resize(MD4_DIGEST_LENGTH);
+ MD4_CTX md4_ctx;
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(approved, MD4_Init(&md4_ctx)));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, MD4_Update(&md4_ctx, kPlaintext, sizeof(kPlaintext))));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, MD4_Final(digest.data(), &md4_ctx)));
+ EXPECT_EQ(Bytes(kOutput_md4), Bytes(digest));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+
+ digest.resize(MD5_DIGEST_LENGTH);
+ MD5_CTX md5_ctx;
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(approved, MD5_Init(&md5_ctx)));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, MD5_Update(&md5_ctx, kPlaintext, sizeof(kPlaintext))));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, MD5_Final(digest.data(), &md5_ctx)));
+ EXPECT_EQ(Bytes(kOutput_md5), Bytes(digest));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+
+ digest.resize(SHA_DIGEST_LENGTH);
+ SHA_CTX sha_ctx;
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(approved, SHA1_Init(&sha_ctx)));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, SHA1_Update(&sha_ctx, kPlaintext, sizeof(kPlaintext))));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, SHA1_Final(digest.data(), &sha_ctx)));
+ EXPECT_EQ(Bytes(kOutput_sha1), Bytes(digest));
+ EXPECT_EQ(approved, FIPSStatus::APPROVED);
+
+ digest.resize(SHA224_DIGEST_LENGTH);
+ SHA256_CTX sha224_ctx;
+ ASSERT_TRUE(
+ CALL_SERVICE_AND_CHECK_APPROVED(approved, SHA224_Init(&sha224_ctx)));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, SHA224_Update(&sha224_ctx, kPlaintext, sizeof(kPlaintext))));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, SHA224_Final(digest.data(), &sha224_ctx)));
+ EXPECT_EQ(Bytes(kOutput_sha224), Bytes(digest));
+ EXPECT_EQ(approved, FIPSStatus::APPROVED);
+
+ digest.resize(SHA256_DIGEST_LENGTH);
+ SHA256_CTX sha256_ctx;
+ ASSERT_TRUE(
+ CALL_SERVICE_AND_CHECK_APPROVED(approved, SHA256_Init(&sha256_ctx)));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, SHA256_Update(&sha256_ctx, kPlaintext, sizeof(kPlaintext))));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, SHA256_Final(digest.data(), &sha256_ctx)));
+ EXPECT_EQ(Bytes(kOutput_sha256), Bytes(digest));
+ EXPECT_EQ(approved, FIPSStatus::APPROVED);
+
+ digest.resize(SHA384_DIGEST_LENGTH);
+ SHA512_CTX sha384_ctx;
+ ASSERT_TRUE(
+ CALL_SERVICE_AND_CHECK_APPROVED(approved, SHA384_Init(&sha384_ctx)));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, SHA384_Update(&sha384_ctx, kPlaintext, sizeof(kPlaintext))));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, SHA384_Final(digest.data(), &sha384_ctx)));
+ EXPECT_EQ(Bytes(kOutput_sha384), Bytes(digest));
+ EXPECT_EQ(approved, FIPSStatus::APPROVED);
+
+ digest.resize(SHA512_DIGEST_LENGTH);
+ SHA512_CTX sha512_ctx;
+ ASSERT_TRUE(
+ CALL_SERVICE_AND_CHECK_APPROVED(approved, SHA512_Init(&sha512_ctx)));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, SHA512_Update(&sha512_ctx, kPlaintext, sizeof(kPlaintext))));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, SHA512_Final(digest.data(), &sha512_ctx)));
+ EXPECT_EQ(Bytes(kOutput_sha512), Bytes(digest));
+ EXPECT_EQ(approved, FIPSStatus::APPROVED);
+
+ digest.resize(SHA512_256_DIGEST_LENGTH);
+ SHA512_CTX sha512_256_ctx;
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, SHA512_256_Init(&sha512_256_ctx)));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved,
+ SHA512_256_Update(&sha512_256_ctx, kPlaintext, sizeof(kPlaintext))));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, SHA512_256_Final(digest.data(), &sha512_256_ctx)));
+ EXPECT_EQ(Bytes(kOutput_sha512_256), Bytes(digest));
+ EXPECT_EQ(approved, FIPSStatus::APPROVED);
+}
+
+TEST(ServiceIndicatorTest, AESECB) {
+ FIPSStatus approved = FIPSStatus::NOT_APPROVED;
+
+ AES_KEY aes_key;
+ uint8_t output[256];
+
+ // AES-ECB Encryption KAT for 128 bit key.
+ ASSERT_TRUE(AES_set_encrypt_key(kAESKey, 8 * sizeof(kAESKey), &aes_key) == 0);
+ // AES_ecb_encrypt encrypts (or decrypts) a single, 16 byte block from in to
+ // out.
+ for (size_t i = 0; i < sizeof(kPlaintext) / AES_BLOCK_SIZE; i++) {
+ CALL_SERVICE_AND_CHECK_APPROVED(
+ approved,
+ AES_ecb_encrypt(&kPlaintext[i * AES_BLOCK_SIZE],
+ &output[i * AES_BLOCK_SIZE], &aes_key, AES_ENCRYPT));
+ EXPECT_EQ(approved, FIPSStatus::APPROVED);
+ }
+ EXPECT_EQ(Bytes(kAESECBCiphertext), Bytes(output, sizeof(kAESECBCiphertext)));
+
+ // AES-ECB Decryption KAT for 128 bit key.
+ ASSERT_TRUE(AES_set_decrypt_key(kAESKey, 8 * sizeof(kAESKey), &aes_key) == 0);
+ for (size_t i = 0; i < sizeof(kPlaintext) / AES_BLOCK_SIZE; i++) {
+ CALL_SERVICE_AND_CHECK_APPROVED(
+ approved,
+ AES_ecb_encrypt(&kAESECBCiphertext[i * AES_BLOCK_SIZE],
+ &output[i * AES_BLOCK_SIZE], &aes_key, AES_DECRYPT));
+ EXPECT_EQ(approved, FIPSStatus::APPROVED);
+ }
+ EXPECT_EQ(Bytes(kPlaintext), Bytes(output, sizeof(kPlaintext)));
+
+ // AES-ECB Encryption KAT for 192 bit key.
+ ASSERT_TRUE(
+ AES_set_encrypt_key(kAESKey_192, 8 * sizeof(kAESKey_192), &aes_key) == 0);
+ for (size_t i = 0; i < sizeof(kPlaintext) / AES_BLOCK_SIZE; i++) {
+ CALL_SERVICE_AND_CHECK_APPROVED(
+ approved,
+ AES_ecb_encrypt(&kPlaintext[i * AES_BLOCK_SIZE],
+ &output[i * AES_BLOCK_SIZE], &aes_key, AES_ENCRYPT));
+ EXPECT_EQ(approved, FIPSStatus::APPROVED);
+ }
+ EXPECT_EQ(Bytes(kAESECBCiphertext_192),
+ Bytes(output, sizeof(kAESECBCiphertext_192)));
+
+ // AES-ECB Decryption KAT for 192 bit key.
+ ASSERT_TRUE(
+ AES_set_decrypt_key(kAESKey_192, 8 * sizeof(kAESKey_192), &aes_key) == 0);
+ for (size_t i = 0; i < sizeof(kPlaintext) / AES_BLOCK_SIZE; i++) {
+ CALL_SERVICE_AND_CHECK_APPROVED(
+ approved,
+ AES_ecb_encrypt(&kAESECBCiphertext_192[i * AES_BLOCK_SIZE],
+ &output[i * AES_BLOCK_SIZE], &aes_key, AES_DECRYPT));
+ EXPECT_EQ(approved, FIPSStatus::APPROVED);
+ }
+ EXPECT_EQ(Bytes(kPlaintext), Bytes(output, sizeof(kPlaintext)));
+
+ // AES-ECB Encryption KAT for 256 bit key.
+ ASSERT_TRUE(
+ AES_set_encrypt_key(kAESKey_256, 8 * sizeof(kAESKey_256), &aes_key) == 0);
+ for (size_t i = 0; i < sizeof(kPlaintext) / AES_BLOCK_SIZE; i++) {
+ CALL_SERVICE_AND_CHECK_APPROVED(
+ approved,
+ AES_ecb_encrypt(&kPlaintext[i * AES_BLOCK_SIZE],
+ &output[i * AES_BLOCK_SIZE], &aes_key, AES_ENCRYPT));
+ EXPECT_EQ(approved, FIPSStatus::APPROVED);
+ }
+ EXPECT_EQ(Bytes(kAESECBCiphertext_256),
+ Bytes(output, sizeof(kAESECBCiphertext_256)));
+
+ // AES-ECB Decryption KAT for 256 bit key.
+ ASSERT_TRUE(
+ AES_set_decrypt_key(kAESKey_256, 8 * sizeof(kAESKey_256), &aes_key) == 0);
+ for (size_t i = 0; i < sizeof(kPlaintext) / AES_BLOCK_SIZE; i++) {
+ CALL_SERVICE_AND_CHECK_APPROVED(
+ approved,
+ AES_ecb_encrypt(&kAESECBCiphertext_256[i * AES_BLOCK_SIZE],
+ &output[i * AES_BLOCK_SIZE], &aes_key, AES_DECRYPT));
+ EXPECT_EQ(approved, FIPSStatus::APPROVED);
+ }
+ EXPECT_EQ(Bytes(kPlaintext), Bytes(output, sizeof(kPlaintext)));
+}
+
+TEST(ServiceIndicatorTest, AESCBC) {
+ FIPSStatus approved = FIPSStatus::NOT_APPROVED;
+
+ AES_KEY aes_key;
+ uint8_t aes_iv[sizeof(kAESIV)];
+ uint8_t output[sizeof(kPlaintext)];
+
+ // AES-CBC Encryption KAT for 128 bit key.
+ memcpy(aes_iv, kAESIV, sizeof(aes_iv));
+ ASSERT_TRUE(AES_set_encrypt_key(kAESKey, 8 * sizeof(kAESKey), &aes_key) == 0);
+ CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, AES_cbc_encrypt(kPlaintext, output, sizeof(kPlaintext),
+ &aes_key, aes_iv, AES_ENCRYPT));
+ EXPECT_EQ(Bytes(kAESCBCCiphertext), Bytes(output));
+ EXPECT_EQ(approved, FIPSStatus::APPROVED);
+
+ // AES-CBC Decryption KAT for 128 bit key.
+ memcpy(aes_iv, kAESIV, sizeof(aes_iv));
+ ASSERT_TRUE(AES_set_decrypt_key(kAESKey, 8 * sizeof(kAESKey), &aes_key) == 0);
+ CALL_SERVICE_AND_CHECK_APPROVED(
+ approved,
+ AES_cbc_encrypt(kAESCBCCiphertext, output, sizeof(kAESCBCCiphertext),
+ &aes_key, aes_iv, AES_DECRYPT));
+ EXPECT_EQ(Bytes(kPlaintext), Bytes(output));
+ EXPECT_EQ(approved, FIPSStatus::APPROVED);
+
+ // AES-CBC Encryption KAT for 192 bit key.
+ memcpy(aes_iv, kAESIV, sizeof(aes_iv));
+ ASSERT_TRUE(
+ AES_set_encrypt_key(kAESKey_192, 8 * sizeof(kAESKey_192), &aes_key) == 0);
+ CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, AES_cbc_encrypt(kPlaintext, output, sizeof(kPlaintext),
+ &aes_key, aes_iv, AES_ENCRYPT));
+ EXPECT_EQ(Bytes(kAESCBCCiphertext_192), Bytes(output));
+ EXPECT_EQ(approved, FIPSStatus::APPROVED);
+
+ // AES-CBC Decryption KAT for 192 bit key.
+ memcpy(aes_iv, kAESIV, sizeof(aes_iv));
+ ASSERT_TRUE(
+ AES_set_decrypt_key(kAESKey_192, 8 * sizeof(kAESKey_192), &aes_key) == 0);
+ CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, AES_cbc_encrypt(kAESCBCCiphertext_192, output,
+ sizeof(kAESCBCCiphertext_192), &aes_key, aes_iv,
+ AES_DECRYPT));
+ EXPECT_EQ(Bytes(kPlaintext), Bytes(output));
+ EXPECT_EQ(approved, FIPSStatus::APPROVED);
+
+ // AES-CBC Encryption KAT for 256 bit key.
+ memcpy(aes_iv, kAESIV, sizeof(aes_iv));
+ ASSERT_TRUE(
+ AES_set_encrypt_key(kAESKey_256, 8 * sizeof(kAESKey_256), &aes_key) == 0);
+ CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, AES_cbc_encrypt(kPlaintext, output, sizeof(kPlaintext),
+ &aes_key, aes_iv, AES_ENCRYPT));
+ EXPECT_EQ(Bytes(kAESCBCCiphertext_256), Bytes(output));
+ EXPECT_EQ(approved, FIPSStatus::APPROVED);
+
+ // AES-CBC Decryption KAT for 256 bit key.
+ memcpy(aes_iv, kAESIV, sizeof(aes_iv));
+ ASSERT_TRUE(
+ AES_set_decrypt_key(kAESKey_256, 8 * sizeof(kAESKey_256), &aes_key) == 0);
+ CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, AES_cbc_encrypt(kAESCBCCiphertext_256, output,
+ sizeof(kAESCBCCiphertext_256), &aes_key, aes_iv,
+ AES_DECRYPT));
+ EXPECT_EQ(Bytes(kPlaintext), Bytes(output));
+ EXPECT_EQ(approved, FIPSStatus::APPROVED);
+}
+
+TEST(ServiceIndicatorTest, AESCTR) {
+ FIPSStatus approved = FIPSStatus::NOT_APPROVED;
+
+ AES_KEY aes_key;
+ uint8_t aes_iv[sizeof(kAESIV)];
+ uint8_t output[sizeof(kPlaintext)];
+ unsigned num = 0;
+ uint8_t ecount_buf[AES_BLOCK_SIZE];
+
+ // AES-CTR Encryption KAT
+ memcpy(aes_iv, kAESIV, sizeof(aes_iv));
+ ASSERT_TRUE(AES_set_encrypt_key(kAESKey, 8 * sizeof(kAESKey), &aes_key) == 0);
+ CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, AES_ctr128_encrypt(kPlaintext, output, sizeof(kPlaintext),
+ &aes_key, aes_iv, ecount_buf, &num));
+ EXPECT_EQ(Bytes(kAESCTRCiphertext), Bytes(output));
+ EXPECT_EQ(approved, FIPSStatus::APPROVED);
+
+ // AES-CTR Decryption KAT
+ memcpy(aes_iv, kAESIV, sizeof(aes_iv));
+ CALL_SERVICE_AND_CHECK_APPROVED(
+ approved,
+ AES_ctr128_encrypt(kAESCTRCiphertext, output, sizeof(kAESCTRCiphertext),
+ &aes_key, aes_iv, ecount_buf, &num));
+ EXPECT_EQ(Bytes(kPlaintext), Bytes(output));
+ EXPECT_EQ(approved, FIPSStatus::APPROVED);
+
+ // AES-CTR Encryption KAT for 192 bit key.
+ memcpy(aes_iv, kAESIV, sizeof(aes_iv));
+ ASSERT_TRUE(
+ AES_set_encrypt_key(kAESKey_192, 8 * sizeof(kAESKey_192), &aes_key) == 0);
+ CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, AES_ctr128_encrypt(kPlaintext, output, sizeof(kPlaintext),
+ &aes_key, aes_iv, ecount_buf, &num));
+ EXPECT_EQ(Bytes(kAESCTRCiphertext_192), Bytes(output));
+ EXPECT_EQ(approved, FIPSStatus::APPROVED);
+
+ // AES-CTR Decryption KAT for 192 bit key.
+ memcpy(aes_iv, kAESIV, sizeof(aes_iv));
+ CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, AES_ctr128_encrypt(kAESCTRCiphertext_192, output,
+ sizeof(kAESCTRCiphertext_192), &aes_key,
+ aes_iv, ecount_buf, &num));
+ EXPECT_EQ(Bytes(kPlaintext), Bytes(output));
+ EXPECT_EQ(approved, FIPSStatus::APPROVED);
+
+ // AES-CTR Encryption KAT for 256 bit key.
+ memcpy(aes_iv, kAESIV, sizeof(aes_iv));
+ ASSERT_TRUE(
+ AES_set_encrypt_key(kAESKey_256, 8 * sizeof(kAESKey_256), &aes_key) == 0);
+ CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, AES_ctr128_encrypt(kPlaintext, output, sizeof(kPlaintext),
+ &aes_key, aes_iv, ecount_buf, &num));
+ EXPECT_EQ(Bytes(kAESCTRCiphertext_256), Bytes(output));
+ EXPECT_EQ(approved, FIPSStatus::APPROVED);
+
+ // AES-CTR Decryption KAT for 256 bit key.
+ memcpy(aes_iv, kAESIV, sizeof(aes_iv));
+ CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, AES_ctr128_encrypt(kAESCTRCiphertext_256, output,
+ sizeof(kAESCTRCiphertext_256), &aes_key,
+ aes_iv, ecount_buf, &num));
+ EXPECT_EQ(Bytes(kPlaintext), Bytes(output));
+ EXPECT_EQ(approved, FIPSStatus::APPROVED);
+}
+
+TEST(ServiceIndicatorTest, AESOFB) {
+ FIPSStatus approved = FIPSStatus::NOT_APPROVED;
+
+ AES_KEY aes_key;
+ uint8_t aes_iv[sizeof(kAESIV)];
+ uint8_t output[sizeof(kPlaintext)];
+ int num = 0;
+
+ // AES-OFB Encryption KAT
+ memcpy(aes_iv, kAESIV, sizeof(aes_iv));
+ ASSERT_TRUE(AES_set_encrypt_key(kAESKey, 8 * sizeof(kAESKey), &aes_key) == 0);
+ CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, AES_ofb128_encrypt(kPlaintext, output, sizeof(kPlaintext),
+ &aes_key, aes_iv, &num));
+ EXPECT_EQ(Bytes(kAESOFBCiphertext), Bytes(output));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+
+ // AES-OFB Decryption KAT
+ memcpy(aes_iv, kAESIV, sizeof(aes_iv));
+ CALL_SERVICE_AND_CHECK_APPROVED(
+ approved,
+ AES_ofb128_encrypt(kAESOFBCiphertext, output, sizeof(kAESOFBCiphertext),
+ &aes_key, aes_iv, &num));
+ EXPECT_EQ(Bytes(kPlaintext), Bytes(output));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+}
+
+TEST(ServiceIndicatorTest, AESCFB) {
+ FIPSStatus approved = FIPSStatus::NOT_APPROVED;
+
+ AES_KEY aes_key;
+ uint8_t aes_iv[sizeof(kAESIV)];
+ uint8_t output[sizeof(kPlaintext)];
+ int num = 0;
+
+ // AES-CFB Encryption KAT
+ memcpy(aes_iv, kAESIV, sizeof(aes_iv));
+ ASSERT_TRUE(AES_set_encrypt_key(kAESKey, 8 * sizeof(kAESKey), &aes_key) == 0);
+ CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, AES_cfb128_encrypt(kPlaintext, output, sizeof(kPlaintext),
+ &aes_key, aes_iv, &num, AES_ENCRYPT));
+ EXPECT_EQ(Bytes(kAESCFBCiphertext), Bytes(output));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+
+ // AES-CFB Decryption KAT
+ memcpy(aes_iv, kAESIV, sizeof(aes_iv));
+ CALL_SERVICE_AND_CHECK_APPROVED(
+ approved,
+ AES_cfb128_encrypt(kAESCFBCiphertext, output, sizeof(kAESCFBCiphertext),
+ &aes_key, aes_iv, &num, AES_DECRYPT));
+ EXPECT_EQ(Bytes(kPlaintext), Bytes(output));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+}
+
+TEST(ServiceIndicatorTest, AESKW) {
+ FIPSStatus approved = FIPSStatus::NOT_APPROVED;
+
+ AES_KEY aes_key;
+ uint8_t output[sizeof(kPlaintext) + 8];
+ size_t outlen;
+
+ // AES-KW Encryption KAT
+ ASSERT_TRUE(AES_set_encrypt_key(kAESKey, 8 * sizeof(kAESKey), &aes_key) == 0);
+ outlen = CALL_SERVICE_AND_CHECK_APPROVED(
+ approved,
+ AES_wrap_key(&aes_key, nullptr, output, kPlaintext, sizeof(kPlaintext)));
+ ASSERT_EQ(outlen, sizeof(kAESKWCiphertext));
+ EXPECT_EQ(Bytes(kAESKWCiphertext), Bytes(output));
+ EXPECT_EQ(approved, FIPSStatus::APPROVED);
+
+ // AES-KW Decryption KAT
+ ASSERT_TRUE(AES_set_decrypt_key(kAESKey, 8 * sizeof(kAESKey), &aes_key) == 0);
+ outlen = CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, AES_unwrap_key(&aes_key, nullptr, output, kAESKWCiphertext,
+ sizeof(kAESKWCiphertext)));
+ ASSERT_EQ(outlen, sizeof(kPlaintext));
+ EXPECT_EQ(Bytes(kPlaintext), Bytes(output, sizeof(kPlaintext)));
+ EXPECT_EQ(approved, FIPSStatus::APPROVED);
+}
+
+TEST(ServiceIndicatorTest, AESKWP) {
+ FIPSStatus approved = FIPSStatus::NOT_APPROVED;
+
+ AES_KEY aes_key;
+ uint8_t output[sizeof(kPlaintext) + 15];
+ size_t outlen;
+
+ // AES-KWP Encryption KAT
+ ASSERT_TRUE(AES_set_encrypt_key(kAESKey, 8 * sizeof(kAESKey), &aes_key) == 0);
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, AES_wrap_key_padded(&aes_key, output, &outlen, sizeof(output),
+ kPlaintext, sizeof(kPlaintext))));
+ EXPECT_EQ(Bytes(kAESKWPCiphertext), Bytes(output, outlen));
+ EXPECT_EQ(approved, FIPSStatus::APPROVED);
+
+ // AES-KWP Decryption KAT
+ ASSERT_TRUE(AES_set_decrypt_key(kAESKey, 8 * sizeof(kAESKey), &aes_key) == 0);
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved,
+ AES_unwrap_key_padded(&aes_key, output, &outlen, sizeof(output),
+ kAESKWPCiphertext, sizeof(kAESKWPCiphertext))));
+ EXPECT_EQ(Bytes(kPlaintext), Bytes(output, outlen));
+ EXPECT_EQ(approved, FIPSStatus::APPROVED);
+}
+
+TEST(ServiceIndicatorTest, FFDH) {
+ FIPSStatus approved = FIPSStatus::NOT_APPROVED;
+
+ // |DH_compute_key_padded| should be a non-approved service.
+ bssl::UniquePtr<DH> dh(GetDH());
+ uint8_t dh_out[sizeof(kDHOutput)];
+ ASSERT_EQ(DH_size(dh.get()), static_cast<int>(sizeof(dh_out)));
+ ASSERT_EQ(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, DH_compute_key_padded(
+ dh_out, DH_get0_priv_key(dh.get()), dh.get())),
+ static_cast<int>(sizeof(dh_out)));
+ EXPECT_EQ(Bytes(kDHOutput), Bytes(dh_out));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+}
+
+TEST(ServiceIndicatorTest, DRBG) {
+ FIPSStatus approved = FIPSStatus::NOT_APPROVED;
+ CTR_DRBG_STATE drbg;
+ uint8_t output[sizeof(kDRBGOutput)];
+
+ // Test running the DRBG interfaces and check |CTR_DRBG_generate| for approval
+ // at the end since it indicates a service is being done. |CTR_DRBG_init| and
+ // |CTR_DRBG_reseed| should not be approved, because the functions do not
+ // indicate that a service has been fully completed yet.
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, CTR_DRBG_init(&drbg, kDRBGEntropy, kDRBGPersonalization,
+ sizeof(kDRBGPersonalization))));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, CTR_DRBG_generate(&drbg, output, sizeof(kDRBGOutput), kDRBGAD,
+ sizeof(kDRBGAD))));
+ EXPECT_EQ(approved, FIPSStatus::APPROVED);
+ EXPECT_EQ(Bytes(kDRBGOutput), Bytes(output));
+
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved,
+ CTR_DRBG_reseed(&drbg, kDRBGEntropy2, kDRBGAD, sizeof(kDRBGAD))));
+ EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, CTR_DRBG_generate(&drbg, output, sizeof(kDRBGReseedOutput),
+ kDRBGAD, sizeof(kDRBGAD))));
+ EXPECT_EQ(approved, FIPSStatus::APPROVED);
+ EXPECT_EQ(Bytes(kDRBGReseedOutput), Bytes(output));
+
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, RAND_bytes(output, sizeof(output))));
+ EXPECT_EQ(approved, FIPSStatus::APPROVED);
+}
+
+#else // !BORINGSSL_FIPS
+
+// Service indicator calls should not be used in non-FIPS builds. However, if
+// used, the macro |CALL_SERVICE_AND_CHECK_APPROVED| will return
+// |FIPSStatus::APPROVED|, but the direct calls to
+// |FIPS_service_indicator_xxx| will not indicate an approved state.
+TEST(ServiceIndicatorTest, BasicTest) {
+ // Reset and check the initial state and counter.
+ FIPSStatus approved = FIPSStatus::NOT_APPROVED;
+ uint64_t before = FIPS_service_indicator_before_call();
+ ASSERT_EQ(before, (uint64_t)0);
+
+ // Call an approved service.
+ bssl::ScopedEVP_AEAD_CTX aead_ctx;
+ uint8_t nonce[EVP_AEAD_MAX_NONCE_LENGTH] = {0};
+ uint8_t output[256];
+ size_t out_len;
+ ASSERT_TRUE(EVP_AEAD_CTX_init(aead_ctx.get(),
+ EVP_aead_aes_128_gcm_randnonce(), kAESKey,
+ sizeof(kAESKey), 0, nullptr));
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, EVP_AEAD_CTX_seal(aead_ctx.get(), output, &out_len,
+ sizeof(output), nullptr, 0, kPlaintext,
+ sizeof(kPlaintext), nullptr, 0)));
+ // Macro should return true, to ensure FIPS/non-FIPS compatibility.
+ EXPECT_EQ(approved, FIPSStatus::APPROVED);
+
+ // Call a non-approved service.
+ ASSERT_TRUE(EVP_AEAD_CTX_init(aead_ctx.get(), EVP_aead_aes_128_gcm(), kAESKey,
+ sizeof(kAESKey), 0, nullptr));
+ ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
+ approved,
+ EVP_AEAD_CTX_seal(aead_ctx.get(), output, &out_len, sizeof(output), nonce,
+ EVP_AEAD_nonce_length(EVP_aead_aes_128_gcm()),
+ kPlaintext, sizeof(kPlaintext), nullptr, 0)));
+ EXPECT_EQ(approved, FIPSStatus::APPROVED);
+}
+
+#endif // BORINGSSL_FIPS
diff --git a/src/crypto/fipsmodule/sha/sha1.c b/src/crypto/fipsmodule/sha/sha1.c
index e482c77..f921e31 100644
--- a/src/crypto/fipsmodule/sha/sha1.c
+++ b/src/crypto/fipsmodule/sha/sha1.c
@@ -62,6 +62,7 @@
#include "../../internal.h"
#include "../digest/md32_common.h"
+#include "../service_indicator/internal.h"
#include "internal.h"
@@ -108,6 +109,7 @@
CRYPTO_store_u32_be(out + 8, c->h[2]);
CRYPTO_store_u32_be(out + 12, c->h[3]);
CRYPTO_store_u32_be(out + 16, c->h[4]);
+ FIPS_service_indicator_update_state();
return 1;
}
diff --git a/src/crypto/fipsmodule/sha/sha256.c b/src/crypto/fipsmodule/sha/sha256.c
index c187c4a..454b947 100644
--- a/src/crypto/fipsmodule/sha/sha256.c
+++ b/src/crypto/fipsmodule/sha/sha256.c
@@ -62,6 +62,7 @@
#include "../../internal.h"
#include "../digest/md32_common.h"
+#include "../service_indicator/internal.h"
#include "internal.h"
@@ -150,6 +151,8 @@
CRYPTO_store_u32_be(out, c->h[i]);
out += 4;
}
+
+ FIPS_service_indicator_update_state();
return 1;
}
@@ -161,6 +164,7 @@
// TODO(davidben): Add an assert and fix code to match them up.
return sha256_final_impl(out, c);
}
+
int SHA224_Final(uint8_t out[SHA224_DIGEST_LENGTH], SHA256_CTX *ctx) {
// SHA224_Init sets |ctx->md_len| to |SHA224_DIGEST_LENGTH|, so this has a
// smaller output.
diff --git a/src/crypto/fipsmodule/sha/sha512.c b/src/crypto/fipsmodule/sha/sha512.c
index d94de28..708358e 100644
--- a/src/crypto/fipsmodule/sha/sha512.c
+++ b/src/crypto/fipsmodule/sha/sha512.c
@@ -60,8 +60,9 @@
#include <openssl/mem.h>
-#include "internal.h"
#include "../../internal.h"
+#include "../service_indicator/internal.h"
+#include "internal.h"
// The 32-bit hash algorithms share a common byte-order neutral collector and
@@ -274,6 +275,7 @@
out += 8;
}
+ FIPS_service_indicator_update_state();
return 1;
}
diff --git a/src/crypto/fipsmodule/tls/kdf.c b/src/crypto/fipsmodule/tls/kdf.c
index 347e998..6f2b68b 100644
--- a/src/crypto/fipsmodule/tls/kdf.c
+++ b/src/crypto/fipsmodule/tls/kdf.c
@@ -58,6 +58,7 @@
#include "internal.h"
#include "../../internal.h"
+#include "../service_indicator/internal.h"
// tls1_P_hash computes the TLS P_<hash> function as described in RFC 5246,
@@ -146,12 +147,16 @@
OPENSSL_memset(out, 0, out_len);
+ const EVP_MD *const original_digest = digest;
+ FIPS_service_indicator_lock_state();
+ int ret = 0;
+
if (digest == EVP_md5_sha1()) {
// If using the MD5/SHA1 PRF, |secret| is partitioned between MD5 and SHA-1.
size_t secret_half = secret_len - (secret_len / 2);
if (!tls1_P_hash(out, out_len, EVP_md5(), secret, secret_half, label,
label_len, seed1, seed1_len, seed2, seed2_len)) {
- return 0;
+ goto end;
}
// Note that, if |secret_len| is odd, the two halves share a byte.
@@ -160,6 +165,13 @@
digest = EVP_sha1();
}
- return tls1_P_hash(out, out_len, digest, secret, secret_len, label, label_len,
- seed1, seed1_len, seed2, seed2_len);
+ ret = tls1_P_hash(out, out_len, digest, secret, secret_len, label, label_len,
+ seed1, seed1_len, seed2, seed2_len);
+
+end:
+ FIPS_service_indicator_unlock_state();
+ if (ret) {
+ TLSKDF_verify_service_indicator(original_digest);
+ }
+ return ret;
}
diff --git a/src/crypto/hrss/hrss.c b/src/crypto/hrss/hrss.c
index 388c9a9..dd6e970 100644
--- a/src/crypto/hrss/hrss.c
+++ b/src/crypto/hrss/hrss.c
@@ -926,6 +926,20 @@
#endif
};
+// poly_normalize zeros out the excess elements of |x| which are included only
+// for alignment.
+static void poly_normalize(struct poly *x) {
+ OPENSSL_memset(&x->v[N], 0, 3 * sizeof(uint16_t));
+}
+
+// poly_assert_normalized asserts that the excess elements of |x| are zeroed out
+// for the cases that case. (E.g. |poly_mul_vec|.)
+static void poly_assert_normalized(const struct poly *x) {
+ assert(x->v[N] == 0);
+ assert(x->v[N + 1] == 0);
+ assert(x->v[N + 2] == 0);
+}
+
OPENSSL_UNUSED static void poly_print(const struct poly *p) {
printf("[");
for (unsigned i = 0; i < N; i++) {
@@ -1212,13 +1226,12 @@
// poly_mul_vec sets |*out| to |x|×|y| mod (𝑥^n - 1).
static void poly_mul_vec(struct POLY_MUL_SCRATCH *scratch, struct poly *out,
const struct poly *x, const struct poly *y) {
- OPENSSL_memset((uint16_t *)&x->v[N], 0, 3 * sizeof(uint16_t));
- OPENSSL_memset((uint16_t *)&y->v[N], 0, 3 * sizeof(uint16_t));
-
OPENSSL_STATIC_ASSERT(sizeof(out->v) == sizeof(vec_t) * VECS_PER_POLY,
"struct poly is the wrong size");
OPENSSL_STATIC_ASSERT(alignof(struct poly) == alignof(vec_t),
"struct poly has incorrect alignment");
+ poly_assert_normalized(x);
+ poly_assert_normalized(y);
vec_t *const prod = scratch->u.vec.prod;
vec_t *const aux_scratch = scratch->u.vec.scratch;
@@ -1316,19 +1329,22 @@
#if defined(POLY_RQ_MUL_ASM)
if (CRYPTO_is_AVX2_capable()) {
poly_Rq_mul(r->v, a->v, b->v, scratch->u.rq);
- return;
- }
+ poly_normalize(r);
+ } else
#endif
#if defined(HRSS_HAVE_VECTOR_UNIT)
if (vec_capable()) {
poly_mul_vec(scratch, r, a, b);
- return;
- }
+ } else
#endif
// Fallback, non-vector case.
- poly_mul_novec(scratch, r, a, b);
+ {
+ poly_mul_novec(scratch, r, a, b);
+ }
+
+ poly_assert_normalized(r);
}
// poly_mul_x_minus_1 sets |p| to |p|×(𝑥 - 1) mod (𝑥^n - 1).
@@ -1493,6 +1509,8 @@
shift = 0;
}
}
+
+ poly_normalize(out);
}
static void poly_from_poly3(struct poly *out, const struct poly3 *in) {
@@ -1517,6 +1535,8 @@
shift = 0;
}
}
+
+ poly_normalize(out);
}
// Polynomial inversion
@@ -1570,6 +1590,7 @@
assert(f.v[0] & 1);
poly2_reverse_700(&v, &v);
poly_from_poly2(out, &v);
+ poly_assert_normalized(out);
}
// poly_invert sets |*out| to |in^-1| (i.e. such that |*out|×|in| = 1 mod Φ(N)).
@@ -1583,6 +1604,7 @@
for (unsigned i = 0; i < N; i++) {
a.v[i] = -in->v[i];
}
+ poly_normalize(&a);
// b = in^-1 mod 2.
b = out;
@@ -1595,6 +1617,8 @@
tmp.v[0] += 2;
poly_mul(scratch, b, b, &tmp);
}
+
+ poly_assert_normalized(out);
}
// Marshal and unmarshal functions for various basic types.
@@ -1684,6 +1708,7 @@
}
out->v[N - 1] = (uint16_t)(0u - sum);
+ poly_normalize(out);
return 1;
}
@@ -1735,6 +1760,7 @@
out->v[i] = v;
}
out->v[N - 1] = 0;
+ poly_normalize(out);
}
// poly_short_sample_plus performs the T+ sample as defined in [HRSSNIST],
@@ -1757,6 +1783,7 @@
for (unsigned i = 0; i < N; i += 2) {
out->v[i] = (unsigned) out->v[i] * scale;
}
+ poly_assert_normalized(out);
}
// poly_lift computes the function discussed in [HRSS], appendix B.
@@ -1872,6 +1899,7 @@
}
poly_mul_x_minus_1(out);
+ poly_normalize(out);
}
struct public_key {
@@ -1951,6 +1979,10 @@
return 0;
}
+#if !defined(NDEBUG)
+ OPENSSL_memset(vars, 0xff, sizeof(struct vars));
+#endif
+
OPENSSL_memcpy(priv->hmac_key, in + 2 * HRSS_SAMPLE_BYTES,
sizeof(priv->hmac_key));
@@ -2010,6 +2042,10 @@
return 0;
}
+#if !defined(NDEBUG)
+ OPENSSL_memset(vars, 0xff, sizeof(struct vars));
+#endif
+
poly_short_sample(&vars->m, in);
poly_short_sample(&vars->r, in + HRSS_SAMPLE_BYTES);
poly_lift(&vars->m_lifted, &vars->m);
@@ -2067,6 +2103,10 @@
return 0;
}
+#if !defined(NDEBUG)
+ OPENSSL_memset(vars, 0xff, sizeof(struct vars));
+#endif
+
// This is HMAC, expanded inline rather than using the |HMAC| function so that
// we can avoid dealing with possible allocation failures and so keep this
// function infallible.
@@ -2117,6 +2157,7 @@
for (unsigned i = 0; i < N; i++) {
vars->r.v[i] = vars->c.v[i] - vars->m_lifted.v[i];
}
+ poly_normalize(&vars->r);
poly_mul(&vars->scratch, &vars->r, &vars->r, &priv->ph_inverse);
poly_mod_phiN(&vars->r);
poly_clamp(&vars->r);
diff --git a/src/crypto/hrss/hrss_test.cc b/src/crypto/hrss/hrss_test.cc
index bab968c..31a1560 100644
--- a/src/crypto/hrss/hrss_test.cc
+++ b/src/crypto/hrss/hrss_test.cc
@@ -201,6 +201,33 @@
}
}
+TEST(HRSS, NoWritesToConstData) {
+ // Normalisation of some polynomials used to write into the generated keys.
+ // This is fine in a purely ephemeral setting, but triggers TSAN warnings in
+ // more complex ones.
+ uint8_t generate_key_entropy[HRSS_GENERATE_KEY_BYTES];
+ RAND_bytes(generate_key_entropy, sizeof(generate_key_entropy));
+ HRSS_public_key pub, pub_orig;
+ HRSS_private_key priv, priv_orig;
+ OPENSSL_memset(&pub, 0xa3, sizeof(pub));
+ OPENSSL_memset(&priv, 0x3a, sizeof(priv));
+ ASSERT_TRUE(HRSS_generate_key(&pub, &priv, generate_key_entropy));
+ OPENSSL_memcpy(&priv_orig, &priv, sizeof(priv));
+ OPENSSL_memcpy(&pub_orig, &pub, sizeof(pub));
+
+ uint8_t ciphertext[HRSS_CIPHERTEXT_BYTES];
+ uint8_t shared_key[HRSS_KEY_BYTES];
+ uint8_t encap_entropy[HRSS_ENCAP_BYTES];
+ RAND_bytes(encap_entropy, sizeof(encap_entropy));
+ ASSERT_TRUE(HRSS_encap(ciphertext, shared_key, &pub, encap_entropy));
+
+ ASSERT_EQ(OPENSSL_memcmp(&pub, &pub_orig, sizeof(pub)), 0);
+
+ ASSERT_TRUE(HRSS_decap(shared_key, &priv, ciphertext, sizeof(ciphertext)));
+
+ ASSERT_EQ(OPENSSL_memcmp(&priv, &priv_orig, sizeof(priv)), 0);
+}
+
TEST(HRSS, Golden) {
uint8_t generate_key_entropy[HRSS_GENERATE_KEY_BYTES];
for (unsigned i = 0; i < HRSS_SAMPLE_BYTES; i++) {
diff --git a/src/crypto/internal.h b/src/crypto/internal.h
index 78dbbbf..c9b5e8e 100644
--- a/src/crypto/internal.h
+++ b/src/crypto/internal.h
@@ -126,10 +126,18 @@
#endif
#if !defined(__cplusplus)
-#if defined(_MSC_VER)
+#if defined(_MSC_VER) && !defined(__clang__)
#define alignas(x) __declspec(align(x))
#define alignof __alignof
#else
+// With the exception of MSVC, we require C11 to build the library. C11 is a
+// prerequisite for improved refcounting performance. All our supported C
+// compilers have long implemented C11 and made it default. The most likely
+// cause of pre-C11 modes is stale -std=c99 or -std=gnu99 flags in build
+// configuration. Such flags can be removed.
+#if __STDC_VERSION__ < 201112L
+#error "BoringSSL must be built in C11 mode or higher."
+#endif
#include <stdalign.h>
#endif
#endif
@@ -640,6 +648,7 @@
OPENSSL_THREAD_LOCAL_ERR = 0,
OPENSSL_THREAD_LOCAL_RAND,
OPENSSL_THREAD_LOCAL_FIPS_COUNTERS,
+ OPENSSL_THREAD_LOCAL_FIPS_SERVICE_INDICATOR_STATE,
OPENSSL_THREAD_LOCAL_TEST,
NUM_OPENSSL_THREAD_LOCALS,
} thread_local_data_t;
@@ -893,6 +902,18 @@
OPENSSL_memcpy(out, &v, sizeof(v));
}
+static inline crypto_word_t CRYPTO_load_word_be(const void *in) {
+ crypto_word_t v;
+ OPENSSL_memcpy(&v, in, sizeof(v));
+#if defined(OPENSSL_64_BIT)
+ static_assert(sizeof(v) == 8, "crypto_word_t has unexpected size");
+ return CRYPTO_bswap8(v);
+#else
+ static_assert(sizeof(v) == 4, "crypto_word_t has unexpected size");
+ return CRYPTO_bswap4(v);
+#endif
+}
+
// Bit rotation functions.
//
diff --git a/src/crypto/pkcs8/pkcs12_test.cc b/src/crypto/pkcs8/pkcs12_test.cc
index 958bd8d..79ebae3 100644
--- a/src/crypto/pkcs8/pkcs12_test.cc
+++ b/src/crypto/pkcs8/pkcs12_test.cc
@@ -599,3 +599,45 @@
ASSERT_TRUE(PKCS12CreateVector(&p12, key1.get(), {cert2.get(), cert3.get()}));
ExpectPKCS12Parse(p12, key1.get(), nullptr, {cert2.get(), cert3.get()});
}
+
+TEST(PKCS12Test, CreateWithAlias) {
+ bssl::UniquePtr<EVP_PKEY> key = MakeTestKey();
+ ASSERT_TRUE(key);
+ bssl::UniquePtr<X509> cert1 = MakeTestCert(key.get());
+ ASSERT_TRUE(cert1);
+ bssl::UniquePtr<X509> cert2 = MakeTestCert(key.get());
+ ASSERT_TRUE(cert2);
+
+ std::string alias = "I'm an alias";
+ int res = X509_alias_set1(
+ cert1.get(), reinterpret_cast<const unsigned char *>(alias.data()),
+ alias.size());
+ ASSERT_EQ(res, 1);
+
+ std::vector<X509 *> certs = {cert1.get(), cert2.get()};
+ std::vector<uint8_t> der;
+ ASSERT_TRUE(PKCS12CreateVector(&der, key.get(), certs));
+
+ bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(der.data(), der.size()));
+ ASSERT_TRUE(bio);
+ bssl::UniquePtr<PKCS12> p12(d2i_PKCS12_bio(bio.get(), nullptr));
+ ASSERT_TRUE(p12);
+
+ EVP_PKEY *parsed_key = nullptr;
+ X509 *parsed_cert = nullptr;
+ STACK_OF(X509) *ca_certs = nullptr;
+ ASSERT_TRUE(
+ PKCS12_parse(p12.get(), kPassword, &parsed_key, &parsed_cert, &ca_certs));
+
+ bssl::UniquePtr<EVP_PKEY> delete_key(parsed_key);
+ bssl::UniquePtr<X509> delete_cert(parsed_cert);
+ bssl::UniquePtr<STACK_OF(X509)> delete_ca_certs(ca_certs);
+ ASSERT_EQ(sk_X509_num(ca_certs), 1UL);
+
+ int alias_len = 0;
+ const unsigned char *parsed_alias =
+ X509_alias_get0(sk_X509_value(ca_certs, 0), &alias_len);
+ ASSERT_TRUE(parsed_alias);
+ ASSERT_EQ(alias, std::string(reinterpret_cast<const char *>(parsed_alias),
+ static_cast<size_t>(alias_len)));
+}
diff --git a/src/crypto/pkcs8/pkcs8_x509.c b/src/crypto/pkcs8/pkcs8_x509.c
index e2a02e8..1ea83e7 100644
--- a/src/crypto/pkcs8/pkcs8_x509.c
+++ b/src/crypto/pkcs8/pkcs8_x509.c
@@ -993,8 +993,8 @@
// add_bag_attributes adds the bagAttributes field of a SafeBag structure,
// containing the specified friendlyName and localKeyId attributes.
-static int add_bag_attributes(CBB *bag, const char *name, const uint8_t *key_id,
- size_t key_id_len) {
+static int add_bag_attributes(CBB *bag, const char *name, size_t name_len,
+ const uint8_t *key_id, size_t key_id_len) {
if (name == NULL && key_id_len == 0) {
return 1; // Omit the OPTIONAL SET.
}
@@ -1003,7 +1003,7 @@
if (!CBB_add_asn1(bag, &attrs, CBS_ASN1_SET)) {
return 0;
}
- if (name != NULL) {
+ if (name_len != 0) {
// See https://tools.ietf.org/html/rfc2985, section 5.5.1.
if (!CBB_add_asn1(&attrs, &attr, CBS_ASN1_SEQUENCE) ||
!CBB_add_asn1(&attr, &oid, CBS_ASN1_OBJECT) ||
@@ -1014,7 +1014,7 @@
}
// Convert the friendly name to a BMPString.
CBS name_cbs;
- CBS_init(&name_cbs, (const uint8_t *)name, strlen(name));
+ CBS_init(&name_cbs, (const uint8_t *)name, name_len);
while (CBS_len(&name_cbs) != 0) {
uint32_t c;
if (!cbs_get_utf8(&name_cbs, &c) ||
@@ -1059,10 +1059,24 @@
}
uint8_t *buf;
int len = i2d_X509(cert, NULL);
+
+ int int_name_len = 0;
+ const char *cert_name = (const char *)X509_alias_get0(cert, &int_name_len);
+ size_t name_len = int_name_len;
+ if (name) {
+ if (name_len != 0) {
+ OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_AMBIGUOUS_FRIENDLY_NAME);
+ return 0;
+ }
+ name_len = strlen(name);
+ } else {
+ name = cert_name;
+ }
+
if (len < 0 ||
!CBB_add_space(&cert_value, &buf, (size_t)len) ||
i2d_X509(cert, &buf) < 0 ||
- !add_bag_attributes(&bag, name, key_id, key_id_len) ||
+ !add_bag_attributes(&bag, name, name_len, key_id, key_id_len) ||
!CBB_flush(cbb)) {
return 0;
}
@@ -1323,7 +1337,11 @@
goto err;
}
}
- if (!add_bag_attributes(&bag, name, key_id, key_id_len) ||
+ size_t name_len = 0;
+ if (name) {
+ name_len = strlen(name);
+ }
+ if (!add_bag_attributes(&bag, name, name_len, key_id, key_id_len) ||
!CBB_flush(&content_infos)) {
goto err;
}
diff --git a/src/crypto/test/abi_test.h b/src/crypto/test/abi_test.h
index ffe4479..1ba82b1 100644
--- a/src/crypto/test/abi_test.h
+++ b/src/crypto/test/abi_test.h
@@ -380,9 +380,9 @@
// CheckImpl implementation. It must be specialized for void returns because we
// call |func| directly.
template <typename R, typename... Args>
-inline typename std::enable_if<!std::is_void<R>::value, crypto_word_t>::type
-CheckImpl(Result *out, bool /* unwind */, R (*func)(Args...),
- typename DeductionGuard<Args>::Type... args) {
+inline std::enable_if_t<!std::is_void<R>::value, crypto_word_t> CheckImpl(
+ Result *out, bool /* unwind */, R (*func)(Args...),
+ typename DeductionGuard<Args>::Type... args) {
*out = Result();
return func(args...);
}
diff --git a/src/crypto/trust_token/trust_token_test.cc b/src/crypto/trust_token/trust_token_test.cc
index f9f183d..72d555b 100644
--- a/src/crypto/trust_token/trust_token_test.cc
+++ b/src/crypto/trust_token/trust_token_test.cc
@@ -854,7 +854,7 @@
&key->key.y1, &key->key.xs, &key->key.ys};
// Corrupt private key scalar.
- scalars[corrupted_key()]->bytes[0] ^= 42;
+ scalars[corrupted_key()]->words[0] ^= 42;
size_t tokens_issued;
ASSERT_TRUE(TRUST_TOKEN_ISSUER_issue(
diff --git a/src/crypto/x509/internal.h b/src/crypto/x509/internal.h
index ff8288f..78275ae 100644
--- a/src/crypto/x509/internal.h
+++ b/src/crypto/x509/internal.h
@@ -221,8 +221,6 @@
ASN1_INTEGER *base_crl_number;
unsigned char crl_hash[SHA256_DIGEST_LENGTH];
STACK_OF(GENERAL_NAMES) *issuers;
- const X509_CRL_METHOD *meth;
- void *meth_data;
} /* X509_CRL */;
struct X509_VERIFY_PARAM_st {
diff --git a/src/crypto/x509/t_crl.c b/src/crypto/x509/t_crl.c
index 0e6140d..2aee83d 100644
--- a/src/crypto/x509/t_crl.c
+++ b/src/crypto/x509/t_crl.c
@@ -54,6 +54,8 @@
* copied and put under another distribution licence
* [including the GNU Public Licence.] */
+#include <assert.h>
+
#include <openssl/asn1.h>
#include <openssl/err.h>
#include <openssl/mem.h>
@@ -76,13 +78,11 @@
int X509_CRL_print(BIO *out, X509_CRL *x)
{
long version = X509_CRL_get_version(x);
+ assert(X509_CRL_VERSION_1 <= version && version <= X509_CRL_VERSION_2);
const X509_ALGOR *sig_alg;
const ASN1_BIT_STRING *signature;
X509_CRL_get0_signature(x, &signature, &sig_alg);
if (BIO_printf(out, "Certificate Revocation List (CRL):\n") <= 0 ||
- // TODO(https://crbug.com/boringssl/467): This loses information on some
- // invalid versions, but we should fix this by making invalid versions
- // impossible.
BIO_printf(out, "%8sVersion %ld (0x%lx)\n", "", version + 1,
(unsigned long)version) <= 0 ||
// Note this and the other |X509_signature_print| call both print the
diff --git a/src/crypto/x509/t_req.c b/src/crypto/x509/t_req.c
index 92ded49..9e3ce26 100644
--- a/src/crypto/x509/t_req.c
+++ b/src/crypto/x509/t_req.c
@@ -54,6 +54,7 @@
* copied and put under another distribution licence
* [including the GNU Public Licence.] */
+#include <assert.h>
#include <stdio.h>
#include <openssl/bn.h>
@@ -103,10 +104,8 @@
}
}
if (!(cflag & X509_FLAG_NO_VERSION)) {
- /* TODO(https://crbug.com/boringssl/467): This loses information on some
- * invalid versions, but we should fix this by making invalid versions
- * impossible. */
l = X509_REQ_get_version(x);
+ assert(l == X509_REQ_VERSION_1);
if (BIO_printf(bio, "%8sVersion: %ld (0x%lx)\n", "", l + 1,
(unsigned long)l) <= 0) {
goto err;
diff --git a/src/crypto/x509/t_x509.c b/src/crypto/x509/t_x509.c
index 4f9d409..955d1cd 100644
--- a/src/crypto/x509/t_x509.c
+++ b/src/crypto/x509/t_x509.c
@@ -119,10 +119,8 @@
goto err;
}
if (!(cflag & X509_FLAG_NO_VERSION)) {
- /* TODO(https://crbug.com/boringssl/467): This loses information on some
- * invalid versions, but we should fix this by making invalid versions
- * impossible. */
l = X509_get_version(x);
+ assert(X509_VERSION_1 <= l && l <= X509_VERSION_3);
if (BIO_printf(bp, "%8sVersion: %ld (0x%lx)\n", "", l + 1,
(unsigned long)l) <= 0) {
goto err;
@@ -142,6 +140,7 @@
goto err;
}
} else {
+ ERR_clear_error(); /* Clear |ASN1_INTEGER_get_uint64|'s error. */
neg = (serial->type == V_ASN1_NEG_INTEGER) ? " (Negative)" : "";
if (BIO_printf(bp, "\n%12s%s", "", neg) <= 0) {
goto err;
@@ -322,9 +321,7 @@
int X509_NAME_print(BIO *bp, const X509_NAME *name, int obase)
{
char *s, *c, *b;
- int ret = 0, l, i;
-
- l = 80 - 2 - obase;
+ int ret = 0, i;
b = X509_NAME_oneline(name, NULL, 0);
if (!b)
@@ -351,12 +348,10 @@
if (BIO_write(bp, ", ", 2) != 2)
goto err;
}
- l--;
}
if (*s == '\0')
break;
s++;
- l--;
}
ret = 1;
diff --git a/src/crypto/x509/x509_cmp.c b/src/crypto/x509/x509_cmp.c
index e9e1d8c..80590e2 100644
--- a/src/crypto/x509/x509_cmp.c
+++ b/src/crypto/x509/x509_cmp.c
@@ -165,18 +165,7 @@
x509v3_cache_extensions((X509 *)a);
x509v3_cache_extensions((X509 *)b);
- int rv = OPENSSL_memcmp(a->cert_hash, b->cert_hash, SHA256_DIGEST_LENGTH);
- if (rv)
- return rv;
- /* Check for match against stored encoding too */
- if (!a->cert_info->enc.modified && !b->cert_info->enc.modified) {
- rv = (int)(a->cert_info->enc.len - b->cert_info->enc.len);
- if (rv)
- return rv;
- return OPENSSL_memcmp(a->cert_info->enc.enc, b->cert_info->enc.enc,
- a->cert_info->enc.len);
- }
- return rv;
+ return OPENSSL_memcmp(a->cert_hash, b->cert_hash, SHA256_DIGEST_LENGTH);
}
int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b)
diff --git a/src/crypto/x509/x509_req.c b/src/crypto/x509/x509_req.c
index 99eabfe..5a69a5f 100644
--- a/src/crypto/x509/x509_req.c
+++ b/src/crypto/x509/x509_req.c
@@ -68,48 +68,6 @@
#include "internal.h"
-X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
-{
- X509_REQ *ret;
- X509_REQ_INFO *ri;
- int i;
- EVP_PKEY *pktmp;
-
- ret = X509_REQ_new();
- if (ret == NULL) {
- OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
- goto err;
- }
-
- ri = ret->req_info;
-
- ri->version->length = 1;
- ri->version->data = (unsigned char *)OPENSSL_malloc(1);
- if (ri->version->data == NULL)
- goto err;
- ri->version->data[0] = 0; /* version == 0 */
-
- if (!X509_REQ_set_subject_name(ret, X509_get_subject_name(x)))
- goto err;
-
- pktmp = X509_get_pubkey(x);
- if (pktmp == NULL)
- goto err;
- i = X509_REQ_set_pubkey(ret, pktmp);
- EVP_PKEY_free(pktmp);
- if (!i)
- goto err;
-
- if (pkey != NULL) {
- if (!X509_REQ_sign(ret, pkey, md))
- goto err;
- }
- return (ret);
- err:
- X509_REQ_free(ret);
- return (NULL);
-}
-
long X509_REQ_get_version(const X509_REQ *req)
{
return ASN1_INTEGER_get(req->req_info->version);
diff --git a/src/crypto/x509/x509_set.c b/src/crypto/x509/x509_set.c
index 5cbd00d..6a58322 100644
--- a/src/crypto/x509/x509_set.c
+++ b/src/crypto/x509/x509_set.c
@@ -74,19 +74,29 @@
int X509_set_version(X509 *x, long version)
{
- // TODO(https://crbug.com/boringssl/467): Reject invalid version numbers.
- if (x == NULL)
- return (0);
- if (version == 0) {
+ if (x == NULL) {
+ return 0;
+ }
+
+ if (version < X509_VERSION_1 || version > X509_VERSION_3) {
+ OPENSSL_PUT_ERROR(X509, X509_R_INVALID_VERSION);
+ return 0;
+ }
+
+ /* v1(0) is default and is represented by omitting the version. */
+ if (version == X509_VERSION_1) {
ASN1_INTEGER_free(x->cert_info->version);
x->cert_info->version = NULL;
- return (1);
+ return 1;
}
+
if (x->cert_info->version == NULL) {
- if ((x->cert_info->version = ASN1_INTEGER_new()) == NULL)
- return (0);
+ x->cert_info->version = ASN1_INTEGER_new();
+ if (x->cert_info->version == NULL) {
+ return 0;
+ }
}
- return (ASN1_INTEGER_set(x->cert_info->version, version));
+ return ASN1_INTEGER_set(x->cert_info->version, version);
}
int X509_set_serialNumber(X509 *x, const ASN1_INTEGER *serial)
diff --git a/src/crypto/x509/x509_test.cc b/src/crypto/x509/x509_test.cc
index b201afe..ce70ae3 100644
--- a/src/crypto/x509/x509_test.cc
+++ b/src/crypto/x509/x509_test.cc
@@ -1047,7 +1047,7 @@
-----END CERTIFICATE-----
)";
-// CertFromPEM parses the given, NUL-terminated pem block and returns an
+// CertFromPEM parses the given, NUL-terminated PEM block and returns an
// |X509*|.
static bssl::UniquePtr<X509> CertFromPEM(const char *pem) {
bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(pem, strlen(pem)));
@@ -1055,7 +1055,7 @@
PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr));
}
-// CRLFromPEM parses the given, NUL-terminated pem block and returns an
+// CRLFromPEM parses the given, NUL-terminated PEM block and returns an
// |X509_CRL*|.
static bssl::UniquePtr<X509_CRL> CRLFromPEM(const char *pem) {
bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(pem, strlen(pem)));
@@ -1063,7 +1063,15 @@
PEM_read_bio_X509_CRL(bio.get(), nullptr, nullptr, nullptr));
}
-// PrivateKeyFromPEM parses the given, NUL-terminated pem block and returns an
+// CSRFromPEM parses the given, NUL-terminated PEM block and returns an
+// |X509_REQ*|.
+static bssl::UniquePtr<X509_REQ> CSRFromPEM(const char *pem) {
+ bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(pem, strlen(pem)));
+ return bssl::UniquePtr<X509_REQ>(
+ PEM_read_bio_X509_REQ(bio.get(), nullptr, nullptr, nullptr));
+}
+
+// PrivateKeyFromPEM parses the given, NUL-terminated PEM block and returns an
// |EVP_PKEY*|.
static bssl::UniquePtr<EVP_PKEY> PrivateKeyFromPEM(const char *pem) {
bssl::UniquePtr<BIO> bio(
@@ -2871,12 +2879,70 @@
-----END CERTIFICATE-----
)";
-// Test that the X.509 parser enforces versions are valid and match the fields
+// kV1CRLWithExtensionsPEM is a v1 CRL with extensions.
+static const char kV1CRLWithExtensionsPEM[] = R"(
+-----BEGIN X509 CRL-----
+MIIBpDCBjTANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJVUzETMBEGA1UECAwK
+Q2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzESMBAGA1UECgwJQm9y
+aW5nU1NMFw0xNjA5MjYxNTEwNTVaFw0xNjEwMjYxNTEwNTVaoA4wDDAKBgNVHRQE
+AwIBATANBgkqhkiG9w0BAQsFAAOCAQEAnrBKKgvd9x9zwK9rtUvVeFeJ7+LNZEAc
++a5oxpPNEsJx6hXoApYEbzXMxuWBQoCs5iEBycSGudct21L+MVf27M38KrWoeOkq
+0a2siqViQZO2Fb/SUFR0k9zb8xl86Zf65lgPplALun0bV/HT7MJcl04Tc4osdsAR
+eBs5nqTGNEd5AlC1iKHvQZkM//MD51DspKnDpsDiUVi54h9C1SpfZmX8H2Vvdiyu
+0fZ/bPAM3VAGawatf/SyWfBMyKpoPXEG39oAzmjjOj8en82psn7m474IGaho/vBb
+hl1ms5qQiLYPjm4YELtnXQoFyC72tBjbdFd/ZE9k4CNKDbxFUXFbkw==
+-----END X509 CRL-----
+)";
+
+// kExplicitDefaultVersionCRLPEM is a v1 CRL with an explicitly-encoded version
+// field.
+static const char kExplicitDefaultVersionCRLPEM[] = R"(
+-----BEGIN X509 CRL-----
+MIIBlzCBgAIBADANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJVUzETMBEGA1UE
+CAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzESMBAGA1UECgwJ
+Qm9yaW5nU1NMFw0xNjA5MjYxNTEwNTVaFw0xNjEwMjYxNTEwNTVaMA0GCSqGSIb3
+DQEBCwUAA4IBAQCesEoqC933H3PAr2u1S9V4V4nv4s1kQBz5rmjGk80SwnHqFegC
+lgRvNczG5YFCgKzmIQHJxIa51y3bUv4xV/bszfwqtah46SrRrayKpWJBk7YVv9JQ
+VHST3NvzGXzpl/rmWA+mUAu6fRtX8dPswlyXThNziix2wBF4GzmepMY0R3kCULWI
+oe9BmQz/8wPnUOykqcOmwOJRWLniH0LVKl9mZfwfZW92LK7R9n9s8AzdUAZrBq1/
+9LJZ8EzIqmg9cQbf2gDOaOM6Px6fzamyfubjvggZqGj+8FuGXWazmpCItg+ObhgQ
+u2ddCgXILva0GNt0V39kT2TgI0oNvEVRcVuT
+-----END X509 CRL-----
+)";
+
+// kV3CRLPEM is a v3 CRL. CRL versions only go up to v2.
+static const char kV3CRLPEM[] = R"(
+-----BEGIN X509 CRL-----
+MIIBpzCBkAIBAjANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJVUzETMBEGA1UE
+CAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzESMBAGA1UECgwJ
+Qm9yaW5nU1NMFw0xNjA5MjYxNTEwNTVaFw0xNjEwMjYxNTEwNTVaoA4wDDAKBgNV
+HRQEAwIBATANBgkqhkiG9w0BAQsFAAOCAQEAnrBKKgvd9x9zwK9rtUvVeFeJ7+LN
+ZEAc+a5oxpPNEsJx6hXoApYEbzXMxuWBQoCs5iEBycSGudct21L+MVf27M38KrWo
+eOkq0a2siqViQZO2Fb/SUFR0k9zb8xl86Zf65lgPplALun0bV/HT7MJcl04Tc4os
+dsAReBs5nqTGNEd5AlC1iKHvQZkM//MD51DspKnDpsDiUVi54h9C1SpfZmX8H2Vv
+diyu0fZ/bPAM3VAGawatf/SyWfBMyKpoPXEG39oAzmjjOj8en82psn7m474IGaho
+/vBbhl1ms5qQiLYPjm4YELtnXQoFyC72tBjbdFd/ZE9k4CNKDbxFUXFbkw==
+-----END X509 CRL-----
+)";
+
+// kV2CSRPEM is a v2 CSR. CSR versions only go up to v1.
+static const char kV2CSRPEM[] = R"(
+-----BEGIN CERTIFICATE REQUEST-----
+MIHJMHECAQEwDzENMAsGA1UEAwwEVGVzdDBZMBMGByqGSM49AgEGCCqGSM49AwEH
+A0IABJjsayyAQod1J7UJYNT8AH4WWxLdKV0ozhrIz6hCzBAze7AqXWOSH8G+1EWC
+pSfL3oMQNtBdJS0kpXXaUqEAgTSgADAKBggqhkjOPQQDAgNIADBFAiAUXVaEYATg
+4Cc917T73KBImxh6xyhsA5pKuYpq1S4m9wIhAK+G93HR4ur7Ghel6+zUTvIAsj9e
+rsn4lSYsqI4OI4ei
+-----END CERTIFICATE REQUEST-----
+)";
+
+// Test that the library enforces versions are valid and match the fields
// present.
TEST(X509Test, InvalidVersion) {
// kExplicitDefaultVersionPEM is invalid but, for now, we accept it. See
// https://crbug.com/boringssl/364.
EXPECT_TRUE(CertFromPEM(kExplicitDefaultVersionPEM));
+ EXPECT_TRUE(CRLFromPEM(kExplicitDefaultVersionCRLPEM));
EXPECT_FALSE(CertFromPEM(kNegativeVersionPEM));
EXPECT_FALSE(CertFromPEM(kFutureVersionPEM));
@@ -2885,6 +2951,27 @@
EXPECT_FALSE(CertFromPEM(kV2WithExtensionsPEM));
EXPECT_FALSE(CertFromPEM(kV1WithIssuerUniqueIDPEM));
EXPECT_FALSE(CertFromPEM(kV1WithSubjectUniqueIDPEM));
+ EXPECT_FALSE(CRLFromPEM(kV1CRLWithExtensionsPEM));
+ EXPECT_FALSE(CRLFromPEM(kV3CRLPEM));
+ EXPECT_FALSE(CSRFromPEM(kV2CSRPEM));
+
+ bssl::UniquePtr<X509> x509(X509_new());
+ ASSERT_TRUE(x509);
+ EXPECT_FALSE(X509_set_version(x509.get(), -1));
+ EXPECT_FALSE(X509_set_version(x509.get(), X509_VERSION_3 + 1));
+ EXPECT_FALSE(X509_set_version(x509.get(), 9999));
+
+ bssl::UniquePtr<X509_CRL> crl(X509_CRL_new());
+ ASSERT_TRUE(crl);
+ EXPECT_FALSE(X509_CRL_set_version(crl.get(), -1));
+ EXPECT_FALSE(X509_CRL_set_version(crl.get(), X509_CRL_VERSION_2 + 1));
+ EXPECT_FALSE(X509_CRL_set_version(crl.get(), 9999));
+
+ bssl::UniquePtr<X509_REQ> req(X509_REQ_new());
+ ASSERT_TRUE(req);
+ EXPECT_FALSE(X509_REQ_set_version(req.get(), -1));
+ EXPECT_FALSE(X509_REQ_set_version(req.get(), X509_REQ_VERSION_1 + 1));
+ EXPECT_FALSE(X509_REQ_set_version(req.get(), 9999));
}
// Unlike upstream OpenSSL, we require a non-null store in
@@ -3911,3 +3998,378 @@
EXPECT_STREQ(hex.get(), t.hex);
}
}
+
+TEST(X509Test, NamePrint) {
+ // kTestName is a DER-encoded X.509 that covers many cases.
+ //
+ // SEQUENCE {
+ // SET {
+ // SEQUENCE {
+ // # countryName
+ // OBJECT_IDENTIFIER { 2.5.4.6 }
+ // PrintableString { "US" }
+ // }
+ // }
+ // # Sets may be multi-valued, with different attributes. Try to keep this
+ // # in DER set order, in case we ever enforce this in the parser.
+ // SET {
+ // SEQUENCE {
+ // # stateOrProvinceName
+ // OBJECT_IDENTIFIER { 2.5.4.8 }
+ // PrintableString { "Some State" }
+ // }
+ // SEQUENCE {
+ // # stateOrProvinceName
+ // OBJECT_IDENTIFIER { 2.5.4.8 }
+ // UTF8String { "Some Other State \xe2\x98\x83" }
+ // }
+ // SEQUENCE {
+ // # stateOrProvinceName
+ // OBJECT_IDENTIFIER { 2.5.4.8 }
+ // BMPString { u"Another State \u2603" }
+ // }
+ // SEQUENCE {
+ // # A custom OID
+ // OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2 }
+ // UniversalString { U"\u2603" }
+ // }
+ // }
+ // # Custom OIDs may have non-string values.
+ // SET {
+ // SEQUENCE {
+ // OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.3 }
+ // SEQUENCE { INTEGER { 1 } INTEGER { 2 } }
+ // }
+ // }
+ // SET {
+ // SEQUENCE {
+ // # organizationName
+ // OBJECT_IDENTIFIER { 2.5.4.10 }
+ // PrintableString { "Org Name" }
+ // }
+ // }
+ // SET {
+ // SEQUENCE {
+ // # commonName
+ // OBJECT_IDENTIFIER { 2.5.4.3 }
+ // # Embed common delimiter forms to test how well they get escaped.
+ // UTF8String { "Common
+ // Name/CN=A/CN=B,CN=A,CN=B+CN=A+CN=B;CN=A;CN=B\nCN=A\n" }
+ // }
+ // }
+ // SET {
+ // SEQUENCE {
+ // # commonName
+ // OBJECT_IDENTIFIER { 2.5.4.3 }
+ // # Test escaping of leading and trailing spaces.
+ // UTF8String { " spaces " }
+ // }
+ // }
+ static const uint8_t kTestName[] = {
+ 0x30, 0x82, 0x01, 0x00, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04,
+ 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x6d, 0x30, 0x11, 0x06, 0x03, 0x55,
+ 0x04, 0x08, 0x13, 0x0a, 0x53, 0x6f, 0x6d, 0x65, 0x20, 0x53, 0x74, 0x61,
+ 0x74, 0x65, 0x30, 0x1b, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x14, 0x53,
+ 0x6f, 0x6d, 0x65, 0x20, 0x4f, 0x74, 0x68, 0x65, 0x72, 0x20, 0x53, 0x74,
+ 0x61, 0x74, 0x65, 0x20, 0xe2, 0x98, 0x83, 0x30, 0x25, 0x06, 0x03, 0x55,
+ 0x04, 0x08, 0x1e, 0x1e, 0x00, 0x41, 0x00, 0x6e, 0x00, 0x6f, 0x00, 0x74,
+ 0x00, 0x68, 0x00, 0x65, 0x00, 0x72, 0x00, 0x20, 0x00, 0x53, 0x00, 0x74,
+ 0x00, 0x61, 0x00, 0x74, 0x00, 0x65, 0x00, 0x20, 0x26, 0x03, 0x30, 0x14,
+ 0x06, 0x0c, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, 0x01, 0x84, 0xb7,
+ 0x09, 0x02, 0x1c, 0x04, 0x00, 0x00, 0x26, 0x03, 0x31, 0x18, 0x30, 0x16,
+ 0x06, 0x0c, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, 0x01, 0x84, 0xb7,
+ 0x09, 0x03, 0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02, 0x31, 0x11,
+ 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x08, 0x4f, 0x72, 0x67,
+ 0x20, 0x4e, 0x61, 0x6d, 0x65, 0x31, 0x42, 0x30, 0x40, 0x06, 0x03, 0x55,
+ 0x04, 0x03, 0x0c, 0x39, 0x43, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x20, 0x4e,
+ 0x61, 0x6d, 0x65, 0x2f, 0x43, 0x4e, 0x3d, 0x41, 0x2f, 0x43, 0x4e, 0x3d,
+ 0x42, 0x2c, 0x43, 0x4e, 0x3d, 0x41, 0x2c, 0x43, 0x4e, 0x3d, 0x42, 0x2b,
+ 0x43, 0x4e, 0x3d, 0x41, 0x2b, 0x43, 0x4e, 0x3d, 0x42, 0x3b, 0x43, 0x4e,
+ 0x3d, 0x41, 0x3b, 0x43, 0x4e, 0x3d, 0x42, 0x0a, 0x43, 0x4e, 0x3d, 0x41,
+ 0x0a, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x08,
+ 0x20, 0x73, 0x70, 0x61, 0x63, 0x65, 0x73, 0x20};
+
+ const uint8_t *ptr = kTestName;
+ bssl::UniquePtr<X509_NAME> name(
+ d2i_X509_NAME(nullptr, &ptr, sizeof(kTestName)));
+ ASSERT_TRUE(name);
+ EXPECT_EQ(ptr, kTestName + sizeof(kTestName));
+
+ struct {
+ int indent;
+ unsigned long flags;
+ std::string printed;
+ } kTests[] = {
+ // RFC 2253 uses , and + separators and encodes the RDNs in reverse.
+ // OpenSSL's implementation additionally happens to reverse the values
+ // within each RDN. RFC 2253 says any order is permissible.
+ {/*indent=*/0,
+ /*flags=*/XN_FLAG_RFC2253,
+ "CN=\\ spaces\\ ,"
+ "CN=Common "
+ "Name/CN=A/CN=B\\,CN=A\\,CN=B\\+CN=A\\+CN=B\\;CN=A\\;CN=B\\0ACN=A\\0A,"
+ "O=Org Name,"
+ "1.2.840.113554.4.1.72585.3=#3006020101020102,"
+ "1.2.840.113554.4.1.72585.2=#1C0400002603+"
+ "ST=Another State \\E2\\98\\83+"
+ "ST=Some Other State \\E2\\98\\83+"
+ "ST=Some State,"
+ "C=US"},
+ {/*indent=*/2,
+ /*flags=*/XN_FLAG_RFC2253,
+ " "
+ "CN=\\ spaces\\ ,"
+ "CN=Common "
+ "Name/CN=A/CN=B\\,CN=A\\,CN=B\\+CN=A\\+CN=B\\;CN=A\\;CN=B\\0ACN=A\\0A,"
+ "O=Org Name,"
+ "1.2.840.113554.4.1.72585.3=#3006020101020102,"
+ "1.2.840.113554.4.1.72585.2=#1C0400002603+"
+ "ST=Another State \\E2\\98\\83+"
+ "ST=Some Other State \\E2\\98\\83+"
+ "ST=Some State,"
+ "C=US"},
+ // |XN_FLAG_ONELINE| is an OpenSSL-specific single-line format. It also
+ // omits |XN_FLAG_DUMP_UNKNOWN_FIELDS|, so unknown OIDs that use known
+ // string types will still be decoded. (This may drop important
+ // information if the unknown OID distinguishes between string types.) It
+ // also passes |ASN1_STRFLGS_ESC_QUOTE|.
+ {/*indent=*/0,
+ /*flags=*/XN_FLAG_ONELINE,
+ "C = US, "
+ "ST = Some State + "
+ "ST = Some Other State \\E2\\98\\83 + "
+ "ST = Another State \\E2\\98\\83 + "
+ "1.2.840.113554.4.1.72585.2 = \\E2\\98\\83, "
+ "1.2.840.113554.4.1.72585.3 = #3006020101020102, "
+ "O = Org Name, "
+ "CN = \"Common "
+ "Name/CN=A/CN=B,CN=A,CN=B+CN=A+CN=B;CN=A;CN=B\\0ACN=A\\0A\", "
+ "CN = \" spaces \""},
+ // |XN_FLAG_MULTILINE| is an OpenSSL-specific multi-line format that tries
+ // to vertically align the equal sizes. The vertical alignment doesn't
+ // quite handle multi-valued RDNs right and uses a non-RFC-2253 escaping.
+ {/*indent=*/0,
+ /*flags=*/XN_FLAG_MULTILINE,
+ "countryName = US\n"
+ "stateOrProvinceName = Some State + "
+ "stateOrProvinceName = Some Other State \\U2603 + "
+ "stateOrProvinceName = Another State \\U2603 + "
+ "1.2.840.113554.4.1.72585.2 = \\U2603\n"
+ "1.2.840.113554.4.1.72585.3 = 0\\06\\02\\01\\01\\02\\01\\02\n"
+ "organizationName = Org Name\n"
+ "commonName = Common "
+ "Name/CN=A/CN=B,CN=A,CN=B+CN=A+CN=B;CN=A;CN=B\\0ACN=A\\0A\n"
+ "commonName = spaces "},
+ // The multiline format indents every line.
+ {/*indent=*/2,
+ /*flags=*/XN_FLAG_MULTILINE,
+ " countryName = US\n"
+ " stateOrProvinceName = Some State + "
+ "stateOrProvinceName = Some Other State \\U2603 + "
+ "stateOrProvinceName = Another State \\U2603 + "
+ "1.2.840.113554.4.1.72585.2 = \\U2603\n"
+ " 1.2.840.113554.4.1.72585.3 = 0\\06\\02\\01\\01\\02\\01\\02\n"
+ " organizationName = Org Name\n"
+ " commonName = Common "
+ "Name/CN=A/CN=B,CN=A,CN=B+CN=A+CN=B;CN=A;CN=B\\0ACN=A\\0A\n"
+ " commonName = spaces "},
+ // Callers can also customize the output, wuith both |XN_FLAG_*| and
+ // |ASN1_STRFLGS_*|. |XN_FLAG_SEP_SPLUS_SPC| uses semicolon separators and
+ // |XN_FLAG_FN_OID| forces OIDs.
+ {/*indent=*/0,
+ /*flags=*/XN_FLAG_SEP_SPLUS_SPC | XN_FLAG_FN_OID | ASN1_STRFLGS_RFC2253 |
+ ASN1_STRFLGS_ESC_QUOTE,
+ "2.5.4.6=US; "
+ "2.5.4.8=Some State + "
+ "2.5.4.8=Some Other State \\E2\\98\\83 + "
+ "2.5.4.8=Another State \\E2\\98\\83 + "
+ "1.2.840.113554.4.1.72585.2=\\E2\\98\\83; "
+ "1.2.840.113554.4.1.72585.3=#3006020101020102; "
+ "2.5.4.10=Org Name; "
+ "2.5.4.3=\"Common "
+ "Name/CN=A/CN=B,CN=A,CN=B+CN=A+CN=B;CN=A;CN=B\\0ACN=A\\0A\"; "
+ "2.5.4.3=\" spaces \""},
+ // |XN_FLAG_COMPAT| matches |X509_NAME_print|, rather than
+ // |X509_NAME_print_ex|.
+ //
+ // TODO(davidben): This works by post-processing the output of
+ // |X509_NAME_oneline|, which uses "/"" separators, and replacing with
+ // ", ". The escaping is ambiguous and the post-processing is buggy, so
+ // some of the trailing slashes are still present and some internal
+ // slashes are mis-converted.
+ {/*indent=*/0,
+ /*flags=*/XN_FLAG_COMPAT,
+ "C=US, "
+ "ST=Some State, "
+ "ST=Some Other State \\xE2\\x98\\x83, "
+ "ST=\\x00A\\x00n\\x00o\\x00t\\x00h\\x00e\\x00r\\x00 "
+ "\\x00S\\x00t\\x00a\\x00t\\x00e\\x00 &\\x03/"
+ "1.2.840.113554.4.1.72585.2=\\x00\\x00&\\x03/"
+ "1.2.840.113554.4.1.72585.3=0\\x06\\x02\\x01\\x01\\x02\\x01\\x02, "
+ "O=Org Name, "
+ "CN=Common Name, "
+ "CN=A, CN=B,CN=A,CN=B+CN=A+CN=B;CN=A;CN=B\\x0ACN=A\\x0A, "
+ "CN= spaces "},
+ };
+ for (const auto &t : kTests) {
+ SCOPED_TRACE(t.printed);
+ bssl::UniquePtr<BIO> bio(BIO_new(BIO_s_mem()));
+ ASSERT_TRUE(bio);
+ int len = X509_NAME_print_ex(bio.get(), name.get(), t.indent, t.flags);
+ ASSERT_GT(len, 0);
+
+ const uint8_t *printed;
+ size_t printed_len;
+ ASSERT_TRUE(BIO_mem_contents(bio.get(), &printed, &printed_len));
+ EXPECT_EQ(std::string(printed, printed + printed_len), t.printed);
+ if (t.flags != XN_FLAG_COMPAT) {
+ // TODO(davidben): |XN_FLAG_COMPAT| does not return the length.
+ EXPECT_EQ(static_cast<size_t>(len), printed_len);
+
+ // Passing a null |BIO| measures the output instead.
+ len = X509_NAME_print_ex(nullptr, name.get(), t.indent, t.flags);
+ EXPECT_GT(len, 0);
+ EXPECT_EQ(static_cast<size_t>(len), printed_len);
+ }
+ }
+
+ // TODO(davidben): This escapes the underlying bytes in the string, but that
+ // is ambiguous without capturing the type. Should this escape like
+ // |ASN1_STRFLGS_UTF8_CONVERT| instead?
+ static const char *kOnelineComponents[] = {
+ "/C=US",
+ "/ST=Some State",
+ "/ST=Some Other State \\xE2\\x98\\x83",
+ "/ST=\\x00A\\x00n\\x00o\\x00t\\x00h\\x00e\\x00r\\x00 "
+ "\\x00S\\x00t\\x00a\\x00t\\x00e\\x00 &\\x03",
+ "/1.2.840.113554.4.1.72585.2=\\x00\\x00&\\x03",
+ "/1.2.840.113554.4.1.72585.3=0\\x06\\x02\\x01\\x01\\x02\\x01\\x02",
+ "/O=Org Name",
+ "/CN=Common Name/CN=A/CN=B,CN=A,CN=B+CN=A+CN=B;CN=A;CN=B\\x0ACN=A\\x0A",
+ "/CN= spaces ",
+ };
+ std::string oneline_expected;
+ for (const auto& component : kOnelineComponents) {
+ oneline_expected += component;
+ }
+
+ // Given null buffer, |X509_NAME_oneline| allocates a new output.
+ bssl::UniquePtr<char> oneline(X509_NAME_oneline(name.get(), nullptr, 0));
+ ASSERT_TRUE(oneline);
+ EXPECT_EQ(oneline.get(), oneline_expected);
+
+ // Otherwise it writes to the specified buffer. Note one extra byte is needed
+ // for the trailing NUL.
+ char buf[1024];
+ ASSERT_GE(sizeof(buf), oneline_expected.size() + 2);
+ ASSERT_EQ(buf,
+ X509_NAME_oneline(name.get(), buf, oneline_expected.size() + 1));
+ EXPECT_EQ(buf, oneline_expected);
+
+ memset(buf, 'a', sizeof(buf));
+ ASSERT_EQ(buf,
+ X509_NAME_oneline(name.get(), buf, oneline_expected.size() + 2));
+ EXPECT_EQ(buf, oneline_expected);
+
+ // If the length is too small, |X509_NAME_oneline| truncates at name
+ // entry boundaries.
+ EXPECT_EQ(nullptr, X509_NAME_oneline(name.get(), buf, 0));
+ for (size_t len = 1; len < oneline_expected.size(); len++) {
+ SCOPED_TRACE(len);
+ memset(buf, 'a', sizeof(buf));
+ EXPECT_EQ(buf, X509_NAME_oneline(name.get(), buf, len));
+
+ std::string truncated;
+ for (const auto& component : kOnelineComponents) {
+ if (truncated.size() + strlen(component) + 1 > len) {
+ break;
+ }
+ truncated += component;
+ }
+ EXPECT_EQ(buf, truncated);
+ }
+}
+
+// kLargeSerialPEM is a certificate with a large serial number.
+static const char kLargeSerialPEM[] = R"(
+-----BEGIN CERTIFICATE-----
+MIICZjCCAc+gAwIBAgIQASNFZ4mrze8BI0VniavN7zANBgkqhkiG9w0BAQsFADA2
+MRowGAYDVQQKExFCb3JpbmdTU0wgVEVTVElORzEYMBYGA1UEAxMPSW50ZXJtZWRp
+YXRlIENBMCAXDTE1MDEwMTAwMDAwMFoYDzIxMDAwMTAxMDAwMDAwWjAyMRowGAYD
+VQQKExFCb3JpbmdTU0wgVEVTVElORzEUMBIGA1UEAxMLZXhhbXBsZS5jb20wgZ8w
+DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMPRTRliCpKEnug6OzI0rJVcQep5p+aT
+9sCg+pj+HVyg/DYTwqZ6qJRKhM+MbkhdJuU7FyqlsBeCeM/OjwMjcY0yEB/xJg1i
+ygfuBztTLuPnHxtSuKwae5MeqSofp3j97sRMnuLcKlHxu8rXoOCAS9BO50uKnPwU
+Ee1iEVqR92FPAgMBAAGjdzB1MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggr
+BgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAZBgNVHQ4EEgQQo3mm9u6v
+uaVeN4wRgDTidTAbBgNVHSMEFDASgBCMGmiotXbbXVd7H40UsgajMA0GCSqGSIb3
+DQEBCwUAA4GBAGP+n4kKGn/8uddYLWTXbUsz+KLuEXNDMyu3vRufLjTpIbP2MCNo
+85fhLeC3fzKuGOk+6QGVLOBBcWDrrLqrmqnWdBMPULDo2QoF71a4GVjeJh+ax/tZ
+PyeGVPUK21TE0LDIxf2a11d1CJw582MgZQIPk4tXk+AcU9EqIceKgECG
+-----END CERTIFICATE-----
+)";
+
+TEST(X509Test, Print) {
+ bssl::UniquePtr<X509> cert(CertFromPEM(kLargeSerialPEM));
+ ASSERT_TRUE(cert);
+
+ bssl::UniquePtr<BIO> bio(BIO_new(BIO_s_mem()));
+ ASSERT_TRUE(bio);
+ EXPECT_TRUE(X509_print_ex(bio.get(), cert.get(), 0, 0));
+ // Nothing should be left in the error queue.
+ EXPECT_EQ(0u, ERR_peek_error());
+
+ // This output is not guaranteed to be stable, but we assert on it to make
+ // sure something is printed.
+ const uint8_t *data;
+ size_t data_len;
+ ASSERT_TRUE(BIO_mem_contents(bio.get(), &data, &data_len));
+ std::string print(reinterpret_cast<const char*>(data), data_len);
+ EXPECT_EQ(print, R"(Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number:
+ 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: O=BoringSSL TESTING, CN=Intermediate CA
+ Validity
+ Not Before: Jan 1 00:00:00 2015 GMT
+ Not After : Jan 1 00:00:00 2100 GMT
+ Subject: O=BoringSSL TESTING, CN=example.com
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (1024 bit)
+ Modulus:
+ 00:c3:d1:4d:19:62:0a:92:84:9e:e8:3a:3b:32:34:
+ ac:95:5c:41:ea:79:a7:e6:93:f6:c0:a0:fa:98:fe:
+ 1d:5c:a0:fc:36:13:c2:a6:7a:a8:94:4a:84:cf:8c:
+ 6e:48:5d:26:e5:3b:17:2a:a5:b0:17:82:78:cf:ce:
+ 8f:03:23:71:8d:32:10:1f:f1:26:0d:62:ca:07:ee:
+ 07:3b:53:2e:e3:e7:1f:1b:52:b8:ac:1a:7b:93:1e:
+ a9:2a:1f:a7:78:fd:ee:c4:4c:9e:e2:dc:2a:51:f1:
+ bb:ca:d7:a0:e0:80:4b:d0:4e:e7:4b:8a:9c:fc:14:
+ 11:ed:62:11:5a:91:f7:61:4f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Key Usage: critical
+ Digital Signature, Key Encipherment
+ X509v3 Extended Key Usage:
+ TLS Web Server Authentication, TLS Web Client Authentication
+ X509v3 Basic Constraints: critical
+ CA:FALSE
+ X509v3 Subject Key Identifier:
+ A3:79:A6:F6:EE:AF:B9:A5:5E:37:8C:11:80:34:E2:75
+ X509v3 Authority Key Identifier:
+ keyid:8C:1A:68:A8:B5:76:DB:5D:57:7B:1F:8D:14:B2:06:A3
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 63:fe:9f:89:0a:1a:7f:fc:b9:d7:58:2d:64:d7:6d:4b:33:f8:
+ a2:ee:11:73:43:33:2b:b7:bd:1b:9f:2e:34:e9:21:b3:f6:30:
+ 23:68:f3:97:e1:2d:e0:b7:7f:32:ae:18:e9:3e:e9:01:95:2c:
+ e0:41:71:60:eb:ac:ba:ab:9a:a9:d6:74:13:0f:50:b0:e8:d9:
+ 0a:05:ef:56:b8:19:58:de:26:1f:9a:c7:fb:59:3f:27:86:54:
+ f5:0a:db:54:c4:d0:b0:c8:c5:fd:9a:d7:57:75:08:9c:39:f3:
+ 63:20:65:02:0f:93:8b:57:93:e0:1c:53:d1:2a:21:c7:8a:80:
+ 40:86
+)");
+}
diff --git a/src/crypto/x509/x509_vfy.c b/src/crypto/x509/x509_vfy.c
index 2dfdce2..f41ae6e 100644
--- a/src/crypto/x509/x509_vfy.c
+++ b/src/crypto/x509/x509_vfy.c
@@ -190,8 +190,8 @@
X509_VERIFY_PARAM *param = ctx->param;
int depth, i, ok = 0;
int num, j, retry, trust;
- int (*cb) (int xok, X509_STORE_CTX *xctx);
STACK_OF(X509) *sktmp = NULL;
+
if (ctx->cert == NULL) {
OPENSSL_PUT_ERROR(X509, X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
ctx->error = X509_V_ERR_INVALID_CALL;
@@ -207,8 +207,6 @@
return -1;
}
- cb = ctx->verify_cb;
-
/*
* first we make sure the chain we are going to build is present and that
* the first entry is in place
@@ -331,7 +329,7 @@
if (ok == 1)
X509_free(xtmp);
bad_chain = 1;
- ok = cb(0, ctx);
+ ok = ctx->verify_cb(0, ctx);
if (!ok)
goto end;
} else {
@@ -457,7 +455,7 @@
ctx->error_depth = num - 1;
bad_chain = 1;
- ok = cb(0, ctx);
+ ok = ctx->verify_cb(0, ctx);
if (!ok)
goto end;
}
@@ -487,7 +485,7 @@
if (err != X509_V_OK) {
ctx->error = err;
ctx->current_cert = sk_X509_value(ctx->chain, ctx->error_depth);
- ok = cb(0, ctx);
+ ok = ctx->verify_cb(0, ctx);
if (!ok)
goto end;
}
@@ -577,11 +575,9 @@
{
int i, ok = 0, plen = 0;
X509 *x;
- int (*cb) (int xok, X509_STORE_CTX *xctx);
int proxy_path_length = 0;
int purpose;
int allow_proxy_certs;
- cb = ctx->verify_cb;
enum {
// ca_or_leaf allows either type of certificate so that direct use of
@@ -612,7 +608,7 @@
ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION;
ctx->error_depth = i;
ctx->current_cert = x;
- ok = cb(0, ctx);
+ ok = ctx->verify_cb(0, ctx);
if (!ok)
goto end;
}
@@ -620,7 +616,7 @@
ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED;
ctx->error_depth = i;
ctx->current_cert = x;
- ok = cb(0, ctx);
+ ok = ctx->verify_cb(0, ctx);
if (!ok)
goto end;
}
@@ -651,7 +647,7 @@
if (ret == 0) {
ctx->error_depth = i;
ctx->current_cert = x;
- ok = cb(0, ctx);
+ ok = ctx->verify_cb(0, ctx);
if (!ok)
goto end;
}
@@ -662,7 +658,7 @@
ctx->error = X509_V_ERR_INVALID_PURPOSE;
ctx->error_depth = i;
ctx->current_cert = x;
- ok = cb(0, ctx);
+ ok = ctx->verify_cb(0, ctx);
if (!ok)
goto end;
}
@@ -674,7 +670,7 @@
ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
ctx->error_depth = i;
ctx->current_cert = x;
- ok = cb(0, ctx);
+ ok = ctx->verify_cb(0, ctx);
if (!ok)
goto end;
}
@@ -691,7 +687,7 @@
ctx->error = X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
ctx->error_depth = i;
ctx->current_cert = x;
- ok = cb(0, ctx);
+ ok = ctx->verify_cb(0, ctx);
if (!ok)
goto end;
}
@@ -859,8 +855,6 @@
size_t i;
int ok;
X509 *x = NULL;
- int (*cb) (int xok, X509_STORE_CTX *xctx);
- cb = ctx->verify_cb;
/* Check all trusted certificates in chain */
for (i = ctx->last_untrusted; i < sk_X509_num(ctx->chain); i++) {
x = sk_X509_value(ctx->chain, i);
@@ -876,7 +870,7 @@
ctx->error_depth = i;
ctx->current_cert = x;
ctx->error = X509_V_ERR_CERT_REJECTED;
- ok = cb(0, ctx);
+ ok = ctx->verify_cb(0, ctx);
if (!ok)
return X509_TRUST_REJECTED;
}
@@ -1792,9 +1786,6 @@
int ok = 0, n;
X509 *xs, *xi;
EVP_PKEY *pkey = NULL;
- int (*cb) (int xok, X509_STORE_CTX *xctx);
-
- cb = ctx->verify_cb;
n = sk_X509_num(ctx->chain);
ctx->error_depth = n - 1;
@@ -1811,7 +1802,7 @@
if (n <= 0) {
ctx->error = X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
ctx->current_cert = xi;
- ok = cb(0, ctx);
+ ok = ctx->verify_cb(0, ctx);
goto end;
} else {
n--;
@@ -1833,13 +1824,13 @@
if ((pkey = X509_get_pubkey(xi)) == NULL) {
ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
ctx->current_cert = xi;
- ok = (*cb) (0, ctx);
+ ok = ctx->verify_cb(0, ctx);
if (!ok)
goto end;
} else if (X509_verify(xs, pkey) <= 0) {
ctx->error = X509_V_ERR_CERT_SIGNATURE_FAILURE;
ctx->current_cert = xs;
- ok = (*cb) (0, ctx);
+ ok = ctx->verify_cb(0, ctx);
if (!ok) {
EVP_PKEY_free(pkey);
goto end;
@@ -1857,7 +1848,7 @@
/* The last error (if any) is still in the error value */
ctx->current_issuer = xi;
ctx->current_cert = xs;
- ok = (*cb) (1, ctx);
+ ok = ctx->verify_cb(1, ctx);
if (!ok)
goto end;
diff --git a/src/crypto/x509/x509cset.c b/src/crypto/x509/x509cset.c
index de32e30..1671f35 100644
--- a/src/crypto/x509/x509cset.c
+++ b/src/crypto/x509/x509cset.c
@@ -64,16 +64,29 @@
int X509_CRL_set_version(X509_CRL *x, long version)
{
- /* TODO(https://crbug.com/boringssl/467): Reject invalid version
- * numbers. Also correctly handle |X509_CRL_VERSION_1|, which should omit
- * the encoding. */
- if (x == NULL)
- return (0);
- if (x->crl->version == NULL) {
- if ((x->crl->version = ASN1_INTEGER_new()) == NULL)
- return (0);
+ if (x == NULL) {
+ return 0;
}
- return (ASN1_INTEGER_set(x->crl->version, version));
+
+ if (version < X509_CRL_VERSION_1 || version > X509_CRL_VERSION_2) {
+ OPENSSL_PUT_ERROR(X509, X509_R_INVALID_VERSION);
+ return 0;
+ }
+
+ /* v1(0) is default and is represented by omitting the version. */
+ if (version == X509_CRL_VERSION_1) {
+ ASN1_INTEGER_free(x->crl->version);
+ x->crl->version = NULL;
+ return 1;
+ }
+
+ if (x->crl->version == NULL) {
+ x->crl->version = ASN1_INTEGER_new();
+ if (x->crl->version == NULL) {
+ return 0;
+ }
+ }
+ return ASN1_INTEGER_set(x->crl->version, version);
}
int X509_CRL_set_issuer_name(X509_CRL *x, X509_NAME *name)
diff --git a/src/crypto/x509/x509rset.c b/src/crypto/x509/x509rset.c
index 5526b23..c69f8cb 100644
--- a/src/crypto/x509/x509rset.c
+++ b/src/crypto/x509/x509rset.c
@@ -64,11 +64,14 @@
int X509_REQ_set_version(X509_REQ *x, long version)
{
- /* TODO(https://crbug.com/boringssl/467): Reject invalid version
- * numbers. */
- if (x == NULL)
- return (0);
- return (ASN1_INTEGER_set(x->req_info->version, version));
+ if (x == NULL) {
+ return 0;
+ }
+ if (version != X509_REQ_VERSION_1) {
+ OPENSSL_PUT_ERROR(X509, X509_R_INVALID_VERSION);
+ return 0;
+ }
+ return ASN1_INTEGER_set(x->req_info->version, version);
}
int X509_REQ_set_subject_name(X509_REQ *x, X509_NAME *name)
diff --git a/src/crypto/x509/x_crl.c b/src/crypto/x509/x_crl.c
index ab2a039..6701963 100644
--- a/src/crypto/x509/x_crl.c
+++ b/src/crypto/x509/x_crl.c
@@ -68,24 +68,6 @@
#include "../internal.h"
#include "internal.h"
-/*
- * Method to handle CRL access. In general a CRL could be very large (several
- * Mb) and can consume large amounts of resources if stored in memory by
- * multiple processes. This method allows general CRL operations to be
- * redirected to more efficient callbacks: for example a CRL entry database.
- */
-
-#define X509_CRL_METHOD_DYNAMIC 1
-
-struct x509_crl_method_st {
- int flags;
- int (*crl_init) (X509_CRL *crl);
- int (*crl_free) (X509_CRL *crl);
- int (*crl_lookup) (X509_CRL *crl, X509_REVOKED **ret,
- ASN1_INTEGER *ser, X509_NAME *issuer);
- int (*crl_verify) (X509_CRL *crl, EVP_PKEY *pk);
-};
-
static int X509_REVOKED_cmp(const X509_REVOKED **a, const X509_REVOKED **b);
static int setup_idp(X509_CRL *crl, ISSUING_DIST_POINT *idp);
@@ -95,19 +77,8 @@
ASN1_SEQUENCE_OF_OPT(X509_REVOKED,extensions, X509_EXTENSION)
} ASN1_SEQUENCE_END(X509_REVOKED)
-static int def_crl_verify(X509_CRL *crl, EVP_PKEY *r);
-static int def_crl_lookup(X509_CRL *crl,
- X509_REVOKED **ret, ASN1_INTEGER *serial,
- X509_NAME *issuer);
-
-static const X509_CRL_METHOD int_crl_meth = {
- 0,
- 0, 0,
- def_crl_lookup,
- def_crl_verify
-};
-
-static const X509_CRL_METHOD *default_crl_method = &int_crl_meth;
+static int crl_lookup(X509_CRL *crl, X509_REVOKED **ret, ASN1_INTEGER *serial,
+ X509_NAME *issuer);
/*
* The X509_CRL_INFO structure needs a bit of customisation. Since we cache
@@ -127,12 +98,6 @@
* affect the output of X509_CRL_print().
*/
case ASN1_OP_D2I_POST:
- /* TODO(https://crbug.com/boringssl/467): Reject invalid version
- * numbers.
- *
- * TODO(davidben): Check that default |versions| are never encoded and
- * that |extensions| is only present in v2. */
-
(void)sk_X509_REVOKED_set_cmp_func(a->revoked, X509_REVOKED_cmp);
break;
}
@@ -243,14 +208,31 @@
crl->flags = 0;
crl->idp_flags = 0;
crl->idp_reasons = CRLDP_ALL_REASONS;
- crl->meth = default_crl_method;
- crl->meth_data = NULL;
crl->issuers = NULL;
crl->crl_number = NULL;
crl->base_crl_number = NULL;
break;
- case ASN1_OP_D2I_POST:
+ case ASN1_OP_D2I_POST: {
+ /* The version must be one of v1(0) or v2(1). */
+ long version = X509_CRL_VERSION_1;
+ if (crl->crl->version != NULL) {
+ version = ASN1_INTEGER_get(crl->crl->version);
+ /* TODO(https://crbug.com/boringssl/364): |X509_CRL_VERSION_1|
+ * should also be rejected. This means an explicitly-encoded X.509v1
+ * version. v1 is DEFAULT, so DER requires it be omitted. */
+ if (version < X509_CRL_VERSION_1 || version > X509_CRL_VERSION_2) {
+ OPENSSL_PUT_ERROR(X509, X509_R_INVALID_VERSION);
+ return 0;
+ }
+ }
+
+ /* Per RFC 5280, section 5.1.2.1, extensions require v2. */
+ if (version != X509_CRL_VERSION_2 && crl->crl->extensions != NULL) {
+ OPENSSL_PUT_ERROR(X509, X509_R_INVALID_FIELD_FOR_VERSION);
+ return 0;
+ }
+
if (!X509_CRL_digest(crl, EVP_sha256(), crl->crl_hash, NULL)) {
return 0;
}
@@ -319,23 +301,12 @@
if (!crl_set_issuers(crl))
return 0;
- if (crl->meth->crl_init) {
- if (crl->meth->crl_init(crl) == 0)
- return 0;
- }
break;
+ }
case ASN1_OP_FREE_POST:
- /* |crl->meth| may be NULL if constructing the object failed before
- * |ASN1_OP_NEW_POST| was run. */
- if (crl->meth && crl->meth->crl_free) {
- if (!crl->meth->crl_free(crl))
- return 0;
- }
- if (crl->akid)
- AUTHORITY_KEYID_free(crl->akid);
- if (crl->idp)
- ISSUING_DIST_POINT_free(crl->idp);
+ AUTHORITY_KEYID_free(crl->akid);
+ ISSUING_DIST_POINT_free(crl->idp);
ASN1_INTEGER_free(crl->crl_number);
ASN1_INTEGER_free(crl->base_crl_number);
sk_GENERAL_NAMES_pop_free(crl->issuers, GENERAL_NAMES_free);
@@ -417,37 +388,25 @@
int X509_CRL_verify(X509_CRL *crl, EVP_PKEY *pkey)
{
- if (crl->meth->crl_verify)
- return crl->meth->crl_verify(crl, pkey);
- return 0;
-}
-
-int X509_CRL_get0_by_serial(X509_CRL *crl,
- X509_REVOKED **ret, ASN1_INTEGER *serial)
-{
- if (crl->meth->crl_lookup)
- return crl->meth->crl_lookup(crl, ret, serial, NULL);
- return 0;
-}
-
-int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, X509 *x)
-{
- if (crl->meth->crl_lookup)
- return crl->meth->crl_lookup(crl, ret,
- X509_get_serialNumber(x),
- X509_get_issuer_name(x));
- return 0;
-}
-
-static int def_crl_verify(X509_CRL *crl, EVP_PKEY *r)
-{
if (X509_ALGOR_cmp(crl->sig_alg, crl->crl->sig_alg) != 0) {
OPENSSL_PUT_ERROR(X509, X509_R_SIGNATURE_ALGORITHM_MISMATCH);
return 0;
}
- return (ASN1_item_verify(ASN1_ITEM_rptr(X509_CRL_INFO),
- crl->sig_alg, crl->signature, crl->crl, r));
+ return ASN1_item_verify(ASN1_ITEM_rptr(X509_CRL_INFO),
+ crl->sig_alg, crl->signature, crl->crl, pkey);
+}
+
+int X509_CRL_get0_by_serial(X509_CRL *crl,
+ X509_REVOKED **ret, ASN1_INTEGER *serial)
+{
+ return crl_lookup(crl, ret, serial, NULL);
+}
+
+int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, X509 *x)
+{
+ return crl_lookup(crl, ret, X509_get_serialNumber(x),
+ X509_get_issuer_name(x));
}
static int crl_revoked_issuer_match(X509_CRL *crl, X509_NAME *nm,
@@ -479,9 +438,8 @@
static struct CRYPTO_STATIC_MUTEX g_crl_sort_lock = CRYPTO_STATIC_MUTEX_INIT;
-static int def_crl_lookup(X509_CRL *crl,
- X509_REVOKED **ret, ASN1_INTEGER *serial,
- X509_NAME *issuer)
+static int crl_lookup(X509_CRL *crl, X509_REVOKED **ret, ASN1_INTEGER *serial,
+ X509_NAME *issuer)
{
X509_REVOKED rtmp, *rev;
size_t idx;
@@ -520,49 +478,3 @@
}
return 0;
}
-
-void X509_CRL_set_default_method(const X509_CRL_METHOD *meth)
-{
- if (meth == NULL)
- default_crl_method = &int_crl_meth;
- else
- default_crl_method = meth;
-}
-
-X509_CRL_METHOD *X509_CRL_METHOD_new(int (*crl_init) (X509_CRL *crl),
- int (*crl_free) (X509_CRL *crl),
- int (*crl_lookup) (X509_CRL *crl,
- X509_REVOKED **ret,
- ASN1_INTEGER *ser,
- X509_NAME *issuer),
- int (*crl_verify) (X509_CRL *crl,
- EVP_PKEY *pk))
-{
- X509_CRL_METHOD *m;
- m = OPENSSL_malloc(sizeof(X509_CRL_METHOD));
- if (!m)
- return NULL;
- m->crl_init = crl_init;
- m->crl_free = crl_free;
- m->crl_lookup = crl_lookup;
- m->crl_verify = crl_verify;
- m->flags = X509_CRL_METHOD_DYNAMIC;
- return m;
-}
-
-void X509_CRL_METHOD_free(X509_CRL_METHOD *m)
-{
- if (!(m->flags & X509_CRL_METHOD_DYNAMIC))
- return;
- OPENSSL_free(m);
-}
-
-void X509_CRL_set_meth_data(X509_CRL *crl, void *dat)
-{
- crl->meth_data = dat;
-}
-
-void *X509_CRL_get_meth_data(X509_CRL *crl)
-{
- return crl->meth_data;
-}
diff --git a/src/crypto/x509/x_req.c b/src/crypto/x509/x_req.c
index 590f84d..0893918 100644
--- a/src/crypto/x509/x_req.c
+++ b/src/crypto/x509/x_req.c
@@ -83,8 +83,13 @@
return 0;
}
- /* TODO(https://crbug.com/boringssl/467): Add an |ASN1_OP_D2I_POST| callback
- * and check the version. */
+ if (operation == ASN1_OP_D2I_POST) {
+ if (ASN1_INTEGER_get(rinf->version) != X509_REQ_VERSION_1) {
+ OPENSSL_PUT_ERROR(X509, X509_R_INVALID_VERSION);
+ return 0;
+ }
+ }
+
return 1;
}
diff --git a/src/crypto/x509/x_x509.c b/src/crypto/x509/x_x509.c
index 9d350bd..6586b4c 100644
--- a/src/crypto/x509/x_x509.c
+++ b/src/crypto/x509/x_x509.c
@@ -117,27 +117,27 @@
case ASN1_OP_D2I_POST: {
/* The version must be one of v1(0), v2(1), or v3(2). */
- long version = 0;
+ long version = X509_VERSION_1;
if (ret->cert_info->version != NULL) {
version = ASN1_INTEGER_get(ret->cert_info->version);
- /* TODO(https://crbug.com/boringssl/364): |version| = 0 should also
- * be rejected. This means an explicitly-encoded X.509v1 version.
- * v1 is DEFAULT, so DER requires it be omitted. */
- if (version < 0 || version > 2) {
+ /* TODO(https://crbug.com/boringssl/364): |X509_VERSION_1| should
+ * also be rejected here. This means an explicitly-encoded X.509v1
+ * version. v1 is DEFAULT, so DER requires it be omitted. */
+ if (version < X509_VERSION_1 || version > X509_VERSION_3) {
OPENSSL_PUT_ERROR(X509, X509_R_INVALID_VERSION);
return 0;
}
}
/* Per RFC 5280, section 4.1.2.8, these fields require v2 or v3. */
- if (version == 0 && (ret->cert_info->issuerUID != NULL ||
- ret->cert_info->subjectUID != NULL)) {
+ if (version == X509_VERSION_1 && (ret->cert_info->issuerUID != NULL ||
+ ret->cert_info->subjectUID != NULL)) {
OPENSSL_PUT_ERROR(X509, X509_R_INVALID_FIELD_FOR_VERSION);
return 0;
}
/* Per RFC 5280, section 4.1.2.9, extensions require v3. */
- if (version != 2 && ret->cert_info->extensions != NULL) {
+ if (version != X509_VERSION_3 && ret->cert_info->extensions != NULL) {
OPENSSL_PUT_ERROR(X509, X509_R_INVALID_FIELD_FOR_VERSION);
return 0;
}
diff --git a/src/include/openssl/aead.h b/src/include/openssl/aead.h
index 38eb076..5486b4b 100644
--- a/src/include/openssl/aead.h
+++ b/src/include/openssl/aead.h
@@ -212,15 +212,15 @@
uint64_t alignment;
};
-// An EVP_AEAD_CTX represents an AEAD algorithm configured with a specific key
-// and message-independent IV.
-typedef struct evp_aead_ctx_st {
+// An evp_aead_ctx_st (typedefed as |EVP_AEAD_CTX| in base.h) represents an AEAD
+// algorithm configured with a specific key and message-independent IV.
+struct evp_aead_ctx_st {
const EVP_AEAD *aead;
union evp_aead_ctx_st_state state;
// tag_len may contain the actual length of the authentication tag if it is
// known at initialization time.
uint8_t tag_len;
-} EVP_AEAD_CTX;
+};
// EVP_AEAD_MAX_KEY_LENGTH contains the maximum key length used by
// any AEAD defined in this header.
diff --git a/src/include/openssl/asn1.h b/src/include/openssl/asn1.h
index d6fa2f7..5ae0064 100644
--- a/src/include/openssl/asn1.h
+++ b/src/include/openssl/asn1.h
@@ -1650,6 +1650,8 @@
// replaced with '.'.
OPENSSL_EXPORT int ASN1_STRING_print(BIO *out, const ASN1_STRING *str);
+// The following flags must not collide with |XN_FLAG_*|.
+
// ASN1_STRFLGS_ESC_2253 causes characters to be escaped as in RFC 2253, section
// 2.4.
#define ASN1_STRFLGS_ESC_2253 1
diff --git a/src/include/openssl/asn1t.h b/src/include/openssl/asn1t.h
index b65272d..75bc6f0 100644
--- a/src/include/openssl/asn1t.h
+++ b/src/include/openssl/asn1t.h
@@ -509,19 +509,8 @@
#define ASN1_ITYPE_MSTRING 0x5
-/* Cache for ASN1 tag and length, so we
- * don't keep re-reading it for things
- * like CHOICE
- */
-
-struct ASN1_TLC_st{
- char valid; /* Values below are valid */
- int ret; /* return value */
- long plen; /* length */
- int ptag; /* class value */
- int pclass; /* class value */
- int hdrlen; /* header length */
-};
+/* Deprecated tag and length cache */
+struct ASN1_TLC_st;
/* Typedefs for ASN1 function pointers */
diff --git a/src/include/openssl/base.h b/src/include/openssl/base.h
index b630236..4ab9eca 100644
--- a/src/include/openssl/base.h
+++ b/src/include/openssl/base.h
@@ -402,6 +402,7 @@
typedef struct env_md_ctx_st EVP_MD_CTX;
typedef struct env_md_st EVP_MD;
typedef struct evp_aead_st EVP_AEAD;
+typedef struct evp_aead_ctx_st EVP_AEAD_CTX;
typedef struct evp_cipher_ctx_st EVP_CIPHER_CTX;
typedef struct evp_cipher_st EVP_CIPHER;
typedef struct evp_encode_ctx_st EVP_ENCODE_CTX;
@@ -448,7 +449,6 @@
typedef struct trust_token_method_st TRUST_TOKEN_METHOD;
typedef struct v3_ext_ctx X509V3_CTX;
typedef struct x509_attributes_st X509_ATTRIBUTE;
-typedef struct x509_crl_method_st X509_CRL_METHOD;
typedef struct x509_lookup_st X509_LOOKUP;
typedef struct x509_lookup_method_st X509_LOOKUP_METHOD;
typedef struct x509_object_st X509_OBJECT;
diff --git a/src/include/openssl/bytestring.h b/src/include/openssl/bytestring.h
index 199d89c..68c1ba4 100644
--- a/src/include/openssl/bytestring.h
+++ b/src/include/openssl/bytestring.h
@@ -265,6 +265,10 @@
// also true for empty elements so |*out_indefinite| should be checked). If
// |out_ber_found| is not NULL then it is set to one if any case of invalid DER
// but valid BER is found, and to zero otherwise.
+//
+// This function will not successfully parse an end-of-contents (EOC) as an
+// element. Callers parsing indefinite-length encoding must check for EOC
+// separately.
OPENSSL_EXPORT int CBS_get_any_ber_asn1_element(CBS *cbs, CBS *out,
unsigned *out_tag,
size_t *out_header_len,
diff --git a/src/include/openssl/crypto.h b/src/include/openssl/crypto.h
index 117b347..b1f696f 100644
--- a/src/include/openssl/crypto.h
+++ b/src/include/openssl/crypto.h
@@ -178,6 +178,9 @@
// |BORINGSSL_FIPS| and zero otherwise.
OPENSSL_EXPORT int FIPS_mode_set(int on);
+// FIPS_module_name returns the name of the FIPS module.
+OPENSSL_EXPORT const char *FIPS_module_name(void);
+
// FIPS_version returns the version of the FIPS module, or zero if the build
// isn't exactly at a verified version. The version, expressed in base 10, will
// be a date in the form yyyymmddXX where XX is often "00", but can be
diff --git a/src/include/openssl/pkcs8.h b/src/include/openssl/pkcs8.h
index 968640b..8774681 100644
--- a/src/include/openssl/pkcs8.h
+++ b/src/include/openssl/pkcs8.h
@@ -122,6 +122,8 @@
// and decrypts it using |password|, sets |*out_key| to the included private
// key and appends the included certificates to |out_certs|. It returns one on
// success and zero on error. The caller takes ownership of the outputs.
+// Any friendlyName attributes (RFC 2985) in the PKCS#12 structure will be
+// returned on the |X509| objects as aliases. See also |X509_alias_get0|.
OPENSSL_EXPORT int PKCS12_get_key_and_certs(EVP_PKEY **out_key,
STACK_OF(X509) *out_certs,
CBS *in, const char *password);
@@ -219,6 +221,11 @@
// implemented for compatibility with external packages. Note the output still
// requires a password for the MAC. Unencrypted keys in PKCS#12 are also not
// widely supported and may not open in other implementations.
+//
+// If |cert| or |chain| have associated aliases (see |X509_alias_set1|), they
+// will be included in the output as friendlyName attributes (RFC 2985). It is
+// an error to specify both an alias on |cert| and a non-NULL |name|
+// parameter.
OPENSSL_EXPORT PKCS12 *PKCS12_create(const char *password, const char *name,
const EVP_PKEY *pkey, X509 *cert,
const STACK_OF(X509) *chain, int key_nid,
@@ -278,5 +285,6 @@
#define PKCS8_R_UNSUPPORTED_PRF 130
#define PKCS8_R_INVALID_CHARACTERS 131
#define PKCS8_R_UNSUPPORTED_OPTIONS 132
+#define PKCS8_R_AMBIGUOUS_FRIENDLY_NAME 133
#endif // OPENSSL_HEADER_PKCS8_H
diff --git a/src/include/openssl/service_indicator.h b/src/include/openssl/service_indicator.h
new file mode 100644
index 0000000..33b38b2
--- /dev/null
+++ b/src/include/openssl/service_indicator.h
@@ -0,0 +1,96 @@
+/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_SERVICE_INDICATOR_H
+#define OPENSSL_HEADER_SERVICE_INDICATOR_H
+
+#include <openssl/base.h>
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+// FIPS_service_indicator_before_call and |FIPS_service_indicator_after_call|
+// both currently return the same local thread counter which is slowly
+// incremented whenever approved services are called. The
+// |CALL_SERVICE_AND_CHECK_APPROVED| macro is strongly recommended over calling
+// these functions directly.
+//
+// |FIPS_service_indicator_before_call| is intended to be called immediately
+// before an approved service, while |FIPS_service_indicator_after_call| should
+// be called immediately after. If the values returned from these two functions
+// are not equal, this means that the service called inbetween is deemed to be
+// approved. If the values are still the same, this means the counter has not
+// been incremented, and the service called is not approved for FIPS.
+//
+// In non-FIPS builds, |FIPS_service_indicator_before_call| always returns zero
+// and |FIPS_service_indicator_after_call| always returns one. Thus calls always
+// appear to be approved. This is intended to simplify testing.
+OPENSSL_EXPORT uint64_t FIPS_service_indicator_before_call(void);
+OPENSSL_EXPORT uint64_t FIPS_service_indicator_after_call(void);
+
+#if defined(__cplusplus)
+}
+
+#if !defined(BORINGSSL_NO_CXX)
+
+extern "C++" {
+
+// CALL_SERVICE_AND_CHECK_APPROVED runs |func| and sets |approved| to one of the
+// |FIPSStatus*| values, above, depending on whether |func| invoked an
+// approved service. The result of |func| becomes the result of this macro.
+#define CALL_SERVICE_AND_CHECK_APPROVED(approved, func) \
+ [&] { \
+ bssl::FIPSIndicatorHelper fips_indicator_helper(&approved); \
+ return func; \
+ }()
+
+namespace bssl {
+
+enum class FIPSStatus {
+ NOT_APPROVED = 0,
+ APPROVED = 1,
+};
+
+// FIPSIndicatorHelper records whether the service indicator counter advanced
+// during its lifetime.
+class FIPSIndicatorHelper {
+ public:
+ FIPSIndicatorHelper(FIPSStatus *result)
+ : result_(result), before_(FIPS_service_indicator_before_call()) {
+ *result_ = FIPSStatus::NOT_APPROVED;
+ }
+
+ ~FIPSIndicatorHelper() {
+ uint64_t after = FIPS_service_indicator_after_call();
+ if (after != before_) {
+ *result_ = FIPSStatus::APPROVED;
+ }
+ }
+
+ FIPSIndicatorHelper(const FIPSIndicatorHelper&) = delete;
+ FIPSIndicatorHelper &operator=(const FIPSIndicatorHelper &) = delete;
+
+ private:
+ FIPSStatus *const result_;
+ const uint64_t before_;
+};
+
+} // namespace bssl
+} // extern "C++"
+
+#endif // !BORINGSSL_NO_CXX
+#endif // __cplusplus
+
+#endif // OPENSSL_HEADER_SERVICE_INDICATOR_H
diff --git a/src/include/openssl/span.h b/src/include/openssl/span.h
index 38e9a96..67a1a5c 100644
--- a/src/include/openssl/span.h
+++ b/src/include/openssl/span.h
@@ -99,12 +99,11 @@
// Heuristically test whether C is a container type that can be converted into
// a Span by checking for data() and size() member functions.
//
- // TODO(davidben): Require C++14 support and switch to std::enable_if_t.
- // Perhaps even C++17 now?
+ // TODO(davidben): Require C++17 support for std::is_convertible_v, etc.
template <typename C>
- using EnableIfContainer = typename std::enable_if<
+ using EnableIfContainer = std::enable_if_t<
std::is_convertible<decltype(std::declval<C>().data()), T *>::value &&
- std::is_integral<decltype(std::declval<C>().size())>::value>::type;
+ std::is_integral<decltype(std::declval<C>().size())>::value>;
public:
constexpr Span() : Span(nullptr, 0) {}
@@ -113,14 +112,12 @@
template <size_t N>
constexpr Span(T (&array)[N]) : Span(array, N) {}
- template <
- typename C, typename = EnableIfContainer<C>,
- typename = typename std::enable_if<std::is_const<T>::value, C>::type>
+ template <typename C, typename = EnableIfContainer<C>,
+ typename = std::enable_if_t<std::is_const<T>::value, C>>
Span(const C &container) : data_(container.data()), size_(container.size()) {}
- template <
- typename C, typename = EnableIfContainer<C>,
- typename = typename std::enable_if<!std::is_const<T>::value, C>::type>
+ template <typename C, typename = EnableIfContainer<C>,
+ typename = std::enable_if_t<!std::is_const<T>::value, C>>
explicit Span(C &container)
: data_(container.data()), size_(container.size()) {}
diff --git a/src/include/openssl/ssl.h b/src/include/openssl/ssl.h
index a3b530e..f0ca7f7 100644
--- a/src/include/openssl/ssl.h
+++ b/src/include/openssl/ssl.h
@@ -2281,6 +2281,13 @@
OPENSSL_EXPORT SSL_SESSION *SSL_process_tls13_new_session_ticket(
SSL *ssl, const uint8_t *buf, size_t buf_len);
+// SSL_CTX_set_num_tickets configures |ctx| to send |num_tickets| immediately
+// after a successful TLS 1.3 handshake as a server. It returns one. Large
+// values of |num_tickets| will be capped within the library.
+//
+// By default, BoringSSL sends two tickets.
+OPENSSL_EXPORT int SSL_CTX_set_num_tickets(SSL_CTX *ctx, size_t num_tickets);
+
// Elliptic curve Diffie-Hellman.
//
diff --git a/src/include/openssl/stack.h b/src/include/openssl/stack.h
index 04e942c..df54713 100644
--- a/src/include/openssl/stack.h
+++ b/src/include/openssl/stack.h
@@ -443,16 +443,14 @@
// Stacks defined with |DEFINE_CONST_STACK_OF| are freed with |sk_free|.
template <typename Stack>
-struct DeleterImpl<
- Stack, typename std::enable_if<StackTraits<Stack>::kIsConst>::type> {
+struct DeleterImpl<Stack, std::enable_if_t<StackTraits<Stack>::kIsConst>> {
static void Free(Stack *sk) { sk_free(reinterpret_cast<_STACK *>(sk)); }
};
// Stacks defined with |DEFINE_STACK_OF| are freed with |sk_pop_free| and the
// corresponding type's deleter.
template <typename Stack>
-struct DeleterImpl<
- Stack, typename std::enable_if<!StackTraits<Stack>::kIsConst>::type> {
+struct DeleterImpl<Stack, std::enable_if_t<!StackTraits<Stack>::kIsConst>> {
static void Free(Stack *sk) {
// sk_FOO_pop_free is defined by macros and bound by name, so we cannot
// access it from C++ here.
@@ -502,18 +500,17 @@
};
template <typename Stack>
-using StackIterator = typename std::enable_if<StackTraits<Stack>::kIsStack,
- StackIteratorImpl<Stack>>::type;
+using StackIterator =
+ std::enable_if_t<StackTraits<Stack>::kIsStack, StackIteratorImpl<Stack>>;
} // namespace internal
// PushToStack pushes |elem| to |sk|. It returns true on success and false on
// allocation failure.
template <typename Stack>
-inline
- typename std::enable_if<!internal::StackTraits<Stack>::kIsConst, bool>::type
- PushToStack(Stack *sk,
- UniquePtr<typename internal::StackTraits<Stack>::Type> elem) {
+inline std::enable_if_t<!internal::StackTraits<Stack>::kIsConst, bool>
+PushToStack(Stack *sk,
+ UniquePtr<typename internal::StackTraits<Stack>::Type> elem) {
if (!sk_push(reinterpret_cast<_STACK *>(sk), elem.get())) {
return false;
}
diff --git a/src/include/openssl/type_check.h b/src/include/openssl/type_check.h
index c267938..41de895 100644
--- a/src/include/openssl/type_check.h
+++ b/src/include/openssl/type_check.h
@@ -71,7 +71,12 @@
// C11 defines the |_Static_assert| keyword and the |static_assert| macro in
// assert.h. While the former is available at all versions in Clang and GCC, the
// later depends on libc and, in glibc, depends on being built in C11 mode. We
-// do not require this, for now, so use |_Static_assert| directly.
+// require C11 mode to build the library but, for now, do not require it in
+// public headers. Use |_Static_assert| directly.
+//
+// TODO(davidben): In July 2022, if the C11 change has not been reverted, switch
+// all uses of this macro within the library to C11 |static_assert|. This macro
+// will only be necessary in public headers.
#define OPENSSL_STATIC_ASSERT(cond, msg) _Static_assert(cond, msg)
#endif
diff --git a/src/include/openssl/x509.h b/src/include/openssl/x509.h
index 3633186..4d312c7 100644
--- a/src/include/openssl/x509.h
+++ b/src/include/openssl/x509.h
@@ -199,7 +199,8 @@
#define X509_FLAG_NO_ATTRIBUTES (1L << 11)
#define X509_FLAG_NO_IDS (1L << 12)
-// Flags specific to X509_NAME_print_ex()
+// Flags specific to X509_NAME_print_ex(). These flags must not collide with
+// |ASN1_STRFLGS_*|.
// The field separator information
@@ -311,11 +312,8 @@
#define X509_VERSION_2 1
#define X509_VERSION_3 2
-// X509_get_version returns the numerical value of |x509|'s version. Callers may
-// compare the result to the |X509_VERSION_*| constants. Unknown versions are
-// rejected by the parser, but a manually-created |X509| object may encode
-// invalid versions. In that case, the function will return the invalid version,
-// or -1 on overflow.
+// X509_get_version returns the numerical value of |x509|'s version, which will
+// be one of the |X509_VERSION_*| constants.
OPENSSL_EXPORT long X509_get_version(const X509 *x509);
// X509_set_version sets |x509|'s version to |version|, which should be one of
@@ -393,15 +391,12 @@
// |EXFLAG_INVALID| bit.
OPENSSL_EXPORT long X509_get_pathlen(X509 *x509);
-// X509_REQ_VERSION_1 is the version constant for |X509_REQ| objects. Note no
-// other versions are defined.
+// X509_REQ_VERSION_1 is the version constant for |X509_REQ| objects. No other
+// versions are defined.
#define X509_REQ_VERSION_1 0
// X509_REQ_get_version returns the numerical value of |req|'s version. This
-// will be |X509_REQ_VERSION_1| for valid certificate requests. If |req| is
-// invalid, it may return another value, or -1 on overflow.
-//
-// TODO(davidben): Enforce the version number in the parser.
+// will always be |X509_REQ_VERSION_1|.
OPENSSL_EXPORT long X509_REQ_get_version(const X509_REQ *req);
// X509_REQ_get_subject_name returns |req|'s subject name. Note this function is
@@ -417,11 +412,8 @@
#define X509_CRL_VERSION_1 0
#define X509_CRL_VERSION_2 1
-// X509_CRL_get_version returns the numerical value of |crl|'s version. Callers
-// may compare the result to |X509_CRL_VERSION_*| constants. If |crl| is
-// invalid, it may return another value, or -1 on overflow.
-//
-// TODO(davidben): Enforce the version number in the parser.
+// X509_CRL_get_version returns the numerical value of |crl|'s version, which
+// will be one of the |X509_CRL_VERSION_*| constants.
OPENSSL_EXPORT long X509_CRL_get_version(const X509_CRL *crl);
// X509_CRL_get0_lastUpdate returns |crl|'s lastUpdate time.
@@ -480,17 +472,6 @@
OPENSSL_EXPORT void X509_SIG_getm(X509_SIG *sig, X509_ALGOR **out_alg,
ASN1_OCTET_STRING **out_digest);
-OPENSSL_EXPORT void X509_CRL_set_default_method(const X509_CRL_METHOD *meth);
-OPENSSL_EXPORT X509_CRL_METHOD *X509_CRL_METHOD_new(
- int (*crl_init)(X509_CRL *crl), int (*crl_free)(X509_CRL *crl),
- int (*crl_lookup)(X509_CRL *crl, X509_REVOKED **ret, ASN1_INTEGER *ser,
- X509_NAME *issuer),
- int (*crl_verify)(X509_CRL *crl, EVP_PKEY *pk));
-OPENSSL_EXPORT void X509_CRL_METHOD_free(X509_CRL_METHOD *m);
-
-OPENSSL_EXPORT void X509_CRL_set_meth_data(X509_CRL *crl, void *dat);
-OPENSSL_EXPORT void *X509_CRL_get_meth_data(X509_CRL *crl);
-
// X509_get_X509_PUBKEY returns the public key of |x509|. Note this function is
// not const-correct for legacy reasons. Callers should not modify the returned
// object.
@@ -816,9 +797,6 @@
OPENSSL_EXPORT const char *X509_get_default_cert_file_env(void);
OPENSSL_EXPORT const char *X509_get_default_private_dir(void);
-OPENSSL_EXPORT X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey,
- const EVP_MD *md);
-
DECLARE_ASN1_ENCODE_FUNCTIONS(X509_ALGORS, X509_ALGORS, X509_ALGORS)
DECLARE_ASN1_FUNCTIONS(X509_PUBKEY)
@@ -1087,7 +1065,8 @@
// X509_REQ_set_version sets |req|'s version to |version|, which should be
// |X509_REQ_VERSION_1|. It returns one on success and zero on error.
//
-// Note no versions other than |X509_REQ_VERSION_1| are defined for CSRs.
+// The only defined CSR version is |X509_REQ_VERSION_1|, so there is no need to
+// call this function.
OPENSSL_EXPORT int X509_REQ_set_version(X509_REQ *req, long version);
// X509_REQ_set_subject_name sets |req|'s subject to a copy of |name|. It
@@ -2398,7 +2377,6 @@
BORINGSSL_MAKE_DELETER(X509_ATTRIBUTE, X509_ATTRIBUTE_free)
BORINGSSL_MAKE_DELETER(X509_CRL, X509_CRL_free)
BORINGSSL_MAKE_UP_REF(X509_CRL, X509_CRL_up_ref)
-BORINGSSL_MAKE_DELETER(X509_CRL_METHOD, X509_CRL_METHOD_free)
BORINGSSL_MAKE_DELETER(X509_EXTENSION, X509_EXTENSION_free)
BORINGSSL_MAKE_DELETER(X509_INFO, X509_INFO_free)
BORINGSSL_MAKE_DELETER(X509_LOOKUP, X509_LOOKUP_free)
diff --git a/src/sources.cmake b/src/sources.cmake
index 3d3465f..4cbc4c5 100644
--- a/src/sources.cmake
+++ b/src/sources.cmake
@@ -38,18 +38,18 @@
crypto/cipher_extra/test/nist_cavp/tdes_cbc.txt
crypto/cipher_extra/test/nist_cavp/tdes_ecb.txt
crypto/curve25519/ed25519_tests.txt
- crypto/cmac/cavp_3des_cmac_tests.txt
- crypto/cmac/cavp_aes128_cmac_tests.txt
- crypto/cmac/cavp_aes192_cmac_tests.txt
- crypto/cmac/cavp_aes256_cmac_tests.txt
crypto/ecdh_extra/ecdh_tests.txt
crypto/evp/evp_tests.txt
crypto/evp/scrypt_tests.txt
crypto/fipsmodule/aes/aes_tests.txt
crypto/fipsmodule/bn/bn_tests.txt
crypto/fipsmodule/bn/miller_rabin_tests.txt
+ crypto/fipsmodule/cmac/cavp_3des_cmac_tests.txt
+ crypto/fipsmodule/cmac/cavp_aes128_cmac_tests.txt
+ crypto/fipsmodule/cmac/cavp_aes192_cmac_tests.txt
+ crypto/fipsmodule/cmac/cavp_aes256_cmac_tests.txt
crypto/fipsmodule/ec/ec_scalar_base_mult_tests.txt
- crypto/fipsmodule/ec/p256-x86_64_tests.txt
+ crypto/fipsmodule/ec/p256-nistz_tests.txt
crypto/fipsmodule/ecdsa/ecdsa_sign_tests.txt
crypto/fipsmodule/ecdsa/ecdsa_verify_tests.txt
crypto/fipsmodule/modes/gcm_tests.txt
diff --git a/src/ssl/CMakeLists.txt b/src/ssl/CMakeLists.txt
index 4f4abf8..67a72ae 100644
--- a/src/ssl/CMakeLists.txt
+++ b/src/ssl/CMakeLists.txt
@@ -41,6 +41,12 @@
tls13_enc.cc
tls13_server.cc
)
+target_include_directories(ssl INTERFACE
+ $<BUILD_INTERFACE:${CMAKE_SOURCE_DIR}/include>
+ $<INSTALL_INTERFACE:include>
+)
+install(TARGETS ssl EXPORT OpenSSLTargets DESTINATION ${CMAKE_INSTALL_LIBDIR})
+set_property(TARGET ssl PROPERTY EXPORT_NAME SSL)
add_dependencies(ssl global_target)
diff --git a/src/ssl/internal.h b/src/ssl/internal.h
index 0087e7f..fbf9745 100644
--- a/src/ssl/internal.h
+++ b/src/ssl/internal.h
@@ -216,7 +216,7 @@
// may be C structs which require a |BORINGSSL_MAKE_DELETER| registration.
namespace internal {
template <typename T>
-struct DeleterImpl<T, typename std::enable_if<T::kAllowUniquePtr>::type> {
+struct DeleterImpl<T, std::enable_if_t<T::kAllowUniquePtr>> {
static void Free(T *t) { Delete(t); }
};
} // namespace internal
@@ -2056,6 +2056,11 @@
uint8_t grease_seed[ssl_grease_last_index + 1] = {0};
};
+// kMaxTickets is the maximum number of tickets to send immediately after the
+// handshake. We use a one-byte ticket nonce, and there is no point in sending
+// so many tickets.
+constexpr size_t kMaxTickets = 16;
+
UniquePtr<SSL_HANDSHAKE> ssl_handshake_new(SSL *ssl);
// ssl_check_message_type checks if |msg| has type |type|. If so it returns
@@ -3416,6 +3421,11 @@
// and is further constrainted by |SSL_OP_NO_*|.
uint16_t conf_min_version = 0;
+ // num_tickets is the number of tickets to send immediately after the TLS 1.3
+ // handshake. TLS 1.3 recommends single-use tickets so, by default, issue two
+ /// in case the client makes several connections before getting a renewal.
+ uint8_t num_tickets = 2;
+
// quic_method is the method table corresponding to the QUIC hooks.
const SSL_QUIC_METHOD *quic_method = nullptr;
diff --git a/src/ssl/ssl_cipher.cc b/src/ssl/ssl_cipher.cc
index 60b3e2c..628dddc 100644
--- a/src/ssl/ssl_cipher.cc
+++ b/src/ssl/ssl_cipher.cc
@@ -1327,34 +1327,33 @@
using namespace bssl;
-static constexpr int ssl_cipher_id_cmp_inner(const SSL_CIPHER *a,
- const SSL_CIPHER *b) {
- // C++11's constexpr functions must have a body consisting of just a
- // return-statement.
- return (a->id > b->id) ? 1 : ((a->id < b->id) ? -1 : 0);
+static constexpr int ssl_cipher_id_cmp(const SSL_CIPHER *a,
+ const SSL_CIPHER *b) {
+ if (a->id > b->id) {
+ return 1;
+ }
+ if (a->id < b->id) {
+ return -1;
+ }
+ return 0;
}
-static int ssl_cipher_id_cmp(const void *in_a, const void *in_b) {
- return ssl_cipher_id_cmp_inner(reinterpret_cast<const SSL_CIPHER *>(in_a),
- reinterpret_cast<const SSL_CIPHER *>(in_b));
+static int ssl_cipher_id_cmp_void(const void *in_a, const void *in_b) {
+ return ssl_cipher_id_cmp(reinterpret_cast<const SSL_CIPHER *>(in_a),
+ reinterpret_cast<const SSL_CIPHER *>(in_b));
}
-template <typename T, size_t N>
-static constexpr size_t countof(T const (&)[N]) {
- return N;
+template <size_t N>
+static constexpr bool ssl_ciphers_sorted(const SSL_CIPHER (&ciphers)[N]) {
+ for (size_t i = 1; i < N; i++) {
+ if (ssl_cipher_id_cmp(&ciphers[i - 1], &ciphers[i]) >= 0) {
+ return false;
+ }
+ }
+ return true;
}
-template <typename T, size_t I>
-static constexpr int check_order(const T (&arr)[I], size_t N) {
- // C++11's constexpr functions must have a body consisting of just a
- // return-statement.
- return N > 1 ? ((ssl_cipher_id_cmp_inner(&arr[N - 2], &arr[N - 1]) < 0)
- ? check_order(arr, N - 1)
- : 0)
- : 1;
-}
-
-static_assert(check_order(kCiphers, countof(kCiphers)) == 1,
+static_assert(ssl_ciphers_sorted(kCiphers),
"Ciphers are not sorted, bsearch won't work");
const SSL_CIPHER *SSL_get_cipher_by_value(uint16_t value) {
@@ -1363,7 +1362,7 @@
c.id = 0x03000000L | value;
return reinterpret_cast<const SSL_CIPHER *>(bsearch(
&c, kCiphers, OPENSSL_ARRAY_SIZE(kCiphers), sizeof(SSL_CIPHER),
- ssl_cipher_id_cmp));
+ ssl_cipher_id_cmp_void));
}
uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *cipher) { return cipher->id; }
diff --git a/src/ssl/ssl_lib.cc b/src/ssl/ssl_lib.cc
index e2e2436..5e96bef 100644
--- a/src/ssl/ssl_lib.cc
+++ b/src/ssl/ssl_lib.cc
@@ -140,6 +140,8 @@
#include <openssl/ssl.h>
+#include <algorithm>
+
#include <assert.h>
#include <stdlib.h>
#include <string.h>
@@ -3025,6 +3027,13 @@
return session.release();
}
+int SSL_CTX_set_num_tickets(SSL_CTX *ctx, size_t num_tickets) {
+ num_tickets = std::min(num_tickets, kMaxTickets);
+ static_assert(kMaxTickets <= 0xff, "Too many tickets.");
+ ctx->num_tickets = static_cast<uint8_t>(num_tickets);
+ return 1;
+}
+
int SSL_set_tlsext_status_type(SSL *ssl, int type) {
if (!ssl->config) {
return 0;
diff --git a/src/ssl/ssl_test.cc b/src/ssl/ssl_test.cc
index 567d206..e2db5a4 100644
--- a/src/ssl/ssl_test.cc
+++ b/src/ssl/ssl_test.cc
@@ -8113,5 +8113,51 @@
}
}
+TEST(SSLTest, NumTickets) {
+ bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
+ ASSERT_TRUE(server_ctx);
+ bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
+ ASSERT_TRUE(client_ctx);
+ bssl::UniquePtr<X509> cert = GetTestCertificate();
+ ASSERT_TRUE(cert);
+ bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
+ ASSERT_TRUE(key);
+ ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
+ ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
+ SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
+
+ SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
+ static size_t ticket_count;
+ SSL_CTX_sess_set_new_cb(client_ctx.get(), [](SSL *, SSL_SESSION *) -> int {
+ ticket_count++;
+ return 0;
+ });
+
+ auto count_tickets = [&]() -> size_t {
+ ticket_count = 0;
+ bssl::UniquePtr<SSL> client, server;
+ if (!ConnectClientAndServer(&client, &server, client_ctx.get(),
+ server_ctx.get()) ||
+ !FlushNewSessionTickets(client.get(), server.get())) {
+ ADD_FAILURE() << "Could not run handshake";
+ return 0;
+ }
+ return ticket_count;
+ };
+
+ // By default, we should send two tickets.
+ EXPECT_EQ(count_tickets(), 2u);
+
+ for (size_t num_tickets : {0, 1, 2, 3, 4, 5}) {
+ SCOPED_TRACE(num_tickets);
+ ASSERT_TRUE(SSL_CTX_set_num_tickets(server_ctx.get(), num_tickets));
+ EXPECT_EQ(count_tickets(), num_tickets);
+ }
+
+ // Configuring too many tickets causes us to stop at some point.
+ ASSERT_TRUE(SSL_CTX_set_num_tickets(server_ctx.get(), 100000));
+ EXPECT_EQ(count_tickets(), 16u);
+}
+
} // namespace
BSSL_NAMESPACE_END
diff --git a/src/ssl/tls13_server.cc b/src/ssl/tls13_server.cc
index dbf239d..9a65e0f 100644
--- a/src/ssl/tls13_server.cc
+++ b/src/ssl/tls13_server.cc
@@ -131,15 +131,12 @@
return true;
}
- // TLS 1.3 recommends single-use tickets, so issue multiple tickets in case
- // the client makes several connections before getting a renewal.
- static const int kNumTickets = 2;
-
// Rebase the session timestamp so that it is measured from ticket
// issuance.
ssl_session_rebase_time(ssl, hs->new_session.get());
- for (int i = 0; i < kNumTickets; i++) {
+ assert(ssl->session_ctx->num_tickets <= kMaxTickets);
+ for (size_t i = 0; i < ssl->session_ctx->num_tickets; i++) {
UniquePtr<SSL_SESSION> session(
SSL_SESSION_dup(hs->new_session.get(), SSL_SESSION_INCLUDE_NONAUTH));
if (!session) {
@@ -160,7 +157,8 @@
ssl->quic_method != nullptr ? 0xffffffff : kMaxEarlyDataAccepted;
}
- static_assert(kNumTickets < 256, "Too many tickets");
+ static_assert(kMaxTickets < 256, "Too many tickets");
+ assert(i < 256);
uint8_t nonce[] = {static_cast<uint8_t>(i)};
ScopedCBB cbb;
diff --git a/src/tool/CMakeLists.txt b/src/tool/CMakeLists.txt
index a591b7d..f98e96e 100644
--- a/src/tool/CMakeLists.txt
+++ b/src/tool/CMakeLists.txt
@@ -21,6 +21,7 @@
tool.cc
transport_common.cc
)
+install(TARGETS bssl DESTINATION ${CMAKE_INSTALL_BINDIR})
add_dependencies(bssl global_target)
diff --git a/src/tool/digest.cc b/src/tool/digest.cc
index 3c8fd5a..d810928 100644
--- a/src/tool/digest.cc
+++ b/src/tool/digest.cc
@@ -226,7 +226,6 @@
unsigned bad_lines = 0;
unsigned parsed_lines = 0;
unsigned error_lines = 0;
- unsigned bad_hash_lines = 0;
unsigned line_no = 0;
bool ok = true;
bool draining_overlong_line = false;
@@ -297,7 +296,6 @@
}
if (calculated_hex_digest != std::string(line, hex_size)) {
- bad_hash_lines++;
if (!args.status) {
printf("%s: FAILED\n", target_filename.c_str());
}
diff --git a/src/util/BUILD.toplevel b/src/util/BUILD.toplevel
index cfa695a..1ec2bdf 100644
--- a/src/util/BUILD.toplevel
+++ b/src/util/BUILD.toplevel
@@ -137,9 +137,9 @@
"//conditions:default": [],
})
-# For C++ targets only (not C), compile with C++11 support.
+# For C++ targets only (not C), compile with C++14 support.
posix_copts_cxx = [
- "-std=c++11",
+ "-std=c++14",
"-Wmissing-declarations",
]
diff --git a/src/util/bot/DEPS b/src/util/bot/DEPS
index b9d42ef..1efc55a 100644
--- a/src/util/bot/DEPS
+++ b/src/util/bot/DEPS
@@ -25,14 +25,14 @@
# cipd describe PACKAGE_NAME -version latest
# infra/3pp/tools/cmake/linux-amd64
- 'cmake_version': 'version:2@3.21.3',
+ 'cmake_version': 'version:2@3.23.1',
# infra/3pp/tools/go/linux-amd64
- 'go_version': 'version:2@1.17.2',
+ 'go_version': 'version:2@1.18.2',
# Update the following from
- # https://chromium.googlesource.com/chromium/src/+/master/DEPS
+ # https://chromium.googlesource.com/chromium/src/+/main/DEPS
'android_sdk_platform-tools_version': 'g7n_-r6yJd_SGRklujGB1wEt8iyr77FZTUJVS9w6O34C',
- 'android_ndk_revision': '401019bf85744311b26c88ced255cd53401af8b7',
+ 'android_ndk_revision': '8388a2be5421311dc75c5f937aae13d821a27f3d',
'libfuzzer_revision': 'debe7d2d1982e540fbd6bd78604bf001753f9e74',
'libcxx_revision': '79a2e924d96e2fc1e4b937c42efd08898fa472d7',
'libcxxabi_revision': '9b8228b4a9be26e0881f36089d9a8d62df851acc',
@@ -53,7 +53,7 @@
'dep_type': 'cipd',
},
- # TODO(davidben): Merge cmake-linux64 and cmake-mac. Now that we use CIPD,
+ # TODO(davidben): Merge the three CMake directories. Now that we use CIPD,
# which supports a ${{platform}} marker, there is nothing platform-specific
# about this anymore. However, the recipe still expects CMake to be found at
# these directories, so this needs to be coordinated with a change there.
@@ -75,6 +75,15 @@
'dep_type': 'cipd',
},
+ 'boringssl/util/bot/cmake-win32': {
+ 'packages': [{
+ 'package': 'infra/3pp/tools/cmake/${{platform}}',
+ 'version': Var('cmake_version'),
+ }],
+ 'condition': 'host_os == "win"',
+ 'dep_type': 'cipd',
+ },
+
'boringssl/util/bot/golang': {
'packages': [{
'package': 'infra/3pp/tools/go/${{platform}}',
@@ -106,28 +115,6 @@
hooks = [
# TODO(https://crbug.com/1180257): Use CIPD for CMake on Windows.
{
- 'name': 'cmake_win32',
- 'pattern': '.',
- 'condition': 'host_os == "win"',
- 'action': [ 'download_from_google_storage',
- '--no_resume',
- '--platform=win32',
- '--no_auth',
- '--bucket', 'chromium-tools',
- '-s', 'boringssl/util/bot/cmake-win32.zip.sha1',
- ],
- },
- {
- 'name': 'cmake_win32_extract',
- 'pattern': '.',
- 'condition': 'host_os == "win"',
- 'action': [ 'python3',
- 'boringssl/util/bot/extract.py',
- 'boringssl/util/bot/cmake-win32.zip',
- 'boringssl/util/bot/cmake-win32/',
- ],
- },
- {
'name': 'perl_win32',
'pattern': '.',
'condition': 'host_os == "win"',
diff --git a/src/util/bot/UPDATING b/src/util/bot/UPDATING
index dad6192..1543ed6 100644
--- a/src/util/bot/UPDATING
+++ b/src/util/bot/UPDATING
@@ -12,10 +12,10 @@
update_clang.py: Set CLANG_REVISION and CLANG_SUB_REVISION to the values used in
Chromium, found at
- https://chromium.googlesource.com/chromium/src/+/master/tools/clang/scripts/update.py
+ https://chromium.googlesource.com/chromium/src/+/main/tools/clang/scripts/update.py
vs_toolchain.py: Update _GetDesiredVsToolchainHashes from Chromium, found at
- https://chromium.googlesource.com/chromium/src/+/master/build/vs_toolchain.py
+ https://chromium.googlesource.com/chromium/src/+/main/build/vs_toolchain.py
This may require taking other updates to that file. (Don't remove MSVC
versions if BoringSSL still needs to support them.)
@@ -24,15 +24,9 @@
upload_to_google_storage.py -b chromium-tools FILE
-cmake-win32.zip: Update to the latest prebuilt release of CMake, found at
- https://cmake.org/download/. Use the file labeled "Windows win64-x64
- ZIP". The download will be named cmake-VERSION-win64-x64.zip.
-
- The current revision is cmake-3.19.5-win64-x64.zip
-
nasm-win32.exe: Update to the appropriate release of NASM, found at
https://www.nasm.us/. Use the same version as Chromium, found at
- https://chromium.googlesource.com/chromium/src/+/master/third_party/nasm/README.chromium
+ https://chromium.googlesource.com/chromium/src/+/main/third_party/nasm/README.chromium
Extract nasm.exe from the download named nasm-VERSION-win64.zip.
The current revision is nasm-2.13.03-win64.zip.
diff --git a/src/util/bot/cmake-win32.zip.sha1 b/src/util/bot/cmake-win32.zip.sha1
deleted file mode 100644
index d641c17..0000000
--- a/src/util/bot/cmake-win32.zip.sha1
+++ /dev/null
@@ -1 +0,0 @@
-b106d66bcdc8a71ea2cdf5446091327bfdb1bcd7
\ No newline at end of file
diff --git a/src/util/bot/update_clang.py b/src/util/bot/update_clang.py
index 6d9f68b..59b0cad 100644
--- a/src/util/bot/update_clang.py
+++ b/src/util/bot/update_clang.py
@@ -28,7 +28,7 @@
# CLANG_REVISION and CLANG_SUB_REVISION determine the build of clang
# to use. These should be synced with tools/clang/scripts/update.py in
# Chromium.
-CLANG_REVISION = 'llvmorg-14-init-6722-g0fbd3aad'
+CLANG_REVISION = 'llvmorg-15-init-10168-gc2a7904a'
CLANG_SUB_REVISION = 2
PACKAGE_VERSION = '%s-%s' % (CLANG_REVISION, CLANG_SUB_REVISION)
diff --git a/src/util/bot/vs_toolchain.py b/src/util/bot/vs_toolchain.py
index 09f407d..df4637f 100644
--- a/src/util/bot/vs_toolchain.py
+++ b/src/util/bot/vs_toolchain.py
@@ -68,9 +68,9 @@
# libraries.
return ['418b3076791776573a815eb298c8aa590307af63']
if version == '2019':
- # VS 2019 16.61 with 10.0.19041 SDK, and 10.0.20348 version of
- # d3dcompiler_47.dll, with ARM64 libraries and UWP support.
- return ['3bda71a11e']
+ # VS 2019 16.61 with 10.0.20348.0 SDK, 10.0.19041 version of Debuggers
+ # with ARM64 libraries and UWP support.
+ return ['1023ce2e82']
raise Exception('Unsupported VS version %s' % version)
diff --git a/src/util/fipstools/acvp/acvptool/acvp.go b/src/util/fipstools/acvp/acvptool/acvp.go
index f477d65..4c7e07c 100644
--- a/src/util/fipstools/acvp/acvptool/acvp.go
+++ b/src/util/fipstools/acvp/acvptool/acvp.go
@@ -185,7 +185,7 @@
// it's a header.
func looksLikeHeaderElement(element json.RawMessage) bool {
var headerFields struct {
- URL string `json:"url"`
+ URL string `json:"url"`
Algorithm string `json:"algorithm"`
}
if err := json.Unmarshal(element, &headerFields); err != nil {
diff --git a/src/util/fipstools/acvp/acvptool/acvp/acvp.go b/src/util/fipstools/acvp/acvptool/acvp/acvp.go
index 9419508..d70f98c 100644
--- a/src/util/fipstools/acvp/acvptool/acvp/acvp.go
+++ b/src/util/fipstools/acvp/acvptool/acvp/acvp.go
@@ -91,7 +91,7 @@
return conn, err
},
},
- Timeout: 30 * time.Second,
+ Timeout: 120 * time.Second,
}
return &Server{client: client, prefix: prefix, totpFunc: totp, PrefixTokens: make(map[string]string)}
diff --git a/src/util/fipstools/acvp/acvptool/interactive.go b/src/util/fipstools/acvp/acvptool/interactive.go
index b13a549..ee992f1 100644
--- a/src/util/fipstools/acvp/acvptool/interactive.go
+++ b/src/util/fipstools/acvp/acvptool/interactive.go
@@ -12,6 +12,7 @@
// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+//go:build interactive
// +build interactive
package main
diff --git a/src/util/fipstools/acvp/acvptool/nointeractive.go b/src/util/fipstools/acvp/acvptool/nointeractive.go
index 06c8890..8aa0839 100644
--- a/src/util/fipstools/acvp/acvptool/nointeractive.go
+++ b/src/util/fipstools/acvp/acvptool/nointeractive.go
@@ -12,6 +12,7 @@
// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+//go:build !interactive
// +build !interactive
package main
diff --git a/src/util/fipstools/acvp/acvptool/subprocess/block.go b/src/util/fipstools/acvp/acvptool/subprocess/block.go
index 1b1e93b..f979c86 100644
--- a/src/util/fipstools/acvp/acvptool/subprocess/block.go
+++ b/src/util/fipstools/acvp/acvptool/subprocess/block.go
@@ -18,7 +18,6 @@
"encoding/hex"
"encoding/json"
"fmt"
- "math/bits"
)
// aesKeyShuffle is the "AES Monte Carlo Key Shuffle" from the ACVP
@@ -119,113 +118,6 @@
return mctResults
}
-// xorKeyWithOddParityLSB XORs value into key while setting the LSB of each bit
-// to establish odd parity. This embedding of a parity check in a DES key is an
-// old tradition and something that NIST's tests require (despite being
-// undocumented).
-func xorKeyWithOddParityLSB(key, value []byte) {
- for i := range key {
- v := key[i] ^ value[i]
- // Use LSB to establish odd parity.
- v ^= byte((bits.OnesCount8(v) & 1)) ^ 1
- key[i] = v
- }
-}
-
-// desKeyShuffle implements the manipulation of the Key arrays in the "TDES
-// Monte Carlo Test - ECB mode" algorithm from the ACVP specification.
-func keyShuffle3DES(key, result, prevResult, prevPrevResult []byte) {
- xorKeyWithOddParityLSB(key[:8], result)
- xorKeyWithOddParityLSB(key[8:16], prevResult)
- xorKeyWithOddParityLSB(key[16:], prevPrevResult)
-}
-
-// iterate3DES implements "TDES Monte Carlo Test - ECB mode" from the ACVP
-// specification.
-func iterate3DES(transact func(n int, args ...[]byte) ([][]byte, error), encrypt bool, key, input, iv []byte) (mctResults []blockCipherMCTResult) {
- for i := 0; i < 400; i++ {
- var iteration blockCipherMCTResult
- keyHex := hex.EncodeToString(key)
- iteration.Key1Hex = keyHex[:16]
- iteration.Key2Hex = keyHex[16:32]
- iteration.Key3Hex = keyHex[32:]
-
- if encrypt {
- iteration.PlaintextHex = hex.EncodeToString(input)
- } else {
- iteration.CiphertextHex = hex.EncodeToString(input)
- }
-
- results, err := transact(3, key, input, uint32le(10000))
- if err != nil {
- panic("block operation failed")
- }
- result := results[0]
- prevResult := results[1]
- prevPrevResult := results[2]
-
- if encrypt {
- iteration.CiphertextHex = hex.EncodeToString(result)
- } else {
- iteration.PlaintextHex = hex.EncodeToString(result)
- }
-
- keyShuffle3DES(key, result, prevResult, prevPrevResult)
- mctResults = append(mctResults, iteration)
- input = result
- }
-
- return mctResults
-}
-
-// iterate3DESCBC implements "TDES Monte Carlo Test - CBC mode" from the ACVP
-// specification.
-func iterate3DESCBC(transact func(n int, args ...[]byte) ([][]byte, error), encrypt bool, key, input, iv []byte) (mctResults []blockCipherMCTResult) {
- for i := 0; i < 400; i++ {
- var iteration blockCipherMCTResult
- keyHex := hex.EncodeToString(key)
- iteration.Key1Hex = keyHex[:16]
- iteration.Key2Hex = keyHex[16:32]
- iteration.Key3Hex = keyHex[32:]
-
- if encrypt {
- iteration.PlaintextHex = hex.EncodeToString(input)
- } else {
- iteration.CiphertextHex = hex.EncodeToString(input)
- }
- iteration.IVHex = hex.EncodeToString(iv)
-
- results, err := transact(3, key, input, iv, uint32le(10000))
- if err != nil {
- panic("block operation failed")
- }
-
- result := results[0]
- prevResult := results[1]
- prevPrevResult := results[2]
-
- if encrypt {
- iteration.CiphertextHex = hex.EncodeToString(result)
- } else {
- iteration.PlaintextHex = hex.EncodeToString(result)
- }
-
- keyShuffle3DES(key, result, prevResult, prevPrevResult)
-
- if encrypt {
- input = prevResult
- iv = result
- } else {
- iv = prevResult
- input = result
- }
-
- mctResults = append(mctResults, iteration)
- }
-
- return mctResults
-}
-
// blockCipher implements an ACVP algorithm by making requests to the subprocess
// to encrypt and decrypt with a block cipher.
type blockCipher struct {
@@ -256,11 +148,6 @@
CiphertextHex string `json:"ct"`
IVHex string `json:"iv"`
KeyHex string `json:"key"`
-
- // 3DES tests serialise the key differently.
- Key1Hex string `json:"key1"`
- Key2Hex string `json:"key2"`
- Key3Hex string `json:"key3"`
} `json:"tests"`
}
@@ -281,11 +168,6 @@
PlaintextHex string `json:"pt"`
CiphertextHex string `json:"ct"`
IVHex string `json:"iv,omitempty"`
-
- // 3DES tests serialise the key differently.
- Key1Hex string `json:"key1,omitempty"`
- Key2Hex string `json:"key2,omitempty"`
- Key3Hex string `json:"key3,omitempty"`
}
func (b *blockCipher) Process(vectorSet []byte, m Transactable) (interface{}, error) {
@@ -331,11 +213,6 @@
return nil, fmt.Errorf("test group %d has unknown type %q", group.ID, group.Type)
}
- if group.KeyBits == 0 {
- // 3DES tests fail to set this parameter.
- group.KeyBits = 192
- }
-
if group.KeyBits%8 != 0 {
return nil, fmt.Errorf("test group %d contains non-byte-multiple key length %d", group.ID, group.KeyBits)
}
@@ -346,11 +223,6 @@
}
for _, test := range group.Tests {
- if len(test.KeyHex) == 0 && len(test.Key1Hex) > 0 {
- // 3DES encodes the key differently.
- test.KeyHex = test.Key1Hex + test.Key2Hex + test.Key3Hex
- }
-
if len(test.KeyHex) != keyBytes*2 {
return nil, fmt.Errorf("test case %d/%d contains key %q of length %d, but expected %d-bit key", group.ID, test.ID, test.KeyHex, len(test.KeyHex), group.KeyBits)
}
diff --git a/src/util/fipstools/acvp/acvptool/subprocess/subprocess.go b/src/util/fipstools/acvp/acvptool/subprocess/subprocess.go
index 844c9c4..c5003e1 100644
--- a/src/util/fipstools/acvp/acvptool/subprocess/subprocess.go
+++ b/src/util/fipstools/acvp/acvptool/subprocess/subprocess.go
@@ -71,38 +71,37 @@
}
m.primitives = map[string]primitive{
- "SHA-1": &hashPrimitive{"SHA-1", 20},
- "SHA2-224": &hashPrimitive{"SHA2-224", 28},
- "SHA2-256": &hashPrimitive{"SHA2-256", 32},
- "SHA2-384": &hashPrimitive{"SHA2-384", 48},
- "SHA2-512": &hashPrimitive{"SHA2-512", 64},
- "SHA2-512/256": &hashPrimitive{"SHA2-512/256", 32},
- "ACVP-AES-ECB": &blockCipher{"AES", 16, 2, true, false, iterateAES},
- "ACVP-AES-CBC": &blockCipher{"AES-CBC", 16, 2, true, true, iterateAESCBC},
- "ACVP-AES-CBC-CS3": &blockCipher{"AES-CBC-CS3", 16, 1, false, true, iterateAESCBC},
- "ACVP-AES-CTR": &blockCipher{"AES-CTR", 16, 1, false, true, nil},
- "ACVP-AES-XTS": &xts{},
- "ACVP-TDES-ECB": &blockCipher{"3DES-ECB", 8, 3, true, false, iterate3DES},
- "ACVP-TDES-CBC": &blockCipher{"3DES-CBC", 8, 3, true, true, iterate3DESCBC},
- "ACVP-AES-GCM": &aead{"AES-GCM", false},
- "ACVP-AES-GMAC": &aead{"AES-GCM", false},
- "ACVP-AES-CCM": &aead{"AES-CCM", true},
- "ACVP-AES-KW": &aead{"AES-KW", false},
- "ACVP-AES-KWP": &aead{"AES-KWP", false},
- "HMAC-SHA-1": &hmacPrimitive{"HMAC-SHA-1", 20},
- "HMAC-SHA2-224": &hmacPrimitive{"HMAC-SHA2-224", 28},
- "HMAC-SHA2-256": &hmacPrimitive{"HMAC-SHA2-256", 32},
- "HMAC-SHA2-384": &hmacPrimitive{"HMAC-SHA2-384", 48},
- "HMAC-SHA2-512": &hmacPrimitive{"HMAC-SHA2-512", 64},
- "ctrDRBG": &drbg{"ctrDRBG", map[string]bool{"AES-128": true, "AES-192": true, "AES-256": true}},
- "hmacDRBG": &drbg{"hmacDRBG", map[string]bool{"SHA-1": true, "SHA2-224": true, "SHA2-256": true, "SHA2-384": true, "SHA2-512": true}},
- "KDF": &kdfPrimitive{},
- "KAS-KDF": &hkdf{},
- "CMAC-AES": &keyedMACPrimitive{"CMAC-AES"},
- "RSA": &rsa{},
- "kdf-components": &tlsKDF{},
- "KAS-ECC-SSC": &kas{},
- "KAS-FFC-SSC": &kasDH{},
+ "SHA-1": &hashPrimitive{"SHA-1", 20},
+ "SHA2-224": &hashPrimitive{"SHA2-224", 28},
+ "SHA2-256": &hashPrimitive{"SHA2-256", 32},
+ "SHA2-384": &hashPrimitive{"SHA2-384", 48},
+ "SHA2-512": &hashPrimitive{"SHA2-512", 64},
+ "SHA2-512/256": &hashPrimitive{"SHA2-512/256", 32},
+ "ACVP-AES-ECB": &blockCipher{"AES", 16, 2, true, false, iterateAES},
+ "ACVP-AES-CBC": &blockCipher{"AES-CBC", 16, 2, true, true, iterateAESCBC},
+ "ACVP-AES-CBC-CS3": &blockCipher{"AES-CBC-CS3", 16, 1, false, true, iterateAESCBC},
+ "ACVP-AES-CTR": &blockCipher{"AES-CTR", 16, 1, false, true, nil},
+ "ACVP-AES-XTS": &xts{},
+ "ACVP-AES-GCM": &aead{"AES-GCM", false},
+ "ACVP-AES-GMAC": &aead{"AES-GCM", false},
+ "ACVP-AES-CCM": &aead{"AES-CCM", true},
+ "ACVP-AES-KW": &aead{"AES-KW", false},
+ "ACVP-AES-KWP": &aead{"AES-KWP", false},
+ "HMAC-SHA-1": &hmacPrimitive{"HMAC-SHA-1", 20},
+ "HMAC-SHA2-224": &hmacPrimitive{"HMAC-SHA2-224", 28},
+ "HMAC-SHA2-256": &hmacPrimitive{"HMAC-SHA2-256", 32},
+ "HMAC-SHA2-384": &hmacPrimitive{"HMAC-SHA2-384", 48},
+ "HMAC-SHA2-512": &hmacPrimitive{"HMAC-SHA2-512", 64},
+ "HMAC-SHA2-512/256": &hmacPrimitive{"HMAC-SHA2-512/256", 32},
+ "ctrDRBG": &drbg{"ctrDRBG", map[string]bool{"AES-128": true, "AES-192": true, "AES-256": true}},
+ "hmacDRBG": &drbg{"hmacDRBG", map[string]bool{"SHA-1": true, "SHA2-224": true, "SHA2-256": true, "SHA2-384": true, "SHA2-512": true}},
+ "KDF": &kdfPrimitive{},
+ "KAS-KDF": &hkdf{},
+ "CMAC-AES": &keyedMACPrimitive{"CMAC-AES"},
+ "RSA": &rsa{},
+ "kdf-components": &tlsKDF{},
+ "KAS-ECC-SSC": &kas{},
+ "KAS-FFC-SSC": &kasDH{},
}
m.primitives["ECDSA"] = &ecdsa{"ECDSA", map[string]bool{"P-224": true, "P-256": true, "P-384": true, "P-521": true}, m.primitives}
diff --git a/src/util/fipstools/acvp/acvptool/test/expected/ACVP-TDES-CBC.bz2 b/src/util/fipstools/acvp/acvptool/test/expected/ACVP-TDES-CBC.bz2
deleted file mode 100644
index 4c2832c..0000000
--- a/src/util/fipstools/acvp/acvptool/test/expected/ACVP-TDES-CBC.bz2
+++ /dev/null
Binary files differ
diff --git a/src/util/fipstools/acvp/acvptool/test/expected/ACVP-TDES-ECB.bz2 b/src/util/fipstools/acvp/acvptool/test/expected/ACVP-TDES-ECB.bz2
deleted file mode 100644
index 1128b49..0000000
--- a/src/util/fipstools/acvp/acvptool/test/expected/ACVP-TDES-ECB.bz2
+++ /dev/null
Binary files differ
diff --git a/src/util/fipstools/acvp/acvptool/test/expected/HMAC-SHA2-512-256.bz2 b/src/util/fipstools/acvp/acvptool/test/expected/HMAC-SHA2-512-256.bz2
new file mode 100644
index 0000000..6984115
--- /dev/null
+++ b/src/util/fipstools/acvp/acvptool/test/expected/HMAC-SHA2-512-256.bz2
Binary files differ
diff --git a/src/util/fipstools/acvp/acvptool/test/expected/ctrDRBG.bz2 b/src/util/fipstools/acvp/acvptool/test/expected/ctrDRBG.bz2
index 9f6e487..c3bd2a1 100644
--- a/src/util/fipstools/acvp/acvptool/test/expected/ctrDRBG.bz2
+++ b/src/util/fipstools/acvp/acvptool/test/expected/ctrDRBG.bz2
Binary files differ
diff --git a/src/util/fipstools/acvp/acvptool/test/tests.json b/src/util/fipstools/acvp/acvptool/test/tests.json
index f613917..5765de1 100644
--- a/src/util/fipstools/acvp/acvptool/test/tests.json
+++ b/src/util/fipstools/acvp/acvptool/test/tests.json
@@ -9,8 +9,6 @@
{"Wrapper": "modulewrapper", "In": "vectors/ACVP-AES-KW.bz2", "Out": "expected/ACVP-AES-KW.bz2"},
{"Wrapper": "modulewrapper", "In": "vectors/ACVP-AES-KWP.bz2", "Out": "expected/ACVP-AES-KWP.bz2"},
{"Wrapper": "testmodulewrapper", "In": "vectors/ACVP-AES-XTS.bz2", "Out": "expected/ACVP-AES-XTS.bz2"},
-{"Wrapper": "modulewrapper", "In": "vectors/ACVP-TDES-CBC.bz2", "Out": "expected/ACVP-TDES-CBC.bz2"},
-{"Wrapper": "modulewrapper", "In": "vectors/ACVP-TDES-ECB.bz2", "Out": "expected/ACVP-TDES-ECB.bz2"},
{"Wrapper": "modulewrapper", "In": "vectors/CMAC-AES.bz2", "Out": "expected/CMAC-AES.bz2"},
{"Wrapper": "modulewrapper", "In": "vectors/ctrDRBG.bz2", "Out": "expected/ctrDRBG.bz2"},
{"Wrapper": "modulewrapper", "In": "vectors/ECDSA.bz2", "Out": "expected/ECDSA.bz2"},
@@ -19,6 +17,7 @@
{"Wrapper": "modulewrapper", "In": "vectors/HMAC-SHA2-256.bz2", "Out": "expected/HMAC-SHA2-256.bz2"},
{"Wrapper": "modulewrapper", "In": "vectors/HMAC-SHA2-384.bz2", "Out": "expected/HMAC-SHA2-384.bz2"},
{"Wrapper": "modulewrapper", "In": "vectors/HMAC-SHA2-512.bz2", "Out": "expected/HMAC-SHA2-512.bz2"},
+{"Wrapper": "modulewrapper", "In": "vectors/HMAC-SHA2-512-256.bz2", "Out": "expected/HMAC-SHA2-512-256.bz2"},
{"Wrapper": "testmodulewrapper", "In": "vectors/hmacDRBG.bz2", "Out": "expected/hmacDRBG.bz2"},
{"Wrapper": "testmodulewrapper", "In": "vectors/KAS-KDF.bz2", "Out": "expected/KAS-KDF.bz2"},
{"Wrapper": "modulewrapper", "In": "vectors/KAS-ECC-SSC.bz2"},
diff --git a/src/util/fipstools/acvp/acvptool/test/vectors/ACVP-TDES-CBC.bz2 b/src/util/fipstools/acvp/acvptool/test/vectors/ACVP-TDES-CBC.bz2
deleted file mode 100644
index 33fdbf3..0000000
--- a/src/util/fipstools/acvp/acvptool/test/vectors/ACVP-TDES-CBC.bz2
+++ /dev/null
Binary files differ
diff --git a/src/util/fipstools/acvp/acvptool/test/vectors/ACVP-TDES-ECB.bz2 b/src/util/fipstools/acvp/acvptool/test/vectors/ACVP-TDES-ECB.bz2
deleted file mode 100644
index c8853ed..0000000
--- a/src/util/fipstools/acvp/acvptool/test/vectors/ACVP-TDES-ECB.bz2
+++ /dev/null
Binary files differ
diff --git a/src/util/fipstools/acvp/acvptool/test/vectors/HMAC-SHA2-512-256.bz2 b/src/util/fipstools/acvp/acvptool/test/vectors/HMAC-SHA2-512-256.bz2
new file mode 100644
index 0000000..d981300
--- /dev/null
+++ b/src/util/fipstools/acvp/acvptool/test/vectors/HMAC-SHA2-512-256.bz2
Binary files differ
diff --git a/src/util/fipstools/acvp/acvptool/test/vectors/ctrDRBG.bz2 b/src/util/fipstools/acvp/acvptool/test/vectors/ctrDRBG.bz2
index 16f447f..1231272 100644
--- a/src/util/fipstools/acvp/acvptool/test/vectors/ctrDRBG.bz2
+++ b/src/util/fipstools/acvp/acvptool/test/vectors/ctrDRBG.bz2
Binary files differ
diff --git a/src/util/fipstools/acvp/modulewrapper/CMakeLists.txt b/src/util/fipstools/acvp/modulewrapper/CMakeLists.txt
index 267f82c..f13f6df 100644
--- a/src/util/fipstools/acvp/modulewrapper/CMakeLists.txt
+++ b/src/util/fipstools/acvp/modulewrapper/CMakeLists.txt
@@ -7,6 +7,7 @@
main.cc
modulewrapper.cc
)
+ install(TARGETS modulewrapper)
add_dependencies(modulewrapper global_target)
diff --git a/src/util/fipstools/acvp/modulewrapper/modulewrapper.cc b/src/util/fipstools/acvp/modulewrapper/modulewrapper.cc
index 7188029..f3e583d 100644
--- a/src/util/fipstools/acvp/modulewrapper/modulewrapper.cc
+++ b/src/util/fipstools/acvp/modulewrapper/modulewrapper.cc
@@ -297,10 +297,10 @@
"direction": ["encrypt", "decrypt"],
"keyLen": [128, 192, 256],
"payloadLen": [{
- "min": 0, "max": 256, "increment": 8
+ "min": 0, "max": 65536, "increment": 8
}],
"aadLen": [{
- "min": 0, "max": 320, "increment": 8
+ "min": 0, "max": 65536, "increment": 8
}],
"tagLen": [32, 64, 96, 104, 112, 120, 128],
"ivLen": [96],
@@ -312,10 +312,10 @@
"direction": ["encrypt", "decrypt"],
"keyLen": [128, 192, 256],
"payloadLen": [{
- "min": 0, "max": 256, "increment": 8
+ "min": 0, "max": 65536, "increment": 8
}],
"aadLen": [{
- "min": 0, "max": 320, "increment": 8
+ "min": 0, "max": 65536, "increment": 8
}],
"tagLen": [32, 64, 96, 104, 112, 120, 128],
"ivLen": [96],
@@ -334,7 +334,7 @@
"keyLen": [
128, 192, 256
],
- "payloadLen": [{"min": 128, "max": 1024, "increment": 64}]
+ "payloadLen": [{"min": 128, "max": 4096, "increment": 64}]
},
{
"algorithm": "ACVP-AES-KWP",
@@ -363,28 +363,14 @@
],
"payloadLen": [{"min": 0, "max": 256, "increment": 8}],
"ivLen": [104],
- "tagLen": [32],
- "aadLen": [{"min": 0, "max": 1024, "increment": 8}]
- },
- {
- "algorithm": "ACVP-TDES-ECB",
- "revision": "1.0",
- "direction": ["encrypt", "decrypt"],
- "keyLen": [192],
- "keyingOption": [1]
- },
- {
- "algorithm": "ACVP-TDES-CBC",
- "revision": "1.0",
- "direction": ["encrypt", "decrypt"],
- "keyLen": [192],
- "keyingOption": [1]
+ "tagLen": [32, 64],
+ "aadLen": [{"min": 0, "max": 524288, "increment": 8}]
},
{
"algorithm": "HMAC-SHA-1",
"revision": "1.0",
"keyLen": [{
- "min": 8, "max": 2048, "increment": 8
+ "min": 8, "max": 524288, "increment": 8
}],
"macLen": [{
"min": 32, "max": 160, "increment": 8
@@ -394,7 +380,7 @@
"algorithm": "HMAC-SHA2-224",
"revision": "1.0",
"keyLen": [{
- "min": 8, "max": 2048, "increment": 8
+ "min": 8, "max": 524288, "increment": 8
}],
"macLen": [{
"min": 32, "max": 224, "increment": 8
@@ -404,7 +390,7 @@
"algorithm": "HMAC-SHA2-256",
"revision": "1.0",
"keyLen": [{
- "min": 8, "max": 2048, "increment": 8
+ "min": 8, "max": 524288, "increment": 8
}],
"macLen": [{
"min": 32, "max": 256, "increment": 8
@@ -414,7 +400,7 @@
"algorithm": "HMAC-SHA2-384",
"revision": "1.0",
"keyLen": [{
- "min": 8, "max": 2048, "increment": 8
+ "min": 8, "max": 524288, "increment": 8
}],
"macLen": [{
"min": 32, "max": 384, "increment": 8
@@ -424,17 +410,27 @@
"algorithm": "HMAC-SHA2-512",
"revision": "1.0",
"keyLen": [{
- "min": 8, "max": 2048, "increment": 8
+ "min": 8, "max": 524288, "increment": 8
}],
"macLen": [{
"min": 32, "max": 512, "increment": 8
}]
},
{
+ "algorithm": "HMAC-SHA2-512/256",
+ "revision": "1.0",
+ "keyLen": [{
+ "min": 8, "max": 524288, "increment": 8
+ }],
+ "macLen": [{
+ "min": 32, "max": 256, "increment": 8
+ }]
+ },
+ {
"algorithm": "ctrDRBG",
"revision": "1.0",
"predResistanceEnabled": [false],
- "reseedImplemented": false,
+ "reseedImplemented": true,
"capabilities": [{
"mode": "AES-256",
"derFuncEnabled": false,
@@ -487,7 +483,8 @@
"SHA2-224",
"SHA2-256",
"SHA2-384",
- "SHA2-512"
+ "SHA2-512",
+ "SHA2-512/256"
]
}]
},
@@ -507,7 +504,8 @@
"SHA2-224",
"SHA2-256",
"SHA2-384",
- "SHA2-512"
+ "SHA2-512",
+ "SHA2-512/256"
]
}]
},
@@ -601,6 +599,9 @@
}, {
"hashAlg": "SHA2-512",
"saltLen": 64
+ }, {
+ "hashAlg": "SHA2-512/256",
+ "saltLen": 32
}]
}]
},{
@@ -619,6 +620,9 @@
}, {
"hashAlg": "SHA2-512",
"saltLen": 64
+ }, {
+ "hashAlg": "SHA2-512/256",
+ "saltLen": 32
}]
}]
},{
@@ -637,6 +641,9 @@
}, {
"hashAlg": "SHA2-512",
"saltLen": 64
+ }, {
+ "hashAlg": "SHA2-512/256",
+ "saltLen": 32
}]
}]
}]
@@ -714,6 +721,27 @@
},{
"sigType": "pss",
"properties": [{
+ "modulo": 1024,
+ "hashPair": [{
+ "hashAlg": "SHA2-224",
+ "saltLen": 28
+ }, {
+ "hashAlg": "SHA2-256",
+ "saltLen": 32
+ }, {
+ "hashAlg": "SHA2-384",
+ "saltLen": 48
+ }, {
+ "hashAlg": "SHA2-512/256",
+ "saltLen": 32
+ }, {
+ "hashAlg": "SHA-1",
+ "saltLen": 20
+ }]
+ }]
+ },{
+ "sigType": "pss",
+ "properties": [{
"modulo": 2048,
"hashPair": [{
"hashAlg": "SHA2-224",
@@ -728,6 +756,9 @@
"hashAlg": "SHA2-512",
"saltLen": 64
}, {
+ "hashAlg": "SHA2-512/256",
+ "saltLen": 32
+ }, {
"hashAlg": "SHA-1",
"saltLen": 20
}]
@@ -749,6 +780,9 @@
"hashAlg": "SHA2-512",
"saltLen": 64
}, {
+ "hashAlg": "SHA2-512/256",
+ "saltLen": 32
+ }, {
"hashAlg": "SHA-1",
"saltLen": 20
}]
@@ -770,6 +804,9 @@
"hashAlg": "SHA2-512",
"saltLen": 64
}, {
+ "hashAlg": "SHA2-512/256",
+ "saltLen": 32
+ }, {
"hashAlg": "SHA-1",
"saltLen": 20
}]
@@ -784,12 +821,12 @@
"direction": ["gen", "ver"],
"msgLen": [{
"min": 0,
- "max": 65536,
+ "max": 524288,
"increment": 8
}],
"keyLen": [128, 256],
"macLen": [{
- "min": 32,
+ "min": 8,
"max": 128,
"increment": 8
}]
@@ -1059,10 +1096,21 @@
return false;
}
memcpy(&tag_len_32, tag_len_span.data(), sizeof(tag_len_32));
- if (tag_len_32 != 4) {
- LOG_ERROR("AES-CCM only supports 4-byte tags, but %u was requested\n",
- static_cast<unsigned>(tag_len_32));
- return false;
+ const EVP_AEAD *aead;
+ switch (tag_len_32) {
+ case 4:
+ aead = EVP_aead_aes_128_ccm_bluetooth();
+ break;
+
+ case 8:
+ aead = EVP_aead_aes_128_ccm_bluetooth_8();
+ break;
+
+ default:
+ LOG_ERROR(
+ "AES-CCM only supports 4- and 8-byte tags, but %u was requested\n",
+ static_cast<unsigned>(tag_len_32));
+ return false;
}
if (key.size() != 16) {
@@ -1071,8 +1119,8 @@
return false;
}
- if (!EVP_AEAD_CTX_init(ctx, EVP_aead_aes_128_ccm_bluetooth(), key.data(),
- key.size(), tag_len_32, nullptr)) {
+ if (!EVP_AEAD_CTX_init(ctx, aead, key.data(), key.size(), tag_len_32,
+ nullptr)) {
LOG_ERROR("Failed to setup AES-CCM with tag length %u\n",
static_cast<unsigned>(tag_len_32));
return false;
@@ -1382,17 +1430,31 @@
return write_reply({Span<const uint8_t>(digest, digest_len)});
}
+template <bool WithReseed>
static bool DRBG(const Span<const uint8_t> args[], ReplyCallback write_reply) {
const auto out_len_bytes = args[0];
const auto entropy = args[1];
const auto personalisation = args[2];
- const auto additional_data1 = args[3];
- const auto additional_data2 = args[4];
- const auto nonce = args[5];
+
+ Span<const uint8_t> reseed_additional_data, reseed_entropy, additional_data1,
+ additional_data2, nonce;
+ if (!WithReseed) {
+ additional_data1 = args[3];
+ additional_data2 = args[4];
+ nonce = args[5];
+ } else {
+ reseed_additional_data = args[3];
+ reseed_entropy = args[4];
+ additional_data1 = args[5];
+ additional_data2 = args[6];
+ nonce = args[7];
+ }
uint32_t out_len;
if (out_len_bytes.size() != sizeof(out_len) ||
entropy.size() != CTR_DRBG_ENTROPY_LEN ||
+ (!reseed_entropy.empty() &&
+ reseed_entropy.size() != CTR_DRBG_ENTROPY_LEN) ||
// nonces are not supported
nonce.size() != 0) {
return false;
@@ -1406,6 +1468,10 @@
CTR_DRBG_STATE drbg;
if (!CTR_DRBG_init(&drbg, entropy.data(), personalisation.data(),
personalisation.size()) ||
+ (!reseed_entropy.empty() &&
+ !CTR_DRBG_reseed(&drbg, reseed_entropy.data(),
+ reseed_additional_data.data(),
+ reseed_additional_data.size())) ||
!CTR_DRBG_generate(&drbg, out.data(), out_len, additional_data1.data(),
additional_data1.size()) ||
!CTR_DRBG_generate(&drbg, out.data(), out_len, additional_data2.data(),
@@ -1517,6 +1583,8 @@
return EVP_sha384();
} else if (StringEq(name, "SHA2-512")) {
return EVP_sha512();
+ } else if (StringEq(name, "SHA2-512/256")) {
+ return EVP_sha512_256();
} else {
return nullptr;
}
@@ -1915,7 +1983,9 @@
{"HMAC-SHA2-256", 2, HMAC<EVP_sha256>},
{"HMAC-SHA2-384", 2, HMAC<EVP_sha384>},
{"HMAC-SHA2-512", 2, HMAC<EVP_sha512>},
- {"ctrDRBG/AES-256", 6, DRBG},
+ {"HMAC-SHA2-512/256", 2, HMAC<EVP_sha512_256>},
+ {"ctrDRBG/AES-256", 6, DRBG<false>},
+ {"ctrDRBG-reseed/AES-256", 8, DRBG<true>},
{"ECDSA/keyGen", 1, ECDSAKeyGen},
{"ECDSA/keyVer", 3, ECDSAKeyVer},
{"ECDSA/sigGen", 4, ECDSASigGen},
@@ -1932,6 +2002,7 @@
{"RSA/sigGen/SHA2-256/pss", 2, RSASigGen<EVP_sha256, true>},
{"RSA/sigGen/SHA2-384/pss", 2, RSASigGen<EVP_sha384, true>},
{"RSA/sigGen/SHA2-512/pss", 2, RSASigGen<EVP_sha512, true>},
+ {"RSA/sigGen/SHA2-512/256/pss", 2, RSASigGen<EVP_sha512_256, true>},
{"RSA/sigGen/SHA-1/pss", 2, RSASigGen<EVP_sha1, true>},
{"RSA/sigVer/SHA2-224/pkcs1v1.5", 4, RSASigVer<EVP_sha224, false>},
{"RSA/sigVer/SHA2-256/pkcs1v1.5", 4, RSASigVer<EVP_sha256, false>},
@@ -1942,6 +2013,7 @@
{"RSA/sigVer/SHA2-256/pss", 4, RSASigVer<EVP_sha256, true>},
{"RSA/sigVer/SHA2-384/pss", 4, RSASigVer<EVP_sha384, true>},
{"RSA/sigVer/SHA2-512/pss", 4, RSASigVer<EVP_sha512, true>},
+ {"RSA/sigVer/SHA2-512/256/pss", 4, RSASigVer<EVP_sha512_256, true>},
{"RSA/sigVer/SHA-1/pss", 4, RSASigVer<EVP_sha1, true>},
{"TLSKDF/1.0/SHA-1", 5, TLSKDF<EVP_md5_sha1>},
{"TLSKDF/1.2/SHA2-256", 5, TLSKDF<EVP_sha256>},
diff --git a/src/util/fipstools/acvp/modulewrapper/modulewrapper.h b/src/util/fipstools/acvp/modulewrapper/modulewrapper.h
index 0472800..cb8f9f3 100644
--- a/src/util/fipstools/acvp/modulewrapper/modulewrapper.h
+++ b/src/util/fipstools/acvp/modulewrapper/modulewrapper.h
@@ -26,7 +26,7 @@
// kMaxArgs is the maximum number of arguments (including the function name)
// that an ACVP request can contain.
-constexpr size_t kMaxArgs = 8;
+constexpr size_t kMaxArgs = 9;
// kMaxNameLength is the maximum length of a function name in an ACVP request.
constexpr size_t kMaxNameLength = 30;
diff --git a/src/util/fipstools/delocate/delocate.go b/src/util/fipstools/delocate/delocate.go
index 2d92520..55c8671 100644
--- a/src/util/fipstools/delocate/delocate.go
+++ b/src/util/fipstools/delocate/delocate.go
@@ -509,7 +509,7 @@
// This is a branch. Either the target needs to be written to a local
// version of the symbol to ensure that no relocations are emitted, or
// it needs to jump to a redirector function.
- symbol, _, _, didChange, symbolIsLocal, _ := d.parseMemRef(arg.up)
+ symbol, offset, _, didChange, symbolIsLocal, _ := d.parseMemRef(arg.up)
changed = didChange
if _, knownSymbol := d.symbols[symbol]; knownSymbol {
@@ -520,6 +520,13 @@
d.redirectors[symbol] = redirector
symbol = redirector
changed = true
+ } else if didChange && symbolIsLocal && len(offset) > 0 {
+ // didChange is set when the inputFile index is not 0; which is the index of the
+ // first file copied to the output, which is the generated assembly of bcm.c.
+ // In subsequently copied assembly files, local symbols are changed by appending (BCM_ + index)
+ // in order to ensure they don't collide. `index` gets incremented per file.
+ // If there is offset after the symbol, append the `offset`.
+ symbol = symbol + offset
}
args = append(args, symbol)
@@ -1940,7 +1947,7 @@
}
w.WriteString(".type BORINGSSL_bcm_text_hash, @object\n")
- w.WriteString(".size BORINGSSL_bcm_text_hash, 64\n")
+ w.WriteString(".size BORINGSSL_bcm_text_hash, 32\n")
w.WriteString("BORINGSSL_bcm_text_hash:\n")
for _, b := range fipscommon.UninitHashValue {
w.WriteString(".byte 0x" + strconv.FormatUint(uint64(b), 16) + "\n")
diff --git a/src/util/fipstools/delocate/delocate.peg b/src/util/fipstools/delocate/delocate.peg
index c253a48..8267065 100644
--- a/src/util/fipstools/delocate/delocate.peg
+++ b/src/util/fipstools/delocate/delocate.peg
@@ -94,7 +94,7 @@
BaseIndexScale)
SymbolRef <- (Offset* '+')? (LocalSymbol / SymbolName) Offset* ('@' Section Offset*)?
Low12BitsSymbolRef <- ":lo12:" (LocalSymbol / SymbolName) Offset?
-ARMBaseIndexScale <- '[' ARMRegister (',' WS? (('#' Offset ('*' [0-9]+)? ) / ARMGOTLow12 / Low12BitsSymbolRef / ARMRegister) (',' WS? ARMConstantTweak)?)? ']' ARMPostincrement?
+ARMBaseIndexScale <- '[' ARMRegister (',' WS? (('#' Offset (('*' [0-9]+) / ('*' '(' [0-9]+ Operator [0-9]+ ')') / (('+' [0-9]+)*))? ) / ARMGOTLow12 / Low12BitsSymbolRef / ARMRegister) (',' WS? ARMConstantTweak)?)? ']' ARMPostincrement?
ARMGOTLow12 <- ":got_lo12:" SymbolName
ARMPostincrement <- '!'
BaseIndexScale <- '(' RegisterOrConstant? WS? (',' WS? RegisterOrConstant WS? (',' [0-9]+)? )? ')'
diff --git a/src/util/fipstools/delocate/delocate.peg.go b/src/util/fipstools/delocate/delocate.peg.go
index ea7c195..6f5c654 100644
--- a/src/util/fipstools/delocate/delocate.peg.go
+++ b/src/util/fipstools/delocate/delocate.peg.go
@@ -1,10 +1,14 @@
package main
+// Code generated by ./peg/peg delocate.peg DO NOT EDIT.
+
import (
"fmt"
- "math"
+ "io"
+ "os"
"sort"
"strconv"
+ "strings"
)
const endSymbol rune = 1114112
@@ -142,19 +146,19 @@
up, next *node32
}
-func (node *node32) print(pretty bool, buffer string) {
+func (node *node32) print(w io.Writer, pretty bool, buffer string) {
var print func(node *node32, depth int)
print = func(node *node32, depth int) {
for node != nil {
for c := 0; c < depth; c++ {
- fmt.Printf(" ")
+ fmt.Fprintf(w, " ")
}
rule := rul3s[node.pegRule]
quote := strconv.Quote(string(([]rune(buffer)[node.begin:node.end])))
if !pretty {
- fmt.Printf("%v %v\n", rule, quote)
+ fmt.Fprintf(w, "%v %v\n", rule, quote)
} else {
- fmt.Printf("\x1B[34m%v\x1B[m %v\n", rule, quote)
+ fmt.Fprintf(w, "\x1B[36m%v\x1B[m %v\n", rule, quote)
}
if node.up != nil {
print(node.up, depth+1)
@@ -165,12 +169,12 @@
print(node, 0)
}
-func (node *node32) Print(buffer string) {
- node.print(false, buffer)
+func (node *node32) Print(w io.Writer, buffer string) {
+ node.print(w, false, buffer)
}
-func (node *node32) PrettyPrint(buffer string) {
- node.print(true, buffer)
+func (node *node32) PrettyPrint(w io.Writer, buffer string) {
+ node.print(w, true, buffer)
}
type tokens32 struct {
@@ -213,24 +217,24 @@
}
func (t *tokens32) PrintSyntaxTree(buffer string) {
- t.AST().Print(buffer)
+ t.AST().Print(os.Stdout, buffer)
+}
+
+func (t *tokens32) WriteSyntaxTree(w io.Writer, buffer string) {
+ t.AST().Print(w, buffer)
}
func (t *tokens32) PrettyPrintSyntaxTree(buffer string) {
- t.AST().PrettyPrint(buffer)
+ t.AST().PrettyPrint(os.Stdout, buffer)
}
func (t *tokens32) Add(rule pegRule, begin, end, index uint32) {
- if tree := t.tree; int(index) >= len(tree) {
- expanded := make([]token32, 2*len(tree))
- copy(expanded, tree)
- t.tree = expanded
+ tree, i := t.tree, int(index)
+ if i >= len(tree) {
+ t.tree = append(tree, token32{pegRule: rule, begin: begin, end: end})
+ return
}
- t.tree[index] = token32{
- pegRule: rule,
- begin: begin,
- end: end,
- }
+ tree[i] = token32{pegRule: rule, begin: begin, end: end}
}
func (t *tokens32) Tokens() []token32 {
@@ -292,7 +296,7 @@
}
func (e *parseError) Error() string {
- tokens, error := []token32{e.max}, "\n"
+ tokens, err := []token32{e.max}, "\n"
positions, p := make([]int, 2*len(tokens)), 0
for _, token := range tokens {
positions[p], p = int(token.begin), p+1
@@ -305,14 +309,14 @@
}
for _, token := range tokens {
begin, end := int(token.begin), int(token.end)
- error += fmt.Sprintf(format,
+ err += fmt.Sprintf(format,
rul3s[token.pegRule],
translations[begin].line, translations[begin].symbol,
translations[end].line, translations[end].symbol,
strconv.Quote(string(e.p.buffer[begin:end])))
}
- return error
+ return err
}
func (p *Asm) PrintSyntaxTree() {
@@ -323,12 +327,41 @@
}
}
-func (p *Asm) Init() {
+func (p *Asm) WriteSyntaxTree(w io.Writer) {
+ p.tokens32.WriteSyntaxTree(w, p.Buffer)
+}
+
+func (p *Asm) SprintSyntaxTree() string {
+ var bldr strings.Builder
+ p.WriteSyntaxTree(&bldr)
+ return bldr.String()
+}
+
+func Pretty(pretty bool) func(*Asm) error {
+ return func(p *Asm) error {
+ p.Pretty = pretty
+ return nil
+ }
+}
+
+func Size(size int) func(*Asm) error {
+ return func(p *Asm) error {
+ p.tokens32 = tokens32{tree: make([]token32, 0, size)}
+ return nil
+ }
+}
+func (p *Asm) Init(options ...func(*Asm) error) error {
var (
max token32
position, tokenIndex uint32
buffer []rune
)
+ for _, option := range options {
+ err := option(p)
+ if err != nil {
+ return err
+ }
+ }
p.reset = func() {
max = token32{}
position, tokenIndex = 0, 0
@@ -342,7 +375,7 @@
p.reset()
_rules := p.rules
- tree := tokens32{tree: make([]token32, math.MaxInt16)}
+ tree := p.tokens32
p.parse = func(rule ...int) error {
r := 1
if len(rule) > 0 {
@@ -5708,7 +5741,7 @@
position, tokenIndex = position727, tokenIndex727
return false
},
- /* 46 ARMBaseIndexScale <- <('[' ARMRegister (',' WS? (('#' Offset ('*' [0-9]+)?) / ARMGOTLow12 / Low12BitsSymbolRef / ARMRegister) (',' WS? ARMConstantTweak)?)? ']' ARMPostincrement?)> */
+ /* 46 ARMBaseIndexScale <- <('[' ARMRegister (',' WS? (('#' Offset (('*' [0-9]+) / ('*' '(' [0-9]+ Operator [0-9]+ ')') / ('+' [0-9]+)*)?) / ARMGOTLow12 / Low12BitsSymbolRef / ARMRegister) (',' WS? ARMConstantTweak)?)? ']' ARMPostincrement?)> */
func() bool {
position737, tokenIndex737 := position, tokenIndex
{
@@ -5747,27 +5780,108 @@
}
{
position745, tokenIndex745 := position, tokenIndex
- if buffer[position] != rune('*') {
- goto l745
- }
- position++
- if c := buffer[position]; c < rune('0') || c > rune('9') {
- goto l745
- }
- position++
- l747:
{
- position748, tokenIndex748 := position, tokenIndex
+ position747, tokenIndex747 := position, tokenIndex
+ if buffer[position] != rune('*') {
+ goto l748
+ }
+ position++
if c := buffer[position]; c < rune('0') || c > rune('9') {
goto l748
}
position++
+ l749:
+ {
+ position750, tokenIndex750 := position, tokenIndex
+ if c := buffer[position]; c < rune('0') || c > rune('9') {
+ goto l750
+ }
+ position++
+ goto l749
+ l750:
+ position, tokenIndex = position750, tokenIndex750
+ }
goto l747
l748:
- position, tokenIndex = position748, tokenIndex748
+ position, tokenIndex = position747, tokenIndex747
+ if buffer[position] != rune('*') {
+ goto l751
+ }
+ position++
+ if buffer[position] != rune('(') {
+ goto l751
+ }
+ position++
+ if c := buffer[position]; c < rune('0') || c > rune('9') {
+ goto l751
+ }
+ position++
+ l752:
+ {
+ position753, tokenIndex753 := position, tokenIndex
+ if c := buffer[position]; c < rune('0') || c > rune('9') {
+ goto l753
+ }
+ position++
+ goto l752
+ l753:
+ position, tokenIndex = position753, tokenIndex753
+ }
+ if !_rules[ruleOperator]() {
+ goto l751
+ }
+ if c := buffer[position]; c < rune('0') || c > rune('9') {
+ goto l751
+ }
+ position++
+ l754:
+ {
+ position755, tokenIndex755 := position, tokenIndex
+ if c := buffer[position]; c < rune('0') || c > rune('9') {
+ goto l755
+ }
+ position++
+ goto l754
+ l755:
+ position, tokenIndex = position755, tokenIndex755
+ }
+ if buffer[position] != rune(')') {
+ goto l751
+ }
+ position++
+ goto l747
+ l751:
+ position, tokenIndex = position747, tokenIndex747
+ l756:
+ {
+ position757, tokenIndex757 := position, tokenIndex
+ if buffer[position] != rune('+') {
+ goto l757
+ }
+ position++
+ if c := buffer[position]; c < rune('0') || c > rune('9') {
+ goto l757
+ }
+ position++
+ l758:
+ {
+ position759, tokenIndex759 := position, tokenIndex
+ if c := buffer[position]; c < rune('0') || c > rune('9') {
+ goto l759
+ }
+ position++
+ goto l758
+ l759:
+ position, tokenIndex = position759, tokenIndex759
+ }
+ goto l756
+ l757:
+ position, tokenIndex = position757, tokenIndex757
+ }
}
+ l747:
goto l746
- l745:
+
position, tokenIndex = position745, tokenIndex745
}
l746:
@@ -5775,16 +5889,16 @@
l744:
position, tokenIndex = position743, tokenIndex743
if !_rules[ruleARMGOTLow12]() {
- goto l749
+ goto l760
}
goto l743
- l749:
+ l760:
position, tokenIndex = position743, tokenIndex743
if !_rules[ruleLow12BitsSymbolRef]() {
- goto l750
+ goto l761
}
goto l743
- l750:
+ l761:
position, tokenIndex = position743, tokenIndex743
if !_rules[ruleARMRegister]() {
goto l739
@@ -5792,29 +5906,29 @@
}
l743:
{
- position751, tokenIndex751 := position, tokenIndex
+ position762, tokenIndex762 := position, tokenIndex
if buffer[position] != rune(',') {
- goto l751
+ goto l762
}
position++
{
- position753, tokenIndex753 := position, tokenIndex
+ position764, tokenIndex764 := position, tokenIndex
if !_rules[ruleWS]() {
- goto l753
+ goto l764
}
- goto l754
- l753:
- position, tokenIndex = position753, tokenIndex753
+ goto l765
+ l764:
+ position, tokenIndex = position764, tokenIndex764
}
- l754:
+ l765:
if !_rules[ruleARMConstantTweak]() {
- goto l751
+ goto l762
}
- goto l752
- l751:
- position, tokenIndex = position751, tokenIndex751
+ goto l763
+ l762:
+ position, tokenIndex = position762, tokenIndex762
}
- l752:
+ l763:
goto l740
l739:
position, tokenIndex = position739, tokenIndex739
@@ -5825,15 +5939,15 @@
}
position++
{
- position755, tokenIndex755 := position, tokenIndex
+ position766, tokenIndex766 := position, tokenIndex
if !_rules[ruleARMPostincrement]() {
- goto l755
+ goto l766
}
- goto l756
- l755:
- position, tokenIndex = position755, tokenIndex755
+ goto l767
+ l766:
+ position, tokenIndex = position766, tokenIndex766
}
- l756:
+ l767:
add(ruleARMBaseIndexScale, position738)
}
return true
@@ -5843,566 +5957,567 @@
},
/* 47 ARMGOTLow12 <- <(':' ('g' / 'G') ('o' / 'O') ('t' / 'T') '_' ('l' / 'L') ('o' / 'O') '1' '2' ':' SymbolName)> */
func() bool {
- position757, tokenIndex757 := position, tokenIndex
+ position768, tokenIndex768 := position, tokenIndex
{
- position758 := position
+ position769 := position
if buffer[position] != rune(':') {
- goto l757
+ goto l768
}
position++
{
- position759, tokenIndex759 := position, tokenIndex
+ position770, tokenIndex770 := position, tokenIndex
if buffer[position] != rune('g') {
- goto l760
+ goto l771
}
position++
- goto l759
- l760:
- position, tokenIndex = position759, tokenIndex759
+ goto l770
+ l771:
+ position, tokenIndex = position770, tokenIndex770
if buffer[position] != rune('G') {
- goto l757
- }
- position++
- }
- l759:
- {
- position761, tokenIndex761 := position, tokenIndex
- if buffer[position] != rune('o') {
- goto l762
- }
- position++
- goto l761
- l762:
- position, tokenIndex = position761, tokenIndex761
- if buffer[position] != rune('O') {
- goto l757
- }
- position++
- }
- l761:
- {
- position763, tokenIndex763 := position, tokenIndex
- if buffer[position] != rune('t') {
- goto l764
- }
- position++
- goto l763
- l764:
- position, tokenIndex = position763, tokenIndex763
- if buffer[position] != rune('T') {
- goto l757
- }
- position++
- }
- l763:
- if buffer[position] != rune('_') {
- goto l757
- }
- position++
- {
- position765, tokenIndex765 := position, tokenIndex
- if buffer[position] != rune('l') {
- goto l766
- }
- position++
- goto l765
- l766:
- position, tokenIndex = position765, tokenIndex765
- if buffer[position] != rune('L') {
- goto l757
- }
- position++
- }
- l765:
- {
- position767, tokenIndex767 := position, tokenIndex
- if buffer[position] != rune('o') {
goto l768
}
position++
- goto l767
- l768:
- position, tokenIndex = position767, tokenIndex767
+ }
+ l770:
+ {
+ position772, tokenIndex772 := position, tokenIndex
+ if buffer[position] != rune('o') {
+ goto l773
+ }
+ position++
+ goto l772
+ l773:
+ position, tokenIndex = position772, tokenIndex772
if buffer[position] != rune('O') {
- goto l757
+ goto l768
}
position++
}
- l767:
+ l772:
+ {
+ position774, tokenIndex774 := position, tokenIndex
+ if buffer[position] != rune('t') {
+ goto l775
+ }
+ position++
+ goto l774
+ l775:
+ position, tokenIndex = position774, tokenIndex774
+ if buffer[position] != rune('T') {
+ goto l768
+ }
+ position++
+ }
+ l774:
+ if buffer[position] != rune('_') {
+ goto l768
+ }
+ position++
+ {
+ position776, tokenIndex776 := position, tokenIndex
+ if buffer[position] != rune('l') {
+ goto l777
+ }
+ position++
+ goto l776
+ l777:
+ position, tokenIndex = position776, tokenIndex776
+ if buffer[position] != rune('L') {
+ goto l768
+ }
+ position++
+ }
+ l776:
+ {
+ position778, tokenIndex778 := position, tokenIndex
+ if buffer[position] != rune('o') {
+ goto l779
+ }
+ position++
+ goto l778
+ l779:
+ position, tokenIndex = position778, tokenIndex778
+ if buffer[position] != rune('O') {
+ goto l768
+ }
+ position++
+ }
+ l778:
if buffer[position] != rune('1') {
- goto l757
+ goto l768
}
position++
if buffer[position] != rune('2') {
- goto l757
+ goto l768
}
position++
if buffer[position] != rune(':') {
- goto l757
+ goto l768
}
position++
if !_rules[ruleSymbolName]() {
- goto l757
+ goto l768
}
- add(ruleARMGOTLow12, position758)
+ add(ruleARMGOTLow12, position769)
}
return true
- l757:
- position, tokenIndex = position757, tokenIndex757
+ l768:
+ position, tokenIndex = position768, tokenIndex768
return false
},
/* 48 ARMPostincrement <- <'!'> */
func() bool {
- position769, tokenIndex769 := position, tokenIndex
+ position780, tokenIndex780 := position, tokenIndex
{
- position770 := position
+ position781 := position
if buffer[position] != rune('!') {
- goto l769
+ goto l780
}
position++
- add(ruleARMPostincrement, position770)
+ add(ruleARMPostincrement, position781)
}
return true
- l769:
- position, tokenIndex = position769, tokenIndex769
+ l780:
+ position, tokenIndex = position780, tokenIndex780
return false
},
/* 49 BaseIndexScale <- <('(' RegisterOrConstant? WS? (',' WS? RegisterOrConstant WS? (',' [0-9]+)?)? ')')> */
func() bool {
- position771, tokenIndex771 := position, tokenIndex
+ position782, tokenIndex782 := position, tokenIndex
{
- position772 := position
+ position783 := position
if buffer[position] != rune('(') {
- goto l771
+ goto l782
}
position++
{
- position773, tokenIndex773 := position, tokenIndex
+ position784, tokenIndex784 := position, tokenIndex
if !_rules[ruleRegisterOrConstant]() {
- goto l773
+ goto l784
}
- goto l774
- l773:
- position, tokenIndex = position773, tokenIndex773
+ goto l785
+ l784:
+ position, tokenIndex = position784, tokenIndex784
}
- l774:
+ l785:
{
- position775, tokenIndex775 := position, tokenIndex
+ position786, tokenIndex786 := position, tokenIndex
if !_rules[ruleWS]() {
- goto l775
+ goto l786
}
- goto l776
- l775:
- position, tokenIndex = position775, tokenIndex775
+ goto l787
+ l786:
+ position, tokenIndex = position786, tokenIndex786
}
- l776:
+ l787:
{
- position777, tokenIndex777 := position, tokenIndex
+ position788, tokenIndex788 := position, tokenIndex
if buffer[position] != rune(',') {
- goto l777
+ goto l788
}
position++
{
- position779, tokenIndex779 := position, tokenIndex
+ position790, tokenIndex790 := position, tokenIndex
if !_rules[ruleWS]() {
- goto l779
+ goto l790
}
- goto l780
- l779:
- position, tokenIndex = position779, tokenIndex779
+ goto l791
+ l790:
+ position, tokenIndex = position790, tokenIndex790
}
- l780:
+ l791:
if !_rules[ruleRegisterOrConstant]() {
- goto l777
+ goto l788
}
{
- position781, tokenIndex781 := position, tokenIndex
+ position792, tokenIndex792 := position, tokenIndex
if !_rules[ruleWS]() {
- goto l781
+ goto l792
}
- goto l782
- l781:
- position, tokenIndex = position781, tokenIndex781
+ goto l793
+ l792:
+ position, tokenIndex = position792, tokenIndex792
}
- l782:
+ l793:
{
- position783, tokenIndex783 := position, tokenIndex
+ position794, tokenIndex794 := position, tokenIndex
if buffer[position] != rune(',') {
- goto l783
+ goto l794
}
position++
if c := buffer[position]; c < rune('0') || c > rune('9') {
- goto l783
+ goto l794
}
position++
- l785:
+ l796:
{
- position786, tokenIndex786 := position, tokenIndex
+ position797, tokenIndex797 := position, tokenIndex
if c := buffer[position]; c < rune('0') || c > rune('9') {
- goto l786
+ goto l797
}
position++
- goto l785
- l786:
- position, tokenIndex = position786, tokenIndex786
+ goto l796
+ l797:
+ position, tokenIndex = position797, tokenIndex797
}
- goto l784
- l783:
- position, tokenIndex = position783, tokenIndex783
+ goto l795
+ l794:
+ position, tokenIndex = position794, tokenIndex794
}
- l784:
- goto l778
- l777:
- position, tokenIndex = position777, tokenIndex777
+ l795:
+ goto l789
+ l788:
+ position, tokenIndex = position788, tokenIndex788
}
- l778:
+ l789:
if buffer[position] != rune(')') {
- goto l771
+ goto l782
}
position++
- add(ruleBaseIndexScale, position772)
+ add(ruleBaseIndexScale, position783)
}
return true
- l771:
- position, tokenIndex = position771, tokenIndex771
+ l782:
+ position, tokenIndex = position782, tokenIndex782
return false
},
/* 50 Operator <- <('+' / '-')> */
func() bool {
- position787, tokenIndex787 := position, tokenIndex
+ position798, tokenIndex798 := position, tokenIndex
{
- position788 := position
+ position799 := position
{
- position789, tokenIndex789 := position, tokenIndex
+ position800, tokenIndex800 := position, tokenIndex
if buffer[position] != rune('+') {
- goto l790
+ goto l801
}
position++
- goto l789
- l790:
- position, tokenIndex = position789, tokenIndex789
+ goto l800
+ l801:
+ position, tokenIndex = position800, tokenIndex800
if buffer[position] != rune('-') {
- goto l787
+ goto l798
}
position++
}
- l789:
- add(ruleOperator, position788)
+ l800:
+ add(ruleOperator, position799)
}
return true
- l787:
- position, tokenIndex = position787, tokenIndex787
+ l798:
+ position, tokenIndex = position798, tokenIndex798
return false
},
/* 51 Offset <- <('+'? '-'? (('0' ('b' / 'B') ('0' / '1')+) / ('0' ('x' / 'X') ([0-9] / [0-9] / ([a-f] / [A-F]))+) / [0-9]+))> */
func() bool {
- position791, tokenIndex791 := position, tokenIndex
+ position802, tokenIndex802 := position, tokenIndex
{
- position792 := position
+ position803 := position
{
- position793, tokenIndex793 := position, tokenIndex
+ position804, tokenIndex804 := position, tokenIndex
if buffer[position] != rune('+') {
- goto l793
+ goto l804
}
position++
- goto l794
- l793:
- position, tokenIndex = position793, tokenIndex793
+ goto l805
+ l804:
+ position, tokenIndex = position804, tokenIndex804
}
- l794:
+ l805:
{
- position795, tokenIndex795 := position, tokenIndex
+ position806, tokenIndex806 := position, tokenIndex
if buffer[position] != rune('-') {
- goto l795
+ goto l806
}
position++
- goto l796
- l795:
- position, tokenIndex = position795, tokenIndex795
+ goto l807
+ l806:
+ position, tokenIndex = position806, tokenIndex806
}
- l796:
+ l807:
{
- position797, tokenIndex797 := position, tokenIndex
+ position808, tokenIndex808 := position, tokenIndex
if buffer[position] != rune('0') {
- goto l798
+ goto l809
}
position++
{
- position799, tokenIndex799 := position, tokenIndex
+ position810, tokenIndex810 := position, tokenIndex
if buffer[position] != rune('b') {
- goto l800
+ goto l811
}
position++
- goto l799
- l800:
- position, tokenIndex = position799, tokenIndex799
+ goto l810
+ l811:
+ position, tokenIndex = position810, tokenIndex810
if buffer[position] != rune('B') {
- goto l798
- }
- position++
- }
- l799:
- {
- position803, tokenIndex803 := position, tokenIndex
- if buffer[position] != rune('0') {
- goto l804
- }
- position++
- goto l803
- l804:
- position, tokenIndex = position803, tokenIndex803
- if buffer[position] != rune('1') {
- goto l798
- }
- position++
- }
- l803:
- l801:
- {
- position802, tokenIndex802 := position, tokenIndex
- {
- position805, tokenIndex805 := position, tokenIndex
- if buffer[position] != rune('0') {
- goto l806
- }
- position++
- goto l805
- l806:
- position, tokenIndex = position805, tokenIndex805
- if buffer[position] != rune('1') {
- goto l802
- }
- position++
- }
- l805:
- goto l801
- l802:
- position, tokenIndex = position802, tokenIndex802
- }
- goto l797
- l798:
- position, tokenIndex = position797, tokenIndex797
- if buffer[position] != rune('0') {
- goto l807
- }
- position++
- {
- position808, tokenIndex808 := position, tokenIndex
- if buffer[position] != rune('x') {
goto l809
}
position++
- goto l808
- l809:
- position, tokenIndex = position808, tokenIndex808
- if buffer[position] != rune('X') {
- goto l807
- }
- position++
}
- l808:
- {
- position812, tokenIndex812 := position, tokenIndex
- if c := buffer[position]; c < rune('0') || c > rune('9') {
- goto l813
- }
- position++
- goto l812
- l813:
- position, tokenIndex = position812, tokenIndex812
- if c := buffer[position]; c < rune('0') || c > rune('9') {
- goto l814
- }
- position++
- goto l812
- l814:
- position, tokenIndex = position812, tokenIndex812
- {
- position815, tokenIndex815 := position, tokenIndex
- if c := buffer[position]; c < rune('a') || c > rune('f') {
- goto l816
- }
- position++
- goto l815
- l816:
- position, tokenIndex = position815, tokenIndex815
- if c := buffer[position]; c < rune('A') || c > rune('F') {
- goto l807
- }
- position++
- }
- l815:
- }
- l812:
l810:
{
- position811, tokenIndex811 := position, tokenIndex
- {
- position817, tokenIndex817 := position, tokenIndex
- if c := buffer[position]; c < rune('0') || c > rune('9') {
- goto l818
- }
- position++
- goto l817
- l818:
- position, tokenIndex = position817, tokenIndex817
- if c := buffer[position]; c < rune('0') || c > rune('9') {
- goto l819
- }
- position++
- goto l817
- l819:
- position, tokenIndex = position817, tokenIndex817
- {
- position820, tokenIndex820 := position, tokenIndex
- if c := buffer[position]; c < rune('a') || c > rune('f') {
- goto l821
- }
- position++
- goto l820
- l821:
- position, tokenIndex = position820, tokenIndex820
- if c := buffer[position]; c < rune('A') || c > rune('F') {
- goto l811
- }
- position++
- }
- l820:
+ position814, tokenIndex814 := position, tokenIndex
+ if buffer[position] != rune('0') {
+ goto l815
}
- l817:
- goto l810
- l811:
- position, tokenIndex = position811, tokenIndex811
+ position++
+ goto l814
+ l815:
+ position, tokenIndex = position814, tokenIndex814
+ if buffer[position] != rune('1') {
+ goto l809
+ }
+ position++
}
- goto l797
- l807:
- position, tokenIndex = position797, tokenIndex797
- if c := buffer[position]; c < rune('0') || c > rune('9') {
- goto l791
+ l814:
+ l812:
+ {
+ position813, tokenIndex813 := position, tokenIndex
+ {
+ position816, tokenIndex816 := position, tokenIndex
+ if buffer[position] != rune('0') {
+ goto l817
+ }
+ position++
+ goto l816
+ l817:
+ position, tokenIndex = position816, tokenIndex816
+ if buffer[position] != rune('1') {
+ goto l813
+ }
+ position++
+ }
+ l816:
+ goto l812
+ l813:
+ position, tokenIndex = position813, tokenIndex813
+ }
+ goto l808
+ l809:
+ position, tokenIndex = position808, tokenIndex808
+ if buffer[position] != rune('0') {
+ goto l818
}
position++
- l822:
+ {
+ position819, tokenIndex819 := position, tokenIndex
+ if buffer[position] != rune('x') {
+ goto l820
+ }
+ position++
+ goto l819
+ l820:
+ position, tokenIndex = position819, tokenIndex819
+ if buffer[position] != rune('X') {
+ goto l818
+ }
+ position++
+ }
+ l819:
{
position823, tokenIndex823 := position, tokenIndex
if c := buffer[position]; c < rune('0') || c > rune('9') {
- goto l823
+ goto l824
}
position++
- goto l822
- l823:
+ goto l823
+ l824:
position, tokenIndex = position823, tokenIndex823
+ if c := buffer[position]; c < rune('0') || c > rune('9') {
+ goto l825
+ }
+ position++
+ goto l823
+ l825:
+ position, tokenIndex = position823, tokenIndex823
+ {
+ position826, tokenIndex826 := position, tokenIndex
+ if c := buffer[position]; c < rune('a') || c > rune('f') {
+ goto l827
+ }
+ position++
+ goto l826
+ l827:
+ position, tokenIndex = position826, tokenIndex826
+ if c := buffer[position]; c < rune('A') || c > rune('F') {
+ goto l818
+ }
+ position++
+ }
+ l826:
+ }
+ l823:
+ l821:
+ {
+ position822, tokenIndex822 := position, tokenIndex
+ {
+ position828, tokenIndex828 := position, tokenIndex
+ if c := buffer[position]; c < rune('0') || c > rune('9') {
+ goto l829
+ }
+ position++
+ goto l828
+ l829:
+ position, tokenIndex = position828, tokenIndex828
+ if c := buffer[position]; c < rune('0') || c > rune('9') {
+ goto l830
+ }
+ position++
+ goto l828
+ l830:
+ position, tokenIndex = position828, tokenIndex828
+ {
+ position831, tokenIndex831 := position, tokenIndex
+ if c := buffer[position]; c < rune('a') || c > rune('f') {
+ goto l832
+ }
+ position++
+ goto l831
+ l832:
+ position, tokenIndex = position831, tokenIndex831
+ if c := buffer[position]; c < rune('A') || c > rune('F') {
+ goto l822
+ }
+ position++
+ }
+ l831:
+ }
+ l828:
+ goto l821
+ l822:
+ position, tokenIndex = position822, tokenIndex822
+ }
+ goto l808
+ l818:
+ position, tokenIndex = position808, tokenIndex808
+ if c := buffer[position]; c < rune('0') || c > rune('9') {
+ goto l802
+ }
+ position++
+ l833:
+ {
+ position834, tokenIndex834 := position, tokenIndex
+ if c := buffer[position]; c < rune('0') || c > rune('9') {
+ goto l834
+ }
+ position++
+ goto l833
+ l834:
+ position, tokenIndex = position834, tokenIndex834
}
}
- l797:
- add(ruleOffset, position792)
+ l808:
+ add(ruleOffset, position803)
}
return true
- l791:
- position, tokenIndex = position791, tokenIndex791
+ l802:
+ position, tokenIndex = position802, tokenIndex802
return false
},
/* 52 Section <- <([a-z] / [A-Z] / '@')+> */
func() bool {
- position824, tokenIndex824 := position, tokenIndex
+ position835, tokenIndex835 := position, tokenIndex
{
- position825 := position
+ position836 := position
{
- position828, tokenIndex828 := position, tokenIndex
+ position839, tokenIndex839 := position, tokenIndex
if c := buffer[position]; c < rune('a') || c > rune('z') {
- goto l829
+ goto l840
}
position++
- goto l828
- l829:
- position, tokenIndex = position828, tokenIndex828
+ goto l839
+ l840:
+ position, tokenIndex = position839, tokenIndex839
if c := buffer[position]; c < rune('A') || c > rune('Z') {
- goto l830
+ goto l841
}
position++
- goto l828
- l830:
- position, tokenIndex = position828, tokenIndex828
+ goto l839
+ l841:
+ position, tokenIndex = position839, tokenIndex839
if buffer[position] != rune('@') {
- goto l824
+ goto l835
}
position++
}
- l828:
- l826:
+ l839:
+ l837:
{
- position827, tokenIndex827 := position, tokenIndex
+ position838, tokenIndex838 := position, tokenIndex
{
- position831, tokenIndex831 := position, tokenIndex
+ position842, tokenIndex842 := position, tokenIndex
if c := buffer[position]; c < rune('a') || c > rune('z') {
- goto l832
+ goto l843
}
position++
- goto l831
- l832:
- position, tokenIndex = position831, tokenIndex831
+ goto l842
+ l843:
+ position, tokenIndex = position842, tokenIndex842
if c := buffer[position]; c < rune('A') || c > rune('Z') {
- goto l833
+ goto l844
}
position++
- goto l831
- l833:
- position, tokenIndex = position831, tokenIndex831
+ goto l842
+ l844:
+ position, tokenIndex = position842, tokenIndex842
if buffer[position] != rune('@') {
- goto l827
+ goto l838
}
position++
}
- l831:
- goto l826
- l827:
- position, tokenIndex = position827, tokenIndex827
+ l842:
+ goto l837
+ l838:
+ position, tokenIndex = position838, tokenIndex838
}
- add(ruleSection, position825)
+ add(ruleSection, position836)
}
return true
- l824:
- position, tokenIndex = position824, tokenIndex824
+ l835:
+ position, tokenIndex = position835, tokenIndex835
return false
},
/* 53 SegmentRegister <- <('%' ([c-g] / 's') ('s' ':'))> */
func() bool {
- position834, tokenIndex834 := position, tokenIndex
+ position845, tokenIndex845 := position, tokenIndex
{
- position835 := position
+ position846 := position
if buffer[position] != rune('%') {
- goto l834
+ goto l845
}
position++
{
- position836, tokenIndex836 := position, tokenIndex
+ position847, tokenIndex847 := position, tokenIndex
if c := buffer[position]; c < rune('c') || c > rune('g') {
- goto l837
+ goto l848
}
position++
- goto l836
- l837:
- position, tokenIndex = position836, tokenIndex836
+ goto l847
+ l848:
+ position, tokenIndex = position847, tokenIndex847
if buffer[position] != rune('s') {
- goto l834
+ goto l845
}
position++
}
- l836:
+ l847:
if buffer[position] != rune('s') {
- goto l834
+ goto l845
}
position++
if buffer[position] != rune(':') {
- goto l834
+ goto l845
}
position++
- add(ruleSegmentRegister, position835)
+ add(ruleSegmentRegister, position846)
}
return true
- l834:
- position, tokenIndex = position834, tokenIndex834
+ l845:
+ position, tokenIndex = position845, tokenIndex845
return false
},
}
p.rules = _rules
+ return nil
}
diff --git a/src/util/fipstools/delocate/testdata/aarch64-Basic/out.s b/src/util/fipstools/delocate/testdata/aarch64-Basic/out.s
index 12b408d..96eb778 100644
--- a/src/util/fipstools/delocate/testdata/aarch64-Basic/out.s
+++ b/src/util/fipstools/delocate/testdata/aarch64-Basic/out.s
@@ -145,7 +145,7 @@
.cfi_endproc
.size .LOPENSSL_armcap_P_addr, .-.LOPENSSL_armcap_P_addr
.type BORINGSSL_bcm_text_hash, @object
-.size BORINGSSL_bcm_text_hash, 64
+.size BORINGSSL_bcm_text_hash, 32
BORINGSSL_bcm_text_hash:
.byte 0xae
.byte 0x2c
@@ -179,35 +179,3 @@
.byte 0xff
.byte 0x31
.byte 0x80
-.byte 0xa2
-.byte 0xd4
-.byte 0xc3
-.byte 0x66
-.byte 0xf
-.byte 0xc2
-.byte 0x6a
-.byte 0x7b
-.byte 0xf4
-.byte 0xbe
-.byte 0x39
-.byte 0xa2
-.byte 0xd7
-.byte 0x25
-.byte 0xdb
-.byte 0x21
-.byte 0x98
-.byte 0xe9
-.byte 0xd5
-.byte 0x53
-.byte 0xbf
-.byte 0x5c
-.byte 0x32
-.byte 0x6
-.byte 0x83
-.byte 0x34
-.byte 0xc
-.byte 0x65
-.byte 0x89
-.byte 0x52
-.byte 0xbd
-.byte 0x1f
diff --git a/src/util/fipstools/delocate/testdata/generic-FileDirectives/out.s b/src/util/fipstools/delocate/testdata/generic-FileDirectives/out.s
index bb33e52..84b5134 100644
--- a/src/util/fipstools/delocate/testdata/generic-FileDirectives/out.s
+++ b/src/util/fipstools/delocate/testdata/generic-FileDirectives/out.s
@@ -23,7 +23,7 @@
OPENSSL_ia32cap_addr_delta:
.quad OPENSSL_ia32cap_P-OPENSSL_ia32cap_addr_delta
.type BORINGSSL_bcm_text_hash, @object
-.size BORINGSSL_bcm_text_hash, 64
+.size BORINGSSL_bcm_text_hash, 32
BORINGSSL_bcm_text_hash:
.byte 0xae
.byte 0x2c
@@ -57,35 +57,3 @@
.byte 0xff
.byte 0x31
.byte 0x80
-.byte 0xa2
-.byte 0xd4
-.byte 0xc3
-.byte 0x66
-.byte 0xf
-.byte 0xc2
-.byte 0x6a
-.byte 0x7b
-.byte 0xf4
-.byte 0xbe
-.byte 0x39
-.byte 0xa2
-.byte 0xd7
-.byte 0x25
-.byte 0xdb
-.byte 0x21
-.byte 0x98
-.byte 0xe9
-.byte 0xd5
-.byte 0x53
-.byte 0xbf
-.byte 0x5c
-.byte 0x32
-.byte 0x6
-.byte 0x83
-.byte 0x34
-.byte 0xc
-.byte 0x65
-.byte 0x89
-.byte 0x52
-.byte 0xbd
-.byte 0x1f
diff --git a/src/util/fipstools/delocate/testdata/ppc64le-GlobalEntry/out.s b/src/util/fipstools/delocate/testdata/ppc64le-GlobalEntry/out.s
index 304f697..d75e2c7 100644
--- a/src/util/fipstools/delocate/testdata/ppc64le-GlobalEntry/out.s
+++ b/src/util/fipstools/delocate/testdata/ppc64le-GlobalEntry/out.s
@@ -26,7 +26,7 @@
.LBORINGSSL_external_toc:
.quad .TOC.-.LBORINGSSL_external_toc
.type BORINGSSL_bcm_text_hash, @object
-.size BORINGSSL_bcm_text_hash, 64
+.size BORINGSSL_bcm_text_hash, 32
BORINGSSL_bcm_text_hash:
.byte 0xae
.byte 0x2c
@@ -60,35 +60,3 @@
.byte 0xff
.byte 0x31
.byte 0x80
-.byte 0xa2
-.byte 0xd4
-.byte 0xc3
-.byte 0x66
-.byte 0xf
-.byte 0xc2
-.byte 0x6a
-.byte 0x7b
-.byte 0xf4
-.byte 0xbe
-.byte 0x39
-.byte 0xa2
-.byte 0xd7
-.byte 0x25
-.byte 0xdb
-.byte 0x21
-.byte 0x98
-.byte 0xe9
-.byte 0xd5
-.byte 0x53
-.byte 0xbf
-.byte 0x5c
-.byte 0x32
-.byte 0x6
-.byte 0x83
-.byte 0x34
-.byte 0xc
-.byte 0x65
-.byte 0x89
-.byte 0x52
-.byte 0xbd
-.byte 0x1f
diff --git a/src/util/fipstools/delocate/testdata/ppc64le-LoadToR0/out.s b/src/util/fipstools/delocate/testdata/ppc64le-LoadToR0/out.s
index 5fdbeb8..dad7603 100644
--- a/src/util/fipstools/delocate/testdata/ppc64le-LoadToR0/out.s
+++ b/src/util/fipstools/delocate/testdata/ppc64le-LoadToR0/out.s
@@ -36,7 +36,7 @@
.LBORINGSSL_external_toc:
.quad .TOC.-.LBORINGSSL_external_toc
.type BORINGSSL_bcm_text_hash, @object
-.size BORINGSSL_bcm_text_hash, 64
+.size BORINGSSL_bcm_text_hash, 32
BORINGSSL_bcm_text_hash:
.byte 0xae
.byte 0x2c
@@ -70,35 +70,3 @@
.byte 0xff
.byte 0x31
.byte 0x80
-.byte 0xa2
-.byte 0xd4
-.byte 0xc3
-.byte 0x66
-.byte 0xf
-.byte 0xc2
-.byte 0x6a
-.byte 0x7b
-.byte 0xf4
-.byte 0xbe
-.byte 0x39
-.byte 0xa2
-.byte 0xd7
-.byte 0x25
-.byte 0xdb
-.byte 0x21
-.byte 0x98
-.byte 0xe9
-.byte 0xd5
-.byte 0x53
-.byte 0xbf
-.byte 0x5c
-.byte 0x32
-.byte 0x6
-.byte 0x83
-.byte 0x34
-.byte 0xc
-.byte 0x65
-.byte 0x89
-.byte 0x52
-.byte 0xbd
-.byte 0x1f
diff --git a/src/util/fipstools/delocate/testdata/ppc64le-Sample/out.s b/src/util/fipstools/delocate/testdata/ppc64le-Sample/out.s
index e3d682e..798bcf5 100644
--- a/src/util/fipstools/delocate/testdata/ppc64le-Sample/out.s
+++ b/src/util/fipstools/delocate/testdata/ppc64le-Sample/out.s
@@ -516,7 +516,7 @@
.LBORINGSSL_external_toc:
.quad .TOC.-.LBORINGSSL_external_toc
.type BORINGSSL_bcm_text_hash, @object
-.size BORINGSSL_bcm_text_hash, 64
+.size BORINGSSL_bcm_text_hash, 32
BORINGSSL_bcm_text_hash:
.byte 0xae
.byte 0x2c
@@ -550,35 +550,3 @@
.byte 0xff
.byte 0x31
.byte 0x80
-.byte 0xa2
-.byte 0xd4
-.byte 0xc3
-.byte 0x66
-.byte 0xf
-.byte 0xc2
-.byte 0x6a
-.byte 0x7b
-.byte 0xf4
-.byte 0xbe
-.byte 0x39
-.byte 0xa2
-.byte 0xd7
-.byte 0x25
-.byte 0xdb
-.byte 0x21
-.byte 0x98
-.byte 0xe9
-.byte 0xd5
-.byte 0x53
-.byte 0xbf
-.byte 0x5c
-.byte 0x32
-.byte 0x6
-.byte 0x83
-.byte 0x34
-.byte 0xc
-.byte 0x65
-.byte 0x89
-.byte 0x52
-.byte 0xbd
-.byte 0x1f
diff --git a/src/util/fipstools/delocate/testdata/ppc64le-Sample2/out.s b/src/util/fipstools/delocate/testdata/ppc64le-Sample2/out.s
index 54cbd6f..6439740 100644
--- a/src/util/fipstools/delocate/testdata/ppc64le-Sample2/out.s
+++ b/src/util/fipstools/delocate/testdata/ppc64le-Sample2/out.s
@@ -641,7 +641,7 @@
.LBORINGSSL_external_toc:
.quad .TOC.-.LBORINGSSL_external_toc
.type BORINGSSL_bcm_text_hash, @object
-.size BORINGSSL_bcm_text_hash, 64
+.size BORINGSSL_bcm_text_hash, 32
BORINGSSL_bcm_text_hash:
.byte 0xae
.byte 0x2c
@@ -675,35 +675,3 @@
.byte 0xff
.byte 0x31
.byte 0x80
-.byte 0xa2
-.byte 0xd4
-.byte 0xc3
-.byte 0x66
-.byte 0xf
-.byte 0xc2
-.byte 0x6a
-.byte 0x7b
-.byte 0xf4
-.byte 0xbe
-.byte 0x39
-.byte 0xa2
-.byte 0xd7
-.byte 0x25
-.byte 0xdb
-.byte 0x21
-.byte 0x98
-.byte 0xe9
-.byte 0xd5
-.byte 0x53
-.byte 0xbf
-.byte 0x5c
-.byte 0x32
-.byte 0x6
-.byte 0x83
-.byte 0x34
-.byte 0xc
-.byte 0x65
-.byte 0x89
-.byte 0x52
-.byte 0xbd
-.byte 0x1f
diff --git a/src/util/fipstools/delocate/testdata/ppc64le-TOCWithOffset/out.s b/src/util/fipstools/delocate/testdata/ppc64le-TOCWithOffset/out.s
index 2fff0ef..fc55ef2 100644
--- a/src/util/fipstools/delocate/testdata/ppc64le-TOCWithOffset/out.s
+++ b/src/util/fipstools/delocate/testdata/ppc64le-TOCWithOffset/out.s
@@ -142,7 +142,7 @@
.LBORINGSSL_external_toc:
.quad .TOC.-.LBORINGSSL_external_toc
.type BORINGSSL_bcm_text_hash, @object
-.size BORINGSSL_bcm_text_hash, 64
+.size BORINGSSL_bcm_text_hash, 32
BORINGSSL_bcm_text_hash:
.byte 0xae
.byte 0x2c
@@ -176,35 +176,3 @@
.byte 0xff
.byte 0x31
.byte 0x80
-.byte 0xa2
-.byte 0xd4
-.byte 0xc3
-.byte 0x66
-.byte 0xf
-.byte 0xc2
-.byte 0x6a
-.byte 0x7b
-.byte 0xf4
-.byte 0xbe
-.byte 0x39
-.byte 0xa2
-.byte 0xd7
-.byte 0x25
-.byte 0xdb
-.byte 0x21
-.byte 0x98
-.byte 0xe9
-.byte 0xd5
-.byte 0x53
-.byte 0xbf
-.byte 0x5c
-.byte 0x32
-.byte 0x6
-.byte 0x83
-.byte 0x34
-.byte 0xc
-.byte 0x65
-.byte 0x89
-.byte 0x52
-.byte 0xbd
-.byte 0x1f
diff --git a/src/util/fipstools/delocate/testdata/x86_64-BSS/out.s b/src/util/fipstools/delocate/testdata/x86_64-BSS/out.s
index e8cd56e..2bb54a8 100644
--- a/src/util/fipstools/delocate/testdata/x86_64-BSS/out.s
+++ b/src/util/fipstools/delocate/testdata/x86_64-BSS/out.s
@@ -77,7 +77,7 @@
OPENSSL_ia32cap_addr_delta:
.quad OPENSSL_ia32cap_P-OPENSSL_ia32cap_addr_delta
.type BORINGSSL_bcm_text_hash, @object
-.size BORINGSSL_bcm_text_hash, 64
+.size BORINGSSL_bcm_text_hash, 32
BORINGSSL_bcm_text_hash:
.byte 0xae
.byte 0x2c
@@ -111,35 +111,3 @@
.byte 0xff
.byte 0x31
.byte 0x80
-.byte 0xa2
-.byte 0xd4
-.byte 0xc3
-.byte 0x66
-.byte 0xf
-.byte 0xc2
-.byte 0x6a
-.byte 0x7b
-.byte 0xf4
-.byte 0xbe
-.byte 0x39
-.byte 0xa2
-.byte 0xd7
-.byte 0x25
-.byte 0xdb
-.byte 0x21
-.byte 0x98
-.byte 0xe9
-.byte 0xd5
-.byte 0x53
-.byte 0xbf
-.byte 0x5c
-.byte 0x32
-.byte 0x6
-.byte 0x83
-.byte 0x34
-.byte 0xc
-.byte 0x65
-.byte 0x89
-.byte 0x52
-.byte 0xbd
-.byte 0x1f
diff --git a/src/util/fipstools/delocate/testdata/x86_64-Basic/out.s b/src/util/fipstools/delocate/testdata/x86_64-Basic/out.s
index a55e852..657d090 100644
--- a/src/util/fipstools/delocate/testdata/x86_64-Basic/out.s
+++ b/src/util/fipstools/delocate/testdata/x86_64-Basic/out.s
@@ -71,7 +71,7 @@
OPENSSL_ia32cap_addr_delta:
.quad OPENSSL_ia32cap_P-OPENSSL_ia32cap_addr_delta
.type BORINGSSL_bcm_text_hash, @object
-.size BORINGSSL_bcm_text_hash, 64
+.size BORINGSSL_bcm_text_hash, 32
BORINGSSL_bcm_text_hash:
.byte 0xae
.byte 0x2c
@@ -105,35 +105,3 @@
.byte 0xff
.byte 0x31
.byte 0x80
-.byte 0xa2
-.byte 0xd4
-.byte 0xc3
-.byte 0x66
-.byte 0xf
-.byte 0xc2
-.byte 0x6a
-.byte 0x7b
-.byte 0xf4
-.byte 0xbe
-.byte 0x39
-.byte 0xa2
-.byte 0xd7
-.byte 0x25
-.byte 0xdb
-.byte 0x21
-.byte 0x98
-.byte 0xe9
-.byte 0xd5
-.byte 0x53
-.byte 0xbf
-.byte 0x5c
-.byte 0x32
-.byte 0x6
-.byte 0x83
-.byte 0x34
-.byte 0xc
-.byte 0x65
-.byte 0x89
-.byte 0x52
-.byte 0xbd
-.byte 0x1f
diff --git a/src/util/fipstools/delocate/testdata/x86_64-GOTRewrite/out.s b/src/util/fipstools/delocate/testdata/x86_64-GOTRewrite/out.s
index 467db65..f118e4f 100644
--- a/src/util/fipstools/delocate/testdata/x86_64-GOTRewrite/out.s
+++ b/src/util/fipstools/delocate/testdata/x86_64-GOTRewrite/out.s
@@ -303,7 +303,7 @@
OPENSSL_ia32cap_addr_delta:
.quad OPENSSL_ia32cap_P-OPENSSL_ia32cap_addr_delta
.type BORINGSSL_bcm_text_hash, @object
-.size BORINGSSL_bcm_text_hash, 64
+.size BORINGSSL_bcm_text_hash, 32
BORINGSSL_bcm_text_hash:
.byte 0xae
.byte 0x2c
@@ -337,35 +337,3 @@
.byte 0xff
.byte 0x31
.byte 0x80
-.byte 0xa2
-.byte 0xd4
-.byte 0xc3
-.byte 0x66
-.byte 0xf
-.byte 0xc2
-.byte 0x6a
-.byte 0x7b
-.byte 0xf4
-.byte 0xbe
-.byte 0x39
-.byte 0xa2
-.byte 0xd7
-.byte 0x25
-.byte 0xdb
-.byte 0x21
-.byte 0x98
-.byte 0xe9
-.byte 0xd5
-.byte 0x53
-.byte 0xbf
-.byte 0x5c
-.byte 0x32
-.byte 0x6
-.byte 0x83
-.byte 0x34
-.byte 0xc
-.byte 0x65
-.byte 0x89
-.byte 0x52
-.byte 0xbd
-.byte 0x1f
diff --git a/src/util/fipstools/delocate/testdata/x86_64-LabelRewrite/out.s b/src/util/fipstools/delocate/testdata/x86_64-LabelRewrite/out.s
index feb9a43..6549db7 100644
--- a/src/util/fipstools/delocate/testdata/x86_64-LabelRewrite/out.s
+++ b/src/util/fipstools/delocate/testdata/x86_64-LabelRewrite/out.s
@@ -113,7 +113,7 @@
OPENSSL_ia32cap_addr_delta:
.quad OPENSSL_ia32cap_P-OPENSSL_ia32cap_addr_delta
.type BORINGSSL_bcm_text_hash, @object
-.size BORINGSSL_bcm_text_hash, 64
+.size BORINGSSL_bcm_text_hash, 32
BORINGSSL_bcm_text_hash:
.byte 0xae
.byte 0x2c
@@ -147,35 +147,3 @@
.byte 0xff
.byte 0x31
.byte 0x80
-.byte 0xa2
-.byte 0xd4
-.byte 0xc3
-.byte 0x66
-.byte 0xf
-.byte 0xc2
-.byte 0x6a
-.byte 0x7b
-.byte 0xf4
-.byte 0xbe
-.byte 0x39
-.byte 0xa2
-.byte 0xd7
-.byte 0x25
-.byte 0xdb
-.byte 0x21
-.byte 0x98
-.byte 0xe9
-.byte 0xd5
-.byte 0x53
-.byte 0xbf
-.byte 0x5c
-.byte 0x32
-.byte 0x6
-.byte 0x83
-.byte 0x34
-.byte 0xc
-.byte 0x65
-.byte 0x89
-.byte 0x52
-.byte 0xbd
-.byte 0x1f
diff --git a/src/util/fipstools/delocate/testdata/x86_64-LargeMemory/out.s b/src/util/fipstools/delocate/testdata/x86_64-LargeMemory/out.s
index d4534f8..091e8b7 100644
--- a/src/util/fipstools/delocate/testdata/x86_64-LargeMemory/out.s
+++ b/src/util/fipstools/delocate/testdata/x86_64-LargeMemory/out.s
@@ -59,7 +59,7 @@
.Lboringssl_gotoff__Z1gv:
.quad _Z1gv@GOTOFF
.type BORINGSSL_bcm_text_hash, @object
-.size BORINGSSL_bcm_text_hash, 64
+.size BORINGSSL_bcm_text_hash, 32
BORINGSSL_bcm_text_hash:
.byte 0xae
.byte 0x2c
@@ -93,35 +93,3 @@
.byte 0xff
.byte 0x31
.byte 0x80
-.byte 0xa2
-.byte 0xd4
-.byte 0xc3
-.byte 0x66
-.byte 0xf
-.byte 0xc2
-.byte 0x6a
-.byte 0x7b
-.byte 0xf4
-.byte 0xbe
-.byte 0x39
-.byte 0xa2
-.byte 0xd7
-.byte 0x25
-.byte 0xdb
-.byte 0x21
-.byte 0x98
-.byte 0xe9
-.byte 0xd5
-.byte 0x53
-.byte 0xbf
-.byte 0x5c
-.byte 0x32
-.byte 0x6
-.byte 0x83
-.byte 0x34
-.byte 0xc
-.byte 0x65
-.byte 0x89
-.byte 0x52
-.byte 0xbd
-.byte 0x1f
diff --git a/src/util/fipstools/delocate/testdata/x86_64-Sections/out.s b/src/util/fipstools/delocate/testdata/x86_64-Sections/out.s
index ab3e3d9..1112387 100644
--- a/src/util/fipstools/delocate/testdata/x86_64-Sections/out.s
+++ b/src/util/fipstools/delocate/testdata/x86_64-Sections/out.s
@@ -59,7 +59,7 @@
OPENSSL_ia32cap_addr_delta:
.quad OPENSSL_ia32cap_P-OPENSSL_ia32cap_addr_delta
.type BORINGSSL_bcm_text_hash, @object
-.size BORINGSSL_bcm_text_hash, 64
+.size BORINGSSL_bcm_text_hash, 32
BORINGSSL_bcm_text_hash:
.byte 0xae
.byte 0x2c
@@ -93,35 +93,3 @@
.byte 0xff
.byte 0x31
.byte 0x80
-.byte 0xa2
-.byte 0xd4
-.byte 0xc3
-.byte 0x66
-.byte 0xf
-.byte 0xc2
-.byte 0x6a
-.byte 0x7b
-.byte 0xf4
-.byte 0xbe
-.byte 0x39
-.byte 0xa2
-.byte 0xd7
-.byte 0x25
-.byte 0xdb
-.byte 0x21
-.byte 0x98
-.byte 0xe9
-.byte 0xd5
-.byte 0x53
-.byte 0xbf
-.byte 0x5c
-.byte 0x32
-.byte 0x6
-.byte 0x83
-.byte 0x34
-.byte 0xc
-.byte 0x65
-.byte 0x89
-.byte 0x52
-.byte 0xbd
-.byte 0x1f
diff --git a/src/util/fipstools/delocate/testdata/x86_64-ThreeArg/out.s b/src/util/fipstools/delocate/testdata/x86_64-ThreeArg/out.s
index 7ad8f76..7a57ed4 100644
--- a/src/util/fipstools/delocate/testdata/x86_64-ThreeArg/out.s
+++ b/src/util/fipstools/delocate/testdata/x86_64-ThreeArg/out.s
@@ -46,7 +46,7 @@
OPENSSL_ia32cap_addr_delta:
.quad OPENSSL_ia32cap_P-OPENSSL_ia32cap_addr_delta
.type BORINGSSL_bcm_text_hash, @object
-.size BORINGSSL_bcm_text_hash, 64
+.size BORINGSSL_bcm_text_hash, 32
BORINGSSL_bcm_text_hash:
.byte 0xae
.byte 0x2c
@@ -80,35 +80,3 @@
.byte 0xff
.byte 0x31
.byte 0x80
-.byte 0xa2
-.byte 0xd4
-.byte 0xc3
-.byte 0x66
-.byte 0xf
-.byte 0xc2
-.byte 0x6a
-.byte 0x7b
-.byte 0xf4
-.byte 0xbe
-.byte 0x39
-.byte 0xa2
-.byte 0xd7
-.byte 0x25
-.byte 0xdb
-.byte 0x21
-.byte 0x98
-.byte 0xe9
-.byte 0xd5
-.byte 0x53
-.byte 0xbf
-.byte 0x5c
-.byte 0x32
-.byte 0x6
-.byte 0x83
-.byte 0x34
-.byte 0xc
-.byte 0x65
-.byte 0x89
-.byte 0x52
-.byte 0xbd
-.byte 0x1f
diff --git a/src/util/fipstools/fipscommon/const.go b/src/util/fipstools/fipscommon/const.go
index 5693414..f4c0b75 100644
--- a/src/util/fipstools/fipscommon/const.go
+++ b/src/util/fipstools/fipscommon/const.go
@@ -17,6 +17,6 @@
// UninitHashValue is the default hash value that we inject into the module.
// This value need only be distinct, i.e. so that we can safely
// search-and-replace it in an object file.
-var UninitHashValue = [64]byte{
- 0xae, 0x2c, 0xea, 0x2a, 0xbd, 0xa6, 0xf3, 0xec, 0x97, 0x7f, 0x9b, 0xf6, 0x94, 0x9a, 0xfc, 0x83, 0x68, 0x27, 0xcb, 0xa0, 0xa0, 0x9f, 0x6b, 0x6f, 0xde, 0x52, 0xcd, 0xe2, 0xcd, 0xff, 0x31, 0x80, 0xa2, 0xd4, 0xc3, 0x66, 0x0f, 0xc2, 0x6a, 0x7b, 0xf4, 0xbe, 0x39, 0xa2, 0xd7, 0x25, 0xdb, 0x21, 0x98, 0xe9, 0xd5, 0x53, 0xbf, 0x5c, 0x32, 0x06, 0x83, 0x34, 0x0c, 0x65, 0x89, 0x52, 0xbd, 0x1f,
+var UninitHashValue = [32]byte{
+ 0xae, 0x2c, 0xea, 0x2a, 0xbd, 0xa6, 0xf3, 0xec, 0x97, 0x7f, 0x9b, 0xf6, 0x94, 0x9a, 0xfc, 0x83, 0x68, 0x27, 0xcb, 0xa0, 0xa0, 0x9f, 0x6b, 0x6f, 0xde, 0x52, 0xcd, 0xe2, 0xcd, 0xff, 0x31, 0x80,
}
diff --git a/src/util/fipstools/inject_hash/inject_hash.go b/src/util/fipstools/inject_hash/inject_hash.go
index dbd5fb7..6f14982 100644
--- a/src/util/fipstools/inject_hash/inject_hash.go
+++ b/src/util/fipstools/inject_hash/inject_hash.go
@@ -21,7 +21,6 @@
"bytes"
"crypto/hmac"
"crypto/sha256"
- "crypto/sha512"
"debug/elf"
"encoding/binary"
"errors"
@@ -36,7 +35,7 @@
"boringssl.googlesource.com/boringssl/util/fipstools/fipscommon"
)
-func do(outPath, oInput string, arInput string, useSHA256 bool) error {
+func do(outPath, oInput string, arInput string) error {
var objectBytes []byte
var isStatic bool
var perm os.FileMode
@@ -216,11 +215,7 @@
}
var zeroKey [64]byte
- hashFunc := sha512.New
- if useSHA256 {
- hashFunc = sha256.New
- }
- mac := hmac.New(hashFunc, zeroKey[:])
+ mac := hmac.New(sha256.New, zeroKey[:])
if moduleROData != nil {
var lengthBytes [8]byte
@@ -257,11 +252,10 @@
arInput := flag.String("in-archive", "", "Path to a .a file")
oInput := flag.String("in-object", "", "Path to a .o file")
outPath := flag.String("o", "", "Path to output object")
- sha256 := flag.Bool("sha256", false, "Whether to use SHA-256 over SHA-512. This must match what the compiled module expects.")
flag.Parse()
- if err := do(*outPath, *oInput, *arInput, *sha256); err != nil {
+ if err := do(*outPath, *oInput, *arInput); err != nil {
fmt.Fprintf(os.Stderr, "%s\n", err)
os.Exit(1)
}
diff --git a/src/util/generate_build_files.py b/src/util/generate_build_files.py
index 3263d9b..186fb59 100644
--- a/src/util/generate_build_files.py
+++ b/src/util/generate_build_files.py
@@ -437,7 +437,7 @@
endif()
if(CMAKE_COMPILER_IS_GNUCXX OR CLANG)
- set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -std=c++11 -fvisibility=hidden -fno-common -fno-exceptions -fno-rtti")
+ set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -std=c++14 -fvisibility=hidden -fno-common -fno-exceptions -fno-rtti")
if(APPLE)
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -stdlib=libc++")
endif()
diff --git a/win-aarch64/crypto/cipher_extra/chacha20_poly1305_armv8.S b/win-aarch64/crypto/cipher_extra/chacha20_poly1305_armv8.S
new file mode 100644
index 0000000..c647223
--- /dev/null
+++ b/win-aarch64/crypto/cipher_extra/chacha20_poly1305_armv8.S
@@ -0,0 +1,3025 @@
+// This file is generated from a similarly-named Perl script in the BoringSSL
+// source tree. Do not edit by hand.
+
+#if !defined(__has_feature)
+#define __has_feature(x) 0
+#endif
+#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM)
+#define OPENSSL_NO_ASM
+#endif
+
+#if !defined(OPENSSL_NO_ASM)
+#if defined(__aarch64__)
+#if defined(BORINGSSL_PREFIX)
+#include <boringssl_prefix_symbols_asm.h>
+#endif
+#include <openssl/arm_arch.h>
+.section .rodata
+
+.align 7
+Lchacha20_consts:
+.byte 'e','x','p','a','n','d',' ','3','2','-','b','y','t','e',' ','k'
+Linc:
+.long 1,2,3,4
+Lrol8:
+.byte 3,0,1,2, 7,4,5,6, 11,8,9,10, 15,12,13,14
+Lclamp:
+.quad 0x0FFFFFFC0FFFFFFF, 0x0FFFFFFC0FFFFFFC
+
+.text
+
+.def Lpoly_hash_ad_internal
+ .type 32
+.endef
+.align 6
+Lpoly_hash_ad_internal:
+.cfi_startproc
+ cbnz x4, Lpoly_hash_intro
+ ret
+
+Lpoly_hash_intro:
+ cmp x4, #16
+ b.lt Lpoly_hash_ad_tail
+ ldp x11, x12, [x3], 16
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ sub x4, x4, #16
+ b Lpoly_hash_ad_internal
+
+Lpoly_hash_ad_tail:
+ cbz x4, Lpoly_hash_ad_ret
+
+ eor v20.16b, v20.16b, v20.16b // Use T0 to load the AAD
+ sub x4, x4, #1
+
+Lpoly_hash_tail_16_compose:
+ ext v20.16b, v20.16b, v20.16b, #15
+ ldrb w11, [x3, x4]
+ mov v20.b[0], w11
+ subs x4, x4, #1
+ b.ge Lpoly_hash_tail_16_compose
+ mov x11, v20.d[0]
+ mov x12, v20.d[1]
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+
+Lpoly_hash_ad_ret:
+ ret
+.cfi_endproc
+
+
+/////////////////////////////////
+//
+// void chacha20_poly1305_seal(uint8_t *pt, uint8_t *ct, size_t len_in, uint8_t *ad, size_t len_ad, union open_data *seal_data);
+//
+.globl chacha20_poly1305_seal
+
+.def chacha20_poly1305_seal
+ .type 32
+.endef
+.align 6
+chacha20_poly1305_seal:
+ AARCH64_SIGN_LINK_REGISTER
+.cfi_startproc
+ stp x29, x30, [sp, #-80]!
+.cfi_def_cfa_offset 80
+.cfi_offset w30, -72
+.cfi_offset w29, -80
+ mov x29, sp
+# We probably could do .cfi_def_cfa w29, 80 at this point, but since
+# we don't actually use the frame pointer like that, it's probably not
+# worth bothering.
+ stp d8, d9, [sp, #16]
+ stp d10, d11, [sp, #32]
+ stp d12, d13, [sp, #48]
+ stp d14, d15, [sp, #64]
+.cfi_offset b15, -8
+.cfi_offset b14, -16
+.cfi_offset b13, -24
+.cfi_offset b12, -32
+.cfi_offset b11, -40
+.cfi_offset b10, -48
+.cfi_offset b9, -56
+.cfi_offset b8, -64
+
+ adrp x11, Lchacha20_consts
+ add x11, x11, :lo12:Lchacha20_consts
+
+ ld1 {v24.16b - v27.16b}, [x11] // Load the CONSTS, INC, ROL8 and CLAMP values
+ ld1 {v28.16b - v30.16b}, [x5]
+
+ mov x15, #1 // Prepare the Poly1305 state
+ mov x8, #0
+ mov x9, #0
+ mov x10, #0
+
+ ldr x12, [x5, #56] // The total cipher text length includes extra_in_len
+ add x12, x12, x2
+ mov v31.d[0], x4 // Store the input and aad lengths
+ mov v31.d[1], x12
+
+ cmp x2, #128
+ b.le Lseal_128 // Optimization for smaller buffers
+
+ // Initially we prepare 5 ChaCha20 blocks. Four to encrypt up to 4 blocks (256 bytes) of plaintext,
+ // and one for the Poly1305 R and S keys. The first four blocks (A0-A3..D0-D3) are computed vertically,
+ // the fifth block (A4-D4) horizontally.
+ ld4r {v0.4s,v1.4s,v2.4s,v3.4s}, [x11]
+ mov v4.16b, v24.16b
+
+ ld4r {v5.4s,v6.4s,v7.4s,v8.4s}, [x5], #16
+ mov v9.16b, v28.16b
+
+ ld4r {v10.4s,v11.4s,v12.4s,v13.4s}, [x5], #16
+ mov v14.16b, v29.16b
+
+ ld4r {v15.4s,v16.4s,v17.4s,v18.4s}, [x5]
+ add v15.4s, v15.4s, v25.4s
+ mov v19.16b, v30.16b
+
+ sub x5, x5, #32
+
+ mov x6, #10
+
+.align 5
+Lseal_init_rounds:
+ add v0.4s, v0.4s, v5.4s
+ add v1.4s, v1.4s, v6.4s
+ add v2.4s, v2.4s, v7.4s
+ add v3.4s, v3.4s, v8.4s
+ add v4.4s, v4.4s, v9.4s
+
+ eor v15.16b, v15.16b, v0.16b
+ eor v16.16b, v16.16b, v1.16b
+ eor v17.16b, v17.16b, v2.16b
+ eor v18.16b, v18.16b, v3.16b
+ eor v19.16b, v19.16b, v4.16b
+
+ rev32 v15.8h, v15.8h
+ rev32 v16.8h, v16.8h
+ rev32 v17.8h, v17.8h
+ rev32 v18.8h, v18.8h
+ rev32 v19.8h, v19.8h
+
+ add v10.4s, v10.4s, v15.4s
+ add v11.4s, v11.4s, v16.4s
+ add v12.4s, v12.4s, v17.4s
+ add v13.4s, v13.4s, v18.4s
+ add v14.4s, v14.4s, v19.4s
+
+ eor v5.16b, v5.16b, v10.16b
+ eor v6.16b, v6.16b, v11.16b
+ eor v7.16b, v7.16b, v12.16b
+ eor v8.16b, v8.16b, v13.16b
+ eor v9.16b, v9.16b, v14.16b
+
+ ushr v20.4s, v5.4s, #20
+ sli v20.4s, v5.4s, #12
+ ushr v5.4s, v6.4s, #20
+ sli v5.4s, v6.4s, #12
+ ushr v6.4s, v7.4s, #20
+ sli v6.4s, v7.4s, #12
+ ushr v7.4s, v8.4s, #20
+ sli v7.4s, v8.4s, #12
+ ushr v8.4s, v9.4s, #20
+ sli v8.4s, v9.4s, #12
+
+ add v0.4s, v0.4s, v20.4s
+ add v1.4s, v1.4s, v5.4s
+ add v2.4s, v2.4s, v6.4s
+ add v3.4s, v3.4s, v7.4s
+ add v4.4s, v4.4s, v8.4s
+
+ eor v15.16b, v15.16b, v0.16b
+ eor v16.16b, v16.16b, v1.16b
+ eor v17.16b, v17.16b, v2.16b
+ eor v18.16b, v18.16b, v3.16b
+ eor v19.16b, v19.16b, v4.16b
+
+ tbl v15.16b, {v15.16b}, v26.16b
+ tbl v16.16b, {v16.16b}, v26.16b
+ tbl v17.16b, {v17.16b}, v26.16b
+ tbl v18.16b, {v18.16b}, v26.16b
+ tbl v19.16b, {v19.16b}, v26.16b
+
+ add v10.4s, v10.4s, v15.4s
+ add v11.4s, v11.4s, v16.4s
+ add v12.4s, v12.4s, v17.4s
+ add v13.4s, v13.4s, v18.4s
+ add v14.4s, v14.4s, v19.4s
+
+ eor v20.16b, v20.16b, v10.16b
+ eor v5.16b, v5.16b, v11.16b
+ eor v6.16b, v6.16b, v12.16b
+ eor v7.16b, v7.16b, v13.16b
+ eor v8.16b, v8.16b, v14.16b
+
+ ushr v9.4s, v8.4s, #25
+ sli v9.4s, v8.4s, #7
+ ushr v8.4s, v7.4s, #25
+ sli v8.4s, v7.4s, #7
+ ushr v7.4s, v6.4s, #25
+ sli v7.4s, v6.4s, #7
+ ushr v6.4s, v5.4s, #25
+ sli v6.4s, v5.4s, #7
+ ushr v5.4s, v20.4s, #25
+ sli v5.4s, v20.4s, #7
+
+ ext v9.16b, v9.16b, v9.16b, #4
+ ext v14.16b, v14.16b, v14.16b, #8
+ ext v19.16b, v19.16b, v19.16b, #12
+ add v0.4s, v0.4s, v6.4s
+ add v1.4s, v1.4s, v7.4s
+ add v2.4s, v2.4s, v8.4s
+ add v3.4s, v3.4s, v5.4s
+ add v4.4s, v4.4s, v9.4s
+
+ eor v18.16b, v18.16b, v0.16b
+ eor v15.16b, v15.16b, v1.16b
+ eor v16.16b, v16.16b, v2.16b
+ eor v17.16b, v17.16b, v3.16b
+ eor v19.16b, v19.16b, v4.16b
+
+ rev32 v18.8h, v18.8h
+ rev32 v15.8h, v15.8h
+ rev32 v16.8h, v16.8h
+ rev32 v17.8h, v17.8h
+ rev32 v19.8h, v19.8h
+
+ add v12.4s, v12.4s, v18.4s
+ add v13.4s, v13.4s, v15.4s
+ add v10.4s, v10.4s, v16.4s
+ add v11.4s, v11.4s, v17.4s
+ add v14.4s, v14.4s, v19.4s
+
+ eor v6.16b, v6.16b, v12.16b
+ eor v7.16b, v7.16b, v13.16b
+ eor v8.16b, v8.16b, v10.16b
+ eor v5.16b, v5.16b, v11.16b
+ eor v9.16b, v9.16b, v14.16b
+
+ ushr v20.4s, v6.4s, #20
+ sli v20.4s, v6.4s, #12
+ ushr v6.4s, v7.4s, #20
+ sli v6.4s, v7.4s, #12
+ ushr v7.4s, v8.4s, #20
+ sli v7.4s, v8.4s, #12
+ ushr v8.4s, v5.4s, #20
+ sli v8.4s, v5.4s, #12
+ ushr v5.4s, v9.4s, #20
+ sli v5.4s, v9.4s, #12
+
+ add v0.4s, v0.4s, v20.4s
+ add v1.4s, v1.4s, v6.4s
+ add v2.4s, v2.4s, v7.4s
+ add v3.4s, v3.4s, v8.4s
+ add v4.4s, v4.4s, v5.4s
+
+ eor v18.16b, v18.16b, v0.16b
+ eor v15.16b, v15.16b, v1.16b
+ eor v16.16b, v16.16b, v2.16b
+ eor v17.16b, v17.16b, v3.16b
+ eor v19.16b, v19.16b, v4.16b
+
+ tbl v18.16b, {v18.16b}, v26.16b
+ tbl v15.16b, {v15.16b}, v26.16b
+ tbl v16.16b, {v16.16b}, v26.16b
+ tbl v17.16b, {v17.16b}, v26.16b
+ tbl v19.16b, {v19.16b}, v26.16b
+
+ add v12.4s, v12.4s, v18.4s
+ add v13.4s, v13.4s, v15.4s
+ add v10.4s, v10.4s, v16.4s
+ add v11.4s, v11.4s, v17.4s
+ add v14.4s, v14.4s, v19.4s
+
+ eor v20.16b, v20.16b, v12.16b
+ eor v6.16b, v6.16b, v13.16b
+ eor v7.16b, v7.16b, v10.16b
+ eor v8.16b, v8.16b, v11.16b
+ eor v5.16b, v5.16b, v14.16b
+
+ ushr v9.4s, v5.4s, #25
+ sli v9.4s, v5.4s, #7
+ ushr v5.4s, v8.4s, #25
+ sli v5.4s, v8.4s, #7
+ ushr v8.4s, v7.4s, #25
+ sli v8.4s, v7.4s, #7
+ ushr v7.4s, v6.4s, #25
+ sli v7.4s, v6.4s, #7
+ ushr v6.4s, v20.4s, #25
+ sli v6.4s, v20.4s, #7
+
+ ext v9.16b, v9.16b, v9.16b, #12
+ ext v14.16b, v14.16b, v14.16b, #8
+ ext v19.16b, v19.16b, v19.16b, #4
+ subs x6, x6, #1
+ b.hi Lseal_init_rounds
+
+ add v15.4s, v15.4s, v25.4s
+ mov x11, #4
+ dup v20.4s, w11
+ add v25.4s, v25.4s, v20.4s
+
+ zip1 v20.4s, v0.4s, v1.4s
+ zip2 v21.4s, v0.4s, v1.4s
+ zip1 v22.4s, v2.4s, v3.4s
+ zip2 v23.4s, v2.4s, v3.4s
+
+ zip1 v0.2d, v20.2d, v22.2d
+ zip2 v1.2d, v20.2d, v22.2d
+ zip1 v2.2d, v21.2d, v23.2d
+ zip2 v3.2d, v21.2d, v23.2d
+
+ zip1 v20.4s, v5.4s, v6.4s
+ zip2 v21.4s, v5.4s, v6.4s
+ zip1 v22.4s, v7.4s, v8.4s
+ zip2 v23.4s, v7.4s, v8.4s
+
+ zip1 v5.2d, v20.2d, v22.2d
+ zip2 v6.2d, v20.2d, v22.2d
+ zip1 v7.2d, v21.2d, v23.2d
+ zip2 v8.2d, v21.2d, v23.2d
+
+ zip1 v20.4s, v10.4s, v11.4s
+ zip2 v21.4s, v10.4s, v11.4s
+ zip1 v22.4s, v12.4s, v13.4s
+ zip2 v23.4s, v12.4s, v13.4s
+
+ zip1 v10.2d, v20.2d, v22.2d
+ zip2 v11.2d, v20.2d, v22.2d
+ zip1 v12.2d, v21.2d, v23.2d
+ zip2 v13.2d, v21.2d, v23.2d
+
+ zip1 v20.4s, v15.4s, v16.4s
+ zip2 v21.4s, v15.4s, v16.4s
+ zip1 v22.4s, v17.4s, v18.4s
+ zip2 v23.4s, v17.4s, v18.4s
+
+ zip1 v15.2d, v20.2d, v22.2d
+ zip2 v16.2d, v20.2d, v22.2d
+ zip1 v17.2d, v21.2d, v23.2d
+ zip2 v18.2d, v21.2d, v23.2d
+
+ add v4.4s, v4.4s, v24.4s
+ add v9.4s, v9.4s, v28.4s
+ and v4.16b, v4.16b, v27.16b
+
+ add v0.4s, v0.4s, v24.4s
+ add v5.4s, v5.4s, v28.4s
+ add v10.4s, v10.4s, v29.4s
+ add v15.4s, v15.4s, v30.4s
+
+ add v1.4s, v1.4s, v24.4s
+ add v6.4s, v6.4s, v28.4s
+ add v11.4s, v11.4s, v29.4s
+ add v16.4s, v16.4s, v30.4s
+
+ add v2.4s, v2.4s, v24.4s
+ add v7.4s, v7.4s, v28.4s
+ add v12.4s, v12.4s, v29.4s
+ add v17.4s, v17.4s, v30.4s
+
+ add v3.4s, v3.4s, v24.4s
+ add v8.4s, v8.4s, v28.4s
+ add v13.4s, v13.4s, v29.4s
+ add v18.4s, v18.4s, v30.4s
+
+ mov x16, v4.d[0] // Move the R key to GPRs
+ mov x17, v4.d[1]
+ mov v27.16b, v9.16b // Store the S key
+
+ bl Lpoly_hash_ad_internal
+
+ mov x3, x0
+ cmp x2, #256
+ b.le Lseal_tail
+
+ ld1 {v20.16b - v23.16b}, [x1], #64
+ eor v20.16b, v20.16b, v0.16b
+ eor v21.16b, v21.16b, v5.16b
+ eor v22.16b, v22.16b, v10.16b
+ eor v23.16b, v23.16b, v15.16b
+ st1 {v20.16b - v23.16b}, [x0], #64
+
+ ld1 {v20.16b - v23.16b}, [x1], #64
+ eor v20.16b, v20.16b, v1.16b
+ eor v21.16b, v21.16b, v6.16b
+ eor v22.16b, v22.16b, v11.16b
+ eor v23.16b, v23.16b, v16.16b
+ st1 {v20.16b - v23.16b}, [x0], #64
+
+ ld1 {v20.16b - v23.16b}, [x1], #64
+ eor v20.16b, v20.16b, v2.16b
+ eor v21.16b, v21.16b, v7.16b
+ eor v22.16b, v22.16b, v12.16b
+ eor v23.16b, v23.16b, v17.16b
+ st1 {v20.16b - v23.16b}, [x0], #64
+
+ ld1 {v20.16b - v23.16b}, [x1], #64
+ eor v20.16b, v20.16b, v3.16b
+ eor v21.16b, v21.16b, v8.16b
+ eor v22.16b, v22.16b, v13.16b
+ eor v23.16b, v23.16b, v18.16b
+ st1 {v20.16b - v23.16b}, [x0], #64
+
+ sub x2, x2, #256
+
+ mov x6, #4 // In the first run of the loop we need to hash 256 bytes, therefore we hash one block for the first 4 rounds
+ mov x7, #6 // and two blocks for the remaining 6, for a total of (1 * 4 + 2 * 6) * 16 = 256
+
+Lseal_main_loop:
+ adrp x11, Lchacha20_consts
+ add x11, x11, :lo12:Lchacha20_consts
+
+ ld4r {v0.4s,v1.4s,v2.4s,v3.4s}, [x11]
+ mov v4.16b, v24.16b
+
+ ld4r {v5.4s,v6.4s,v7.4s,v8.4s}, [x5], #16
+ mov v9.16b, v28.16b
+
+ ld4r {v10.4s,v11.4s,v12.4s,v13.4s}, [x5], #16
+ mov v14.16b, v29.16b
+
+ ld4r {v15.4s,v16.4s,v17.4s,v18.4s}, [x5]
+ add v15.4s, v15.4s, v25.4s
+ mov v19.16b, v30.16b
+
+ eor v20.16b, v20.16b, v20.16b //zero
+ not v21.16b, v20.16b // -1
+ sub v21.4s, v25.4s, v21.4s // Add +1
+ ext v20.16b, v21.16b, v20.16b, #12 // Get the last element (counter)
+ add v19.4s, v19.4s, v20.4s
+
+ sub x5, x5, #32
+.align 5
+Lseal_main_loop_rounds:
+ add v0.4s, v0.4s, v5.4s
+ add v1.4s, v1.4s, v6.4s
+ add v2.4s, v2.4s, v7.4s
+ add v3.4s, v3.4s, v8.4s
+ add v4.4s, v4.4s, v9.4s
+
+ eor v15.16b, v15.16b, v0.16b
+ eor v16.16b, v16.16b, v1.16b
+ eor v17.16b, v17.16b, v2.16b
+ eor v18.16b, v18.16b, v3.16b
+ eor v19.16b, v19.16b, v4.16b
+
+ rev32 v15.8h, v15.8h
+ rev32 v16.8h, v16.8h
+ rev32 v17.8h, v17.8h
+ rev32 v18.8h, v18.8h
+ rev32 v19.8h, v19.8h
+
+ add v10.4s, v10.4s, v15.4s
+ add v11.4s, v11.4s, v16.4s
+ add v12.4s, v12.4s, v17.4s
+ add v13.4s, v13.4s, v18.4s
+ add v14.4s, v14.4s, v19.4s
+
+ eor v5.16b, v5.16b, v10.16b
+ eor v6.16b, v6.16b, v11.16b
+ eor v7.16b, v7.16b, v12.16b
+ eor v8.16b, v8.16b, v13.16b
+ eor v9.16b, v9.16b, v14.16b
+
+ ushr v20.4s, v5.4s, #20
+ sli v20.4s, v5.4s, #12
+ ushr v5.4s, v6.4s, #20
+ sli v5.4s, v6.4s, #12
+ ushr v6.4s, v7.4s, #20
+ sli v6.4s, v7.4s, #12
+ ushr v7.4s, v8.4s, #20
+ sli v7.4s, v8.4s, #12
+ ushr v8.4s, v9.4s, #20
+ sli v8.4s, v9.4s, #12
+
+ add v0.4s, v0.4s, v20.4s
+ add v1.4s, v1.4s, v5.4s
+ add v2.4s, v2.4s, v6.4s
+ add v3.4s, v3.4s, v7.4s
+ add v4.4s, v4.4s, v8.4s
+
+ eor v15.16b, v15.16b, v0.16b
+ eor v16.16b, v16.16b, v1.16b
+ eor v17.16b, v17.16b, v2.16b
+ eor v18.16b, v18.16b, v3.16b
+ eor v19.16b, v19.16b, v4.16b
+
+ tbl v15.16b, {v15.16b}, v26.16b
+ tbl v16.16b, {v16.16b}, v26.16b
+ tbl v17.16b, {v17.16b}, v26.16b
+ tbl v18.16b, {v18.16b}, v26.16b
+ tbl v19.16b, {v19.16b}, v26.16b
+
+ add v10.4s, v10.4s, v15.4s
+ add v11.4s, v11.4s, v16.4s
+ add v12.4s, v12.4s, v17.4s
+ add v13.4s, v13.4s, v18.4s
+ add v14.4s, v14.4s, v19.4s
+
+ eor v20.16b, v20.16b, v10.16b
+ eor v5.16b, v5.16b, v11.16b
+ eor v6.16b, v6.16b, v12.16b
+ eor v7.16b, v7.16b, v13.16b
+ eor v8.16b, v8.16b, v14.16b
+
+ ushr v9.4s, v8.4s, #25
+ sli v9.4s, v8.4s, #7
+ ushr v8.4s, v7.4s, #25
+ sli v8.4s, v7.4s, #7
+ ushr v7.4s, v6.4s, #25
+ sli v7.4s, v6.4s, #7
+ ushr v6.4s, v5.4s, #25
+ sli v6.4s, v5.4s, #7
+ ushr v5.4s, v20.4s, #25
+ sli v5.4s, v20.4s, #7
+
+ ext v9.16b, v9.16b, v9.16b, #4
+ ext v14.16b, v14.16b, v14.16b, #8
+ ext v19.16b, v19.16b, v19.16b, #12
+ ldp x11, x12, [x3], 16
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ add v0.4s, v0.4s, v6.4s
+ add v1.4s, v1.4s, v7.4s
+ add v2.4s, v2.4s, v8.4s
+ add v3.4s, v3.4s, v5.4s
+ add v4.4s, v4.4s, v9.4s
+
+ eor v18.16b, v18.16b, v0.16b
+ eor v15.16b, v15.16b, v1.16b
+ eor v16.16b, v16.16b, v2.16b
+ eor v17.16b, v17.16b, v3.16b
+ eor v19.16b, v19.16b, v4.16b
+
+ rev32 v18.8h, v18.8h
+ rev32 v15.8h, v15.8h
+ rev32 v16.8h, v16.8h
+ rev32 v17.8h, v17.8h
+ rev32 v19.8h, v19.8h
+
+ add v12.4s, v12.4s, v18.4s
+ add v13.4s, v13.4s, v15.4s
+ add v10.4s, v10.4s, v16.4s
+ add v11.4s, v11.4s, v17.4s
+ add v14.4s, v14.4s, v19.4s
+
+ eor v6.16b, v6.16b, v12.16b
+ eor v7.16b, v7.16b, v13.16b
+ eor v8.16b, v8.16b, v10.16b
+ eor v5.16b, v5.16b, v11.16b
+ eor v9.16b, v9.16b, v14.16b
+
+ ushr v20.4s, v6.4s, #20
+ sli v20.4s, v6.4s, #12
+ ushr v6.4s, v7.4s, #20
+ sli v6.4s, v7.4s, #12
+ ushr v7.4s, v8.4s, #20
+ sli v7.4s, v8.4s, #12
+ ushr v8.4s, v5.4s, #20
+ sli v8.4s, v5.4s, #12
+ ushr v5.4s, v9.4s, #20
+ sli v5.4s, v9.4s, #12
+
+ add v0.4s, v0.4s, v20.4s
+ add v1.4s, v1.4s, v6.4s
+ add v2.4s, v2.4s, v7.4s
+ add v3.4s, v3.4s, v8.4s
+ add v4.4s, v4.4s, v5.4s
+
+ eor v18.16b, v18.16b, v0.16b
+ eor v15.16b, v15.16b, v1.16b
+ eor v16.16b, v16.16b, v2.16b
+ eor v17.16b, v17.16b, v3.16b
+ eor v19.16b, v19.16b, v4.16b
+
+ tbl v18.16b, {v18.16b}, v26.16b
+ tbl v15.16b, {v15.16b}, v26.16b
+ tbl v16.16b, {v16.16b}, v26.16b
+ tbl v17.16b, {v17.16b}, v26.16b
+ tbl v19.16b, {v19.16b}, v26.16b
+
+ add v12.4s, v12.4s, v18.4s
+ add v13.4s, v13.4s, v15.4s
+ add v10.4s, v10.4s, v16.4s
+ add v11.4s, v11.4s, v17.4s
+ add v14.4s, v14.4s, v19.4s
+
+ eor v20.16b, v20.16b, v12.16b
+ eor v6.16b, v6.16b, v13.16b
+ eor v7.16b, v7.16b, v10.16b
+ eor v8.16b, v8.16b, v11.16b
+ eor v5.16b, v5.16b, v14.16b
+
+ ushr v9.4s, v5.4s, #25
+ sli v9.4s, v5.4s, #7
+ ushr v5.4s, v8.4s, #25
+ sli v5.4s, v8.4s, #7
+ ushr v8.4s, v7.4s, #25
+ sli v8.4s, v7.4s, #7
+ ushr v7.4s, v6.4s, #25
+ sli v7.4s, v6.4s, #7
+ ushr v6.4s, v20.4s, #25
+ sli v6.4s, v20.4s, #7
+
+ ext v9.16b, v9.16b, v9.16b, #12
+ ext v14.16b, v14.16b, v14.16b, #8
+ ext v19.16b, v19.16b, v19.16b, #4
+ subs x6, x6, #1
+ b.ge Lseal_main_loop_rounds
+ ldp x11, x12, [x3], 16
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ subs x7, x7, #1
+ b.gt Lseal_main_loop_rounds
+
+ eor v20.16b, v20.16b, v20.16b //zero
+ not v21.16b, v20.16b // -1
+ sub v21.4s, v25.4s, v21.4s // Add +1
+ ext v20.16b, v21.16b, v20.16b, #12 // Get the last element (counter)
+ add v19.4s, v19.4s, v20.4s
+
+ add v15.4s, v15.4s, v25.4s
+ mov x11, #5
+ dup v20.4s, w11
+ add v25.4s, v25.4s, v20.4s
+
+ zip1 v20.4s, v0.4s, v1.4s
+ zip2 v21.4s, v0.4s, v1.4s
+ zip1 v22.4s, v2.4s, v3.4s
+ zip2 v23.4s, v2.4s, v3.4s
+
+ zip1 v0.2d, v20.2d, v22.2d
+ zip2 v1.2d, v20.2d, v22.2d
+ zip1 v2.2d, v21.2d, v23.2d
+ zip2 v3.2d, v21.2d, v23.2d
+
+ zip1 v20.4s, v5.4s, v6.4s
+ zip2 v21.4s, v5.4s, v6.4s
+ zip1 v22.4s, v7.4s, v8.4s
+ zip2 v23.4s, v7.4s, v8.4s
+
+ zip1 v5.2d, v20.2d, v22.2d
+ zip2 v6.2d, v20.2d, v22.2d
+ zip1 v7.2d, v21.2d, v23.2d
+ zip2 v8.2d, v21.2d, v23.2d
+
+ zip1 v20.4s, v10.4s, v11.4s
+ zip2 v21.4s, v10.4s, v11.4s
+ zip1 v22.4s, v12.4s, v13.4s
+ zip2 v23.4s, v12.4s, v13.4s
+
+ zip1 v10.2d, v20.2d, v22.2d
+ zip2 v11.2d, v20.2d, v22.2d
+ zip1 v12.2d, v21.2d, v23.2d
+ zip2 v13.2d, v21.2d, v23.2d
+
+ zip1 v20.4s, v15.4s, v16.4s
+ zip2 v21.4s, v15.4s, v16.4s
+ zip1 v22.4s, v17.4s, v18.4s
+ zip2 v23.4s, v17.4s, v18.4s
+
+ zip1 v15.2d, v20.2d, v22.2d
+ zip2 v16.2d, v20.2d, v22.2d
+ zip1 v17.2d, v21.2d, v23.2d
+ zip2 v18.2d, v21.2d, v23.2d
+
+ add v0.4s, v0.4s, v24.4s
+ add v5.4s, v5.4s, v28.4s
+ add v10.4s, v10.4s, v29.4s
+ add v15.4s, v15.4s, v30.4s
+
+ add v1.4s, v1.4s, v24.4s
+ add v6.4s, v6.4s, v28.4s
+ add v11.4s, v11.4s, v29.4s
+ add v16.4s, v16.4s, v30.4s
+
+ add v2.4s, v2.4s, v24.4s
+ add v7.4s, v7.4s, v28.4s
+ add v12.4s, v12.4s, v29.4s
+ add v17.4s, v17.4s, v30.4s
+
+ add v3.4s, v3.4s, v24.4s
+ add v8.4s, v8.4s, v28.4s
+ add v13.4s, v13.4s, v29.4s
+ add v18.4s, v18.4s, v30.4s
+
+ add v4.4s, v4.4s, v24.4s
+ add v9.4s, v9.4s, v28.4s
+ add v14.4s, v14.4s, v29.4s
+ add v19.4s, v19.4s, v30.4s
+
+ cmp x2, #320
+ b.le Lseal_tail
+
+ ld1 {v20.16b - v23.16b}, [x1], #64
+ eor v20.16b, v20.16b, v0.16b
+ eor v21.16b, v21.16b, v5.16b
+ eor v22.16b, v22.16b, v10.16b
+ eor v23.16b, v23.16b, v15.16b
+ st1 {v20.16b - v23.16b}, [x0], #64
+
+ ld1 {v20.16b - v23.16b}, [x1], #64
+ eor v20.16b, v20.16b, v1.16b
+ eor v21.16b, v21.16b, v6.16b
+ eor v22.16b, v22.16b, v11.16b
+ eor v23.16b, v23.16b, v16.16b
+ st1 {v20.16b - v23.16b}, [x0], #64
+
+ ld1 {v20.16b - v23.16b}, [x1], #64
+ eor v20.16b, v20.16b, v2.16b
+ eor v21.16b, v21.16b, v7.16b
+ eor v22.16b, v22.16b, v12.16b
+ eor v23.16b, v23.16b, v17.16b
+ st1 {v20.16b - v23.16b}, [x0], #64
+
+ ld1 {v20.16b - v23.16b}, [x1], #64
+ eor v20.16b, v20.16b, v3.16b
+ eor v21.16b, v21.16b, v8.16b
+ eor v22.16b, v22.16b, v13.16b
+ eor v23.16b, v23.16b, v18.16b
+ st1 {v20.16b - v23.16b}, [x0], #64
+
+ ld1 {v20.16b - v23.16b}, [x1], #64
+ eor v20.16b, v20.16b, v4.16b
+ eor v21.16b, v21.16b, v9.16b
+ eor v22.16b, v22.16b, v14.16b
+ eor v23.16b, v23.16b, v19.16b
+ st1 {v20.16b - v23.16b}, [x0], #64
+
+ sub x2, x2, #320
+
+ mov x6, #0
+ mov x7, #10 // For the remainder of the loop we always hash and encrypt 320 bytes per iteration
+
+ b Lseal_main_loop
+
+Lseal_tail:
+ // This part of the function handles the storage and authentication of the last [0,320) bytes
+ // We assume A0-A4 ... D0-D4 hold at least inl (320 max) bytes of the stream data.
+ cmp x2, #64
+ b.lt Lseal_tail_64
+
+ // Store and authenticate 64B blocks per iteration
+ ld1 {v20.16b - v23.16b}, [x1], #64
+
+ eor v20.16b, v20.16b, v0.16b
+ eor v21.16b, v21.16b, v5.16b
+ eor v22.16b, v22.16b, v10.16b
+ eor v23.16b, v23.16b, v15.16b
+ mov x11, v20.d[0]
+ mov x12, v20.d[1]
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ mov x11, v21.d[0]
+ mov x12, v21.d[1]
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ mov x11, v22.d[0]
+ mov x12, v22.d[1]
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ mov x11, v23.d[0]
+ mov x12, v23.d[1]
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ st1 {v20.16b - v23.16b}, [x0], #64
+ sub x2, x2, #64
+
+ // Shift the state left by 64 bytes for the next iteration of the loop
+ mov v0.16b, v1.16b
+ mov v5.16b, v6.16b
+ mov v10.16b, v11.16b
+ mov v15.16b, v16.16b
+
+ mov v1.16b, v2.16b
+ mov v6.16b, v7.16b
+ mov v11.16b, v12.16b
+ mov v16.16b, v17.16b
+
+ mov v2.16b, v3.16b
+ mov v7.16b, v8.16b
+ mov v12.16b, v13.16b
+ mov v17.16b, v18.16b
+
+ mov v3.16b, v4.16b
+ mov v8.16b, v9.16b
+ mov v13.16b, v14.16b
+ mov v18.16b, v19.16b
+
+ b Lseal_tail
+
+Lseal_tail_64:
+ ldp x3, x4, [x5, #48] // extra_in_len and extra_in_ptr
+
+ // Here we handle the last [0,64) bytes of plaintext
+ cmp x2, #16
+ b.lt Lseal_tail_16
+ // Each iteration encrypt and authenticate a 16B block
+ ld1 {v20.16b}, [x1], #16
+ eor v20.16b, v20.16b, v0.16b
+ mov x11, v20.d[0]
+ mov x12, v20.d[1]
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ st1 {v20.16b}, [x0], #16
+
+ sub x2, x2, #16
+
+ // Shift the state left by 16 bytes for the next iteration of the loop
+ mov v0.16b, v5.16b
+ mov v5.16b, v10.16b
+ mov v10.16b, v15.16b
+
+ b Lseal_tail_64
+
+Lseal_tail_16:
+ // Here we handle the last [0,16) bytes of ciphertext that require a padded block
+ cbz x2, Lseal_hash_extra
+
+ eor v20.16b, v20.16b, v20.16b // Use T0 to load the plaintext/extra in
+ eor v21.16b, v21.16b, v21.16b // Use T1 to generate an AND mask that will only mask the ciphertext bytes
+ not v22.16b, v20.16b
+
+ mov x6, x2
+ add x1, x1, x2
+
+ cbz x4, Lseal_tail_16_compose // No extra data to pad with, zero padding
+
+ mov x7, #16 // We need to load some extra_in first for padding
+ sub x7, x7, x2
+ cmp x4, x7
+ csel x7, x4, x7, lt // Load the minimum of extra_in_len and the amount needed to fill the register
+ mov x12, x7
+ add x3, x3, x7
+ sub x4, x4, x7
+
+Lseal_tail16_compose_extra_in:
+ ext v20.16b, v20.16b, v20.16b, #15
+ ldrb w11, [x3, #-1]!
+ mov v20.b[0], w11
+ subs x7, x7, #1
+ b.gt Lseal_tail16_compose_extra_in
+
+ add x3, x3, x12
+
+Lseal_tail_16_compose:
+ ext v20.16b, v20.16b, v20.16b, #15
+ ldrb w11, [x1, #-1]!
+ mov v20.b[0], w11
+ ext v21.16b, v22.16b, v21.16b, #15
+ subs x2, x2, #1
+ b.gt Lseal_tail_16_compose
+
+ and v0.16b, v0.16b, v21.16b
+ eor v20.16b, v20.16b, v0.16b
+ mov v21.16b, v20.16b
+
+Lseal_tail_16_store:
+ umov w11, v20.b[0]
+ strb w11, [x0], #1
+ ext v20.16b, v20.16b, v20.16b, #1
+ subs x6, x6, #1
+ b.gt Lseal_tail_16_store
+
+ // Hash in the final ct block concatenated with extra_in
+ mov x11, v21.d[0]
+ mov x12, v21.d[1]
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+
+Lseal_hash_extra:
+ cbz x4, Lseal_finalize
+
+Lseal_hash_extra_loop:
+ cmp x4, #16
+ b.lt Lseal_hash_extra_tail
+ ld1 {v20.16b}, [x3], #16
+ mov x11, v20.d[0]
+ mov x12, v20.d[1]
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ sub x4, x4, #16
+ b Lseal_hash_extra_loop
+
+Lseal_hash_extra_tail:
+ cbz x4, Lseal_finalize
+ eor v20.16b, v20.16b, v20.16b // Use T0 to load the remaining extra ciphertext
+ add x3, x3, x4
+
+Lseal_hash_extra_load:
+ ext v20.16b, v20.16b, v20.16b, #15
+ ldrb w11, [x3, #-1]!
+ mov v20.b[0], w11
+ subs x4, x4, #1
+ b.gt Lseal_hash_extra_load
+
+ // Hash in the final padded extra_in blcok
+ mov x11, v20.d[0]
+ mov x12, v20.d[1]
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+
+Lseal_finalize:
+ mov x11, v31.d[0]
+ mov x12, v31.d[1]
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ # Final reduction step
+ sub x12, xzr, x15
+ orr x13, xzr, #3
+ subs x11, x8, #-5
+ sbcs x12, x9, x12
+ sbcs x13, x10, x13
+ csel x8, x11, x8, cs
+ csel x9, x12, x9, cs
+ csel x10, x13, x10, cs
+ mov x11, v27.d[0]
+ mov x12, v27.d[1]
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+
+ stp x8, x9, [x5]
+
+ ldp d8, d9, [sp, #16]
+ ldp d10, d11, [sp, #32]
+ ldp d12, d13, [sp, #48]
+ ldp d14, d15, [sp, #64]
+.cfi_restore b15
+.cfi_restore b14
+.cfi_restore b13
+.cfi_restore b12
+.cfi_restore b11
+.cfi_restore b10
+.cfi_restore b9
+.cfi_restore b8
+ ldp x29, x30, [sp], 80
+.cfi_restore w29
+.cfi_restore w30
+.cfi_def_cfa_offset 0
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+
+Lseal_128:
+ // On some architectures preparing 5 blocks for small buffers is wasteful
+ eor v25.16b, v25.16b, v25.16b
+ mov x11, #1
+ mov v25.s[0], w11
+ mov v0.16b, v24.16b
+ mov v1.16b, v24.16b
+ mov v2.16b, v24.16b
+ mov v5.16b, v28.16b
+ mov v6.16b, v28.16b
+ mov v7.16b, v28.16b
+ mov v10.16b, v29.16b
+ mov v11.16b, v29.16b
+ mov v12.16b, v29.16b
+ mov v17.16b, v30.16b
+ add v15.4s, v17.4s, v25.4s
+ add v16.4s, v15.4s, v25.4s
+
+ mov x6, #10
+
+Lseal_128_rounds:
+ add v0.4s, v0.4s, v5.4s
+ add v1.4s, v1.4s, v6.4s
+ add v2.4s, v2.4s, v7.4s
+ eor v15.16b, v15.16b, v0.16b
+ eor v16.16b, v16.16b, v1.16b
+ eor v17.16b, v17.16b, v2.16b
+ rev32 v15.8h, v15.8h
+ rev32 v16.8h, v16.8h
+ rev32 v17.8h, v17.8h
+
+ add v10.4s, v10.4s, v15.4s
+ add v11.4s, v11.4s, v16.4s
+ add v12.4s, v12.4s, v17.4s
+ eor v5.16b, v5.16b, v10.16b
+ eor v6.16b, v6.16b, v11.16b
+ eor v7.16b, v7.16b, v12.16b
+ ushr v20.4s, v5.4s, #20
+ sli v20.4s, v5.4s, #12
+ ushr v5.4s, v6.4s, #20
+ sli v5.4s, v6.4s, #12
+ ushr v6.4s, v7.4s, #20
+ sli v6.4s, v7.4s, #12
+
+ add v0.4s, v0.4s, v20.4s
+ add v1.4s, v1.4s, v5.4s
+ add v2.4s, v2.4s, v6.4s
+ eor v15.16b, v15.16b, v0.16b
+ eor v16.16b, v16.16b, v1.16b
+ eor v17.16b, v17.16b, v2.16b
+ tbl v15.16b, {v15.16b}, v26.16b
+ tbl v16.16b, {v16.16b}, v26.16b
+ tbl v17.16b, {v17.16b}, v26.16b
+
+ add v10.4s, v10.4s, v15.4s
+ add v11.4s, v11.4s, v16.4s
+ add v12.4s, v12.4s, v17.4s
+ eor v20.16b, v20.16b, v10.16b
+ eor v5.16b, v5.16b, v11.16b
+ eor v6.16b, v6.16b, v12.16b
+ ushr v7.4s, v6.4s, #25
+ sli v7.4s, v6.4s, #7
+ ushr v6.4s, v5.4s, #25
+ sli v6.4s, v5.4s, #7
+ ushr v5.4s, v20.4s, #25
+ sli v5.4s, v20.4s, #7
+
+ ext v5.16b, v5.16b, v5.16b, #4
+ ext v6.16b, v6.16b, v6.16b, #4
+ ext v7.16b, v7.16b, v7.16b, #4
+
+ ext v10.16b, v10.16b, v10.16b, #8
+ ext v11.16b, v11.16b, v11.16b, #8
+ ext v12.16b, v12.16b, v12.16b, #8
+
+ ext v15.16b, v15.16b, v15.16b, #12
+ ext v16.16b, v16.16b, v16.16b, #12
+ ext v17.16b, v17.16b, v17.16b, #12
+ add v0.4s, v0.4s, v5.4s
+ add v1.4s, v1.4s, v6.4s
+ add v2.4s, v2.4s, v7.4s
+ eor v15.16b, v15.16b, v0.16b
+ eor v16.16b, v16.16b, v1.16b
+ eor v17.16b, v17.16b, v2.16b
+ rev32 v15.8h, v15.8h
+ rev32 v16.8h, v16.8h
+ rev32 v17.8h, v17.8h
+
+ add v10.4s, v10.4s, v15.4s
+ add v11.4s, v11.4s, v16.4s
+ add v12.4s, v12.4s, v17.4s
+ eor v5.16b, v5.16b, v10.16b
+ eor v6.16b, v6.16b, v11.16b
+ eor v7.16b, v7.16b, v12.16b
+ ushr v20.4s, v5.4s, #20
+ sli v20.4s, v5.4s, #12
+ ushr v5.4s, v6.4s, #20
+ sli v5.4s, v6.4s, #12
+ ushr v6.4s, v7.4s, #20
+ sli v6.4s, v7.4s, #12
+
+ add v0.4s, v0.4s, v20.4s
+ add v1.4s, v1.4s, v5.4s
+ add v2.4s, v2.4s, v6.4s
+ eor v15.16b, v15.16b, v0.16b
+ eor v16.16b, v16.16b, v1.16b
+ eor v17.16b, v17.16b, v2.16b
+ tbl v15.16b, {v15.16b}, v26.16b
+ tbl v16.16b, {v16.16b}, v26.16b
+ tbl v17.16b, {v17.16b}, v26.16b
+
+ add v10.4s, v10.4s, v15.4s
+ add v11.4s, v11.4s, v16.4s
+ add v12.4s, v12.4s, v17.4s
+ eor v20.16b, v20.16b, v10.16b
+ eor v5.16b, v5.16b, v11.16b
+ eor v6.16b, v6.16b, v12.16b
+ ushr v7.4s, v6.4s, #25
+ sli v7.4s, v6.4s, #7
+ ushr v6.4s, v5.4s, #25
+ sli v6.4s, v5.4s, #7
+ ushr v5.4s, v20.4s, #25
+ sli v5.4s, v20.4s, #7
+
+ ext v5.16b, v5.16b, v5.16b, #12
+ ext v6.16b, v6.16b, v6.16b, #12
+ ext v7.16b, v7.16b, v7.16b, #12
+
+ ext v10.16b, v10.16b, v10.16b, #8
+ ext v11.16b, v11.16b, v11.16b, #8
+ ext v12.16b, v12.16b, v12.16b, #8
+
+ ext v15.16b, v15.16b, v15.16b, #4
+ ext v16.16b, v16.16b, v16.16b, #4
+ ext v17.16b, v17.16b, v17.16b, #4
+ subs x6, x6, #1
+ b.hi Lseal_128_rounds
+
+ add v0.4s, v0.4s, v24.4s
+ add v1.4s, v1.4s, v24.4s
+ add v2.4s, v2.4s, v24.4s
+
+ add v5.4s, v5.4s, v28.4s
+ add v6.4s, v6.4s, v28.4s
+ add v7.4s, v7.4s, v28.4s
+
+ // Only the first 32 bytes of the third block (counter = 0) are needed,
+ // so skip updating v12 and v17.
+ add v10.4s, v10.4s, v29.4s
+ add v11.4s, v11.4s, v29.4s
+
+ add v30.4s, v30.4s, v25.4s
+ add v15.4s, v15.4s, v30.4s
+ add v30.4s, v30.4s, v25.4s
+ add v16.4s, v16.4s, v30.4s
+
+ and v2.16b, v2.16b, v27.16b
+ mov x16, v2.d[0] // Move the R key to GPRs
+ mov x17, v2.d[1]
+ mov v27.16b, v7.16b // Store the S key
+
+ bl Lpoly_hash_ad_internal
+ b Lseal_tail
+.cfi_endproc
+
+
+/////////////////////////////////
+//
+// void chacha20_poly1305_open(uint8_t *pt, uint8_t *ct, size_t len_in, uint8_t *ad, size_t len_ad, union open_data *aead_data);
+//
+.globl chacha20_poly1305_open
+
+.def chacha20_poly1305_open
+ .type 32
+.endef
+.align 6
+chacha20_poly1305_open:
+ AARCH64_SIGN_LINK_REGISTER
+.cfi_startproc
+ stp x29, x30, [sp, #-80]!
+.cfi_def_cfa_offset 80
+.cfi_offset w30, -72
+.cfi_offset w29, -80
+ mov x29, sp
+# We probably could do .cfi_def_cfa w29, 80 at this point, but since
+# we don't actually use the frame pointer like that, it's probably not
+# worth bothering.
+ stp d8, d9, [sp, #16]
+ stp d10, d11, [sp, #32]
+ stp d12, d13, [sp, #48]
+ stp d14, d15, [sp, #64]
+.cfi_offset b15, -8
+.cfi_offset b14, -16
+.cfi_offset b13, -24
+.cfi_offset b12, -32
+.cfi_offset b11, -40
+.cfi_offset b10, -48
+.cfi_offset b9, -56
+.cfi_offset b8, -64
+
+ adrp x11, Lchacha20_consts
+ add x11, x11, :lo12:Lchacha20_consts
+
+ ld1 {v24.16b - v27.16b}, [x11] // Load the CONSTS, INC, ROL8 and CLAMP values
+ ld1 {v28.16b - v30.16b}, [x5]
+
+ mov x15, #1 // Prepare the Poly1305 state
+ mov x8, #0
+ mov x9, #0
+ mov x10, #0
+
+ mov v31.d[0], x4 // Store the input and aad lengths
+ mov v31.d[1], x2
+
+ cmp x2, #128
+ b.le Lopen_128 // Optimization for smaller buffers
+
+ // Initially we prepare a single ChaCha20 block for the Poly1305 R and S keys
+ mov v0.16b, v24.16b
+ mov v5.16b, v28.16b
+ mov v10.16b, v29.16b
+ mov v15.16b, v30.16b
+
+ mov x6, #10
+
+.align 5
+Lopen_init_rounds:
+ add v0.4s, v0.4s, v5.4s
+ eor v15.16b, v15.16b, v0.16b
+ rev32 v15.8h, v15.8h
+
+ add v10.4s, v10.4s, v15.4s
+ eor v5.16b, v5.16b, v10.16b
+ ushr v20.4s, v5.4s, #20
+ sli v20.4s, v5.4s, #12
+ add v0.4s, v0.4s, v20.4s
+ eor v15.16b, v15.16b, v0.16b
+ tbl v15.16b, {v15.16b}, v26.16b
+
+ add v10.4s, v10.4s, v15.4s
+ eor v20.16b, v20.16b, v10.16b
+ ushr v5.4s, v20.4s, #25
+ sli v5.4s, v20.4s, #7
+ ext v5.16b, v5.16b, v5.16b, #4
+ ext v10.16b, v10.16b, v10.16b, #8
+ ext v15.16b, v15.16b, v15.16b, #12
+ add v0.4s, v0.4s, v5.4s
+ eor v15.16b, v15.16b, v0.16b
+ rev32 v15.8h, v15.8h
+
+ add v10.4s, v10.4s, v15.4s
+ eor v5.16b, v5.16b, v10.16b
+ ushr v20.4s, v5.4s, #20
+ sli v20.4s, v5.4s, #12
+ add v0.4s, v0.4s, v20.4s
+ eor v15.16b, v15.16b, v0.16b
+ tbl v15.16b, {v15.16b}, v26.16b
+
+ add v10.4s, v10.4s, v15.4s
+ eor v20.16b, v20.16b, v10.16b
+ ushr v5.4s, v20.4s, #25
+ sli v5.4s, v20.4s, #7
+ ext v5.16b, v5.16b, v5.16b, #12
+ ext v10.16b, v10.16b, v10.16b, #8
+ ext v15.16b, v15.16b, v15.16b, #4
+ subs x6, x6, #1
+ b.hi Lopen_init_rounds
+
+ add v0.4s, v0.4s, v24.4s
+ add v5.4s, v5.4s, v28.4s
+
+ and v0.16b, v0.16b, v27.16b
+ mov x16, v0.d[0] // Move the R key to GPRs
+ mov x17, v0.d[1]
+ mov v27.16b, v5.16b // Store the S key
+
+ bl Lpoly_hash_ad_internal
+
+Lopen_ad_done:
+ mov x3, x1
+
+// Each iteration of the loop hash 320 bytes, and prepare stream for 320 bytes
+Lopen_main_loop:
+
+ cmp x2, #192
+ b.lt Lopen_tail
+
+ adrp x11, Lchacha20_consts
+ add x11, x11, :lo12:Lchacha20_consts
+
+ ld4r {v0.4s,v1.4s,v2.4s,v3.4s}, [x11]
+ mov v4.16b, v24.16b
+
+ ld4r {v5.4s,v6.4s,v7.4s,v8.4s}, [x5], #16
+ mov v9.16b, v28.16b
+
+ ld4r {v10.4s,v11.4s,v12.4s,v13.4s}, [x5], #16
+ mov v14.16b, v29.16b
+
+ ld4r {v15.4s,v16.4s,v17.4s,v18.4s}, [x5]
+ sub x5, x5, #32
+ add v15.4s, v15.4s, v25.4s
+ mov v19.16b, v30.16b
+
+ eor v20.16b, v20.16b, v20.16b //zero
+ not v21.16b, v20.16b // -1
+ sub v21.4s, v25.4s, v21.4s // Add +1
+ ext v20.16b, v21.16b, v20.16b, #12 // Get the last element (counter)
+ add v19.4s, v19.4s, v20.4s
+
+ lsr x4, x2, #4 // How many whole blocks we have to hash, will always be at least 12
+ sub x4, x4, #10
+
+ mov x7, #10
+ subs x6, x7, x4
+ subs x6, x7, x4 // itr1 can be negative if we have more than 320 bytes to hash
+ csel x7, x7, x4, le // if itr1 is zero or less, itr2 should be 10 to indicate all 10 rounds are full
+
+ cbz x7, Lopen_main_loop_rounds_short
+
+.align 5
+Lopen_main_loop_rounds:
+ ldp x11, x12, [x3], 16
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+Lopen_main_loop_rounds_short:
+ add v0.4s, v0.4s, v5.4s
+ add v1.4s, v1.4s, v6.4s
+ add v2.4s, v2.4s, v7.4s
+ add v3.4s, v3.4s, v8.4s
+ add v4.4s, v4.4s, v9.4s
+
+ eor v15.16b, v15.16b, v0.16b
+ eor v16.16b, v16.16b, v1.16b
+ eor v17.16b, v17.16b, v2.16b
+ eor v18.16b, v18.16b, v3.16b
+ eor v19.16b, v19.16b, v4.16b
+
+ rev32 v15.8h, v15.8h
+ rev32 v16.8h, v16.8h
+ rev32 v17.8h, v17.8h
+ rev32 v18.8h, v18.8h
+ rev32 v19.8h, v19.8h
+
+ add v10.4s, v10.4s, v15.4s
+ add v11.4s, v11.4s, v16.4s
+ add v12.4s, v12.4s, v17.4s
+ add v13.4s, v13.4s, v18.4s
+ add v14.4s, v14.4s, v19.4s
+
+ eor v5.16b, v5.16b, v10.16b
+ eor v6.16b, v6.16b, v11.16b
+ eor v7.16b, v7.16b, v12.16b
+ eor v8.16b, v8.16b, v13.16b
+ eor v9.16b, v9.16b, v14.16b
+
+ ushr v20.4s, v5.4s, #20
+ sli v20.4s, v5.4s, #12
+ ushr v5.4s, v6.4s, #20
+ sli v5.4s, v6.4s, #12
+ ushr v6.4s, v7.4s, #20
+ sli v6.4s, v7.4s, #12
+ ushr v7.4s, v8.4s, #20
+ sli v7.4s, v8.4s, #12
+ ushr v8.4s, v9.4s, #20
+ sli v8.4s, v9.4s, #12
+
+ add v0.4s, v0.4s, v20.4s
+ add v1.4s, v1.4s, v5.4s
+ add v2.4s, v2.4s, v6.4s
+ add v3.4s, v3.4s, v7.4s
+ add v4.4s, v4.4s, v8.4s
+
+ eor v15.16b, v15.16b, v0.16b
+ eor v16.16b, v16.16b, v1.16b
+ eor v17.16b, v17.16b, v2.16b
+ eor v18.16b, v18.16b, v3.16b
+ eor v19.16b, v19.16b, v4.16b
+
+ tbl v15.16b, {v15.16b}, v26.16b
+ tbl v16.16b, {v16.16b}, v26.16b
+ tbl v17.16b, {v17.16b}, v26.16b
+ tbl v18.16b, {v18.16b}, v26.16b
+ tbl v19.16b, {v19.16b}, v26.16b
+
+ add v10.4s, v10.4s, v15.4s
+ add v11.4s, v11.4s, v16.4s
+ add v12.4s, v12.4s, v17.4s
+ add v13.4s, v13.4s, v18.4s
+ add v14.4s, v14.4s, v19.4s
+
+ eor v20.16b, v20.16b, v10.16b
+ eor v5.16b, v5.16b, v11.16b
+ eor v6.16b, v6.16b, v12.16b
+ eor v7.16b, v7.16b, v13.16b
+ eor v8.16b, v8.16b, v14.16b
+
+ ushr v9.4s, v8.4s, #25
+ sli v9.4s, v8.4s, #7
+ ushr v8.4s, v7.4s, #25
+ sli v8.4s, v7.4s, #7
+ ushr v7.4s, v6.4s, #25
+ sli v7.4s, v6.4s, #7
+ ushr v6.4s, v5.4s, #25
+ sli v6.4s, v5.4s, #7
+ ushr v5.4s, v20.4s, #25
+ sli v5.4s, v20.4s, #7
+
+ ext v9.16b, v9.16b, v9.16b, #4
+ ext v14.16b, v14.16b, v14.16b, #8
+ ext v19.16b, v19.16b, v19.16b, #12
+ ldp x11, x12, [x3], 16
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ add v0.4s, v0.4s, v6.4s
+ add v1.4s, v1.4s, v7.4s
+ add v2.4s, v2.4s, v8.4s
+ add v3.4s, v3.4s, v5.4s
+ add v4.4s, v4.4s, v9.4s
+
+ eor v18.16b, v18.16b, v0.16b
+ eor v15.16b, v15.16b, v1.16b
+ eor v16.16b, v16.16b, v2.16b
+ eor v17.16b, v17.16b, v3.16b
+ eor v19.16b, v19.16b, v4.16b
+
+ rev32 v18.8h, v18.8h
+ rev32 v15.8h, v15.8h
+ rev32 v16.8h, v16.8h
+ rev32 v17.8h, v17.8h
+ rev32 v19.8h, v19.8h
+
+ add v12.4s, v12.4s, v18.4s
+ add v13.4s, v13.4s, v15.4s
+ add v10.4s, v10.4s, v16.4s
+ add v11.4s, v11.4s, v17.4s
+ add v14.4s, v14.4s, v19.4s
+
+ eor v6.16b, v6.16b, v12.16b
+ eor v7.16b, v7.16b, v13.16b
+ eor v8.16b, v8.16b, v10.16b
+ eor v5.16b, v5.16b, v11.16b
+ eor v9.16b, v9.16b, v14.16b
+
+ ushr v20.4s, v6.4s, #20
+ sli v20.4s, v6.4s, #12
+ ushr v6.4s, v7.4s, #20
+ sli v6.4s, v7.4s, #12
+ ushr v7.4s, v8.4s, #20
+ sli v7.4s, v8.4s, #12
+ ushr v8.4s, v5.4s, #20
+ sli v8.4s, v5.4s, #12
+ ushr v5.4s, v9.4s, #20
+ sli v5.4s, v9.4s, #12
+
+ add v0.4s, v0.4s, v20.4s
+ add v1.4s, v1.4s, v6.4s
+ add v2.4s, v2.4s, v7.4s
+ add v3.4s, v3.4s, v8.4s
+ add v4.4s, v4.4s, v5.4s
+
+ eor v18.16b, v18.16b, v0.16b
+ eor v15.16b, v15.16b, v1.16b
+ eor v16.16b, v16.16b, v2.16b
+ eor v17.16b, v17.16b, v3.16b
+ eor v19.16b, v19.16b, v4.16b
+
+ tbl v18.16b, {v18.16b}, v26.16b
+ tbl v15.16b, {v15.16b}, v26.16b
+ tbl v16.16b, {v16.16b}, v26.16b
+ tbl v17.16b, {v17.16b}, v26.16b
+ tbl v19.16b, {v19.16b}, v26.16b
+
+ add v12.4s, v12.4s, v18.4s
+ add v13.4s, v13.4s, v15.4s
+ add v10.4s, v10.4s, v16.4s
+ add v11.4s, v11.4s, v17.4s
+ add v14.4s, v14.4s, v19.4s
+
+ eor v20.16b, v20.16b, v12.16b
+ eor v6.16b, v6.16b, v13.16b
+ eor v7.16b, v7.16b, v10.16b
+ eor v8.16b, v8.16b, v11.16b
+ eor v5.16b, v5.16b, v14.16b
+
+ ushr v9.4s, v5.4s, #25
+ sli v9.4s, v5.4s, #7
+ ushr v5.4s, v8.4s, #25
+ sli v5.4s, v8.4s, #7
+ ushr v8.4s, v7.4s, #25
+ sli v8.4s, v7.4s, #7
+ ushr v7.4s, v6.4s, #25
+ sli v7.4s, v6.4s, #7
+ ushr v6.4s, v20.4s, #25
+ sli v6.4s, v20.4s, #7
+
+ ext v9.16b, v9.16b, v9.16b, #12
+ ext v14.16b, v14.16b, v14.16b, #8
+ ext v19.16b, v19.16b, v19.16b, #4
+ subs x7, x7, #1
+ b.gt Lopen_main_loop_rounds
+ subs x6, x6, #1
+ b.ge Lopen_main_loop_rounds_short
+
+ eor v20.16b, v20.16b, v20.16b //zero
+ not v21.16b, v20.16b // -1
+ sub v21.4s, v25.4s, v21.4s // Add +1
+ ext v20.16b, v21.16b, v20.16b, #12 // Get the last element (counter)
+ add v19.4s, v19.4s, v20.4s
+
+ add v15.4s, v15.4s, v25.4s
+ mov x11, #5
+ dup v20.4s, w11
+ add v25.4s, v25.4s, v20.4s
+
+ zip1 v20.4s, v0.4s, v1.4s
+ zip2 v21.4s, v0.4s, v1.4s
+ zip1 v22.4s, v2.4s, v3.4s
+ zip2 v23.4s, v2.4s, v3.4s
+
+ zip1 v0.2d, v20.2d, v22.2d
+ zip2 v1.2d, v20.2d, v22.2d
+ zip1 v2.2d, v21.2d, v23.2d
+ zip2 v3.2d, v21.2d, v23.2d
+
+ zip1 v20.4s, v5.4s, v6.4s
+ zip2 v21.4s, v5.4s, v6.4s
+ zip1 v22.4s, v7.4s, v8.4s
+ zip2 v23.4s, v7.4s, v8.4s
+
+ zip1 v5.2d, v20.2d, v22.2d
+ zip2 v6.2d, v20.2d, v22.2d
+ zip1 v7.2d, v21.2d, v23.2d
+ zip2 v8.2d, v21.2d, v23.2d
+
+ zip1 v20.4s, v10.4s, v11.4s
+ zip2 v21.4s, v10.4s, v11.4s
+ zip1 v22.4s, v12.4s, v13.4s
+ zip2 v23.4s, v12.4s, v13.4s
+
+ zip1 v10.2d, v20.2d, v22.2d
+ zip2 v11.2d, v20.2d, v22.2d
+ zip1 v12.2d, v21.2d, v23.2d
+ zip2 v13.2d, v21.2d, v23.2d
+
+ zip1 v20.4s, v15.4s, v16.4s
+ zip2 v21.4s, v15.4s, v16.4s
+ zip1 v22.4s, v17.4s, v18.4s
+ zip2 v23.4s, v17.4s, v18.4s
+
+ zip1 v15.2d, v20.2d, v22.2d
+ zip2 v16.2d, v20.2d, v22.2d
+ zip1 v17.2d, v21.2d, v23.2d
+ zip2 v18.2d, v21.2d, v23.2d
+
+ add v0.4s, v0.4s, v24.4s
+ add v5.4s, v5.4s, v28.4s
+ add v10.4s, v10.4s, v29.4s
+ add v15.4s, v15.4s, v30.4s
+
+ add v1.4s, v1.4s, v24.4s
+ add v6.4s, v6.4s, v28.4s
+ add v11.4s, v11.4s, v29.4s
+ add v16.4s, v16.4s, v30.4s
+
+ add v2.4s, v2.4s, v24.4s
+ add v7.4s, v7.4s, v28.4s
+ add v12.4s, v12.4s, v29.4s
+ add v17.4s, v17.4s, v30.4s
+
+ add v3.4s, v3.4s, v24.4s
+ add v8.4s, v8.4s, v28.4s
+ add v13.4s, v13.4s, v29.4s
+ add v18.4s, v18.4s, v30.4s
+
+ add v4.4s, v4.4s, v24.4s
+ add v9.4s, v9.4s, v28.4s
+ add v14.4s, v14.4s, v29.4s
+ add v19.4s, v19.4s, v30.4s
+
+ // We can always safely store 192 bytes
+ ld1 {v20.16b - v23.16b}, [x1], #64
+ eor v20.16b, v20.16b, v0.16b
+ eor v21.16b, v21.16b, v5.16b
+ eor v22.16b, v22.16b, v10.16b
+ eor v23.16b, v23.16b, v15.16b
+ st1 {v20.16b - v23.16b}, [x0], #64
+
+ ld1 {v20.16b - v23.16b}, [x1], #64
+ eor v20.16b, v20.16b, v1.16b
+ eor v21.16b, v21.16b, v6.16b
+ eor v22.16b, v22.16b, v11.16b
+ eor v23.16b, v23.16b, v16.16b
+ st1 {v20.16b - v23.16b}, [x0], #64
+
+ ld1 {v20.16b - v23.16b}, [x1], #64
+ eor v20.16b, v20.16b, v2.16b
+ eor v21.16b, v21.16b, v7.16b
+ eor v22.16b, v22.16b, v12.16b
+ eor v23.16b, v23.16b, v17.16b
+ st1 {v20.16b - v23.16b}, [x0], #64
+
+ sub x2, x2, #192
+
+ mov v0.16b, v3.16b
+ mov v5.16b, v8.16b
+ mov v10.16b, v13.16b
+ mov v15.16b, v18.16b
+
+ cmp x2, #64
+ b.lt Lopen_tail_64_store
+
+ ld1 {v20.16b - v23.16b}, [x1], #64
+ eor v20.16b, v20.16b, v3.16b
+ eor v21.16b, v21.16b, v8.16b
+ eor v22.16b, v22.16b, v13.16b
+ eor v23.16b, v23.16b, v18.16b
+ st1 {v20.16b - v23.16b}, [x0], #64
+
+ sub x2, x2, #64
+
+ mov v0.16b, v4.16b
+ mov v5.16b, v9.16b
+ mov v10.16b, v14.16b
+ mov v15.16b, v19.16b
+
+ cmp x2, #64
+ b.lt Lopen_tail_64_store
+
+ ld1 {v20.16b - v23.16b}, [x1], #64
+ eor v20.16b, v20.16b, v4.16b
+ eor v21.16b, v21.16b, v9.16b
+ eor v22.16b, v22.16b, v14.16b
+ eor v23.16b, v23.16b, v19.16b
+ st1 {v20.16b - v23.16b}, [x0], #64
+
+ sub x2, x2, #64
+ b Lopen_main_loop
+
+Lopen_tail:
+
+ cbz x2, Lopen_finalize
+
+ lsr x4, x2, #4 // How many whole blocks we have to hash
+
+ cmp x2, #64
+ b.le Lopen_tail_64
+ cmp x2, #128
+ b.le Lopen_tail_128
+
+Lopen_tail_192:
+ // We need three more blocks
+ mov v0.16b, v24.16b
+ mov v1.16b, v24.16b
+ mov v2.16b, v24.16b
+ mov v5.16b, v28.16b
+ mov v6.16b, v28.16b
+ mov v7.16b, v28.16b
+ mov v10.16b, v29.16b
+ mov v11.16b, v29.16b
+ mov v12.16b, v29.16b
+ mov v15.16b, v30.16b
+ mov v16.16b, v30.16b
+ mov v17.16b, v30.16b
+ eor v23.16b, v23.16b, v23.16b
+ eor v21.16b, v21.16b, v21.16b
+ ins v23.s[0], v25.s[0]
+ ins v21.d[0], x15
+
+ add v22.4s, v23.4s, v21.4s
+ add v21.4s, v22.4s, v21.4s
+
+ add v15.4s, v15.4s, v21.4s
+ add v16.4s, v16.4s, v23.4s
+ add v17.4s, v17.4s, v22.4s
+
+ mov x7, #10
+ subs x6, x7, x4 // itr1 can be negative if we have more than 160 bytes to hash
+ csel x7, x7, x4, le // if itr1 is zero or less, itr2 should be 10 to indicate all 10 rounds are hashing
+ sub x4, x4, x7
+
+ cbz x7, Lopen_tail_192_rounds_no_hash
+
+Lopen_tail_192_rounds:
+ ldp x11, x12, [x3], 16
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+Lopen_tail_192_rounds_no_hash:
+ add v0.4s, v0.4s, v5.4s
+ add v1.4s, v1.4s, v6.4s
+ add v2.4s, v2.4s, v7.4s
+ eor v15.16b, v15.16b, v0.16b
+ eor v16.16b, v16.16b, v1.16b
+ eor v17.16b, v17.16b, v2.16b
+ rev32 v15.8h, v15.8h
+ rev32 v16.8h, v16.8h
+ rev32 v17.8h, v17.8h
+
+ add v10.4s, v10.4s, v15.4s
+ add v11.4s, v11.4s, v16.4s
+ add v12.4s, v12.4s, v17.4s
+ eor v5.16b, v5.16b, v10.16b
+ eor v6.16b, v6.16b, v11.16b
+ eor v7.16b, v7.16b, v12.16b
+ ushr v20.4s, v5.4s, #20
+ sli v20.4s, v5.4s, #12
+ ushr v5.4s, v6.4s, #20
+ sli v5.4s, v6.4s, #12
+ ushr v6.4s, v7.4s, #20
+ sli v6.4s, v7.4s, #12
+
+ add v0.4s, v0.4s, v20.4s
+ add v1.4s, v1.4s, v5.4s
+ add v2.4s, v2.4s, v6.4s
+ eor v15.16b, v15.16b, v0.16b
+ eor v16.16b, v16.16b, v1.16b
+ eor v17.16b, v17.16b, v2.16b
+ tbl v15.16b, {v15.16b}, v26.16b
+ tbl v16.16b, {v16.16b}, v26.16b
+ tbl v17.16b, {v17.16b}, v26.16b
+
+ add v10.4s, v10.4s, v15.4s
+ add v11.4s, v11.4s, v16.4s
+ add v12.4s, v12.4s, v17.4s
+ eor v20.16b, v20.16b, v10.16b
+ eor v5.16b, v5.16b, v11.16b
+ eor v6.16b, v6.16b, v12.16b
+ ushr v7.4s, v6.4s, #25
+ sli v7.4s, v6.4s, #7
+ ushr v6.4s, v5.4s, #25
+ sli v6.4s, v5.4s, #7
+ ushr v5.4s, v20.4s, #25
+ sli v5.4s, v20.4s, #7
+
+ ext v5.16b, v5.16b, v5.16b, #4
+ ext v6.16b, v6.16b, v6.16b, #4
+ ext v7.16b, v7.16b, v7.16b, #4
+
+ ext v10.16b, v10.16b, v10.16b, #8
+ ext v11.16b, v11.16b, v11.16b, #8
+ ext v12.16b, v12.16b, v12.16b, #8
+
+ ext v15.16b, v15.16b, v15.16b, #12
+ ext v16.16b, v16.16b, v16.16b, #12
+ ext v17.16b, v17.16b, v17.16b, #12
+ add v0.4s, v0.4s, v5.4s
+ add v1.4s, v1.4s, v6.4s
+ add v2.4s, v2.4s, v7.4s
+ eor v15.16b, v15.16b, v0.16b
+ eor v16.16b, v16.16b, v1.16b
+ eor v17.16b, v17.16b, v2.16b
+ rev32 v15.8h, v15.8h
+ rev32 v16.8h, v16.8h
+ rev32 v17.8h, v17.8h
+
+ add v10.4s, v10.4s, v15.4s
+ add v11.4s, v11.4s, v16.4s
+ add v12.4s, v12.4s, v17.4s
+ eor v5.16b, v5.16b, v10.16b
+ eor v6.16b, v6.16b, v11.16b
+ eor v7.16b, v7.16b, v12.16b
+ ushr v20.4s, v5.4s, #20
+ sli v20.4s, v5.4s, #12
+ ushr v5.4s, v6.4s, #20
+ sli v5.4s, v6.4s, #12
+ ushr v6.4s, v7.4s, #20
+ sli v6.4s, v7.4s, #12
+
+ add v0.4s, v0.4s, v20.4s
+ add v1.4s, v1.4s, v5.4s
+ add v2.4s, v2.4s, v6.4s
+ eor v15.16b, v15.16b, v0.16b
+ eor v16.16b, v16.16b, v1.16b
+ eor v17.16b, v17.16b, v2.16b
+ tbl v15.16b, {v15.16b}, v26.16b
+ tbl v16.16b, {v16.16b}, v26.16b
+ tbl v17.16b, {v17.16b}, v26.16b
+
+ add v10.4s, v10.4s, v15.4s
+ add v11.4s, v11.4s, v16.4s
+ add v12.4s, v12.4s, v17.4s
+ eor v20.16b, v20.16b, v10.16b
+ eor v5.16b, v5.16b, v11.16b
+ eor v6.16b, v6.16b, v12.16b
+ ushr v7.4s, v6.4s, #25
+ sli v7.4s, v6.4s, #7
+ ushr v6.4s, v5.4s, #25
+ sli v6.4s, v5.4s, #7
+ ushr v5.4s, v20.4s, #25
+ sli v5.4s, v20.4s, #7
+
+ ext v5.16b, v5.16b, v5.16b, #12
+ ext v6.16b, v6.16b, v6.16b, #12
+ ext v7.16b, v7.16b, v7.16b, #12
+
+ ext v10.16b, v10.16b, v10.16b, #8
+ ext v11.16b, v11.16b, v11.16b, #8
+ ext v12.16b, v12.16b, v12.16b, #8
+
+ ext v15.16b, v15.16b, v15.16b, #4
+ ext v16.16b, v16.16b, v16.16b, #4
+ ext v17.16b, v17.16b, v17.16b, #4
+ subs x7, x7, #1
+ b.gt Lopen_tail_192_rounds
+ subs x6, x6, #1
+ b.ge Lopen_tail_192_rounds_no_hash
+
+ // We hashed 160 bytes at most, may still have 32 bytes left
+Lopen_tail_192_hash:
+ cbz x4, Lopen_tail_192_hash_done
+ ldp x11, x12, [x3], 16
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ sub x4, x4, #1
+ b Lopen_tail_192_hash
+
+Lopen_tail_192_hash_done:
+
+ add v0.4s, v0.4s, v24.4s
+ add v1.4s, v1.4s, v24.4s
+ add v2.4s, v2.4s, v24.4s
+ add v5.4s, v5.4s, v28.4s
+ add v6.4s, v6.4s, v28.4s
+ add v7.4s, v7.4s, v28.4s
+ add v10.4s, v10.4s, v29.4s
+ add v11.4s, v11.4s, v29.4s
+ add v12.4s, v12.4s, v29.4s
+ add v15.4s, v15.4s, v30.4s
+ add v16.4s, v16.4s, v30.4s
+ add v17.4s, v17.4s, v30.4s
+
+ add v15.4s, v15.4s, v21.4s
+ add v16.4s, v16.4s, v23.4s
+ add v17.4s, v17.4s, v22.4s
+
+ ld1 {v20.16b - v23.16b}, [x1], #64
+
+ eor v20.16b, v20.16b, v1.16b
+ eor v21.16b, v21.16b, v6.16b
+ eor v22.16b, v22.16b, v11.16b
+ eor v23.16b, v23.16b, v16.16b
+
+ st1 {v20.16b - v23.16b}, [x0], #64
+
+ ld1 {v20.16b - v23.16b}, [x1], #64
+
+ eor v20.16b, v20.16b, v2.16b
+ eor v21.16b, v21.16b, v7.16b
+ eor v22.16b, v22.16b, v12.16b
+ eor v23.16b, v23.16b, v17.16b
+
+ st1 {v20.16b - v23.16b}, [x0], #64
+
+ sub x2, x2, #128
+ b Lopen_tail_64_store
+
+Lopen_tail_128:
+ // We need two more blocks
+ mov v0.16b, v24.16b
+ mov v1.16b, v24.16b
+ mov v5.16b, v28.16b
+ mov v6.16b, v28.16b
+ mov v10.16b, v29.16b
+ mov v11.16b, v29.16b
+ mov v15.16b, v30.16b
+ mov v16.16b, v30.16b
+ eor v23.16b, v23.16b, v23.16b
+ eor v22.16b, v22.16b, v22.16b
+ ins v23.s[0], v25.s[0]
+ ins v22.d[0], x15
+ add v22.4s, v22.4s, v23.4s
+
+ add v15.4s, v15.4s, v22.4s
+ add v16.4s, v16.4s, v23.4s
+
+ mov x6, #10
+ sub x6, x6, x4
+
+Lopen_tail_128_rounds:
+ add v0.4s, v0.4s, v5.4s
+ eor v15.16b, v15.16b, v0.16b
+ rev32 v15.8h, v15.8h
+
+ add v10.4s, v10.4s, v15.4s
+ eor v5.16b, v5.16b, v10.16b
+ ushr v20.4s, v5.4s, #20
+ sli v20.4s, v5.4s, #12
+ add v0.4s, v0.4s, v20.4s
+ eor v15.16b, v15.16b, v0.16b
+ tbl v15.16b, {v15.16b}, v26.16b
+
+ add v10.4s, v10.4s, v15.4s
+ eor v20.16b, v20.16b, v10.16b
+ ushr v5.4s, v20.4s, #25
+ sli v5.4s, v20.4s, #7
+ ext v5.16b, v5.16b, v5.16b, #4
+ ext v10.16b, v10.16b, v10.16b, #8
+ ext v15.16b, v15.16b, v15.16b, #12
+ add v1.4s, v1.4s, v6.4s
+ eor v16.16b, v16.16b, v1.16b
+ rev32 v16.8h, v16.8h
+
+ add v11.4s, v11.4s, v16.4s
+ eor v6.16b, v6.16b, v11.16b
+ ushr v20.4s, v6.4s, #20
+ sli v20.4s, v6.4s, #12
+ add v1.4s, v1.4s, v20.4s
+ eor v16.16b, v16.16b, v1.16b
+ tbl v16.16b, {v16.16b}, v26.16b
+
+ add v11.4s, v11.4s, v16.4s
+ eor v20.16b, v20.16b, v11.16b
+ ushr v6.4s, v20.4s, #25
+ sli v6.4s, v20.4s, #7
+ ext v6.16b, v6.16b, v6.16b, #4
+ ext v11.16b, v11.16b, v11.16b, #8
+ ext v16.16b, v16.16b, v16.16b, #12
+ add v0.4s, v0.4s, v5.4s
+ eor v15.16b, v15.16b, v0.16b
+ rev32 v15.8h, v15.8h
+
+ add v10.4s, v10.4s, v15.4s
+ eor v5.16b, v5.16b, v10.16b
+ ushr v20.4s, v5.4s, #20
+ sli v20.4s, v5.4s, #12
+ add v0.4s, v0.4s, v20.4s
+ eor v15.16b, v15.16b, v0.16b
+ tbl v15.16b, {v15.16b}, v26.16b
+
+ add v10.4s, v10.4s, v15.4s
+ eor v20.16b, v20.16b, v10.16b
+ ushr v5.4s, v20.4s, #25
+ sli v5.4s, v20.4s, #7
+ ext v5.16b, v5.16b, v5.16b, #12
+ ext v10.16b, v10.16b, v10.16b, #8
+ ext v15.16b, v15.16b, v15.16b, #4
+ add v1.4s, v1.4s, v6.4s
+ eor v16.16b, v16.16b, v1.16b
+ rev32 v16.8h, v16.8h
+
+ add v11.4s, v11.4s, v16.4s
+ eor v6.16b, v6.16b, v11.16b
+ ushr v20.4s, v6.4s, #20
+ sli v20.4s, v6.4s, #12
+ add v1.4s, v1.4s, v20.4s
+ eor v16.16b, v16.16b, v1.16b
+ tbl v16.16b, {v16.16b}, v26.16b
+
+ add v11.4s, v11.4s, v16.4s
+ eor v20.16b, v20.16b, v11.16b
+ ushr v6.4s, v20.4s, #25
+ sli v6.4s, v20.4s, #7
+ ext v6.16b, v6.16b, v6.16b, #12
+ ext v11.16b, v11.16b, v11.16b, #8
+ ext v16.16b, v16.16b, v16.16b, #4
+ subs x6, x6, #1
+ b.gt Lopen_tail_128_rounds
+ cbz x4, Lopen_tail_128_rounds_done
+ subs x4, x4, #1
+ ldp x11, x12, [x3], 16
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ b Lopen_tail_128_rounds
+
+Lopen_tail_128_rounds_done:
+ add v0.4s, v0.4s, v24.4s
+ add v1.4s, v1.4s, v24.4s
+ add v5.4s, v5.4s, v28.4s
+ add v6.4s, v6.4s, v28.4s
+ add v10.4s, v10.4s, v29.4s
+ add v11.4s, v11.4s, v29.4s
+ add v15.4s, v15.4s, v30.4s
+ add v16.4s, v16.4s, v30.4s
+ add v15.4s, v15.4s, v22.4s
+ add v16.4s, v16.4s, v23.4s
+
+ ld1 {v20.16b - v23.16b}, [x1], #64
+
+ eor v20.16b, v20.16b, v1.16b
+ eor v21.16b, v21.16b, v6.16b
+ eor v22.16b, v22.16b, v11.16b
+ eor v23.16b, v23.16b, v16.16b
+
+ st1 {v20.16b - v23.16b}, [x0], #64
+ sub x2, x2, #64
+
+ b Lopen_tail_64_store
+
+Lopen_tail_64:
+ // We just need a single block
+ mov v0.16b, v24.16b
+ mov v5.16b, v28.16b
+ mov v10.16b, v29.16b
+ mov v15.16b, v30.16b
+ eor v23.16b, v23.16b, v23.16b
+ ins v23.s[0], v25.s[0]
+ add v15.4s, v15.4s, v23.4s
+
+ mov x6, #10
+ sub x6, x6, x4
+
+Lopen_tail_64_rounds:
+ add v0.4s, v0.4s, v5.4s
+ eor v15.16b, v15.16b, v0.16b
+ rev32 v15.8h, v15.8h
+
+ add v10.4s, v10.4s, v15.4s
+ eor v5.16b, v5.16b, v10.16b
+ ushr v20.4s, v5.4s, #20
+ sli v20.4s, v5.4s, #12
+ add v0.4s, v0.4s, v20.4s
+ eor v15.16b, v15.16b, v0.16b
+ tbl v15.16b, {v15.16b}, v26.16b
+
+ add v10.4s, v10.4s, v15.4s
+ eor v20.16b, v20.16b, v10.16b
+ ushr v5.4s, v20.4s, #25
+ sli v5.4s, v20.4s, #7
+ ext v5.16b, v5.16b, v5.16b, #4
+ ext v10.16b, v10.16b, v10.16b, #8
+ ext v15.16b, v15.16b, v15.16b, #12
+ add v0.4s, v0.4s, v5.4s
+ eor v15.16b, v15.16b, v0.16b
+ rev32 v15.8h, v15.8h
+
+ add v10.4s, v10.4s, v15.4s
+ eor v5.16b, v5.16b, v10.16b
+ ushr v20.4s, v5.4s, #20
+ sli v20.4s, v5.4s, #12
+ add v0.4s, v0.4s, v20.4s
+ eor v15.16b, v15.16b, v0.16b
+ tbl v15.16b, {v15.16b}, v26.16b
+
+ add v10.4s, v10.4s, v15.4s
+ eor v20.16b, v20.16b, v10.16b
+ ushr v5.4s, v20.4s, #25
+ sli v5.4s, v20.4s, #7
+ ext v5.16b, v5.16b, v5.16b, #12
+ ext v10.16b, v10.16b, v10.16b, #8
+ ext v15.16b, v15.16b, v15.16b, #4
+ subs x6, x6, #1
+ b.gt Lopen_tail_64_rounds
+ cbz x4, Lopen_tail_64_rounds_done
+ subs x4, x4, #1
+ ldp x11, x12, [x3], 16
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ b Lopen_tail_64_rounds
+
+Lopen_tail_64_rounds_done:
+ add v0.4s, v0.4s, v24.4s
+ add v5.4s, v5.4s, v28.4s
+ add v10.4s, v10.4s, v29.4s
+ add v15.4s, v15.4s, v30.4s
+ add v15.4s, v15.4s, v23.4s
+
+Lopen_tail_64_store:
+ cmp x2, #16
+ b.lt Lopen_tail_16
+
+ ld1 {v20.16b}, [x1], #16
+ eor v20.16b, v20.16b, v0.16b
+ st1 {v20.16b}, [x0], #16
+ mov v0.16b, v5.16b
+ mov v5.16b, v10.16b
+ mov v10.16b, v15.16b
+ sub x2, x2, #16
+ b Lopen_tail_64_store
+
+Lopen_tail_16:
+ // Here we handle the last [0,16) bytes that require a padded block
+ cbz x2, Lopen_finalize
+
+ eor v20.16b, v20.16b, v20.16b // Use T0 to load the ciphertext
+ eor v21.16b, v21.16b, v21.16b // Use T1 to generate an AND mask
+ not v22.16b, v20.16b
+
+ add x7, x1, x2
+ mov x6, x2
+
+Lopen_tail_16_compose:
+ ext v20.16b, v20.16b, v20.16b, #15
+ ldrb w11, [x7, #-1]!
+ mov v20.b[0], w11
+ ext v21.16b, v22.16b, v21.16b, #15
+ subs x2, x2, #1
+ b.gt Lopen_tail_16_compose
+
+ and v20.16b, v20.16b, v21.16b
+ // Hash in the final padded block
+ mov x11, v20.d[0]
+ mov x12, v20.d[1]
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ eor v20.16b, v20.16b, v0.16b
+
+Lopen_tail_16_store:
+ umov w11, v20.b[0]
+ strb w11, [x0], #1
+ ext v20.16b, v20.16b, v20.16b, #1
+ subs x6, x6, #1
+ b.gt Lopen_tail_16_store
+
+Lopen_finalize:
+ mov x11, v31.d[0]
+ mov x12, v31.d[1]
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ # Final reduction step
+ sub x12, xzr, x15
+ orr x13, xzr, #3
+ subs x11, x8, #-5
+ sbcs x12, x9, x12
+ sbcs x13, x10, x13
+ csel x8, x11, x8, cs
+ csel x9, x12, x9, cs
+ csel x10, x13, x10, cs
+ mov x11, v27.d[0]
+ mov x12, v27.d[1]
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+
+ stp x8, x9, [x5]
+
+ ldp d8, d9, [sp, #16]
+ ldp d10, d11, [sp, #32]
+ ldp d12, d13, [sp, #48]
+ ldp d14, d15, [sp, #64]
+.cfi_restore b15
+.cfi_restore b14
+.cfi_restore b13
+.cfi_restore b12
+.cfi_restore b11
+.cfi_restore b10
+.cfi_restore b9
+.cfi_restore b8
+ ldp x29, x30, [sp], 80
+.cfi_restore w29
+.cfi_restore w30
+.cfi_def_cfa_offset 0
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+
+Lopen_128:
+ // On some architectures preparing 5 blocks for small buffers is wasteful
+ eor v25.16b, v25.16b, v25.16b
+ mov x11, #1
+ mov v25.s[0], w11
+ mov v0.16b, v24.16b
+ mov v1.16b, v24.16b
+ mov v2.16b, v24.16b
+ mov v5.16b, v28.16b
+ mov v6.16b, v28.16b
+ mov v7.16b, v28.16b
+ mov v10.16b, v29.16b
+ mov v11.16b, v29.16b
+ mov v12.16b, v29.16b
+ mov v17.16b, v30.16b
+ add v15.4s, v17.4s, v25.4s
+ add v16.4s, v15.4s, v25.4s
+
+ mov x6, #10
+
+Lopen_128_rounds:
+ add v0.4s, v0.4s, v5.4s
+ add v1.4s, v1.4s, v6.4s
+ add v2.4s, v2.4s, v7.4s
+ eor v15.16b, v15.16b, v0.16b
+ eor v16.16b, v16.16b, v1.16b
+ eor v17.16b, v17.16b, v2.16b
+ rev32 v15.8h, v15.8h
+ rev32 v16.8h, v16.8h
+ rev32 v17.8h, v17.8h
+
+ add v10.4s, v10.4s, v15.4s
+ add v11.4s, v11.4s, v16.4s
+ add v12.4s, v12.4s, v17.4s
+ eor v5.16b, v5.16b, v10.16b
+ eor v6.16b, v6.16b, v11.16b
+ eor v7.16b, v7.16b, v12.16b
+ ushr v20.4s, v5.4s, #20
+ sli v20.4s, v5.4s, #12
+ ushr v5.4s, v6.4s, #20
+ sli v5.4s, v6.4s, #12
+ ushr v6.4s, v7.4s, #20
+ sli v6.4s, v7.4s, #12
+
+ add v0.4s, v0.4s, v20.4s
+ add v1.4s, v1.4s, v5.4s
+ add v2.4s, v2.4s, v6.4s
+ eor v15.16b, v15.16b, v0.16b
+ eor v16.16b, v16.16b, v1.16b
+ eor v17.16b, v17.16b, v2.16b
+ tbl v15.16b, {v15.16b}, v26.16b
+ tbl v16.16b, {v16.16b}, v26.16b
+ tbl v17.16b, {v17.16b}, v26.16b
+
+ add v10.4s, v10.4s, v15.4s
+ add v11.4s, v11.4s, v16.4s
+ add v12.4s, v12.4s, v17.4s
+ eor v20.16b, v20.16b, v10.16b
+ eor v5.16b, v5.16b, v11.16b
+ eor v6.16b, v6.16b, v12.16b
+ ushr v7.4s, v6.4s, #25
+ sli v7.4s, v6.4s, #7
+ ushr v6.4s, v5.4s, #25
+ sli v6.4s, v5.4s, #7
+ ushr v5.4s, v20.4s, #25
+ sli v5.4s, v20.4s, #7
+
+ ext v5.16b, v5.16b, v5.16b, #4
+ ext v6.16b, v6.16b, v6.16b, #4
+ ext v7.16b, v7.16b, v7.16b, #4
+
+ ext v10.16b, v10.16b, v10.16b, #8
+ ext v11.16b, v11.16b, v11.16b, #8
+ ext v12.16b, v12.16b, v12.16b, #8
+
+ ext v15.16b, v15.16b, v15.16b, #12
+ ext v16.16b, v16.16b, v16.16b, #12
+ ext v17.16b, v17.16b, v17.16b, #12
+ add v0.4s, v0.4s, v5.4s
+ add v1.4s, v1.4s, v6.4s
+ add v2.4s, v2.4s, v7.4s
+ eor v15.16b, v15.16b, v0.16b
+ eor v16.16b, v16.16b, v1.16b
+ eor v17.16b, v17.16b, v2.16b
+ rev32 v15.8h, v15.8h
+ rev32 v16.8h, v16.8h
+ rev32 v17.8h, v17.8h
+
+ add v10.4s, v10.4s, v15.4s
+ add v11.4s, v11.4s, v16.4s
+ add v12.4s, v12.4s, v17.4s
+ eor v5.16b, v5.16b, v10.16b
+ eor v6.16b, v6.16b, v11.16b
+ eor v7.16b, v7.16b, v12.16b
+ ushr v20.4s, v5.4s, #20
+ sli v20.4s, v5.4s, #12
+ ushr v5.4s, v6.4s, #20
+ sli v5.4s, v6.4s, #12
+ ushr v6.4s, v7.4s, #20
+ sli v6.4s, v7.4s, #12
+
+ add v0.4s, v0.4s, v20.4s
+ add v1.4s, v1.4s, v5.4s
+ add v2.4s, v2.4s, v6.4s
+ eor v15.16b, v15.16b, v0.16b
+ eor v16.16b, v16.16b, v1.16b
+ eor v17.16b, v17.16b, v2.16b
+ tbl v15.16b, {v15.16b}, v26.16b
+ tbl v16.16b, {v16.16b}, v26.16b
+ tbl v17.16b, {v17.16b}, v26.16b
+
+ add v10.4s, v10.4s, v15.4s
+ add v11.4s, v11.4s, v16.4s
+ add v12.4s, v12.4s, v17.4s
+ eor v20.16b, v20.16b, v10.16b
+ eor v5.16b, v5.16b, v11.16b
+ eor v6.16b, v6.16b, v12.16b
+ ushr v7.4s, v6.4s, #25
+ sli v7.4s, v6.4s, #7
+ ushr v6.4s, v5.4s, #25
+ sli v6.4s, v5.4s, #7
+ ushr v5.4s, v20.4s, #25
+ sli v5.4s, v20.4s, #7
+
+ ext v5.16b, v5.16b, v5.16b, #12
+ ext v6.16b, v6.16b, v6.16b, #12
+ ext v7.16b, v7.16b, v7.16b, #12
+
+ ext v10.16b, v10.16b, v10.16b, #8
+ ext v11.16b, v11.16b, v11.16b, #8
+ ext v12.16b, v12.16b, v12.16b, #8
+
+ ext v15.16b, v15.16b, v15.16b, #4
+ ext v16.16b, v16.16b, v16.16b, #4
+ ext v17.16b, v17.16b, v17.16b, #4
+ subs x6, x6, #1
+ b.hi Lopen_128_rounds
+
+ add v0.4s, v0.4s, v24.4s
+ add v1.4s, v1.4s, v24.4s
+ add v2.4s, v2.4s, v24.4s
+
+ add v5.4s, v5.4s, v28.4s
+ add v6.4s, v6.4s, v28.4s
+ add v7.4s, v7.4s, v28.4s
+
+ add v10.4s, v10.4s, v29.4s
+ add v11.4s, v11.4s, v29.4s
+
+ add v30.4s, v30.4s, v25.4s
+ add v15.4s, v15.4s, v30.4s
+ add v30.4s, v30.4s, v25.4s
+ add v16.4s, v16.4s, v30.4s
+
+ and v2.16b, v2.16b, v27.16b
+ mov x16, v2.d[0] // Move the R key to GPRs
+ mov x17, v2.d[1]
+ mov v27.16b, v7.16b // Store the S key
+
+ bl Lpoly_hash_ad_internal
+
+Lopen_128_store:
+ cmp x2, #64
+ b.lt Lopen_128_store_64
+
+ ld1 {v20.16b - v23.16b}, [x1], #64
+
+ mov x11, v20.d[0]
+ mov x12, v20.d[1]
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ mov x11, v21.d[0]
+ mov x12, v21.d[1]
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ mov x11, v22.d[0]
+ mov x12, v22.d[1]
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ mov x11, v23.d[0]
+ mov x12, v23.d[1]
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+
+ eor v20.16b, v20.16b, v0.16b
+ eor v21.16b, v21.16b, v5.16b
+ eor v22.16b, v22.16b, v10.16b
+ eor v23.16b, v23.16b, v15.16b
+
+ st1 {v20.16b - v23.16b}, [x0], #64
+
+ sub x2, x2, #64
+
+ mov v0.16b, v1.16b
+ mov v5.16b, v6.16b
+ mov v10.16b, v11.16b
+ mov v15.16b, v16.16b
+
+Lopen_128_store_64:
+
+ lsr x4, x2, #4
+ mov x3, x1
+
+Lopen_128_hash_64:
+ cbz x4, Lopen_tail_64_store
+ ldp x11, x12, [x3], 16
+ adds x8, x8, x11
+ adcs x9, x9, x12
+ adc x10, x10, x15
+ mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0
+ umulh x12, x8, x16
+ mul x13, x9, x16
+ umulh x14, x9, x16
+ adds x12, x12, x13
+ mul x13, x10, x16
+ adc x13, x13, x14
+ mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]
+ umulh x8, x8, x17
+ adds x12, x12, x14
+ mul x14, x9, x17
+ umulh x9, x9, x17
+ adcs x14, x14, x8
+ mul x10, x10, x17
+ adc x10, x10, x9
+ adds x13, x13, x14
+ adc x14, x10, xzr
+ and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)
+ and x8, x13, #-4
+ extr x13, x14, x13, #2
+ adds x8, x8, x11
+ lsr x11, x14, #2
+ adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits
+ adds x8, x8, x13
+ adcs x9, x9, x12
+ adc x10, x10, xzr // At this point acc2 has the value of 4 at most
+ sub x4, x4, #1
+ b Lopen_128_hash_64
+.cfi_endproc
+
+#endif
+#endif // !OPENSSL_NO_ASM
diff --git a/win-aarch64/crypto/fipsmodule/p256-armv8-asm.S b/win-aarch64/crypto/fipsmodule/p256-armv8-asm.S
new file mode 100644
index 0000000..4ebf3ab
--- /dev/null
+++ b/win-aarch64/crypto/fipsmodule/p256-armv8-asm.S
@@ -0,0 +1,1808 @@
+// This file is generated from a similarly-named Perl script in the BoringSSL
+// source tree. Do not edit by hand.
+
+#if !defined(__has_feature)
+#define __has_feature(x) 0
+#endif
+#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM)
+#define OPENSSL_NO_ASM
+#endif
+
+#if !defined(OPENSSL_NO_ASM)
+#if defined(__aarch64__)
+#if defined(BORINGSSL_PREFIX)
+#include <boringssl_prefix_symbols_asm.h>
+#endif
+#include "openssl/arm_arch.h"
+
+.text
+.align 5
+Lpoly:
+.quad 0xffffffffffffffff,0x00000000ffffffff,0x0000000000000000,0xffffffff00000001
+LRR: // 2^512 mod P precomputed for NIST P256 polynomial
+.quad 0x0000000000000003,0xfffffffbffffffff,0xfffffffffffffffe,0x00000004fffffffd
+Lone_mont:
+.quad 0x0000000000000001,0xffffffff00000000,0xffffffffffffffff,0x00000000fffffffe
+Lone:
+.quad 1,0,0,0
+Lord:
+.quad 0xf3b9cac2fc632551,0xbce6faada7179e84,0xffffffffffffffff,0xffffffff00000000
+LordK:
+.quad 0xccd1c8aaee00bc4f
+.byte 69,67,80,95,78,73,83,84,90,50,53,54,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0
+.align 2
+
+// void ecp_nistz256_to_mont(BN_ULONG x0[4],const BN_ULONG x1[4]);
+.globl ecp_nistz256_to_mont
+
+.def ecp_nistz256_to_mont
+ .type 32
+.endef
+.align 6
+ecp_nistz256_to_mont:
+ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-32]!
+ add x29,sp,#0
+ stp x19,x20,[sp,#16]
+
+ ldr x3,LRR // bp[0]
+ ldp x4,x5,[x1]
+ ldp x6,x7,[x1,#16]
+ ldr x12,Lpoly+8
+ ldr x13,Lpoly+24
+ adr x2,LRR // &bp[0]
+
+ bl __ecp_nistz256_mul_mont
+
+ ldp x19,x20,[sp,#16]
+ ldp x29,x30,[sp],#32
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+
+
+// void ecp_nistz256_from_mont(BN_ULONG x0[4],const BN_ULONG x1[4]);
+.globl ecp_nistz256_from_mont
+
+.def ecp_nistz256_from_mont
+ .type 32
+.endef
+.align 4
+ecp_nistz256_from_mont:
+ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-32]!
+ add x29,sp,#0
+ stp x19,x20,[sp,#16]
+
+ mov x3,#1 // bp[0]
+ ldp x4,x5,[x1]
+ ldp x6,x7,[x1,#16]
+ ldr x12,Lpoly+8
+ ldr x13,Lpoly+24
+ adr x2,Lone // &bp[0]
+
+ bl __ecp_nistz256_mul_mont
+
+ ldp x19,x20,[sp,#16]
+ ldp x29,x30,[sp],#32
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+
+
+// void ecp_nistz256_mul_mont(BN_ULONG x0[4],const BN_ULONG x1[4],
+// const BN_ULONG x2[4]);
+.globl ecp_nistz256_mul_mont
+
+.def ecp_nistz256_mul_mont
+ .type 32
+.endef
+.align 4
+ecp_nistz256_mul_mont:
+ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-32]!
+ add x29,sp,#0
+ stp x19,x20,[sp,#16]
+
+ ldr x3,[x2] // bp[0]
+ ldp x4,x5,[x1]
+ ldp x6,x7,[x1,#16]
+ ldr x12,Lpoly+8
+ ldr x13,Lpoly+24
+
+ bl __ecp_nistz256_mul_mont
+
+ ldp x19,x20,[sp,#16]
+ ldp x29,x30,[sp],#32
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+
+
+// void ecp_nistz256_sqr_mont(BN_ULONG x0[4],const BN_ULONG x1[4]);
+.globl ecp_nistz256_sqr_mont
+
+.def ecp_nistz256_sqr_mont
+ .type 32
+.endef
+.align 4
+ecp_nistz256_sqr_mont:
+ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-32]!
+ add x29,sp,#0
+ stp x19,x20,[sp,#16]
+
+ ldp x4,x5,[x1]
+ ldp x6,x7,[x1,#16]
+ ldr x12,Lpoly+8
+ ldr x13,Lpoly+24
+
+ bl __ecp_nistz256_sqr_mont
+
+ ldp x19,x20,[sp,#16]
+ ldp x29,x30,[sp],#32
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+
+
+// void ecp_nistz256_div_by_2(BN_ULONG x0[4],const BN_ULONG x1[4]);
+.globl ecp_nistz256_div_by_2
+
+.def ecp_nistz256_div_by_2
+ .type 32
+.endef
+.align 4
+ecp_nistz256_div_by_2:
+ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-16]!
+ add x29,sp,#0
+
+ ldp x14,x15,[x1]
+ ldp x16,x17,[x1,#16]
+ ldr x12,Lpoly+8
+ ldr x13,Lpoly+24
+
+ bl __ecp_nistz256_div_by_2
+
+ ldp x29,x30,[sp],#16
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+
+
+// void ecp_nistz256_mul_by_2(BN_ULONG x0[4],const BN_ULONG x1[4]);
+.globl ecp_nistz256_mul_by_2
+
+.def ecp_nistz256_mul_by_2
+ .type 32
+.endef
+.align 4
+ecp_nistz256_mul_by_2:
+ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-16]!
+ add x29,sp,#0
+
+ ldp x14,x15,[x1]
+ ldp x16,x17,[x1,#16]
+ ldr x12,Lpoly+8
+ ldr x13,Lpoly+24
+ mov x8,x14
+ mov x9,x15
+ mov x10,x16
+ mov x11,x17
+
+ bl __ecp_nistz256_add_to // ret = a+a // 2*a
+
+ ldp x29,x30,[sp],#16
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+
+
+// void ecp_nistz256_mul_by_3(BN_ULONG x0[4],const BN_ULONG x1[4]);
+.globl ecp_nistz256_mul_by_3
+
+.def ecp_nistz256_mul_by_3
+ .type 32
+.endef
+.align 4
+ecp_nistz256_mul_by_3:
+ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-16]!
+ add x29,sp,#0
+
+ ldp x14,x15,[x1]
+ ldp x16,x17,[x1,#16]
+ ldr x12,Lpoly+8
+ ldr x13,Lpoly+24
+ mov x8,x14
+ mov x9,x15
+ mov x10,x16
+ mov x11,x17
+ mov x4,x14
+ mov x5,x15
+ mov x6,x16
+ mov x7,x17
+
+ bl __ecp_nistz256_add_to // ret = a+a // 2*a
+
+ mov x8,x4
+ mov x9,x5
+ mov x10,x6
+ mov x11,x7
+
+ bl __ecp_nistz256_add_to // ret += a // 2*a+a=3*a
+
+ ldp x29,x30,[sp],#16
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+
+
+// void ecp_nistz256_sub(BN_ULONG x0[4],const BN_ULONG x1[4],
+// const BN_ULONG x2[4]);
+.globl ecp_nistz256_sub
+
+.def ecp_nistz256_sub
+ .type 32
+.endef
+.align 4
+ecp_nistz256_sub:
+ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-16]!
+ add x29,sp,#0
+
+ ldp x14,x15,[x1]
+ ldp x16,x17,[x1,#16]
+ ldr x12,Lpoly+8
+ ldr x13,Lpoly+24
+
+ bl __ecp_nistz256_sub_from
+
+ ldp x29,x30,[sp],#16
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+
+
+// void ecp_nistz256_neg(BN_ULONG x0[4],const BN_ULONG x1[4]);
+.globl ecp_nistz256_neg
+
+.def ecp_nistz256_neg
+ .type 32
+.endef
+.align 4
+ecp_nistz256_neg:
+ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-16]!
+ add x29,sp,#0
+
+ mov x2,x1
+ mov x14,xzr // a = 0
+ mov x15,xzr
+ mov x16,xzr
+ mov x17,xzr
+ ldr x12,Lpoly+8
+ ldr x13,Lpoly+24
+
+ bl __ecp_nistz256_sub_from
+
+ ldp x29,x30,[sp],#16
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+
+
+// note that __ecp_nistz256_mul_mont expects a[0-3] input pre-loaded
+// to x4-x7 and b[0] - to x3
+.def __ecp_nistz256_mul_mont
+ .type 32
+.endef
+.align 4
+__ecp_nistz256_mul_mont:
+ mul x14,x4,x3 // a[0]*b[0]
+ umulh x8,x4,x3
+
+ mul x15,x5,x3 // a[1]*b[0]
+ umulh x9,x5,x3
+
+ mul x16,x6,x3 // a[2]*b[0]
+ umulh x10,x6,x3
+
+ mul x17,x7,x3 // a[3]*b[0]
+ umulh x11,x7,x3
+ ldr x3,[x2,#8] // b[1]
+
+ adds x15,x15,x8 // accumulate high parts of multiplication
+ lsl x8,x14,#32
+ adcs x16,x16,x9
+ lsr x9,x14,#32
+ adcs x17,x17,x10
+ adc x19,xzr,x11
+ mov x20,xzr
+ subs x10,x14,x8 // "*0xffff0001"
+ sbc x11,x14,x9
+ adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0]
+ mul x8,x4,x3 // lo(a[0]*b[i])
+ adcs x15,x16,x9
+ mul x9,x5,x3 // lo(a[1]*b[i])
+ adcs x16,x17,x10 // +=acc[0]*0xffff0001
+ mul x10,x6,x3 // lo(a[2]*b[i])
+ adcs x17,x19,x11
+ mul x11,x7,x3 // lo(a[3]*b[i])
+ adc x19,x20,xzr
+
+ adds x14,x14,x8 // accumulate low parts of multiplication
+ umulh x8,x4,x3 // hi(a[0]*b[i])
+ adcs x15,x15,x9
+ umulh x9,x5,x3 // hi(a[1]*b[i])
+ adcs x16,x16,x10
+ umulh x10,x6,x3 // hi(a[2]*b[i])
+ adcs x17,x17,x11
+ umulh x11,x7,x3 // hi(a[3]*b[i])
+ adc x19,x19,xzr
+ ldr x3,[x2,#8*(1+1)] // b[1+1]
+ adds x15,x15,x8 // accumulate high parts of multiplication
+ lsl x8,x14,#32
+ adcs x16,x16,x9
+ lsr x9,x14,#32
+ adcs x17,x17,x10
+ adcs x19,x19,x11
+ adc x20,xzr,xzr
+ subs x10,x14,x8 // "*0xffff0001"
+ sbc x11,x14,x9
+ adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0]
+ mul x8,x4,x3 // lo(a[0]*b[i])
+ adcs x15,x16,x9
+ mul x9,x5,x3 // lo(a[1]*b[i])
+ adcs x16,x17,x10 // +=acc[0]*0xffff0001
+ mul x10,x6,x3 // lo(a[2]*b[i])
+ adcs x17,x19,x11
+ mul x11,x7,x3 // lo(a[3]*b[i])
+ adc x19,x20,xzr
+
+ adds x14,x14,x8 // accumulate low parts of multiplication
+ umulh x8,x4,x3 // hi(a[0]*b[i])
+ adcs x15,x15,x9
+ umulh x9,x5,x3 // hi(a[1]*b[i])
+ adcs x16,x16,x10
+ umulh x10,x6,x3 // hi(a[2]*b[i])
+ adcs x17,x17,x11
+ umulh x11,x7,x3 // hi(a[3]*b[i])
+ adc x19,x19,xzr
+ ldr x3,[x2,#8*(2+1)] // b[2+1]
+ adds x15,x15,x8 // accumulate high parts of multiplication
+ lsl x8,x14,#32
+ adcs x16,x16,x9
+ lsr x9,x14,#32
+ adcs x17,x17,x10
+ adcs x19,x19,x11
+ adc x20,xzr,xzr
+ subs x10,x14,x8 // "*0xffff0001"
+ sbc x11,x14,x9
+ adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0]
+ mul x8,x4,x3 // lo(a[0]*b[i])
+ adcs x15,x16,x9
+ mul x9,x5,x3 // lo(a[1]*b[i])
+ adcs x16,x17,x10 // +=acc[0]*0xffff0001
+ mul x10,x6,x3 // lo(a[2]*b[i])
+ adcs x17,x19,x11
+ mul x11,x7,x3 // lo(a[3]*b[i])
+ adc x19,x20,xzr
+
+ adds x14,x14,x8 // accumulate low parts of multiplication
+ umulh x8,x4,x3 // hi(a[0]*b[i])
+ adcs x15,x15,x9
+ umulh x9,x5,x3 // hi(a[1]*b[i])
+ adcs x16,x16,x10
+ umulh x10,x6,x3 // hi(a[2]*b[i])
+ adcs x17,x17,x11
+ umulh x11,x7,x3 // hi(a[3]*b[i])
+ adc x19,x19,xzr
+ adds x15,x15,x8 // accumulate high parts of multiplication
+ lsl x8,x14,#32
+ adcs x16,x16,x9
+ lsr x9,x14,#32
+ adcs x17,x17,x10
+ adcs x19,x19,x11
+ adc x20,xzr,xzr
+ // last reduction
+ subs x10,x14,x8 // "*0xffff0001"
+ sbc x11,x14,x9
+ adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0]
+ adcs x15,x16,x9
+ adcs x16,x17,x10 // +=acc[0]*0xffff0001
+ adcs x17,x19,x11
+ adc x19,x20,xzr
+
+ adds x8,x14,#1 // subs x8,x14,#-1 // tmp = ret-modulus
+ sbcs x9,x15,x12
+ sbcs x10,x16,xzr
+ sbcs x11,x17,x13
+ sbcs xzr,x19,xzr // did it borrow?
+
+ csel x14,x14,x8,lo // ret = borrow ? ret : ret-modulus
+ csel x15,x15,x9,lo
+ csel x16,x16,x10,lo
+ stp x14,x15,[x0]
+ csel x17,x17,x11,lo
+ stp x16,x17,[x0,#16]
+
+ ret
+
+
+// note that __ecp_nistz256_sqr_mont expects a[0-3] input pre-loaded
+// to x4-x7
+.def __ecp_nistz256_sqr_mont
+ .type 32
+.endef
+.align 4
+__ecp_nistz256_sqr_mont:
+ // | | | | | |a1*a0| |
+ // | | | | |a2*a0| | |
+ // | |a3*a2|a3*a0| | | |
+ // | | | |a2*a1| | | |
+ // | | |a3*a1| | | | |
+ // *| | | | | | | | 2|
+ // +|a3*a3|a2*a2|a1*a1|a0*a0|
+ // |--+--+--+--+--+--+--+--|
+ // |A7|A6|A5|A4|A3|A2|A1|A0|, where Ax is , i.e. follow
+ //
+ // "can't overflow" below mark carrying into high part of
+ // multiplication result, which can't overflow, because it
+ // can never be all ones.
+
+ mul x15,x5,x4 // a[1]*a[0]
+ umulh x9,x5,x4
+ mul x16,x6,x4 // a[2]*a[0]
+ umulh x10,x6,x4
+ mul x17,x7,x4 // a[3]*a[0]
+ umulh x19,x7,x4
+
+ adds x16,x16,x9 // accumulate high parts of multiplication
+ mul x8,x6,x5 // a[2]*a[1]
+ umulh x9,x6,x5
+ adcs x17,x17,x10
+ mul x10,x7,x5 // a[3]*a[1]
+ umulh x11,x7,x5
+ adc x19,x19,xzr // can't overflow
+
+ mul x20,x7,x6 // a[3]*a[2]
+ umulh x1,x7,x6
+
+ adds x9,x9,x10 // accumulate high parts of multiplication
+ mul x14,x4,x4 // a[0]*a[0]
+ adc x10,x11,xzr // can't overflow
+
+ adds x17,x17,x8 // accumulate low parts of multiplication
+ umulh x4,x4,x4
+ adcs x19,x19,x9
+ mul x9,x5,x5 // a[1]*a[1]
+ adcs x20,x20,x10
+ umulh x5,x5,x5
+ adc x1,x1,xzr // can't overflow
+
+ adds x15,x15,x15 // acc[1-6]*=2
+ mul x10,x6,x6 // a[2]*a[2]
+ adcs x16,x16,x16
+ umulh x6,x6,x6
+ adcs x17,x17,x17
+ mul x11,x7,x7 // a[3]*a[3]
+ adcs x19,x19,x19
+ umulh x7,x7,x7
+ adcs x20,x20,x20
+ adcs x1,x1,x1
+ adc x2,xzr,xzr
+
+ adds x15,x15,x4 // +a[i]*a[i]
+ adcs x16,x16,x9
+ adcs x17,x17,x5
+ adcs x19,x19,x10
+ adcs x20,x20,x6
+ lsl x8,x14,#32
+ adcs x1,x1,x11
+ lsr x9,x14,#32
+ adc x2,x2,x7
+ subs x10,x14,x8 // "*0xffff0001"
+ sbc x11,x14,x9
+ adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0]
+ adcs x15,x16,x9
+ lsl x8,x14,#32
+ adcs x16,x17,x10 // +=acc[0]*0xffff0001
+ lsr x9,x14,#32
+ adc x17,x11,xzr // can't overflow
+ subs x10,x14,x8 // "*0xffff0001"
+ sbc x11,x14,x9
+ adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0]
+ adcs x15,x16,x9
+ lsl x8,x14,#32
+ adcs x16,x17,x10 // +=acc[0]*0xffff0001
+ lsr x9,x14,#32
+ adc x17,x11,xzr // can't overflow
+ subs x10,x14,x8 // "*0xffff0001"
+ sbc x11,x14,x9
+ adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0]
+ adcs x15,x16,x9
+ lsl x8,x14,#32
+ adcs x16,x17,x10 // +=acc[0]*0xffff0001
+ lsr x9,x14,#32
+ adc x17,x11,xzr // can't overflow
+ subs x10,x14,x8 // "*0xffff0001"
+ sbc x11,x14,x9
+ adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0]
+ adcs x15,x16,x9
+ adcs x16,x17,x10 // +=acc[0]*0xffff0001
+ adc x17,x11,xzr // can't overflow
+
+ adds x14,x14,x19 // accumulate upper half
+ adcs x15,x15,x20
+ adcs x16,x16,x1
+ adcs x17,x17,x2
+ adc x19,xzr,xzr
+
+ adds x8,x14,#1 // subs x8,x14,#-1 // tmp = ret-modulus
+ sbcs x9,x15,x12
+ sbcs x10,x16,xzr
+ sbcs x11,x17,x13
+ sbcs xzr,x19,xzr // did it borrow?
+
+ csel x14,x14,x8,lo // ret = borrow ? ret : ret-modulus
+ csel x15,x15,x9,lo
+ csel x16,x16,x10,lo
+ stp x14,x15,[x0]
+ csel x17,x17,x11,lo
+ stp x16,x17,[x0,#16]
+
+ ret
+
+
+// Note that __ecp_nistz256_add_to expects both input vectors pre-loaded to
+// x4-x7 and x8-x11. This is done because it's used in multiple
+// contexts, e.g. in multiplication by 2 and 3...
+.def __ecp_nistz256_add_to
+ .type 32
+.endef
+.align 4
+__ecp_nistz256_add_to:
+ adds x14,x14,x8 // ret = a+b
+ adcs x15,x15,x9
+ adcs x16,x16,x10
+ adcs x17,x17,x11
+ adc x1,xzr,xzr // zap x1
+
+ adds x8,x14,#1 // subs x8,x4,#-1 // tmp = ret-modulus
+ sbcs x9,x15,x12
+ sbcs x10,x16,xzr
+ sbcs x11,x17,x13
+ sbcs xzr,x1,xzr // did subtraction borrow?
+
+ csel x14,x14,x8,lo // ret = borrow ? ret : ret-modulus
+ csel x15,x15,x9,lo
+ csel x16,x16,x10,lo
+ stp x14,x15,[x0]
+ csel x17,x17,x11,lo
+ stp x16,x17,[x0,#16]
+
+ ret
+
+
+.def __ecp_nistz256_sub_from
+ .type 32
+.endef
+.align 4
+__ecp_nistz256_sub_from:
+ ldp x8,x9,[x2]
+ ldp x10,x11,[x2,#16]
+ subs x14,x14,x8 // ret = a-b
+ sbcs x15,x15,x9
+ sbcs x16,x16,x10
+ sbcs x17,x17,x11
+ sbc x1,xzr,xzr // zap x1
+
+ subs x8,x14,#1 // adds x8,x4,#-1 // tmp = ret+modulus
+ adcs x9,x15,x12
+ adcs x10,x16,xzr
+ adc x11,x17,x13
+ cmp x1,xzr // did subtraction borrow?
+
+ csel x14,x14,x8,eq // ret = borrow ? ret+modulus : ret
+ csel x15,x15,x9,eq
+ csel x16,x16,x10,eq
+ stp x14,x15,[x0]
+ csel x17,x17,x11,eq
+ stp x16,x17,[x0,#16]
+
+ ret
+
+
+.def __ecp_nistz256_sub_morf
+ .type 32
+.endef
+.align 4
+__ecp_nistz256_sub_morf:
+ ldp x8,x9,[x2]
+ ldp x10,x11,[x2,#16]
+ subs x14,x8,x14 // ret = b-a
+ sbcs x15,x9,x15
+ sbcs x16,x10,x16
+ sbcs x17,x11,x17
+ sbc x1,xzr,xzr // zap x1
+
+ subs x8,x14,#1 // adds x8,x4,#-1 // tmp = ret+modulus
+ adcs x9,x15,x12
+ adcs x10,x16,xzr
+ adc x11,x17,x13
+ cmp x1,xzr // did subtraction borrow?
+
+ csel x14,x14,x8,eq // ret = borrow ? ret+modulus : ret
+ csel x15,x15,x9,eq
+ csel x16,x16,x10,eq
+ stp x14,x15,[x0]
+ csel x17,x17,x11,eq
+ stp x16,x17,[x0,#16]
+
+ ret
+
+
+.def __ecp_nistz256_div_by_2
+ .type 32
+.endef
+.align 4
+__ecp_nistz256_div_by_2:
+ subs x8,x14,#1 // adds x8,x4,#-1 // tmp = a+modulus
+ adcs x9,x15,x12
+ adcs x10,x16,xzr
+ adcs x11,x17,x13
+ adc x1,xzr,xzr // zap x1
+ tst x14,#1 // is a even?
+
+ csel x14,x14,x8,eq // ret = even ? a : a+modulus
+ csel x15,x15,x9,eq
+ csel x16,x16,x10,eq
+ csel x17,x17,x11,eq
+ csel x1,xzr,x1,eq
+
+ lsr x14,x14,#1 // ret >>= 1
+ orr x14,x14,x15,lsl#63
+ lsr x15,x15,#1
+ orr x15,x15,x16,lsl#63
+ lsr x16,x16,#1
+ orr x16,x16,x17,lsl#63
+ lsr x17,x17,#1
+ stp x14,x15,[x0]
+ orr x17,x17,x1,lsl#63
+ stp x16,x17,[x0,#16]
+
+ ret
+
+.globl ecp_nistz256_point_double
+
+.def ecp_nistz256_point_double
+ .type 32
+.endef
+.align 5
+ecp_nistz256_point_double:
+ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-96]!
+ add x29,sp,#0
+ stp x19,x20,[sp,#16]
+ stp x21,x22,[sp,#32]
+ sub sp,sp,#32*4
+
+Ldouble_shortcut:
+ ldp x14,x15,[x1,#32]
+ mov x21,x0
+ ldp x16,x17,[x1,#48]
+ mov x22,x1
+ ldr x12,Lpoly+8
+ mov x8,x14
+ ldr x13,Lpoly+24
+ mov x9,x15
+ ldp x4,x5,[x22,#64] // forward load for p256_sqr_mont
+ mov x10,x16
+ mov x11,x17
+ ldp x6,x7,[x22,#64+16]
+ add x0,sp,#0
+ bl __ecp_nistz256_add_to // p256_mul_by_2(S, in_y);
+
+ add x0,sp,#64
+ bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Zsqr, in_z);
+
+ ldp x8,x9,[x22]
+ ldp x10,x11,[x22,#16]
+ mov x4,x14 // put Zsqr aside for p256_sub
+ mov x5,x15
+ mov x6,x16
+ mov x7,x17
+ add x0,sp,#32
+ bl __ecp_nistz256_add_to // p256_add(M, Zsqr, in_x);
+
+ add x2,x22,#0
+ mov x14,x4 // restore Zsqr
+ mov x15,x5
+ ldp x4,x5,[sp,#0] // forward load for p256_sqr_mont
+ mov x16,x6
+ mov x17,x7
+ ldp x6,x7,[sp,#0+16]
+ add x0,sp,#64
+ bl __ecp_nistz256_sub_morf // p256_sub(Zsqr, in_x, Zsqr);
+
+ add x0,sp,#0
+ bl __ecp_nistz256_sqr_mont // p256_sqr_mont(S, S);
+
+ ldr x3,[x22,#32]
+ ldp x4,x5,[x22,#64]
+ ldp x6,x7,[x22,#64+16]
+ add x2,x22,#32
+ add x0,sp,#96
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(tmp0, in_z, in_y);
+
+ mov x8,x14
+ mov x9,x15
+ ldp x4,x5,[sp,#0] // forward load for p256_sqr_mont
+ mov x10,x16
+ mov x11,x17
+ ldp x6,x7,[sp,#0+16]
+ add x0,x21,#64
+ bl __ecp_nistz256_add_to // p256_mul_by_2(res_z, tmp0);
+
+ add x0,sp,#96
+ bl __ecp_nistz256_sqr_mont // p256_sqr_mont(tmp0, S);
+
+ ldr x3,[sp,#64] // forward load for p256_mul_mont
+ ldp x4,x5,[sp,#32]
+ ldp x6,x7,[sp,#32+16]
+ add x0,x21,#32
+ bl __ecp_nistz256_div_by_2 // p256_div_by_2(res_y, tmp0);
+
+ add x2,sp,#64
+ add x0,sp,#32
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(M, M, Zsqr);
+
+ mov x8,x14 // duplicate M
+ mov x9,x15
+ mov x10,x16
+ mov x11,x17
+ mov x4,x14 // put M aside
+ mov x5,x15
+ mov x6,x16
+ mov x7,x17
+ add x0,sp,#32
+ bl __ecp_nistz256_add_to
+ mov x8,x4 // restore M
+ mov x9,x5
+ ldr x3,[x22] // forward load for p256_mul_mont
+ mov x10,x6
+ ldp x4,x5,[sp,#0]
+ mov x11,x7
+ ldp x6,x7,[sp,#0+16]
+ bl __ecp_nistz256_add_to // p256_mul_by_3(M, M);
+
+ add x2,x22,#0
+ add x0,sp,#0
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(S, S, in_x);
+
+ mov x8,x14
+ mov x9,x15
+ ldp x4,x5,[sp,#32] // forward load for p256_sqr_mont
+ mov x10,x16
+ mov x11,x17
+ ldp x6,x7,[sp,#32+16]
+ add x0,sp,#96
+ bl __ecp_nistz256_add_to // p256_mul_by_2(tmp0, S);
+
+ add x0,x21,#0
+ bl __ecp_nistz256_sqr_mont // p256_sqr_mont(res_x, M);
+
+ add x2,sp,#96
+ bl __ecp_nistz256_sub_from // p256_sub(res_x, res_x, tmp0);
+
+ add x2,sp,#0
+ add x0,sp,#0
+ bl __ecp_nistz256_sub_morf // p256_sub(S, S, res_x);
+
+ ldr x3,[sp,#32]
+ mov x4,x14 // copy S
+ mov x5,x15
+ mov x6,x16
+ mov x7,x17
+ add x2,sp,#32
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(S, S, M);
+
+ add x2,x21,#32
+ add x0,x21,#32
+ bl __ecp_nistz256_sub_from // p256_sub(res_y, S, res_y);
+
+ add sp,x29,#0 // destroy frame
+ ldp x19,x20,[x29,#16]
+ ldp x21,x22,[x29,#32]
+ ldp x29,x30,[sp],#96
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+
+.globl ecp_nistz256_point_add
+
+.def ecp_nistz256_point_add
+ .type 32
+.endef
+.align 5
+ecp_nistz256_point_add:
+ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-96]!
+ add x29,sp,#0
+ stp x19,x20,[sp,#16]
+ stp x21,x22,[sp,#32]
+ stp x23,x24,[sp,#48]
+ stp x25,x26,[sp,#64]
+ stp x27,x28,[sp,#80]
+ sub sp,sp,#32*12
+
+ ldp x4,x5,[x2,#64] // in2_z
+ ldp x6,x7,[x2,#64+16]
+ mov x21,x0
+ mov x22,x1
+ mov x23,x2
+ ldr x12,Lpoly+8
+ ldr x13,Lpoly+24
+ orr x8,x4,x5
+ orr x10,x6,x7
+ orr x25,x8,x10
+ cmp x25,#0
+ csetm x25,ne // ~in2infty
+ add x0,sp,#192
+ bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Z2sqr, in2_z);
+
+ ldp x4,x5,[x22,#64] // in1_z
+ ldp x6,x7,[x22,#64+16]
+ orr x8,x4,x5
+ orr x10,x6,x7
+ orr x24,x8,x10
+ cmp x24,#0
+ csetm x24,ne // ~in1infty
+ add x0,sp,#128
+ bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Z1sqr, in1_z);
+
+ ldr x3,[x23,#64]
+ ldp x4,x5,[sp,#192]
+ ldp x6,x7,[sp,#192+16]
+ add x2,x23,#64
+ add x0,sp,#320
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(S1, Z2sqr, in2_z);
+
+ ldr x3,[x22,#64]
+ ldp x4,x5,[sp,#128]
+ ldp x6,x7,[sp,#128+16]
+ add x2,x22,#64
+ add x0,sp,#352
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, Z1sqr, in1_z);
+
+ ldr x3,[x22,#32]
+ ldp x4,x5,[sp,#320]
+ ldp x6,x7,[sp,#320+16]
+ add x2,x22,#32
+ add x0,sp,#320
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(S1, S1, in1_y);
+
+ ldr x3,[x23,#32]
+ ldp x4,x5,[sp,#352]
+ ldp x6,x7,[sp,#352+16]
+ add x2,x23,#32
+ add x0,sp,#352
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, S2, in2_y);
+
+ add x2,sp,#320
+ ldr x3,[sp,#192] // forward load for p256_mul_mont
+ ldp x4,x5,[x22]
+ ldp x6,x7,[x22,#16]
+ add x0,sp,#160
+ bl __ecp_nistz256_sub_from // p256_sub(R, S2, S1);
+
+ orr x14,x14,x15 // see if result is zero
+ orr x16,x16,x17
+ orr x26,x14,x16 // ~is_equal(S1,S2)
+
+ add x2,sp,#192
+ add x0,sp,#256
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(U1, in1_x, Z2sqr);
+
+ ldr x3,[sp,#128]
+ ldp x4,x5,[x23]
+ ldp x6,x7,[x23,#16]
+ add x2,sp,#128
+ add x0,sp,#288
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, in2_x, Z1sqr);
+
+ add x2,sp,#256
+ ldp x4,x5,[sp,#160] // forward load for p256_sqr_mont
+ ldp x6,x7,[sp,#160+16]
+ add x0,sp,#96
+ bl __ecp_nistz256_sub_from // p256_sub(H, U2, U1);
+
+ orr x14,x14,x15 // see if result is zero
+ orr x16,x16,x17
+ orr x14,x14,x16 // ~is_equal(U1,U2)
+
+ mvn x27,x24 // -1/0 -> 0/-1
+ mvn x28,x25 // -1/0 -> 0/-1
+ orr x14,x14,x27
+ orr x14,x14,x28
+ orr x14,x14,x26
+ cbnz x14,Ladd_proceed // if(~is_equal(U1,U2) | in1infty | in2infty | ~is_equal(S1,S2))
+
+Ladd_double:
+ mov x1,x22
+ mov x0,x21
+ ldp x23,x24,[x29,#48]
+ ldp x25,x26,[x29,#64]
+ ldp x27,x28,[x29,#80]
+ add sp,sp,#256 // #256 is from #32*(12-4). difference in stack frames
+ b Ldouble_shortcut
+
+.align 4
+Ladd_proceed:
+ add x0,sp,#192
+ bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Rsqr, R);
+
+ ldr x3,[x22,#64]
+ ldp x4,x5,[sp,#96]
+ ldp x6,x7,[sp,#96+16]
+ add x2,x22,#64
+ add x0,sp,#64
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(res_z, H, in1_z);
+
+ ldp x4,x5,[sp,#96]
+ ldp x6,x7,[sp,#96+16]
+ add x0,sp,#128
+ bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Hsqr, H);
+
+ ldr x3,[x23,#64]
+ ldp x4,x5,[sp,#64]
+ ldp x6,x7,[sp,#64+16]
+ add x2,x23,#64
+ add x0,sp,#64
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(res_z, res_z, in2_z);
+
+ ldr x3,[sp,#96]
+ ldp x4,x5,[sp,#128]
+ ldp x6,x7,[sp,#128+16]
+ add x2,sp,#96
+ add x0,sp,#224
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(Hcub, Hsqr, H);
+
+ ldr x3,[sp,#128]
+ ldp x4,x5,[sp,#256]
+ ldp x6,x7,[sp,#256+16]
+ add x2,sp,#128
+ add x0,sp,#288
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, U1, Hsqr);
+
+ mov x8,x14
+ mov x9,x15
+ mov x10,x16
+ mov x11,x17
+ add x0,sp,#128
+ bl __ecp_nistz256_add_to // p256_mul_by_2(Hsqr, U2);
+
+ add x2,sp,#192
+ add x0,sp,#0
+ bl __ecp_nistz256_sub_morf // p256_sub(res_x, Rsqr, Hsqr);
+
+ add x2,sp,#224
+ bl __ecp_nistz256_sub_from // p256_sub(res_x, res_x, Hcub);
+
+ add x2,sp,#288
+ ldr x3,[sp,#224] // forward load for p256_mul_mont
+ ldp x4,x5,[sp,#320]
+ ldp x6,x7,[sp,#320+16]
+ add x0,sp,#32
+ bl __ecp_nistz256_sub_morf // p256_sub(res_y, U2, res_x);
+
+ add x2,sp,#224
+ add x0,sp,#352
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, S1, Hcub);
+
+ ldr x3,[sp,#160]
+ ldp x4,x5,[sp,#32]
+ ldp x6,x7,[sp,#32+16]
+ add x2,sp,#160
+ add x0,sp,#32
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(res_y, res_y, R);
+
+ add x2,sp,#352
+ bl __ecp_nistz256_sub_from // p256_sub(res_y, res_y, S2);
+
+ ldp x4,x5,[sp,#0] // res
+ ldp x6,x7,[sp,#0+16]
+ ldp x8,x9,[x23] // in2
+ ldp x10,x11,[x23,#16]
+ ldp x14,x15,[x22,#0] // in1
+ cmp x24,#0 // ~, remember?
+ ldp x16,x17,[x22,#0+16]
+ csel x8,x4,x8,ne
+ csel x9,x5,x9,ne
+ ldp x4,x5,[sp,#0+0+32] // res
+ csel x10,x6,x10,ne
+ csel x11,x7,x11,ne
+ cmp x25,#0 // ~, remember?
+ ldp x6,x7,[sp,#0+0+48]
+ csel x14,x8,x14,ne
+ csel x15,x9,x15,ne
+ ldp x8,x9,[x23,#0+32] // in2
+ csel x16,x10,x16,ne
+ csel x17,x11,x17,ne
+ ldp x10,x11,[x23,#0+48]
+ stp x14,x15,[x21,#0]
+ stp x16,x17,[x21,#0+16]
+ ldp x14,x15,[x22,#32] // in1
+ cmp x24,#0 // ~, remember?
+ ldp x16,x17,[x22,#32+16]
+ csel x8,x4,x8,ne
+ csel x9,x5,x9,ne
+ ldp x4,x5,[sp,#0+32+32] // res
+ csel x10,x6,x10,ne
+ csel x11,x7,x11,ne
+ cmp x25,#0 // ~, remember?
+ ldp x6,x7,[sp,#0+32+48]
+ csel x14,x8,x14,ne
+ csel x15,x9,x15,ne
+ ldp x8,x9,[x23,#32+32] // in2
+ csel x16,x10,x16,ne
+ csel x17,x11,x17,ne
+ ldp x10,x11,[x23,#32+48]
+ stp x14,x15,[x21,#32]
+ stp x16,x17,[x21,#32+16]
+ ldp x14,x15,[x22,#64] // in1
+ cmp x24,#0 // ~, remember?
+ ldp x16,x17,[x22,#64+16]
+ csel x8,x4,x8,ne
+ csel x9,x5,x9,ne
+ csel x10,x6,x10,ne
+ csel x11,x7,x11,ne
+ cmp x25,#0 // ~, remember?
+ csel x14,x8,x14,ne
+ csel x15,x9,x15,ne
+ csel x16,x10,x16,ne
+ csel x17,x11,x17,ne
+ stp x14,x15,[x21,#64]
+ stp x16,x17,[x21,#64+16]
+
+Ladd_done:
+ add sp,x29,#0 // destroy frame
+ ldp x19,x20,[x29,#16]
+ ldp x21,x22,[x29,#32]
+ ldp x23,x24,[x29,#48]
+ ldp x25,x26,[x29,#64]
+ ldp x27,x28,[x29,#80]
+ ldp x29,x30,[sp],#96
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+
+.globl ecp_nistz256_point_add_affine
+
+.def ecp_nistz256_point_add_affine
+ .type 32
+.endef
+.align 5
+ecp_nistz256_point_add_affine:
+ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-80]!
+ add x29,sp,#0
+ stp x19,x20,[sp,#16]
+ stp x21,x22,[sp,#32]
+ stp x23,x24,[sp,#48]
+ stp x25,x26,[sp,#64]
+ sub sp,sp,#32*10
+
+ mov x21,x0
+ mov x22,x1
+ mov x23,x2
+ ldr x12,Lpoly+8
+ ldr x13,Lpoly+24
+
+ ldp x4,x5,[x1,#64] // in1_z
+ ldp x6,x7,[x1,#64+16]
+ orr x8,x4,x5
+ orr x10,x6,x7
+ orr x24,x8,x10
+ cmp x24,#0
+ csetm x24,ne // ~in1infty
+
+ ldp x14,x15,[x2] // in2_x
+ ldp x16,x17,[x2,#16]
+ ldp x8,x9,[x2,#32] // in2_y
+ ldp x10,x11,[x2,#48]
+ orr x14,x14,x15
+ orr x16,x16,x17
+ orr x8,x8,x9
+ orr x10,x10,x11
+ orr x14,x14,x16
+ orr x8,x8,x10
+ orr x25,x14,x8
+ cmp x25,#0
+ csetm x25,ne // ~in2infty
+
+ add x0,sp,#128
+ bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Z1sqr, in1_z);
+
+ mov x4,x14
+ mov x5,x15
+ mov x6,x16
+ mov x7,x17
+ ldr x3,[x23]
+ add x2,x23,#0
+ add x0,sp,#96
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, Z1sqr, in2_x);
+
+ add x2,x22,#0
+ ldr x3,[x22,#64] // forward load for p256_mul_mont
+ ldp x4,x5,[sp,#128]
+ ldp x6,x7,[sp,#128+16]
+ add x0,sp,#160
+ bl __ecp_nistz256_sub_from // p256_sub(H, U2, in1_x);
+
+ add x2,x22,#64
+ add x0,sp,#128
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, Z1sqr, in1_z);
+
+ ldr x3,[x22,#64]
+ ldp x4,x5,[sp,#160]
+ ldp x6,x7,[sp,#160+16]
+ add x2,x22,#64
+ add x0,sp,#64
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(res_z, H, in1_z);
+
+ ldr x3,[x23,#32]
+ ldp x4,x5,[sp,#128]
+ ldp x6,x7,[sp,#128+16]
+ add x2,x23,#32
+ add x0,sp,#128
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, S2, in2_y);
+
+ add x2,x22,#32
+ ldp x4,x5,[sp,#160] // forward load for p256_sqr_mont
+ ldp x6,x7,[sp,#160+16]
+ add x0,sp,#192
+ bl __ecp_nistz256_sub_from // p256_sub(R, S2, in1_y);
+
+ add x0,sp,#224
+ bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Hsqr, H);
+
+ ldp x4,x5,[sp,#192]
+ ldp x6,x7,[sp,#192+16]
+ add x0,sp,#288
+ bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Rsqr, R);
+
+ ldr x3,[sp,#160]
+ ldp x4,x5,[sp,#224]
+ ldp x6,x7,[sp,#224+16]
+ add x2,sp,#160
+ add x0,sp,#256
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(Hcub, Hsqr, H);
+
+ ldr x3,[x22]
+ ldp x4,x5,[sp,#224]
+ ldp x6,x7,[sp,#224+16]
+ add x2,x22,#0
+ add x0,sp,#96
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, in1_x, Hsqr);
+
+ mov x8,x14
+ mov x9,x15
+ mov x10,x16
+ mov x11,x17
+ add x0,sp,#224
+ bl __ecp_nistz256_add_to // p256_mul_by_2(Hsqr, U2);
+
+ add x2,sp,#288
+ add x0,sp,#0
+ bl __ecp_nistz256_sub_morf // p256_sub(res_x, Rsqr, Hsqr);
+
+ add x2,sp,#256
+ bl __ecp_nistz256_sub_from // p256_sub(res_x, res_x, Hcub);
+
+ add x2,sp,#96
+ ldr x3,[x22,#32] // forward load for p256_mul_mont
+ ldp x4,x5,[sp,#256]
+ ldp x6,x7,[sp,#256+16]
+ add x0,sp,#32
+ bl __ecp_nistz256_sub_morf // p256_sub(res_y, U2, res_x);
+
+ add x2,x22,#32
+ add x0,sp,#128
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, in1_y, Hcub);
+
+ ldr x3,[sp,#192]
+ ldp x4,x5,[sp,#32]
+ ldp x6,x7,[sp,#32+16]
+ add x2,sp,#192
+ add x0,sp,#32
+ bl __ecp_nistz256_mul_mont // p256_mul_mont(res_y, res_y, R);
+
+ add x2,sp,#128
+ bl __ecp_nistz256_sub_from // p256_sub(res_y, res_y, S2);
+
+ ldp x4,x5,[sp,#0] // res
+ ldp x6,x7,[sp,#0+16]
+ ldp x8,x9,[x23] // in2
+ ldp x10,x11,[x23,#16]
+ ldp x14,x15,[x22,#0] // in1
+ cmp x24,#0 // ~, remember?
+ ldp x16,x17,[x22,#0+16]
+ csel x8,x4,x8,ne
+ csel x9,x5,x9,ne
+ ldp x4,x5,[sp,#0+0+32] // res
+ csel x10,x6,x10,ne
+ csel x11,x7,x11,ne
+ cmp x25,#0 // ~, remember?
+ ldp x6,x7,[sp,#0+0+48]
+ csel x14,x8,x14,ne
+ csel x15,x9,x15,ne
+ ldp x8,x9,[x23,#0+32] // in2
+ csel x16,x10,x16,ne
+ csel x17,x11,x17,ne
+ ldp x10,x11,[x23,#0+48]
+ stp x14,x15,[x21,#0]
+ stp x16,x17,[x21,#0+16]
+ adr x23,Lone_mont-64
+ ldp x14,x15,[x22,#32] // in1
+ cmp x24,#0 // ~, remember?
+ ldp x16,x17,[x22,#32+16]
+ csel x8,x4,x8,ne
+ csel x9,x5,x9,ne
+ ldp x4,x5,[sp,#0+32+32] // res
+ csel x10,x6,x10,ne
+ csel x11,x7,x11,ne
+ cmp x25,#0 // ~, remember?
+ ldp x6,x7,[sp,#0+32+48]
+ csel x14,x8,x14,ne
+ csel x15,x9,x15,ne
+ ldp x8,x9,[x23,#32+32] // in2
+ csel x16,x10,x16,ne
+ csel x17,x11,x17,ne
+ ldp x10,x11,[x23,#32+48]
+ stp x14,x15,[x21,#32]
+ stp x16,x17,[x21,#32+16]
+ ldp x14,x15,[x22,#64] // in1
+ cmp x24,#0 // ~, remember?
+ ldp x16,x17,[x22,#64+16]
+ csel x8,x4,x8,ne
+ csel x9,x5,x9,ne
+ csel x10,x6,x10,ne
+ csel x11,x7,x11,ne
+ cmp x25,#0 // ~, remember?
+ csel x14,x8,x14,ne
+ csel x15,x9,x15,ne
+ csel x16,x10,x16,ne
+ csel x17,x11,x17,ne
+ stp x14,x15,[x21,#64]
+ stp x16,x17,[x21,#64+16]
+
+ add sp,x29,#0 // destroy frame
+ ldp x19,x20,[x29,#16]
+ ldp x21,x22,[x29,#32]
+ ldp x23,x24,[x29,#48]
+ ldp x25,x26,[x29,#64]
+ ldp x29,x30,[sp],#80
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+
+////////////////////////////////////////////////////////////////////////
+// void ecp_nistz256_ord_mul_mont(uint64_t res[4], uint64_t a[4],
+// uint64_t b[4]);
+.globl ecp_nistz256_ord_mul_mont
+
+.def ecp_nistz256_ord_mul_mont
+ .type 32
+.endef
+.align 4
+ecp_nistz256_ord_mul_mont:
+ AARCH64_VALID_CALL_TARGET
+ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.
+ stp x29,x30,[sp,#-64]!
+ add x29,sp,#0
+ stp x19,x20,[sp,#16]
+ stp x21,x22,[sp,#32]
+ stp x23,x24,[sp,#48]
+
+ adr x23,Lord
+ ldr x3,[x2] // bp[0]
+ ldp x4,x5,[x1]
+ ldp x6,x7,[x1,#16]
+
+ ldp x12,x13,[x23,#0]
+ ldp x21,x22,[x23,#16]
+ ldr x23,[x23,#32]
+
+ mul x14,x4,x3 // a[0]*b[0]
+ umulh x8,x4,x3
+
+ mul x15,x5,x3 // a[1]*b[0]
+ umulh x9,x5,x3
+
+ mul x16,x6,x3 // a[2]*b[0]
+ umulh x10,x6,x3
+
+ mul x17,x7,x3 // a[3]*b[0]
+ umulh x19,x7,x3
+
+ mul x24,x14,x23
+
+ adds x15,x15,x8 // accumulate high parts of multiplication
+ adcs x16,x16,x9
+ adcs x17,x17,x10
+ adc x19,x19,xzr
+ mov x20,xzr
+ ldr x3,[x2,#8*1] // b[i]
+
+ lsl x8,x24,#32
+ subs x16,x16,x24
+ lsr x9,x24,#32
+ sbcs x17,x17,x8
+ sbcs x19,x19,x9
+ sbc x20,x20,xzr
+
+ subs xzr,x14,#1
+ umulh x9,x12,x24
+ mul x10,x13,x24
+ umulh x11,x13,x24
+
+ adcs x10,x10,x9
+ mul x8,x4,x3
+ adc x11,x11,xzr
+ mul x9,x5,x3
+
+ adds x14,x15,x10
+ mul x10,x6,x3
+ adcs x15,x16,x11
+ mul x11,x7,x3
+ adcs x16,x17,x24
+ adcs x17,x19,x24
+ adc x19,x20,xzr
+
+ adds x14,x14,x8 // accumulate low parts
+ umulh x8,x4,x3
+ adcs x15,x15,x9
+ umulh x9,x5,x3
+ adcs x16,x16,x10
+ umulh x10,x6,x3
+ adcs x17,x17,x11
+ umulh x11,x7,x3
+ adc x19,x19,xzr
+ mul x24,x14,x23
+ adds x15,x15,x8 // accumulate high parts
+ adcs x16,x16,x9
+ adcs x17,x17,x10
+ adcs x19,x19,x11
+ adc x20,xzr,xzr
+ ldr x3,[x2,#8*2] // b[i]
+
+ lsl x8,x24,#32
+ subs x16,x16,x24
+ lsr x9,x24,#32
+ sbcs x17,x17,x8
+ sbcs x19,x19,x9
+ sbc x20,x20,xzr
+
+ subs xzr,x14,#1
+ umulh x9,x12,x24
+ mul x10,x13,x24
+ umulh x11,x13,x24
+
+ adcs x10,x10,x9
+ mul x8,x4,x3
+ adc x11,x11,xzr
+ mul x9,x5,x3
+
+ adds x14,x15,x10
+ mul x10,x6,x3
+ adcs x15,x16,x11
+ mul x11,x7,x3
+ adcs x16,x17,x24
+ adcs x17,x19,x24
+ adc x19,x20,xzr
+
+ adds x14,x14,x8 // accumulate low parts
+ umulh x8,x4,x3
+ adcs x15,x15,x9
+ umulh x9,x5,x3
+ adcs x16,x16,x10
+ umulh x10,x6,x3
+ adcs x17,x17,x11
+ umulh x11,x7,x3
+ adc x19,x19,xzr
+ mul x24,x14,x23
+ adds x15,x15,x8 // accumulate high parts
+ adcs x16,x16,x9
+ adcs x17,x17,x10
+ adcs x19,x19,x11
+ adc x20,xzr,xzr
+ ldr x3,[x2,#8*3] // b[i]
+
+ lsl x8,x24,#32
+ subs x16,x16,x24
+ lsr x9,x24,#32
+ sbcs x17,x17,x8
+ sbcs x19,x19,x9
+ sbc x20,x20,xzr
+
+ subs xzr,x14,#1
+ umulh x9,x12,x24
+ mul x10,x13,x24
+ umulh x11,x13,x24
+
+ adcs x10,x10,x9
+ mul x8,x4,x3
+ adc x11,x11,xzr
+ mul x9,x5,x3
+
+ adds x14,x15,x10
+ mul x10,x6,x3
+ adcs x15,x16,x11
+ mul x11,x7,x3
+ adcs x16,x17,x24
+ adcs x17,x19,x24
+ adc x19,x20,xzr
+
+ adds x14,x14,x8 // accumulate low parts
+ umulh x8,x4,x3
+ adcs x15,x15,x9
+ umulh x9,x5,x3
+ adcs x16,x16,x10
+ umulh x10,x6,x3
+ adcs x17,x17,x11
+ umulh x11,x7,x3
+ adc x19,x19,xzr
+ mul x24,x14,x23
+ adds x15,x15,x8 // accumulate high parts
+ adcs x16,x16,x9
+ adcs x17,x17,x10
+ adcs x19,x19,x11
+ adc x20,xzr,xzr
+ lsl x8,x24,#32 // last reduction
+ subs x16,x16,x24
+ lsr x9,x24,#32
+ sbcs x17,x17,x8
+ sbcs x19,x19,x9
+ sbc x20,x20,xzr
+
+ subs xzr,x14,#1
+ umulh x9,x12,x24
+ mul x10,x13,x24
+ umulh x11,x13,x24
+
+ adcs x10,x10,x9
+ adc x11,x11,xzr
+
+ adds x14,x15,x10
+ adcs x15,x16,x11
+ adcs x16,x17,x24
+ adcs x17,x19,x24
+ adc x19,x20,xzr
+
+ subs x8,x14,x12 // ret -= modulus
+ sbcs x9,x15,x13
+ sbcs x10,x16,x21
+ sbcs x11,x17,x22
+ sbcs xzr,x19,xzr
+
+ csel x14,x14,x8,lo // ret = borrow ? ret : ret-modulus
+ csel x15,x15,x9,lo
+ csel x16,x16,x10,lo
+ stp x14,x15,[x0]
+ csel x17,x17,x11,lo
+ stp x16,x17,[x0,#16]
+
+ ldp x19,x20,[sp,#16]
+ ldp x21,x22,[sp,#32]
+ ldp x23,x24,[sp,#48]
+ ldr x29,[sp],#64
+ ret
+
+
+////////////////////////////////////////////////////////////////////////
+// void ecp_nistz256_ord_sqr_mont(uint64_t res[4], uint64_t a[4],
+// int rep);
+.globl ecp_nistz256_ord_sqr_mont
+
+.def ecp_nistz256_ord_sqr_mont
+ .type 32
+.endef
+.align 4
+ecp_nistz256_ord_sqr_mont:
+ AARCH64_VALID_CALL_TARGET
+ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.
+ stp x29,x30,[sp,#-64]!
+ add x29,sp,#0
+ stp x19,x20,[sp,#16]
+ stp x21,x22,[sp,#32]
+ stp x23,x24,[sp,#48]
+
+ adr x23,Lord
+ ldp x4,x5,[x1]
+ ldp x6,x7,[x1,#16]
+
+ ldp x12,x13,[x23,#0]
+ ldp x21,x22,[x23,#16]
+ ldr x23,[x23,#32]
+ b Loop_ord_sqr
+
+.align 4
+Loop_ord_sqr:
+ sub x2,x2,#1
+ ////////////////////////////////////////////////////////////////
+ // | | | | | |a1*a0| |
+ // | | | | |a2*a0| | |
+ // | |a3*a2|a3*a0| | | |
+ // | | | |a2*a1| | | |
+ // | | |a3*a1| | | | |
+ // *| | | | | | | | 2|
+ // +|a3*a3|a2*a2|a1*a1|a0*a0|
+ // |--+--+--+--+--+--+--+--|
+ // |A7|A6|A5|A4|A3|A2|A1|A0|, where Ax is , i.e. follow
+ //
+ // "can't overflow" below mark carrying into high part of
+ // multiplication result, which can't overflow, because it
+ // can never be all ones.
+
+ mul x15,x5,x4 // a[1]*a[0]
+ umulh x9,x5,x4
+ mul x16,x6,x4 // a[2]*a[0]
+ umulh x10,x6,x4
+ mul x17,x7,x4 // a[3]*a[0]
+ umulh x19,x7,x4
+
+ adds x16,x16,x9 // accumulate high parts of multiplication
+ mul x8,x6,x5 // a[2]*a[1]
+ umulh x9,x6,x5
+ adcs x17,x17,x10
+ mul x10,x7,x5 // a[3]*a[1]
+ umulh x11,x7,x5
+ adc x19,x19,xzr // can't overflow
+
+ mul x20,x7,x6 // a[3]*a[2]
+ umulh x1,x7,x6
+
+ adds x9,x9,x10 // accumulate high parts of multiplication
+ mul x14,x4,x4 // a[0]*a[0]
+ adc x10,x11,xzr // can't overflow
+
+ adds x17,x17,x8 // accumulate low parts of multiplication
+ umulh x4,x4,x4
+ adcs x19,x19,x9
+ mul x9,x5,x5 // a[1]*a[1]
+ adcs x20,x20,x10
+ umulh x5,x5,x5
+ adc x1,x1,xzr // can't overflow
+
+ adds x15,x15,x15 // acc[1-6]*=2
+ mul x10,x6,x6 // a[2]*a[2]
+ adcs x16,x16,x16
+ umulh x6,x6,x6
+ adcs x17,x17,x17
+ mul x11,x7,x7 // a[3]*a[3]
+ adcs x19,x19,x19
+ umulh x7,x7,x7
+ adcs x20,x20,x20
+ adcs x1,x1,x1
+ adc x3,xzr,xzr
+
+ adds x15,x15,x4 // +a[i]*a[i]
+ mul x24,x14,x23
+ adcs x16,x16,x9
+ adcs x17,x17,x5
+ adcs x19,x19,x10
+ adcs x20,x20,x6
+ adcs x1,x1,x11
+ adc x3,x3,x7
+ subs xzr,x14,#1
+ umulh x9,x12,x24
+ mul x10,x13,x24
+ umulh x11,x13,x24
+
+ adcs x10,x10,x9
+ adc x11,x11,xzr
+
+ adds x14,x15,x10
+ adcs x15,x16,x11
+ adcs x16,x17,x24
+ adc x17,xzr,x24 // can't overflow
+ mul x11,x14,x23
+ lsl x8,x24,#32
+ subs x15,x15,x24
+ lsr x9,x24,#32
+ sbcs x16,x16,x8
+ sbc x17,x17,x9 // can't borrow
+ subs xzr,x14,#1
+ umulh x9,x12,x11
+ mul x10,x13,x11
+ umulh x24,x13,x11
+
+ adcs x10,x10,x9
+ adc x24,x24,xzr
+
+ adds x14,x15,x10
+ adcs x15,x16,x24
+ adcs x16,x17,x11
+ adc x17,xzr,x11 // can't overflow
+ mul x24,x14,x23
+ lsl x8,x11,#32
+ subs x15,x15,x11
+ lsr x9,x11,#32
+ sbcs x16,x16,x8
+ sbc x17,x17,x9 // can't borrow
+ subs xzr,x14,#1
+ umulh x9,x12,x24
+ mul x10,x13,x24
+ umulh x11,x13,x24
+
+ adcs x10,x10,x9
+ adc x11,x11,xzr
+
+ adds x14,x15,x10
+ adcs x15,x16,x11
+ adcs x16,x17,x24
+ adc x17,xzr,x24 // can't overflow
+ mul x11,x14,x23
+ lsl x8,x24,#32
+ subs x15,x15,x24
+ lsr x9,x24,#32
+ sbcs x16,x16,x8
+ sbc x17,x17,x9 // can't borrow
+ subs xzr,x14,#1
+ umulh x9,x12,x11
+ mul x10,x13,x11
+ umulh x24,x13,x11
+
+ adcs x10,x10,x9
+ adc x24,x24,xzr
+
+ adds x14,x15,x10
+ adcs x15,x16,x24
+ adcs x16,x17,x11
+ adc x17,xzr,x11 // can't overflow
+ lsl x8,x11,#32
+ subs x15,x15,x11
+ lsr x9,x11,#32
+ sbcs x16,x16,x8
+ sbc x17,x17,x9 // can't borrow
+ adds x14,x14,x19 // accumulate upper half
+ adcs x15,x15,x20
+ adcs x16,x16,x1
+ adcs x17,x17,x3
+ adc x19,xzr,xzr
+
+ subs x8,x14,x12 // ret -= modulus
+ sbcs x9,x15,x13
+ sbcs x10,x16,x21
+ sbcs x11,x17,x22
+ sbcs xzr,x19,xzr
+
+ csel x4,x14,x8,lo // ret = borrow ? ret : ret-modulus
+ csel x5,x15,x9,lo
+ csel x6,x16,x10,lo
+ csel x7,x17,x11,lo
+
+ cbnz x2,Loop_ord_sqr
+
+ stp x4,x5,[x0]
+ stp x6,x7,[x0,#16]
+
+ ldp x19,x20,[sp,#16]
+ ldp x21,x22,[sp,#32]
+ ldp x23,x24,[sp,#48]
+ ldr x29,[sp],#64
+ ret
+
+////////////////////////////////////////////////////////////////////////
+// void ecp_nistz256_select_w5(uint64_t *val, uint64_t *in_t, int index);
+.globl ecp_nistz256_select_w5
+
+.def ecp_nistz256_select_w5
+ .type 32
+.endef
+.align 4
+ecp_nistz256_select_w5:
+ AARCH64_VALID_CALL_TARGET
+
+ // x10 := x0
+ // w9 := 0; loop counter and incremented internal index
+ mov x10, x0
+ mov w9, #0
+
+ // [v16-v21] := 0
+ movi v16.16b, #0
+ movi v17.16b, #0
+ movi v18.16b, #0
+ movi v19.16b, #0
+ movi v20.16b, #0
+ movi v21.16b, #0
+
+Lselect_w5_loop:
+ // Loop 16 times.
+
+ // Increment index (loop counter); tested at the end of the loop
+ add w9, w9, #1
+
+ // [v22-v27] := Load a (3*256-bit = 6*128-bit) table entry starting at x1
+ // and advance x1 to point to the next entry
+ ld1 {v22.2d, v23.2d, v24.2d, v25.2d}, [x1],#64
+
+ // x11 := (w9 == w2)? All 1s : All 0s
+ cmp w9, w2
+ csetm x11, eq
+
+ // continue loading ...
+ ld1 {v26.2d, v27.2d}, [x1],#32
+
+ // duplicate mask_64 into Mask (all 0s or all 1s)
+ dup v3.2d, x11
+
+ // [v16-v19] := (Mask == all 1s)? [v22-v25] : [v16-v19]
+ // i.e., values in output registers will remain the same if w9 != w2
+ bit v16.16b, v22.16b, v3.16b
+ bit v17.16b, v23.16b, v3.16b
+
+ bit v18.16b, v24.16b, v3.16b
+ bit v19.16b, v25.16b, v3.16b
+
+ bit v20.16b, v26.16b, v3.16b
+ bit v21.16b, v27.16b, v3.16b
+
+ // If bit #4 is not 0 (i.e. idx_ctr < 16) loop back
+ tbz w9, #4, Lselect_w5_loop
+
+ // Write [v16-v21] to memory at the output pointer
+ st1 {v16.2d, v17.2d, v18.2d, v19.2d}, [x10],#64
+ st1 {v20.2d, v21.2d}, [x10]
+
+ ret
+
+
+
+////////////////////////////////////////////////////////////////////////
+// void ecp_nistz256_select_w7(uint64_t *val, uint64_t *in_t, int index);
+.globl ecp_nistz256_select_w7
+
+.def ecp_nistz256_select_w7
+ .type 32
+.endef
+.align 4
+ecp_nistz256_select_w7:
+ AARCH64_VALID_CALL_TARGET
+
+ // w9 := 0; loop counter and incremented internal index
+ mov w9, #0
+
+ // [v16-v21] := 0
+ movi v16.16b, #0
+ movi v17.16b, #0
+ movi v18.16b, #0
+ movi v19.16b, #0
+
+Lselect_w7_loop:
+ // Loop 64 times.
+
+ // Increment index (loop counter); tested at the end of the loop
+ add w9, w9, #1
+
+ // [v22-v25] := Load a (2*256-bit = 4*128-bit) table entry starting at x1
+ // and advance x1 to point to the next entry
+ ld1 {v22.2d, v23.2d, v24.2d, v25.2d}, [x1],#64
+
+ // x11 := (w9 == w2)? All 1s : All 0s
+ cmp w9, w2
+ csetm x11, eq
+
+ // duplicate mask_64 into Mask (all 0s or all 1s)
+ dup v3.2d, x11
+
+ // [v16-v19] := (Mask == all 1s)? [v22-v25] : [v16-v19]
+ // i.e., values in output registers will remain the same if w9 != w2
+ bit v16.16b, v22.16b, v3.16b
+ bit v17.16b, v23.16b, v3.16b
+
+ bit v18.16b, v24.16b, v3.16b
+ bit v19.16b, v25.16b, v3.16b
+
+ // If bit #6 is not 0 (i.e. idx_ctr < 64) loop back
+ tbz w9, #6, Lselect_w7_loop
+
+ // Write [v16-v19] to memory at the output pointer
+ st1 {v16.2d, v17.2d, v18.2d, v19.2d}, [x0]
+
+ ret
+
+#endif
+#endif // !OPENSSL_NO_ASM
diff --git a/win-aarch64/crypto/fipsmodule/p256_beeu-armv8-asm.S b/win-aarch64/crypto/fipsmodule/p256_beeu-armv8-asm.S
new file mode 100644
index 0000000..0a3121f
--- /dev/null
+++ b/win-aarch64/crypto/fipsmodule/p256_beeu-armv8-asm.S
@@ -0,0 +1,319 @@
+// This file is generated from a similarly-named Perl script in the BoringSSL
+// source tree. Do not edit by hand.
+
+#if !defined(__has_feature)
+#define __has_feature(x) 0
+#endif
+#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM)
+#define OPENSSL_NO_ASM
+#endif
+
+#if !defined(OPENSSL_NO_ASM)
+#if defined(__aarch64__)
+#if defined(BORINGSSL_PREFIX)
+#include <boringssl_prefix_symbols_asm.h>
+#endif
+#include "openssl/arm_arch.h"
+
+.text
+.globl beeu_mod_inverse_vartime
+
+
+.align 4
+beeu_mod_inverse_vartime:
+ // Reserve enough space for 14 8-byte registers on the stack
+ // in the first stp call for x29, x30.
+ // Then store the remaining callee-saved registers.
+ //
+ // | x29 | x30 | x19 | x20 | ... | x27 | x28 | x0 | x2 |
+ // ^ ^
+ // sp <------------------- 112 bytes ----------------> old sp
+ // x29 (FP)
+ //
+ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-112]!
+ add x29,sp,#0
+ stp x19,x20,[sp,#16]
+ stp x21,x22,[sp,#32]
+ stp x23,x24,[sp,#48]
+ stp x25,x26,[sp,#64]
+ stp x27,x28,[sp,#80]
+ stp x0,x2,[sp,#96]
+
+ // B = b3..b0 := a
+ ldp x25,x26,[x1]
+ ldp x27,x28,[x1,#16]
+
+ // n3..n0 := n
+ // Note: the value of input params are changed in the following.
+ ldp x0,x1,[x2]
+ ldp x2,x30,[x2,#16]
+
+ // A = a3..a0 := n
+ mov x21, x0
+ mov x22, x1
+ mov x23, x2
+ mov x24, x30
+
+ // X = x4..x0 := 1
+ mov x3, #1
+ eor x4, x4, x4
+ eor x5, x5, x5
+ eor x6, x6, x6
+ eor x7, x7, x7
+
+ // Y = y4..y0 := 0
+ eor x8, x8, x8
+ eor x9, x9, x9
+ eor x10, x10, x10
+ eor x11, x11, x11
+ eor x12, x12, x12
+
+Lbeeu_loop:
+ // if B == 0, jump to .Lbeeu_loop_end
+ orr x14, x25, x26
+ orr x14, x14, x27
+
+ // reverse the bit order of x25. This is needed for clz after this macro
+ rbit x15, x25
+
+ orr x14, x14, x28
+ cbz x14,Lbeeu_loop_end
+
+
+ // 0 < B < |n|,
+ // 0 < A <= |n|,
+ // (1) X*a == B (mod |n|),
+ // (2) (-1)*Y*a == A (mod |n|)
+
+ // Now divide B by the maximum possible power of two in the
+ // integers, and divide X by the same value mod |n|.
+ // When we're done, (1) still holds.
+
+ // shift := number of trailing 0s in x25
+ // ( = number of leading 0s in x15; see the "rbit" instruction in TEST_B_ZERO)
+ clz x13, x15
+
+ // If there is no shift, goto shift_A_Y
+ cbz x13, Lbeeu_shift_A_Y
+
+ // Shift B right by "x13" bits
+ neg x14, x13
+ lsr x25, x25, x13
+ lsl x15, x26, x14
+
+ lsr x26, x26, x13
+ lsl x19, x27, x14
+
+ orr x25, x25, x15
+
+ lsr x27, x27, x13
+ lsl x20, x28, x14
+
+ orr x26, x26, x19
+
+ lsr x28, x28, x13
+
+ orr x27, x27, x20
+
+
+ // Shift X right by "x13" bits, adding n whenever X becomes odd.
+ // x13--;
+ // x14 := 0; needed in the addition to the most significant word in SHIFT1
+ eor x14, x14, x14
+Lbeeu_shift_loop_X:
+ tbz x3, #0, Lshift1_0
+ adds x3, x3, x0
+ adcs x4, x4, x1
+ adcs x5, x5, x2
+ adcs x6, x6, x30
+ adc x7, x7, x14
+Lshift1_0:
+ // var0 := [var1|var0]<64..1>;
+ // i.e. concatenate var1 and var0,
+ // extract bits <64..1> from the resulting 128-bit value
+ // and put them in var0
+ extr x3, x4, x3, #1
+ extr x4, x5, x4, #1
+ extr x5, x6, x5, #1
+ extr x6, x7, x6, #1
+ lsr x7, x7, #1
+
+ subs x13, x13, #1
+ bne Lbeeu_shift_loop_X
+
+ // Note: the steps above perform the same sequence as in p256_beeu-x86_64-asm.pl
+ // with the following differences:
+ // - "x13" is set directly to the number of trailing 0s in B
+ // (using rbit and clz instructions)
+ // - The loop is only used to call SHIFT1(X)
+ // and x13 is decreased while executing the X loop.
+ // - SHIFT256(B, x13) is performed before right-shifting X; they are independent
+
+Lbeeu_shift_A_Y:
+ // Same for A and Y.
+ // Afterwards, (2) still holds.
+ // Reverse the bit order of x21
+ // x13 := number of trailing 0s in x21 (= number of leading 0s in x15)
+ rbit x15, x21
+ clz x13, x15
+
+ // If there is no shift, goto |B-A|, X+Y update
+ cbz x13, Lbeeu_update_B_X_or_A_Y
+
+ // Shift A right by "x13" bits
+ neg x14, x13
+ lsr x21, x21, x13
+ lsl x15, x22, x14
+
+ lsr x22, x22, x13
+ lsl x19, x23, x14
+
+ orr x21, x21, x15
+
+ lsr x23, x23, x13
+ lsl x20, x24, x14
+
+ orr x22, x22, x19
+
+ lsr x24, x24, x13
+
+ orr x23, x23, x20
+
+
+ // Shift Y right by "x13" bits, adding n whenever Y becomes odd.
+ // x13--;
+ // x14 := 0; needed in the addition to the most significant word in SHIFT1
+ eor x14, x14, x14
+Lbeeu_shift_loop_Y:
+ tbz x8, #0, Lshift1_1
+ adds x8, x8, x0
+ adcs x9, x9, x1
+ adcs x10, x10, x2
+ adcs x11, x11, x30
+ adc x12, x12, x14
+Lshift1_1:
+ // var0 := [var1|var0]<64..1>;
+ // i.e. concatenate var1 and var0,
+ // extract bits <64..1> from the resulting 128-bit value
+ // and put them in var0
+ extr x8, x9, x8, #1
+ extr x9, x10, x9, #1
+ extr x10, x11, x10, #1
+ extr x11, x12, x11, #1
+ lsr x12, x12, #1
+
+ subs x13, x13, #1
+ bne Lbeeu_shift_loop_Y
+
+Lbeeu_update_B_X_or_A_Y:
+ // Try T := B - A; if cs, continue with B > A (cs: carry set = no borrow)
+ // Note: this is a case of unsigned arithmetic, where T fits in 4 64-bit words
+ // without taking a sign bit if generated. The lack of a carry would
+ // indicate a negative result. See, for example,
+ // https://community.arm.com/developer/ip-products/processors/b/processors-ip-blog/posts/condition-codes-1-condition-flags-and-codes
+ subs x14, x25, x21
+ sbcs x15, x26, x22
+ sbcs x19, x27, x23
+ sbcs x20, x28, x24
+ bcs Lbeeu_B_greater_than_A
+
+ // Else A > B =>
+ // A := A - B; Y := Y + X; goto beginning of the loop
+ subs x21, x21, x25
+ sbcs x22, x22, x26
+ sbcs x23, x23, x27
+ sbcs x24, x24, x28
+
+ adds x8, x8, x3
+ adcs x9, x9, x4
+ adcs x10, x10, x5
+ adcs x11, x11, x6
+ adc x12, x12, x7
+ b Lbeeu_loop
+
+Lbeeu_B_greater_than_A:
+ // Continue with B > A =>
+ // B := B - A; X := X + Y; goto beginning of the loop
+ mov x25, x14
+ mov x26, x15
+ mov x27, x19
+ mov x28, x20
+
+ adds x3, x3, x8
+ adcs x4, x4, x9
+ adcs x5, x5, x10
+ adcs x6, x6, x11
+ adc x7, x7, x12
+ b Lbeeu_loop
+
+Lbeeu_loop_end:
+ // The Euclid's algorithm loop ends when A == gcd(a,n);
+ // this would be 1, when a and n are co-prime (i.e. do not have a common factor).
+ // Since (-1)*Y*a == A (mod |n|), Y>0
+ // then out = -Y mod n
+
+ // Verify that A = 1 ==> (-1)*Y*a = A = 1 (mod |n|)
+ // Is A-1 == 0?
+ // If not, fail.
+ sub x14, x21, #1
+ orr x14, x14, x22
+ orr x14, x14, x23
+ orr x14, x14, x24
+ cbnz x14, Lbeeu_err
+
+ // If Y>n ==> Y:=Y-n
+Lbeeu_reduction_loop:
+ // x_i := y_i - n_i (X is no longer needed, use it as temp)
+ // (x14 = 0 from above)
+ subs x3, x8, x0
+ sbcs x4, x9, x1
+ sbcs x5, x10, x2
+ sbcs x6, x11, x30
+ sbcs x7, x12, x14
+
+ // If result is non-negative (i.e., cs = carry set = no borrow),
+ // y_i := x_i; goto reduce again
+ // else
+ // y_i := y_i; continue
+ csel x8, x3, x8, cs
+ csel x9, x4, x9, cs
+ csel x10, x5, x10, cs
+ csel x11, x6, x11, cs
+ csel x12, x7, x12, cs
+ bcs Lbeeu_reduction_loop
+
+ // Now Y < n (Y cannot be equal to n, since the inverse cannot be 0)
+ // out = -Y = n-Y
+ subs x8, x0, x8
+ sbcs x9, x1, x9
+ sbcs x10, x2, x10
+ sbcs x11, x30, x11
+
+ // Save Y in output (out (x0) was saved on the stack)
+ ldr x3, [sp,#96]
+ stp x8, x9, [x3]
+ stp x10, x11, [x3,#16]
+ // return 1 (success)
+ mov x0, #1
+ b Lbeeu_finish
+
+Lbeeu_err:
+ // return 0 (error)
+ eor x0, x0, x0
+
+Lbeeu_finish:
+ // Restore callee-saved registers, except x0, x2
+ add sp,x29,#0
+ ldp x19,x20,[sp,#16]
+ ldp x21,x22,[sp,#32]
+ ldp x23,x24,[sp,#48]
+ ldp x25,x26,[sp,#64]
+ ldp x27,x28,[sp,#80]
+ ldp x29,x30,[sp],#112
+
+ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+
+#endif
+#endif // !OPENSSL_NO_ASM
diff --git a/win-x86_64/crypto/fipsmodule/x86_64-mont5.asm b/win-x86_64/crypto/fipsmodule/x86_64-mont5.asm
index 7a1d5db..b60f662 100644
--- a/win-x86_64/crypto/fipsmodule/x86_64-mont5.asm
+++ b/win-x86_64/crypto/fipsmodule/x86_64-mont5.asm
@@ -2104,200 +2104,6 @@
DB 0F3h,0C3h ;repret
-global bn_from_montgomery
-
-ALIGN 32
-bn_from_montgomery:
-
- test DWORD[48+rsp],7
- jz NEAR bn_from_mont8x
- xor eax,eax
- DB 0F3h,0C3h ;repret
-
-
-
-
-ALIGN 32
-bn_from_mont8x:
- mov QWORD[8+rsp],rdi ;WIN64 prologue
- mov QWORD[16+rsp],rsi
- mov rax,rsp
-$L$SEH_begin_bn_from_mont8x:
- mov rdi,rcx
- mov rsi,rdx
- mov rdx,r8
- mov rcx,r9
- mov r8,QWORD[40+rsp]
- mov r9,QWORD[48+rsp]
-
-
-
-DB 0x67
- mov rax,rsp
-
- push rbx
-
- push rbp
-
- push r12
-
- push r13
-
- push r14
-
- push r15
-
-$L$from_prologue:
-
- shl r9d,3
- lea r10,[r9*2+r9]
- neg r9
- mov r8,QWORD[r8]
-
-
-
-
-
-
-
-
- lea r11,[((-320))+r9*2+rsp]
- mov rbp,rsp
- sub r11,rdi
- and r11,4095
- cmp r10,r11
- jb NEAR $L$from_sp_alt
- sub rbp,r11
- lea rbp,[((-320))+r9*2+rbp]
- jmp NEAR $L$from_sp_done
-
-ALIGN 32
-$L$from_sp_alt:
- lea r10,[((4096-320))+r9*2]
- lea rbp,[((-320))+r9*2+rbp]
- sub r11,r10
- mov r10,0
- cmovc r11,r10
- sub rbp,r11
-$L$from_sp_done:
- and rbp,-64
- mov r11,rsp
- sub r11,rbp
- and r11,-4096
- lea rsp,[rbp*1+r11]
- mov r10,QWORD[rsp]
- cmp rsp,rbp
- ja NEAR $L$from_page_walk
- jmp NEAR $L$from_page_walk_done
-
-$L$from_page_walk:
- lea rsp,[((-4096))+rsp]
- mov r10,QWORD[rsp]
- cmp rsp,rbp
- ja NEAR $L$from_page_walk
-$L$from_page_walk_done:
-
- mov r10,r9
- neg r9
-
-
-
-
-
-
-
-
-
-
- mov QWORD[32+rsp],r8
- mov QWORD[40+rsp],rax
-
-$L$from_body:
- mov r11,r9
- lea rax,[48+rsp]
- pxor xmm0,xmm0
- jmp NEAR $L$mul_by_1
-
-ALIGN 32
-$L$mul_by_1:
- movdqu xmm1,XMMWORD[rsi]
- movdqu xmm2,XMMWORD[16+rsi]
- movdqu xmm3,XMMWORD[32+rsi]
- movdqa XMMWORD[r9*1+rax],xmm0
- movdqu xmm4,XMMWORD[48+rsi]
- movdqa XMMWORD[16+r9*1+rax],xmm0
-DB 0x48,0x8d,0xb6,0x40,0x00,0x00,0x00
- movdqa XMMWORD[rax],xmm1
- movdqa XMMWORD[32+r9*1+rax],xmm0
- movdqa XMMWORD[16+rax],xmm2
- movdqa XMMWORD[48+r9*1+rax],xmm0
- movdqa XMMWORD[32+rax],xmm3
- movdqa XMMWORD[48+rax],xmm4
- lea rax,[64+rax]
- sub r11,64
- jnz NEAR $L$mul_by_1
-
-DB 102,72,15,110,207
-DB 102,72,15,110,209
-DB 0x67
- mov rbp,rcx
-DB 102,73,15,110,218
- lea r11,[OPENSSL_ia32cap_P]
- mov r11d,DWORD[8+r11]
- and r11d,0x80108
- cmp r11d,0x80108
- jne NEAR $L$from_mont_nox
-
- lea rdi,[r9*1+rax]
- call __bn_sqrx8x_reduction
- call __bn_postx4x_internal
-
- pxor xmm0,xmm0
- lea rax,[48+rsp]
- jmp NEAR $L$from_mont_zero
-
-ALIGN 32
-$L$from_mont_nox:
- call __bn_sqr8x_reduction
- call __bn_post4x_internal
-
- pxor xmm0,xmm0
- lea rax,[48+rsp]
- jmp NEAR $L$from_mont_zero
-
-ALIGN 32
-$L$from_mont_zero:
- mov rsi,QWORD[40+rsp]
-
- movdqa XMMWORD[rax],xmm0
- movdqa XMMWORD[16+rax],xmm0
- movdqa XMMWORD[32+rax],xmm0
- movdqa XMMWORD[48+rax],xmm0
- lea rax,[64+rax]
- sub r9,32
- jnz NEAR $L$from_mont_zero
-
- mov rax,1
- mov r15,QWORD[((-48))+rsi]
-
- mov r14,QWORD[((-40))+rsi]
-
- mov r13,QWORD[((-32))+rsi]
-
- mov r12,QWORD[((-24))+rsi]
-
- mov rbp,QWORD[((-16))+rsi]
-
- mov rbx,QWORD[((-8))+rsi]
-
- lea rsp,[rsi]
-
-$L$from_epilogue:
- mov rdi,QWORD[8+rsp] ;WIN64 epilogue
- mov rsi,QWORD[16+rsp]
- DB 0F3h,0C3h ;repret
-
-$L$SEH_end_bn_from_mont8x:
ALIGN 32
bn_mulx4x_mont_gather5:
@@ -3982,10 +3788,6 @@
DD $L$SEH_begin_bn_power5 wrt ..imagebase
DD $L$SEH_end_bn_power5 wrt ..imagebase
DD $L$SEH_info_bn_power5 wrt ..imagebase
-
- DD $L$SEH_begin_bn_from_mont8x wrt ..imagebase
- DD $L$SEH_end_bn_from_mont8x wrt ..imagebase
- DD $L$SEH_info_bn_from_mont8x wrt ..imagebase
DD $L$SEH_begin_bn_mulx4x_mont_gather5 wrt ..imagebase
DD $L$SEH_end_bn_mulx4x_mont_gather5 wrt ..imagebase
DD $L$SEH_info_bn_mulx4x_mont_gather5 wrt ..imagebase
@@ -4014,11 +3816,6 @@
DD mul_handler wrt ..imagebase
DD $L$power5_prologue wrt ..imagebase,$L$power5_body wrt ..imagebase,$L$power5_epilogue wrt ..imagebase
ALIGN 8
-$L$SEH_info_bn_from_mont8x:
-DB 9,0,0,0
- DD mul_handler wrt ..imagebase
- DD $L$from_prologue wrt ..imagebase,$L$from_body wrt ..imagebase,$L$from_epilogue wrt ..imagebase
-ALIGN 8
$L$SEH_info_bn_mulx4x_mont_gather5:
DB 9,0,0,0
DD mul_handler wrt ..imagebase