1 /* $NetBSD: adiantum.c,v 1.7 2021/10/17 14:45:45 jmcneill Exp $ */
2
3 /*-
4 * Copyright (c) 2020 The NetBSD Foundation, Inc.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 *
16 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
17 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
18 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
19 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
20 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
21 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
22 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
23 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
24 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
25 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26 * POSSIBILITY OF SUCH DAMAGE.
27 */
28
29 /*
30 * The Adiantum wide-block cipher, from
31 *
32 * Paul Crowley and Eric Biggers, `Adiantum: length-preserving
33 * encryption for entry-level processors', IACR Transactions on
34 * Symmetric Cryptology 2018(4), pp. 39--61.
35 *
36 * https://doi.org/10.13154/tosc.v2018.i4.39-61
37 */
38
39 #include <sys/cdefs.h>
40 __KERNEL_RCSID(1, "$NetBSD: adiantum.c,v 1.7 2021/10/17 14:45:45 jmcneill Exp $");
41
42 #include <sys/types.h>
43 #include <sys/endian.h>
44
45 #ifdef _KERNEL
46
47 #include <sys/module.h>
48 #include <sys/systm.h>
49
50 #include <lib/libkern/libkern.h>
51
52 #include <crypto/adiantum/adiantum.h>
53 #include <crypto/aes/aes.h>
54 #include <crypto/chacha/chacha.h>
55
56 #else /* !defined(_KERNEL) */
57
58 #include <sys/cdefs.h>
59
60 #include <assert.h>
61 #include <stdint.h>
62 #include <stdio.h>
63 #include <string.h>
64
65 #include <openssl/aes.h>
66
67 struct aesenc {
68 AES_KEY enckey;
69 };
70
71 struct aesdec {
72 AES_KEY deckey;
73 };
74
75 #define AES_256_NROUNDS 14
76 #define aes_setenckey256(E, K) AES_set_encrypt_key((K), 256, &(E)->enckey)
77 #define aes_setdeckey256(D, K) AES_set_decrypt_key((K), 256, &(D)->deckey)
78 #define aes_enc(E, P, C, NR) AES_encrypt(P, C, &(E)->enckey)
79 #define aes_dec(D, C, P, NR) AES_decrypt(C, P, &(D)->deckey)
80
81 #include "adiantum.h"
82
83 #define CTASSERT __CTASSERT
84 #define KASSERT assert
85 #define MIN(x,y) ((x) < (y) ? (x) : (y))
86
87 static void
88 hexdump(int (*prf)(const char *, ...) __printflike(1,2), const char *prefix,
89 const void *buf, size_t len)
90 {
91 const uint8_t *p = buf;
92 size_t i;
93
94 (*prf)("%s (%zu bytes)\n", prefix, len);
95 for (i = 0; i < len; i++) {
96 if (i % 16 == 8)
97 (*prf)(" ");
98 else
99 (*prf)(" ");
100 (*prf)("%02hhx", p[i]);
101 if ((i + 1) % 16 == 0)
102 (*prf)("\n");
103 }
104 if (i % 16)
105 (*prf)("\n");
106 }
107
108 #endif /* _KERNEL */
109
110 /* Arithmetic modulo 2^128, represented by 16-digit strings in radix 2^8. */
111
112 /* s := a + b (mod 2^128) */
113 static inline void
add128(uint8_t s[restrict static16],const uint8_t a[static16],const uint8_t b[static16])114 add128(uint8_t s[restrict static 16],
115 const uint8_t a[static 16], const uint8_t b[static 16])
116 {
117 unsigned i, c;
118
119 c = 0;
120 for (i = 0; i < 16; i++) {
121 c = a[i] + b[i] + c;
122 s[i] = c & 0xff;
123 c >>= 8;
124 }
125 }
126
127 /* s := a - b (mod 2^128) */
128 static inline void
sub128(uint8_t d[restrict static16],const uint8_t a[static16],const uint8_t b[static16])129 sub128(uint8_t d[restrict static 16],
130 const uint8_t a[static 16], const uint8_t b[static 16])
131 {
132 unsigned i, c;
133
134 c = 0;
135 for (i = 0; i < 16; i++) {
136 c = a[i] - b[i] - c;
137 d[i] = c & 0xff;
138 c = 1 & (c >> 8);
139 }
140 }
141
142 static int
addsub128_selftest(void)143 addsub128_selftest(void)
144 {
145 static const uint8_t zero[16] = {
146 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
147 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
148 };
149 static const uint8_t one[16] = {
150 0x01,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
151 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
152 };
153 static const uint8_t negativeone[16] = {
154 0xff,0xff,0xff,0xff, 0xff,0xff,0xff,0xff,
155 0xff,0xff,0xff,0xff, 0xff,0xff,0xff,0xff,
156 };
157 static const uint8_t a[16] = {
158 0x03,0x80,0x00,0x00, 0x00,0x00,0x00,0x00,
159 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
160 };
161 static const uint8_t b[16] = {
162 0x01,0x82,0x00,0x00, 0x00,0x00,0x00,0x00,
163 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
164 };
165 static const uint8_t c[16] = {
166 0x02,0xfe,0xff,0xff, 0xff,0xff,0xff,0xff,
167 0xff,0xff,0xff,0xff, 0xff,0xff,0xff,0xff,
168 };
169 uint8_t r[16];
170 int result = 0;
171
172 sub128(r, zero, one);
173 if (memcmp(r, negativeone, 16)) {
174 hexdump(printf, "sub128 1", r, sizeof r);
175 result = -1;
176 }
177
178 sub128(r, a, b);
179 if (memcmp(r, c, 16)) {
180 hexdump(printf, "sub128 2", r, sizeof r);
181 result = -1;
182 }
183
184 return result;
185 }
186
187 /* Poly1305 */
188
189 struct poly1305 {
190 uint32_t r[5]; /* evaluation point */
191 uint32_t h[5]; /* value */
192 };
193
194 static void
poly1305_init(struct poly1305 * P,const uint8_t key[static16])195 poly1305_init(struct poly1305 *P, const uint8_t key[static 16])
196 {
197
198 /* clamp */
199 P->r[0] = (le32dec(key + 0) >> 0) & 0x03ffffff;
200 P->r[1] = (le32dec(key + 3) >> 2) & 0x03ffff03;
201 P->r[2] = (le32dec(key + 6) >> 4) & 0x03ffc0ff;
202 P->r[3] = (le32dec(key + 9) >> 6) & 0x03f03fff;
203 P->r[4] = (le32dec(key + 12) >> 8) & 0x000fffff;
204
205 /* initialize polynomial evaluation */
206 P->h[0] = P->h[1] = P->h[2] = P->h[3] = P->h[4] = 0;
207 }
208
209 static void
poly1305_update_blocks(struct poly1305 * P,const uint8_t * m,size_t mlen)210 poly1305_update_blocks(struct poly1305 *P, const uint8_t *m, size_t mlen)
211 {
212 uint32_t r0 = P->r[0];
213 uint32_t r1 = P->r[1];
214 uint32_t r2 = P->r[2];
215 uint32_t r3 = P->r[3];
216 uint32_t r4 = P->r[4];
217 uint32_t h0 = P->h[0];
218 uint32_t h1 = P->h[1];
219 uint32_t h2 = P->h[2];
220 uint32_t h3 = P->h[3];
221 uint32_t h4 = P->h[4];
222 uint32_t m0, m1, m2, m3, m4; /* 26-bit message chunks */
223 uint64_t k0, k1, k2, k3, k4; /* 64-bit extension of h */
224 uint64_t p0, p1, p2, p3, p4; /* columns of product */
225 uint32_t c; /* carry */
226
227 while (mlen) {
228 if (__predict_false(mlen < 16)) {
229 /* Handle padding for uneven last block. */
230 uint8_t buf[16];
231 unsigned i;
232
233 for (i = 0; i < mlen; i++)
234 buf[i] = m[i];
235 buf[i++] = 1;
236 for (; i < 16; i++)
237 buf[i] = 0;
238 m0 = le32dec(buf + 0) >> 0;
239 m1 = le32dec(buf + 3) >> 2;
240 m2 = le32dec(buf + 6) >> 4;
241 m3 = le32dec(buf + 9) >> 6;
242 m4 = le32dec(buf + 12) >> 8;
243 mlen = 0;
244
245 explicit_memset(buf, 0, sizeof buf);
246 } else {
247 m0 = le32dec(m + 0) >> 0;
248 m1 = le32dec(m + 3) >> 2;
249 m2 = le32dec(m + 6) >> 4;
250 m3 = le32dec(m + 9) >> 6;
251 m4 = le32dec(m + 12) >> 8;
252 m4 |= 1u << 24;
253 m += 16;
254 mlen -= 16;
255 }
256
257 /* k := h + m, extended to 64 bits */
258 k0 = h0 + (m0 & 0x03ffffff);
259 k1 = h1 + (m1 & 0x03ffffff);
260 k2 = h2 + (m2 & 0x03ffffff);
261 k3 = h3 + m3;
262 k4 = h4 + m4;
263
264 /* p := k * r = (h + m)*r mod 2^130 - 5 */
265 p0 = r0*k0 + 5*r4*k1 + 5*r3*k2 + 5*r2*k3 + 5*r1*k4;
266 p1 = r1*k0 + r0*k1 + 5*r4*k2 + 5*r3*k3 + 5*r2*k4;
267 p2 = r2*k0 + r1*k1 + r0*k2 + 5*r4*k3 + 5*r3*k4;
268 p3 = r3*k0 + r2*k1 + r1*k2 + r0*k3 + 5*r4*k4;
269 p4 = r4*k0 + r3*k1 + r2*k2 + r1*k3 + r0*k4;
270
271 /* propagate carries and update h */
272 p0 += 0; c = p0 >> 26; h0 = p0 & 0x03ffffff;
273 p1 += c; c = p1 >> 26; h1 = p1 & 0x03ffffff;
274 p2 += c; c = p2 >> 26; h2 = p2 & 0x03ffffff;
275 p3 += c; c = p3 >> 26; h3 = p3 & 0x03ffffff;
276 p4 += c; c = p4 >> 26; h4 = p4 & 0x03ffffff;
277
278 /* reduce 2^130 = 5 */
279 h0 += c*5; c = h0 >> 26; h0 &= 0x03ffffff;
280 h1 += c;
281 }
282
283 /* update hash values */
284 P->h[0] = h0;
285 P->h[1] = h1;
286 P->h[2] = h2;
287 P->h[3] = h3;
288 P->h[4] = h4;
289 }
290
291 static void
poly1305_final(uint8_t h[static16],struct poly1305 * P)292 poly1305_final(uint8_t h[static 16], struct poly1305 *P)
293 {
294 uint32_t h0 = P->h[0];
295 uint32_t h1 = P->h[1];
296 uint32_t h2 = P->h[2];
297 uint32_t h3 = P->h[3];
298 uint32_t h4 = P->h[4];
299 uint32_t s0, s1, s2, s3, s4; /* h - (2^130 - 5) */
300 uint32_t m; /* mask */
301 uint32_t c;
302
303 /* propagate carries */
304 h1 += 0; c = h1 >> 26; h1 &= 0x03ffffff;
305 h2 += c; c = h2 >> 26; h2 &= 0x03ffffff;
306 h3 += c; c = h3 >> 26; h3 &= 0x03ffffff;
307 h4 += c; c = h4 >> 26; h4 &= 0x03ffffff;
308
309 /* reduce 2^130 = 5 */
310 h0 += c*5; c = h0 >> 26; h0 &= 0x03ffffff;
311 h1 += c;
312
313 /* s := h - (2^130 - 5) */
314 c = 5;
315 s0 = h0 + c; c = s0 >> 26; s0 &= 0x03ffffff;
316 s1 = h1 + c; c = s1 >> 26; s1 &= 0x03ffffff;
317 s2 = h2 + c; c = s2 >> 26; s2 &= 0x03ffffff;
318 s3 = h3 + c; c = s3 >> 26; s3 &= 0x03ffffff;
319 s4 = h4 + c;
320 s4 -= 0x04000000;
321
322 /* m := -1 if h < 2^130 - 5 else 0 */
323 m = -(s4 >> 31);
324
325 /* conditional subtract */
326 h0 = (m & h0) | (~m & s0);
327 h1 = (m & h1) | (~m & s1);
328 h2 = (m & h2) | (~m & s2);
329 h3 = (m & h3) | (~m & s3);
330 h4 = (m & h4) | (~m & s4);
331
332 /* reduce modulo 2^128 */
333 le32enc(h + 0, ((h1 << 26) | (h0 >> 0)) & 0xffffffff);
334 le32enc(h + 4, ((h2 << 20) | (h1 >> 6)) & 0xffffffff);
335 le32enc(h + 8, ((h3 << 14) | (h2 >> 12)) & 0xffffffff);
336 le32enc(h + 12, ((h4 << 8) | (h3 >> 18)) & 0xffffffff);
337 }
338
339 static void
poly1305(uint8_t h[static16],const uint8_t * m,size_t mlen,const uint8_t k[static16])340 poly1305(uint8_t h[static 16], const uint8_t *m, size_t mlen,
341 const uint8_t k[static 16])
342 {
343 struct poly1305 P;
344
345 poly1305_init(&P, k);
346 poly1305_update_blocks(&P, m, mlen);
347 poly1305_final(h, &P);
348 }
349
350 static int
poly1305_selftest(void)351 poly1305_selftest(void)
352 {
353 /* https://tools.ietf.org/html/rfc7539#section-2.5.2 */
354 static const uint8_t r[16] = {
355 0x85,0xd6,0xbe,0x78, 0x57,0x55,0x6d,0x33,
356 0x7f,0x44,0x52,0xfe, 0x42,0xd5,0x06,0xa8,
357 };
358 static const uint8_t s[16] = {
359 0x01,0x03,0x80,0x8a, 0xfb,0x0d,0xb2,0xfd,
360 0x4a,0xbf,0xf6,0xaf, 0x41,0x49,0xf5,0x1b,
361 };
362 static const uint8_t m[] = {
363 0x43,0x72,0x79,0x70, 0x74,0x6f,0x67,0x72,
364 0x61,0x70,0x68,0x69, 0x63,0x20,0x46,0x6f,
365 0x72,0x75,0x6d,0x20, 0x52,0x65,0x73,0x65,
366 0x61,0x72,0x63,0x68, 0x20,0x47,0x72,0x6f,
367 0x75,0x70,
368 };
369 static const uint8_t expected[16] = {
370 0xa8,0x06,0x1d,0xc1, 0x30,0x51,0x36,0xc6,
371 0xc2,0x2b,0x8b,0xaf, 0x0c,0x01,0x27,0xa9,
372 };
373 uint8_t h[16], t[16];
374 int result = 0;
375
376 poly1305(h, m, sizeof m, r);
377 add128(t, h, s);
378 if (memcmp(t, expected, 16)) {
379 hexdump(printf, "poly1305 h", h, sizeof h);
380 hexdump(printf, "poly1305 t", t, sizeof t);
381 result = -1;
382 }
383
384 return result;
385 }
386
387 /* NHPoly1305 */
388
389 static void
nh(uint8_t h[static32],const uint8_t * m,size_t mlen,const uint32_t k[static268])390 nh(uint8_t h[static 32], const uint8_t *m, size_t mlen,
391 const uint32_t k[static 268 /* u/w + 2s(r - 1) */])
392 {
393 enum {
394 s = 2, /* stride */
395 r = 4, /* rounds */
396 w = 32, /* word size */
397 u = 8192 /* unit count (bits per msg unit) */
398 };
399 uint64_t h0 = 0, h1 = 0, h2 = 0, h3 = 0;
400 unsigned i;
401
402 CTASSERT(r*w/8 == 16);
403 CTASSERT(u/w + 2*s*(r - 1) == 268);
404
405 KASSERT(mlen <= u/8);
406 KASSERT(mlen % 16 == 0);
407
408 for (i = 0; i < mlen/16; i++) {
409 uint32_t m0 = le32dec(m + 16*i + 4*0);
410 uint32_t m1 = le32dec(m + 16*i + 4*1);
411 uint32_t m2 = le32dec(m + 16*i + 4*2);
412 uint32_t m3 = le32dec(m + 16*i + 4*3);
413
414 uint32_t k00 = k[4*i + 4*0 + 0];
415 uint32_t k01 = k[4*i + 4*0 + 1];
416 uint32_t k02 = k[4*i + 4*0 + 2];
417 uint32_t k03 = k[4*i + 4*0 + 3];
418 uint32_t k10 = k[4*i + 4*1 + 0];
419 uint32_t k11 = k[4*i + 4*1 + 1];
420 uint32_t k12 = k[4*i + 4*1 + 2];
421 uint32_t k13 = k[4*i + 4*1 + 3];
422 uint32_t k20 = k[4*i + 4*2 + 0];
423 uint32_t k21 = k[4*i + 4*2 + 1];
424 uint32_t k22 = k[4*i + 4*2 + 2];
425 uint32_t k23 = k[4*i + 4*2 + 3];
426 uint32_t k30 = k[4*i + 4*3 + 0];
427 uint32_t k31 = k[4*i + 4*3 + 1];
428 uint32_t k32 = k[4*i + 4*3 + 2];
429 uint32_t k33 = k[4*i + 4*3 + 3];
430
431 CTASSERT(s == 2);
432 h0 += (uint64_t)(m0 + k00) * (m2 + k02);
433 h1 += (uint64_t)(m0 + k10) * (m2 + k12);
434 h2 += (uint64_t)(m0 + k20) * (m2 + k22);
435 h3 += (uint64_t)(m0 + k30) * (m2 + k32);
436 h0 += (uint64_t)(m1 + k01) * (m3 + k03);
437 h1 += (uint64_t)(m1 + k11) * (m3 + k13);
438 h2 += (uint64_t)(m1 + k21) * (m3 + k23);
439 h3 += (uint64_t)(m1 + k31) * (m3 + k33);
440 }
441
442 le64enc(h + 8*0, h0);
443 le64enc(h + 8*1, h1);
444 le64enc(h + 8*2, h2);
445 le64enc(h + 8*3, h3);
446 }
447
448 static void
nhpoly1305(uint8_t h[static16],const uint8_t * m,size_t mlen,const uint8_t pk[static16],const uint32_t nhk[static268])449 nhpoly1305(uint8_t h[static 16], const uint8_t *m, size_t mlen,
450 const uint8_t pk[static 16],
451 const uint32_t nhk[static 268 /* u/w + 2s(r - 1) */])
452 {
453 struct poly1305 P;
454 uint8_t h0[32];
455
456 /*
457 * In principle NHPoly1305 is defined on uneven message
458 * lengths, but that's a pain in the patootie.
459 */
460 KASSERT(mlen % 16 == 0);
461
462 poly1305_init(&P, pk);
463 for (; mlen; m += MIN(mlen, 1024), mlen -= MIN(mlen, 1024)) {
464 nh(h0, m, MIN(mlen, 1024), nhk);
465 poly1305_update_blocks(&P, h0, 32);
466 }
467 poly1305_final(h, &P);
468 }
469
470 /* https://github.com/google/adiantum/blob/68971e9c6684121b2203b4b05a22768b84051b58/test_vectors/ours/NH/NH.json */
471 static int
nh_selftest(void)472 nh_selftest(void)
473 {
474 static const struct {
475 uint8_t k[1072];
476 unsigned mlen;
477 uint8_t m[1024];
478 uint8_t h[32];
479 } C[] = {
480 [0] = { /* 16-byte message */
481 .k = {
482 0x22,0x5b,0x80,0xc8, 0x18,0x05,0x37,0x09,
483 0x76,0x14,0x4b,0x67, 0xc4,0x50,0x7f,0x2b,
484 0x2c,0xff,0x56,0xc5, 0xd5,0x66,0x45,0x68,
485 0x35,0xe6,0xd2,0x9a, 0xe5,0xd0,0xc1,0xfb,
486 0xac,0x59,0x81,0x1a, 0x60,0xb0,0x3d,0x81,
487 0x4b,0xa3,0x5b,0xa9, 0xcc,0xb3,0xfe,0x2d,
488 0xc2,0x4d,0xd9,0x26, 0xad,0x36,0xcf,0x8c,
489 0x05,0x11,0x3b,0x8a, 0x99,0x15,0x81,0xc8,
490 0x23,0xf5,0x5a,0x94, 0x10,0x2f,0x92,0x80,
491 0x38,0xc5,0xb2,0x63, 0x80,0xd5,0xdc,0xa3,
492 0x6c,0x2f,0xaa,0x03, 0x96,0x4a,0x75,0x33,
493 0x4c,0xa8,0x60,0x05, 0x96,0xbf,0xe5,0x7a,
494 0xc8,0x4f,0x5c,0x22, 0xf9,0x92,0x74,0x4a,
495 0x75,0x5f,0xa2,0x2a, 0x8d,0x3f,0xe2,0x43,
496 0xfd,0xd9,0x04,0x8c, 0x8e,0xea,0x84,0xcc,
497 0x4d,0x3f,0x94,0x96, 0xed,0x1a,0x51,0xbb,
498 0x2f,0xc4,0x63,0x28, 0x31,0x0b,0xda,0x92,
499 0x1e,0x4d,0xe2,0x1d, 0x82,0xb5,0x65,0xb4,
500 0x75,0x69,0xd7,0x6f, 0x29,0xe4,0xbe,0x7e,
501 0xcc,0xbd,0x95,0xbd, 0x7a,0x62,0xea,0xfa,
502 0x33,0x34,0x80,0x58, 0xbf,0xfa,0x00,0x7e,
503 0xa7,0xb4,0xc9,0x32, 0x7c,0xc7,0x8f,0x8a,
504 0x28,0x27,0xdd,0xeb, 0xb9,0x1c,0x01,0xad,
505 0xec,0xf4,0x30,0x5e, 0xce,0x3b,0xaa,0x22,
506 0x60,0xbd,0x84,0xd9, 0x9e,0xaf,0xe8,0x4c,
507 0x44,0xb6,0x84,0x2d, 0x5c,0xe6,0x26,0xee,
508 0x8a,0xa2,0x0d,0xe3, 0x97,0xed,0xf5,0x47,
509 0xdb,0x50,0x72,0x4a, 0x5e,0x9a,0x8d,0x10,
510 0xc2,0x25,0xdd,0x5b, 0xd0,0x39,0xc4,0x5b,
511 0x2a,0x79,0x81,0xb7, 0x5c,0xda,0xed,0x77,
512 0x17,0x53,0xb5,0x8b, 0x1e,0x5f,0xf3,0x48,
513 0x30,0xac,0x97,0x7d, 0x29,0xe3,0xc9,0x18,
514 0xe1,0x2b,0x31,0xa0, 0x08,0xe9,0x15,0x59,
515 0x29,0xdb,0x84,0x2a, 0x33,0x98,0x8a,0xd4,
516 0xc3,0xfc,0xf7,0xca, 0x65,0x02,0x4d,0x9f,
517 0xe2,0xb1,0x5e,0xa6, 0x6a,0x01,0xf9,0xcf,
518 0x7e,0xa6,0x09,0xd9, 0x16,0x90,0x14,0x5f,
519 0x3a,0xf8,0xd8,0x34, 0x38,0xd6,0x1f,0x89,
520 0x0c,0x81,0xc2,0x68, 0xc4,0x65,0x78,0xf3,
521 0xfe,0x27,0x48,0x70, 0x38,0x43,0x48,0x5a,
522 0xc1,0x24,0xc5,0x6f, 0x65,0x63,0x1b,0xb0,
523 0x5b,0xb4,0x07,0x1e, 0x69,0x08,0x8f,0xfc,
524 0x93,0x29,0x04,0x16, 0x6a,0x8b,0xb3,0x3d,
525 0x0f,0xba,0x5f,0x46, 0xff,0xfe,0x77,0xa1,
526 0xb9,0xdc,0x29,0x66, 0x9a,0xd1,0x08,0xdd,
527 0x32,0xe3,0x21,0x7b, 0xcc,0x2e,0x5c,0xf7,
528 0x79,0x68,0xd4,0xc1, 0x8b,0x3c,0x5d,0x0e,
529 0xd4,0x26,0xa6,0x19, 0x92,0x45,0xf7,0x19,
530 0x0e,0xa2,0x17,0xd8, 0x1c,0x7f,0x8d,0xd6,
531 0x68,0x37,0x6c,0xbf, 0xb1,0x8a,0x5e,0x36,
532 0x4b,0xc0,0xca,0x21, 0x02,0x24,0x69,0x9b,
533 0x2b,0x19,0x0a,0x1b, 0xe3,0x17,0x30,0x57,
534 0xf6,0xfc,0xd6,0x66, 0x36,0x30,0xc2,0x11,
535 0x08,0x8d,0xc5,0x84, 0x67,0xa0,0x89,0xc3,
536 0x74,0x48,0x15,0xca, 0x6e,0x0c,0x6d,0x78,
537 0x66,0x15,0x73,0x85, 0xf9,0x8b,0xba,0xb2,
538 0x09,0xda,0x79,0xe6, 0x00,0x08,0x2a,0xda,
539 0x6b,0xd7,0xd1,0xa7, 0x8b,0x5f,0x11,0x87,
540 0x96,0x1b,0x23,0xb0, 0x6c,0x55,0xb6,0x86,
541 0xfb,0xff,0xe3,0x69, 0xac,0x43,0xcd,0x8f,
542 0x8a,0xe7,0x1c,0x3c, 0xa0,0x6a,0xd5,0x63,
543 0x80,0x66,0xd8,0x7f, 0xb5,0xb8,0x96,0xd4,
544 0xe2,0x20,0x40,0x53, 0x6d,0x0d,0x8b,0x6d,
545 0xd5,0x5d,0x51,0xfb, 0x4d,0x80,0x82,0x01,
546 0x14,0x97,0x96,0x9b, 0x13,0xb8,0x1d,0x76,
547 0x7a,0xa1,0xca,0x19, 0x90,0xec,0x7b,0xe0,
548 0x8e,0xa8,0xb4,0xf2, 0x33,0x67,0x0e,0x10,
549 0xb1,0xa2,0x82,0xea, 0x81,0x82,0xa2,0xc6,
550 0x78,0x51,0xa6,0xd3, 0x25,0xe4,0x9c,0xf2,
551 0x6b,0xa8,0xec,0xfb, 0xd4,0x1d,0x5b,0xa4,
552 0x79,0x66,0x62,0xb8, 0x2b,0x6f,0x9e,0x0f,
553 0xcc,0xcb,0x9e,0x92, 0x6f,0x06,0xdb,0xf0,
554 0x97,0xce,0x3f,0x90, 0xa2,0x1f,0xbe,0x3b,
555 0x7b,0x10,0xf0,0x23, 0x30,0x0c,0xc5,0x0c,
556 0x6c,0x78,0xfc,0xa8, 0x71,0x62,0xcf,0x98,
557 0xa2,0xb1,0x44,0xb5, 0xc6,0x3b,0x5c,0x63,
558 0x83,0x1d,0x35,0xf2, 0xc7,0x42,0x67,0x5d,
559 0xc1,0x26,0x36,0xc8, 0x6e,0x1d,0xf6,0xd5,
560 0x52,0x35,0xa4,0x9e, 0xce,0x4c,0x3b,0x92,
561 0x20,0x86,0xb7,0x89, 0x63,0x73,0x1a,0x8b,
562 0xa6,0x35,0xfe,0xb9, 0xdf,0x5e,0x0e,0x53,
563 0x0b,0xf2,0xb3,0x4d, 0x34,0x1d,0x66,0x33,
564 0x1f,0x08,0xf5,0xf5, 0x0a,0xab,0x76,0x19,
565 0xde,0x82,0x2f,0xcf, 0x11,0xa6,0xcb,0xb3,
566 0x17,0xec,0x8d,0xaf, 0xcb,0xf0,0x92,0x1e,
567 0xb8,0xa3,0x04,0x0a, 0xac,0x2c,0xae,0xc5,
568 0x0b,0xc4,0x4e,0xef, 0x0a,0xe2,0xda,0xe9,
569 0xd7,0x75,0x2d,0x95, 0xc7,0x1b,0xf3,0x0b,
570 0x43,0x19,0x16,0xd7, 0xc6,0x90,0x2d,0x6b,
571 0xe1,0xb2,0xce,0xbe, 0xd0,0x7d,0x15,0x99,
572 0x24,0x37,0xbc,0xb6, 0x8c,0x89,0x7a,0x8c,
573 0xcb,0xa7,0xf7,0x0b, 0x5f,0xd4,0x96,0x8d,
574 0xf5,0x80,0xa3,0xce, 0xf5,0x9e,0xed,0x60,
575 0x00,0x92,0xa5,0x67, 0xc9,0x21,0x79,0x0b,
576 0xfb,0xe2,0x57,0x0e, 0xdf,0xb6,0x16,0x90,
577 0xd3,0x75,0xf6,0xb0, 0xa3,0x4e,0x43,0x9a,
578 0xb7,0xf4,0x73,0xd8, 0x34,0x46,0xc6,0xbe,
579 0x80,0xec,0x4a,0xc0, 0x7f,0x9e,0xb6,0xb0,
580 0x58,0xc2,0xae,0xa1, 0xf3,0x60,0x04,0x62,
581 0x11,0xea,0x0f,0x90, 0xa9,0xea,0x6f,0x0c,
582 0x4c,0xcf,0xe8,0xd0, 0xea,0xbf,0xdb,0xf2,
583 0x53,0x0c,0x09,0x4d, 0xd4,0xed,0xf3,0x22,
584 0x10,0x99,0xc6,0x4f, 0xcf,0xcf,0x96,0xc9,
585 0xd9,0x6b,0x08,0x3b, 0xf0,0x62,0x2d,0xac,
586 0x55,0x38,0xd5,0x5c, 0x57,0xad,0x51,0xc3,
587 0xf5,0xd2,0x37,0x45, 0xb3,0x3f,0x6d,0xaf,
588 0x10,0x62,0x57,0xb9, 0x58,0x40,0xb3,0x3c,
589 0x6a,0x98,0x97,0x1a, 0x9c,0xeb,0x66,0xf1,
590 0xa5,0x93,0x0b,0xe7, 0x8b,0x29,0x0f,0xff,
591 0x2c,0xd0,0x90,0xf2, 0x67,0xa0,0x69,0xcd,
592 0xd3,0x59,0xad,0xad, 0xf1,0x1f,0xd7,0xad,
593 0x24,0x74,0x29,0xcd, 0x06,0xd5,0x42,0x90,
594 0xf9,0x96,0x4a,0xd9, 0xa0,0x37,0xe4,0x64,
595 0x8e,0x13,0x2a,0x2a, 0xe7,0xc2,0x1e,0xf6,
596 0xb2,0xd3,0xdc,0x9f, 0x33,0x32,0x0c,0x50,
597 0x88,0x37,0x8b,0x9b, 0xfe,0x6f,0xfd,0x05,
598 0x96,0x26,0x6c,0x96, 0x73,0x73,0xe1,0x09,
599 0x28,0xf3,0x7f,0xa6, 0x59,0xc5,0x2e,0xf4,
600 0xd3,0xd5,0xda,0x6b, 0xca,0x42,0x05,0xe5,
601 0xed,0x13,0xe2,0x4e, 0xcd,0xd5,0xd0,0xfb,
602 0x6e,0xf7,0x8a,0x3e, 0x91,0x9d,0x6b,0xc5,
603 0x33,0x05,0x07,0x86, 0xb2,0x26,0x41,0x6e,
604 0xf8,0x38,0x38,0x7a, 0xf0,0x6c,0x27,0x5a,
605 0x01,0xd8,0x03,0xe5, 0x91,0x33,0xaa,0x20,
606 0xcd,0xa7,0x4f,0x18, 0xa0,0x91,0x28,0x74,
607 0xc0,0x58,0x27,0x0f, 0x9b,0xa8,0x85,0xb0,
608 0xe0,0xfd,0x5b,0xdb, 0x5b,0xb8,0x86,0x79,
609 0x94,0x6d,0xde,0x26, 0x64,0x2d,0x6c,0xb9,
610 0xba,0xc7,0xf0,0xd7, 0xaa,0x68,0x68,0xd0,
611 0x40,0x71,0xdb,0x94, 0x54,0x62,0xa5,0x7f,
612 0x98,0xea,0xe3,0x4c, 0xe4,0x44,0x9a,0x03,
613 0xf9,0x1c,0x20,0x36, 0xeb,0x0d,0xa4,0x41,
614 0x24,0x06,0xcb,0x94, 0x86,0x35,0x22,0x62,
615 0x80,0x19,0x16,0xba, 0x2c,0x10,0x38,0x96,
616 },
617 .mlen = 16,
618 .m = {
619 0xd3,0x82,0xe7,0x04, 0x35,0xcc,0xf7,0xa4,
620 0xf9,0xb2,0xc5,0xed, 0x5a,0xd9,0x58,0xeb,
621 },
622 .h = {
623 0x41,0xd9,0xad,0x54, 0x5a,0x0d,0xcc,0x53,
624 0x48,0xf6,0x4c,0x75, 0x43,0x5d,0xdd,0x77,
625 0xda,0xca,0x7d,0xec, 0x91,0x3b,0x53,0x16,
626 0x5c,0x4b,0x58,0xdc, 0x70,0x0a,0x7b,0x37,
627 },
628 },
629 [1] = { /* 1008-byte message */
630 .k = {
631 0xd9,0x94,0x65,0xda, 0xc2,0x60,0xdd,0xa9,
632 0x39,0xe5,0x37,0x11, 0xf6,0x74,0xa5,0x95,
633 0x36,0x07,0x24,0x99, 0x64,0x6b,0xda,0xe2,
634 0xd5,0xd1,0xd2,0xd9, 0x25,0xd5,0xcc,0x48,
635 0xf8,0xa5,0x9e,0xff, 0x84,0x5a,0xd1,0x6f,
636 0xb7,0x6a,0x4d,0xd2, 0xc8,0x13,0x3d,0xde,
637 0x17,0xed,0x64,0xf1, 0x2b,0xcc,0xdd,0x65,
638 0x11,0x16,0xf2,0xaf, 0x34,0xd2,0xc5,0x31,
639 0xaa,0x69,0x33,0x0a, 0x0b,0xc1,0xb4,0x6d,
640 0xaa,0xcd,0x43,0xc4, 0x0b,0xef,0xf9,0x7d,
641 0x97,0x3c,0xa7,0x22, 0xda,0xa6,0x6a,0xf0,
642 0xad,0xe3,0x6f,0xde, 0xfb,0x33,0xf3,0xd8,
643 0x96,0x5f,0xca,0xda, 0x18,0x63,0x03,0xd0,
644 0x8f,0xb6,0xc4,0x62, 0x9d,0x50,0x6c,0x8f,
645 0x85,0xdd,0x6d,0x52, 0x2d,0x45,0x01,0x36,
646 0x57,0x9f,0x51,0xf0, 0x70,0xe0,0xb2,0x99,
647 0x3a,0x11,0x68,0xbd, 0xe5,0xfa,0x7c,0x59,
648 0x12,0x5a,0xbc,0xd9, 0xd6,0x9a,0x09,0xe6,
649 0xa2,0x80,0x1f,0xd6, 0x47,0x20,0x82,0x4e,
650 0xac,0xb5,0x6d,0xde, 0x5b,0xff,0x9c,0xd4,
651 0x2a,0xae,0x27,0x7c, 0x0f,0x5a,0x5d,0x35,
652 0x2d,0xff,0x07,0xf9, 0x79,0x6a,0xf9,0x3e,
653 0xd9,0x22,0x62,0x30, 0x40,0xce,0xe1,0xf4,
654 0x46,0x0a,0x24,0xca, 0x7a,0x3e,0xa1,0x92,
655 0x1a,0x29,0xa0,0xbf, 0x23,0x95,0x99,0x31,
656 0xe3,0x51,0x25,0x3d, 0xaf,0x1e,0xfc,0xb3,
657 0x65,0xa2,0x10,0x37, 0xe6,0xa7,0x20,0xa0,
658 0xe3,0x6a,0xd4,0x81, 0x2c,0x8d,0xa0,0x87,
659 0xec,0xae,0x9f,0x44, 0x10,0xda,0x2e,0x17,
660 0xba,0xb2,0xa5,0x5c, 0x89,0xc6,0xfa,0x70,
661 0x7e,0xc2,0xe3,0xb6, 0xa0,0x98,0x9c,0xb8,
662 0x14,0x33,0x27,0x3a, 0x6e,0x4d,0x94,0x72,
663 0x4b,0xc8,0xac,0x24, 0x2f,0x85,0xd9,0xa4,
664 0xda,0x22,0x95,0xc5, 0xb3,0xfc,0xbe,0xd2,
665 0x96,0x57,0x91,0xf9, 0xfd,0x18,0x9c,0x56,
666 0x70,0x15,0x5f,0xe7, 0x40,0x45,0x28,0xb3,
667 0x2b,0x56,0x44,0xca, 0x6a,0x2b,0x0e,0x25,
668 0x66,0x3e,0x32,0x04, 0xe2,0xb7,0x91,0xc8,
669 0xd2,0x02,0x79,0x0f, 0x7e,0xa9,0xb3,0x86,
670 0xb2,0x76,0x74,0x18, 0x57,0x16,0x63,0x06,
671 0x6e,0x16,0xfa,0xef, 0x52,0x3c,0x5e,0x0d,
672 0x33,0x55,0xd2,0x8d, 0x57,0x4d,0xfe,0x54,
673 0x65,0x7a,0x54,0x52, 0xf0,0x7b,0x2c,0xf8,
674 0xd5,0x43,0xba,0x92, 0xa5,0x2e,0xbe,0x1a,
675 0xce,0x25,0x4f,0x34, 0x31,0xe7,0xa3,0xff,
676 0x90,0xf6,0xbc,0x0c, 0xbc,0x98,0xdf,0x4a,
677 0xc3,0xeb,0xb6,0x27, 0x68,0xa9,0xb5,0x33,
678 0xbc,0x13,0xe8,0x13, 0x7c,0x6b,0xec,0x31,
679 0xd9,0x79,0x2a,0xa7, 0xe4,0x02,0x4f,0x02,
680 0xd4,0x5c,0x57,0x4f, 0xa4,0xbc,0xa3,0xe1,
681 0x7e,0x36,0x8a,0xde, 0x11,0x55,0xec,0xb3,
682 0x8b,0x65,0x06,0x02, 0x9a,0x68,0x06,0x64,
683 0x63,0xc7,0x9a,0x67, 0xdc,0x70,0xbf,0xb5,
684 0xf8,0x49,0x2a,0xe1, 0x59,0x4c,0xe4,0x1e,
685 0xb5,0x56,0xa5,0xad, 0x24,0x82,0x8c,0xd0,
686 0x66,0xe4,0x72,0x79, 0x02,0x5d,0x0d,0xf9,
687 0x19,0x44,0xe3,0x86, 0x1a,0xda,0xda,0xf0,
688 0x2d,0x47,0xc0,0x07, 0x47,0x0b,0xf8,0x06,
689 0xf6,0x45,0x8a,0x7f, 0xb9,0xf9,0x33,0x2e,
690 0xc2,0xf1,0xf1,0x81, 0x41,0x99,0xcd,0xf6,
691 0xb1,0x71,0x1b,0xfa, 0x21,0x53,0x7c,0xa1,
692 0xeb,0x2a,0x38,0x5b, 0x9b,0xfe,0x96,0xa5,
693 0xe3,0x78,0x77,0x47, 0x98,0x0f,0x7d,0xef,
694 0xf6,0x05,0x37,0x88, 0x79,0x0c,0x21,0x8d,
695 0x87,0x1f,0xae,0xce, 0x83,0xaf,0xa3,0xd6,
696 0x6e,0xc5,0x3c,0x47, 0xc6,0xd6,0x4a,0xdc,
697 0x7c,0xcc,0xdc,0x11, 0x7c,0x7d,0x0f,0x03,
698 0xc1,0x80,0x75,0x2a, 0x64,0x76,0xf0,0x08,
699 0x0c,0x11,0x4b,0xe4, 0x05,0x41,0x78,0x0f,
700 0x86,0xa0,0xd6,0x61, 0xb0,0xfb,0x15,0x3d,
701 0x3c,0xc3,0xd5,0x1b, 0x72,0x0e,0x79,0x53,
702 0x07,0xd2,0x2c,0x6e, 0x83,0xbd,0x72,0x88,
703 0x41,0x07,0x4b,0xd2, 0xe9,0xcc,0x2a,0x9d,
704 0x5b,0x82,0x0d,0x02, 0x29,0x6e,0xf3,0xbc,
705 0x34,0x31,0x62,0x8d, 0x83,0xc1,0x7e,0x94,
706 0x21,0xd5,0xfd,0xa6, 0x6a,0x2b,0xe8,0x86,
707 0x05,0x48,0x97,0x41, 0xad,0xca,0xef,0x79,
708 0x5e,0xd8,0x51,0xc4, 0xae,0xf7,0xfa,0xac,
709 0x3d,0x74,0x2e,0xf4, 0x41,0x3b,0x19,0xc2,
710 0x04,0xf3,0x40,0xfe, 0x77,0x7c,0x6a,0x4c,
711 0x8e,0x24,0x84,0xe0, 0x70,0xe4,0xb2,0x19,
712 0x6c,0x0c,0x85,0x9e, 0xe1,0xad,0xa4,0x73,
713 0x90,0xdd,0xbf,0x7d, 0x1b,0x6f,0x8b,0x4d,
714 0x3b,0xec,0xd7,0xb0, 0xd9,0x90,0xf1,0xf5,
715 0xb9,0x32,0xe3,0x79, 0x15,0x08,0x3e,0x71,
716 0xed,0x91,0xc4,0x5c, 0x18,0xe8,0x16,0x52,
717 0xae,0x9d,0xf3,0x09, 0xac,0x57,0x11,0xf8,
718 0x16,0x55,0xd0,0x28, 0x60,0xc1,0x7e,0x6d,
719 0x87,0xc1,0x7a,0xe8, 0x5d,0xc5,0x12,0x68,
720 0x6d,0x63,0x39,0x27, 0x49,0xb8,0x0c,0x78,
721 0x92,0xea,0x6f,0x52, 0xeb,0x43,0xc2,0x0b,
722 0xd8,0x28,0x77,0xe5, 0x43,0x5f,0xb8,0xa6,
723 0x32,0xb7,0xaa,0x01, 0x1e,0xa6,0xde,0xe4,
724 0x9b,0x0f,0xb6,0x49, 0xcc,0x6f,0x2c,0x04,
725 0x41,0xcb,0xd8,0x80, 0xd1,0x15,0x5e,0x57,
726 0x1e,0x4a,0x77,0xbf, 0xc4,0xcb,0x09,0x7c,
727 0x6e,0x81,0xb8,0x64, 0x51,0x6a,0xf2,0x71,
728 0x06,0xf6,0x00,0xac, 0x79,0x2c,0x83,0x7a,
729 0x6c,0xa4,0x85,0x89, 0x69,0x06,0x26,0x72,
730 0xe1,0x00,0x66,0xc0, 0xc5,0x8e,0xc8,0x51,
731 0x6e,0x25,0xdd,0xc9, 0x54,0x98,0x45,0x64,
732 0xaa,0x51,0x18,0x1b, 0xe4,0xbe,0x1b,0xee,
733 0x13,0xd6,0x34,0x50, 0x4c,0xcf,0x3c,0x31,
734 0x9b,0xd2,0x6f,0x07, 0x79,0xf4,0x63,0x3f,
735 0x09,0x01,0x64,0xf1, 0xc1,0xf1,0xae,0xa9,
736 0x0c,0x60,0xc9,0x62, 0x84,0xf6,0xe8,0x15,
737 0x55,0xdf,0xdd,0x71, 0x95,0xa9,0x0f,0x65,
738 0x97,0x40,0x79,0x86, 0x95,0xd9,0x57,0x23,
739 0x2f,0x61,0x51,0xb5, 0x16,0x18,0x62,0xd2,
740 0x1a,0xd9,0x8b,0x88, 0x84,0xa9,0x9b,0x47,
741 0xd7,0x22,0x68,0xe9, 0x9c,0x69,0x68,0x74,
742 0x13,0x95,0xd3,0x99, 0x33,0xdb,0x30,0x96,
743 0xbf,0x01,0xc6,0x68, 0xbd,0x19,0x32,0xc1,
744 0xf8,0xa9,0x7f,0x2b, 0xc5,0x69,0x2f,0xa2,
745 0xce,0x5a,0x46,0x43, 0x8d,0x36,0x9c,0xfa,
746 0x5c,0x7f,0x03,0xe0, 0x80,0xaa,0xc7,0x9e,
747 0x3b,0xa3,0x27,0x6b, 0x2e,0xc6,0x59,0x0a,
748 0xf6,0x36,0x37,0xa6, 0xc0,0xd1,0xa1,0xa1,
749 0x7e,0xc1,0xf8,0x5b, 0x0f,0x9b,0xdd,0x6d,
750 0x9f,0x54,0x16,0x6b, 0x6e,0x53,0xfd,0xe8,
751 0x72,0xd0,0x3e,0x46, 0xce,0xaf,0x94,0x36,
752 0x85,0xa8,0xae,0x4c, 0x8d,0xb5,0xc2,0x1b,
753 0x5d,0x29,0x46,0x40, 0x87,0x50,0x59,0xdd,
754 0x04,0xbe,0xba,0x8f, 0x0b,0x9b,0xd2,0x50,
755 0x67,0x19,0x83,0x80, 0x87,0x5c,0x58,0x86,
756 0x20,0x39,0xbf,0xdf, 0xd2,0xc8,0xbb,0xe8,
757 0xc8,0xd8,0xe8,0x8d, 0xcc,0x97,0xe0,0xc9,
758 0x6c,0x2f,0x47,0xb6, 0x75,0x8f,0x0d,0x37,
759 0x5a,0x83,0xb0,0xce, 0x59,0xc2,0x0b,0x84,
760 0xa2,0x54,0xe5,0x38, 0x59,0x29,0x0f,0xa8,
761 0x26,0x2d,0x11,0xa9, 0x89,0x0e,0x0b,0x75,
762 0xe0,0xbc,0xf0,0xf8, 0x92,0x1f,0x29,0x71,
763 0x91,0xc4,0x63,0xcc, 0xf8,0x52,0xb5,0xd4,
764 0xb8,0x94,0x6a,0x30, 0x90,0xf7,0x44,0xbe,
765 },
766 .mlen = 1008,
767 .m = {
768 0x05,0xe3,0x6f,0x44, 0xa4,0x40,0x35,0xf6,
769 0xeb,0x86,0xa9,0x6d, 0xed,0x16,0xdb,0xb6,
770 0x5b,0x59,0xda,0x30, 0x54,0x6c,0x59,0x35,
771 0x42,0x59,0x56,0x45, 0x9a,0x85,0x20,0x73,
772 0xcf,0x21,0xf5,0x98, 0x58,0x07,0x0e,0x7f,
773 0x44,0x1f,0xf1,0x53, 0x92,0xc7,0x81,0x53,
774 0x5e,0x97,0x8a,0x23, 0x1d,0xe8,0xad,0xca,
775 0x19,0x55,0x96,0x9d, 0x9b,0xfd,0x0a,0x0a,
776 0xad,0xa8,0x0f,0x76, 0xe2,0x6a,0x8f,0x33,
777 0x36,0xbf,0xcb,0x7a, 0xfd,0x61,0xc6,0xfb,
778 0x75,0xea,0xd4,0x09, 0x5e,0x70,0xfb,0x32,
779 0x54,0xe3,0x47,0x48, 0xd4,0x8c,0xa9,0x7c,
780 0x72,0xdb,0xdb,0xf7, 0x09,0x6d,0x58,0xa6,
781 0x42,0xb5,0x74,0x8c, 0x98,0x66,0x83,0x7a,
782 0x6d,0xeb,0x91,0xfb, 0x22,0x1c,0x78,0x3d,
783 0x22,0xa6,0xf8,0xb0, 0xd1,0x9f,0xc8,0x69,
784 0x8a,0xba,0xd3,0x78, 0x21,0xb0,0x7b,0x9f,
785 0xb8,0xed,0xe0,0x65, 0xff,0xa0,0x8b,0x4c,
786 0x17,0x9e,0xf7,0x3e, 0xa2,0x5f,0x82,0x77,
787 0xce,0x2a,0xda,0x41, 0x76,0x07,0x68,0xa4,
788 0xa1,0xbb,0xe0,0x1d, 0x7b,0xab,0x9c,0x03,
789 0x90,0x2c,0xd2,0x93, 0x46,0x43,0x3a,0x44,
790 0x29,0xe8,0xb5,0x7a, 0x23,0xbb,0xe9,0xaf,
791 0x2b,0x17,0x88,0x8f, 0x7a,0x81,0x7a,0x25,
792 0x3b,0xc7,0x1e,0x6e, 0xde,0x3e,0x54,0xbc,
793 0xc6,0xff,0x07,0xdc, 0xe6,0x29,0x02,0x4c,
794 0x95,0x57,0x0e,0x44, 0xc4,0x9c,0xc7,0x45,
795 0x01,0xd7,0x17,0xfd, 0x0f,0x1a,0x83,0x74,
796 0xa0,0xd5,0xb3,0x1a, 0xc0,0x97,0xdc,0xc3,
797 0x0f,0x3d,0x5d,0x8c, 0x02,0x58,0xc6,0x4d,
798 0x43,0x10,0xae,0xc9, 0x94,0xe2,0x9b,0xcd,
799 0xf9,0xcc,0xfe,0xbd, 0x9c,0x69,0xd0,0xec,
800 0xf8,0x67,0xde,0x98, 0xe5,0x50,0x5e,0x93,
801 0x6a,0x5b,0x31,0x2a, 0x62,0xee,0x03,0xbe,
802 0x76,0x9c,0x1d,0x13, 0x16,0x13,0xcf,0x63,
803 0x30,0x18,0x7d,0x1e, 0x55,0x94,0xf5,0x29,
804 0xb4,0x91,0xb4,0x76, 0x1c,0x31,0x9e,0xe5,
805 0x1b,0x0a,0xee,0x89, 0xb4,0xd9,0x45,0x19,
806 0xd7,0x47,0x2c,0x01, 0x20,0xe6,0x1d,0x7c,
807 0xb3,0x5e,0x1b,0x2a, 0x8c,0x3d,0x4d,0x1a,
808 0x6b,0x35,0x84,0x41, 0x6a,0xe4,0x32,0x8f,
809 0x9a,0x0d,0xbf,0x90, 0xff,0xcf,0x4c,0xfb,
810 0x9b,0x07,0x81,0x94, 0xcf,0x8e,0x1a,0x8a,
811 0xfc,0xbd,0x91,0xfe, 0xc3,0xe1,0x18,0xc7,
812 0x1f,0x0d,0x8e,0x1c, 0x2e,0xfc,0x02,0xe8,
813 0x39,0xbf,0x05,0x90, 0x58,0x94,0xee,0xe7,
814 0x15,0x31,0x5d,0x9f, 0x68,0x36,0x64,0x32,
815 0x25,0x49,0xdd,0x3e, 0xc8,0xb6,0x83,0x5e,
816 0x09,0x90,0xcd,0x48, 0xaf,0x9e,0xfe,0xd6,
817 0x79,0x8e,0x69,0x4b, 0x94,0xd5,0xf4,0x84,
818 0x7b,0xce,0xea,0x2f, 0x9b,0x79,0x7a,0x7c,
819 0x22,0x28,0x4d,0xa1, 0x38,0x1a,0x66,0x24,
820 0x79,0xa3,0xfa,0xfa, 0x8d,0x98,0x7c,0x54,
821 0x71,0x54,0xef,0x37, 0xa6,0xf1,0x97,0x54,
822 0xad,0xe7,0x67,0xa0, 0xf3,0x33,0xcf,0x4f,
823 0x4e,0xa3,0x47,0xee, 0x31,0xd3,0x98,0xf9,
824 0x7f,0x9f,0x44,0x18, 0x2f,0x13,0x1b,0x44,
825 0x57,0xcd,0x15,0x5b, 0xde,0x8f,0x1a,0x3c,
826 0xb5,0x1e,0xa7,0x2d, 0x4d,0xbe,0x85,0x08,
827 0x78,0xeb,0xe2,0x35, 0x3a,0xbe,0x55,0x6b,
828 0xc3,0xe1,0x0f,0x77, 0x43,0x41,0x11,0x5a,
829 0x61,0xc9,0x3b,0xbc, 0xad,0x88,0x9e,0xba,
830 0xc6,0xd2,0xdc,0x87, 0xd9,0x54,0xcc,0x86,
831 0x46,0xe6,0xa5,0x29, 0x2c,0x08,0x49,0x53,
832 0x2c,0xe3,0x0e,0x60, 0xc5,0x48,0xca,0x62,
833 0x3f,0xf6,0x93,0xc1, 0xba,0x8d,0x36,0x49,
834 0xe7,0x0f,0x9c,0x49, 0x7d,0xee,0x2a,0x22,
835 0xc3,0xe5,0x11,0x21, 0xfa,0xc7,0xeb,0x79,
836 0xcc,0x4d,0x75,0x4e, 0x66,0x33,0xf5,0x09,
837 0xa3,0xb9,0x60,0xa5, 0xd6,0xbd,0x38,0x75,
838 0x0c,0x2f,0x5f,0x1f, 0xea,0xa5,0x9d,0x45,
839 0x3c,0xe4,0x41,0xb8, 0xf6,0x4e,0x15,0x87,
840 0x0b,0x7f,0x42,0x4e, 0x51,0x3d,0xc4,0x9a,
841 0xb2,0xca,0x37,0x16, 0x0f,0xed,0x9e,0x0b,
842 0x93,0x86,0x12,0x93, 0x36,0x5e,0x39,0xc4,
843 0xf0,0xf4,0x48,0xdb, 0xeb,0x18,0x5e,0x50,
844 0x71,0x30,0x83,0xe5, 0x0f,0xb1,0x73,0xa7,
845 0xc6,0xf0,0xca,0x29, 0x0e,0xc4,0x07,0x5b,
846 0x8b,0x09,0x68,0x68, 0x10,0x32,0x92,0x62,
847 0x6a,0x6c,0x56,0x8b, 0x01,0x46,0x9a,0x20,
848 0x89,0xe0,0x93,0x85, 0x8c,0x53,0x87,0xf6,
849 0x02,0xd3,0x8d,0x72, 0x31,0x35,0xa1,0x34,
850 0x63,0x70,0x61,0x80, 0x06,0xf1,0x54,0xb3,
851 0x5d,0xdf,0xad,0x9c, 0x7e,0x3a,0xc2,0x8f,
852 0x76,0x8b,0x4c,0x74, 0x2c,0x8c,0x6f,0x0a,
853 0x60,0x13,0xa8,0xce, 0x4c,0x49,0x70,0x90,
854 0x59,0x57,0xf5,0x7b, 0x03,0x94,0x37,0x87,
855 0xfa,0xfe,0xeb,0xe7, 0x2d,0x01,0x45,0x69,
856 0xb4,0x10,0x80,0x6d, 0x13,0x26,0xe3,0x9b,
857 0x49,0x2a,0x0b,0xb1, 0x36,0xf9,0x62,0x63,
858 0x33,0x2a,0xee,0x51, 0x5e,0x35,0xa4,0x2e,
859 0x34,0xa1,0x77,0xac, 0x27,0x99,0x03,0xc6,
860 0xe2,0x83,0x11,0x72, 0x77,0x30,0x8b,0xb7,
861 0xde,0x1a,0xa1,0x4b, 0xa9,0x9c,0x07,0x02,
862 0xf2,0xdc,0x06,0x45, 0xf2,0xab,0x31,0x46,
863 0x50,0x25,0x34,0x54, 0xa8,0x06,0x88,0x6c,
864 0xfc,0x88,0xb5,0xae, 0x30,0xbd,0xe1,0xe7,
865 0xfe,0x51,0x46,0x05, 0x9a,0x29,0xd9,0x93,
866 0x99,0x60,0x69,0x4a, 0x5c,0xb2,0x29,0x6b,
867 0xa1,0xbb,0x9d,0xe4, 0x9b,0x7d,0x4a,0xe5,
868 0x37,0xcb,0x16,0x6f, 0x44,0x93,0xe4,0x71,
869 0x34,0x7b,0x54,0xec, 0x5b,0x2b,0xe0,0xf7,
870 0x32,0xed,0x77,0xa6, 0xb3,0x7c,0x8d,0x1a,
871 0xc0,0x57,0xbe,0x2b, 0x6d,0x7f,0xd7,0x35,
872 0xe6,0x93,0xed,0x90, 0x26,0xfe,0x41,0xf3,
873 0x58,0x55,0x03,0xb7, 0xb2,0x94,0xe2,0x0c,
874 0x34,0xc3,0x06,0xc6, 0x9e,0x4b,0x17,0xc7,
875 0xb9,0x58,0x23,0x58, 0xd3,0x73,0x18,0x5e,
876 0xcf,0x28,0xac,0x90, 0xa0,0xba,0x35,0x90,
877 0x96,0xb3,0xc7,0x6c, 0xe1,0x07,0xdf,0x5d,
878 0xaa,0x2c,0xa6,0x6b, 0x82,0x2d,0x71,0x66,
879 0xb7,0x76,0x37,0xdb, 0x39,0x7f,0x22,0x8f,
880 0x38,0x70,0xd4,0xeb, 0xf8,0xf0,0x73,0xed,
881 0xb6,0x67,0x75,0xaf, 0xd7,0x5d,0x01,0x01,
882 0xc4,0xd6,0x7c,0xbc, 0xc3,0xe6,0xad,0x9a,
883 0x9c,0x6a,0x43,0x9b, 0xfb,0x34,0x55,0x47,
884 0xcd,0xeb,0x4e,0x2c, 0x29,0x6f,0xb0,0xeb,
885 0xb5,0x08,0xdb,0x6b, 0x40,0x26,0x51,0x54,
886 0x5a,0x97,0x64,0x74, 0x95,0xe6,0xae,0x8a,
887 0x4c,0xe9,0x44,0x47, 0x85,0xd6,0xcf,0xe0,
888 0x11,0x65,0x45,0xb3, 0xe1,0xfc,0x6a,0x01,
889 0x38,0x40,0x8a,0x71, 0xc5,0xd6,0x64,0xa8,
890 0x36,0x95,0x44,0x9c, 0x10,0x41,0xa3,0x71,
891 0xb4,0x70,0x02,0xdf, 0xf9,0xad,0x2b,0xec,
892 0x75,0xf7,0x09,0x6c, 0x5d,0x2a,0xd0,0x0b,
893 0x2e,0xb3,0xf0,0xd3, 0xce,0xdb,0x26,0x80,
894 },
895 .h = {
896 0x2d,0xb3,0x7e,0x73, 0xde,0x6a,0x9e,0xa9,
897 0x54,0x9a,0x0f,0xb3, 0x0b,0xcc,0xc9,0xde,
898 0x7a,0x4e,0x4a,0x71, 0x07,0x33,0xee,0x06,
899 0x5c,0x9a,0xa1,0x30, 0x5e,0x39,0x4e,0x10,
900 },
901 },
902 [2] = { /* 1024-byte message */
903 .k = {
904 0x4c,0xe4,0x3c,0x6e, 0xa0,0xe3,0x0e,0x64,
905 0x35,0x44,0x3e,0x0b, 0x4d,0x29,0xbe,0x04,
906 0xa7,0xaa,0x88,0xe0, 0xe0,0x07,0x7d,0xa8,
907 0x2b,0x87,0x7d,0x08, 0xa6,0x59,0xd0,0xa5,
908 0x03,0xae,0x9b,0xee, 0xd4,0x11,0x39,0x7d,
909 0x9e,0x1d,0x89,0xe3, 0xc6,0x92,0x36,0x07,
910 0xa4,0x43,0xad,0x2f, 0xd5,0x71,0x84,0x2d,
911 0xc0,0x37,0xed,0x62, 0x4e,0x2b,0x8c,0xd5,
912 0x1d,0xf7,0x00,0xbb, 0x3d,0x5e,0xcc,0xc5,
913 0x6d,0xdd,0x17,0xf2, 0x89,0x25,0x30,0x16,
914 0x04,0xd7,0x1f,0x84, 0x7d,0x61,0xa0,0x7a,
915 0x49,0x88,0x44,0x46, 0xc6,0x05,0xd1,0xc9,
916 0xa0,0x2a,0x86,0xdd, 0xd3,0x80,0x40,0xa4,
917 0x28,0xb3,0xa4,0x3b, 0x71,0x0a,0x7f,0x2d,
918 0x3b,0xcd,0xe6,0xac, 0x59,0xda,0x43,0x56,
919 0x6e,0x9a,0x3f,0x1e, 0x82,0xcf,0xb3,0xa0,
920 0xa1,0x46,0xcf,0x2e, 0x32,0x05,0xcd,0x68,
921 0xbb,0x51,0x71,0x8a, 0x16,0x75,0xbe,0x49,
922 0x7e,0xb3,0x63,0x30, 0x95,0x34,0xe6,0x85,
923 0x7e,0x9a,0xdd,0xe6, 0x43,0xd6,0x59,0xf8,
924 0x6a,0xb8,0x8f,0x5f, 0x5d,0xd9,0x55,0x41,
925 0x12,0xf9,0x98,0xc6, 0x93,0x7c,0x3f,0x46,
926 0xab,0x7c,0x8b,0x28, 0xde,0x9a,0xb1,0xf0,
927 0x6c,0x43,0x2a,0xb3, 0x70,0xc5,0x9d,0xc0,
928 0x26,0xcf,0xad,0x9c, 0x87,0x9b,0x3f,0x7c,
929 0x24,0xac,0xe7,0xd4, 0xe8,0x14,0xe3,0x3e,
930 0xf6,0x8a,0x97,0x87, 0x63,0x2c,0x88,0xdc,
931 0xc5,0x23,0x68,0x6e, 0x94,0xe1,0x09,0xc4,
932 0x44,0xda,0x8f,0xa7, 0x9f,0xc4,0x52,0xa4,
933 0x18,0x1d,0x3c,0x08, 0xca,0x0a,0x3e,0xb4,
934 0xbf,0xbe,0xc6,0x47, 0xe2,0x89,0x2b,0x07,
935 0x71,0xd9,0xc8,0x6a, 0x06,0xd5,0xd0,0x47,
936 0x4e,0x07,0x4f,0x6b, 0xdb,0xdf,0x3d,0xf0,
937 0x7c,0x5f,0x49,0x70, 0x17,0x4f,0x9f,0x33,
938 0x7e,0x4b,0x72,0x3b, 0x8c,0x68,0x22,0xf9,
939 0xd2,0xad,0xe4,0xe4, 0xb2,0x61,0x9d,0xb8,
940 0xc2,0x5c,0xf0,0x3b, 0x08,0xb2,0x75,0x30,
941 0x3a,0xd0,0x7d,0xf9, 0xb2,0x00,0x40,0x56,
942 0x79,0xe2,0x0d,0x31, 0x72,0xe2,0xc2,0xd1,
943 0x2e,0x27,0xe7,0xc8, 0x96,0x1a,0xc6,0x7e,
944 0xb8,0xc1,0x93,0xfb, 0x1d,0xbc,0xed,0x97,
945 0x2f,0x2f,0xea,0xa1, 0x40,0x49,0xf6,0x1d,
946 0xab,0x54,0x46,0x2e, 0x73,0xf2,0x74,0xf1,
947 0x6d,0x5c,0xe6,0xa0, 0xd4,0x73,0x1c,0xbc,
948 0x07,0x81,0xf5,0x94, 0xe6,0x18,0xdc,0x42,
949 0x68,0xb9,0xeb,0xfb, 0xa3,0x76,0x8c,0x83,
950 0x98,0xe9,0x96,0xa6, 0xa6,0x5e,0x0e,0xd1,
951 0xfc,0xb7,0x8e,0x8b, 0x9e,0xa4,0x00,0x76,
952 0x0e,0x35,0x92,0x5e, 0x05,0xa1,0x92,0xc4,
953 0x0c,0xd1,0xec,0x8c, 0x04,0x8e,0x65,0x56,
954 0x43,0xae,0x16,0x18, 0x2e,0x3e,0xfe,0x47,
955 0x92,0xe1,0x76,0x1b, 0xb6,0xcc,0x0b,0x82,
956 0xe1,0x8c,0x7b,0x43, 0xe4,0x90,0xed,0x28,
957 0x0b,0xe6,0x05,0xea, 0x4a,0xc0,0xf1,0x12,
958 0x54,0x09,0x93,0xda, 0xfc,0xf4,0x86,0xff,
959 0x4c,0xaa,0x7d,0xbe, 0xd0,0x4a,0xa6,0x9d,
960 0x6b,0x27,0x8f,0xb1, 0xb5,0x3a,0x9b,0xce,
961 0xe2,0x5c,0x29,0x35, 0xd6,0xe7,0xf3,0xa4,
962 0x5e,0x70,0xf6,0xc6, 0xde,0x63,0x86,0xf7,
963 0xc9,0xab,0x42,0xb9, 0xe7,0x5d,0x1c,0x68,
964 0x73,0xa3,0xed,0xb0, 0xa0,0xb6,0x18,0x15,
965 0xe6,0x57,0x4c,0x21, 0xf7,0xf3,0xc6,0x32,
966 0x4d,0x07,0x4a,0x14, 0xde,0xb2,0xc7,0xca,
967 0xf0,0x78,0xc4,0x85, 0xe3,0xdc,0xfb,0x35,
968 0x7c,0x6b,0xc0,0xb8, 0xcd,0x7a,0x22,0xfc,
969 0xe4,0xe8,0xe2,0x98, 0x6c,0x8e,0xdf,0x37,
970 0x8e,0x0f,0x25,0x23, 0xdd,0xea,0x40,0x6f,
971 0xb3,0x07,0x7e,0x7a, 0x6b,0xa1,0xa1,0xcf,
972 0x24,0xd9,0xad,0x72, 0x7a,0x45,0x49,0xca,
973 0xfe,0xc7,0x2e,0x6d, 0xaa,0xc1,0x08,0x2c,
974 0xe6,0xde,0xde,0x73, 0x01,0x9c,0xdc,0x65,
975 0x3a,0xdf,0xc6,0x15, 0x37,0x62,0x0b,0x2c,
976 0x9a,0x36,0xed,0x37, 0xd9,0xfc,0xa9,0xb3,
977 0x32,0xc3,0xde,0x26, 0xe7,0xf0,0x3f,0x02,
978 0xed,0x35,0x74,0xea, 0xdd,0x32,0xe9,0x96,
979 0x75,0x66,0xb8,0xf0, 0x75,0x98,0x8f,0x3a,
980 0xd0,0xc2,0xa1,0x98, 0x5f,0xf9,0x32,0x31,
981 0x00,0x18,0x7d,0xc5, 0x9d,0x15,0x5b,0xdc,
982 0x13,0x37,0x69,0xfc, 0x95,0x7a,0x62,0x0e,
983 0x8a,0x86,0xed,0x18, 0x78,0x3c,0x49,0xf4,
984 0x18,0x73,0xcd,0x2e, 0x7b,0xa3,0x40,0xd7,
985 0x01,0xf6,0xc7,0x2a, 0xc5,0xce,0x13,0x09,
986 0xb1,0xe5,0x25,0x17, 0xdf,0x9d,0x7e,0x0b,
987 0x50,0x46,0x62,0x78, 0xb5,0x25,0xb2,0xd9,
988 0x65,0xfa,0x5b,0xf7, 0xfe,0xc6,0xe0,0x7b,
989 0x7b,0x4e,0x14,0x2e, 0x0d,0x3a,0xd0,0xe0,
990 0xa0,0xd2,0xeb,0x4d, 0x87,0x11,0x42,0x28,
991 0x02,0x7e,0xa8,0x56, 0x5b,0x53,0xbd,0x76,
992 0x47,0x8f,0x5f,0x8b, 0xc7,0xd9,0x72,0xf7,
993 0x11,0xbb,0x94,0xdb, 0x0d,0x07,0xb7,0x0a,
994 0xcc,0x41,0x00,0xcd, 0xd0,0x50,0x25,0x31,
995 0xc9,0x47,0x6b,0xdd, 0x3f,0x70,0x24,0x3e,
996 0xde,0x02,0x62,0x6c, 0xb4,0x44,0x92,0x8e,
997 0x98,0x9c,0x0e,0x30, 0x2f,0x80,0xb9,0x5e,
998 0x75,0x90,0xa6,0x02, 0xf0,0xed,0xb0,0x8b,
999 0x44,0xa3,0x59,0x2d, 0xc3,0x08,0xe5,0xd9,
1000 0x89,0x6a,0x71,0x44, 0x04,0xc4,0xb2,0x61,
1001 0x5b,0xf5,0x46,0x44, 0xdc,0x36,0x2e,0xfd,
1002 0x41,0xf5,0xa1,0x3a, 0xb3,0x93,0x74,0x7d,
1003 0x54,0x5e,0x64,0xdc, 0xbc,0xd7,0x07,0x48,
1004 0x3e,0x73,0x81,0x22, 0x9c,0x5a,0xf6,0xde,
1005 0x94,0x42,0xe1,0x6c, 0x92,0xe7,0x6d,0xa0,
1006 0x5e,0xc3,0xd6,0xe9, 0x84,0xd9,0xba,0x57,
1007 0xef,0x85,0x6a,0x9b, 0xe6,0x9a,0x2b,0xf8,
1008 0x8d,0xfe,0x9d,0xad, 0x70,0x26,0x05,0x14,
1009 0x45,0x07,0xcb,0x72, 0xd4,0x8b,0x14,0x44,
1010 0x74,0x40,0x9c,0x29, 0x8b,0xba,0x40,0x09,
1011 0x52,0xfc,0xc5,0x40, 0xb1,0x25,0x69,0xaa,
1012 0x8f,0x12,0xc4,0xc6, 0x2b,0x3f,0x73,0x9d,
1013 0xff,0x52,0xd4,0xac, 0x77,0x43,0xdc,0xd2,
1014 0x06,0x9a,0x1b,0xfc, 0x0c,0x8f,0x6b,0x59,
1015 0xa5,0xd4,0xde,0x06, 0x16,0x34,0xef,0x75,
1016 0x22,0x54,0x9c,0x53, 0x38,0x0b,0x57,0xc7,
1017 0xaa,0x78,0x2d,0x3a, 0x9b,0xdd,0xed,0xb5,
1018 0x0b,0xb0,0x08,0x5f, 0x57,0xdb,0xfc,0xbe,
1019 0x44,0xfd,0x71,0x5f, 0x71,0x14,0xd5,0x14,
1020 0x70,0xb6,0xee,0xd0, 0xf3,0x37,0x6f,0x57,
1021 0x55,0x3c,0x7c,0x23, 0x6f,0xbe,0x83,0x5c,
1022 0xb5,0x64,0xfd,0x6d, 0x7c,0xe4,0x05,0x2b,
1023 0xdb,0xc4,0xf5,0xa0, 0xd3,0xa6,0x15,0x48,
1024 0xc2,0x50,0xf8,0xf7, 0xc2,0xab,0xb5,0x6a,
1025 0x0d,0x1a,0xb5,0x30, 0x33,0xf8,0x12,0x2d,
1026 0xfb,0xa6,0x2e,0xe5, 0xbe,0x40,0xba,0x48,
1027 0xef,0x05,0xc8,0x37, 0x3a,0x36,0xad,0x99,
1028 0x77,0x87,0x84,0xac, 0xd8,0xcb,0x7a,0x88,
1029 0x3e,0x2d,0x8b,0xbe, 0x9a,0x35,0x88,0x26,
1030 0xe9,0x20,0xd4,0x66, 0x80,0x8b,0xf8,0x54,
1031 0xba,0xcd,0xa8,0x47, 0x35,0x1b,0xc4,0x09,
1032 0x6d,0xff,0x0e,0x60, 0x7c,0xf3,0x68,0xbf,
1033 0xe3,0xe9,0x73,0x07, 0x84,0xf0,0x08,0x45,
1034 0x97,0x65,0x94,0xd1, 0x35,0x4e,0x67,0x0c,
1035 0xe3,0xb7,0x61,0x7b, 0x09,0x22,0xed,0x18,
1036 0xee,0x0b,0x54,0xc0, 0xab,0x8b,0xaa,0x71,
1037 0x4c,0x40,0xbf,0xf7, 0xe0,0x7e,0x08,0xaa,
1038 },
1039 .mlen = 1024,
1040 .m = {
1041 0x1d,0xea,0xe5,0x2b, 0x4c,0x22,0x4d,0xf3,
1042 0x15,0x53,0xcb,0x41, 0xf5,0xcf,0x0b,0x7b,
1043 0xc9,0x80,0xc0,0x95, 0xd2,0x7b,0x08,0x4b,
1044 0x3d,0xcd,0xd8,0x3b, 0x2f,0x18,0xd4,0x70,
1045 0x38,0xb2,0xa7,0x2f, 0x7f,0xba,0xd8,0xed,
1046 0xbc,0x8f,0xac,0xe4, 0xe2,0x11,0x2d,0x6d,
1047 0xe6,0xa4,0x36,0x90, 0xc2,0x7f,0xdf,0xe3,
1048 0xdc,0x50,0xdb,0x6c, 0x56,0xcf,0x7d,0xd6,
1049 0xd0,0xcb,0xd6,0x9b, 0x01,0xbb,0xef,0x1c,
1050 0x0a,0x6c,0x92,0x23, 0xeb,0x77,0xf9,0xd1,
1051 0x25,0xdc,0x94,0x30, 0x30,0xa4,0x96,0x3e,
1052 0xdf,0x52,0x4c,0xe7, 0xdf,0x27,0x9f,0x73,
1053 0x78,0x0c,0x8c,0x7f, 0x9d,0xae,0x79,0x5d,
1054 0x91,0x5e,0x4b,0x02, 0xa9,0x31,0x9c,0xff,
1055 0x46,0x73,0xec,0x0d, 0x5a,0xb8,0xeb,0x48,
1056 0x19,0x9c,0x44,0xe0, 0xc8,0x81,0x96,0x4c,
1057 0x47,0x0c,0xe7,0x1d, 0x2a,0x9c,0xd5,0xe0,
1058 0xe7,0xd6,0xa0,0x88, 0xf0,0xf6,0xda,0xa7,
1059 0x6a,0xdd,0xfd,0x4f, 0x00,0x6e,0x25,0x7d,
1060 0xb9,0x81,0x19,0x2f, 0x4e,0xcc,0x8d,0x6e,
1061 0xa6,0x92,0xcf,0xd8, 0x6e,0x78,0x0a,0xf6,
1062 0x8a,0x43,0xeb,0x60, 0x0c,0x8b,0x93,0x50,
1063 0x88,0xd1,0x67,0x05, 0x0c,0xdc,0x43,0x85,
1064 0x50,0x91,0x63,0xa4, 0x32,0x14,0x66,0x84,
1065 0xdb,0x04,0x9f,0x77, 0x95,0x60,0x19,0xc6,
1066 0x98,0x60,0x62,0xe4, 0xc6,0xee,0x70,0x76,
1067 0xb0,0x59,0x80,0x59, 0x46,0xae,0x99,0x26,
1068 0x62,0x4a,0xf0,0x45, 0x8f,0xf0,0x70,0x5b,
1069 0x52,0xfc,0xee,0x4d, 0x30,0x47,0xc8,0xae,
1070 0xe2,0xbc,0x2c,0x73, 0x78,0x67,0xf1,0x00,
1071 0xb4,0xda,0x01,0xad, 0x3b,0xc4,0x5c,0x6c,
1072 0x65,0xca,0x84,0x22, 0x95,0x32,0x95,0x20,
1073 0x4d,0xdc,0x96,0x2e, 0x61,0xe4,0xc8,0xec,
1074 0x2d,0xbf,0xc1,0x5d, 0x70,0xf9,0x75,0xf2,
1075 0xad,0x0a,0xc9,0xd7, 0x0a,0x81,0x3c,0xa1,
1076 0x13,0xec,0x63,0xd4, 0xd0,0x67,0xf4,0xcc,
1077 0x6e,0xb8,0x52,0x08, 0x46,0xc9,0x2a,0x92,
1078 0x59,0xd9,0x14,0x17, 0xde,0x2f,0xc7,0x36,
1079 0xd5,0xd5,0xfc,0x8a, 0x63,0xd5,0x5f,0xe3,
1080 0xdd,0x55,0x00,0x8e, 0x5e,0xc9,0xed,0x04,
1081 0x1d,0xeb,0xae,0xc5, 0xd0,0xf9,0x73,0x28,
1082 0xf3,0x81,0xd5,0xb4, 0x60,0xb2,0x42,0x81,
1083 0x68,0xf3,0xb9,0x73, 0x07,0x2e,0x34,0x8e,
1084 0x47,0x12,0xae,0x7c, 0xa8,0xc2,0xce,0xad,
1085 0x0f,0x6e,0x44,0xa5, 0x35,0x5e,0x61,0x6b,
1086 0xfc,0x67,0x9c,0x82, 0xa1,0xd2,0xff,0xfe,
1087 0x60,0x7c,0x40,0x02, 0x24,0x9e,0x8b,0x90,
1088 0xa0,0x89,0xd9,0x83, 0x04,0xd8,0xef,0x9c,
1089 0x96,0x28,0x77,0x3e, 0xe3,0xb0,0xf8,0x3d,
1090 0xfb,0x91,0x8f,0x6f, 0x83,0x58,0x1e,0x4b,
1091 0x64,0xc7,0xf6,0xe0, 0x85,0x03,0xe3,0xf9,
1092 0x6b,0xc9,0x9e,0x9d, 0x57,0x25,0xe4,0x69,
1093 0x08,0x59,0x28,0x4a, 0x52,0x9c,0x49,0x19,
1094 0x24,0x49,0xba,0xb1, 0x82,0xd4,0xcf,0xd0,
1095 0x1e,0x1d,0xc2,0x02, 0x42,0x4e,0xdf,0xf7,
1096 0x2b,0x3d,0x99,0xf6, 0x99,0xa4,0x3a,0xe1,
1097 0x9d,0x68,0xc8,0x08, 0xec,0xec,0x1c,0xa8,
1098 0x41,0x4a,0x27,0x84, 0xe9,0x0d,0x95,0x54,
1099 0x1a,0xca,0x5f,0x5d, 0x5a,0x96,0xb9,0x5b,
1100 0x6e,0xbc,0x39,0x7f, 0x7a,0x20,0xc5,0xb2,
1101 0x60,0x0c,0xa3,0x78, 0xc3,0x2b,0x87,0xcc,
1102 0xea,0xb0,0x4d,0x27, 0xfb,0x6c,0x58,0x51,
1103 0xce,0x90,0xca,0xd6, 0x86,0x91,0x4d,0x2c,
1104 0x8c,0x82,0xf0,0xc9, 0x9a,0x0a,0x73,0xb3,
1105 0xcb,0xa9,0xd4,0x26, 0x4d,0x74,0xbe,0x0e,
1106 0x4a,0x6e,0x10,0xeb, 0x4e,0xba,0x4e,0xba,
1107 0x0d,0x26,0x69,0x87, 0x5e,0x08,0x2b,0x43,
1108 0xbe,0x97,0x4e,0x2a, 0x63,0xbc,0x52,0xb7,
1109 0xda,0x23,0x23,0x11, 0xfa,0xcf,0x89,0xac,
1110 0x90,0x5f,0x60,0x7a, 0x50,0xb7,0xbe,0x79,
1111 0x0b,0x2c,0xf0,0x27, 0xf0,0xfb,0xaf,0x64,
1112 0xc8,0x57,0x7c,0xeb, 0x1c,0xf7,0x36,0xec,
1113 0x09,0x97,0x66,0x31, 0x54,0xe4,0x00,0xcf,
1114 0x68,0x24,0x77,0x1a, 0xbc,0x27,0x3a,0xad,
1115 0x8a,0x01,0x7e,0x45, 0xe7,0xe4,0xa4,0xeb,
1116 0x38,0x62,0x9d,0x90, 0xea,0x00,0x9c,0x03,
1117 0x5e,0xb2,0x7d,0xd8, 0x2f,0xe9,0xc9,0x3c,
1118 0x1a,0x5c,0x21,0x1a, 0x59,0x45,0x62,0x47,
1119 0x93,0x1b,0xdc,0xd8, 0x3e,0x07,0x8b,0x75,
1120 0xd0,0x6d,0xcc,0x8d, 0xec,0x79,0xa8,0x9a,
1121 0x51,0xa5,0x50,0x18, 0xae,0x44,0x93,0x75,
1122 0xc1,0xc8,0x1e,0x10, 0x59,0x1e,0x0b,0xb3,
1123 0x06,0x30,0xa8,0x66, 0x8d,0x8e,0xd6,0x4d,
1124 0x0d,0x8a,0xb4,0x28, 0xdc,0xfb,0x5d,0x59,
1125 0xe0,0x92,0x77,0x38, 0xfa,0xad,0x46,0x46,
1126 0x25,0x15,0x4c,0xca, 0x09,0x2b,0x31,0xe9,
1127 0x36,0xe8,0xc2,0x67, 0x34,0x4d,0x5e,0xa0,
1128 0x8f,0x9a,0xe8,0x7f, 0xf2,0x2a,0x92,0x78,
1129 0xde,0x09,0x75,0xe7, 0xe5,0x50,0x0a,0x2e,
1130 0x88,0x63,0xc0,0x8f, 0xa8,0x73,0x0f,0xe5,
1131 0x1e,0x9d,0xdb,0xce, 0x53,0xe0,0x42,0x94,
1132 0x7b,0x5c,0xa1,0x5e, 0x1e,0x8f,0x0a,0x6e,
1133 0x8b,0x1a,0xad,0x93, 0x70,0x86,0xf1,0x69,
1134 0x70,0x93,0x24,0xe3, 0x83,0x2f,0xa8,0x04,
1135 0xba,0x27,0x0a,0x2e, 0x03,0xeb,0x69,0xd9,
1136 0x56,0x0e,0xc4,0x10, 0x55,0x31,0x2c,0x3f,
1137 0xd1,0xb2,0x94,0x0f, 0x28,0x15,0x3c,0x02,
1138 0x15,0x5e,0xec,0x26, 0x9c,0xc3,0xfc,0xa7,
1139 0x5c,0xb0,0xfa,0xc0, 0x02,0xf9,0x01,0x3f,
1140 0x01,0x73,0x24,0x22, 0x50,0x28,0x2a,0xca,
1141 0xb1,0xf2,0x03,0x00, 0x2f,0xc6,0x6f,0x28,
1142 0x4f,0x4b,0x4f,0x1a, 0x9a,0xb8,0x16,0x93,
1143 0x31,0x60,0x7c,0x3d, 0x35,0xc8,0xd6,0x90,
1144 0xde,0x8c,0x89,0x39, 0xbd,0x21,0x11,0x05,
1145 0xe8,0xc4,0x04,0x3b, 0x65,0xa5,0x15,0xcf,
1146 0xcf,0x15,0x14,0xf6, 0xe7,0x2e,0x3c,0x47,
1147 0x59,0x0b,0xaa,0xc0, 0xd4,0xab,0x04,0x14,
1148 0x9c,0xd7,0xe2,0x43, 0xc7,0x87,0x09,0x03,
1149 0x27,0xd2,0x0a,0xff, 0x8d,0xd5,0x80,0x34,
1150 0x93,0xa2,0x2c,0xb1, 0x4e,0x16,0x2d,0x82,
1151 0x51,0x5c,0x3c,0xe5, 0x75,0x51,0x7b,0xb4,
1152 0xd8,0x1e,0x59,0x98, 0x0f,0x75,0xed,0x02,
1153 0x1c,0x13,0xf6,0x02, 0xda,0xf9,0x47,0xf7,
1154 0x45,0x25,0x0f,0x58, 0x22,0x5d,0xef,0xf0,
1155 0x1b,0xdb,0xae,0xaf, 0xbe,0xc6,0xe1,0xcd,
1156 0x70,0x46,0x6e,0x03, 0x9a,0x20,0x77,0x00,
1157 0x3c,0x32,0xb5,0x8f, 0x04,0xb6,0x6f,0xa2,
1158 0x31,0xc9,0x7c,0xf9, 0x84,0x67,0x87,0xfb,
1159 0x7b,0x13,0xb0,0x4d, 0x35,0xfd,0x37,0x5b,
1160 0xf4,0x25,0xf0,0x02, 0x74,0xa0,0x69,0xd4,
1161 0x53,0x61,0x4b,0x54, 0x68,0x94,0x0e,0x08,
1162 0x25,0x82,0x90,0xfc, 0x25,0xb6,0x63,0xe2,
1163 0x07,0x9f,0x42,0xf1, 0xbb,0x33,0xea,0xab,
1164 0x92,0x54,0x2b,0x9f, 0x88,0xc0,0x31,0x2b,
1165 0xfd,0x36,0x50,0x80, 0xfc,0x1a,0xff,0xab,
1166 0xe8,0xc4,0x7f,0xb6, 0x98,0xb9,0x2e,0x17,
1167 0xca,0x28,0x3d,0xdf, 0x0f,0x07,0x43,0x20,
1168 0xf0,0x07,0xea,0xe5, 0xcd,0x4e,0x81,0x34,
1169 },
1170 .h = {
1171 0x9d,0x22,0x88,0xfd, 0x41,0x43,0x88,0x45,
1172 0x34,0xfe,0x85,0xc4, 0xb9,0xff,0xe1,0x55,
1173 0x40,0x1d,0x25,0x37, 0xd1,0xf8,0xfc,0x2b,
1174 0x3a,0xf5,0x3b,0x69, 0xbf,0xa6,0x9d,0xed,
1175 },
1176 },
1177 };
1178 static uint32_t k[268];
1179 uint8_t h[32];
1180 unsigned i, j;
1181 int result = 0;
1182
1183 for (i = 0; i < __arraycount(C); i++) {
1184 for (j = 0; j < 268; j++)
1185 k[j] = le32dec(C[i].k + 4*j);
1186 nh(h, C[i].m, C[i].mlen, k);
1187 if (memcmp(h, C[i].h, 32)) {
1188 char prefix[10];
1189 snprintf(prefix, sizeof prefix, "nh %u", i);
1190 hexdump(printf, prefix, h, 32);
1191 result = -1;
1192 }
1193 }
1194
1195 return result;
1196 }
1197
1198 /* https://github.com/google/adiantum/blob/a5ad5134ab11b10a3ee982c52385953fac88fedc/test_vectors/ours/NHPoly1305/NHPoly1305.json */
1199 static int
nhpoly1305_selftest(void)1200 nhpoly1305_selftest(void)
1201 {
1202 static const struct {
1203 uint8_t k[1088];
1204 unsigned mlen;
1205 uint8_t m[1024];
1206 uint8_t h[16];
1207 } C[] = {
1208 [0] = { /* 0-byte message */
1209 .k = {
1210 /* Poly1305 key */
1211 0xd2,0x5d,0x4c,0xdd, 0x8d,0x2b,0x7f,0x7a,
1212 0xd9,0xbe,0x71,0xec, 0xd1,0x83,0x52,0xe3,
1213
1214 /* NH key */
1215 0xe1,0xad,0xd7,0x5c, 0x0a,0x75,0x9d,0xec,
1216 0x1d,0x13,0x7e,0x5d, 0x71,0x07,0xc9,0xe4,
1217 0x57,0x2d,0x44,0x68, 0xcf,0xd8,0xd6,0xc5,
1218 0x39,0x69,0x7d,0x32, 0x75,0x51,0x4f,0x7e,
1219 0xb2,0x4c,0xc6,0x90, 0x51,0x6e,0xd9,0xd6,
1220 0xa5,0x8b,0x2d,0xf1, 0x94,0xf9,0xf7,0x5e,
1221 0x2c,0x84,0x7b,0x41, 0x0f,0x88,0x50,0x89,
1222 0x30,0xd9,0xa1,0x38, 0x46,0x6c,0xc0,0x4f,
1223 0xe8,0xdf,0xdc,0x66, 0xab,0x24,0x43,0x41,
1224 0x91,0x55,0x29,0x65, 0x86,0x28,0x5e,0x45,
1225 0xd5,0x2d,0xb7,0x80, 0x08,0x9a,0xc3,0xd4,
1226 0x9a,0x77,0x0a,0xd4, 0xef,0x3e,0xe6,0x3f,
1227 0x6f,0x2f,0x9b,0x3a, 0x7d,0x12,0x1e,0x80,
1228 0x6c,0x44,0xa2,0x25, 0xe1,0xf6,0x60,0xe9,
1229 0x0d,0xaf,0xc5,0x3c, 0xa5,0x79,0xae,0x64,
1230 0xbc,0xa0,0x39,0xa3, 0x4d,0x10,0xe5,0x4d,
1231 0xd5,0xe7,0x89,0x7a, 0x13,0xee,0x06,0x78,
1232 0xdc,0xa4,0xdc,0x14, 0x27,0xe6,0x49,0x38,
1233 0xd0,0xe0,0x45,0x25, 0x36,0xc5,0xf4,0x79,
1234 0x2e,0x9a,0x98,0x04, 0xe4,0x2b,0x46,0x52,
1235 0x7c,0x33,0xca,0xe2, 0x56,0x51,0x50,0xe2,
1236 0xa5,0x9a,0xae,0x18, 0x6a,0x13,0xf8,0xd2,
1237 0x21,0x31,0x66,0x02, 0xe2,0xda,0x8d,0x7e,
1238 0x41,0x19,0xb2,0x61, 0xee,0x48,0x8f,0xf1,
1239 0x65,0x24,0x2e,0x1e, 0x68,0xce,0x05,0xd9,
1240 0x2a,0xcf,0xa5,0x3a, 0x57,0xdd,0x35,0x91,
1241 0x93,0x01,0xca,0x95, 0xfc,0x2b,0x36,0x04,
1242 0xe6,0x96,0x97,0x28, 0xf6,0x31,0xfe,0xa3,
1243 0x9d,0xf6,0x6a,0x1e, 0x80,0x8d,0xdc,0xec,
1244 0xaf,0x66,0x11,0x13, 0x02,0x88,0xd5,0x27,
1245 0x33,0xb4,0x1a,0xcd, 0xa3,0xf6,0xde,0x31,
1246 0x8e,0xc0,0x0e,0x6c, 0xd8,0x5a,0x97,0x5e,
1247 0xdd,0xfd,0x60,0x69, 0x38,0x46,0x3f,0x90,
1248 0x5e,0x97,0xd3,0x32, 0x76,0xc7,0x82,0x49,
1249 0xfe,0xba,0x06,0x5f, 0x2f,0xa2,0xfd,0xff,
1250 0x80,0x05,0x40,0xe4, 0x33,0x03,0xfb,0x10,
1251 0xc0,0xde,0x65,0x8c, 0xc9,0x8d,0x3a,0x9d,
1252 0xb5,0x7b,0x36,0x4b, 0xb5,0x0c,0xcf,0x00,
1253 0x9c,0x87,0xe4,0x49, 0xad,0x90,0xda,0x4a,
1254 0xdd,0xbd,0xff,0xe2, 0x32,0x57,0xd6,0x78,
1255 0x36,0x39,0x6c,0xd3, 0x5b,0x9b,0x88,0x59,
1256 0x2d,0xf0,0x46,0xe4, 0x13,0x0e,0x2b,0x35,
1257 0x0d,0x0f,0x73,0x8a, 0x4f,0x26,0x84,0x75,
1258 0x88,0x3c,0xc5,0x58, 0x66,0x18,0x1a,0xb4,
1259 0x64,0x51,0x34,0x27, 0x1b,0xa4,0x11,0xc9,
1260 0x6d,0x91,0x8a,0xfa, 0x32,0x60,0x9d,0xd7,
1261 0x87,0xe5,0xaa,0x43, 0x72,0xf8,0xda,0xd1,
1262 0x48,0x44,0x13,0x61, 0xdc,0x8c,0x76,0x17,
1263 0x0c,0x85,0x4e,0xf3, 0xdd,0xa2,0x42,0xd2,
1264 0x74,0xc1,0x30,0x1b, 0xeb,0x35,0x31,0x29,
1265 0x5b,0xd7,0x4c,0x94, 0x46,0x35,0xa1,0x23,
1266 0x50,0xf2,0xa2,0x8e, 0x7e,0x4f,0x23,0x4f,
1267 0x51,0xff,0xe2,0xc9, 0xa3,0x7d,0x56,0x8b,
1268 0x41,0xf2,0xd0,0xc5, 0x57,0x7e,0x59,0xac,
1269 0xbb,0x65,0xf3,0xfe, 0xf7,0x17,0xef,0x63,
1270 0x7c,0x6f,0x23,0xdd, 0x22,0x8e,0xed,0x84,
1271 0x0e,0x3b,0x09,0xb3, 0xf3,0xf4,0x8f,0xcd,
1272 0x37,0xa8,0xe1,0xa7, 0x30,0xdb,0xb1,0xa2,
1273 0x9c,0xa2,0xdf,0x34, 0x17,0x3e,0x68,0x44,
1274 0xd0,0xde,0x03,0x50, 0xd1,0x48,0x6b,0x20,
1275 0xe2,0x63,0x45,0xa5, 0xea,0x87,0xc2,0x42,
1276 0x95,0x03,0x49,0x05, 0xed,0xe0,0x90,0x29,
1277 0x1a,0xb8,0xcf,0x9b, 0x43,0xcf,0x29,0x7a,
1278 0x63,0x17,0x41,0x9f, 0xe0,0xc9,0x10,0xfd,
1279 0x2c,0x56,0x8c,0x08, 0x55,0xb4,0xa9,0x27,
1280 0x0f,0x23,0xb1,0x05, 0x6a,0x12,0x46,0xc7,
1281 0xe1,0xfe,0x28,0x93, 0x93,0xd7,0x2f,0xdc,
1282 0x98,0x30,0xdb,0x75, 0x8a,0xbe,0x97,0x7a,
1283 0x02,0xfb,0x8c,0xba, 0xbe,0x25,0x09,0xbe,
1284 0xce,0xcb,0xa2,0xef, 0x79,0x4d,0x0e,0x9d,
1285 0x1b,0x9d,0xb6,0x39, 0x34,0x38,0xfa,0x07,
1286 0xec,0xe8,0xfc,0x32, 0x85,0x1d,0xf7,0x85,
1287 0x63,0xc3,0x3c,0xc0, 0x02,0x75,0xd7,0x3f,
1288 0xb2,0x68,0x60,0x66, 0x65,0x81,0xc6,0xb1,
1289 0x42,0x65,0x4b,0x4b, 0x28,0xd7,0xc7,0xaa,
1290 0x9b,0xd2,0xdc,0x1b, 0x01,0xe0,0x26,0x39,
1291 0x01,0xc1,0x52,0x14, 0xd1,0x3f,0xb7,0xe6,
1292 0x61,0x41,0xc7,0x93, 0xd2,0xa2,0x67,0xc6,
1293 0xf7,0x11,0xb5,0xf5, 0xea,0xdd,0x19,0xfb,
1294 0x4d,0x21,0x12,0xd6, 0x7d,0xf1,0x10,0xb0,
1295 0x89,0x07,0xc7,0x5a, 0x52,0x73,0x70,0x2f,
1296 0x32,0xef,0x65,0x2b, 0x12,0xb2,0xf0,0xf5,
1297 0x20,0xe0,0x90,0x59, 0x7e,0x64,0xf1,0x4c,
1298 0x41,0xb3,0xa5,0x91, 0x08,0xe6,0x5e,0x5f,
1299 0x05,0x56,0x76,0xb4, 0xb0,0xcd,0x70,0x53,
1300 0x10,0x48,0x9c,0xff, 0xc2,0x69,0x55,0x24,
1301 0x87,0xef,0x84,0xea, 0xfb,0xa7,0xbf,0xa0,
1302 0x91,0x04,0xad,0x4f, 0x8b,0x57,0x54,0x4b,
1303 0xb6,0xe9,0xd1,0xac, 0x37,0x2f,0x1d,0x2e,
1304 0xab,0xa5,0xa4,0xe8, 0xff,0xfb,0xd9,0x39,
1305 0x2f,0xb7,0xac,0xd1, 0xfe,0x0b,0x9a,0x80,
1306 0x0f,0xb6,0xf4,0x36, 0x39,0x90,0x51,0xe3,
1307 0x0a,0x2f,0xb6,0x45, 0x76,0x89,0xcd,0x61,
1308 0xfe,0x48,0x5f,0x75, 0x1d,0x13,0x00,0x62,
1309 0x80,0x24,0x47,0xe7, 0xbc,0x37,0xd7,0xe3,
1310 0x15,0xe8,0x68,0x22, 0xaf,0x80,0x6f,0x4b,
1311 0xa8,0x9f,0x01,0x10, 0x48,0x14,0xc3,0x02,
1312 0x52,0xd2,0xc7,0x75, 0x9b,0x52,0x6d,0x30,
1313 0xac,0x13,0x85,0xc8, 0xf7,0xa3,0x58,0x4b,
1314 0x49,0xf7,0x1c,0x45, 0x55,0x8c,0x39,0x9a,
1315 0x99,0x6d,0x97,0x27, 0x27,0xe6,0xab,0xdd,
1316 0x2c,0x42,0x1b,0x35, 0xdd,0x9d,0x73,0xbb,
1317 0x6c,0xf3,0x64,0xf1, 0xfb,0xb9,0xf7,0xe6,
1318 0x4a,0x3c,0xc0,0x92, 0xc0,0x2e,0xb7,0x1a,
1319 0xbe,0xab,0xb3,0x5a, 0xe5,0xea,0xb1,0x48,
1320 0x58,0x13,0x53,0x90, 0xfd,0xc3,0x8e,0x54,
1321 0xf9,0x18,0x16,0x73, 0xe8,0xcb,0x6d,0x39,
1322 0x0e,0xd7,0xe0,0xfe, 0xb6,0x9f,0x43,0x97,
1323 0xe8,0xd0,0x85,0x56, 0x83,0x3e,0x98,0x68,
1324 0x7f,0xbd,0x95,0xa8, 0x9a,0x61,0x21,0x8f,
1325 0x06,0x98,0x34,0xa6, 0xc8,0xd6,0x1d,0xf3,
1326 0x3d,0x43,0xa4,0x9a, 0x8c,0xe5,0xd3,0x5a,
1327 0x32,0xa2,0x04,0x22, 0xa4,0x19,0x1a,0x46,
1328 0x42,0x7e,0x4d,0xe5, 0xe0,0xe6,0x0e,0xca,
1329 0xd5,0x58,0x9d,0x2c, 0xaf,0xda,0x33,0x5c,
1330 0xb0,0x79,0x9e,0xc9, 0xfc,0xca,0xf0,0x2f,
1331 0xa8,0xb2,0x77,0xeb, 0x7a,0xa2,0xdd,0x37,
1332 0x35,0x83,0x07,0xd6, 0x02,0x1a,0xb6,0x6c,
1333 0x24,0xe2,0x59,0x08, 0x0e,0xfd,0x3e,0x46,
1334 0xec,0x40,0x93,0xf4, 0x00,0x26,0x4f,0x2a,
1335 0xff,0x47,0x2f,0xeb, 0x02,0x92,0x26,0x5b,
1336 0x53,0x17,0xc2,0x8d, 0x2a,0xc7,0xa3,0x1b,
1337 0xcd,0xbc,0xa7,0xe8, 0xd1,0x76,0xe3,0x80,
1338 0x21,0xca,0x5d,0x3b, 0xe4,0x9c,0x8f,0xa9,
1339 0x5b,0x7f,0x29,0x7f, 0x7c,0xd8,0xed,0x6d,
1340 0x8c,0xb2,0x86,0x85, 0xe7,0x77,0xf2,0x85,
1341 0xab,0x38,0xa9,0x9d, 0xc1,0x4e,0xc5,0x64,
1342 0x33,0x73,0x8b,0x59, 0x03,0xad,0x05,0xdf,
1343 0x25,0x98,0x31,0xde, 0xef,0x13,0xf1,0x9b,
1344 0x3c,0x91,0x9d,0x7b, 0xb1,0xfa,0xe6,0xbf,
1345 0x5b,0xed,0xa5,0x55, 0xe6,0xea,0x6c,0x74,
1346 0xf4,0xb9,0xe4,0x45, 0x64,0x72,0x81,0xc2,
1347 0x4c,0x28,0xd4,0xcd, 0xac,0xe2,0xde,0xf9,
1348 0xeb,0x5c,0xeb,0x61, 0x60,0x5a,0xe5,0x28,
1349 },
1350 .mlen = 0,
1351 .h = {0},
1352 },
1353 [1] = { /* 16-byte message */
1354 .k = {
1355 /* Poly1305 key */
1356 0x29,0x21,0x43,0xcb, 0xcb,0x13,0x07,0xde,
1357 0xbf,0x48,0xdf,0x8a, 0x7f,0xa2,0x84,0xde,
1358
1359 /* NH key */
1360 0x72,0x23,0x9d,0xf5, 0xf0,0x07,0xf2,0x4c,
1361 0x20,0x3a,0x93,0xb9, 0xcd,0x5d,0xfe,0xcb,
1362 0x99,0x2c,0x2b,0x58, 0xc6,0x50,0x5f,0x94,
1363 0x56,0xc3,0x7c,0x0d, 0x02,0x3f,0xb8,0x5e,
1364 0x7b,0xc0,0x6c,0x51, 0x34,0x76,0xc0,0x0e,
1365 0xc6,0x22,0xc8,0x9e, 0x92,0xa0,0x21,0xc9,
1366 0x85,0x5c,0x7c,0xf8, 0xe2,0x64,0x47,0xc9,
1367 0xe4,0xa2,0x57,0x93, 0xf8,0xa2,0x69,0xcd,
1368 0x62,0x98,0x99,0xf4, 0xd7,0x7b,0x14,0xb1,
1369 0xd8,0x05,0xff,0x04, 0x15,0xc9,0xe1,0x6e,
1370 0x9b,0xe6,0x50,0x6b, 0x0b,0x3f,0x22,0x1f,
1371 0x08,0xde,0x0c,0x5b, 0x08,0x7e,0xc6,0x2f,
1372 0x6c,0xed,0xd6,0xb2, 0x15,0xa4,0xb3,0xf9,
1373 0xa7,0x46,0x38,0x2a, 0xea,0x69,0xa5,0xde,
1374 0x02,0xc3,0x96,0x89, 0x4d,0x55,0x3b,0xed,
1375 0x3d,0x3a,0x85,0x77, 0xbf,0x97,0x45,0x5c,
1376 0x9e,0x02,0x69,0xe2, 0x1b,0x68,0xbe,0x96,
1377 0xfb,0x64,0x6f,0x0f, 0xf6,0x06,0x40,0x67,
1378 0xfa,0x04,0xe3,0x55, 0xfa,0xbe,0xa4,0x60,
1379 0xef,0x21,0x66,0x97, 0xe6,0x9d,0x5c,0x1f,
1380 0x62,0x37,0xaa,0x31, 0xde,0xe4,0x9c,0x28,
1381 0x95,0xe0,0x22,0x86, 0xf4,0x4d,0xf3,0x07,
1382 0xfd,0x5f,0x3a,0x54, 0x2c,0x51,0x80,0x71,
1383 0xba,0x78,0x69,0x5b, 0x65,0xab,0x1f,0x81,
1384 0xed,0x3b,0xff,0x34, 0xa3,0xfb,0xbc,0x73,
1385 0x66,0x7d,0x13,0x7f, 0xdf,0x6e,0xe2,0xe2,
1386 0xeb,0x4f,0x6c,0xda, 0x7d,0x33,0x57,0xd0,
1387 0xd3,0x7c,0x95,0x4f, 0x33,0x58,0x21,0xc7,
1388 0xc0,0xe5,0x6f,0x42, 0x26,0xc6,0x1f,0x5e,
1389 0x85,0x1b,0x98,0x9a, 0xa2,0x1e,0x55,0x77,
1390 0x23,0xdf,0x81,0x5e, 0x79,0x55,0x05,0xfc,
1391 0xfb,0xda,0xee,0xba, 0x5a,0xba,0xf7,0x77,
1392 0x7f,0x0e,0xd3,0xe1, 0x37,0xfe,0x8d,0x2b,
1393 0xd5,0x3f,0xfb,0xd0, 0xc0,0x3c,0x0b,0x3f,
1394 0xcf,0x3c,0x14,0xcf, 0xfb,0x46,0x72,0x4c,
1395 0x1f,0x39,0xe2,0xda, 0x03,0x71,0x6d,0x23,
1396 0xef,0x93,0xcd,0x39, 0xd9,0x37,0x80,0x4d,
1397 0x65,0x61,0xd1,0x2c, 0x03,0xa9,0x47,0x72,
1398 0x4d,0x1e,0x0e,0x16, 0x33,0x0f,0x21,0x17,
1399 0xec,0x92,0xea,0x6f, 0x37,0x22,0xa4,0xd8,
1400 0x03,0x33,0x9e,0xd8, 0x03,0x69,0x9a,0xe8,
1401 0xb2,0x57,0xaf,0x78, 0x99,0x05,0x12,0xab,
1402 0x48,0x90,0x80,0xf0, 0x12,0x9b,0x20,0x64,
1403 0x7a,0x1d,0x47,0x5f, 0xba,0x3c,0xf9,0xc3,
1404 0x0a,0x0d,0x8d,0xa1, 0xf9,0x1b,0x82,0x13,
1405 0x3e,0x0d,0xec,0x0a, 0x83,0xc0,0x65,0xe1,
1406 0xe9,0x95,0xff,0x97, 0xd6,0xf2,0xe4,0xd5,
1407 0x86,0xc0,0x1f,0x29, 0x27,0x63,0xd7,0xde,
1408 0xb7,0x0a,0x07,0x99, 0x04,0x2d,0xa3,0x89,
1409 0xa2,0x43,0xcf,0xf3, 0xe1,0x43,0xac,0x4a,
1410 0x06,0x97,0xd0,0x05, 0x4f,0x87,0xfa,0xf9,
1411 0x9b,0xbf,0x52,0x70, 0xbd,0xbc,0x6c,0xf3,
1412 0x03,0x13,0x60,0x41, 0x28,0x09,0xec,0xcc,
1413 0xb1,0x1a,0xec,0xd6, 0xfb,0x6f,0x2a,0x89,
1414 0x5d,0x0b,0x53,0x9c, 0x59,0xc1,0x84,0x21,
1415 0x33,0x51,0x47,0x19, 0x31,0x9c,0xd4,0x0a,
1416 0x4d,0x04,0xec,0x50, 0x90,0x61,0xbd,0xbc,
1417 0x7e,0xc8,0xd9,0x6c, 0x98,0x1d,0x45,0x41,
1418 0x17,0x5e,0x97,0x1c, 0xc5,0xa8,0xe8,0xea,
1419 0x46,0x58,0x53,0xf7, 0x17,0xd5,0xad,0x11,
1420 0xc8,0x54,0xf5,0x7a, 0x33,0x90,0xf5,0x19,
1421 0xba,0x36,0xb4,0xfc, 0x52,0xa5,0x72,0x3d,
1422 0x14,0xbb,0x55,0xa7, 0xe9,0xe3,0x12,0xf7,
1423 0x1c,0x30,0xa2,0x82, 0x03,0xbf,0x53,0x91,
1424 0x2e,0x60,0x41,0x9f, 0x5b,0x69,0x39,0xf6,
1425 0x4d,0xc8,0xf8,0x46, 0x7a,0x7f,0xa4,0x98,
1426 0x36,0xff,0x06,0xcb, 0xca,0xe7,0x33,0xf2,
1427 0xc0,0x4a,0xf4,0x3c, 0x14,0x44,0x5f,0x6b,
1428 0x75,0xef,0x02,0x36, 0x75,0x08,0x14,0xfd,
1429 0x10,0x8e,0xa5,0x58, 0xd0,0x30,0x46,0x49,
1430 0xaf,0x3a,0xf8,0x40, 0x3d,0x35,0xdb,0x84,
1431 0x11,0x2e,0x97,0x6a, 0xb7,0x87,0x7f,0xad,
1432 0xf1,0xfa,0xa5,0x63, 0x60,0xd8,0x5e,0xbf,
1433 0x41,0x78,0x49,0xcf, 0x77,0xbb,0x56,0xbb,
1434 0x7d,0x01,0x67,0x05, 0x22,0xc8,0x8f,0x41,
1435 0xba,0x81,0xd2,0xca, 0x2c,0x38,0xac,0x76,
1436 0x06,0xc1,0x1a,0xc2, 0xce,0xac,0x90,0x67,
1437 0x57,0x3e,0x20,0x12, 0x5b,0xd9,0x97,0x58,
1438 0x65,0x05,0xb7,0x04, 0x61,0x7e,0xd8,0x3a,
1439 0xbf,0x55,0x3b,0x13, 0xe9,0x34,0x5a,0x37,
1440 0x36,0xcb,0x94,0x45, 0xc5,0x32,0xb3,0xa0,
1441 0x0c,0x3e,0x49,0xc5, 0xd3,0xed,0xa7,0xf0,
1442 0x1c,0x69,0xcc,0xea, 0xcc,0x83,0xc9,0x16,
1443 0x95,0x72,0x4b,0xf4, 0x89,0xd5,0xb9,0x10,
1444 0xf6,0x2d,0x60,0x15, 0xea,0x3c,0x06,0x66,
1445 0x9f,0x82,0xad,0x17, 0xce,0xd2,0xa4,0x48,
1446 0x7c,0x65,0xd9,0xf8, 0x02,0x4d,0x9b,0x4c,
1447 0x89,0x06,0x3a,0x34, 0x85,0x48,0x89,0x86,
1448 0xf9,0x24,0xa9,0x54, 0x72,0xdb,0x44,0x95,
1449 0xc7,0x44,0x1c,0x19, 0x11,0x4c,0x04,0xdc,
1450 0x13,0xb9,0x67,0xc8, 0xc3,0x3a,0x6a,0x50,
1451 0xfa,0xd1,0xfb,0xe1, 0x88,0xb6,0xf1,0xa3,
1452 0xc5,0x3b,0xdc,0x38, 0x45,0x16,0x26,0x02,
1453 0x3b,0xb8,0x8f,0x8b, 0x58,0x7d,0x23,0x04,
1454 0x50,0x6b,0x81,0x9f, 0xae,0x66,0xac,0x6f,
1455 0xcf,0x2a,0x9d,0xf1, 0xfd,0x1d,0x57,0x07,
1456 0xbe,0x58,0xeb,0x77, 0x0c,0xe3,0xc2,0x19,
1457 0x14,0x74,0x1b,0x51, 0x1c,0x4f,0x41,0xf3,
1458 0x32,0x89,0xb3,0xe7, 0xde,0x62,0xf6,0x5f,
1459 0xc7,0x6a,0x4a,0x2a, 0x5b,0x0f,0x5f,0x87,
1460 0x9c,0x08,0xb9,0x02, 0x88,0xc8,0x29,0xb7,
1461 0x94,0x52,0xfa,0x52, 0xfe,0xaa,0x50,0x10,
1462 0xba,0x48,0x75,0x5e, 0x11,0x1b,0xe6,0x39,
1463 0xd7,0x82,0x2c,0x87, 0xf1,0x1e,0xa4,0x38,
1464 0x72,0x3e,0x51,0xe7, 0xd8,0x3e,0x5b,0x7b,
1465 0x31,0x16,0x89,0xba, 0xd6,0xad,0x18,0x5e,
1466 0xba,0xf8,0x12,0xb3, 0xf4,0x6c,0x47,0x30,
1467 0xc0,0x38,0x58,0xb3, 0x10,0x8d,0x58,0x5d,
1468 0xb4,0xfb,0x19,0x7e, 0x41,0xc3,0x66,0xb8,
1469 0xd6,0x72,0x84,0xe1, 0x1a,0xc2,0x71,0x4c,
1470 0x0d,0x4a,0x21,0x7a, 0xab,0xa2,0xc0,0x36,
1471 0x15,0xc5,0xe9,0x46, 0xd7,0x29,0x17,0x76,
1472 0x5e,0x47,0x36,0x7f, 0x72,0x05,0xa7,0xcc,
1473 0x36,0x63,0xf9,0x47, 0x7d,0xe6,0x07,0x3c,
1474 0x8b,0x79,0x1d,0x96, 0x61,0x8d,0x90,0x65,
1475 0x7c,0xf5,0xeb,0x4e, 0x6e,0x09,0x59,0x6d,
1476 0x62,0x50,0x1b,0x0f, 0xe0,0xdc,0x78,0xf2,
1477 0x5b,0x83,0x1a,0xa1, 0x11,0x75,0xfd,0x18,
1478 0xd7,0xe2,0x8d,0x65, 0x14,0x21,0xce,0xbe,
1479 0xb5,0x87,0xe3,0x0a, 0xda,0x24,0x0a,0x64,
1480 0xa9,0x9f,0x03,0x8d, 0x46,0x5d,0x24,0x1a,
1481 0x8a,0x0c,0x42,0x01, 0xca,0xb1,0x5f,0x7c,
1482 0xa5,0xac,0x32,0x4a, 0xb8,0x07,0x91,0x18,
1483 0x6f,0xb0,0x71,0x3c, 0xc9,0xb1,0xa8,0xf8,
1484 0x5f,0x69,0xa5,0xa1, 0xca,0x9e,0x7a,0xaa,
1485 0xac,0xe9,0xc7,0x47, 0x41,0x75,0x25,0xc3,
1486 0x73,0xe2,0x0b,0xdd, 0x6d,0x52,0x71,0xbe,
1487 0xc5,0xdc,0xb4,0xe7, 0x01,0x26,0x53,0x77,
1488 0x86,0x90,0x85,0x68, 0x6b,0x7b,0x03,0x53,
1489 0xda,0x52,0x52,0x51, 0x68,0xc8,0xf3,0xec,
1490 0x6c,0xd5,0x03,0x7a, 0xa3,0x0e,0xb4,0x02,
1491 0x5f,0x1a,0xab,0xee, 0xca,0x67,0x29,0x7b,
1492 0xbd,0x96,0x59,0xb3, 0x8b,0x32,0x7a,0x92,
1493 0x9f,0xd8,0x25,0x2b, 0xdf,0xc0,0x4c,0xda,
1494 },
1495 .mlen = 16,
1496 .m = {
1497 0xbc,0xda,0x81,0xa8, 0x78,0x79,0x1c,0xbf,
1498 0x77,0x53,0xba,0x4c, 0x30,0x5b,0xb8,0x33,
1499 },
1500 .h = {
1501 0x04,0xbf,0x7f,0x6a, 0xce,0x72,0xea,0x6a,
1502 0x79,0xdb,0xb0,0xc9, 0x60,0xf6,0x12,0xcc,
1503 },
1504 },
1505 [2] = { /* 1024-byte message */
1506 .k = {
1507 0x65,0x4d,0xe3,0xf8, 0xd2,0x4c,0xac,0x28,
1508 0x68,0xf5,0xb3,0x81, 0x71,0x4b,0xa1,0xfa,
1509 0x04,0x0e,0xd3,0x81, 0x36,0xbe,0x0c,0x81,
1510 0x5e,0xaf,0xbc,0x3a, 0xa4,0xc0,0x8e,0x8b,
1511 0x55,0x63,0xd3,0x52, 0x97,0x88,0xd6,0x19,
1512 0xbc,0x96,0xdf,0x49, 0xff,0x04,0x63,0xf5,
1513 0x0c,0x11,0x13,0xaa, 0x9e,0x1f,0x5a,0xf7,
1514 0xdd,0xbd,0x37,0x80, 0xc3,0xd0,0xbe,0xa7,
1515 0x05,0xc8,0x3c,0x98, 0x1e,0x05,0x3c,0x84,
1516 0x39,0x61,0xc4,0xed, 0xed,0x71,0x1b,0xc4,
1517 0x74,0x45,0x2c,0xa1, 0x56,0x70,0x97,0xfd,
1518 0x44,0x18,0x07,0x7d, 0xca,0x60,0x1f,0x73,
1519 0x3b,0x6d,0x21,0xcb, 0x61,0x87,0x70,0x25,
1520 0x46,0x21,0xf1,0x1f, 0x21,0x91,0x31,0x2d,
1521 0x5d,0xcc,0xb7,0xd1, 0x84,0x3e,0x3d,0xdb,
1522 0x03,0x53,0x2a,0x82, 0xa6,0x9a,0x95,0xbc,
1523 0x1a,0x1e,0x0a,0x5e, 0x07,0x43,0xab,0x43,
1524 0xaf,0x92,0x82,0x06, 0x91,0x04,0x09,0xf4,
1525 0x17,0x0a,0x9a,0x2c, 0x54,0xdb,0xb8,0xf4,
1526 0xd0,0xf0,0x10,0x66, 0x24,0x8d,0xcd,0xda,
1527 0xfe,0x0e,0x45,0x9d, 0x6f,0xc4,0x4e,0xf4,
1528 0x96,0xaf,0x13,0xdc, 0xa9,0xd4,0x8c,0xc4,
1529 0xc8,0x57,0x39,0x3c, 0xc2,0xd3,0x0a,0x76,
1530 0x4a,0x1f,0x75,0x83, 0x44,0xc7,0xd1,0x39,
1531 0xd8,0xb5,0x41,0xba, 0x73,0x87,0xfa,0x96,
1532 0xc7,0x18,0x53,0xfb, 0x9b,0xda,0xa0,0x97,
1533 0x1d,0xee,0x60,0x85, 0x9e,0x14,0xc3,0xce,
1534 0xc4,0x05,0x29,0x3b, 0x95,0x30,0xa3,0xd1,
1535 0x9f,0x82,0x6a,0x04, 0xf5,0xa7,0x75,0x57,
1536 0x82,0x04,0xfe,0x71, 0x51,0x71,0xb1,0x49,
1537 0x50,0xf8,0xe0,0x96, 0xf1,0xfa,0xa8,0x88,
1538 0x3f,0xa0,0x86,0x20, 0xd4,0x60,0x79,0x59,
1539 0x17,0x2d,0xd1,0x09, 0xf4,0xec,0x05,0x57,
1540 0xcf,0x62,0x7e,0x0e, 0x7e,0x60,0x78,0xe6,
1541 0x08,0x60,0x29,0xd8, 0xd5,0x08,0x1a,0x24,
1542 0xc4,0x6c,0x24,0xe7, 0x92,0x08,0x3d,0x8a,
1543 0x98,0x7a,0xcf,0x99, 0x0a,0x65,0x0e,0xdc,
1544 0x8c,0x8a,0xbe,0x92, 0x82,0x91,0xcc,0x62,
1545 0x30,0xb6,0xf4,0x3f, 0xc6,0x8a,0x7f,0x12,
1546 0x4a,0x8a,0x49,0xfa, 0x3f,0x5c,0xd4,0x5a,
1547 0xa6,0x82,0xa3,0xe6, 0xaa,0x34,0x76,0xb2,
1548 0xab,0x0a,0x30,0xef, 0x6c,0x77,0x58,0x3f,
1549 0x05,0x6b,0xcc,0x5c, 0xae,0xdc,0xd7,0xb9,
1550 0x51,0x7e,0x8d,0x32, 0x5b,0x24,0x25,0xbe,
1551 0x2b,0x24,0x01,0xcf, 0x80,0xda,0x16,0xd8,
1552 0x90,0x72,0x2c,0xad, 0x34,0x8d,0x0c,0x74,
1553 0x02,0xcb,0xfd,0xcf, 0x6e,0xef,0x97,0xb5,
1554 0x4c,0xf2,0x68,0xca, 0xde,0x43,0x9e,0x8a,
1555 0xc5,0x5f,0x31,0x7f, 0x14,0x71,0x38,0xec,
1556 0xbd,0x98,0xe5,0x71, 0xc4,0xb5,0xdb,0xef,
1557 0x59,0xd2,0xca,0xc0, 0xc1,0x86,0x75,0x01,
1558 0xd4,0x15,0x0d,0x6f, 0xa4,0xf7,0x7b,0x37,
1559 0x47,0xda,0x18,0x93, 0x63,0xda,0xbe,0x9e,
1560 0x07,0xfb,0xb2,0x83, 0xd5,0xc4,0x34,0x55,
1561 0xee,0x73,0xa1,0x42, 0x96,0xf9,0x66,0x41,
1562 0xa4,0xcc,0xd2,0x93, 0x6e,0xe1,0x0a,0xbb,
1563 0xd2,0xdd,0x18,0x23, 0xe6,0x6b,0x98,0x0b,
1564 0x8a,0x83,0x59,0x2c, 0xc3,0xa6,0x59,0x5b,
1565 0x01,0x22,0x59,0xf7, 0xdc,0xb0,0x87,0x7e,
1566 0xdb,0x7d,0xf4,0x71, 0x41,0xab,0xbd,0xee,
1567 0x79,0xbe,0x3c,0x01, 0x76,0x0b,0x2d,0x0a,
1568 0x42,0xc9,0x77,0x8c, 0xbb,0x54,0x95,0x60,
1569 0x43,0x2e,0xe0,0x17, 0x52,0xbd,0x90,0xc9,
1570 0xc2,0x2c,0xdd,0x90, 0x24,0x22,0x76,0x40,
1571 0x5c,0xb9,0x41,0xc9, 0xa1,0xd5,0xbd,0xe3,
1572 0x44,0xe0,0xa4,0xab, 0xcc,0xb8,0xe2,0x32,
1573 0x02,0x15,0x04,0x1f, 0x8c,0xec,0x5d,0x14,
1574 0xac,0x18,0xaa,0xef, 0x6e,0x33,0x19,0x6e,
1575 0xde,0xfe,0x19,0xdb, 0xeb,0x61,0xca,0x18,
1576 0xad,0xd8,0x3d,0xbf, 0x09,0x11,0xc7,0xa5,
1577 0x86,0x0b,0x0f,0xe5, 0x3e,0xde,0xe8,0xd9,
1578 0x0a,0x69,0x9e,0x4c, 0x20,0xff,0xf9,0xc5,
1579 0xfa,0xf8,0xf3,0x7f, 0xa5,0x01,0x4b,0x5e,
1580 0x0f,0xf0,0x3b,0x68, 0xf0,0x46,0x8c,0x2a,
1581 0x7a,0xc1,0x8f,0xa0, 0xfe,0x6a,0x5b,0x44,
1582 0x70,0x5c,0xcc,0x92, 0x2c,0x6f,0x0f,0xbd,
1583 0x25,0x3e,0xb7,0x8e, 0x73,0x58,0xda,0xc9,
1584 0xa5,0xaa,0x9e,0xf3, 0x9b,0xfd,0x37,0x3e,
1585 0xe2,0x88,0xa4,0x7b, 0xc8,0x5c,0xa8,0x93,
1586 0x0e,0xe7,0x9a,0x9c, 0x2e,0x95,0x18,0x9f,
1587 0xc8,0x45,0x0c,0x88, 0x9e,0x53,0x4f,0x3a,
1588 0x76,0xc1,0x35,0xfa, 0x17,0xd8,0xac,0xa0,
1589 0x0c,0x2d,0x47,0x2e, 0x4f,0x69,0x9b,0xf7,
1590 0xd0,0xb6,0x96,0x0c, 0x19,0xb3,0x08,0x01,
1591 0x65,0x7a,0x1f,0xc7, 0x31,0x86,0xdb,0xc8,
1592 0xc1,0x99,0x8f,0xf8, 0x08,0x4a,0x9d,0x23,
1593 0x22,0xa8,0xcf,0x27, 0x01,0x01,0x88,0x93,
1594 0x9c,0x86,0x45,0xbd, 0xe0,0x51,0xca,0x52,
1595 0x84,0xba,0xfe,0x03, 0xf7,0xda,0xc5,0xce,
1596 0x3e,0x77,0x75,0x86, 0xaf,0x84,0xc8,0x05,
1597 0x44,0x01,0x0f,0x02, 0xf3,0x58,0xb0,0x06,
1598 0x5a,0xd7,0x12,0x30, 0x8d,0xdf,0x1f,0x1f,
1599 0x0a,0xe6,0xd2,0xea, 0xf6,0x3a,0x7a,0x99,
1600 0x63,0xe8,0xd2,0xc1, 0x4a,0x45,0x8b,0x40,
1601 0x4d,0x0a,0xa9,0x76, 0x92,0xb3,0xda,0x87,
1602 0x36,0x33,0xf0,0x78, 0xc3,0x2f,0x5f,0x02,
1603 0x1a,0x6a,0x2c,0x32, 0xcd,0x76,0xbf,0xbd,
1604 0x5a,0x26,0x20,0x28, 0x8c,0x8c,0xbc,0x52,
1605 0x3d,0x0a,0xc9,0xcb, 0xab,0xa4,0x21,0xb0,
1606 0x54,0x40,0x81,0x44, 0xc7,0xd6,0x1c,0x11,
1607 0x44,0xc6,0x02,0x92, 0x14,0x5a,0xbf,0x1a,
1608 0x09,0x8a,0x18,0xad, 0xcd,0x64,0x3d,0x53,
1609 0x4a,0xb6,0xa5,0x1b, 0x57,0x0e,0xef,0xe0,
1610 0x8c,0x44,0x5f,0x7d, 0xbd,0x6c,0xfd,0x60,
1611 0xae,0x02,0x24,0xb6, 0x99,0xdd,0x8c,0xaf,
1612 0x59,0x39,0x75,0x3c, 0xd1,0x54,0x7b,0x86,
1613 0xcc,0x99,0xd9,0x28, 0x0c,0xb0,0x94,0x62,
1614 0xf9,0x51,0xd1,0x19, 0x96,0x2d,0x66,0xf5,
1615 0x55,0xcf,0x9e,0x59, 0xe2,0x6b,0x2c,0x08,
1616 0xc0,0x54,0x48,0x24, 0x45,0xc3,0x8c,0x73,
1617 0xea,0x27,0x6e,0x66, 0x7d,0x1d,0x0e,0x6e,
1618 0x13,0xe8,0x56,0x65, 0x3a,0xb0,0x81,0x5c,
1619 0xf0,0xe8,0xd8,0x00, 0x6b,0xcd,0x8f,0xad,
1620 0xdd,0x53,0xf3,0xa4, 0x6c,0x43,0xd6,0x31,
1621 0xaf,0xd2,0x76,0x1e, 0x91,0x12,0xdb,0x3c,
1622 0x8c,0xc2,0x81,0xf0, 0x49,0xdb,0xe2,0x6b,
1623 0x76,0x62,0x0a,0x04, 0xe4,0xaa,0x8a,0x7c,
1624 0x08,0x0b,0x5d,0xd0, 0xee,0x1d,0xfb,0xc4,
1625 0x02,0x75,0x42,0xd6, 0xba,0xa7,0x22,0xa8,
1626 0x47,0x29,0xb7,0x85, 0x6d,0x93,0x3a,0xdb,
1627 0x00,0x53,0x0b,0xa2, 0xeb,0xf8,0xfe,0x01,
1628 0x6f,0x8a,0x31,0xd6, 0x17,0x05,0x6f,0x67,
1629 0x88,0x95,0x32,0xfe, 0x4f,0xa6,0x4b,0xf8,
1630 0x03,0xe4,0xcd,0x9a, 0x18,0xe8,0x4e,0x2d,
1631 0xf7,0x97,0x9a,0x0c, 0x7d,0x9f,0x7e,0x44,
1632 0x69,0x51,0xe0,0x32, 0x6b,0x62,0x86,0x8f,
1633 0xa6,0x8e,0x0b,0x21, 0x96,0xe5,0xaf,0x77,
1634 0xc0,0x83,0xdf,0xa5, 0x0e,0xd0,0xa1,0x04,
1635 0xaf,0xc1,0x10,0xcb, 0x5a,0x40,0xe4,0xe3,
1636 0x38,0x7e,0x07,0xe8, 0x4d,0xfa,0xed,0xc5,
1637 0xf0,0x37,0xdf,0xbb, 0x8a,0xcf,0x3d,0xdc,
1638 0x61,0xd2,0xc6,0x2b, 0xff,0x07,0xc9,0x2f,
1639 0x0c,0x2d,0x5c,0x07, 0xa8,0x35,0x6a,0xfc,
1640 0xae,0x09,0x03,0x45, 0x74,0x51,0x4d,0xc4,
1641 0xb8,0x23,0x87,0x4a, 0x99,0x27,0x20,0x87,
1642 0x62,0x44,0x0a,0x4a, 0xce,0x78,0x47,0x22,
1643 },
1644 .mlen = 1024,
1645 .m = {
1646 0x8e,0xb0,0x4c,0xde, 0x9c,0x4a,0x04,0x5a,
1647 0xf6,0xa9,0x7f,0x45, 0x25,0xa5,0x7b,0x3a,
1648 0xbc,0x4d,0x73,0x39, 0x81,0xb5,0xbd,0x3d,
1649 0x21,0x6f,0xd7,0x37, 0x50,0x3c,0x7b,0x28,
1650 0xd1,0x03,0x3a,0x17, 0xed,0x7b,0x7c,0x2a,
1651 0x16,0xbc,0xdf,0x19, 0x89,0x52,0x71,0x31,
1652 0xb6,0xc0,0xfd,0xb5, 0xd3,0xba,0x96,0x99,
1653 0xb6,0x34,0x0b,0xd0, 0x99,0x93,0xfc,0x1a,
1654 0x01,0x3c,0x85,0xc6, 0x9b,0x78,0x5c,0x8b,
1655 0xfe,0xae,0xd2,0xbf, 0xb2,0x6f,0xf9,0xed,
1656 0xc8,0x25,0x17,0xfe, 0x10,0x3b,0x7d,0xda,
1657 0xf4,0x8d,0x35,0x4b, 0x7c,0x7b,0x82,0xe7,
1658 0xc2,0xb3,0xee,0x60, 0x4a,0x03,0x86,0xc9,
1659 0x4e,0xb5,0xc4,0xbe, 0xd2,0xbd,0x66,0xf1,
1660 0x13,0xf1,0x09,0xab, 0x5d,0xca,0x63,0x1f,
1661 0xfc,0xfb,0x57,0x2a, 0xfc,0xca,0x66,0xd8,
1662 0x77,0x84,0x38,0x23, 0x1d,0xac,0xd3,0xb3,
1663 0x7a,0xad,0x4c,0x70, 0xfa,0x9c,0xc9,0x61,
1664 0xa6,0x1b,0xba,0x33, 0x4b,0x4e,0x33,0xec,
1665 0xa0,0xa1,0x64,0x39, 0x40,0x05,0x1c,0xc2,
1666 0x3f,0x49,0x9d,0xae, 0xf2,0xc5,0xf2,0xc5,
1667 0xfe,0xe8,0xf4,0xc2, 0xf9,0x96,0x2d,0x28,
1668 0x92,0x30,0x44,0xbc, 0xd2,0x7f,0xe1,0x6e,
1669 0x62,0x02,0x8f,0x3d, 0x1c,0x80,0xda,0x0e,
1670 0x6a,0x90,0x7e,0x75, 0xff,0xec,0x3e,0xc4,
1671 0xcd,0x16,0x34,0x3b, 0x05,0x6d,0x4d,0x20,
1672 0x1c,0x7b,0xf5,0x57, 0x4f,0xfa,0x3d,0xac,
1673 0xd0,0x13,0x55,0xe8, 0xb3,0xe1,0x1b,0x78,
1674 0x30,0xe6,0x9f,0x84, 0xd4,0x69,0xd1,0x08,
1675 0x12,0x77,0xa7,0x4a, 0xbd,0xc0,0xf2,0xd2,
1676 0x78,0xdd,0xa3,0x81, 0x12,0xcb,0x6c,0x14,
1677 0x90,0x61,0xe2,0x84, 0xc6,0x2b,0x16,0xcc,
1678 0x40,0x99,0x50,0x88, 0x01,0x09,0x64,0x4f,
1679 0x0a,0x80,0xbe,0x61, 0xae,0x46,0xc9,0x0a,
1680 0x5d,0xe0,0xfb,0x72, 0x7a,0x1a,0xdd,0x61,
1681 0x63,0x20,0x05,0xa0, 0x4a,0xf0,0x60,0x69,
1682 0x7f,0x92,0xbc,0xbf, 0x4e,0x39,0x4d,0xdd,
1683 0x74,0xd1,0xb7,0xc0, 0x5a,0x34,0xb7,0xae,
1684 0x76,0x65,0x2e,0xbc, 0x36,0xb9,0x04,0x95,
1685 0x42,0xe9,0x6f,0xca, 0x78,0xb3,0x72,0x07,
1686 0xa3,0xba,0x02,0x94, 0x67,0x4c,0xb1,0xd7,
1687 0xe9,0x30,0x0d,0xf0, 0x3b,0xb8,0x10,0x6d,
1688 0xea,0x2b,0x21,0xbf, 0x74,0x59,0x82,0x97,
1689 0x85,0xaa,0xf1,0xd7, 0x54,0x39,0xeb,0x05,
1690 0xbd,0xf3,0x40,0xa0, 0x97,0xe6,0x74,0xfe,
1691 0xb4,0x82,0x5b,0xb1, 0x36,0xcb,0xe8,0x0d,
1692 0xce,0x14,0xd9,0xdf, 0xf1,0x94,0x22,0xcd,
1693 0xd6,0x00,0xba,0x04, 0x4c,0x05,0x0c,0xc0,
1694 0xd1,0x5a,0xeb,0x52, 0xd5,0xa8,0x8e,0xc8,
1695 0x97,0xa1,0xaa,0xc1, 0xea,0xc1,0xbe,0x7c,
1696 0x36,0xb3,0x36,0xa0, 0xc6,0x76,0x66,0xc5,
1697 0xe2,0xaf,0xd6,0x5c, 0xe2,0xdb,0x2c,0xb3,
1698 0x6c,0xb9,0x99,0x7f, 0xff,0x9f,0x03,0x24,
1699 0xe1,0x51,0x44,0x66, 0xd8,0x0c,0x5d,0x7f,
1700 0x5c,0x85,0x22,0x2a, 0xcf,0x6d,0x79,0x28,
1701 0xab,0x98,0x01,0x72, 0xfe,0x80,0x87,0x5f,
1702 0x46,0xba,0xef,0x81, 0x24,0xee,0xbf,0xb0,
1703 0x24,0x74,0xa3,0x65, 0x97,0x12,0xc4,0xaf,
1704 0x8b,0xa0,0x39,0xda, 0x8a,0x7e,0x74,0x6e,
1705 0x1b,0x42,0xb4,0x44, 0x37,0xfc,0x59,0xfd,
1706 0x86,0xed,0xfb,0x8c, 0x66,0x33,0xda,0x63,
1707 0x75,0xeb,0xe1,0xa4, 0x85,0x4f,0x50,0x8f,
1708 0x83,0x66,0x0d,0xd3, 0x37,0xfa,0xe6,0x9c,
1709 0x4f,0x30,0x87,0x35, 0x18,0xe3,0x0b,0xb7,
1710 0x6e,0x64,0x54,0xcd, 0x70,0xb3,0xde,0x54,
1711 0xb7,0x1d,0xe6,0x4c, 0x4d,0x55,0x12,0x12,
1712 0xaf,0x5f,0x7f,0x5e, 0xee,0x9d,0xe8,0x8e,
1713 0x32,0x9d,0x4e,0x75, 0xeb,0xc6,0xdd,0xaa,
1714 0x48,0x82,0xa4,0x3f, 0x3c,0xd7,0xd3,0xa8,
1715 0x63,0x9e,0x64,0xfe, 0xe3,0x97,0x00,0x62,
1716 0xe5,0x40,0x5d,0xc3, 0xad,0x72,0xe1,0x28,
1717 0x18,0x50,0xb7,0x75, 0xef,0xcd,0x23,0xbf,
1718 0x3f,0xc0,0x51,0x36, 0xf8,0x41,0xc3,0x08,
1719 0xcb,0xf1,0x8d,0x38, 0x34,0xbd,0x48,0x45,
1720 0x75,0xed,0xbc,0x65, 0x7b,0xb5,0x0c,0x9b,
1721 0xd7,0x67,0x7d,0x27, 0xb4,0xc4,0x80,0xd7,
1722 0xa9,0xb9,0xc7,0x4a, 0x97,0xaa,0xda,0xc8,
1723 0x3c,0x74,0xcf,0x36, 0x8f,0xe4,0x41,0xe3,
1724 0xd4,0xd3,0x26,0xa7, 0xf3,0x23,0x9d,0x8f,
1725 0x6c,0x20,0x05,0x32, 0x3e,0xe0,0xc3,0xc8,
1726 0x56,0x3f,0xa7,0x09, 0xb7,0xfb,0xc7,0xf7,
1727 0xbe,0x2a,0xdd,0x0f, 0x06,0x7b,0x0d,0xdd,
1728 0xb0,0xb4,0x86,0x17, 0xfd,0xb9,0x04,0xe5,
1729 0xc0,0x64,0x5d,0xad, 0x2a,0x36,0x38,0xdb,
1730 0x24,0xaf,0x5b,0xff, 0xca,0xf9,0x41,0xe8,
1731 0xf9,0x2f,0x1e,0x5e, 0xf9,0xf5,0xd5,0xf2,
1732 0xb2,0x88,0xca,0xc9, 0xa1,0x31,0xe2,0xe8,
1733 0x10,0x95,0x65,0xbf, 0xf1,0x11,0x61,0x7a,
1734 0x30,0x1a,0x54,0x90, 0xea,0xd2,0x30,0xf6,
1735 0xa5,0xad,0x60,0xf9, 0x4d,0x84,0x21,0x1b,
1736 0xe4,0x42,0x22,0xc8, 0x12,0x4b,0xb0,0x58,
1737 0x3e,0x9c,0x2d,0x32, 0x95,0x0a,0x8e,0xb0,
1738 0x0a,0x7e,0x77,0x2f, 0xe8,0x97,0x31,0x6a,
1739 0xf5,0x59,0xb4,0x26, 0xe6,0x37,0x12,0xc9,
1740 0xcb,0xa0,0x58,0x33, 0x6f,0xd5,0x55,0x55,
1741 0x3c,0xa1,0x33,0xb1, 0x0b,0x7e,0x2e,0xb4,
1742 0x43,0x2a,0x84,0x39, 0xf0,0x9c,0xf4,0x69,
1743 0x4f,0x1e,0x79,0xa6, 0x15,0x1b,0x87,0xbb,
1744 0xdb,0x9b,0xe0,0xf1, 0x0b,0xba,0xe3,0x6e,
1745 0xcc,0x2f,0x49,0x19, 0x22,0x29,0xfc,0x71,
1746 0xbb,0x77,0x38,0x18, 0x61,0xaf,0x85,0x76,
1747 0xeb,0xd1,0x09,0xcc, 0x86,0x04,0x20,0x9a,
1748 0x66,0x53,0x2f,0x44, 0x8b,0xc6,0xa3,0xd2,
1749 0x5f,0xc7,0x79,0x82, 0x66,0xa8,0x6e,0x75,
1750 0x7d,0x94,0xd1,0x86, 0x75,0x0f,0xa5,0x4f,
1751 0x3c,0x7a,0x33,0xce, 0xd1,0x6e,0x9d,0x7b,
1752 0x1f,0x91,0x37,0xb8, 0x37,0x80,0xfb,0xe0,
1753 0x52,0x26,0xd0,0x9a, 0xd4,0x48,0x02,0x41,
1754 0x05,0xe3,0x5a,0x94, 0xf1,0x65,0x61,0x19,
1755 0xb8,0x88,0x4e,0x2b, 0xea,0xba,0x8b,0x58,
1756 0x8b,0x42,0x01,0x00, 0xa8,0xfe,0x00,0x5c,
1757 0xfe,0x1c,0xee,0x31, 0x15,0x69,0xfa,0xb3,
1758 0x9b,0x5f,0x22,0x8e, 0x0d,0x2c,0xe3,0xa5,
1759 0x21,0xb9,0x99,0x8a, 0x8e,0x94,0x5a,0xef,
1760 0x13,0x3e,0x99,0x96, 0x79,0x6e,0xd5,0x42,
1761 0x36,0x03,0xa9,0xe2, 0xca,0x65,0x4e,0x8a,
1762 0x8a,0x30,0xd2,0x7d, 0x74,0xe7,0xf0,0xaa,
1763 0x23,0x26,0xdd,0xcb, 0x82,0x39,0xfc,0x9d,
1764 0x51,0x76,0x21,0x80, 0xa2,0xbe,0x93,0x03,
1765 0x47,0xb0,0xc1,0xb6, 0xdc,0x63,0xfd,0x9f,
1766 0xca,0x9d,0xa5,0xca, 0x27,0x85,0xe2,0xd8,
1767 0x15,0x5b,0x7e,0x14, 0x7a,0xc4,0x89,0xcc,
1768 0x74,0x14,0x4b,0x46, 0xd2,0xce,0xac,0x39,
1769 0x6b,0x6a,0x5a,0xa4, 0x0e,0xe3,0x7b,0x15,
1770 0x94,0x4b,0x0f,0x74, 0xcb,0x0c,0x7f,0xa9,
1771 0xbe,0x09,0x39,0xa3, 0xdd,0x56,0x5c,0xc7,
1772 0x99,0x56,0x65,0x39, 0xf4,0x0b,0x7d,0x87,
1773 0xec,0xaa,0xe3,0x4d, 0x22,0x65,0x39,0x4e,
1774 },
1775 .h = {
1776 0x64,0x3a,0xbc,0xc3, 0x3f,0x74,0x40,0x51,
1777 0x6e,0x56,0x01,0x1a, 0x51,0xec,0x36,0xde,
1778 },
1779 },
1780 };
1781 const uint8_t *pk;
1782 const uint8_t *nhk;
1783 static uint32_t nhk32[268];
1784 uint8_t h[16];
1785 unsigned i, j;
1786 int result = 0;
1787
1788 for (i = 0; i < __arraycount(C); i++) {
1789 pk = C[i].k;
1790 nhk = C[i].k + 16;
1791 for (j = 0; j < 268; j++)
1792 nhk32[j] = le32dec(nhk + 4*j);
1793 nhpoly1305(h, C[i].m, C[i].mlen, pk, nhk32);
1794 if (memcmp(h, C[i].h, 16)) {
1795 char prefix[16];
1796 snprintf(prefix, sizeof prefix, "nhpoly1305 %u", i);
1797 hexdump(printf, prefix, h, 32);
1798 result = -1;
1799 }
1800 }
1801
1802 return result;
1803 }
1804
1805 void
adiantum_init(struct adiantum * A,const uint8_t key[static32])1806 adiantum_init(struct adiantum *A, const uint8_t key[static 32])
1807 {
1808 uint8_t nonce[24] = {1};
1809 unsigned i;
1810
1811 memcpy(A->ks, key, 32);
1812
1813 /* Relies on ordering of struct members. */
1814 memset(A->kk, 0, 32 + 16 + 16 + 1072);
1815 xchacha_stream_xor(A->kk, A->kk, 32 + 16 + 16 + 1072, 0, nonce, A->ks,
1816 12);
1817
1818 /* Put the NH key words into host byte order. */
1819 for (i = 0; i < __arraycount(A->kn); i++)
1820 A->kn[i] = le32toh(A->kn[i]);
1821
1822 /* Expand the AES key. */
1823 aes_setenckey256(&A->kk_enc, A->kk);
1824 aes_setdeckey256(&A->kk_dec, A->kk);
1825 }
1826
1827 static void
adiantum_hash(uint8_t h[static16],const void * l,size_t llen,const void * t,size_t tlen,const uint8_t kt[static16],const uint8_t kl[static16],const uint32_t kn[static268])1828 adiantum_hash(uint8_t h[static 16], const void *l, size_t llen,
1829 const void *t, size_t tlen,
1830 const uint8_t kt[static 16],
1831 const uint8_t kl[static 16],
1832 const uint32_t kn[static 268])
1833 {
1834 struct poly1305 P;
1835 uint8_t llenbuf[16];
1836 uint8_t ht[16];
1837 uint8_t hl[16];
1838
1839 KASSERT(llen % 16 == 0);
1840
1841 memset(llenbuf, 0, sizeof llenbuf);
1842 le64enc(llenbuf, 8*llen);
1843
1844 /* Compute H_T := Poly1305_{K_T}(le128(|l|) || tweak). */
1845 poly1305_init(&P, kt);
1846 poly1305_update_blocks(&P, llenbuf, 16);
1847 poly1305_update_blocks(&P, t, tlen);
1848 poly1305_final(ht, &P);
1849
1850 /* Compute H_L := Poly1305_{K_L}(NH(pad_128(l))). */
1851 nhpoly1305(hl, l, llen, kl, kn);
1852
1853 /* Compute H := H_T + H_L (mod 2^128). */
1854 add128(h, ht, hl);
1855 }
1856
1857 void
adiantum_enc(void * c,const void * p,size_t len,const void * t,size_t tlen,const struct adiantum * A)1858 adiantum_enc(void *c, const void *p, size_t len, const void *t, size_t tlen,
1859 const struct adiantum *A)
1860 {
1861 size_t Rlen = 16;
1862 size_t Llen = len - Rlen;
1863 uint8_t *c8 = c;
1864 uint8_t *cL = c8;
1865 uint8_t *cR = c8 + Llen;
1866 const uint8_t *p8 = p;
1867 const uint8_t *pL = p8;
1868 const uint8_t *pR = p8 + Llen;
1869 uint8_t h[16];
1870 uint8_t buf[16] __aligned(16);
1871 uint8_t nonce[24];
1872
1873 KASSERT(len % 16 == 0);
1874
1875 adiantum_hash(h, pL, Llen, t, tlen, A->kt, A->kl, A->kn);
1876 add128(buf, pR, h); /* buf := P_M */
1877 aes_enc(&A->kk_enc, buf, buf, AES_256_NROUNDS); /* buf := C_M */
1878
1879 memcpy(nonce, buf, 16);
1880 le64enc(nonce + 16, 1);
1881 xchacha_stream_xor(cL, pL, Llen, 0, nonce, A->ks, 12);
1882
1883 adiantum_hash(h, cL, Llen, t, tlen, A->kt, A->kl, A->kn);
1884 sub128(cR, buf, h);
1885
1886 explicit_memset(h, 0, sizeof h);
1887 explicit_memset(buf, 0, sizeof buf);
1888 }
1889
1890 void
adiantum_dec(void * p,const void * c,size_t len,const void * t,size_t tlen,const struct adiantum * A)1891 adiantum_dec(void *p, const void *c, size_t len, const void *t, size_t tlen,
1892 const struct adiantum *A)
1893 {
1894 size_t Rlen = 16;
1895 size_t Llen = len - Rlen;
1896 const uint8_t *c8 = c;
1897 const uint8_t *cL = c8;
1898 const uint8_t *cR = c8 + Llen;
1899 uint8_t *p8 = p;
1900 uint8_t *pL = p8;
1901 uint8_t *pR = p8 + Llen;
1902 uint8_t h[16];
1903 uint8_t buf[16] __aligned(16);
1904 uint8_t nonce[24];
1905
1906 KASSERT(len % 16 == 0);
1907
1908 adiantum_hash(h, cL, Llen, t, tlen, A->kt, A->kl, A->kn);
1909 add128(buf, cR, h); /* buf := C_M */
1910
1911 memcpy(nonce, buf, 16);
1912 le64enc(nonce + 16, 1);
1913 xchacha_stream_xor(pL, cL, Llen, 0, nonce, A->ks, 12);
1914
1915 aes_dec(&A->kk_dec, buf, buf, AES_256_NROUNDS); /* buf := P_M */
1916 adiantum_hash(h, pL, Llen, t, tlen, A->kt, A->kl, A->kn);
1917 sub128(pR, buf, h);
1918
1919 explicit_memset(h, 0, sizeof h);
1920 explicit_memset(buf, 0, sizeof buf);
1921 }
1922
1923 #ifdef _KERNEL
1924
1925 MODULE(MODULE_CLASS_MISC, adiantum, "aes,chacha");
1926
1927 static int
adiantum_modcmd(modcmd_t cmd,void * opaque)1928 adiantum_modcmd(modcmd_t cmd, void *opaque)
1929 {
1930
1931 switch (cmd) {
1932 case MODULE_CMD_INIT: {
1933 int result = 0;
1934 result |= addsub128_selftest();
1935 result |= poly1305_selftest();
1936 result |= nh_selftest();
1937 result |= nhpoly1305_selftest();
1938 result |= adiantum_selftest();
1939 if (result)
1940 panic("adiantum self-test failed");
1941 aprint_debug("adiantum: self-test passed\n");
1942 return 0;
1943 }
1944 case MODULE_CMD_FINI:
1945 return 0;
1946 default:
1947 return ENOTTY;
1948 }
1949 }
1950
1951 #else /* !defined(_KERNEL) */
1952
1953 #include <err.h>
1954 #include <stdio.h>
1955 #include <unistd.h>
1956
1957 static int
read_block(int fd,void * buf,size_t len)1958 read_block(int fd, void *buf, size_t len)
1959 {
1960 char *p = buf;
1961 size_t n = len;
1962 ssize_t nread;
1963
1964 for (;;) {
1965 if ((nread = read(fd, p, n)) == -1)
1966 err(1, "read");
1967 if (nread == 0) {
1968 if (n < len)
1969 errx(1, "partial block");
1970 return -1; /* eof */
1971 }
1972 if ((size_t)nread >= n)
1973 break;
1974 p += (size_t)nread;
1975 n -= (size_t)nread;
1976 }
1977
1978 return 0;
1979 }
1980
1981 static void
write_block(int fd,const void * buf,size_t len)1982 write_block(int fd, const void *buf, size_t len)
1983 {
1984 const char *p = buf;
1985 size_t n = len;
1986 ssize_t nwrit;
1987
1988 for (;;) {
1989 if ((nwrit = write(fd, p, n)) == -1)
1990 err(1, "write");
1991 if ((size_t)nwrit >= n)
1992 break;
1993 p += (size_t)nwrit;
1994 n -= (size_t)nwrit;
1995 }
1996 }
1997
1998 #define SECSIZE 512
1999
2000 static void
process(void)2001 process(void)
2002 {
2003 static const uint8_t k[32] = {0};
2004 static uint8_t buf[65536];
2005 static struct adiantum C;
2006 uint8_t blkno[16] = {0};
2007 unsigned i;
2008
2009 adiantum_init(&C, k);
2010 while (read_block(STDIN_FILENO, buf, sizeof buf) == 0) {
2011 for (i = 0; i < sizeof buf; i += SECSIZE) {
2012 adiantum_enc(buf + i, buf + i, SECSIZE, blkno, 16, &C);
2013 le64enc(blkno, 1 + le32dec(blkno));
2014 }
2015 write_block(STDOUT_FILENO, buf, sizeof buf);
2016 if (le64dec(blkno) == 1024*1024*1024/SECSIZE)
2017 return;
2018 }
2019 }
2020
2021 int
main(void)2022 main(void)
2023 {
2024 int result = 0;
2025
2026 result |= addsub128_selftest();
2027 result |= poly1305_selftest();
2028 result |= nh_selftest();
2029 result |= nhpoly1305_selftest();
2030 result |= adiantum_selftest();
2031 if (result)
2032 return result;
2033
2034 process();
2035 return 0;
2036 }
2037
2038 #endif /* _KERNEL */
2039