Attachment #820740: patch v3, by Adam Langley for bug #917571


(-)a/cmd/bltest/blapitest.c (-17 / +118 lines)
 Lines 629-634    Link Here 
629
					 const unsigned char *src,
629
					 const unsigned char *src,
630
					 PRUint32 src_length);
630
					 PRUint32 src_length);
631
631
632
typedef SECStatus (* bltestAEADFn)(unsigned char *dest,
633
				   const unsigned char *ad, size_t adLen,
634
				   const unsigned char *src, size_t srcLen,
635
				   size_t tagLen,
636
				   const unsigned char key[32],
637
				   const unsigned char nonce[8]);
638
632
typedef enum {
639
typedef enum {
633
    bltestINVALID = -1,
640
    bltestINVALID = -1,
634
    bltestDES_ECB,	  /* Symmetric Key Ciphers */
641
    bltestDES_ECB,	  /* Symmetric Key Ciphers */
 Lines 651-656    Link Here 
651
    bltestCAMELLIA_CBC,   /* .                     */
658
    bltestCAMELLIA_CBC,   /* .                     */
652
    bltestSEED_ECB,       /* SEED algorithm	   */
659
    bltestSEED_ECB,       /* SEED algorithm	   */
653
    bltestSEED_CBC,       /* SEED algorithm	   */
660
    bltestSEED_CBC,       /* SEED algorithm	   */
661
    bltestCHACHA20,       /* ChaCha20 + Poly1305   */
654
    bltestRSA,		  /* Public Key Ciphers	   */
662
    bltestRSA,		  /* Public Key Ciphers	   */
655
#ifdef NSS_ENABLE_ECC
663
#ifdef NSS_ENABLE_ECC
656
    bltestECDSA,	  /* . (Public Key Sig.)   */
664
    bltestECDSA,	  /* . (Public Key Sig.)   */
 Lines 688-693    Link Here 
688
    "camellia_cbc",
696
    "camellia_cbc",
689
    "seed_ecb",
697
    "seed_ecb",
690
    "seed_cbc",
698
    "seed_cbc",
699
    "chacha20_poly1305",
691
    "rsa",
700
    "rsa",
692
#ifdef NSS_ENABLE_ECC
701
#ifdef NSS_ENABLE_ECC
693
    "ecdsa",
702
    "ecdsa",
 Lines 797-802    Link Here 
797
	bltestSymmCipherFn   symmkeyCipher;
806
	bltestSymmCipherFn   symmkeyCipher;
798
	bltestPubKeyCipherFn pubkeyCipher;
807
	bltestPubKeyCipherFn pubkeyCipher;
799
	bltestHashCipherFn   hashCipher;
808
	bltestHashCipherFn   hashCipher;
809
	bltestAEADFn         aeadCipher;
800
    } cipher;
810
    } cipher;
801
    /* performance testing */
811
    /* performance testing */
802
    int   repetitionsToPerfom;
812
    int   repetitionsToPerfom;
 Lines 817-828    Link Here 
817
}
827
}
818
828
819
PRBool
829
PRBool
830
is_aeadCipher(bltestCipherMode mode)
831
{
832
    /* change as needed! */
833
    switch (mode) {
834
	case bltestCHACHA20:
835
	    return PR_TRUE;
836
	default:
837
	    return PR_FALSE;
838
    }
839
}
840
841
PRBool
820
is_authCipher(bltestCipherMode mode)
842
is_authCipher(bltestCipherMode mode)
821
{
843
{
822
    /* change as needed! */
844
    /* change as needed! */
823
    if (mode == bltestAES_GCM)
845
    switch (mode) {
824
	return PR_TRUE;
846
	case bltestAES_GCM:
825
    return PR_FALSE;
847
	case bltestCHACHA20:
848
	    return PR_TRUE;
849
	default:
850
	    return PR_FALSE;
851
    }
826
}
852
}
827
853
828
854
 Lines 830-840    Link Here 
830
is_singleShotCipher(bltestCipherMode mode)
856
is_singleShotCipher(bltestCipherMode mode)
831
{
857
{
832
    /* change as needed! */
858
    /* change as needed! */
833
    if (mode == bltestAES_GCM)
859
    switch (mode) {
834
	return PR_TRUE;
860
	case bltestAES_GCM:
835
    if (mode == bltestAES_CTS)
861
	case bltestAES_CTS:
836
	return PR_TRUE;
862
	case bltestCHACHA20:
837
    return PR_FALSE;
863
	    return PR_TRUE;
864
	default:
865
	    return PR_FALSE;
866
    }
838
}
867
}
839
868
840
PRBool
869
PRBool
 Lines 872-887    Link Here 
872
cipher_requires_IV(bltestCipherMode mode)
901
cipher_requires_IV(bltestCipherMode mode)
873
{
902
{
874
    /* change as needed! */
903
    /* change as needed! */
875
    if (mode == bltestDES_CBC || mode == bltestDES_EDE_CBC ||
904
    switch (mode) {
876
	mode == bltestRC2_CBC || 
905
	case bltestDES_CBC:
906
	case bltestDES_EDE_CBC:
907
	case bltestRC2_CBC:
877
#ifdef NSS_SOFTOKEN_DOES_RC5
908
#ifdef NSS_SOFTOKEN_DOES_RC5
878
	mode == bltestRC5_CBC ||
909
	case bltestRC5_CBC:
879
#endif
910
#endif
880
	mode == bltestAES_CBC || mode == bltestAES_CTS || 
911
	case bltestAES_CBC:
881
	mode == bltestAES_CTR || mode == bltestAES_GCM ||
912
	case bltestAES_CTS:
882
	mode == bltestCAMELLIA_CBC || mode == bltestSEED_CBC)
913
	case bltestAES_CTR:
883
	return PR_TRUE;
914
	case bltestAES_GCM:
884
    return PR_FALSE;
915
	case bltestCAMELLIA_CBC:
916
	case bltestSEED_CBC:
917
	case bltestCHACHA20:
918
	    return PR_TRUE;
919
	default:
920
	    return PR_FALSE;
921
    }
885
}
922
}
886
923
887
SECStatus finishIO(bltestIO *output, PRFileDesc *file);
924
SECStatus finishIO(bltestIO *output, PRFileDesc *file);
 Lines 1487-1492    Link Here 
1487
}
1524
}
1488
1525
1489
SECStatus
1526
SECStatus
1527
bltest_chacha20_init(bltestCipherInfo *cipherInfo, PRBool encrypt)
1528
{
1529
    if (encrypt)
1530
	cipherInfo->cipher.aeadCipher = ChaCha20Poly1305_Seal;
1531
    else
1532
	cipherInfo->cipher.aeadCipher = ChaCha20Poly1305_Open;
1533
    return SECSuccess;
1534
}
1535
1536
SECStatus
1490
bltest_rsa_init(bltestCipherInfo *cipherInfo, PRBool encrypt)
1537
bltest_rsa_init(bltestCipherInfo *cipherInfo, PRBool encrypt)
1491
{
1538
{
1492
    int i;
1539
    int i;
 Lines 2109-2114    Link Here 
2109
			  cipherInfo->input.pBuf.len);
2156
			  cipherInfo->input.pBuf.len);
2110
	return bltest_seed_init(cipherInfo, encrypt);
2157
	return bltest_seed_init(cipherInfo, encrypt);
2111
	break;
2158
	break;
2159
    case bltestCHACHA20:
2160
	SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
2161
			  cipherInfo->input.pBuf.len + 16);
2162
	return bltest_chacha20_init(cipherInfo, encrypt);
2163
	break;
2112
    case bltestRSA:
2164
    case bltestRSA:
2113
	SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
2165
	SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
2114
			  cipherInfo->input.pBuf.len);
2166
			  cipherInfo->input.pBuf.len);
 Lines 2497-2502    Link Here 
2497
            }
2549
            }
2498
        }
2550
        }
2499
        TIMEFINISH(cipherInfo->optime, 1.0);
2551
        TIMEFINISH(cipherInfo->optime, 1.0);
2552
    } else if (is_aeadCipher(cipherInfo->mode)) {
2553
        const unsigned char *input = cipherInfo->input.pBuf.data;
2554
        unsigned int inputLen = cipherInfo->input.pBuf.len;
2555
        unsigned char *output = cipherInfo->output.pBuf.data;
2556
        unsigned int outputLen = maxLen;
2557
        bltestSymmKeyParams *sk = &cipherInfo->params.sk;
2558
        const unsigned int tagLen = 16; /* same for all AEADs, so far. */
2559
2560
        TIMESTART();
2561
        rv = (*cipherInfo->cipher.aeadCipher)(
2562
                output, NULL /* no additional data */, 0,
2563
                input, inputLen,
2564
                tagLen,
2565
                sk->key.buf.data,
2566
                sk->iv.buf.data);
2567
        CHECKERROR(rv, __LINE__);
2568
        TIMEFINISH(cipherInfo->optime, 1.0);
2569
2570
        cipherInfo->repetitions = 0;
2571
        if (cipherInfo->repetitionsToPerfom != 0) {
2572
            TIMESTART();
2573
            for (i=0; i<cipherInfo->repetitionsToPerfom; i++,
2574
                     cipherInfo->repetitions++) {
2575
                rv = (*cipherInfo->cipher.aeadCipher)(
2576
                        output, NULL /* no additional data */, 0,
2577
                        input, inputLen,
2578
                        tagLen,
2579
                        sk->key.buf.data,
2580
                        sk->iv.buf.data);
2581
                CHECKERROR(rv, __LINE__);
2582
            }
2583
        } else {
2584
            int opsBetweenChecks = 0;
2585
            TIMEMARK(cipherInfo->seconds);
2586
            while (! (TIMETOFINISH())) {
2587
                int j = 0;
2588
                for (;j < opsBetweenChecks;j++) {
2589
                    (*cipherInfo->cipher.aeadCipher)(
2590
                            output, NULL /* no additional data */, 0,
2591
                            input, inputLen,
2592
                            tagLen,
2593
                            sk->key.buf.data,
2594
                            sk->iv.buf.data);
2595
                }
2596
                cipherInfo->repetitions += j;
2597
            }
2598
        }
2599
        TIMEFINISH(cipherInfo->optime, 1.0);
2500
    } else if (is_pubkeyCipher(cipherInfo->mode)) {
2600
    } else if (is_pubkeyCipher(cipherInfo->mode)) {
2501
        TIMESTART();
2601
        TIMESTART();
2502
        rv = (*cipherInfo->cipher.pubkeyCipher)(cipherInfo->cx,
2602
        rv = (*cipherInfo->cipher.pubkeyCipher)(cipherInfo->cx,
 Lines 3869-3875    Link Here 
3869
        /* Set up an encryption key. */
3969
        /* Set up an encryption key. */
3870
        keysize = 0;
3970
        keysize = 0;
3871
        file = NULL;
3971
        file = NULL;
3872
        if (is_symmkeyCipher(cipherInfo->mode)) {
3972
        if (is_symmkeyCipher(cipherInfo->mode) ||
3973
	    is_aeadCipher(cipherInfo->mode)) {
3873
            char *keystr = NULL;  /* if key is on command line */
3974
            char *keystr = NULL;  /* if key is on command line */
3874
            if (bltest.options[opt_Key].activated) {
3975
            if (bltest.options[opt_Key].activated) {
3875
                if (bltest.options[opt_CmdLine].activated) {
3976
                if (bltest.options[opt_CmdLine].activated) {
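Review bot: The new `is_aeadCipher` branch in the timing code hands `sk->key.buf.data` and `sk->iv.buf.data` to a `bltestAEADFn` whose prototype promises `key[32]` and `nonce[8]`, yet no length check is visible in these hunks, so a shorter key or IV loaded from the command line or a file would be read past its end. I would guard the first call with `if (sk->key.buf.len != 32 || sk->iv.buf.len != 8)` and fail the same way `CHECKERROR` does, assuming `buf` is a SECItem there as it is for `output.buf`. The typedef also carries no destination capacity, so the `input.pBuf.len + 16` allocation in the `bltestCHACHA20` init case is the only thing bounding the write; that `SECITEM_AllocItem` result is not checked, and the literal 16 deserves a comment tying it to `tagLen`. The local `outputLen = maxLen` is assigned but never used and can be dropped. The enclosing function starts and ends outside the hunk, so an existing length check elsewhere cannot be ruled out.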
(-)a/cmd/pk11gcmtest/pk11gcmtest.c (-44 / +80 lines)
 Lines 34-40    Link Here 
34
}
34
}
35
35
36
static SECStatus
36
static SECStatus
37
aes_encrypt_buf(
37
encrypt_buf(
38
    CK_MECHANISM_TYPE mechanism,
38
    const unsigned char *key, unsigned int keysize,
39
    const unsigned char *key, unsigned int keysize,
39
    const unsigned char *iv, unsigned int ivsize,
40
    const unsigned char *iv, unsigned int ivsize,
40
    unsigned char *output, unsigned int *outputlen, unsigned int maxoutputlen,
41
    unsigned char *output, unsigned int *outputlen, unsigned int maxoutputlen,
 Lines 46-51    Link Here 
46
    PK11SlotInfo* slot = NULL;
47
    PK11SlotInfo* slot = NULL;
47
    PK11SymKey *symKey = NULL;
48
    PK11SymKey *symKey = NULL;
48
    CK_GCM_PARAMS gcm_params;
49
    CK_GCM_PARAMS gcm_params;
50
    CK_NSS_AEAD_PARAMS aead_params;
49
    SECItem param;
51
    SECItem param;
50
52
51
    /* Import key into NSS. */
53
    /* Import key into NSS. */
 Lines 53-59    Link Here 
53
    key_item.data = (unsigned char *) key;  /* const cast */
55
    key_item.data = (unsigned char *) key;  /* const cast */
54
    key_item.len = keysize;
56
    key_item.len = keysize;
55
    slot = PK11_GetInternalSlot();
57
    slot = PK11_GetInternalSlot();
56
    symKey = PK11_ImportSymKey(slot, CKM_AES_GCM, PK11_OriginUnwrap,
58
    symKey = PK11_ImportSymKey(slot, mechanism, PK11_OriginUnwrap,
57
			       CKA_ENCRYPT, &key_item, NULL);
59
			       CKA_ENCRYPT, &key_item, NULL);
58
    PK11_FreeSlot(slot);
60
    PK11_FreeSlot(slot);
59
    slot = NULL;
61
    slot = NULL;
 Lines 62-81    Link Here 
62
	goto loser;
64
	goto loser;
63
    }
65
    }
64
66
65
    gcm_params.pIv = (unsigned char *) iv;  /* const cast */
67
    if (mechanism == CKM_AES_GCM) {
66
    gcm_params.ulIvLen = ivsize;
68
	gcm_params.pIv = (unsigned char *) iv;  /* const cast */
67
    gcm_params.pAAD = (unsigned char *) aad;  /* const cast */
69
	gcm_params.ulIvLen = ivsize;
68
    gcm_params.ulAADLen = aadlen;
70
	gcm_params.pAAD = (unsigned char *) aad;  /* const cast */
69
    gcm_params.ulTagBits = tagsize * 8;
71
	gcm_params.ulAADLen = aadlen;
72
	gcm_params.ulTagBits = tagsize * 8;
70
73
71
    param.type = siBuffer;
74
	param.type = siBuffer;
72
    param.data = (unsigned char *) &gcm_params;
75
	param.data = (unsigned char *) &gcm_params;
73
    param.len = sizeof(gcm_params);
76
	param.len = sizeof(gcm_params);
77
    } else {
78
	aead_params.pIv = (unsigned char *) iv;  /* const cast */
79
	aead_params.ulIvLen = ivsize;
80
	aead_params.pAAD = (unsigned char *) aad;  /* const cast */
81
	aead_params.ulAADLen = aadlen;
82
	aead_params.ulTagLen = tagsize;
74
83
75
    if (PK11_Encrypt(symKey, CKM_AES_GCM, &param,
84
	param.type = siBuffer;
85
	param.data = (unsigned char *) &aead_params;
86
	param.len = sizeof(aead_params);
87
    }
88
89
    if (PK11_Encrypt(symKey, mechanism, &param,
76
		     output, outputlen, maxoutputlen,
90
		     output, outputlen, maxoutputlen,
77
		     input, inputlen) != SECSuccess) {
91
		     input, inputlen) != SECSuccess) {
78
	fprintf(stderr, "PK11_Encrypt failed\n");
92
	fprintf(stderr, "PK11_Encrypt failed: %d\n", PORT_GetError());
79
	goto loser;
93
	goto loser;
80
    }
94
    }
81
95
 Lines 89-95    Link Here 
89
}
103
}
90
104
91
static SECStatus
105
static SECStatus
92
aes_decrypt_buf(
106
decrypt_buf(
107
    CK_MECHANISM_TYPE mechanism,
93
    const unsigned char *key, unsigned int keysize,
108
    const unsigned char *key, unsigned int keysize,
94
    const unsigned char *iv, unsigned int ivsize,
109
    const unsigned char *iv, unsigned int ivsize,
95
    unsigned char *output, unsigned int *outputlen, unsigned int maxoutputlen,
110
    unsigned char *output, unsigned int *outputlen, unsigned int maxoutputlen,
 Lines 103-112    Link Here 
103
    PK11SlotInfo *slot = NULL;
118
    PK11SlotInfo *slot = NULL;
104
    PK11SymKey *symKey = NULL;
119
    PK11SymKey *symKey = NULL;
105
    CK_GCM_PARAMS gcm_params;
120
    CK_GCM_PARAMS gcm_params;
121
    CK_NSS_AEAD_PARAMS aead_params;
106
    SECItem param;
122
    SECItem param;
107
123
108
    if (inputlen + tagsize > sizeof(concatenated)) {
124
    if (inputlen + tagsize > sizeof(concatenated)) {
109
	fprintf(stderr, "aes_decrypt_buf: local buffer too small\n");
125
	fprintf(stderr, "decrypt_buf: local buffer too small\n");
110
	goto loser;
126
	goto loser;
111
    }
127
    }
112
    memcpy(concatenated, input, inputlen);
128
    memcpy(concatenated, input, inputlen);
 Lines 117-123    Link Here 
117
    key_item.data = (unsigned char *) key;  /* const cast */
133
    key_item.data = (unsigned char *) key;  /* const cast */
118
    key_item.len = keysize;
134
    key_item.len = keysize;
119
    slot = PK11_GetInternalSlot();
135
    slot = PK11_GetInternalSlot();
120
    symKey = PK11_ImportSymKey(slot, CKM_AES_GCM, PK11_OriginUnwrap,
136
    symKey = PK11_ImportSymKey(slot, mechanism, PK11_OriginUnwrap,
121
			       CKA_DECRYPT, &key_item, NULL);
137
			       CKA_DECRYPT, &key_item, NULL);
122
    PK11_FreeSlot(slot);
138
    PK11_FreeSlot(slot);
123
    slot = NULL;
139
    slot = NULL;
 Lines 126-142    Link Here 
126
	goto loser;
142
	goto loser;
127
    }
143
    }
128
144
129
    gcm_params.pIv = (unsigned char *) iv;
145
    if (mechanism == CKM_AES_GCM) {
130
    gcm_params.ulIvLen = ivsize;
146
	gcm_params.pIv = (unsigned char *) iv;
131
    gcm_params.pAAD = (unsigned char *) aad;
147
	gcm_params.ulIvLen = ivsize;
132
    gcm_params.ulAADLen = aadlen;
148
	gcm_params.pAAD = (unsigned char *) aad;
133
    gcm_params.ulTagBits = tagsize * 8;
149
	gcm_params.ulAADLen = aadlen;
150
	gcm_params.ulTagBits = tagsize * 8;
134
151
135
    param.type = siBuffer;
152
	param.type = siBuffer;
136
    param.data = (unsigned char *) &gcm_params;
153
	param.data = (unsigned char *) &gcm_params;
137
    param.len = sizeof(gcm_params);
154
	param.len = sizeof(gcm_params);
155
    } else {
156
	aead_params.pIv = (unsigned char *) iv;
157
	aead_params.ulIvLen = ivsize;
158
	aead_params.pAAD = (unsigned char *) aad;
159
	aead_params.ulAADLen = aadlen;
160
	aead_params.ulTagLen = tagsize;
138
161
139
    if (PK11_Decrypt(symKey, CKM_AES_GCM, &param,
162
	param.type = siBuffer;
163
	param.data = (unsigned char *) &aead_params;
164
	param.len = sizeof(aead_params);
165
    }
166
167
    if (PK11_Decrypt(symKey, mechanism, &param,
140
		     output, outputlen, maxoutputlen,
168
		     output, outputlen, maxoutputlen,
141
		     concatenated, inputlen + tagsize) != SECSuccess) {
169
		     concatenated, inputlen + tagsize) != SECSuccess) {
142
	goto loser;
170
	goto loser;
 Lines 157-167    Link Here 
157
 * respfn is the pathname of the RESPONSE file.
185
 * respfn is the pathname of the RESPONSE file.
158
 */
186
 */
159
static void
187
static void
160
aes_gcm_kat(const char *respfn)
188
kat(CK_MECHANISM_TYPE mechanism, const char *respfn)
161
{
189
{
162
    char buf[512];      /* holds one line from the input REQUEST file.
190
    char buf[600];      /* holds one line from the input REQUEST file.
163
                         * needs to be large enough to hold the longest
191
                         * needs to be large enough to hold the longest
164
                         * line "CIPHERTEXT = <320 hex digits>\n".
192
                         * line "AAD = <590 hex digits>\n".
165
                         */
193
                         */
166
    FILE *aesresp;      /* input stream from the RESPONSE file */
194
    FILE *aesresp;      /* input stream from the RESPONSE file */
167
    int i, j;
195
    int i, j;
 Lines 172-186    Link Here 
172
    unsigned int keysize;
200
    unsigned int keysize;
173
    unsigned char iv[10*16];            /* 1 to 10 blocks */
201
    unsigned char iv[10*16];            /* 1 to 10 blocks */
174
    unsigned int ivsize;
202
    unsigned int ivsize;
175
    unsigned char plaintext[10*16];     /* 1 to 10 blocks */
203
    unsigned char plaintext[512];
176
    unsigned int plaintextlen = 0;
204
    unsigned int plaintextlen = 0;
177
    unsigned char aad[10*16];           /* 1 to 10 blocks */
205
    unsigned char aad[512];
178
    unsigned int aadlen = 0;
206
    unsigned int aadlen = 0;
179
    unsigned char ciphertext[10*16];    /* 1 to 10 blocks */
207
    unsigned char ciphertext[512];
180
    unsigned int ciphertextlen;
208
    unsigned int ciphertextlen;
181
    unsigned char tag[16];
209
    unsigned char tag[16];
182
    unsigned int tagsize;
210
    unsigned int tagsize;
183
    unsigned char output[10*16];         /* 1 to 10 blocks */
211
    unsigned char output[512];
184
    unsigned int outputlen;
212
    unsigned int outputlen;
185
213
186
    unsigned int expected_keylen = 0;
214
    unsigned int expected_keylen = 0;
 Lines 316-334    Link Here 
316
	    }
344
	    }
317
345
318
	    if (!is_encrypt) {
346
	    if (!is_encrypt) {
319
		rv = aes_decrypt_buf(key, keysize, iv, ivsize,
347
		rv = decrypt_buf(mechanism, key, keysize, iv, ivsize,
320
		    output, &outputlen, sizeof output,
348
		    output, &outputlen, sizeof output,
321
		    ciphertext, ciphertextlen, aad, aadlen, tag, tagsize);
349
		    ciphertext, ciphertextlen, aad, aadlen, tag, tagsize);
322
		if (rv != SECSuccess) {
350
		if (rv != SECSuccess) {
323
		    fprintf(stderr, "aes_decrypt_buf failed\n");
351
		    fprintf(stderr, "decrypt_buf failed\n");
324
		    goto loser;
352
		    goto loser;
325
		}
353
		}
326
		if (outputlen != plaintextlen) {
354
		if (outputlen != plaintextlen) {
327
		    fprintf(stderr, "aes_decrypt_buf: wrong output size\n");
355
		    fprintf(stderr, "decrypt_buf: wrong output size\n");
328
		    goto loser;
356
		    goto loser;
329
		}
357
		}
330
		if (memcmp(output, plaintext, plaintextlen) != 0) {
358
		if (memcmp(output, plaintext, plaintextlen) != 0) {
331
		    fprintf(stderr, "aes_decrypt_buf: wrong plaintext\n");
359
		    fprintf(stderr, "decrypt_buf: wrong plaintext\n");
332
		    goto loser;
360
		    goto loser;
333
		}
361
		}
334
	    }
362
	    }
 Lines 339-353    Link Here 
339
	    plaintextlen = 0;
367
	    plaintextlen = 0;
340
368
341
	    PORT_Assert(!is_encrypt);
369
	    PORT_Assert(!is_encrypt);
342
	    rv = aes_decrypt_buf(key, keysize, iv, ivsize,
370
	    rv = decrypt_buf(mechanism, key, keysize, iv, ivsize,
343
		output, &outputlen, sizeof output,
371
		output, &outputlen, sizeof output,
344
		ciphertext, ciphertextlen, aad, aadlen, tag, tagsize);
372
		ciphertext, ciphertextlen, aad, aadlen, tag, tagsize);
345
	    if (rv != SECFailure) {
373
	    if (rv != SECFailure) {
346
		fprintf(stderr, "aes_decrypt_buf succeeded unexpectedly\n");
374
		fprintf(stderr, "decrypt_buf succeeded unexpectedly\n");
347
		goto loser;
375
		goto loser;
348
	    }
376
	    }
349
	    if (PORT_GetError() != SEC_ERROR_BAD_DATA) {
377
	    if (PORT_GetError() != SEC_ERROR_BAD_DATA) {
350
		fprintf(stderr, "aes_decrypt_buf failed with incorrect "
378
		fprintf(stderr, "decrypt_buf failed with incorrect "
351
			"error code\n");
379
			"error code\n");
352
		goto loser;
380
		goto loser;
353
	    }
381
	    }
 Lines 404-426    Link Here 
404
	    }
432
	    }
405
433
406
	    if (is_encrypt) {
434
	    if (is_encrypt) {
407
		rv = aes_encrypt_buf(key, keysize, iv, ivsize,
435
		rv = encrypt_buf(mechanism, key, keysize, iv, ivsize,
408
		    output, &outputlen, sizeof output,
436
		    output, &outputlen, sizeof output,
409
		    plaintext, plaintextlen, aad, aadlen, tagsize);
437
		    plaintext, plaintextlen, aad, aadlen, tagsize);
410
		if (rv != SECSuccess) {
438
		if (rv != SECSuccess) {
411
		    fprintf(stderr, "aes_encrypt_buf failed\n");
439
		    fprintf(stderr, "encrypt_buf failed\n");
412
		    goto loser;
440
		    goto loser;
413
		}
441
		}
414
		if (outputlen != plaintextlen + tagsize) {
442
		if (outputlen != plaintextlen + tagsize) {
415
		    fprintf(stderr, "aes_encrypt_buf: wrong output size\n");
443
		    fprintf(stderr, "encrypt_buf: wrong output size\n");
416
		    goto loser;
444
		    goto loser;
417
		}
445
		}
418
		if (memcmp(output, ciphertext, plaintextlen) != 0) {
446
		if (memcmp(output, ciphertext, plaintextlen) != 0) {
419
		    fprintf(stderr, "aes_encrypt_buf: wrong ciphertext\n");
447
		    fprintf(stderr, "encrypt_buf: wrong ciphertext\n");
420
		    goto loser;
448
		    goto loser;
421
		}
449
		}
422
		if (memcmp(output + plaintextlen, tag, tagsize) != 0) {
450
		if (memcmp(output + plaintextlen, tag, tagsize) != 0) {
423
		    fprintf(stderr, "aes_encrypt_buf: wrong tag\n");
451
		    fprintf(stderr, "encrypt_buf: wrong tag\n");
424
		    goto loser;
452
		    goto loser;
425
		}
453
		}
426
	    }
454
	    }
 Lines 431-438    Link Here 
431
    printf("%u tests\n", num_tests);
459
    printf("%u tests\n", num_tests);
432
    printf("%u test groups\n", test_group);
460
    printf("%u test groups\n", test_group);
433
    printf("PASS\n");
461
    printf("PASS\n");
462
    fclose(aesresp);
463
    return;
434
loser:
464
loser:
465
    printf("FAIL\n");
435
    fclose(aesresp);
466
    fclose(aesresp);
467
    exit(1);
436
}
468
}
437
469
438
int main(int argc, char **argv)
470
int main(int argc, char **argv)
 Lines 448-455    Link Here 
448
	/* argv[2]=kat argv[3]=gcm argv[4]=<test name>.rsp */
480
	/* argv[2]=kat argv[3]=gcm argv[4]=<test name>.rsp */
449
	if (strcmp(argv[2], "kat") == 0) {
481
	if (strcmp(argv[2], "kat") == 0) {
450
	    /* Known Answer Test (KAT) */
482
	    /* Known Answer Test (KAT) */
451
	    aes_gcm_kat(argv[4]);
483
	    kat(CKM_AES_GCM, argv[4]);
452
	}
484
	}
485
    } else if (strcmp(argv[1], "chacha20") == 0 &&
486
	       strcmp(argv[2], "kat") == 0 &&
487
	       strcmp(argv[3], "poly1305") == 0) {
488
	kat(CKM_NSS_CHACHA20_POLY1305, argv[4]);
453
    }
489
    }
454
490
455
    NSS_Shutdown();
491
    NSS_Shutdown();
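Review bot: In both `encrypt_buf` and `decrypt_buf` the bare `else` treats every mechanism other than `CKM_AES_GCM` as taking `CK_NSS_AEAD_PARAMS`, so a future caller passing some other mechanism would silently get a wrongly typed parameter blob. I would make the branch explicit with `} else if (mechanism == CKM_NSS_CHACHA20_POLY1305) {` and add a final `else` that prints an error and does `goto loser;`. Separately, `kat` now uses 512-byte `plaintext`/`ciphertext`/`output` buffers, while `decrypt_buf` still rejects input with `inputlen + tagsize > sizeof(concatenated)`; the declaration of `concatenated` is outside the visible hunks, so please confirm it was enlarged to match, otherwise longer decrypt vectors will fail with "local buffer too small". The new `chacha20` branch in `main` reads `argv[1]` through `argv[4]`; the `argc` check is not in the hunk and should cover this path as well.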
(-)0a2868789206 (+839 lines)
1
[Keylen = 256]
2
[IVlen = 64]
3
[PTlen = 0]
4
[AADlen = 0]
5
[Taglen = 128]
6
7
Count = 0
8
Key = 9a97f65b9b4c721b960a672145fca8d4e32e67f9111ea979ce9c4826806aeee6
9
IV = 3de9c0da2bd7f91e
10
PT =
11
AAD =
12
CT =
13
Tag = 5a6e21f4ba6dbee57380e79e79c30def
14
15
[Keylen = 256]
16
[IVlen = 64]
17
[PTlen = 40]
18
[AADlen = 40]
19
[Taglen = 128]
20
21
Count = 0
22
Key = bcb2639bf989c6251b29bf38d39a9bdce7c55f4b2ac12a39c8a37b5d0a5cc2b5
23
IV = 1e8b4c510f5ca083
24
PT = 8c8419bc27
25
AAD = 34ab88c265
26
CT = 1a7c2f33f5
27
Tag = 2875c659d0f2808de3a40027feff91a4
28
29
[Keylen = 256]
30
[IVlen = 64]
31
[PTlen = 80]
32
[AADlen = 80]
33
[Taglen = 128]
34
35
Count = 0
36
Key = 4290bcb154173531f314af57f3be3b5006da371ece272afa1b5dbdd1100a1007
37
IV = cd7cf67be39c794a
38
PT = 86d09974840bded2a5ca
39
AAD = 87e229d4500845a079c0
40
CT = e3e446f7ede9a19b62a4
41
Tag = 677dabf4e3d24b876bb284753896e1d6
42
43
[Keylen = 256]
44
[IVlen = 64]
45
[PTlen = 120]
46
[AADlen = 120]
47
[Taglen = 128]
48
49
Count = 0
50
Key = 422a5355b56dcf2b436aa8152858106a88d9ba23cdfe087b5e74e817a52388b3
51
IV = 1d12d6d91848f2ea
52
PT = 537a645387f22d6f6dbbea568d3feb
53
AAD = bef267c99aec8af56bc238612bfea6
54
CT = 281a366705c5a24b94e56146681e44
55
Tag = 38f2b8ee3be44abba3c010d9cab6e042
56
57
[Keylen = 256]
58
[IVlen = 64]
59
[PTlen = 160]
60
[AADlen = 160]
61
[Taglen = 128]
62
63
Count = 0
64
Key = ec7b864a078c3d05d970b6ea3ba6d33d6bb73dfa64c622a4727a96ede876f685
65
IV = 2bca0e59e39508d3
66
PT = b76733895c871edd728a45ed1a21f15a9597d49d
67
AAD = cc1243ea54272db602fb0853c8e7027c56338b6c
68
CT = 1fb9b2958fce47a5cada9d895fbb0c00d3569858
69
Tag = 042ad5042c89ebc1aad57d3fb703d314
70
71
[Keylen = 256]
72
[IVlen = 64]
73
[PTlen = 200]
74
[AADlen = 200]
75
[Taglen = 128]
76
77
Count = 0
78
Key = 2c4c0fdb611df2d4d5e7898c6af0022795364adb8749155e2c68776a090e7d5c
79
IV = 13ce7382734c4a71
80
PT = 0dc6ff21a346e1337dd0db81d8f7d9f6fd1864418b98aadcdb
81
AAD = 0115edcb176ab8bfa947d1f7c3a86a845d310bf6706c59a8f9
82
CT = dad65e4244a1a17ce59d88b00af4f7434bd7830ffdd4c5558f
83
Tag = ac1437b45d8eacf9c0fe547c84fb82a2
84
85
[Keylen = 256]
86
[IVlen = 64]
87
[PTlen = 240]
88
[AADlen = 240]
89
[Taglen = 128]
90
91
Count = 0
92
Key = c66e89fbab01208f6a60847f4f34b38d27b554c119cf8d9e0b118aa7266ab865
93
IV = 5d9856060c54ab06
94
PT = f9e3e9b5ed07b2080db8c1ffc37e4a6cb3cd544608921e18610d00b17c6e
95
AAD = 85c112a1efe0a20ef3a550526a7afbc98f6367ebbede4e703099abd78f51
96
CT = b5cc754f6dd19ef2d66f90e6bc9a322ddf216ef248cbe76b5ab6dd53bc36
97
Tag = 6dd98710d8a889dceea0d0a936f98617
98
99
[Keylen = 256]
100
[IVlen = 64]
101
[PTlen = 280]
102
[AADlen = 280]
103
[Taglen = 128]
104
105
Count = 0
106
Key = a8b9766f404dea8cf7d7dfaf5822f53df9ccd092e332a57f007b301b507d5e14
107
IV = c7f2f7a233104a2d
108
PT = 4d6faeaee39179a7c892faae3719656cc614c7e6ecd8fcb570a3b82c4dace969090338
109
AAD = c6d83b6a56408a356e68d0494d4eff150530b09551d008373d6dee2b8d6b5619d67fdb
110
CT = a15443f083316eef627a371f4c9ac654d0dd75255d8a303125e9f51af4233ff4ceb7fe
111
Tag = 52504e880f6792a60708cc6db72eae42
112
113
[Keylen = 256]
114
[IVlen = 64]
115
[PTlen = 320]
116
[AADlen = 320]
117
[Taglen = 128]
118
119
Count = 0
120
Key = 5e8d0e5f1467f7a750c55144d0c670f7d91075f386795b230c9bf1c04ba250bc
121
IV = 88049f44ba61b88f
122
PT = 51a1eebcc348e0582196a0bce16ed1f8ac2e91c3e8a690e04a9f4b5cf63313d7ad08d1efbff85c89
123
AAD = 5d09bf0be90026f9fc51f73418d6d864b6d197ea030b3de072bd2c2f5cab5860a342abbd29dba9dc
124
CT = 35aa4bd4537aa611fd7578fc227df50ebcb00c692a1cf6f02e50ed9270bd93af3bc68f4c75b96638
125
Tag = ccea1cbbc83944cc66df4dbf6fb7fc46
126
127
[Keylen = 256]
128
[IVlen = 64]
129
[PTlen = 360]
130
[AADlen = 360]
131
[Taglen = 128]
132
133
Count = 0
134
Key = 21a9f07ec891d488805e9b92bb1b2286f3f0410c323b07fee1dc6f7379e22e48
135
IV = 066215be6567377a
136
PT = c1b0affaf2b8d7ef51cca9aacf7969f92f928c2e3cc7db2e15f47ee1f65023910d09f209d007b7436ee898133d
137
AAD = dfdfdf4d3a68b47ad0d48828dc17b2585da9c81c3a8d71d826b5fa8020fee002397e91fc9658e9d61d728b93eb
138
CT = 8ff4ceb600e7d45696d02467f8e30df0d33864a040a41ffb9e4c2da09b92e88b6f6b850e9f7258d827b9aaf346
139
Tag = 4eeddc99784011f0758ba5ebfba61827
140
141
[Keylen = 256]
142
[IVlen = 64]
143
[PTlen = 400]
144
[AADlen = 400]
145
[Taglen = 128]
146
147
Count = 0
148
Key = 54c93db9aa0e00d10b45041c7a7e41ee9f90ab78ae4c1bba18d673c3b370abde
149
IV = 3f2d44e7b352360f
150
PT = 1241e7d6fbe5eef5d8af9c2fb8b516e0f1dd49aa4ebe5491205194fe5aea3704efaf30d392f44cc99e0925b84460d4873344
151
AAD = f1d1b08dd6fe96c46578c1d1ad38881840b10cb5eae41e5f05fe5287223fa72242aea48cb374a80be937b541f9381efa66bb
152
CT = 027b86865b80b4c4da823a7d3dbcf5845bf57d58ee334eb357e82369cc628979e2947830d9d4817efd3d0bc4779f0b388943
153
Tag = 4303fa0174ac2b9916bf89c593baee37
154
155
[Keylen = 256]
156
[IVlen = 64]
157
[PTlen = 440]
158
[AADlen = 440]
159
[Taglen = 128]
160
161
Count = 0
162
Key = 808e0e73e9bcd274d4c6f65df2fe957822a602f039d4752616ba29a28926ef4a
163
IV = 1b9cd73d2fc3cb8e
164
PT = 3436c7b5be2394af7e88320c82326a6db37887ff9de41961c7d654dd22dd1f7d40444d48f5c663b86ff41f3e15b5c8ca1337f97635858f
165
AAD = d57cfbe5f2538044282e53b2f0bb4e86ea2233041fb36adb8338ded092148f8c2e894ef8766a7ec2dd02c6ac5dbab0c3703c5e9119e37c
166
CT = 9b950b3caf7d25eaf5fca6fa3fe12ed077d80dcd5579851233c766bb8bb613ec91d925a939bb52fb88d5eda803cfe2a8cda2e055b962fd
167
Tag = 6bf5b718f5bbe1395a5fdfcbbef752f5
168
169
[Keylen = 256]
170
[IVlen = 64]
171
[PTlen = 480]
172
[AADlen = 480]
173
[Taglen = 128]
174
175
Count = 0
176
Key = 4adfe1a26c5636536cd7cb72aa5bded0b1aa64487ad0e4078f311e8782768e97
177
IV = d69e54badec11560
178
PT = 19b3f9411ce875fcb684cbdc07938c4c1347e164f9640d37b22f975b4b9a373c4302ae0e7dfdeba1e0d00ced446e338f4c5bc01b4becef5115825276
179
AAD = bda1b0f6c2f4eb8121dcbd2eebd91a03ae1d6e0523b9b6f34b6f16ceca0d086654fb0552bfd5c8e1887730e1449ea02d7f647ae835bc2dab4bbc65b9
180
CT = ea765a829d961e08bacaed801237ef4067df38ad3737b7c6de4db587a102a86fc4abbaabea0ee97c95ca7f571c7bab6f38cbae60cd6e6a4ce3c7a320
181
Tag = b425cdf10cd0123a7e64b347c6b4b1f0
182
183
[Keylen = 256]
184
[IVlen = 64]
185
[PTlen = 520]
186
[AADlen = 520]
187
[Taglen = 128]
188
189
Count = 0
190
Key = eb3db86c14b7cc2e494345d0dfb4841bbd3aa1e2bc640cca0c6c405520685639
191
IV = 88b54b28d6da8c81
192
PT = f75c0a357271430b1ecff07a307b6c29325c6e66935046704a19845e629f87a9e3b8aa6c1df55dd426a487d533bb333e46f0d3418464ac1bef059231f8e87e6284
193
AAD = 34b08bb0df821c573dcb56f5b8b4a9920465067f3b5bf3e3254ea1da1a7fc9847fd38bdfe6b30927945263a91fa288c7cf1bee0fddb0fadf5948c5d83eb4623575
194
CT = 146ec84f5dc1c9fe9de3307a9182dbaa75965bf85f5e64563e68d039a5b659aa8863b89228edb93ff3d8c3323ab0d03300476aa4aca206d4626a6b269b2078912d
195
Tag = 0058a8dff32c29935c62210c359bd281
196
197
[Keylen = 256]
198
[IVlen = 64]
199
[PTlen = 560]
200
[AADlen = 560]
201
[Taglen = 128]
202
203
Count = 0
204
Key = dd5b49b5953e04d926d664da3b65ebcffbbf06abbe93a3819dfc1abbecbaab13
205
IV = c5c8009459b9e31a
206
PT = f21f6706a4dc33a361362c214defd56d353bcb29811e5819ab3c5c2c13950c7aa0000b9d1fe69bb46454514dcce88a4a5eda097c281b81e51d6a4dba47c80326ba6cea8e2bab
207
AAD = fe6f4cbb00794adea59e9de8b03c7fdf482e46f6c47a35f96997669c735ed5e729a49416b42468777e6a8d7aa173c18b8177418ded600124a98cbb65489f9c24a04f1e7127ce
208
CT = 911ead61b2aa81d00c5eff53aeea3ab713709ed571765890d558fb59d3993b45f598a39e5eff4be844c4d4bd1ef9622e60412b21140007d54dcf31b2c0e3e98cf33a00fd27f0
209
Tag = d38d672665e2c8c4a07954b10ecff7d9
210
211
[Keylen = 256]
212
[IVlen = 64]
213
[PTlen = 600]
214
[AADlen = 600]
215
[Taglen = 128]
216
217
Count = 0
218
Key = 3b319e40148a67dc0bb19271d9272b327bc5eee087173d3d134ad56c8c7dc020
219
IV = ce5cf6fef84d0010
220
PT = 27b5627b17a2de31ad00fc2ecb347da0a399bb75cc6eadd4d6ee02de8fbd6a2168d4763ba9368ba982e97a2db8126df0343cdad06d2bc7d7e12eec731d130f8b8745c1954bfd1d717b4ea2
221
AAD = a026b6638f2939ec9cc28d935fb7113157f3b5b7e26c12f8f25b36412b0cd560b7f11b62788a76bd171342e2ae858bcecb8266ff8482bbaed593afe818b9829e05e8e2b281ae7799580142
222
CT = 368fb69892447b75778f1c5236e1e9d5d89255c3d68d565a5bba4f524d6ad27de13087f301e2ef4c08f5e2c6128b1d3e26de845c4ac4869e4c8bd8858ad0d26dec3b5d61a9e3666a3911ba
223
Tag = 2e70564c3999c448d92cc6df29d095c4
224
225
[Keylen = 256]
226
[IVlen = 64]
227
[PTlen = 640]
228
[AADlen = 640]
229
[Taglen = 128]
230
231
Count = 0
232
Key = 43bf97407a82d0f684bb85342380d66b85fcc81c3e22f1c0d972cd5bfdf407f4
233
IV = 8b6ba494c540fba4
234
PT = 4b4c7e292a357f56fdf567c32fc0f33608110d7ce5c69112987d7b5a0bd46d8627a721b0aed070b54ea9726084188c518cba829f3920365afc9382c6a5eb0dd332b84612366735be2479b63c9efc7ff5
235
AAD = 1e0acf4070e8d6758b60d81b6d289a4ecdc30e3de4f9090c13691d5b93d5bbcef984f90956de53c5cf44be6c70440661fa58e65dec2734ff51d6d03f57bddda1f47807247e3194e2f7ddd5f3cafd250f
236
CT = d0076c88ad4bc12d77eb8ae8d9b5bf3a2c5888a8d4c15297b38ece5d64f673191dc81547240a0cbe066c9c563f5c3424809971b5a07dcc70b107305561ce85aecb0b0ea0e8b4ff4d1e4f84836955a945
237
Tag = 75c9347425b459af6d99b17345c61ff7
238
239
[Keylen = 256]
240
[IVlen = 64]
241
[PTlen = 680]
242
[AADlen = 680]
243
[Taglen = 128]
244
245
Count = 0
246
Key = 12fc0bc94104ed8150bde1e56856ce3c57cd1cf633954d22552140e1f4e7c65d
247
IV = d3875d1b6c808353
248
PT = 24592082d6e73eb65c409b26ceae032e57f6877514947fc45eb007b8a6034494dde5563ac586ea081dc12fa6cda32266be858e4748be40bb20f71320711bf84c3f0e2783a63ad6e25a63b44c373a99af845cdf452c
249
AAD = b8be08463e84a909d071f5ff87213391b7da889dc56fd2f1e3cf86a0a03e2c8eaa2f539bf73f90f5298c26f27ef4a673a12784833acb4d0861562142c974ee37b09ae7708a19f14d1ad8c402bd1ecf5ea280fab280
250
CT = 9d9ae6328711fb897a88462d20b8aa1b278134cdf7b23e1f1c809fa408b68a7bfc2be61a790008edaa98823381f45ae65f71042689d88acfa5f63332f0fba737c4772c972eba266640056452903d6522cefd3f264e
251
Tag = e9c982d4ade7397bcfaa1e4c5a6cd578
252
253
[Keylen = 256]
254
[IVlen = 64]
255
[PTlen = 720]
256
[AADlen = 720]
257
[Taglen = 128]
258
259
Count = 0
260
Key = 7b6300f7dc21c9fddeaa71f439d53b553a7bf3e69ff515b5cb6495d652a0f99c
261
IV = 40b32e3fdc646453
262
PT = 572f60d98c8becc8ba80dd6b8d2d0f7b7bbfd7e4abc235f374abd44d9035c7650a79d1dd545fa2f6fb0b5eba271779913e5c5eb450528e4128909a96d11a652bf3f7ae9d0d17adbf612ec9ca32e73ef6e87d7f4e21fe3412ce14
263
AAD = 9ff377545a35cf1bfb77c734ad900c703aee6c3174fdb3736664863036a3a9d09163c2992f093e2408911b8751f001e493decc41e4eeeed04f698b6daed48452a7e1a74ec3b4f3dcf2151ca249fa568aa084c8428a41f20be5fd
264
CT = 229da76844426639e2fd3ef253a195e0a93f08452ba37219b6773f103134f3f87b1345f9b4bf8cfc11277c311780a2b6e19a363b6ac2efe6c4cc54a39b144e29c94b9ebbde6fd094c30f59d1b770ebf9fcad2a5c695dc003bf51
265
Tag = b72acab50131a29558d56ae7b9d48e4e
266
267
[Keylen = 256]
268
[IVlen = 64]
269
[PTlen = 760]
270
[AADlen = 760]
271
[Taglen = 128]
272
273
Count = 0
274
Key = 4aeb62f024e187606ee7cc9f5865c391c43df1963f459c87ba00e44bb163a866
275
IV = 9559bd08718b75af
276
PT = c5d586ceece6f41812c969bcf1e727fe6ff8d1ae8c8c52367c612caa7cdf50e0662f5dffc5ea7d3cc39400dfe3dc1897905f6490fd7747b5f5f9842739c67d07ce7c339a5b3997a7fb4cd0d8e4817ff8916b251c11ef919167f858e41504b9
277
AAD = 51f5b503b73a5de8b96534c2a3f2d859ece0bd063ea6dfa486a7eec99f6c020983f7148cccb86202cf9685cc1cc266930f04e536ad8bc26094252baa4606d883bd2aeed6b430152202e9b6cc797ff24fc365315ed67391374c1357c9a845f2
278
CT = 252ea42b6e5740306816974a4fe67b66e793ebe0914778ef485d55288eb6c9c45fa34ac853dc7a39252520514c3cb34c72b973b14b32bc257687d398f36f64cc2a668faffa7305ab240171343b5f9f49b6c2197e4fbe187b10540d7cdcfa37
279
Tag = 711ff33ef8d2b067a1b85c64f32f1814
280
281
[Keylen = 256]
282
[IVlen = 64]
283
[PTlen = 800]
284
[AADlen = 800]
285
[Taglen = 128]
286
287
Count = 0
288
Key = 9a19e72f005cae1ae78b8e350d7aabe59fc8845999e8c52fad545b942c225eaf
289
IV = d9dae2ea8d2ffc31
290
PT = 2110378d856ded07eb2be8e8f43308e0c75bc8a3fcc7b1773b0725b7de49f6a166c4528e64120bdf7c9776615d3ce6feeb03de964a7b919206a77392f80437faceb6745845cafc166e1c13b68e70ca2a1d00c71737b8fcbbbd50902565c32159e05fcd23
291
AAD = 1cd73b72c4e103afbefd7c777e0480f3f5e68c60b85bd2e71ef5caebb175d7fc6535d39f38f92c24f2eb0fe97d878ed3d5967c0bb4394a5d41f7d34cda6e1523d3848f049cde554a7d31e1afeab5d3e6150f85858335cbd28c8a7f87d528058df50eea06
292
CT = 5f009fbce4ec8e4ca9d8d42258b1a3e4e920b2fbad33d5e9f07557d9595e841025193b521ba440110dd83958e8ee30219d952b418e98a6c624894aa248aedc0678f2d263e7bfaf54ca379fef6c5d2f7ac422ea4b4369408b82d6225a7a2cf9a9f46fd4ef
293
Tag = aa0a5fa7d3cf717a4704a59973b1cd15
294
295
[Keylen = 256]
296
[IVlen = 64]
297
[PTlen = 840]
298
[AADlen = 840]
299
[Taglen = 128]
300
301
Count = 0
302
Key = ba1d0b3329ecc009f1da0fab4c854b00ad944870fdca561838e38bad364da507
303
IV = 8a81c92b37221f2f
304
PT = 6289944ffa3ccea4bf25cd601b271f64e6deb0eba77d65efb4d69ca93e01996e4727168b6f74f3ccf17bd44715f23ceb8fc030c0e035e77f53263db025021fd2d04b87a1b54b12229c5e860481452a80a125cb0693a2ba1b47e28ee7cbaf9e683c178232c7f6d34f97
305
AAD = e57883961b8d041d9b9eeaddcfd61fa9f59213f66571fadffffdd1498b9b014f1ef2e7e56c3044d7f9fa7a1403a1169e86430a2a782137093f5456e142aad03a5f7a66d38009dd01b7fc02c9cf61642dedaf7cc8d46066c281ee17780674c3a36eae66c58d2d765075
306
CT = 9c44d9135db0dbf81c862c1f69bec55a279794cdd29a58e61909aa29ec4c120c9c5a508d856b9e56138095714a4bb58402a1ad06774cf4ecdf2273839c0007cb88b5444b25c76f6d2424281101d043fc6369ebb3b2ff63cdb0f11a6ea1b8a7dafc80cdaef2813fa661
307
Tag = 65c746f659bcbdcd054e768c57c848c9
308
309
[Keylen = 256]
310
[IVlen = 64]
311
[PTlen = 880]
312
[AADlen = 880]
313
[Taglen = 128]
314
315
Count = 0
316
Key = 0cf8c73a6cffc1b8b2f5d320da1d859d314374e4a9468db7fd42c8d270b7613a
317
IV = 3c4c6f0281841aff
318
PT = 4434728d234603c916e2faa06b25d83bad3348990ecde2344368d1a7af1309bd04251bb2e0b72044948f8dea33cce2618283b6af742073a9586b26c1089335fe735141e099785a1235810a3a67ff309e2f0ce68220ba0077ad1a5dc1a4aef898a3b9ff8f5ad7fe60149bd0bd6d83
319
AAD = a38d09a4f1c9241623c639b7688d8d35345ea5824080c9d74e4352919db63c74d318f19e1cbb9b14eebd7c74b0ad0119247651911f3551583e749ea50ff648858dcaaa789b7419d9e93a5bf6c8167188dbac2f36804380db325201982b8b06597efeb7684546b272642941591e92
320
CT = bdfbfea261b1f4c134445321db9e6e40476e2dd2f4e4dbe86e31d6a116d25830762e065b07b11a3799aab93a94b4f98c31c0faeb77ec52c02048e9579257e67f5a6bae9bc65210c25b37fc16ee93bda88fd5f30a533e470b6188c6ce5739fa3e90f77120b490fc1027964f277f40
321
Tag = 4993ee9582f58eabdb26b98c4d56a244
322
323
[Keylen = 256]
324
[IVlen = 64]
325
[PTlen = 920]
326
[AADlen = 920]
327
[Taglen = 128]
328
329
Count = 0
330
Key = 69f4e5788d486a75adf9207df1bd262dd2fe3dd3a0236420390d16e2a3040466
331
IV = 6255bf5c71bb27d1
332
PT = c15048ca2941ef9600e767a5045aa98ac615225b805a9fbda3ac6301cd5a66aef611400fa3bc04838ead9924d382bef8251a47f1e487d2f3ca4bccd3476a6ca7f13e94fd639a259ef23cc2f8b8d248a471d30ac9219631c3e6985100dc45e0b59b8fc62046309165ddb6f092da3a4f067c8a44
333
AAD = 0c83039504c8464b49d63b7f944802f0d39c85e9f3745e250f10119fa2c960490f75ae4dced8503b156d072a69f20400e9494ab2fa58446c255d82ff0be4b7e43046580bc1cf34060c6f076c72ea455c3687381a3b908e152b10c95c7b94155b0b4b303b7764a8a27d1db0a885f1040d5dbcc3
334
CT = f0bb2b73d94f2a7cef70fe77e054f206998eacf2b86c05c4fa3f40f2b8cebf034fe17bcbee4dea821f51c18c0aa85b160f8508bd1dc455cc7f49668b1fb25557cdae147bf2399e07fcacaca18eccded741e026ef25365a6b0f44a6b3dd975ee6bb580f5fccd040b73c18b0fbf8f63199ba10fe
335
Tag = 4236a8750f0cafee3c4a06a577a85cb3
336
337
[Keylen = 256]
338
[IVlen = 64]
339
[PTlen = 960]
340
[AADlen = 960]
341
[Taglen = 128]
342
343
Count = 0
344
Key = ad7b9409147a896648a2a2fe2128f79022a70d96dc482730cd85c70db492b638
345
IV = a28a6dedf3f2b01a
346
PT = 791d293ff0a3b8510b4d494b30f50b38a01638bf130e58c7601904f12cb8900871e8cf3d50abd4d34fda122c76dfee5b7f82cd6e8590647535c915ae08714e427da52f80aef09f40040036034ca52718ea68313c534e7a045cd51745ec52f2e1b59463db07de7ca401c6f6453841d247f370341b2dbc1212
347
AAD = 9a6defddb9b8d5c24a26dd8096f5b8c3af7a89e1f7d886f560fabbe64f14db838d6eb9d6879f4f0b769fe1f9eebf67fcd47b6f9ceb4840b2dba7587e98dc5cae186ef2a0f8601060e8058d9dda812d91387c583da701d2ba3347f285c5d44385a2b0bf07150cbc95e7fcfa8ae07132849a023c98817c03d2
348
CT = c2f109d6d94f77a7289c8a2ab33bc6a98d976554721b0c726cbf4121069473e62ba36e7090e02414f3edc25c5d83ac80b49ad528cda1e3ad815b5a8c8ae9ad0753de725319df236983abd3f69ab4465d9b806c075b1896d40bdba72d73ba84c4a530896eb94ffccf5fb67eb59119e66a1861872218f928cf
349
Tag = e48dc0153d5b0f7edb76fc97a0224987
350
351
[Keylen = 256]
352
[IVlen = 64]
353
[PTlen = 1000]
354
[AADlen = 1000]
355
[Taglen = 128]
356
357
Count = 0
358
Key = 48470da98228c9b53f58747673504f74ca1737d7d4bb6dbf7c0cba6ca42f80b9
359
IV = 56fb4923a97e9320
360
PT = bc6626d651e2b237f22ee51608ddcffeba5f31c26df72f443f701f2b085d6f34f806e29673584cb21522179edb62a82427d946acabce065b88b2878e9eb87ed1004e55ef58f51ec46375ac542c5782725ff013136cb506fcf99496e13fcd224b8a74a971cc8ddb8b393ccc6ac910bd1906ea9f2ed8a5d066dc639c20cd
361
AAD = df8ab634d3dca14e2e091b15ecc78f91e229a1a13cba5edd6526d182525ec575aa45bc70fb6193ffcd59bad3c347159099c4f139c323c30a230753d070018786b2e59b758dd4a97d1a88e8f672092bef780b451fd66ba7431cbb5660ea7816cdf26e19a6ebb9aadc3088e6923f29f53f877a6758068f79a6f2a182b4bf
362
CT = a62e313ecf258cc9087cbb94fcc12643eb722d255c3f98c39f130e10058a375f0809662442c7b18044feb1602d89be40facae8e89ca967015f0b7f8c2e4e4a3855dbb46a066e49abf9cef67e6036400c8ff46b241fc99ba1974ba3ba6ea20dc52ec6753f6fc7697adbccd02b0bbea1df8352629b03b43cc3d632576787
363
Tag = 675287f8143b9b976e50a80f8531bd39
364
365
[Keylen = 256]
366
[IVlen = 64]
367
[PTlen = 1040]
368
[AADlen = 1040]
369
[Taglen = 128]
370
371
Count = 0
372
Key = b62fb85c1decd0faf242ce662140ad1b82975e99a3fa01666cac2385ab91da54
373
IV = 2f4a5ca096a4faf8
374
PT = 03b14f13c0065e4a4421de62ab1d842bffb80f3da30bf47d115c09857f5bdd5756fd7c9ac3d9af1c9fb94f2640f7f4386cfba74db468e5288dbe4dd78bfe4f69e41480ca6138e8beacc6eaa3374157c713cfa900c07dd836eaecc8827fa3e70e052ae09e8473e2ae1a10b1bb669ef60a8dd957f6553daa8114918e17371f2ac327bd
375
AAD = cfe3b7ab7550b0e8e2e8235fa0dcef95647ce6814abd3dc3f5a3bd7d6d282504660c34ad8341e4d11402c7d46c83a494d7ddb105e1002979023e0e3dc2978c9ae53e10eb8567e7a02b60e51e945c7040d832ca900d132b4205a35034fed939a1b7965183c25654931a9b744401c4649c945710b0d9733b87451348b32ba81de30ea7
376
CT = 8965db3d3ae4fb483208f147276e7d81b71a86e7202ffc9b1eaade009bc016838dc09ca4bcf30887b2f4243fbd652cd90ebed1ceef8151ff17ea70518d03b0f2a24960aa7de9b30fa65c2e2d57360061aae6d9376e984e9fcd5e5dd0911a4bc8deca832ffb76f252bd7da523076593ba6b174f7d9fb0377e066ecbb6638036241e86
377
Tag = 3d0fc53e9058c2be32aa0850e0fab5a6
378
379
[Keylen = 256]
380
[IVlen = 64]
381
[PTlen = 1080]
382
[AADlen = 1080]
383
[Taglen = 128]
384
385
Count = 0
386
Key = de9c657258774d4ebc09d109a0fc79d66493ae578797cac4eb8830a6a4b547e0
387
IV = b5e35fe3398efa34
388
PT = 4d68fb683aa4f4c7a16ba1114fc0b1b8d8898610fa2763e435ded8771b3651078bef73d4dfd14e76a34cd5eb9ef4db4ead4da9e83f4ce50fe059977b2d17d687c29335a04d87389d211f8215449749969f7652dc1935a0f9a94538dc81dc9a39af63446a6517609076987920547d0098a9c6766cf5e704883ea32feaea1889b1554b5eb0ce5ecc
389
AAD = 436ea5a5fee8293b93e4e8488116c94d3269c19f1d5050def23d280515457b931bbed64a542b317cc5023d648330a4b7adca14dd6f3783207b94f86ccaa0a0ac39b7db00ac87a99e3cd8a764ed9c75da8454479636ab2b29e770b166a5b75cacc425c919bf1ce9ac34afe6b4425c3d9fd2e48bc81e7d15516d60e592bfcc2ebefb660f0995f2b5
390
CT = 97a97b8f0f5420845ae8d57567f9bba693d30e6db916fad0b971f553ad7d993f806f27ab8b458d8046062ced4778c004b4f958a4436141637c6039963308dea2f54008b7feab79650295ed41bf9e65e1a2d75ab1c7b2a70ebb9e9f38d07a9a672d3e95ea78afe9ac02f2566b48b0251aef6eeeca8bd15bd8d43b559426aa9d15d960ee35cb3edf
391
Tag = e55dbb21851e8a5b365f86d02518331c
392
393
[Keylen = 256]
394
[IVlen = 64]
395
[PTlen = 1120]
396
[AADlen = 1120]
397
[Taglen = 128]
398
399
Count = 0
400
Key = 6885bd333c336c7672db8ebdf24c1a1b605c5a4ae279f0f698162f47e6c73401
401
IV = f0c4a213a6168aab
402
PT = fa905a2bfa5b5bad767239fb070a7bc0b303d1503ecd2b429418cc8feba843e5444ed89022fdb379c3b155a0f9ceab2979000a0f60292a631771f2fde4ef065aa746426609082969530a9c70ad145308c30ba389ea122fd766081511a031ce3a0bd9f9f583c7000b333b79ac004fbde6ec3eb2d905977ff95dcff77858e3c424fe8932a6a12139e6ec8d5e98
403
AAD = 8ded368f919efb522bb6a9ad009e02ffbc6a16536e34d95cdb34f1153d7cb7b0f3c2b13dd05cedae27cfe68ec3aca8047e0930a29c9d0770c1b83c234dcb0385deae7ae85da73a5f8de3dfb28612a001f4e552c4f67ae0e2ec53853289b7017a58591fd6f70b0e954876bb2f7ec33001e298856a64bb16181017ba924648c09fc63c62eff262c80d614679bd
404
CT = 0cb3d6c31e0f4029eca5524f951244df042fc637c4162511fea512a52d3f7581af097eb642e79e48666cb1086edbd38c4777c535a20945fabc23e7c9277e2b960aac46865f1026eb6da82759108b9baece5da930ccfc1052b1656b0eadaa120ed0c45ad04b24ae8cdb22ceab76c5f180b46a392ab45b1b99c612546e6b947f4d5c06ad5abee92ff96345ad43
405
Tag = d3b541ac446c84626daf800c0172eec6
406
407
[Keylen = 256]
408
[IVlen = 64]
409
[PTlen = 1160]
410
[AADlen = 1160]
411
[Taglen = 128]
412
413
Count = 0
414
Key = fbc978abb1240a6937ccc16735b8d6ed5411cdbc1897214165a174e16f4e699b
415
IV = 7968379a8ce88117
416
PT = 1a8196cd4a1389ec916ef8b7da5078a2afa8e9f1081223fa72f6524ac0a1a8019e44a09563a953615587429295052cc904b89f778ef446ed341430d7d8f747cf2db4308478524639f44457253ae5a4451c7efca8ae0b6c5c051aaa781e9c505489b381a6dcba87b157edc7f820a8fbaf2a52e484dc121f33d9d8b9ac59d4901d6ed8996ed4f62d9d4d82274c449cd74efa
417
AAD = 3913cd01299b8a4e507f067d887d7e9a6ded16dd9f9bb3115c5779aa14239fd33ee9f25756d45262dc3011069356425b5c81a4729594e17c9747119f81463e85625d5603d05e00f568b0c800bb181eb717be8d7a93166a504ce1bc817e15530c5bd2b3df1d4222245ea78a38bc10f66c5cf68d661503131f11af885c8a910b6dce70bc3a7448dfae00595beb707fe054d3
418
CT = d152bcb4c24c3711b0fad28548dc4db605bbc89237cdbea7dbf956b8855d1161a0781f27bd56d798141e2ace339955efb98fe05d9b44cd011e645106bf47726183958cb6df34ce5766695f60bc70b6fe0fabb9afa009a8ef043dbf75f861881368fa07726625448fe608d578cdc48277f2dc53eaaf1bdc075269a42f9302a57cad387a82c6969608acacda20e1cac4596c
419
Tag = 945dca73cf2f007ae243991c4fbe0479
420
421
[Keylen = 256]
422
[IVlen = 64]
423
[PTlen = 1200]
424
[AADlen = 1200]
425
[Taglen = 128]
426
427
Count = 0
428
Key = 77d1a857fbadfe01aba7974eea2dfb3dc7bf41de73686aece403993e5016c714
429
IV = fdd913a321c40eb0
430
PT = db8915bfe651e2ecb3ce0b27d99a6bfa7a7c507cfcb2987293018636c365a459c6a138b4428be538413db15bda69e697cbb92b154b7f4d2cbb07965225aa6865d7dcd1ba2c17c484b00b1986fed63e889f25a4966dc3ed4273f1577768f665362d7d3e824484f0dded7f82b8be8797ad951719719365e45abbf76324bc7d657799d4d4f4bb1dba67d96ab1c88519a5bee704f7214814
431
AAD = 3cb2c06c20cb0832bbacebfc205d77393ca1816346ea2681de4d3ab1fadb774ad273e4713290454496f5281ebc65e04cfe84ed37cd0aedc4bbe3decbd8d79d04a4e434876650e0d64309e336bfb10e924066a64acb92260b2dbd96735d03af03909aa6a80a6e89fda81037257aec21fe9be7e91a64e88e0a58fa38ecba4c4c4cffb61958f3c486cbb0b1d0b0014a2d1d3df248eec1ca
432
CT = acb825e6023b44b03b2efc265603e887954e8612b2ee134bdcb61501cfb9492952bf67be597c3a005b09af74d9e421a576d2c65e98104780feab838d8cb1bd135452ea39dc8907a4c1a6a9161805e4fa3e16989e6a418a7eea2582bf895da967028eab7c95d846a6de4b9980785814cf00484baa2f6de609912fff689bce6e854261ffe866bd8e63274605c7c5ad677bd7897ade543e
433
Tag = 938478a41a3223a2199f9276d116210f
434
435
[Keylen = 256]
436
[IVlen = 64]
437
[PTlen = 1240]
438
[AADlen = 1240]
439
[Taglen = 128]
440
441
Count = 0
442
Key = b7e9b90dc02b5cd6df5df7283ef293ed4dc07513d9e67331b606f4d42dec7d29
443
IV = a6c191f6d1818f8e
444
PT = 2ada0e3c7ca6db1f780ce8c79472af4e8e951ddc828e0d6e8a67df520638ff5f14a2f95a5e5931749ae2c4e9946ae4d5eb5de42fb5b77d2236e2e2bd817df51be40b1b8a6c21015a7c79fe06dba4a08b34013dfa02747b5f03930268404c455dc54a74d9c6e35485e10026da573cb41cd50b64cfafe4cfcdf3c9684ef877e45d84e22bd5e15fa6c8fd5be921366ff0dc6fe2df45f7252972c9b303
445
AAD = 0f4269ed5ef0bfff7be39946a4e86e8bf79f84b70cd0b14fecb7be3c071316ce86de3d99d6871e0ba5667d9d7bba7dcaba10cb2a36668b6c3e2fb6c102938b75008bb9c213ebf9b85b5e91a802df0d31d7f11d764b2289f6225212694ab6b7c0e3ff36e84245d9f4f43fc5f98e654dea7ba9bd918658879c5bb4a1642af0d83113e3cf935d3c0d5208318f66f654eb17d8c28a602543e77ad3e815
446
CT = 22586fe7338e99cdaad9f85bd724ba4cfe6249b8a71399f9a3707b5c4323b8d96679568dfc8d230aefb453df596e13eb3e8a439249bd64bc93a58f95089a62b94f6562b821c83d91f56c55147381e9de4beb4ae81bd6fe7caef7e7e9a2078f2fba8f3e70d4910da9accc92b8e81a61b0fefbece4bd89443e66e8ddda8e47a66a62f17fd0e7d0a4852ce1a4d43d72a0b5e8914bbec698f060f2b092
447
Tag = c082470297da8c5f682a169d28bc0239
448
449
[Keylen = 256]
450
[IVlen = 64]
451
[PTlen = 1280]
452
[AADlen = 1280]
453
[Taglen = 128]
454
455
Count = 0
456
Key = 6b2cb2678d1102f2fbbd028794a79f14585c223d405e1ae904c0361e9b241e99
457
IV = 7b3ae31f8f938251
458
PT = b3cb745930e05f3ab8c926c0a343a6eb14809fd21b8390a6fcc58adb5579e5432021765b2d249a0ecf6ba678634c4f53f71495865f031ee97aa159f9ead3a3fcb823ee5238bdf12706a9c6137d236e2e7110ce650c321e41daf0afd62bab2a8fe55d7018de49a14efe6d83a15b2f256d595e998d25309f23633360f5745c50c4e5af8ccc9a8a2cb47064105a023e919c7795d2dc331d3f2afb8c42e5c0bcc26d
459
AAD = 1c32fd3df22b3e440e2a3c7a7624990194cb16a5f74af36f87fd6ca7d410ce9064316a2d091945deef7d9b35ceec8396069307caced2b80afd7d53ec479c35cedf2dfd4c95c3dd8400f71ad34028c6e4f8681d93d0774064ba38f3fb9b0c1dfa1f5f0c7d20676a5911d999fb6a1d41367a8e99d852bf3d3b7b3f4c233249ed1ca135389a674ff48232ded3f6800a97b6d409c40e6cd70d09bf9d2ad25d9b9485
460
CT = ef70c7de98ab1d4ad817024a970be463443640eb0cd7ff234bdd00e653074a77a1d5749e698bd526dc709f82df06f4c0e64046b3dc5f3c7044aef53aebb807d32239d0652dd990362c44ec25bf5aeae641e27bf716e0c4a1c9fbd37bbf602bb0d0c35b0638be20dd5d5891d446137e842f92c0ee075c68225e4dbacb63cc6fb32442b4bcda5e62cb500a4df2741a4059034d2ccb71b0b8b0112bf1c4ca6eec74
461
Tag = 393ae233848034248c191ac0e36b6123
462
463
[Keylen = 256]
464
[IVlen = 64]
465
[PTlen = 1320]
466
[AADlen = 1320]
467
[Taglen = 128]
468
469
Count = 0
470
Key = 4dbc80a402c9fceaa755e1105dc49ef6489016776883e06fcf3aed93bf7f6af7
471
IV = 2358ae0ce3fb8e9f
472
PT = 197c06403eb896d2fa6465e4d64426d24cc7476aa1ae4127cd2bd8a48ce2c99c16b1cbf3064856e84073b6cf12e7406698ef3dd1240c026cbd1ab04ee603e1e6e735c9b7551fd0d355202b4f64b482dd4a7c7d82c4fe2eb494d0d5e17788982d704c1356c41a94655530deda23118cba281d0f717e149fbeb2c59b22d0c0574c1a2e640afad1a6ceb92e1bf1dde71752a1c991e9a5517fe98688a16b073dbf6884cfde61ac
473
AAD = cf6ce7b899fb700a90d2a5466d54d31358ecf0562e02b330a27ba0138006b342b7ed6349d73c4c5c6d29bde75a25089b11dac5b27adea7e7640ca1a7ceb050e3aae84a47e11640a6e485bd54ae9fdb547edc7313d24a0328429fcffd8b18f39880edd616447344ebeec9eadb2dcb1fa7e67179e7f913c194ebd8f5a58aea73b0c5d1133561245b6d9c5cfd8bb0c25b38ffb37db5e2de5cdded6b57355e9d215cb095b8731f
474
CT = aa87f9a83048b6919c8f2b050315db4e2adae4a9c2ca0109b81961b520e63299dcb028cec0b9d3249a945ee67dd029b40f361245c740f004f8cf0d2214fcfa65e6124a3e74b78aa94345c46fdc158d34823ed249ee550431eaae9218367321cdd6e6a477650469bb3cc137a8f48d9cf27934b16703608b383d2145659922fb83bb2e7ee2ef938a90f2ff846a4a949129b1fb74dde55c5ae013c2f285de84f7dac7d1662f23
475
Tag = 06b4318ac7f65d556f781428a0514ffe
476
477
[Keylen = 256]
478
[IVlen = 64]
479
[PTlen = 1360]
480
[AADlen = 1360]
481
[Taglen = 128]
482
483
Count = 0
484
Key = 9e4a62016dae4b3223fed1d01d0787e31d30694f79e8142224fe4c4735248a83
485
IV = 263a2fc06a2872e7
486
PT = 5a46946601f93a0cee5993c69575e599cc24f51aafa2d7c28d816a5b9b4decda2e59c111075fb60a903d701ad2680bb14aeda14af2ae9c07a759d8388b30446f28b85f0a05cd150050bd2e715ff550ebbd24da3ebb1eac15aba23d448659de34be962ab3ab31cb1758db76c468b5bb8ce44b06c4e4db9bd2f0615b1e727f053f6b4ffb6358d248f022bcad6ca973044bed23d3920906a89a9a9c5d8024ec67d7f061f64529a955ce16b3
487
AAD = 4cd65f68f9f88c0516231f2a425c8f8a287de47d409d5ecde3ad151e906b3839fb01bb91a456f20ea9d394d4b06604ab1f9009ef29019af7968d965d1643161ab33a5354cda2fdc9f1d21ec9cb71c325c65964a14f9b26eb16560beb9792075a1597394000fd5f331bd8b7d20d88e5f89cf8d0b33e4e78e4904bb59c9c8d5d31ac86b893e4a0667af1be85fdb77f7ec3e2594a68048d20c2fb9422f5879078772ee26a1c560cbcbb2113
488
CT = e944bb2ab06d138ad633c16ce82706ecf0ef5d119be1f3460c9ce101d9c4e04ef1677707fca40d1f8ca181e07273707b06624d6d7063c3b7b0bb0151b757b3e5237fb8004c161233d8bc7e5f28ea1c18da1874b3d54c5ad6ff0835eed35c8853704585cf83996e5e7cec68180af414e04f08134d3b0384ebdf0393c9310b55d8698fe10cb362defc0995e9a13b48b42cff61ffd9fe4c3c8c6dab355713b88f6e98a02e7231a0c6644ec4
489
Tag = 27de0d4ca7648f6396d5419a7b1243b7
490
491
[Keylen = 256]
492
[IVlen = 64]
493
[PTlen = 1400]
494
[AADlen = 1400]
495
[Taglen = 128]
496
497
Count = 0
498
Key = 18ca3ea3e8baeed1b341189297d33cef7f4e0a2fab40ec3b6bb67385d0969cfe
499
IV = b6aef34c75818e7c
500
PT = ef6d1bb4094782f602fcf41561cba4970679661c63befe35ff2ca7ad1a280bf6b1e7f153fa848edfeffe25153f540b71253e8baba9aeb719a02752cda60ea5938aab339eead5aabf81b19b0fc5c1ed556be6ad8970ea43c303d3046205b12c419dea71c4245cfedd0a31b0f4150b5a9fe80052790188529ab32f5e61d8ccde5973ed30bdf290cbfbd5f073c0c6a020eac0332fced17a9a08cef6f9217bd6bef68c1505d6eed40953e15508d87f08fc
501
AAD = f40f03beaa023db6311bad9b4d5d0d66a58d978e0bcbbf78acebde1f4eb9a284095628955a0b15afc454152f962ec3ea2b9a3b089b99658e68ede4dee5acd56672025eb7323bcbc6ba5d91c94310f18c918e3914bbbf869e1b8721476f9def31b9d32c471a54132481aa89f6c735ab193369496d8dbeb49b130d85fbff3f9cb7dccea4c1da7a2846eef5e6929d9009a9149e39c6c8ec150c9ab49a09c18c4749a0a9fcba77057cdea6efd4d142256c
502
CT = c531633c0c98230dcf059c1081d1d69c96bab71c3143ae60f9fc2b9cd18762314496ab6e90bf6796252cb9f667a1f08da47fc2b0eecda813228cae00d4c0d71f5e01b6ce762fa636efffe55d0e89fdc89ba42521cc019ab9d408fcd79c14914e8bbf0ea44d8a1d35743ad628327e432fdcfeb0b6679ddca8c92b998473732abd55dba54eefff83c78488eee5f92b145a74b6866531476fc46279d4fde24d049c1ce2b42358ff3ab2ba3a8866e547af
503
Tag = a0a5242759a6d9b1aa5baf9a4ef895a2
504
505
[Keylen = 256]
506
[IVlen = 64]
507
[PTlen = 1440]
508
[AADlen = 1440]
509
[Taglen = 128]
510
511
Count = 0
512
Key = 95fdd2d3d4296069055b6b79e5d1387628254a7be647baafdf99dd8af354d817
513
IV = cd7ed9e70f608613
514
PT = 0248284acffa4b2c46636bdf8cc70028dd151a6d8e7a5a5bc2d39acc1020e736885031b252bfe9f96490921f41d1e174bf1ac03707bc2ae5088a1208a7c664583835e8bb93c787b96dea9fc4b884930c57799e7b7a6649c61340376d042b9f5faee8956c70a63cf1cff4fc2c7cb8535c10214e73cec6b79669d824f23ff8c8a2ca1c05974dd6189cfee484d0906df487b6bd85671ce2b23825052e44b84803e2839a96391abc25945cb867b527cdd9b373fbfb83
515
AAD = 24a45a3a0076a5bcfd5afe1c54f7b77496117d29f4c0909f1e6940b81dde3abacb71ec71f0f4db8a7e540bd4c2c60faee21dd3ce72963855be1b0ce54fb20ad82dbc45be20cd6c171e2bebb79e65e7d01567ad0eeb869883e4e814c93688607a12b3b732c1703b09566c308d29ce676a5c762a85700639b70d82aaef408cf98821a372c6a0614a73ba9918a7951ea8b2bb77cd9896d26988086d8586d72edc92af2042ff5e5f1429a22f61065e03cfcd7edc2a93
516
CT = 40c6318d9e383e107cdd3e1c8951562193c3ef64ee442432a63e2edefc78f32ab07772aeac172cb67ecf4d21f8b448423527bbeb9d8ddd0b46bdb27f74096ceb24e41963b4cdca176676a75bdbe3abc270b349ac0c6cbd9c3a5cd5bce20202fc5cc0c1bdd4fd25e121e0a24bd7bbeb9b19b1912467bf5338ee2ce88aa383c082b42cc399c9654ca325f35523e81438beb3f8926be79c378822d7c8f785614408a5f7cac49e4543188725643e6c1a70b46d0ec400
517
Tag = 5801e84192c7267f66b0e04607a39a3e
518
519
[Keylen = 256]
520
[IVlen = 64]
521
[PTlen = 1480]
522
[AADlen = 1480]
523
[Taglen = 128]
524
525
Count = 0
526
Key = 6ae1102f84ed4dc114bb9d63f4dc78d7dbb1ab63f1659dd95f47940a7b7a811f
527
IV = c965d578ba91d227
528
PT = b82a8a9209618f1f5be9c2c32aba3dc45b4947007b14c851cd694456b303ad59a465662803006705673d6c3e29f1d3510dfc0405463c03414e0e07e359f1f1816c68b2434a19d3eee0464873e23c43f3ab60a3f606a0e5be81e3ab4aa27fb7707a57b949f00d6cd3a11ae4827d4889dd455a0b6d39e99012fd40db23fb50e79e11f8a6451669beb2fbd913effd49ad1b43926311f6e13a6e7a09cf4bebb1c0bf63ce59cd5a08e4b8d8dbf9d002e8a3d9e80c7995bb0b485280
529
AAD = dfd4ac3e80b2904623ff79ea8ee87862268939decf5306c07a175b6b9da0eb13ac209b4d164755929e03240a0fe26599f136fb2afdffd12bb20354aa1d20e5799839abb68ae46d50c8974e13e361d87ef550fe6d82e8b5b172cf5cd08482efdef793ede3530d24667faf3a1e96348867c2942641f4c036981b83f50236b8e8a10b83ebf6909aad0076302f1083f72de4cf4a1a3183fe6ec6bfe2e73e2af8e1e8c9d85079083fd179ccc2ee9ff002f213dbd7333053a46c5e43
530
CT = a9aeb8f0a2b3ca141ac71a808dcc0c9798ac117c5d2bd09b3cfe622693a9f8ca62e841b58bddb2042f888e3099b53638b88dfc930b7a6ee4272d77e4b1d7e442bab6afbde96ab0b432f0092d9ca50eef42f63c60c09e7b8de019b32ebe4030c37b8183cc1e3b913b0ce4ee4d744398fa03f9af1c070bed8cdafd65b3a84140cb4deadc70184de757332ce3780af84353f540755227e886a8d7ad980f3dd6fd68263d82e93f883381dec888bc9f4f48349aa2b4c342cb9f48c6
531
Tag = f26b3af8a45c416291ce66330733b2f8
532
533
[Keylen = 256]
534
[IVlen = 64]
535
[PTlen = 1520]
536
[AADlen = 1520]
537
[Taglen = 128]
538
539
Count = 0
540
Key = 405bb7b94715b875df068655f00513cb1ae23ffaac977ce273e57d3f83b43663
541
IV = 5c6da1259451119a
542
PT = f9f143c0c52c94b4ba7b0608b144156a49e7b5d27c97315743d171911e3645ab7957c80924e3c6b9c22ab7a1cac4b7e9c0de84e49fd5e4a2d1ab51d764fc5670318688ec942f7ab34c331dce8f90fea6972e07f0dadec29d8eb3b7b6521ddd678a6527a962f4d8af78c077e27f7a0b2ef7eabd19e92b7f8c1e8fb166d4763ce9c40c888cf49aa9cdfc3e997c8fe1cce3fe802441bbd698de269ff316f31c196e62d12c6bb5cd93fb3c79ca6369f8c1ac9102daf818975ea7f513bb38576a
543
AAD = 6fe6446505677bf08b385e2f6d83ef70e1547712208d9cebc010cba8c16ea4ece058d73c72273eed650afdc9f954f35aa1bdf90f1118b1173368acbc8d38d93ebf85bd30d6dc6d1b90913790c3efa55f34d31531f70c958759b2ba6f956c6fcdd289b58cb4c26e9515bf550f0fd71ab8527f062c9505cbb16e8e037d34de1756bef02a133dbf4a9c00ac03befc3fb7f137af04e12595ce9560f98b612480fcdba3b8be01db56ebec40f9deae532c3b0370b5c23a2a6b02a4de69efa8900c
544
CT = 1a4b073881922c6366680cc9c2a127b26f264148651b29abb0c388cf6c9b1865dba5a991e1f8309efbdb91bce44b278772c58fd41273526c33fec84beb53d1689b9da8483f71be6db73a73417069bb4cd3f195236e8d0a00d124eed3a6b6f89415b19a27fbe35774f6a1a6ee4bd4350b252b975f0db2d2eea82f4836350850d6290901e726e8af13644e2d98bc1d569c20800521e6affe976bd407049a2e6d9dd23f88d52e651391ecd2fc45b864310824aaadfa203762a77c1d64562dae
545
Tag = 0060026d3efc120f11c0739959ae0066
546
547
[Keylen = 256]
548
[IVlen = 64]
549
[PTlen = 1560]
550
[AADlen = 1560]
551
[Taglen = 128]
552
553
Count = 0
554
Key = 8c602bd94c630cd00c7a9c508067a5a9f133d12f06d9f6fe2a7b68dce4786d8a
555
IV = 760de0f7b7cb67e2
556
PT = c3ff559cf1d6ba6c0cc793ca09a0ba573a28359386a6ec93e1bacd8e630209e0b477a20aedec3c9cbf513ee6a1e3887112218d6155b9875f7e6c4bbba2c31972e905d19f529f4f0f9502996199f94f8728ba8d6424bb15f87fcacd88bb42c63fcc513759712bd0172b1e87c9da122f1993ffb7efd3a5c34b240dd3db89dddea36dbeb2836d9f8648f8e7cd428c0f948097af753b35f9876059e7702027bb00dc69071206e785f48fcbf81b39cc0343974ac70784a2e60c0df93b40379bea4ad8cac625
557
AAD = 9e14907c3a8e96c2636db1f3d78eb1f673d6ef043cbbb349467f1fe29bf60f23d5d5d1c3b133a8ad72065d822347541c13d1574baf737eb3cc3382fb479e6d5193b9c8e7d2444c66971ef099dc7f37f6cd97b9f7959d46e2cf25e8a5b3111b4d9e2ef906d905f0ee2d17587f7082d7c8e9a51509bde03d3d64338e1838d71700f1b4fcb100b5e0402969da462f26f974b4f9e766121f8fd54be99fc10beb9a606e13fbb1f960062815d19e67f80093360324013095719273c65542b0e31b1a2a3d928f
558
CT = 2794e6e133f6892f23837fff60cf7c28ee9942f8982ef8089db117903d0143293fdf12ea1cc014bcd8806fb83c19570eed7af522db0de489bbc87133a13434518bcfb9cda4d9f6d832a69209657a447abf8afd816ae15f313c7ea95ec4bc694efc2386cdd8d915dc475e8fadf3421fbb0319a3c0b3b6dfa80ca3bb22c7aab07fe14a3fea5f0aee17ab1302338eeac010a04e505e20096a95f3347dc2b4510f62d6a4c1fae6b36939503a6ac22780a62d72f2fc3849d4ef21267fffdef23196d88fbb9b
559
Tag = 457cce6e075ffdb180765ab2e105c707
560
561
[Keylen = 256]
562
[IVlen = 64]
563
[PTlen = 1600]
564
[AADlen = 1600]
565
[Taglen = 128]
566
567
Count = 0
568
Key = bd68ff5eb296c71cfe6bc903c14907f7726bcb1331f0c75f7801cd1b7948f3a1
569
IV = 65a748004b352ba6
570
PT = 52bf78c00f6e5dca2fc60e2e9a52e827df97808e9cf727773860cafc89f4b64178a19b30b46ed813fe00c8f09b25a6a1b6e350d5b005122934a59bfbd5e6e0c635c84a5226c3f2f7dcf951560f18ac220453d583015fdb2e446c69c6e6fdecf2e595e04fab1b0c506e3c6bd5e4414a35f15021e97f447aa334f54a8f1ef942dec6273511b5668b696fca97188ff15ed84b2f46145cce031c1a7f00bd88bb83d90797edc46161b3fda7a2299173496d73b812139556e8b4eb318078b9eb2ae5046e83b79dd3d45950
571
AAD = 5557b08a5010cbc9f46bb140c2505f68684eb24889324bff44b27234fd7a95a99cfb4ff90a8f9982085b725f78ac42eca6ce7f3314e457dc41f404008681a9d29ba765660de2e05bb679d65b81f5e797d8417b94eb9aabbd0576b5c57f86eae25f6050a7918e4c8021a85b47f7a83b4c8446898441c5cc4e0229776ef3e809cb085d71f3c75ec03378730cb066150f07e60f96aec983c0e7e72bf6bf87ae42228dfda195f97855fcdf4e6d1c4479d978abcfa276d16ed60ecbfbfc664041335ce65a40a2ca3424df
572
CT = a5c8cf42287d4760fca755e2111817b981c47e85b0047de270ec301ca5f7b3679f4749210892b6ea6568f3a6a4344734a0efc0120ffedecf212d55cbcbb67815ac964875af45f735b70092a8f8435f52fc01b981ae971d486026fb69a9c3927acfe1f2eab0340ae95f8dbee41b2548e400805ece191db5fd1f0804053f1dbfaf7f8d6fded3874cb92d99a2729d3faaa60522060cf0b8101b463b3eb35b380fcddb6406c027d73fe701a5090c8dd531c203ce979e26b9ced3431e2b726a7244a20d9377bd62951bf5
573
Tag = 4579fa1fdb4c674cc3cd232b8da52a97
574
575
[Keylen = 256]
576
[IVlen = 64]
577
[PTlen = 1640]
578
[AADlen = 1640]
579
[Taglen = 128]
580
581
Count = 0
582
Key = 934fd043c32d16a88fad01c3506469b077cb79d258b5664fa55ad8521afdcaa2
583
IV = c7091f6afbbeb360
584
PT = 2bdd1fc4f011ef97ea52ec643819941c7e0fb39023c2f3c7683804a0ddee14a5d1784a5246966d533b3538edc7d8742d27061c3cab88df0318ab242102de3a54d03632eeb871b72c7e8f8065b49f4a91e95e15f3f46b29fd76b8fcea0d23570c5530e3bbb8a6aafa9ae32c1b3eac653c5ed5fdb2da5a986075808f6385870c85b1913e26042a9d8e78f5bc2ea6de5a64f8aeafa22adcffc7f6932d543c29bb3a04614783f948680e433a71573568d2ce984d249fb4fc06a9f358c76aa3e64a357f4eae924c1356bd5baccf7e0f
585
AAD = f737dd85638eb324dd3891219c5eef7c2dd053cfd055d447a411eba304a4b27dce981d112c4540590933c153d603022c91ebd2b4a58069d27e6ca17a462ef822ca41bffa80b43a68b1b564644cb3c5a7f0fddf7a13a30ff24437fddd8ef93c6f6f205d054f81890d982bd4d4ece0b1563677e843fe48c1f54e9a57ed4da66061482712e710a401073be5080d5b8b96525bffa67de5af31d50385fbbf1a87c21bf0e0a1fdff69ec32c7b7103e0b8ee6c844245e0fc84b9f89fcce62966cea68e2871d3b82e8df424c76309fc88d
586
CT = dd13fbf22c8d18354d774bcd18f7eb814e9b528e9e424abc4e3f2463195e8018576565d16ab48845d11c9277f2865ebb4dc412fd5b27078f8325eadf971e6944c66542e34d9dda971e2aba70dbd3e94a1e638d521477a027776b52acf90520ca229ebc760b73128879475d1cbe1f70fc598b549cd92d8a9ac6833e500c138c56474db84cb3d70b7aa4f293a4c2b4d818b0ff9fd85918dc590a12a8c0e375c4d98b7fc87596547eb960676aad5559834588f00f251a9d53f95c47af4df3c4299175d5211779c148cfc988a5e9d9
587
Tag = 476616ea15190c1093fdc4a087643cae
588
589
[Keylen = 256]
590
[IVlen = 64]
591
[PTlen = 1680]
592
[AADlen = 1680]
593
[Taglen = 128]
594
595
Count = 0
596
Key = f9f6eb9ad736a8f66e7459fef5ec2890188dc26baf34a95f6f0384e79f5c6559
597
IV = 7858dfc084fe4b0f
598
PT = a644ca6e7cc076e87eb2929fd257693fce0f6fb64fd632f7f07c648ebd03696c8e262e6a810d7b7c4e5eef8c65b5323c99dbba50a70b4a9e5c2a9e7315973cd67f35d8052ce9a85a206416dd3031929f4f929b13d0a5fb10cb73c65f6c0ace019da146b51c5274a099f44e3669d26add6f2ff081e886f3cf952fe0dbbe6b0534c23e307574bd35fbd657f5fcbd5dc19fb382a1dc0a2dc8285a0350f71554e4c601497749e35567dd4a273cddc9a48ce53a5f1d297fd8baf8d1b9feb35d9151114345abada4d90db947bb9a743c175f5653d1
599
AAD = 2048d1c2ddfb5ec385b201832c7a993f229ba72ec16d6ebf723ef0c5032b9966209a9e8a63151b40412e96b82f86728ea6588c7e8e11ac71cc8eabab8c4b54de866658d9c5011def61fb3dbe4e630158a45ea41a2ed55ebd1efb1abeda7637de6fa5fd2f151c6d2f385bf6cd002ca8b4a2896e0d65944ee913e3c784669dd201b1985ef3577f7f123a5f9bcffa176c8f557c4f729133cac518642f27d9b22ca9b97faaafe5b669a10b79ace4a7d5727df146c77ce681357d69f9c2d65b4401bd73cd113387e3b3a05d897adad7a24c485e7b
600
CT = 4146faffd7313f5d9f625370d20413cc62ab65f4acfa3c7ee1125b937dd7a39f638fc46c8ed004fb525698de5d8620ec153435571817c3de257b0d0e648ebb92940c86a98262d54e764f28cbdd4f7d9bea970291f2110414f62064d7229c6332236c507b3dac742e651d85a2a22fb243c0cc7cc2d016e5bea38f33f9a9ce048944a5fe8b078d71d23168e12dfe5a0f0b829771edc7073fb96032b7be471337a37aca0cf7c0cdd543eed686cd34934717fd79a3f18492eef72f9f450b880aa7e2e1b65e3b04c22e72301338b43aa32ceec2e6
601
Tag = 10ffaf2be316676da02d7473a9df87b9
602
603
[Keylen = 256]
604
[IVlen = 64]
605
[PTlen = 1720]
606
[AADlen = 1720]
607
[Taglen = 128]
608
609
Count = 0
610
Key = 29b19636cdd32507fd98ec4ee26caab1a917646fb8f05b0dc01728a9f4a127f0
611
IV = 06699d245916686d
612
PT = 5fdf913aceab1d6dbaf7d9a29352fa8a3eb22718043a79cffa2fe8c35c820aec7c07644b8785dcf7a433b4189abb257fb12b06fae0662641011a069873c3e3c5ccc78e7358184a62c2005c44b8a92254958eb5ff460d73cd80284d6daba22c3faba046c5426fe8b7cacec64b235a8f8d3e2641e5bc378830594bcfb27c177aea745951ee5780a63705727ef42c4ad3abf556d88e3830f3db6b09e93edd09485cbf907f79de61f8dc5cb5fb7665ffa0ef53cb48702f6a81d8ad421cef20c1dbdf402b8fafed56a5361b2f93f914a2380fdd0557faf1f4de
613
AAD = 39116c49cc13adb065b92cb7635f73d5f6bf6b5ccbf72a3f65a5df6bd4a661105015358d9e69f42e98aed795e8161282bc113058b7ef3b9e23fcd8eeab34a392e03f4d6329c112cb968385ec52a7afc98bb8695785af6b27b700973cc952630b7247ce226b4fbb99b8a486370bf6345d4516c52c64e33f407c4f2d1ba90545c88732d98bbd97972ac5e94c694624a9b3782b0099824651cb7567914d25b3e13181a791dbcd40e76e836b3350d310a52151bf835d3c357c9871482c2928e8404c6e533406d4d6fa8f63366f2c4ed828141f1ff00f01a536
614
CT = 01e237220b619054a1f3670928fe67d40484b5af40fbd04d032500aac5acaa3b4584dd99a58c390627636a50de5d744f76a56a33205f9e3b00e16162eb47ff3333e1e208ca200f1a5338a86e17bd92dd2d16af8bb022a7dc05b923d019e05247f1a0d0b4bfcfce58dd6d83830705707676d55739abee89fcd5cb94b8fde006a5da02df64b00a467f45970b5ca440f22319b9735a55d454b9fba0588fef0c59d3d83823eba6e0601a96e10233826c5adeea6b2a51d386a07a9e047ad405b23d4c3d89f30c31e3199f0c8f927bfac43ceea1f969de0a8c0f
615
Tag = 092f9f3c5d4f2570c9946c87967f4579
616
617
[Keylen = 256]
618
[IVlen = 64]
619
[PTlen = 1760]
620
[AADlen = 1760]
621
[Taglen = 128]
622
623
Count = 0
624
Key = bae06b9b5456707551c7b0e207aae02a19b4848ad8ca4ce40705bf8c856a6e52
625
IV = 9c27065c3ef2d522
626
PT = 50cdd88137ff428a88e87b5845be4924f6387537bb5c0b654c80107ab5698db75b2e131848e7aec156d31aed0766d31c379fece4095d38264c6d5945974d25f729c3b0ba11ea853e9cebdb6f03bb670fce08adff74d0a8f02d633fb34e0fb7337a8e66e1c12084d914fb6173b8105684db822752c6751a372bb16690284d661b8b8bc6a6dfbddf45ebc2219596f9f2f878c118df69030de38b4d99dde43b9b9e20a3dab691645dd518342f49b06a0fe0a397adf261e99f07af5b0b3798b1022ba0939c42a54d3b93641cffa3c2e174bce9ab7ad7e7c7924308d1a77a
627
AAD = 5d5590db1bd316eb7a0e30e4c7a6dfdbef9d3287fdb8d824389599c3c2ee262b2192eb5b9708e66e22dbc7eca83fa1a995da3ce64c86fe5aa08b826d476dc439497e2d12e2702c63c8d27aa7f09fedee816dc8bffe1351d53271a34d4292b613b7efcedb7e3cf3e6ad389eef12471e9e20e38e7ae22a323abbadfe8f2e84271bffb1819feb4f77b82843cb8757cfae293631bc6d39669107e7015c85d7343ffa6fc1bbe6f5ab4de30cd752a281e03061ea89de2a3f5e90e20da22fd6e8525c100738667f42212b2cf45fcb23bbb54b21c117484b22c6e514685314df
628
CT = 66b7f69ac49fab4e5975aeb6fa9287d8eac02ac312c4de78f77f59da16cbcf87274e66801c4b862c33ea79cdc76528862bb2956c06db8b8acfac4794ebf39e35ac03cc73a4351a4ff762f681a48d6f25cad36e2814c9b5c40b9ae92509e58429106847789454d376836936bebc7a80e6c66e7aa52936d6b361378a41f849ad4e48f9ee2d3e92217a908fa8eb35736ac8ada7d32ae05391f2d807be3512543c36138a5fe660dd4cd4cd184bb43b6ba6bc0bae634e2fa9669304cd510ed5103f630068ff76d3375738de60a381842b421477e25a490cdd6894b2704125
629
Tag = c9998a677dfb0e91924aec9de0afd585
630
631
[Keylen = 256]
632
[IVlen = 64]
633
[PTlen = 1800]
634
[AADlen = 1800]
635
[Taglen = 128]
636
637
Count = 0
638
Key = 2cb374cb048c168f2e43597f028d9e73cade1b458284ffc260d4fc6b9011c414
639
IV = 9fb909169bc9f4e9
640
PT = 39eb929482784b463546f5d84f80510f2019923d465b99d194246d68c7ae343f91971d8f7059cebb86aa5dd099289aa648248b8c5ca04e66ac5e9bf06776e3883495397618a0227f035666806e636836b47d3d2d255a49db79866cf00d9ddabda259c4f968a1e01e651c7811cebbee2ee71803ea1d9d23487eb221f2d9555756800aba5e6abbefd6fb72b3151cc99ced599cd86df2a9b1ce94f89f347eeb124d9e7f0d9cc48d3dedd819e6d3dbac57ecee199547b266116a2035c9acc4c8ca3271ac74952372897c4a5f2cb84e2d81817fec9d6774f6d8a5b2021684132db4fca3
641
AAD = 0c7bd4f3a30ee944ccf9489181e6911684dcffad4593a9b65a67dfc80718c69b35897d01281016b7731e12c15cad8482e79458e08a755622e3f3f22a23ef6c8487a36ad1771ba06c641f06f85de0db3776cc6df06ad8fe3b4d60d58508de943083f17cbb9dc0d390ac94d8429e8c6fcfe063f424fbde0f62f6a7f91a626d195dc498a6e69bd93109c4e9ba13e7330aba456d710a4b0cc279d4045660406e26d61dff70d4a33c4f1052869f9248024e7a0f85f1effb32f6f7ccb1f860f3ef04e8f7b29096e6bcf9d4b3e0ce703e9bf228fdf515c2ff9cbabd16987be0f9babd3d8a
642
CT = 91ddadb86b7ebef798ddaa59da51d71316fcf6c9678143178227d778750dc9827fc6cc21e605c505023e6db25849df7fb6fc1ca4d223aa215f8c85b724643c83bf8218815a9f9e2952384e0ca6a80a3760b39daf91a3c6154c4728c2371fd181fa3764753d0b0c23808a82cd8f0497246e3a0f17f8906a07c725d2891ce968a9d432c2b102d85c05510b28e715bb60d0403a77490e7f18be81218bc4f39287b9bb09f50227dd2f55e4fb70c4438da8ba3c8ffbced87d90155913faa9979fc57e6cbeddfaba3d3ab4163c0eebc7d94279c27d3ed56338893dba542eaefba30f8c3b
643
Tag = 728e60f8124effbac234f70da925881c
644
645
[Keylen = 256]
646
[IVlen = 64]
647
[PTlen = 1840]
648
[AADlen = 1840]
649
[Taglen = 128]
650
651
Count = 0
652
Key = f0f16b6f12b3840bbd1c4a6a0811eef237f1521b45de9986daec9f28fca6485c
653
IV = 7ac93e754e290323
654
PT = 0530556424d823f90a7f1c524c4baa706aad2807e289e9479301e3e7a71f2a5e14e6232ea785f339c669af2e6d25f1d5a261096a548d23864945c3a589b67b09b0304a784d61b42b2419139485242e0d51fcbe9e8fed996d214de8717e6a71f8987ccad65eb92e66707034a5ae38e6486e26eb4374c565aad5df949dab209f7f7bcd8eb6fc52761a26cfe5d01fd349e59f4042e6dbe6b232f9301b971dee121d8aa1e62d40f043a42f3aa859d867eb809b1ced5ae1ec62cacf94a69fafd0631a8b5dfd66d855900fb295eec90ae5fcbf77beae267a79d24081bb322d8c4e0630fed252541b36
655
AAD = 13bfcc17b810099cda31ca53a1323db9b07633ceb2088a42263a4cbd6a4d47978776005c9a20203319c3a3ae434e9a26fb541047dc9df38dc36c095267272e203d0b24d119a70a7e96041b6d82b7c4d5570e1e4a1cf2f6e44ae63fe005a1f5b900778c482f7bd89e2e02305e35b8f61b7bb2c78a13aebfce0145d1c5aa0bf1d10d23616d5a3a446de550302f56f81dc56fe4f3700f14242688d9b92d8a427979b403c8de8c493a2cde510eaf6b285e6675b173aa0314a386b635c7577d5aff0d868a0cb3f73c8d2005f8c7c9dab5a060ef80102c9d4a4af988838afe87aff04c0689e8c3c7f9
656
CT = 2c14c3931e98e84507c4c165c2ed47ad4a178f0e216cd7ac2453bbbf9f85dd06bd8ef54a9ff1fd3dd8e0cafb635d8f2de861a0db5b14d03f17aaea8c89b3010797c71c13a0e666899d7ff6e53c4f08be8ddb3e37688b5afa088079b6c7519b833e16560073e699530302028a3496e05edddec01a23a4c7983956250e8d9e616f7b940856955cde81c1efabf6b7b92f153d03f4cd17e7f7d2907670cfc84d45c1d7936775a3fce47968504278ffaecacea0871b227f250e2979516f6fa310fec0d8df1af7872e5a534e82870aa05f43ef0a455846b93ce938064fa33e92de262e4156dae56775
657
Tag = d95d73bf9aeb71eba9042396f3725424
658
659
[Keylen = 256]
660
[IVlen = 64]
661
[PTlen = 1880]
662
[AADlen = 1880]
663
[Taglen = 128]
664
665
Count = 0
666
Key = 3792943c0396f1840496917ce8ad89608385007e796febeea3805f3f4cbeccf7
667
IV = 23b2f9068b2c4c85
668
PT = be6b67eb943ee7b5c785cd882f653e73a8f75b4a41a2a7c56ae5a10f729caf39948fe48ad0e51240e2e7aa43193c7ec6ce7f4909fc94c9f99e38e6a0ad7e98eb29c5c2e61c99e9cbe890f154185cec213a74725d23c1a4e4d0cb9b1a36b78c87e5eee20d2aa29aae80d4759eb0c51c5dc3a95bdbbf7e14eb434419a6c88a954ac03d0c98739f4211b8732acd71c297f578b8cb64ccac45f7235ddc7f2a3f5f997525c1ed39dc550126cdf9cedaf55425489085e91b170be6205a5a395f2dd4084a3e8dbc4fd8b13252f7effae067b571cb94a1e54aba45b1b9841308db0cc75b03cfce4ddafe89ce20f2d1
669
AAD = 7eb6d7b7bbaaa3c202a4f0f1de2263767169eb4a64853240d48c0f8d5d31b08d5baf42977614a57aad99426cde76d242cb37d2956d8c77dc4fd62a3abf30e8ac6cd58c8ef35e67497022960138c57787818892460f3bfc16e37ff388b1edc6ce2bc53c22717edc7a03d4c78b0dbbe9121c7fd8a3e3993b87a4fe389bff13bdae3b349de0b6db561602c53f746022aeb4483c723b67825042f4af20b7dd1e6031cf54215266295c524ac8e1370424c5c5e607fb3e23e97c8eebe64656775edf616422a8b974e1acf13ab45c9a367a7dd9b2d62f48bbc05819b65eccb813ca813f57b22ee4c280dbb5a9d8d5
670
CT = 0b316ab2bcf5359900fa4082d5d253b49ad94b70e3fab544f98bd111cbcef6766cf953deec08cae1f489fe12f7acc0032db8a6b0c0eee0c206ea5fb973feaebf90f690e840094db5e13fdd7157ba127368c995b426529435a1bcdd1f14ce9125b8a0e4c96b6ec09e3c36a180adf81941c002d19c19d53c2009be803b987504606b7d43bdee5e0b32ff23c466b6cccfcd0d4e88fd1332e73712b5ab725c1a383e584f34f80daff29d285ae5e43cf1d0cc7a828e75c25daced3a581a93d7a50f313b33f38dddfaa23cd5b9914797db820ee2400d52bf5fa982277fe9b5881ac42981633b3957b0e935051828
671
Tag = 01973ee2e81cef22751a6a8831d752ef
672
673
[Keylen = 256]
674
[IVlen = 64]
675
[PTlen = 1920]
676
[AADlen = 1920]
677
[Taglen = 128]
678
679
Count = 0
680
Key = fe4be6054773f634356ac328591fbc6f833b0d1beeb38dd5b6feb7481b4489d4
681
IV = 0b3f16f898a5a7d5
682
PT = 76ced1ade6d1ef4069afddb32e7432d4ff2fd06685121f7b16464e7a72d365744f547d2ccf53486310e38b42d8bacaf711e54c5458d2d68c4dbcc8de31ab6732f4430e88a64565f5b287640775aaa2af1cc461d3e415bb275c6246b1b58517aa72667eae291a2982eda175d1b22c5a58e6fec2b3743d55712f201ca24ba5c0ae8c25724871b2ec2fb914a8da5a52670ab9b43a83b8568ce74db5c634061cb80530c8070c38b8f48c33ba136cb9f2158ee7eda8b65f2192fc94d1291f182f101795b7190c74b319d2d3e02a97c824d9c9471a83797e4936310b207e3a1e0bcf75f7c3e3ee48a747641cdc4377f2d55082
683
AAD = 834cd775cbefe4b33a3ca53a00c06a3c4a666983e4115a029f15729460daa45d1505e95172d3695625a186b28b8be173a925af04665f209267b3c5123e8be13da447ee1ae856bb0925f35aaa76e04a7bca8460f76c2024de2149f38a8cfba81694b854885d72568105571b6b213a0bc188a44cc7fe13153cbf261401b238cf12a95e23cb56f240114f16e2f1e3a514615aab4449c0c49e4d900b0e17d1a8dabb53d43dca32fa052d576b73dd9b40856b515d6d7efc2a5c17e0ebcb17bd59dc86f22ce909301a2652f134e82ef0e4519487ed12d51536024f2ae8f75d937c42d003076e5dea8de0c684cda1f34253d8fc
684
CT = f8defb6fe95dfec499b909996a1f75a198a90e4d6c6464d00a357a555311c42fe92dbbc4b79c935e4f0b1a95e44fdbc1380bebabca28db4dd0d2870daaafc38ef27908c3509e945714801cc51f1a07b2430c74fa64f2a7c2f7fd1551d258c9c3be020873fc1bf19f33ab6c660911dcf2317195d0efee82d20ec26d22611f9cf86c51a64e28b3a1f344500018e0855c88dae3c07acaeaa10b60388484dce93e16e6e1a6e69e899806648a92568c8780e9f4baacd98cbb353ac2f908e775d92303cfab843f15be0e0c322a958802fb1a60fcc7631f151f4c2b8cb965d2d296acef250275a2fecc0cea803ce7c058b12dd2
685
Tag = ade515091930dd7861b27f78a87ef60c
686
687
[Keylen = 256]
688
[IVlen = 64]
689
[PTlen = 1960]
690
[AADlen = 1960]
691
[Taglen = 128]
692
693
Count = 0
694
Key = a288b11ce5382ec724ce4ab2d7efa8e777e91ebd04367935e15f9dac483e9596
695
IV = 874144dbf648b325
696
PT = 4c9195280a79a509919af4947e9e07231695fd7c5088539f23936ce88770ce07d9ad3ae4a463b3a57d0634d3a77ceaadf347a334682b04be8e58b8e86fb94a1f93255132b8cdb0df86f5bea354eea4e8315fea83e3fdf6e58aa9f26e93caa08e5e2551a94bd916a51fed29ec16f66800cda6a0aa24ec308bf5fb885afba272685de27c1edcdd3668048ef07b06e90d464a8aa28664903cac45e154e8e1e39c257e1ff506b9d95cef4f300bb73b899e7828602c3c1d290b8cf55ee5fd72ecce9e6efc9293aebf674a70e2a7673e75629c12950622dff71d3ec0992e57776c788c6927d30b4e24b749191c3ce8017f0ada6276e43720
697
AAD = 04abe8588c8c8c39a182092e5e7840442bd1c1149da102c4ee412bd8b82baa5087ef7291b5cd077c177c42770b0023e0e462b06e7553f191bcb0315a34918dcdbffe2b99c3e011b4220cc1775debcc0db55fa60df9b52234f3d3fa9606508badc26f30b47cdb4f1c0f4708d417b6853e66c2f1f67f6200daf760ceb64ffc43db27f057ad3ee973e31d7e5d5deb050315c1c687980c0c148ee1a492d47acfcd6132334176c11258c89b19ba02e6acc55d852f87b6a2169ed34a6147caa60906ac8c0813c0f05522af7b7f0faddb4bc297405e28ecf5a0f6aac6258422d29cfe250d61402840f3c27d0ce39b3e2d5f1e520541d2965e
698
CT = 0afce770a12f15d67ac104ba0640aab95922390607473cbda71321156a5559906be933fb0980da56f27e89796eaa1054f5aacf1668d9f273cc69071b9e8e22af6a205a6a88f7ad918e22f616bddbb07c78913c7e056e769e6fcf91c7600c2740212e3a176e4110cac9e361a59a773457064d2dc652dd115d04f1c3756c0e1d39f6737a16b4508663e310934c49c58058b3c7b9af7bb2334c8a163608c42499658986927cda365e2aead3ac29de16e47e954383ea566f8fb245a4e5a934c767bb3bf7e0eb8a477fd0e1f61bcb238462a0d19c5cea9293ca58ade76829413216a7882cd2846323046694f78cd8b0347792ebb75abdc1
699
Tag = 973e58b1b8adb176a6f1e5c963bfdc5c
700
701
[Keylen = 256]
702
[IVlen = 64]
703
[PTlen = 2000]
704
[AADlen = 2000]
705
[Taglen = 128]
706
707
Count = 0
708
Key = 65b63ed53750c88c508c44881ae59e6fff69c66288f3c14cfec503391262cafc
709
IV = 7f5e560a1de434ba
710
PT = 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
711
AAD = 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
712
CT = 027b14197b4012256b133b78ddc94e72fb4d724fefa4ae329f5a5fa3fa784fe6d7e1e805e3f7a75557de64de506d38237b467fa577efb59e7cfe2356bed6655c5aa4e238dcfeb75c16549a0917268768a96acb5e20546a1fb7e3a7cff887f49f2cd7a135f72a98a779150f3207bf733e88861fd79eadbf77fa3bfe97bfe8b6a991cb3bcc2cde8287f7e89384846561934b0f3e05e0646e0e1907770df67a7594161a4d0763faa6fa844080932159999d528ee0558710058ce16f97d13ac9fd9bf5044191188bbfb598d0fafbdf790b61ce0781ecc04218a30ded45efd498cc9ba03562ed2b4a993ee98876b3ab7a9bc07829f1c4ca6ead98c06b
713
Tag = e4d18a701b8308697b5e79141ed783c1
714
715
[Keylen = 256]
716
[IVlen = 64]
717
[PTlen = 2040]
718
[AADlen = 2040]
719
[Taglen = 128]
720
721
Count = 0
722
Key = 4986fd62d6cb86b2eaf219174bec681bebcdef86c8be291f27d3e5dc69e2feba
723
IV = d08d486620ed2e84
724
PT = 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
725
AAD = 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
726
CT = c40180afd53001663ff4834110f56e6b0f178cd3c0e7f7de5d0089ee41d8403ffb98e84922706544a344d7e2625b12cf66b9c966f9f57d7b94e3e4b34e6f0aaed1763ce012782e2f5e1682e6c343fc7961fedddd0919d0b910e9923c17e36406979b256b85aec24ee352f03b48c1302eab419c83dccc5372cc059e9de596224fa70098eb32fc9579e97917b923914fa2efc30ab29b457bf14e45583b3771486bdc0876f3ea6e1a646746c4f8c5cb2641a1557c8473e6ea67d4811a67485ae9a678ff3a2408ca845c3b51957e189eef47dfc1d46bde4b9d754d7df13f828ddadb06e4ebddb5f0dafbdb28de4c5e6078926f20cdf9e97ecd58e309e640f74f06
727
Tag = fd5e29332832a14a31a9ce2ca8568498
728
729
[Keylen = 256]
730
[IVlen = 64]
731
[PTlen = 2080]
732
[AADlen = 2080]
733
[Taglen = 128]
734
735
Count = 0
736
Key = 7d28a60810e43d3dfa32e97c07957ec069fc80cc6a50061830aa29b3aa777dfc
737
IV = 47738ac8f10f2c3a
738
PT = 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
739
AAD = 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
740
CT = 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
741
Tag = 1fdd2dcd935f55822bf7231a516ca841
742
743
[Keylen = 256]
744
[IVlen = 64]
745
[PTlen = 2120]
746
[AADlen = 2120]
747
[Taglen = 128]
748
749
Count = 0
750
Key = a76e9b916f5a67b78a5949651c8c3a9741a1bc3c41cdf85fd2c8f3e9a0616098
751
IV = 0808da8292dc14e0
752
PT = 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
753
AAD = 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
754
CT = 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
755
Tag = b45df119043d29008fcef36a169ef886
756
757
[Keylen = 256]
758
[IVlen = 64]
759
[PTlen = 2160]
760
[AADlen = 2160]
761
[Taglen = 128]
762
763
Count = 0
764
Key = 98cd2477a7a072c69f375b88d09ed9d7b9c3df3f87e36ce621726f76e3b41a1d
765
IV = 77d185aaf715aa48
766
PT = 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
767
AAD = 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
768
CT = 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
769
Tag = f613b65226afb64c614fe60d9c71ed74
770
771
[Keylen = 256]
772
[IVlen = 64]
773
[PTlen = 2200]
774
[AADlen = 2200]
775
[Taglen = 128]
776
777
Count = 0
778
Key = 2f0f4631ab1c1bcf8f3ad0559c818d50e0af7d8cd63faa357f2069f30881d9cb
779
IV = 7d0ced2fdb1c9173
780
PT = 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
781
AAD = 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
782
CT = 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
783
Tag = 0fd7419c54bc84265ed310a3411a3f2e
784
785
[Keylen = 256]
786
[IVlen = 64]
787
[PTlen = 2240]
788
[AADlen = 2240]
789
[Taglen = 128]
790
791
Count = 0
792
Key = a48b9b6df475e566aba7671fbd76772cb0eff0b12499967978ce3e25fac92feb
793
IV = 2ccbf0d6c40cb302
794
PT = 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
795
AAD = 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
796
CT = 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
797
Tag = 2aabff35611b3e0013f6ae0df130799b
798
799
[Keylen = 256]
800
[IVlen = 64]
801
[PTlen = 2280]
802
[AADlen = 2280]
803
[Taglen = 128]
804
805
Count = 0
806
Key = 923d4b086b9e43b986f7b65e4cea6113a3d8aabefa89323c5e4d5b6f158bb7e0
807
IV = a0f73297b87f5deb
808
PT = 21435e8d5c8edf0684f58c2cba4070c10b4801adf46b6c4d322eb3990a38a9ad338ad704b9df6597f3e68d66cd5b56290c8466db2231e56d6bcb9c44e1bd081f42ca2a894dad369df2bd0d2c63d6c881732d6ea22bb22b5bc9a62eaffa1b094d0845f6b966d2cb095e7b3b8bcbc15e707449d35c8df4aea30c3b7243e977fffd59c80f1c5c9af4bb5a54b9c786fbbe8d21b2b906a87a786caed841a34a3e0cc0ac3209d83c58afba19edd63622dd261532d2cfb0b49d527d8eaa0887a087f5129d897f665264b229f860363d71a88b7d49c8dc6360182b357b0662391bb41337f46010ac32b9fada2d60a2efcb99365d3b27b7ac396900d1c821d0df8b86cc9cc1f2673259a33efea610bf8e1d00d7e9db2afea21da8f58c55f799999d
809
AAD = 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
810
CT = 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
811
Tag = fa8ee13400fb3f63b899df582f2fec45
812
813
[Keylen = 256]
814
[IVlen = 64]
815
[PTlen = 2320]
816
[AADlen = 2320]
817
[Taglen = 128]
818
819
Count = 0
820
Key = df73adab2768559ea983cce85453fe81d79be3b3c57f202b31b94d6635cf2e4b
821
IV = e7a87e6bf6b5a354
822
PT = 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
823
AAD = 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
824
CT = 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
825
Tag = 184095b7a8190abec08bb72d19eeb103
826
827
[Keylen = 256]
828
[IVlen = 64]
829
[PTlen = 2360]
830
[AADlen = 2360]
831
[Taglen = 128]
832
833
Count = 0
834
Key = 55a4be2448b464c2ea52a2f2664ed6aba865c14ea1fea77f4689331fd105c8d4
835
IV = db37c0a405b4626d
836
PT = 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
837
AAD = 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
838
CT = 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
839
Tag = f7d3b58a34a86e99267e5db206f17bbe
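--- a/cmd/ssltap/ssltap.c
+++ b/cmd/ssltap/ssltap.c
@@ -442,6 +442,9 @@
   case 0x00C02C:    cs_str = "TLS/ECDHE-ECDSA/AES256-GCM/SHA384"; break;
   case 0x00C02F:    cs_str = "TLS/ECDHE-RSA/AES128-GCM/SHA256"; break;
 
+  case 0x00CC13:    cs_str = "TLS/ECDHE-RSA/CHACHA20-POLY1305/SHA256"; break;
+  case 0x00CC14:    cs_str = "TLS/ECDHE-ECDSA/CHACHA20-POLY1305/SHA256"; break;
+
   case 0x00FEFF:    cs_str = "SSL3/RSA-FIPS/3DESEDE-CBC/SHA";	break;
   case 0x00FEFE:    cs_str = "SSL3/RSA-FIPS/DES-CBC/SHA";	break;
   case 0x00FFE1:    cs_str = "SSL3/RSA-FIPS/DES56-CBC/SHA";     break;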
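--- a/lib/freebl/Makefile
+++ b/lib/freebl/Makefile
@@ -458,6 +458,17 @@
     endif
 endif # NSS_ENABLE_ECC
 
+ifeq ($(CPU_ARCH),x86_64)
+    # poly1305-donna-x64-sse2-incremental-source.c requires __int128 support
+    # in GCC 4.6.0.
+    #EXTRA_SRCS += poly1305/poly1305-donna-x64-sse2-incremental-source.c
+    EXTRA_SRCS += poly1305/poly1305.c
+    EXTRA_SRCS += chacha20/chacha20_vec.c
+else
+    EXTRA_SRCS += poly1305/poly1305.c
+    EXTRA_SRCS += chacha20/chacha20.c
+endif # x86_64
+
 #######################################################################
 # (5) Execute "global" rules. (OPTIONAL)                              #
 #######################################################################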
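Review bot: The `ifeq ($(CPU_ARCH),x86_64)` branch picks `chacha20/chacha20_vec.c` on CPU architecture alone, but the vectorised source added in this patch depends on `__attribute__ ((vector_size (16)))` and stops with `#error -- Implementation supports only machines with neon or SSE2` otherwise. An x86_64 build with a compiler that lacks the GCC vector extensions would therefore presumably fail instead of falling back to `chacha20/chacha20.c`; the condition should also require a GCC-compatible compiler. `EXTRA_SRCS += poly1305/poly1305.c` is identical in both branches and could be hoisted above the `ifeq`. The commented-out `#EXTRA_SRCS += poly1305/poly1305-donna-x64-sse2-incremental-source.c` line is dead and would be better removed, or replaced by a short comment saying when it can be enabled.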
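--- a/lib/freebl/blapi.h
+++ b/lib/freebl/blapi.h
@@ -818,6 +818,38 @@
 		 unsigned int *outputLen, unsigned int maxOutputLen,
 		 const unsigned char *input, unsigned int inputLen);
 
+/******************************************/
+/*
+** ChaCha20+Poly1305 AEAD
+*/
+
+extern SECStatus
+ChaCha20Poly1305_InitContext(ChaCha20Poly1305Context *ctx,
+			     const unsigned char *key, unsigned int keyLen,
+			     unsigned int tagLen);
+
+extern ChaCha20Poly1305Context *
+ChaCha20Poly1305_CreateContext(const unsigned char *key, unsigned int keyLen,
+			       unsigned int tagLen);
+
+extern void
+ChaCha20Poly1305_DestroyContext(ChaCha20Poly1305Context *ctx, PRBool freeit);
+
+extern SECStatus
+ChaCha20Poly1305_Seal(const ChaCha20Poly1305Context *ctx,
+		      unsigned char *output, unsigned int *outputLen,
+		      unsigned int maxOutputLen,
+		      const unsigned char *input, unsigned int inputLen,
+		      const unsigned char *nonce, unsigned int nonceLen,
+		      const unsigned char *ad, unsigned int adLen);
+
+extern SECStatus
+ChaCha20Poly1305_Open(const ChaCha20Poly1305Context *ctx,
+		      unsigned char *output, unsigned int *outputLen,
+		      unsigned int maxOutputLen,
+		      const unsigned char *input, unsigned int inputLen,
+		      const unsigned char *nonce, unsigned int nonceLen,
+		      const unsigned char *ad, unsigned int adLen);
 
 /******************************************/
 /*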
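Review bot: The five new `ChaCha20Poly1305_*` declarations have no contract comment beyond the section banner. The header does not say which `keyLen`, `nonceLen` and `tagLen` values are accepted, how large `maxOutputLen` must be relative to `inputLen`, or what `output` holds when `ChaCha20Poly1305_Open` fails. Above `ChaCha20Poly1305_Seal` I would add `/* |nonce| must be unique for every Seal call under a given key; a repeated nonce voids both confidentiality and integrity. */`. Above `ChaCha20Poly1305_Open` I would add `/* Returns SECFailure if the tag does not verify; |output| must not be used in that case. */`. The second comment is presumed from the usual AEAD contract, since the implementation is not in this section, and should be confirmed against it.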
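--- a/lib/freebl/blapit.h
+++ b/lib/freebl/blapit.h
@@ -222,6 +222,7 @@
 struct SHA512ContextStr     ;
 struct AESKeyWrapContextStr ;
 struct SEEDContextStr       ;	
+struct ChaCha20Poly1305ContextStr;
 
 typedef struct DESContextStr        DESContext;
 typedef struct RC2ContextStr        RC2Context;
@@ -240,6 +241,7 @@
 typedef struct SHA512ContextStr     SHA384Context;
 typedef struct AESKeyWrapContextStr AESKeyWrapContext;
 typedef struct SEEDContextStr	    SEEDContext;	
+typedef struct ChaCha20Poly1305ContextStr ChaCha20Poly1305Context;	
 
 /***************************************************************************
 ** RSA Public and Private Key structures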
(-)0a2868789206 (+108 lines)
Added Link Here 
Added Link Here 
1
/* This Source Code Form is subject to the terms of the Mozilla Public
2
 * License, v. 2.0. If a copy of the MPL was not distributed with this
3
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4
5
/* Adopted from the public domain code in NaCl by djb. */
6
7
#include <string.h>
8
#include <stdio.h>
9
10
#include "prtypes.h"
11
#include "chacha20.h"
12
13
#define ROTL32(v, n) (((v) << (n)) | ((v) >> (32 - (n))))
14
#define ROTATE(v, c) ROTL32((v), (c))
15
#define XOR(v, w) ((v) ^ (w))
16
#define PLUS(x, y) ((x) + (y))
17
18
#define U32TO8_LITTLE(p, v) \
19
	{ (p)[0] = ((v)      ) & 0xff; (p)[1] = ((v) >>  8) & 0xff; \
20
	  (p)[2] = ((v) >> 16) & 0xff; (p)[3] = ((v) >> 24) & 0xff; }
21
#define U8TO32_LITTLE(p)   \
22
	(((PRUint32)((p)[0])      ) | ((PRUint32)((p)[1]) <<  8) | \
23
	 ((PRUint32)((p)[2]) << 16) | ((PRUint32)((p)[3]) << 24)   )
24
25
#define QUARTERROUND(a,b,c,d) \
26
  x[a] = PLUS(x[a],x[b]); x[d] = ROTATE(XOR(x[d],x[a]),16); \
27
  x[c] = PLUS(x[c],x[d]); x[b] = ROTATE(XOR(x[b],x[c]),12); \
28
  x[a] = PLUS(x[a],x[b]); x[d] = ROTATE(XOR(x[d],x[a]), 8); \
29
  x[c] = PLUS(x[c],x[d]); x[b] = ROTATE(XOR(x[b],x[c]), 7);
30
31
static void ChaChaCore(unsigned char output[64], const PRUint32 input[16],
32
		       int num_rounds) {
33
    PRUint32 x[16];
34
    int i;
35
36
    memcpy(x, input, sizeof(PRUint32) * 16);
37
    for (i = num_rounds; i > 0; i -= 2) {
38
	QUARTERROUND( 0, 4, 8,12)
39
	QUARTERROUND( 1, 5, 9,13)
40
	QUARTERROUND( 2, 6,10,14)
41
	QUARTERROUND( 3, 7,11,15)
42
	QUARTERROUND( 0, 5,10,15)
43
	QUARTERROUND( 1, 6,11,12)
44
	QUARTERROUND( 2, 7, 8,13)
45
	QUARTERROUND( 3, 4, 9,14)
46
    }
47
48
    for (i = 0; i < 16; ++i) {
49
	x[i] = PLUS(x[i], input[i]);
50
    }
51
    for (i = 0; i < 16; ++i) {
52
	U32TO8_LITTLE(output + 4 * i, x[i]);
53
    }
54
}
55
56
static const unsigned char sigma[16] = "expand 32-byte k";
57
58
void ChaCha20XOR(unsigned char *out, const unsigned char *in, unsigned int inLen,
59
		 const unsigned char key[32], const unsigned char nonce[8],
60
		 uint64_t counter) {
61
    unsigned char block[64];
62
    PRUint32 input[16];
63
    unsigned int u;
64
    unsigned int i;
65
66
    input[4] = U8TO32_LITTLE(key + 0);
67
    input[5] = U8TO32_LITTLE(key + 4);
68
    input[6] = U8TO32_LITTLE(key + 8);
69
    input[7] = U8TO32_LITTLE(key + 12);
70
71
    input[8] = U8TO32_LITTLE(key + 16);
72
    input[9] = U8TO32_LITTLE(key + 20);
73
    input[10] = U8TO32_LITTLE(key + 24);
74
    input[11] = U8TO32_LITTLE(key + 28);
75
76
    input[0] = U8TO32_LITTLE(sigma + 0);
77
    input[1] = U8TO32_LITTLE(sigma + 4);
78
    input[2] = U8TO32_LITTLE(sigma + 8);
79
    input[3] = U8TO32_LITTLE(sigma + 12);
80
81
    input[12] = counter;
82
    input[13] = counter >> 32;
83
    input[14] = U8TO32_LITTLE(nonce + 0);
84
    input[15] = U8TO32_LITTLE(nonce + 4);
85
86
    while (inLen >= 64) {
87
	ChaChaCore(block, input, 20);
88
	for (i = 0; i < 64; i++) {
89
	    out[i] = in[i] ^ block[i];
90
	}
91
92
	input[12]++;
93
	if (input[12] == 0) {
94
	    input[13]++;
95
	}
96
97
	inLen -= 64;
98
	in += 64;
99
	out += 64;
100
    }
101
102
    if (inLen > 0) {
103
	ChaChaCore(block, input, 20);
104
	for (i = 0; i < inLen; i++) {
105
	    out[i] = in[i] ^ block[i];
106
	}
107
    }
108
}
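Review bot: `ChaCha20XOR` returns with the key words still in `input[4]`..`input[11]` and the last keystream block in `block`, and `ChaChaCore` leaves its working state in `x`, so key-dependent data stays on the stack after the call. I would clear `block` and `input` (and `x` in `ChaChaCore`) before returning, using a wipe the compiler cannot elide, since a plain `memset` on a dead local may be optimised away. Separately, `#include <stdio.h>` is unused in this file and can be dropped. The brace-only `U32TO8_LITTLE` macro would be safer wrapped as `do { ... } while (0)`.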
(-)0a2868789206 (+22 lines)
Added Link Here 
Added Link Here 
1
/*
2
 * chacha20.h - header file for ChaCha20 implementation.
3
 *
4
 * This Source Code Form is subject to the terms of the Mozilla Public
5
 * License, v. 2.0. If a copy of the MPL was not distributed with this
6
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7
8
#ifndef FREEBL_CHACHA20_H_
9
#define FREEBL_CHACHA20_H_
10
11
#include <stdint.h>
12
13
/* ChaCha20XOR encrypts |inLen| bytes from |in| with the given key and
14
 * nonce and writes the result to |out|, which may be equal to |in|. The
15
 * initial block counter is specified by |counter|. */
16
extern void ChaCha20XOR(unsigned char *out,
17
			const unsigned char *in, unsigned int inLen,
18
			const unsigned char key[32],
19
			const unsigned char nonce[8],
20
			uint64_t counter);
21
22
#endif  /* FREEBL_CHACHA20_H_ */
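Review bot: The prototype takes `uint64_t counter` and pulls in `<stdint.h>`, while the scalar implementation in this patch works in NSPR types (`PRUint32` from `prtypes.h`). Declaring the parameter as `PRUint64 counter` and including `prtypes.h` here would keep the new files consistent and avoid depending on a C99 header that, presumably, not every compiler this library targets provides. The comment above `ChaCha20XOR` could also state the usage contract, e.g. `/* The keystream depends only on |key|, |nonce| and |counter|; callers must never reuse that triple and must authenticate the output separately. */`.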
(-)0a2868789206 (+281 lines)
Added Link Here 
Added Link Here 
1
/* This Source Code Form is subject to the terms of the Mozilla Public
2
 * License, v. 2.0. If a copy of the MPL was not distributed with this
3
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4
5
/* This implementation is by Ted Krovetz and was submitted to SUPERCOP and
6
 * marked as public domain. It was been altered to allow for non-aligned inputs
7
 * and to allow the block counter to be passed in specifically. */
8
9
#include <string.h>
10
11
#include "chacha20.h"
12
13
#ifndef CHACHA_RNDS
14
#define CHACHA_RNDS 20    /* 8 (high speed), 20 (conservative), 12 (middle) */
15
#endif
16
17
/* Architecture-neutral way to specify 16-byte vector of ints	      */
18
typedef unsigned vec __attribute__ ((vector_size (16)));
19
20
/* This implementation is designed for Neon, SSE and AltiVec machines. The
21
 * following specify how to do certain vector operations efficiently on
22
 * each architecture, using intrinsics.
23
 * This implementation supports parallel processing of multiple blocks,
24
 * including potentially using general-purpose registers.
25
 */
26
#if __ARM_NEON__
27
#include <arm_neon.h>
28
#define GPR_TOO   1
29
#define VBPI      2
30
#define ONE       (vec)vsetq_lane_u32(1,vdupq_n_u32(0),0)
31
#define LOAD(m)   (vec)(*((vec*)(m)))
32
#define STORE(m,r) (*((vec*)(m))) = (r)
33
#define ROTV1(x)  (vec)vextq_u32((uint32x4_t)x,(uint32x4_t)x,1)
34
#define ROTV2(x)  (vec)vextq_u32((uint32x4_t)x,(uint32x4_t)x,2)
35
#define ROTV3(x)  (vec)vextq_u32((uint32x4_t)x,(uint32x4_t)x,3)
36
#define ROTW16(x) (vec)vrev32q_u16((uint16x8_t)x)
37
#if __clang__
38
#define ROTW7(x)  (x << ((vec){ 7, 7, 7, 7})) ^ (x >> ((vec){25,25,25,25}))
39
#define ROTW8(x)  (x << ((vec){ 8, 8, 8, 8})) ^ (x >> ((vec){24,24,24,24}))
40
#define ROTW12(x) (x << ((vec){12,12,12,12})) ^ (x >> ((vec){20,20,20,20}))
41
#else
42
#define ROTW7(x)  (vec)vsriq_n_u32(vshlq_n_u32((uint32x4_t)x,7),(uint32x4_t)x,25)
43
#define ROTW8(x)  (vec)vsriq_n_u32(vshlq_n_u32((uint32x4_t)x,8),(uint32x4_t)x,24)
44
#define ROTW12(x) (vec)vsriq_n_u32(vshlq_n_u32((uint32x4_t)x,12),(uint32x4_t)x,20)
45
#endif
46
#elif __SSE2__
47
#include <emmintrin.h>
48
#define GPR_TOO   0
49
#if __clang__
50
#define VBPI      4
51
#else
52
#define VBPI      3
53
#endif
54
#define ONE       (vec)_mm_set_epi32(0,0,0,1)
55
#define LOAD(m)   (vec)_mm_loadu_si128((__m128i*)(m))
56
#define STORE(m,r) _mm_storeu_si128((__m128i*)(m), (__m128i) (r))
57
#define ROTV1(x)  (vec)_mm_shuffle_epi32((__m128i)x,_MM_SHUFFLE(0,3,2,1))
58
#define ROTV2(x)  (vec)_mm_shuffle_epi32((__m128i)x,_MM_SHUFFLE(1,0,3,2))
59
#define ROTV3(x)  (vec)_mm_shuffle_epi32((__m128i)x,_MM_SHUFFLE(2,1,0,3))
60
#define ROTW7(x)  (vec)(_mm_slli_epi32((__m128i)x, 7) ^ _mm_srli_epi32((__m128i)x,25))
61
#define ROTW12(x) (vec)(_mm_slli_epi32((__m128i)x,12) ^ _mm_srli_epi32((__m128i)x,20))
62
#if __SSSE3__
63
#include <tmmintrin.h>
64
#define ROTW8(x)  (vec)_mm_shuffle_epi8((__m128i)x,_mm_set_epi8(14,13,12,15,10,9,8,11,6,5,4,7,2,1,0,3))
65
#define ROTW16(x) (vec)_mm_shuffle_epi8((__m128i)x,_mm_set_epi8(13,12,15,14,9,8,11,10,5,4,7,6,1,0,3,2))
66
#else
67
#define ROTW8(x)  (vec)(_mm_slli_epi32((__m128i)x, 8) ^ _mm_srli_epi32((__m128i)x,24))
68
#define ROTW16(x) (vec)(_mm_slli_epi32((__m128i)x,16) ^ _mm_srli_epi32((__m128i)x,16))
69
#endif
70
#else
71
#error -- Implementation supports only machines with neon or SSE2
72
#endif
73
74
#ifndef REVV_BE
75
#define REVV_BE(x)  (x)
76
#endif
77
78
#ifndef REVW_BE
79
#define REVW_BE(x)  (x)
80
#endif
81
82
#define BPI      (VBPI + GPR_TOO)  /* Blocks computed per loop iteration   */
83
84
#define DQROUND_VECTORS(a,b,c,d)		\
85
    a += b; d ^= a; d = ROTW16(d);	      \
86
    c += d; b ^= c; b = ROTW12(b);	      \
87
    a += b; d ^= a; d = ROTW8(d);	       \
88
    c += d; b ^= c; b = ROTW7(b);	       \
89
    b = ROTV1(b); c = ROTV2(c);  d = ROTV3(d);  \
90
    a += b; d ^= a; d = ROTW16(d);	      \
91
    c += d; b ^= c; b = ROTW12(b);	      \
92
    a += b; d ^= a; d = ROTW8(d);	       \
93
    c += d; b ^= c; b = ROTW7(b);	       \
94
    b = ROTV3(b); c = ROTV2(c); d = ROTV1(d);
95
96
#define QROUND_WORDS(a,b,c,d) \
97
  a = a+b; d ^= a; d = d<<16 | d>>16; \
98
  c = c+d; b ^= c; b = b<<12 | b>>20; \
99
  a = a+b; d ^= a; d = d<< 8 | d>>24; \
100
  c = c+d; b ^= c; b = b<< 7 | b>>25;
101
102
#define WRITE_XOR(in, op, d, v0, v1, v2, v3)		   \
103
    STORE(op + d + 0, LOAD(in + d + 0) ^ REVV_BE(v0));      \
104
    STORE(op + d + 4, LOAD(in + d + 4) ^ REVV_BE(v1));      \
105
    STORE(op + d + 8, LOAD(in + d + 8) ^ REVV_BE(v2));      \
106
    STORE(op + d +12, LOAD(in + d +12) ^ REVV_BE(v3));
107
108
void ChaCha20XOR(
109
    unsigned char *out,
110
    const unsigned char *in,
111
    unsigned int inlen,
112
    const unsigned char key[32],
113
    const unsigned char nonce[8],
114
    uint64_t counter)
115
{
116
    unsigned iters, i, *op=(unsigned *)out, *ip=(unsigned *)in, *kp;
117
#if defined(__ARM_NEON__)
118
    unsigned *np;
119
#endif
120
    vec s0, s1, s2, s3;
121
#if !defined(__ARM_NEON__) && !defined(__SSE2__)
122
    __attribute__ ((aligned (16))) unsigned key[8], nonce[4];
123
#endif
124
    __attribute__ ((aligned (16))) unsigned chacha_const[] =
125
	{0x61707865,0x3320646E,0x79622D32,0x6B206574};
126
#if defined(__ARM_NEON__) || defined(__SSE2__)
127
    kp = (unsigned *)key;
128
#else
129
    ((vec *)key)[0] = REVV_BE(((vec *)key)[0]);
130
    ((vec *)key)[1] = REVV_BE(((vec *)key)[1]);
131
    nonce[0] = REVW_BE(((unsigned *)nonce)[0]);
132
    nonce[1] = REVW_BE(((unsigned *)nonce)[1]);
133
    nonce[2] = REVW_BE(((unsigned *)nonce)[2]);
134
    nonce[3] = REVW_BE(((unsigned *)nonce)[3]);
135
    kp = (unsigned *)key;
136
    np = (unsigned *)nonce;
137
#endif
138
#if defined(__ARM_NEON__)
139
    np = (unsigned*) nonce;
140
#endif
141
    s0 = LOAD(chacha_const);
142
    s1 = LOAD(&((vec*)kp)[0]);
143
    s2 = LOAD(&((vec*)kp)[1]);
144
    s3 = (vec) {
145
	counter & 0xffffffff,
146
	counter >> 32,
147
	((uint32_t*)nonce)[0],
148
	((uint32_t*)nonce)[1]
149
    };
150
151
    for (iters = 0; iters < inlen/(BPI*64); iters++) {
152
#if GPR_TOO
153
	register unsigned x0, x1, x2, x3, x4, x5, x6, x7, x8,
154
		  x9, x10, x11, x12, x13, x14, x15;
155
#endif
156
#if VBPI > 2
157
	vec v8,v9,v10,v11;
158
#endif
159
#if VBPI > 3
160
	vec v12,v13,v14,v15;
161
#endif
162
163
	vec v0,v1,v2,v3,v4,v5,v6,v7;
164
	v4 = v0 = s0; v5 = v1 = s1; v6 = v2 = s2; v3 = s3;
165
	v7 = v3 + ONE;
166
#if VBPI > 2
167
	v8 = v4; v9 = v5; v10 = v6;
168
	v11 =  v7 + ONE;
169
#endif
170
#if VBPI > 3
171
	v12 = v8; v13 = v9; v14 = v10;
172
	v15 = v11 + ONE;
173
#endif
174
#if GPR_TOO
175
	x0 = chacha_const[0]; x1 = chacha_const[1];
176
	x2 = chacha_const[2]; x3 = chacha_const[3];
177
	x4 = kp[0]; x5 = kp[1]; x6  = kp[2]; x7  = kp[3];
178
	x8 = kp[4]; x9 = kp[5]; x10 = kp[6]; x11 = kp[7];
179
	x12 = (counter & 0xffffffff)+BPI*iters+(BPI-1); x13 = counter >> 32;
180
	x14 = np[0]; x15 = np[1];
181
#endif
182
	for (i = CHACHA_RNDS/2; i; i--) {
183
	    DQROUND_VECTORS(v0,v1,v2,v3)
184
	    DQROUND_VECTORS(v4,v5,v6,v7)
185
#if VBPI > 2
186
	    DQROUND_VECTORS(v8,v9,v10,v11)
187
#endif
188
#if VBPI > 3
189
	    DQROUND_VECTORS(v12,v13,v14,v15)
190
#endif
191
#if GPR_TOO
192
	    QROUND_WORDS( x0, x4, x8,x12)
193
	    QROUND_WORDS( x1, x5, x9,x13)
194
	    QROUND_WORDS( x2, x6,x10,x14)
195
	    QROUND_WORDS( x3, x7,x11,x15)
196
	    QROUND_WORDS( x0, x5,x10,x15)
197
	    QROUND_WORDS( x1, x6,x11,x12)
198
	    QROUND_WORDS( x2, x7, x8,x13)
199
	    QROUND_WORDS( x3, x4, x9,x14)
200
#endif
201
	}
202
203
	WRITE_XOR(ip, op, 0, v0+s0, v1+s1, v2+s2, v3+s3)
204
	s3 += ONE;
205
	WRITE_XOR(ip, op, 16, v4+s0, v5+s1, v6+s2, v7+s3)
206
	s3 += ONE;
207
#if VBPI > 2
208
	WRITE_XOR(ip, op, 32, v8+s0, v9+s1, v10+s2, v11+s3)
209
	s3 += ONE;
210
#endif
211
#if VBPI > 3
212
	WRITE_XOR(ip, op, 48, v12+s0, v13+s1, v14+s2, v15+s3)
213
	s3 += ONE;
214
#endif
215
	ip += VBPI*16;
216
	op += VBPI*16;
217
#if GPR_TOO
218
	op[0]  = REVW_BE(REVW_BE(ip[0])  ^ (x0  + chacha_const[0]));
219
	op[1]  = REVW_BE(REVW_BE(ip[1])  ^ (x1  + chacha_const[1]));
220
	op[2]  = REVW_BE(REVW_BE(ip[2])  ^ (x2  + chacha_const[2]));
221
	op[3]  = REVW_BE(REVW_BE(ip[3])  ^ (x3  + chacha_const[3]));
222
	op[4]  = REVW_BE(REVW_BE(ip[4])  ^ (x4  + kp[0]));
223
	op[5]  = REVW_BE(REVW_BE(ip[5])  ^ (x5  + kp[1]));
224
	op[6]  = REVW_BE(REVW_BE(ip[6])  ^ (x6  + kp[2]));
225
	op[7]  = REVW_BE(REVW_BE(ip[7])  ^ (x7  + kp[3]));
226
	op[8]  = REVW_BE(REVW_BE(ip[8])  ^ (x8  + kp[4]));
227
	op[9]  = REVW_BE(REVW_BE(ip[9])  ^ (x9  + kp[5]));
228
	op[10] = REVW_BE(REVW_BE(ip[10]) ^ (x10 + kp[6]));
229
	op[11] = REVW_BE(REVW_BE(ip[11]) ^ (x11 + kp[7]));
230
	op[12] = REVW_BE(REVW_BE(ip[12]) ^ (x12 + (counter & 0xffffffff)+BPI*iters+(BPI-1)));
231
	op[13] = REVW_BE(REVW_BE(ip[13]) ^ (x13 + (counter >> 32)));
232
	op[14] = REVW_BE(REVW_BE(ip[14]) ^ (x14 + np[0]));
233
	op[15] = REVW_BE(REVW_BE(ip[15]) ^ (x15 + np[1]));
234
	s3 += ONE;
235
	ip += 16;
236
	op += 16;
237
#endif
238
    }
239
240
    for (iters = inlen%(BPI*64)/64; iters != 0; iters--) {
241
	vec v0 = s0, v1 = s1, v2 = s2, v3 = s3;
242
	for (i = CHACHA_RNDS/2; i; i--) {
243
	    DQROUND_VECTORS(v0,v1,v2,v3);
244
	}
245
	WRITE_XOR(ip, op, 0, v0+s0, v1+s1, v2+s2, v3+s3)
246
	s3 += ONE;
247
	ip += 16;
248
	op += 16;
249
    }
250
251
    inlen = inlen % 64;
252
    if (inlen) {
253
	__attribute__ ((aligned (16))) vec buf[4];
254
	vec v0,v1,v2,v3;
255
	v0 = s0; v1 = s1; v2 = s2; v3 = s3;
256
	for (i = CHACHA_RNDS/2; i; i--) {
257
	    DQROUND_VECTORS(v0,v1,v2,v3);
258
	}
259
260
	if (inlen >= 16) {
261
	    STORE(op + 0, LOAD(ip + 0) ^ REVV_BE(v0 + s0));
262
	    if (inlen >= 32) {
263
		STORE(op + 4, LOAD(ip + 4) ^ REVV_BE(v1 + s1));
264
		if (inlen >= 48) {
265
		    STORE(op + 8, LOAD(ip + 8) ^ REVV_BE(v2 + s2));
266
		    buf[3] = REVV_BE(v3 + s3);
267
		} else {
268
		    buf[2] = REVV_BE(v2 + s2);
269
		}
270
	    } else {
271
		buf[1] = REVV_BE(v1 + s1);
272
	    }
273
	} else {
274
	    buf[0] = REVV_BE(v0 + s0);
275
	}
276
277
	for (i=inlen & ~15; i<inlen; i++) {
278
	    ((char *)op)[i] = ((char *)ip)[i] ^ ((char *)buf)[i];
279
	}
280
    }
281
}
(-)0a2868789206 (+169 lines)
1
/* This Source Code Form is subject to the terms of the Mozilla Public
2
 * License, v. 2.0. If a copy of the MPL was not distributed with this
3
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4
5
#ifdef FREEBL_NO_DEPEND
6
#include "stubs.h"
7
#endif
8
9
#include <string.h>
10
#include <stdio.h>
11
12
#include "seccomon.h"
13
#include "secerr.h"
14
#include "blapit.h"
15
#include "poly1305/poly1305.h"
16
#include "chacha20/chacha20.h"
17
#include "chacha20poly1305.h"
18
19
/* Poly1305Do writes the Poly1305 authenticator of the given additional data
20
 * and ciphertext to |out|. */
21
static void
22
Poly1305Do(unsigned char *out,
23
	   const unsigned char *ad, unsigned int adLen,
24
	   const unsigned char *ciphertext, unsigned int ciphertextLen,
25
	   const unsigned char key[32])
26
{
27
    poly1305_state state;
28
    unsigned int j;
29
    unsigned char lengthBytes[8];
30
    unsigned int i;
31
32
    Poly1305Init(&state, key);
33
    j = adLen;
34
    for (i = 0; i < sizeof(lengthBytes); i++) {
35
	lengthBytes[i] = j;
36
	j >>= 8;
37
    }
38
    Poly1305Update(&state, ad, adLen);
39
    Poly1305Update(&state, lengthBytes, sizeof(lengthBytes));
40
    j = ciphertextLen;
41
    for (i = 0; i < sizeof(lengthBytes); i++) {
42
	lengthBytes[i] = j;
43
	j >>= 8;
44
    }
45
    Poly1305Update(&state, ciphertext, ciphertextLen);
46
    Poly1305Update(&state, lengthBytes, sizeof(lengthBytes));
47
    Poly1305Finish(&state, out);
48
}
49
50
SECStatus
51
ChaCha20Poly1305_InitContext(ChaCha20Poly1305Context *ctx,
52
			     const unsigned char *key, unsigned int keyLen,
53
			     unsigned int tagLen)
54
{
55
    if (keyLen != 32) {
56
	PORT_SetError(SEC_ERROR_BAD_KEY);
57
	return SECFailure;
58
    }
59
    if (tagLen == 0 || tagLen > 16) {
60
	PORT_SetError(SEC_ERROR_INPUT_LEN);
61
	return SECFailure;
62
    }
63
64
    memcpy(ctx->key, key, sizeof(ctx->key));
65
    ctx->tagLen = tagLen;
66
67
    return SECSuccess;
68
}
69
70
ChaCha20Poly1305Context *
71
ChaCha20Poly1305_CreateContext(const unsigned char *key, unsigned int keyLen,
72
			       unsigned int tagLen)
73
{
74
    ChaCha20Poly1305Context *ctx;
75
76
    ctx = PORT_New(ChaCha20Poly1305Context);
77
    if (ctx == NULL) {
78
	return NULL;
79
    }
80
81
    if (ChaCha20Poly1305_InitContext(ctx, key, keyLen, tagLen) != SECSuccess) {
82
	PORT_Free(ctx);
83
	ctx = NULL;
84
    }
85
86
    return ctx;
87
}
88
89
void
90
ChaCha20Poly1305_DestroyContext(ChaCha20Poly1305Context *ctx, PRBool freeit)
91
{
92
    memset(ctx, 0, sizeof(*ctx));
93
    if (freeit) {
94
	PORT_Free(ctx);
95
    }
96
}
97
98
SECStatus
99
ChaCha20Poly1305_Seal(const ChaCha20Poly1305Context *ctx,
100
		      unsigned char *output, unsigned int *outputLen,
101
		      unsigned int maxOutputLen,
102
		      const unsigned char *input, unsigned int inputLen,
103
		      const unsigned char *nonce, unsigned int nonceLen,
104
		      const unsigned char *ad, unsigned int adLen)
105
{
106
    unsigned char block[64];
107
    unsigned char tag[16];
108
109
    if (nonceLen != 8) {
110
	PORT_SetError(SEC_ERROR_INPUT_LEN);
111
	return SECFailure;
112
    }
113
    *outputLen = inputLen + ctx->tagLen;
114
    if (maxOutputLen < *outputLen) {
115
	PORT_SetError(SEC_ERROR_OUTPUT_LEN);
116
	return SECFailure;
117
    }
118
119
    memset(block, 0, sizeof(block));
120
    // Generate a block of keystream. The first 32 bytes will be the poly1305
121
    // key. The remainder of the block is discarded.
122
    ChaCha20XOR(block, block, sizeof(block), ctx->key, nonce, 0);
123
    ChaCha20XOR(output, input, inputLen, ctx->key, nonce, 1);
124
125
    Poly1305Do(tag, ad, adLen, output, inputLen, block);
126
    memcpy(output + inputLen, tag, ctx->tagLen);
127
128
    return SECSuccess;
129
}
130
131
SECStatus
132
ChaCha20Poly1305_Open(const ChaCha20Poly1305Context *ctx,
133
		      unsigned char *output, unsigned int *outputLen,
134
		      unsigned int maxOutputLen,
135
		      const unsigned char *input, unsigned int inputLen,
136
		      const unsigned char *nonce, unsigned int nonceLen,
137
		      const unsigned char *ad, unsigned int adLen)
138
{
139
    unsigned char block[64];
140
    unsigned char tag[16];
141
142
    if (nonceLen != 8) {
143
	PORT_SetError(SEC_ERROR_INPUT_LEN);
144
	return SECFailure;
145
    }
146
    if (inputLen < ctx->tagLen) {
147
	PORT_SetError(SEC_ERROR_INPUT_LEN);
148
	return SECFailure;
149
    }
150
    *outputLen = inputLen - ctx->tagLen;
151
    if (maxOutputLen < *outputLen) {
152
	PORT_SetError(SEC_ERROR_OUTPUT_LEN);
153
	return SECFailure;
154
    }
155
156
    memset(block, 0, sizeof(block));
157
    // Generate a block of keystream. The first 32 bytes will be the poly1305
158
    // key. The remainder of the block is discarded.
159
    ChaCha20XOR(block, block, sizeof(block), ctx->key, nonce, 0);
160
    Poly1305Do(tag, ad, adLen, input, inputLen - ctx->tagLen, block);
161
    if (NSS_SecureMemcmp(tag, &input[inputLen - ctx->tagLen], ctx->tagLen) != 0) {
162
	PORT_SetError(SEC_ERROR_BAD_DATA);
163
	return SECFailure;
164
    }
165
166
    ChaCha20XOR(output, input, inputLen - ctx->tagLen, ctx->key, nonce, 1);
167
168
    return SECSuccess;
169
}
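Review bot: In ChaCha20Poly1305_Seal, `*outputLen = inputLen + ctx->tagLen;` is computed in `unsigned int` and wraps when inputLen is within tagLen of the type's maximum. The `maxOutputLen < *outputLen` check then passes while ChaCha20XOR still writes inputLen bytes to `output`. Reject the wrap before the bounds check, e.g. `if (inputLen + ctx->tagLen < inputLen) { PORT_SetError(SEC_ERROR_INPUT_LEN); return SECFailure; }`. Separately, Seal and Open both return with the one-time Poly1305 key still in `block` and the full tag in `tag` on the stack. Clearing both on every exit path would match what ChaCha20Poly1305_DestroyContext does for the long-term key, bearing in mind that a plain `memset` of a dead local (or of memory about to be freed) may be removed by the optimizer.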
(-)0a2868789206 (+15 lines)
1
/* This Source Code Form is subject to the terms of the Mozilla Public
2
 * License, v. 2.0. If a copy of the MPL was not distributed with this
3
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4
5
#ifndef _CHACHA20_POLY1305_H_
6
#define _CHACHA20_POLY1305_H_ 1
7
8
/* ChaCha20Poly1305ContextStr saves the key and tag length for a
9
 * ChaCha20+Poly1305 AEAD operation. */
10
struct ChaCha20Poly1305ContextStr {
11
    unsigned char key[32];
12
    unsigned char tagLen;
13
};
14
15
#endif /* _CHACHA20_POLY1305_H_ */
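Review bot: The comment on ChaCha20Poly1305ContextStr does not state the valid range of `tagLen` or that `key` holds the raw secret key. From this header alone, a reader cannot tell that ChaCha20Poly1305_InitContext accepts only 1..16, or that any value below 16 truncates the Poly1305 tag and lowers forgery resistance accordingly. I would add field comments such as `/* tagLen: authenticator length in bytes, 1..16; values below 16 truncate the tag. */` and `/* key: raw 32-byte secret; wipe via ChaCha20Poly1305_DestroyContext. */`.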
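--- a/lib/freebl/ldvector.c
+++ b/lib/freebl/ldvector.c
@@ -263,9 +263,17 @@
     /* End of Version 3.014 */
 
     HMAC_ConstantTime,
-    SSLv3_MAC_ConstantTime
+    SSLv3_MAC_ConstantTime,
 
     /* End of Version 3.015 */
+
+    ChaCha20Poly1305_InitContext,
+    ChaCha20Poly1305_CreateContext,
+    ChaCha20Poly1305_DestroyContext,
+    ChaCha20Poly1305_Seal,
+    ChaCha20Poly1305_Open
+
+    /* End of Version 3.016 */
 };
 
 const FREEBLVector * 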
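--- a/lib/freebl/loader.c
+++ b/lib/freebl/loader.c
@@ -1906,3 +1906,60 @@
       header, headerLen,
       body, bodyLen, bodyTotalLen);
 }
+
+SECStatus
+ChaCha20Poly1305_InitContext(ChaCha20Poly1305Context *ctx,
+			     const unsigned char *key, unsigned int keyLen,
+			     unsigned int tagLen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_ChaCha20Poly1305_InitContext)(ctx, key, keyLen, tagLen);
+}
+
+ChaCha20Poly1305Context *
+ChaCha20Poly1305_CreateContext(const unsigned char *key, unsigned int keyLen,
+			       unsigned int tagLen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return NULL;
+  return (vector->p_ChaCha20Poly1305_CreateContext)(key, keyLen, tagLen);
+}
+
+void
+ChaCha20Poly1305_DestroyContext(ChaCha20Poly1305Context *ctx, PRBool freeit)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return;
+  (vector->p_ChaCha20Poly1305_DestroyContext)(ctx, freeit);
+}
+
+SECStatus
+ChaCha20Poly1305_Seal(const ChaCha20Poly1305Context *ctx,
+		      unsigned char *output, unsigned int *outputLen,
+		      unsigned int maxOutputLen,
+		      const unsigned char *input, unsigned int inputLen,
+		      const unsigned char *nonce, unsigned int nonceLen,
+		      const unsigned char *ad, unsigned int adLen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_ChaCha20Poly1305_Seal)(
+      ctx, output, outputLen, maxOutputLen, input, inputLen,
+      nonce, nonceLen, ad, adLen);
+}
+
+SECStatus
+ChaCha20Poly1305_Open(const ChaCha20Poly1305Context *ctx,
+		      unsigned char *output, unsigned int *outputLen,
+		      unsigned int maxOutputLen,
+		      const unsigned char *input, unsigned int inputLen,
+		      const unsigned char *nonce, unsigned int nonceLen,
+		      const unsigned char *ad, unsigned int adLen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_ChaCha20Poly1305_Open)(
+      ctx, output, outputLen, maxOutputLen, input, inputLen,
+      nonce, nonceLen, ad, adLen);
+}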
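--- a/lib/freebl/loader.h
+++ b/lib/freebl/loader.h
@@ -10,7 +10,7 @@
 
 #include "blapi.h"
 
-#define FREEBL_VERSION 0x030F
+#define FREEBL_VERSION 0x0310
 
 struct FREEBLVectorStr {
 
@@ -596,6 +596,32 @@
      unsigned int bodyTotalLen);
 
   /* Version 3.015 came to here */
+
+ SECStatus (* p_ChaCha20Poly1305_InitContext)(
+     ChaCha20Poly1305Context *ctx, const unsigned char *key,
+     unsigned int keyLen, unsigned int tagLen);
+
+ ChaCha20Poly1305Context * (* p_ChaCha20Poly1305_CreateContext)(
+     const unsigned char *key, unsigned int keyLen, unsigned int tagLen);
+
+ void (* p_ChaCha20Poly1305_DestroyContext)(
+     ChaCha20Poly1305Context *ctx, PRBool freeit);
+
+ SECStatus (* p_ChaCha20Poly1305_Seal)(
+     const ChaCha20Poly1305Context *ctx,
+     unsigned char *output, unsigned int *outputLen, unsigned int maxOutputLen,
+     const unsigned char *input, unsigned int inputLen,
+     const unsigned char *nonce, unsigned int nonceLen,
+     const unsigned char *ad, unsigned int adLen);
+
+ SECStatus (* p_ChaCha20Poly1305_Open)(
+     const ChaCha20Poly1305Context *ctx,
+     unsigned char *output, unsigned int *outputLen, unsigned int maxOutputLen,
+     const unsigned char *input, unsigned int inputLen,
+     const unsigned char *nonce, unsigned int nonceLen,
+     const unsigned char *ad, unsigned int adLen);
+
+  /* Version 3.016 came to here */
  };
 
 typedef struct FREEBLVectorStr FREEBLVector;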
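--- a/lib/freebl/manifest.mn
+++ b/lib/freebl/manifest.mn
@@ -55,6 +55,7 @@
 
 PRIVATE_EXPORTS = \
 	alghmac.h \
+	chacha20poly1305.h \
 	blapi.h \
 	hmacct.h \
 	secmpi.h \
@@ -101,6 +102,7 @@
 	desblapi.c \
 	des.c \
 	drbg.c \
+	chacha20poly1305.c \
 	cts.c \
 	ctr.c \
 	gcm.c \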
(-)0a2868789206 (+623 lines)
1
/* This Source Code Form is subject to the terms of the Mozilla Public
2
 * License, v. 2.0. If a copy of the MPL was not distributed with this
3
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4
5
/* This implementation of poly1305 is by Andrew Moon
6
 * (https://github.com/floodyberry/poly1305-donna) and released as public
7
 * domain. It implements SIMD vectorization based on the algorithm described in
8
 * http://cr.yp.to/papers.html#neoncrypto. Unrolled to 2 powers, i.e. 64 byte
9
 * block size. */
10
11
#include <emmintrin.h>
12
#include <stdint.h>
13
14
#include "poly1305.h"
15
16
#define ALIGN(x) __attribute__((aligned(x)))
17
#define INLINE inline
18
#define U8TO64_LE(m) (*(uint64_t*)(m))
19
#define U8TO32_LE(m) (*(uint32_t*)(m))
20
#define U64TO8_LE(m,v) (*(uint64_t*)(m)) = v
21
22
typedef __m128i xmmi;
23
typedef unsigned __int128 uint128_t;
24
25
static const uint32_t ALIGN(16) poly1305_x64_sse2_message_mask[4] = {(1 << 26) - 1, 0, (1 << 26) - 1, 0};
26
static const uint32_t ALIGN(16) poly1305_x64_sse2_5[4] = {5, 0, 5, 0};
27
static const uint32_t ALIGN(16) poly1305_x64_sse2_1shl128[4] = {(1 << 24), 0, (1 << 24), 0};
28
29
static uint128_t INLINE
30
add128(uint128_t a, uint128_t b) {
31
	return a + b;
32
}
33
34
static uint128_t INLINE
35
add128_64(uint128_t a, uint64_t b) {
36
	return a + b;
37
}
38
39
static uint128_t INLINE
40
mul64x64_128(uint64_t a, uint64_t b) {
41
	return (uint128_t)a * b;
42
}
43
44
static uint64_t INLINE
45
lo128(uint128_t a) {
46
	return (uint64_t)a;
47
}
48
49
static uint64_t INLINE
50
shr128(uint128_t v, const int shift) {
51
	return (uint64_t)(v >> shift);
52
}
53
54
static uint64_t INLINE
55
shr128_pair(uint64_t hi, uint64_t lo, const int shift) {
56
	return (uint64_t)((((uint128_t)hi << 64) | lo) >> shift);
57
}
58
59
typedef struct poly1305_power_t {
60
	union {
61
		xmmi v;
62
		uint64_t u[2];
63
		uint32_t d[4];
64
	} R20,R21,R22,R23,R24,S21,S22,S23,S24;
65
} poly1305_power;
66
67
typedef struct poly1305_state_internal_t {
68
	poly1305_power P[2];     /* 288 bytes, top 32 bit halves unused = 144 bytes of free storage */
69
	union {
70
		xmmi H[5];           /*  80 bytes  */
71
		uint64_t HH[10];
72
	};
73
	/* uint64_t r0,r1,r2;       [24 bytes] */
74
	/* uint64_t pad0,pad1;      [16 bytes] */
75
	uint64_t started;        /*   8 bytes  */
76
	uint64_t leftover;       /*   8 bytes  */
77
	uint8_t buffer[64];      /*  64 bytes  */
78
} poly1305_state_internal;   /* 448 bytes total + 63 bytes for alignment = 511 bytes raw */
79
80
static poly1305_state_internal INLINE
81
*poly1305_aligned_state(poly1305_state *state) {
82
	return (poly1305_state_internal *)(((uint64_t)state + 63) & ~63);
83
}
84
85
/* copy 0-63 bytes */
86
static void INLINE
87
poly1305_block_copy(uint8_t *dst, const uint8_t *src, size_t bytes) {
88
	size_t offset = src - dst;
89
	if (bytes & 32) {
90
		_mm_storeu_si128((xmmi *)(dst + 0), _mm_loadu_si128((xmmi *)(dst + offset + 0)));
91
		_mm_storeu_si128((xmmi *)(dst + 16), _mm_loadu_si128((xmmi *)(dst + offset + 16)));
92
		dst += 32;
93
	}
94
	if (bytes & 16) { _mm_storeu_si128((xmmi *)dst, _mm_loadu_si128((xmmi *)(dst + offset))); dst += 16; }
95
	if (bytes &  8) { *(uint64_t *)dst = *(uint64_t *)(dst + offset); dst += 8; }
96
	if (bytes &  4) { *(uint32_t *)dst = *(uint32_t *)(dst + offset); dst += 4; }
97
	if (bytes &  2) { *(uint16_t *)dst = *(uint16_t *)(dst + offset); dst += 2; }
98
	if (bytes &  1) { *( uint8_t *)dst = *( uint8_t *)(dst + offset);           }
99
}
100
101
/* zero 0-15 bytes */
102
static void INLINE
103
poly1305_block_zero(uint8_t *dst, size_t bytes) {
104
	if (bytes &  8) { *(uint64_t *)dst = 0; dst += 8; }
105
	if (bytes &  4) { *(uint32_t *)dst = 0; dst += 4; }
106
	if (bytes &  2) { *(uint16_t *)dst = 0; dst += 2; }
107
	if (bytes &  1) { *( uint8_t *)dst = 0; }
108
}
109
110
static size_t INLINE
111
poly1305_min(size_t a, size_t b) {
112
	return (a < b) ? a : b;
113
}
114
115
void
116
Poly1305Init(poly1305_state *state, const unsigned char key[32]) {
117
	poly1305_state_internal *st = poly1305_aligned_state(state);
118
	poly1305_power *p;
119
	uint64_t r0,r1,r2;
120
	uint64_t t0,t1;
121
122
	/* clamp key */
123
	t0 = U8TO64_LE(key + 0);
124
	t1 = U8TO64_LE(key + 8);
125
	r0 = t0 & 0xffc0fffffff; t0 >>= 44; t0 |= t1 << 20;
126
	r1 = t0 & 0xfffffc0ffff; t1 >>= 24;
127
	r2 = t1 & 0x00ffffffc0f;
128
129
	/* store r in un-used space of st->P[1] */
130
	p = &st->P[1];
131
	p->R20.d[1] = (uint32_t)(r0      );
132
	p->R20.d[3] = (uint32_t)(r0 >> 32);
133
	p->R21.d[1] = (uint32_t)(r1      );
134
	p->R21.d[3] = (uint32_t)(r1 >> 32);
135
	p->R22.d[1] = (uint32_t)(r2      );
136
	p->R22.d[3] = (uint32_t)(r2 >> 32);
137
138
	/* store pad */
139
	p->R23.d[1] = U8TO32_LE(key + 16);
140
	p->R23.d[3] = U8TO32_LE(key + 20);
141
	p->R24.d[1] = U8TO32_LE(key + 24);
142
	p->R24.d[3] = U8TO32_LE(key + 28);
143
144
	/* H = 0 */
145
	st->H[0] = _mm_setzero_si128();
146
	st->H[1] = _mm_setzero_si128();
147
	st->H[2] = _mm_setzero_si128();
148
	st->H[3] = _mm_setzero_si128();
149
	st->H[4] = _mm_setzero_si128();
150
151
	st->started = 0;
152
	st->leftover = 0;
153
}
154
155
static void
156
poly1305_first_block(poly1305_state_internal *st, const uint8_t *m) {
157
	const xmmi MMASK = _mm_load_si128((xmmi *)poly1305_x64_sse2_message_mask);
158
	const xmmi FIVE = _mm_load_si128((xmmi*)poly1305_x64_sse2_5);
159
	const xmmi HIBIT = _mm_load_si128((xmmi*)poly1305_x64_sse2_1shl128);
160
	xmmi T5,T6;
161
	poly1305_power *p;
162
	uint128_t d[3];
163
	uint64_t r0,r1,r2;
164
	uint64_t r20,r21,r22,s22;
165
	uint64_t pad0,pad1;
166
	uint64_t c;
167
	uint64_t i;
168
169
	/* pull out stored info */
170
	p = &st->P[1];
171
172
	r0   = ((uint64_t)p->R20.d[3] << 32) | (uint64_t)p->R20.d[1];
173
	r1   = ((uint64_t)p->R21.d[3] << 32) | (uint64_t)p->R21.d[1];
174
	r2   = ((uint64_t)p->R22.d[3] << 32) | (uint64_t)p->R22.d[1];
175
	pad0 = ((uint64_t)p->R23.d[3] << 32) | (uint64_t)p->R23.d[1];
176
	pad1 = ((uint64_t)p->R24.d[3] << 32) | (uint64_t)p->R24.d[1];
177
178
	/* compute powers r^2,r^4 */
179
	r20 = r0;
180
	r21 = r1;
181
	r22 = r2;
182
	for (i = 0; i < 2; i++) {
183
		s22 = r22 * (5 << 2);
184
185
		d[0] = add128(mul64x64_128(r20, r20), mul64x64_128(r21 * 2, s22));
186
		d[1] = add128(mul64x64_128(r22, s22), mul64x64_128(r20 * 2, r21));
187
		d[2] = add128(mul64x64_128(r21, r21), mul64x64_128(r22 * 2, r20));
188
189
		                           r20 = lo128(d[0]) & 0xfffffffffff; c = shr128(d[0], 44);
190
		d[1] = add128_64(d[1], c); r21 = lo128(d[1]) & 0xfffffffffff; c = shr128(d[1], 44);
191
		d[2] = add128_64(d[2], c); r22 = lo128(d[2]) & 0x3ffffffffff; c = shr128(d[2], 42);
192
		r20 += c * 5; c = (r20 >> 44); r20 = r20 & 0xfffffffffff;
193
		r21 += c;
194
195
		p->R20.v = _mm_shuffle_epi32(_mm_cvtsi32_si128((uint32_t)( r20                     ) & 0x3ffffff), _MM_SHUFFLE(1,0,1,0));
196
		p->R21.v = _mm_shuffle_epi32(_mm_cvtsi32_si128((uint32_t)((r20 >> 26) | (r21 << 18)) & 0x3ffffff), _MM_SHUFFLE(1,0,1,0));
197
		p->R22.v = _mm_shuffle_epi32(_mm_cvtsi32_si128((uint32_t)((r21 >> 8)               ) & 0x3ffffff), _MM_SHUFFLE(1,0,1,0));
198
		p->R23.v = _mm_shuffle_epi32(_mm_cvtsi32_si128((uint32_t)((r21 >> 34) | (r22 << 10)) & 0x3ffffff), _MM_SHUFFLE(1,0,1,0));
199
		p->R24.v = _mm_shuffle_epi32(_mm_cvtsi32_si128((uint32_t)((r22 >> 16)              )            ), _MM_SHUFFLE(1,0,1,0));
200
		p->S21.v = _mm_mul_epu32(p->R21.v, FIVE);
201
		p->S22.v = _mm_mul_epu32(p->R22.v, FIVE);
202
		p->S23.v = _mm_mul_epu32(p->R23.v, FIVE);
203
		p->S24.v = _mm_mul_epu32(p->R24.v, FIVE);
204
		p--;
205
	}
206
207
	/* put saved info back */
208
	p = &st->P[1];
209
	p->R20.d[1] = (uint32_t)(r0        );
210
	p->R20.d[3] = (uint32_t)(r0   >> 32);
211
	p->R21.d[1] = (uint32_t)(r1        );
212
	p->R21.d[3] = (uint32_t)(r1   >> 32);
213
	p->R22.d[1] = (uint32_t)(r2        );
214
	p->R22.d[3] = (uint32_t)(r2   >> 32);
215
	p->R23.d[1] = (uint32_t)(pad0      );
216
	p->R23.d[3] = (uint32_t)(pad0 >> 32);
217
	p->R24.d[1] = (uint32_t)(pad1      );
218
	p->R24.d[3] = (uint32_t)(pad1 >> 32);
219
220
	/* H = [Mx,My] */
221
	T5 = _mm_unpacklo_epi64(_mm_loadl_epi64((xmmi *)(m + 0)), _mm_loadl_epi64((xmmi *)(m + 16)));
222
	T6 = _mm_unpacklo_epi64(_mm_loadl_epi64((xmmi *)(m + 8)), _mm_loadl_epi64((xmmi *)(m + 24)));
223
	st->H[0] = _mm_and_si128(MMASK, T5);
224
	st->H[1] = _mm_and_si128(MMASK, _mm_srli_epi64(T5, 26));
225
	T5 = _mm_or_si128(_mm_srli_epi64(T5, 52), _mm_slli_epi64(T6, 12));
226
	st->H[2] = _mm_and_si128(MMASK, T5);
227
	st->H[3] = _mm_and_si128(MMASK, _mm_srli_epi64(T5, 26));
228
	st->H[4] = _mm_or_si128(_mm_srli_epi64(T6, 40), HIBIT);
229
}
230
231
static void
232
poly1305_blocks(poly1305_state_internal *st, const uint8_t *m, size_t bytes) {
233
	const xmmi MMASK = _mm_load_si128((xmmi *)poly1305_x64_sse2_message_mask);
234
	const xmmi FIVE = _mm_load_si128((xmmi*)poly1305_x64_sse2_5);
235
	const xmmi HIBIT = _mm_load_si128((xmmi*)poly1305_x64_sse2_1shl128);
236
237
	poly1305_power *p;
238
	xmmi H0,H1,H2,H3,H4;
239
	xmmi T0,T1,T2,T3,T4,T5,T6;
240
	xmmi M0,M1,M2,M3,M4;
241
	xmmi C1,C2;
242
243
	H0 = st->H[0];
244
	H1 = st->H[1];
245
	H2 = st->H[2];
246
	H3 = st->H[3];
247
	H4 = st->H[4];
248
249
	while (bytes >= 64) {
250
		/* H *= [r^4,r^4] */
251
		p = &st->P[0];
252
		T0 = _mm_mul_epu32(H0, p->R20.v);
253
		T1 = _mm_mul_epu32(H0, p->R21.v);
254
		T2 = _mm_mul_epu32(H0, p->R22.v);
255
		T3 = _mm_mul_epu32(H0, p->R23.v);
256
		T4 = _mm_mul_epu32(H0, p->R24.v);
257
		T5 = _mm_mul_epu32(H1, p->S24.v); T6 = _mm_mul_epu32(H1, p->R20.v); T0 = _mm_add_epi64(T0, T5); T1 = _mm_add_epi64(T1, T6);
258
		T5 = _mm_mul_epu32(H2, p->S23.v); T6 = _mm_mul_epu32(H2, p->S24.v); T0 = _mm_add_epi64(T0, T5); T1 = _mm_add_epi64(T1, T6);
259
		T5 = _mm_mul_epu32(H3, p->S22.v); T6 = _mm_mul_epu32(H3, p->S23.v); T0 = _mm_add_epi64(T0, T5); T1 = _mm_add_epi64(T1, T6);
260
		T5 = _mm_mul_epu32(H4, p->S21.v); T6 = _mm_mul_epu32(H4, p->S22.v); T0 = _mm_add_epi64(T0, T5); T1 = _mm_add_epi64(T1, T6);
261
		T5 = _mm_mul_epu32(H1, p->R21.v); T6 = _mm_mul_epu32(H1, p->R22.v); T2 = _mm_add_epi64(T2, T5); T3 = _mm_add_epi64(T3, T6);
262
		T5 = _mm_mul_epu32(H2, p->R20.v); T6 = _mm_mul_epu32(H2, p->R21.v); T2 = _mm_add_epi64(T2, T5); T3 = _mm_add_epi64(T3, T6);
263
		T5 = _mm_mul_epu32(H3, p->S24.v); T6 = _mm_mul_epu32(H3, p->R20.v); T2 = _mm_add_epi64(T2, T5); T3 = _mm_add_epi64(T3, T6);
264
		T5 = _mm_mul_epu32(H4, p->S23.v); T6 = _mm_mul_epu32(H4, p->S24.v); T2 = _mm_add_epi64(T2, T5); T3 = _mm_add_epi64(T3, T6);
265
		T5 = _mm_mul_epu32(H1, p->R23.v);                                   T4 = _mm_add_epi64(T4, T5);
266
		T5 = _mm_mul_epu32(H2, p->R22.v);                                   T4 = _mm_add_epi64(T4, T5);
267
		T5 = _mm_mul_epu32(H3, p->R21.v);                                   T4 = _mm_add_epi64(T4, T5);
268
		T5 = _mm_mul_epu32(H4, p->R20.v);                                   T4 = _mm_add_epi64(T4, T5);
269
270
		/* H += [Mx,My]*[r^2,r^2] */
271
		T5 = _mm_unpacklo_epi64(_mm_loadl_epi64((xmmi *)(m + 0)), _mm_loadl_epi64((xmmi *)(m + 16)));
272
		T6 = _mm_unpacklo_epi64(_mm_loadl_epi64((xmmi *)(m + 8)), _mm_loadl_epi64((xmmi *)(m + 24)));
273
		M0 = _mm_and_si128(MMASK, T5);
274
		M1 = _mm_and_si128(MMASK, _mm_srli_epi64(T5, 26));
275
		T5 = _mm_or_si128(_mm_srli_epi64(T5, 52), _mm_slli_epi64(T6, 12));
276
		M2 = _mm_and_si128(MMASK, T5);
277
		M3 = _mm_and_si128(MMASK, _mm_srli_epi64(T5, 26));
278
		M4 = _mm_or_si128(_mm_srli_epi64(T6, 40), HIBIT);
279
280
		p = &st->P[1];
281
		T5 = _mm_mul_epu32(M0, p->R20.v); T6 = _mm_mul_epu32(M0, p->R21.v); T0 = _mm_add_epi64(T0, T5); T1 = _mm_add_epi64(T1, T6);
282
		T5 = _mm_mul_epu32(M1, p->S24.v); T6 = _mm_mul_epu32(M1, p->R20.v); T0 = _mm_add_epi64(T0, T5); T1 = _mm_add_epi64(T1, T6);
283
		T5 = _mm_mul_epu32(M2, p->S23.v); T6 = _mm_mul_epu32(M2, p->S24.v); T0 = _mm_add_epi64(T0, T5); T1 = _mm_add_epi64(T1, T6);
284
		T5 = _mm_mul_epu32(M3, p->S22.v); T6 = _mm_mul_epu32(M3, p->S23.v); T0 = _mm_add_epi64(T0, T5); T1 = _mm_add_epi64(T1, T6);
285
		T5 = _mm_mul_epu32(M4, p->S21.v); T6 = _mm_mul_epu32(M4, p->S22.v); T0 = _mm_add_epi64(T0, T5); T1 = _mm_add_epi64(T1, T6);
286
		T5 = _mm_mul_epu32(M0, p->R22.v); T6 = _mm_mul_epu32(M0, p->R23.v); T2 = _mm_add_epi64(T2, T5); T3 = _mm_add_epi64(T3, T6);
287
		T5 = _mm_mul_epu32(M1, p->R21.v); T6 = _mm_mul_epu32(M1, p->R22.v); T2 = _mm_add_epi64(T2, T5); T3 = _mm_add_epi64(T3, T6);
288
		T5 = _mm_mul_epu32(M2, p->R20.v); T6 = _mm_mul_epu32(M2, p->R21.v); T2 = _mm_add_epi64(T2, T5); T3 = _mm_add_epi64(T3, T6);
289
		T5 = _mm_mul_epu32(M3, p->S24.v); T6 = _mm_mul_epu32(M3, p->R20.v); T2 = _mm_add_epi64(T2, T5); T3 = _mm_add_epi64(T3, T6);
290
		T5 = _mm_mul_epu32(M4, p->S23.v); T6 = _mm_mul_epu32(M4, p->S24.v); T2 = _mm_add_epi64(T2, T5); T3 = _mm_add_epi64(T3, T6);
291
		T5 = _mm_mul_epu32(M0, p->R24.v);                                   T4 = _mm_add_epi64(T4, T5);
292
		T5 = _mm_mul_epu32(M1, p->R23.v);                                   T4 = _mm_add_epi64(T4, T5);
293
		T5 = _mm_mul_epu32(M2, p->R22.v);                                   T4 = _mm_add_epi64(T4, T5);
294
		T5 = _mm_mul_epu32(M3, p->R21.v);                                   T4 = _mm_add_epi64(T4, T5);
295
		T5 = _mm_mul_epu32(M4, p->R20.v);                                   T4 = _mm_add_epi64(T4, T5);
296
297
		/* H += [Mx,My] */
298
		T5 = _mm_unpacklo_epi64(_mm_loadl_epi64((xmmi *)(m + 32)), _mm_loadl_epi64((xmmi *)(m + 48)));
299
		T6 = _mm_unpacklo_epi64(_mm_loadl_epi64((xmmi *)(m + 40)), _mm_loadl_epi64((xmmi *)(m + 56)));
300
		M0 = _mm_and_si128(MMASK, T5);
301
		M1 = _mm_and_si128(MMASK, _mm_srli_epi64(T5, 26));
302
		T5 = _mm_or_si128(_mm_srli_epi64(T5, 52), _mm_slli_epi64(T6, 12));
303
		M2 = _mm_and_si128(MMASK, T5);
304
		M3 = _mm_and_si128(MMASK, _mm_srli_epi64(T5, 26));
305
		M4 = _mm_or_si128(_mm_srli_epi64(T6, 40), HIBIT);
306
307
		T0 = _mm_add_epi64(T0, M0);
308
		T1 = _mm_add_epi64(T1, M1);
309
		T2 = _mm_add_epi64(T2, M2);
310
		T3 = _mm_add_epi64(T3, M3);
311
		T4 = _mm_add_epi64(T4, M4);
312
313
		/* reduce */
314
		C1 = _mm_srli_epi64(T0, 26); C2 = _mm_srli_epi64(T3, 26); T0 = _mm_and_si128(T0, MMASK); T3 = _mm_and_si128(T3, MMASK); T1 = _mm_add_epi64(T1, C1); T4 = _mm_add_epi64(T4, C2);
315
		C1 = _mm_srli_epi64(T1, 26); C2 = _mm_srli_epi64(T4, 26); T1 = _mm_and_si128(T1, MMASK); T4 = _mm_and_si128(T4, MMASK); T2 = _mm_add_epi64(T2, C1); T0 = _mm_add_epi64(T0, _mm_mul_epu32(C2, FIVE));
316
		C1 = _mm_srli_epi64(T2, 26); C2 = _mm_srli_epi64(T0, 26); T2 = _mm_and_si128(T2, MMASK); T0 = _mm_and_si128(T0, MMASK); T3 = _mm_add_epi64(T3, C1); T1 = _mm_add_epi64(T1, C2);
317
		C1 = _mm_srli_epi64(T3, 26);                              T3 = _mm_and_si128(T3, MMASK);                                T4 = _mm_add_epi64(T4, C1);
318
319
		/* H = (H*[r^4,r^4] + [Mx,My]*[r^2,r^2] + [Mx,My]) */
320
		H0 = T0;
321
		H1 = T1;
322
		H2 = T2;
323
		H3 = T3;
324
		H4 = T4;
325
326
		m += 64;
327
		bytes -= 64;
328
	}
329
330
	st->H[0] = H0;
331
	st->H[1] = H1;
332
	st->H[2] = H2;
333
	st->H[3] = H3;
334
	st->H[4] = H4;
335
}
336
337
static size_t
338
poly1305_combine(poly1305_state_internal *st, const uint8_t *m, size_t bytes) {
339
	const xmmi MMASK = _mm_load_si128((xmmi *)poly1305_x64_sse2_message_mask);
340
	const xmmi HIBIT = _mm_load_si128((xmmi*)poly1305_x64_sse2_1shl128);
341
	const xmmi FIVE = _mm_load_si128((xmmi*)poly1305_x64_sse2_5);
342
343
	poly1305_power *p;
344
	xmmi H0,H1,H2,H3,H4;
345
	xmmi M0,M1,M2,M3,M4;
346
	xmmi T0,T1,T2,T3,T4,T5,T6;
347
	xmmi C1,C2;
348
349
	uint64_t r0,r1,r2;
350
	uint64_t t0,t1,t2,t3,t4;
351
	uint64_t c;
352
	size_t consumed = 0;
353
354
	H0 = st->H[0];
355
	H1 = st->H[1];
356
	H2 = st->H[2];
357
	H3 = st->H[3];
358
	H4 = st->H[4];
359
360
	/* p = [r^2,r^2] */
361
	p = &st->P[1];
362
363
	if (bytes >= 32) {
364
		/* H *= [r^2,r^2] */
365
		T0 = _mm_mul_epu32(H0, p->R20.v);
366
		T1 = _mm_mul_epu32(H0, p->R21.v);
367
		T2 = _mm_mul_epu32(H0, p->R22.v);
368
		T3 = _mm_mul_epu32(H0, p->R23.v);
369
		T4 = _mm_mul_epu32(H0, p->R24.v);
370
		T5 = _mm_mul_epu32(H1, p->S24.v); T6 = _mm_mul_epu32(H1, p->R20.v); T0 = _mm_add_epi64(T0, T5); T1 = _mm_add_epi64(T1, T6);
371
		T5 = _mm_mul_epu32(H2, p->S23.v); T6 = _mm_mul_epu32(H2, p->S24.v); T0 = _mm_add_epi64(T0, T5); T1 = _mm_add_epi64(T1, T6);
372
		T5 = _mm_mul_epu32(H3, p->S22.v); T6 = _mm_mul_epu32(H3, p->S23.v); T0 = _mm_add_epi64(T0, T5); T1 = _mm_add_epi64(T1, T6);
373
		T5 = _mm_mul_epu32(H4, p->S21.v); T6 = _mm_mul_epu32(H4, p->S22.v); T0 = _mm_add_epi64(T0, T5); T1 = _mm_add_epi64(T1, T6);
374
		T5 = _mm_mul_epu32(H1, p->R21.v); T6 = _mm_mul_epu32(H1, p->R22.v); T2 = _mm_add_epi64(T2, T5); T3 = _mm_add_epi64(T3, T6);
375
		T5 = _mm_mul_epu32(H2, p->R20.v); T6 = _mm_mul_epu32(H2, p->R21.v); T2 = _mm_add_epi64(T2, T5); T3 = _mm_add_epi64(T3, T6);
376
		T5 = _mm_mul_epu32(H3, p->S24.v); T6 = _mm_mul_epu32(H3, p->R20.v); T2 = _mm_add_epi64(T2, T5); T3 = _mm_add_epi64(T3, T6);
377
		T5 = _mm_mul_epu32(H4, p->S23.v); T6 = _mm_mul_epu32(H4, p->S24.v); T2 = _mm_add_epi64(T2, T5); T3 = _mm_add_epi64(T3, T6);
378
		T5 = _mm_mul_epu32(H1, p->R23.v);                                   T4 = _mm_add_epi64(T4, T5);
379
		T5 = _mm_mul_epu32(H2, p->R22.v);                                   T4 = _mm_add_epi64(T4, T5);
380
		T5 = _mm_mul_epu32(H3, p->R21.v);                                   T4 = _mm_add_epi64(T4, T5);
381
		T5 = _mm_mul_epu32(H4, p->R20.v);                                   T4 = _mm_add_epi64(T4, T5);
382
383
		/* H += [Mx,My] */
384
		T5 = _mm_unpacklo_epi64(_mm_loadl_epi64((xmmi *)(m + 0)), _mm_loadl_epi64((xmmi *)(m + 16)));
385
		T6 = _mm_unpacklo_epi64(_mm_loadl_epi64((xmmi *)(m + 8)), _mm_loadl_epi64((xmmi *)(m + 24)));
386
		M0 = _mm_and_si128(MMASK, T5);
387
		M1 = _mm_and_si128(MMASK, _mm_srli_epi64(T5, 26));
388
		T5 = _mm_or_si128(_mm_srli_epi64(T5, 52), _mm_slli_epi64(T6, 12));
389
		M2 = _mm_and_si128(MMASK, T5);
390
		M3 = _mm_and_si128(MMASK, _mm_srli_epi64(T5, 26));
391
		M4 = _mm_or_si128(_mm_srli_epi64(T6, 40), HIBIT);
392
393
		T0 = _mm_add_epi64(T0, M0);
394
		T1 = _mm_add_epi64(T1, M1);
395
		T2 = _mm_add_epi64(T2, M2);
396
		T3 = _mm_add_epi64(T3, M3);
397
		T4 = _mm_add_epi64(T4, M4);
398
399
		/* reduce */
400
		C1 = _mm_srli_epi64(T0, 26); C2 = _mm_srli_epi64(T3, 26); T0 = _mm_and_si128(T0, MMASK); T3 = _mm_and_si128(T3, MMASK); T1 = _mm_add_epi64(T1, C1); T4 = _mm_add_epi64(T4, C2);
401
		C1 = _mm_srli_epi64(T1, 26); C2 = _mm_srli_epi64(T4, 26); T1 = _mm_and_si128(T1, MMASK); T4 = _mm_and_si128(T4, MMASK); T2 = _mm_add_epi64(T2, C1); T0 = _mm_add_epi64(T0, _mm_mul_epu32(C2, FIVE));
402
		C1 = _mm_srli_epi64(T2, 26); C2 = _mm_srli_epi64(T0, 26); T2 = _mm_and_si128(T2, MMASK); T0 = _mm_and_si128(T0, MMASK); T3 = _mm_add_epi64(T3, C1); T1 = _mm_add_epi64(T1, C2);
403
		C1 = _mm_srli_epi64(T3, 26);                              T3 = _mm_and_si128(T3, MMASK);                                T4 = _mm_add_epi64(T4, C1);
404
405
		/* H = (H*[r^2,r^2] + [Mx,My]) */
406
		H0 = T0;
407
		H1 = T1;
408
		H2 = T2;
409
		H3 = T3;
410
		H4 = T4;
411
412
		consumed = 32;
413
	}
414
415
	/* finalize, H *= [r^2,r] */
416
	r0 = ((uint64_t)p->R20.d[3] << 32) | (uint64_t)p->R20.d[1];
417
	r1 = ((uint64_t)p->R21.d[3] << 32) | (uint64_t)p->R21.d[1];
418
	r2 = ((uint64_t)p->R22.d[3] << 32) | (uint64_t)p->R22.d[1];
419
420
	p->R20.d[2] = (uint32_t)( r0                    ) & 0x3ffffff;
421
	p->R21.d[2] = (uint32_t)((r0 >> 26) | (r1 << 18)) & 0x3ffffff;
422
	p->R22.d[2] = (uint32_t)((r1 >> 8)              ) & 0x3ffffff;
423
	p->R23.d[2] = (uint32_t)((r1 >> 34) | (r2 << 10)) & 0x3ffffff;
424
	p->R24.d[2] = (uint32_t)((r2 >> 16)             )            ;
425
	p->S21.d[2] = p->R21.d[2] * 5;
426
	p->S22.d[2] = p->R22.d[2] * 5;
427
	p->S23.d[2] = p->R23.d[2] * 5;
428
	p->S24.d[2] = p->R24.d[2] * 5;
429
430
	/* H *= [r^2,r] */
431
	T0 = _mm_mul_epu32(H0, p->R20.v);
432
	T1 = _mm_mul_epu32(H0, p->R21.v);
433
	T2 = _mm_mul_epu32(H0, p->R22.v);
434
	T3 = _mm_mul_epu32(H0, p->R23.v);
435
	T4 = _mm_mul_epu32(H0, p->R24.v);
436
	T5 = _mm_mul_epu32(H1, p->S24.v); T6 = _mm_mul_epu32(H1, p->R20.v); T0 = _mm_add_epi64(T0, T5); T1 = _mm_add_epi64(T1, T6);
437
	T5 = _mm_mul_epu32(H2, p->S23.v); T6 = _mm_mul_epu32(H2, p->S24.v); T0 = _mm_add_epi64(T0, T5); T1 = _mm_add_epi64(T1, T6);
438
	T5 = _mm_mul_epu32(H3, p->S22.v); T6 = _mm_mul_epu32(H3, p->S23.v); T0 = _mm_add_epi64(T0, T5); T1 = _mm_add_epi64(T1, T6);
439
	T5 = _mm_mul_epu32(H4, p->S21.v); T6 = _mm_mul_epu32(H4, p->S22.v); T0 = _mm_add_epi64(T0, T5); T1 = _mm_add_epi64(T1, T6);
440
	T5 = _mm_mul_epu32(H1, p->R21.v); T6 = _mm_mul_epu32(H1, p->R22.v); T2 = _mm_add_epi64(T2, T5); T3 = _mm_add_epi64(T3, T6);
441
	T5 = _mm_mul_epu32(H2, p->R20.v); T6 = _mm_mul_epu32(H2, p->R21.v); T2 = _mm_add_epi64(T2, T5); T3 = _mm_add_epi64(T3, T6);
442
	T5 = _mm_mul_epu32(H3, p->S24.v); T6 = _mm_mul_epu32(H3, p->R20.v); T2 = _mm_add_epi64(T2, T5); T3 = _mm_add_epi64(T3, T6);
443
	T5 = _mm_mul_epu32(H4, p->S23.v); T6 = _mm_mul_epu32(H4, p->S24.v); T2 = _mm_add_epi64(T2, T5); T3 = _mm_add_epi64(T3, T6);
444
	T5 = _mm_mul_epu32(H1, p->R23.v);                                   T4 = _mm_add_epi64(T4, T5);
445
	T5 = _mm_mul_epu32(H2, p->R22.v);                                   T4 = _mm_add_epi64(T4, T5);
446
	T5 = _mm_mul_epu32(H3, p->R21.v);                                   T4 = _mm_add_epi64(T4, T5);
447
	T5 = _mm_mul_epu32(H4, p->R20.v);                                   T4 = _mm_add_epi64(T4, T5);
448
449
	C1 = _mm_srli_epi64(T0, 26); C2 = _mm_srli_epi64(T3, 26); T0 = _mm_and_si128(T0, MMASK); T3 = _mm_and_si128(T3, MMASK); T1 = _mm_add_epi64(T1, C1); T4 = _mm_add_epi64(T4, C2);
450
	C1 = _mm_srli_epi64(T1, 26); C2 = _mm_srli_epi64(T4, 26); T1 = _mm_and_si128(T1, MMASK); T4 = _mm_and_si128(T4, MMASK); T2 = _mm_add_epi64(T2, C1); T0 = _mm_add_epi64(T0, _mm_mul_epu32(C2, FIVE));
451
	C1 = _mm_srli_epi64(T2, 26); C2 = _mm_srli_epi64(T0, 26); T2 = _mm_and_si128(T2, MMASK); T0 = _mm_and_si128(T0, MMASK); T3 = _mm_add_epi64(T3, C1); T1 = _mm_add_epi64(T1, C2);
452
	C1 = _mm_srli_epi64(T3, 26);                              T3 = _mm_and_si128(T3, MMASK);                                T4 = _mm_add_epi64(T4, C1);
453
454
	/* H = H[0]+H[1] */
455
	H0 = _mm_add_epi64(T0, _mm_srli_si128(T0, 8));
456
	H1 = _mm_add_epi64(T1, _mm_srli_si128(T1, 8));
457
	H2 = _mm_add_epi64(T2, _mm_srli_si128(T2, 8));
458
	H3 = _mm_add_epi64(T3, _mm_srli_si128(T3, 8));
459
	H4 = _mm_add_epi64(T4, _mm_srli_si128(T4, 8));
460
461
	t0 = _mm_cvtsi128_si32(H0)    ; c = (t0 >> 26); t0 &= 0x3ffffff;
462
	t1 = _mm_cvtsi128_si32(H1) + c; c = (t1 >> 26); t1 &= 0x3ffffff;
463
	t2 = _mm_cvtsi128_si32(H2) + c; c = (t2 >> 26); t2 &= 0x3ffffff;
464
	t3 = _mm_cvtsi128_si32(H3) + c; c = (t3 >> 26); t3 &= 0x3ffffff;
465
	t4 = _mm_cvtsi128_si32(H4) + c; c = (t4 >> 26); t4 &= 0x3ffffff;
466
	t0 =              t0 + (c * 5); c = (t0 >> 26); t0 &= 0x3ffffff;
467
	t1 =              t1 + c;
468
469
	st->HH[0] =  ((t0      ) | (t1 << 26)             ) & 0xfffffffffffull;
470
	st->HH[1] =  ((t1 >> 18) | (t2 <<  8) | (t3 << 34)) & 0xfffffffffffull;
471
	st->HH[2] =  ((t3 >> 10) | (t4 << 16)             ) & 0x3ffffffffffull;
472
473
	return consumed;
474
}
475
476
void
477
Poly1305Update(poly1305_state *state, const unsigned char *m, size_t bytes) {
478
	poly1305_state_internal *st = poly1305_aligned_state(state);
479
	size_t want;
480
481
	/* need at least 32 initial bytes to start the accelerated branch */
482
	if (!st->started) {
483
		if ((st->leftover == 0) && (bytes > 32)) {
484
			poly1305_first_block(st, m);
485
			m += 32;
486
			bytes -= 32;
487
		} else {
488
			want = poly1305_min(32 - st->leftover, bytes);
489
			poly1305_block_copy(st->buffer + st->leftover, m, want);
490
			bytes -= want;
491
			m += want;
492
			st->leftover += want;
493
			if ((st->leftover < 32) || (bytes == 0))
494
				return;
495
			poly1305_first_block(st, st->buffer);
496
			st->leftover = 0;
497
		}
498
		st->started = 1;
499
	}
500
501
	/* handle leftover */
502
	if (st->leftover) {
503
		want = poly1305_min(64 - st->leftover, bytes);
504
		poly1305_block_copy(st->buffer + st->leftover, m, want);
505
		bytes -= want;
506
		m += want;
507
		st->leftover += want;
508
		if (st->leftover < 64)
509
			return;
510
		poly1305_blocks(st, st->buffer, 64);
511
		st->leftover = 0;
512
	}
513
514
	/* process 64 byte blocks */
515
	if (bytes >= 64) {
516
		want = (bytes & ~63);
517
		poly1305_blocks(st, m, want);
518
		m += want;
519
		bytes -= want;
520
	}
521
522
	if (bytes) {
523
		poly1305_block_copy(st->buffer + st->leftover, m, bytes);
524
		st->leftover += bytes;
525
	}
526
}
527
528
void
529
Poly1305Finish(poly1305_state *state, unsigned char mac[16]) {
530
	poly1305_state_internal *st = poly1305_aligned_state(state);
531
	size_t leftover = st->leftover;
532
	uint8_t *m = st->buffer;
533
	uint128_t d[3];
534
	uint64_t h0,h1,h2;
535
	uint64_t t0,t1;
536
	uint64_t g0,g1,g2,c,nc;
537
	uint64_t r0,r1,r2,s1,s2;
538
	poly1305_power *p;
539
540
	if (st->started) {
541
		size_t consumed = poly1305_combine(st, m, leftover);
542
		leftover -= consumed;
543
		m += consumed;
544
	}
545
546
	/* st->HH will either be 0 or have the combined result */
547
	h0 = st->HH[0];
548
	h1 = st->HH[1];
549
	h2 = st->HH[2];
550
551
	p = &st->P[1];
552
	r0 = ((uint64_t)p->R20.d[3] << 32) | (uint64_t)p->R20.d[1];
553
	r1 = ((uint64_t)p->R21.d[3] << 32) | (uint64_t)p->R21.d[1];
554
	r2 = ((uint64_t)p->R22.d[3] << 32) | (uint64_t)p->R22.d[1];
555
	s1 = r1 * (5 << 2);
556
	s2 = r2 * (5 << 2);
557
558
	if (leftover < 16)
559
		goto poly1305_donna_atmost15bytes;
560
561
poly1305_donna_atleast16bytes:
562
	t0 = U8TO64_LE(m + 0);
563
	t1 = U8TO64_LE(m + 8);
564
	h0 += t0 & 0xfffffffffff;
565
	t0 = shr128_pair(t1, t0, 44);
566
	h1 += t0 & 0xfffffffffff;
567
	h2 += (t1 >> 24) | ((uint64_t)1 << 40);
568
569
poly1305_donna_mul:
570
	d[0] = add128(add128(mul64x64_128(h0, r0), mul64x64_128(h1, s2)), mul64x64_128(h2, s1));
571
	d[1] = add128(add128(mul64x64_128(h0, r1), mul64x64_128(h1, r0)), mul64x64_128(h2, s2));
572
	d[2] = add128(add128(mul64x64_128(h0, r2), mul64x64_128(h1, r1)), mul64x64_128(h2, r0));
573
	                           h0 = lo128(d[0]) & 0xfffffffffff; c = shr128(d[0], 44);
574
	d[1] = add128_64(d[1], c); h1 = lo128(d[1]) & 0xfffffffffff; c = shr128(d[1], 44);
575
	d[2] = add128_64(d[2], c); h2 = lo128(d[2]) & 0x3ffffffffff; c = shr128(d[2], 42);
576
	h0   += c * 5;
577
578
	m += 16;
579
	leftover -= 16;
580
	if (leftover >= 16) goto poly1305_donna_atleast16bytes;
581
582
	/* final bytes */
583
poly1305_donna_atmost15bytes:
584
	if (!leftover) goto poly1305_donna_finish;
585
586
	m[leftover++] = 1;
587
	poly1305_block_zero(m + leftover, 16 - leftover);
588
	leftover = 16;
589
590
	t0 = U8TO64_LE(m+0);
591
	t1 = U8TO64_LE(m+8);
592
	h0 += t0 & 0xfffffffffff; t0 = shr128_pair(t1, t0, 44);
593
	h1 += t0 & 0xfffffffffff;
594
	h2 += (t1 >> 24);
595
596
	goto poly1305_donna_mul;
597
598
poly1305_donna_finish:
599
	             c = (h0 >> 44); h0 &= 0xfffffffffff;
600
	h1 += c;     c = (h1 >> 44); h1 &= 0xfffffffffff;
601
	h2 += c;     c = (h2 >> 42); h2 &= 0x3ffffffffff;
602
	h0 += c * 5;
603
604
	g0 = h0 + 5; c = (g0 >> 44); g0 &= 0xfffffffffff;
605
	g1 = h1 + c; c = (g1 >> 44); g1 &= 0xfffffffffff;
606
	g2 = h2 + c - ((uint64_t)1 << 42);
607
608
	c = (g2 >> 63) - 1;
609
	nc = ~c;
610
	h0 = (h0 & nc) | (g0 & c);
611
	h1 = (h1 & nc) | (g1 & c);
612
	h2 = (h2 & nc) | (g2 & c);
613
614
	/* pad */
615
	t0 = ((uint64_t)p->R23.d[3] << 32) | (uint64_t)p->R23.d[1];
616
	t1 = ((uint64_t)p->R24.d[3] << 32) | (uint64_t)p->R24.d[1];
617
	h0 += (t0 & 0xfffffffffff)    ; c = (h0 >> 44); h0 &= 0xfffffffffff; t0 = shr128_pair(t1, t0, 44);
618
	h1 += (t0 & 0xfffffffffff) + c; c = (h1 >> 44); h1 &= 0xfffffffffff; t1 = (t1 >> 24);
619
	h2 += (t1                ) + c;
620
621
	U64TO8_LE(mac + 0, ((h0      ) | (h1 << 44)));
622
	U64TO8_LE(mac + 8, ((h1 >> 20) | (h2 << 24)));
623
}
(-)0a2868789206 (+254 lines)
1
/* This Source Code Form is subject to the terms of the Mozilla Public
2
 * License, v. 2.0. If a copy of the MPL was not distributed with this
3
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4
5
/* This implementation of poly1305 is by Andrew Moon
6
 * (https://github.com/floodyberry/poly1305-donna) and released as public
7
 * domain. */
8
9
#include <string.h>
10
#include <stdint.h>
11
12
#include "poly1305.h"
13
14
#if defined(NSS_X86) || defined(NSS_X64)
15
/* We can assume little-endian. */
16
static uint32_t U8TO32_LE(const unsigned char *m) {
17
	uint32_t r;
18
	memcpy(&r, m, sizeof(r));
19
	return r;
20
}
21
22
static void U32TO8_LE(unsigned char *m, uint32_t v) {
23
	memcpy(m, &v, sizeof(v));
24
}
25
#else
26
static void U8TO32_LE(const unsigned char *m) {
27
	return (uint32_t)m[0] |
28
	       (uint32_t)m[1] << 8 |
29
	       (uint32_t)m[2] << 16 |
30
	       (uint32_t)m[3] << 24;
31
}
32
33
static void U32TO8_LE(unsigned char *m, uint32_t v) {
34
	m[0] = v;
35
	m[1] = v >> 8;
36
	m[2] = v >> 16;
37
	m[3] = v >> 24;
38
}
39
#endif
40
41
static uint64_t
42
mul32x32_64(uint32_t a, uint32_t b) {
43
	return (uint64_t)a * b;
44
}
45
46
struct poly1305_state_st {
47
	uint32_t r0,r1,r2,r3,r4;
48
	uint32_t s1,s2,s3,s4;
49
	uint32_t h0,h1,h2,h3,h4;
50
	unsigned char buf[16];
51
	unsigned int buf_used;
52
	unsigned char key[16];
53
};
54
55
/* update updates |state| given some amount of input data. This function may
56
 * only be called with a |len| that is not a multiple of 16 at the end of the
57
 * data. Otherwise the input must be buffered into 16 byte blocks. */
58
static void update(struct poly1305_state_st *state, const unsigned char *in,
59
		   size_t len) {
60
	uint32_t t0,t1,t2,t3;
61
	uint64_t t[5];
62
	uint32_t b;
63
	uint64_t c;
64
	size_t j;
65
	unsigned char mp[16];
66
67
	if (len < 16)
68
		goto poly1305_donna_atmost15bytes;
69
70
poly1305_donna_16bytes:
71
	t0 = U8TO32_LE(in);
72
	t1 = U8TO32_LE(in+4);
73
	t2 = U8TO32_LE(in+8);
74
	t3 = U8TO32_LE(in+12);
75
76
	in += 16;
77
	len -= 16;
78
79
	state->h0 += t0 & 0x3ffffff;
80
	state->h1 += ((((uint64_t)t1 << 32) | t0) >> 26) & 0x3ffffff;
81
	state->h2 += ((((uint64_t)t2 << 32) | t1) >> 20) & 0x3ffffff;
82
	state->h3 += ((((uint64_t)t3 << 32) | t2) >> 14) & 0x3ffffff;
83
	state->h4 += (t3 >> 8) | (1 << 24);
84
85
poly1305_donna_mul:
86
	t[0] = mul32x32_64(state->h0,state->r0) +
87
	       mul32x32_64(state->h1,state->s4) +
88
	       mul32x32_64(state->h2,state->s3) +
89
	       mul32x32_64(state->h3,state->s2) +
90
	       mul32x32_64(state->h4,state->s1);
91
	t[1] = mul32x32_64(state->h0,state->r1) +
92
	       mul32x32_64(state->h1,state->r0) +
93
	       mul32x32_64(state->h2,state->s4) +
94
	       mul32x32_64(state->h3,state->s3) +
95
	       mul32x32_64(state->h4,state->s2);
96
	t[2] = mul32x32_64(state->h0,state->r2) +
97
	       mul32x32_64(state->h1,state->r1) +
98
	       mul32x32_64(state->h2,state->r0) +
99
	       mul32x32_64(state->h3,state->s4) +
100
	       mul32x32_64(state->h4,state->s3);
101
	t[3] = mul32x32_64(state->h0,state->r3) +
102
	       mul32x32_64(state->h1,state->r2) +
103
	       mul32x32_64(state->h2,state->r1) +
104
	       mul32x32_64(state->h3,state->r0) +
105
	       mul32x32_64(state->h4,state->s4);
106
	t[4] = mul32x32_64(state->h0,state->r4) +
107
	       mul32x32_64(state->h1,state->r3) +
108
	       mul32x32_64(state->h2,state->r2) +
109
	       mul32x32_64(state->h3,state->r1) +
110
	       mul32x32_64(state->h4,state->r0);
111
112
	           state->h0 = (uint32_t)t[0] & 0x3ffffff; c =           (t[0] >> 26);
113
	t[1] += c; state->h1 = (uint32_t)t[1] & 0x3ffffff; b = (uint32_t)(t[1] >> 26);
114
	t[2] += b; state->h2 = (uint32_t)t[2] & 0x3ffffff; b = (uint32_t)(t[2] >> 26);
115
	t[3] += b; state->h3 = (uint32_t)t[3] & 0x3ffffff; b = (uint32_t)(t[3] >> 26);
116
	t[4] += b; state->h4 = (uint32_t)t[4] & 0x3ffffff; b = (uint32_t)(t[4] >> 26);
117
	state->h0 += b * 5;
118
119
	if (len >= 16)
120
		goto poly1305_donna_16bytes;
121
122
	/* final bytes */
123
poly1305_donna_atmost15bytes:
124
	if (!len)
125
		return;
126
127
	for (j = 0; j < len; j++)
128
		mp[j] = in[j];
129
	mp[j++] = 1;
130
	for (; j < 16; j++)
131
		mp[j] = 0;
132
	len = 0;
133
134
	t0 = U8TO32_LE(mp+0);
135
	t1 = U8TO32_LE(mp+4);
136
	t2 = U8TO32_LE(mp+8);
137
	t3 = U8TO32_LE(mp+12);
138
139
	state->h0 += t0 & 0x3ffffff;
140
	state->h1 += ((((uint64_t)t1 << 32) | t0) >> 26) & 0x3ffffff;
141
	state->h2 += ((((uint64_t)t2 << 32) | t1) >> 20) & 0x3ffffff;
142
	state->h3 += ((((uint64_t)t3 << 32) | t2) >> 14) & 0x3ffffff;
143
	state->h4 += (t3 >> 8);
144
145
	goto poly1305_donna_mul;
146
}
147
148
void Poly1305Init(poly1305_state *statep, const unsigned char key[32]) {
149
	struct poly1305_state_st *state = (struct poly1305_state_st*) statep;
150
	uint32_t t0,t1,t2,t3;
151
152
	t0 = U8TO32_LE(key+0);
153
	t1 = U8TO32_LE(key+4);
154
	t2 = U8TO32_LE(key+8);
155
	t3 = U8TO32_LE(key+12);
156
157
	/* precompute multipliers */
158
	state->r0 = t0 & 0x3ffffff; t0 >>= 26; t0 |= t1 << 6;
159
	state->r1 = t0 & 0x3ffff03; t1 >>= 20; t1 |= t2 << 12;
160
	state->r2 = t1 & 0x3ffc0ff; t2 >>= 14; t2 |= t3 << 18;
161
	state->r3 = t2 & 0x3f03fff; t3 >>= 8;
162
	state->r4 = t3 & 0x00fffff;
163
164
	state->s1 = state->r1 * 5;
165
	state->s2 = state->r2 * 5;
166
	state->s3 = state->r3 * 5;
167
	state->s4 = state->r4 * 5;
168
169
	/* init state */
170
	state->h0 = 0;
171
	state->h1 = 0;
172
	state->h2 = 0;
173
	state->h3 = 0;
174
	state->h4 = 0;
175
176
	state->buf_used = 0;
177
	memcpy(state->key, key + 16, sizeof(state->key));
178
}
179
180
void Poly1305Update(poly1305_state *statep, const unsigned char *in,
181
		     size_t in_len) {
182
	unsigned int i;
183
	struct poly1305_state_st *state = (struct poly1305_state_st*) statep;
184
185
	if (state->buf_used) {
186
		unsigned int todo = 16 - state->buf_used;
187
		if (todo > in_len)
188
			todo = in_len;
189
		for (i = 0; i < todo; i++)
190
			state->buf[state->buf_used + i] = in[i];
191
		state->buf_used += todo;
192
		in_len -= todo;
193
		in += todo;
194
195
		if (state->buf_used == 16) {
196
			update(state, state->buf, 16);
197
			state->buf_used = 0;
198
		}
199
	}
200
201
	if (in_len >= 16) {
202
		size_t todo = in_len & ~0xf;
203
		update(state, in, todo);
204
		in += todo;
205
		in_len &= 0xf;
206
	}
207
208
	if (in_len) {
209
		for (i = 0; i < in_len; i++)
210
			state->buf[i] = in[i];
211
		state->buf_used = in_len;
212
	}
213
}
214
215
void Poly1305Finish(poly1305_state *statep, unsigned char mac[16]) {
216
	struct poly1305_state_st *state = (struct poly1305_state_st*) statep;
217
	uint64_t f0,f1,f2,f3;
218
	uint32_t g0,g1,g2,g3,g4;
219
	uint32_t b, nb;
220
221
	if (state->buf_used)
222
		update(state, state->buf, state->buf_used);
223
224
	                    b = state->h0 >> 26; state->h0 = state->h0 & 0x3ffffff;
225
	state->h1 +=     b; b = state->h1 >> 26; state->h1 = state->h1 & 0x3ffffff;
226
	state->h2 +=     b; b = state->h2 >> 26; state->h2 = state->h2 & 0x3ffffff;
227
	state->h3 +=     b; b = state->h3 >> 26; state->h3 = state->h3 & 0x3ffffff;
228
	state->h4 +=     b; b = state->h4 >> 26; state->h4 = state->h4 & 0x3ffffff;
229
	state->h0 += b * 5;
230
231
	g0 = state->h0 + 5; b = g0 >> 26; g0 &= 0x3ffffff;
232
	g1 = state->h1 + b; b = g1 >> 26; g1 &= 0x3ffffff;
233
	g2 = state->h2 + b; b = g2 >> 26; g2 &= 0x3ffffff;
234
	g3 = state->h3 + b; b = g3 >> 26; g3 &= 0x3ffffff;
235
	g4 = state->h4 + b - (1 << 26);
236
237
	b = (g4 >> 31) - 1;
238
	nb = ~b;
239
	state->h0 = (state->h0 & nb) | (g0 & b);
240
	state->h1 = (state->h1 & nb) | (g1 & b);
241
	state->h2 = (state->h2 & nb) | (g2 & b);
242
	state->h3 = (state->h3 & nb) | (g3 & b);
243
	state->h4 = (state->h4 & nb) | (g4 & b);
244
245
	f0 = ((state->h0      ) | (state->h1 << 26)) + (uint64_t)U8TO32_LE(&state->key[0]);
246
	f1 = ((state->h1 >>  6) | (state->h2 << 20)) + (uint64_t)U8TO32_LE(&state->key[4]);
247
	f2 = ((state->h2 >> 12) | (state->h3 << 14)) + (uint64_t)U8TO32_LE(&state->key[8]);
248
	f3 = ((state->h3 >> 18) | (state->h4 <<  8)) + (uint64_t)U8TO32_LE(&state->key[12]);
249
250
	U32TO8_LE(&mac[ 0], f0); f1 += (f0 >> 32);
251
	U32TO8_LE(&mac[ 4], f1); f2 += (f1 >> 32);
252
	U32TO8_LE(&mac[ 8], f2); f3 += (f2 >> 32);
253
	U32TO8_LE(&mac[12], f3);
254
}
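Review bot: The `#else` (non-x86) variant of `U8TO32_LE` is declared `static void` but its body returns the assembled 32-bit word, and `update`, `Poly1305Init` and `Poly1305Finish` all consume that result, so the portable branch cannot build correctly wherever `NSS_X86`/`NSS_X64` is undefined. The signature should read `static uint32_t U8TO32_LE(const unsigned char *m) {`, matching the memcpy variant above it. Separately, `Poly1305Finish` leaves the accumulator limbs and the copied second key half (`state->key`) in the caller's buffer after the tag is written; ending the function with `memset(state, 0, sizeof(*state));` would stop one-time key material from lingering in memory that callers are likely to reuse.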
(-)0a2868789206 (+31 lines)
1
/*
2
 * poly1305.h - header file for Poly1305 implementation.
3
 *
4
 * This Source Code Form is subject to the terms of the Mozilla Public
5
 * License, v. 2.0. If a copy of the MPL was not distributed with this
6
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7
8
#ifndef FREEBL_POLY1305_H_
9
#define FREEBL_POLY1305_H_
10
11
typedef unsigned char poly1305_state[512];
12
13
/* Poly1305Init sets up |state| so that it can be used to calculate an
14
 * authentication tag with the one-time key |key|. Note that |key| is a
15
 * one-time key and therefore there is no `reset' method because that would
16
 * enable several messages to be authenticated with the same key. */
17
extern void Poly1305Init(poly1305_state* state,
18
			 const unsigned char key[32]);
19
20
/* Poly1305Update processes |in_len| bytes from |in|. It can be called zero or
21
 * more times after poly1305_init. */
22
extern void Poly1305Update(poly1305_state* state,
23
			   const unsigned char *in,
24
			   size_t inLen);
25
26
/* Poly1305Finish completes the poly1305 calculation and writes a 16 byte
27
 * authentication tag to |mac|. */
28
extern void Poly1305Finish(poly1305_state* state,
29
			   unsigned char mac[16]);
30
31
#endif  /* FREEBL_POLY1305_H_ */
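Review bot: `poly1305_state` is a bare `unsigned char[512]`, so it carries no alignment guarantee, yet the portable poly1305.c casts the pointer straight to `struct poly1305_state_st *` and accesses `uint32_t` members through it. On targets that do not tolerate unaligned 32-bit access this is a latent fault; the comment above the typedef should state the alignment callers must provide, or the storage could be declared so that it is suitably aligned. Nothing visible in the patch checks that 512 bytes is enough for each backend's internal state either, so a compile-time size assertion next to each backend's `struct` definition would document that assumption. The `Poly1305Update` comment also refers to `poly1305_init`, while the function this header declares is `Poly1305Init`.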
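--- a/lib/pk11wrap/pk11mech.c
+++ b/lib/pk11wrap/pk11mech.c
@@ -152,6 +152,8 @@
 	return CKM_SEED_CBC;
     case CKK_CAMELLIA:
 	return CKM_CAMELLIA_CBC;
+    case CKK_NSS_CHACHA20:
+	return CKM_NSS_CHACHA20_POLY1305;
     case CKK_AES:
 	return CKM_AES_CBC;
     case CKK_DES:
@@ -219,6 +221,8 @@
     case CKM_CAMELLIA_CBC_PAD:
     case CKM_CAMELLIA_KEY_GEN:
 	return CKK_CAMELLIA;
+    case CKM_NSS_CHACHA20_POLY1305:
+	return CKK_NSS_CHACHA20;
     case CKM_AES_ECB:
     case CKM_AES_CBC:
     case CKM_AES_CCM:
@@ -429,6 +433,8 @@
     case CKM_CAMELLIA_CBC_PAD:
     case CKM_CAMELLIA_KEY_GEN:
 	return CKM_CAMELLIA_KEY_GEN;
+    case CKM_NSS_CHACHA20_POLY1305:
+	return CKM_NSS_CHACHA20_KEY_GEN;
     case CKM_AES_ECB:
     case CKM_AES_CBC:
     case CKM_AES_CCM: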
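--- a/lib/softoken/pkcs11.c
+++ b/lib/softoken/pkcs11.c
@@ -368,6 +368,9 @@
      {CKM_SEED_MAC,		{16, 16, CKF_SN_VR},		PR_TRUE},
      {CKM_SEED_MAC_GENERAL,	{16, 16, CKF_SN_VR},		PR_TRUE},
      {CKM_SEED_CBC_PAD,		{16, 16, CKF_EN_DE_WR_UN},	PR_TRUE},
+     /* ------------------------- ChaCha20 Operations ---------------------- */
+     {CKM_NSS_CHACHA20_KEY_GEN,	{32, 32, CKF_GENERATE},		PR_TRUE},
+     {CKM_NSS_CHACHA20_POLY1305,{32, 32, CKF_EN_DE},		PR_TRUE},
      /* ------------------------- Hashing Operations ----------------------- */
      {CKM_MD2,			{0,   0, CKF_DIGEST},		PR_FALSE},
      {CKM_MD2_HMAC,		{1, 128, CKF_SN_VR},		PR_TRUE},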
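--- a/lib/softoken/pkcs11c.c
+++ b/lib/softoken/pkcs11c.c
@@ -475,6 +475,95 @@
                            maxLen, input, inputLen);
 }
 
+static SFTKChaCha20Poly1305Info *
+sftk_ChaCha20Poly1305_CreateContext(const unsigned char *key, unsigned int keyLen,
+				    const CK_NSS_AEAD_PARAMS* params)
+{
+    SFTKChaCha20Poly1305Info *ctx;
+
+    if (params->ulIvLen != sizeof(ctx->nonce)) {
+	PORT_SetError(SEC_ERROR_INPUT_LEN);
+	return NULL;
+    }
+
+    ctx = PORT_New(SFTKChaCha20Poly1305Info);
+    if (ctx == NULL) {
+	return NULL;
+    }
+
+    if (ChaCha20Poly1305_InitContext(&ctx->freeblCtx, key, keyLen,
+				     params->ulTagLen) != SECSuccess) {
+	PORT_Free(ctx);
+	return NULL;
+    }
+
+    memcpy(ctx->nonce, params->pIv, sizeof(ctx->nonce));
+
+    if (params->ulAADLen > sizeof(ctx->ad)) {
+	/* Need to allocate an overflow buffer for the additional data. */
+	ctx->adOverflow = (unsigned char *)PORT_Alloc(params->ulAADLen);
+	if (!ctx->adOverflow) {
+	    PORT_Free(ctx);
+	    return NULL;
+	}
+	memcpy(ctx->adOverflow, params->pAAD, params->ulAADLen);
+    } else {
+	ctx->adOverflow = NULL;
+	memcpy(ctx->ad, params->pAAD, params->ulAADLen);
+    }
+    ctx->adLen = params->ulAADLen;
+
+    return ctx;
+}
+
+static void
+sftk_ChaCha20Poly1305_DestroyContext(SFTKChaCha20Poly1305Info *ctx, PRBool freeit)
+{
+    ChaCha20Poly1305_DestroyContext(&ctx->freeblCtx, PR_FALSE);
+    if (ctx->adOverflow != NULL) {
+	PORT_Free(ctx->adOverflow);
+	ctx->adOverflow = NULL;
+    }
+    ctx->adLen = 0;
+    if (freeit) {
+	PORT_Free(ctx);
+    }
+}
+
+static SECStatus
+sftk_ChaCha20Poly1305_Encrypt(const SFTKChaCha20Poly1305Info *ctx,
+			      unsigned char *output, unsigned int *outputLen,
+			      unsigned int maxOutputLen,
+			      const unsigned char *input, unsigned int inputLen)
+{
+    const unsigned char *ad = ctx->adOverflow;
+
+    if (ad == NULL) {
+	ad = ctx->ad;
+    }
+
+    return ChaCha20Poly1305_Seal(&ctx->freeblCtx, output, outputLen, maxOutputLen,
+				 input, inputLen, ctx->nonce, sizeof(ctx->nonce),
+				 ad, ctx->adLen);
+}
+
+static SECStatus
+sftk_ChaCha20Poly1305_Decrypt(const SFTKChaCha20Poly1305Info *ctx,
+			      unsigned char *output, unsigned int *outputLen,
+			      unsigned int maxOutputLen,
+			      const unsigned char *input, unsigned int inputLen)
+{
+    const unsigned char *ad = ctx->adOverflow;
+
+    if (ad == NULL) {
+	ad = ctx->ad;
+    }
+
+    return ChaCha20Poly1305_Open(&ctx->freeblCtx, output, outputLen, maxOutputLen,
+				 input, inputLen, ctx->nonce, sizeof(ctx->nonce),
+				 ad, ctx->adLen);
+}
+
 /** NSC_CryptInit initializes an encryption/Decryption operation.
  *
  * Always called by NSC_EncryptInit, NSC_DecryptInit, NSC_WrapKey,NSC_UnwrapKey.
@@ -870,6 +959,34 @@
 	context->destroy = (SFTKDestroy) AES_DestroyContext;
 	break;
 
+    case CKM_NSS_CHACHA20_POLY1305:
+	if (pMechanism->ulParameterLen != sizeof(CK_NSS_AEAD_PARAMS)) {
+	    crv = CKR_MECHANISM_PARAM_INVALID;
+	    break;
+	}
+	context->multi = PR_FALSE;
+	if (key_type != CKK_NSS_CHACHA20) {
+	    crv = CKR_KEY_TYPE_INCONSISTENT;
+	    break;
+	}
+	att = sftk_FindAttribute(key,CKA_VALUE);
+	if (att == NULL) {
+	    crv = CKR_KEY_HANDLE_INVALID;
+	    break;
+	}
+	context->cipherInfo = sftk_ChaCha20Poly1305_CreateContext(
+		(unsigned char*) att->attrib.pValue, att->attrib.ulValueLen,
+		(CK_NSS_AEAD_PARAMS*) pMechanism->pParameter);
+	sftk_FreeAttribute(att);
+	if (context->cipherInfo == NULL) {
+	    crv = sftk_MapCryptError(PORT_GetError());
+	    break;
+	}
+	context->update = (SFTKCipher) (isEncrypt ? sftk_ChaCha20Poly1305_Encrypt :
+					sftk_ChaCha20Poly1305_Decrypt);
+	context->destroy = (SFTKDestroy) sftk_ChaCha20Poly1305_DestroyContext;
+	break;
+
     case CKM_NETSCAPE_AES_KEY_WRAP_PAD:
     	context->doPad = PR_TRUE;
 	/* fall thru */
@@ -3276,6 +3393,10 @@
 	*key_type = CKK_AES;
 	if (*key_length == 0) crv = CKR_TEMPLATE_INCOMPLETE;
 	break;
+    case CKM_NSS_CHACHA20_KEY_GEN:
+	*key_type = CKK_NSS_CHACHA20;
+	if (*key_length == 0) crv = CKR_TEMPLATE_INCOMPLETE;
+	break;
     default:
 	PORT_Assert(0);
 	crv = CKR_MECHANISM_INVALID;
@@ -3521,6 +3642,7 @@
     case CKM_SEED_KEY_GEN:
     case CKM_CAMELLIA_KEY_GEN:
     case CKM_AES_KEY_GEN:
+    case CKM_NSS_CHACHA20_KEY_GEN:
 #if NSS_SOFTOKEN_DOES_RC5
     case CKM_RC5_KEY_GEN:
 #endif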
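Review bot: `sftk_ChaCha20Poly1305_CreateContext` copies from `params->pIv` and `params->pAAD` without checking either pointer, and the `CKM_NSS_CHACHA20_POLY1305` case in NSC_CryptInit (whose body extends beyond the hunk) validates only `ulParameterLen` before casting `pMechanism->pParameter`. A correctly sized parameter block with a NULL IV, or a NULL AAD with a non-zero `ulAADLen`, therefore reaches `memcpy` with a null source; a guard such as `if (params->pIv == NULL || (params->pAAD == NULL && params->ulAADLen != 0)) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return NULL; }` placed before the allocation would reject it. The `adOverflow` allocation-failure path also releases `ctx` with `PORT_Free` alone after `ChaCha20Poly1305_InitContext` has succeeded. If that freebl context holds key material (its definition is not in this section), calling `ChaCha20Poly1305_DestroyContext(&ctx->freeblCtx, PR_FALSE);` first would keep the error path consistent with `sftk_ChaCha20Poly1305_DestroyContext`.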
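--- a/lib/softoken/pkcs11i.h
+++ b/lib/softoken/pkcs11i.h
@@ -14,6 +14,7 @@
 #include "pkcs11t.h"
 
 #include "sftkdbt.h" 
+#include "chacha20poly1305.h"
 #include "hasht.h"
 
 /* 
@@ -104,6 +105,7 @@
 typedef struct SFTKOAEPEncryptInfoStr SFTKOAEPEncryptInfo;
 typedef struct SFTKOAEPDecryptInfoStr SFTKOAEPDecryptInfo;
 typedef struct SFTKSSLMACInfoStr SFTKSSLMACInfo;
+typedef struct SFTKChaCha20Poly1305InfoStr SFTKChaCha20Poly1305Info;
 typedef struct SFTKItemTemplateStr SFTKItemTemplate;
 
 /* define function pointer typdefs for pointer tables */
@@ -399,6 +401,16 @@
     unsigned int	keySize;
 };
 
+/* SFTKChaCha20Poly1305Info saves the key, tag length, nonce, and additional data
+ * for a ChaCha20+Poly1305 AEAD operation. */
+struct SFTKChaCha20Poly1305InfoStr {
+    ChaCha20Poly1305Context freeblCtx;
+    unsigned char nonce[8];
+    unsigned char ad[16];
+    unsigned char *adOverflow;
+    unsigned int adLen;
+};
+
 /*
  * Template based on SECItems, suitable for passing as arrays
  */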
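Review bot: The new SFTKChaCha20Poly1305InfoStr does not document how `ad[16]`, `adOverflow` and `adLen` relate, or who owns the memory behind `adOverflow`. Presumably `adOverflow` is a separately allocated copy used when `adLen` exceeds `sizeof(ad)`, in which case the context's destroy path has to free it; that code is not in this section, so please confirm. I would add a field comment such as `/* ad holds the additional data when adLen <= sizeof(ad); otherwise adOverflow points to an allocated copy freed when the context is destroyed */`. The struct comment also mentions a tag length, but no such field is visible, so say where it is stored if it lives inside `freeblCtx`.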
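--- a/lib/ssl/ssl3con.c
+++ b/lib/ssl/ssl3con.c
@@ -86,6 +86,8 @@
 static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
    /*      cipher_suite                     policy       enabled   isPresent */
 #ifdef NSS_ENABLE_ECC
+ { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,  SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
  { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
 #endif /* NSS_ENABLE_ECC */
@@ -258,6 +260,7 @@
     {cipher_camellia_256, calg_camellia,    32,32, type_block, 16,16, 0, 0},
     {cipher_seed,         calg_seed,        16,16, type_block, 16,16, 0, 0},
     {cipher_aes_128_gcm,  calg_aes_gcm,     16,16, type_aead,   4, 0,16, 8},
+    {cipher_chacha20,     calg_chacha20,    32,32, type_aead,   0, 0,16, 0},
     {cipher_missing,      calg_null,         0, 0, type_stream, 0, 0, 0, 0},
 };
 
@@ -384,6 +387,8 @@
     {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_rsa},
     {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_rsa},
     {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_ecdsa},
+    {TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, cipher_chacha20, mac_aead, kea_ecdhe_rsa},
+    {TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, cipher_chacha20, mac_aead, kea_ecdhe_ecdsa},
 
 #ifdef NSS_ENABLE_ECC
     {TLS_ECDH_ECDSA_WITH_NULL_SHA,        cipher_null, mac_sha, kea_ecdh_ecdsa},
@@ -449,6 +454,7 @@
     { calg_camellia , CKM_CAMELLIA_CBC			},
     { calg_seed     , CKM_SEED_CBC			},
     { calg_aes_gcm  , CKM_AES_GCM			},
+    { calg_chacha20 , CKM_NSS_CHACHA20_POLY1305		},
 /*  { calg_init     , (CK_MECHANISM_TYPE)0x7fffffffL    }  */
 };
 
@@ -1946,6 +1952,46 @@
 }
 #endif
 
+static SECStatus
+ssl3_ChaCha20Poly1305(
+	ssl3KeyMaterial *keys,
+	PRBool doDecrypt,
+	unsigned char *out,
+	int *outlen,
+	int maxout,
+	const unsigned char *in,
+	int inlen,
+	const unsigned char *additionalData,
+	int additionalDataLen)
+{
+    SECItem            param;
+    SECStatus          rv = SECFailure;
+    unsigned int       uOutLen;
+    CK_NSS_AEAD_PARAMS aeadParams;
+    static const int   tagSize = 16;
+
+    param.type = siBuffer;
+    param.len = sizeof(aeadParams);
+    param.data = (unsigned char *) &aeadParams;
+    memset(&aeadParams, 0, sizeof(aeadParams));
+    aeadParams.pIv = (unsigned char *) additionalData;
+    aeadParams.ulIvLen = 8;
+    aeadParams.pAAD = (unsigned char *) additionalData;
+    aeadParams.ulAADLen = additionalDataLen;
+    aeadParams.ulTagLen = tagSize;
+
+    if (doDecrypt) {
+	rv = PK11_Decrypt(keys->write_key, CKM_NSS_CHACHA20_POLY1305, &param,
+			  out, &uOutLen, maxout, in, inlen);
+    } else {
+	rv = PK11_Encrypt(keys->write_key, CKM_NSS_CHACHA20_POLY1305, &param,
+			  out, &uOutLen, maxout, in, inlen);
+    }
+    *outlen = (int) uOutLen;
+
+    return rv;
+}
+
 /* Initialize encryption and MAC contexts for pending spec.
  * Master Secret already is derived.
  * Caller holds Spec write lock.
@@ -1979,13 +2025,17 @@
     pwSpec->client.write_mac_context = NULL;
     pwSpec->server.write_mac_context = NULL;
 
-    if (calg == calg_aes_gcm) {
+    if (calg == calg_aes_gcm || calg == calg_chacha20) {
 	pwSpec->encode = NULL;
 	pwSpec->decode = NULL;
 	pwSpec->destroy = NULL;
 	pwSpec->encodeContext = NULL;
 	pwSpec->decodeContext = NULL;
-	pwSpec->aead = ssl3_AESGCM;
+	if (calg == calg_aes_gcm) {
+	    pwSpec->aead = ssl3_AESGCM;
+	} else {
+	    pwSpec->aead = ssl3_ChaCha20Poly1305;
+	}
 	return SECSuccess;
     }
 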
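Review bot: In the new ssl3_ChaCha20Poly1305, `aeadParams.pIv` is pointed at `additionalData` with a fixed `ulIvLen = 8`, but nothing checks that `additionalDataLen` is at least 8, so a shorter buffer would be read past its end as the nonce. The function also stores `*outlen = (int) uOutLen` after a failed PK11_Encrypt or PK11_Decrypt, and `uOutLen` is never initialised here (whether the PK11 call writes it on failure is not visible in this patch). I would add `if (additionalDataLen < 8) return SECFailure;` before filling `aeadParams` and declare `unsigned int uOutLen = 0;`. A comment such as `/* The nonce is the first 8 bytes of the additional data. */` would make clear that pointing pIv and pAAD at the same buffer is intentional.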
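--- a/lib/ssl/ssl3ecc.c
+++ b/lib/ssl/ssl3ecc.c
@@ -898,6 +898,7 @@
     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
     TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+    TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
     TLS_ECDHE_ECDSA_WITH_NULL_SHA,
     TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
     0 /* end of list marker */
@@ -909,6 +910,7 @@
     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+    TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
     TLS_ECDHE_RSA_WITH_NULL_SHA,
     TLS_ECDHE_RSA_WITH_RC4_128_SHA,
     0 /* end of list marker */
@@ -921,6 +923,7 @@
     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
     TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+    TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
     TLS_ECDHE_ECDSA_WITH_NULL_SHA,
     TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
     TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
@@ -928,6 +931,7 @@
     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+    TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
     TLS_ECDHE_RSA_WITH_NULL_SHA,
     TLS_ECDHE_RSA_WITH_RC4_128_SHA,
     TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,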
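--- a/lib/ssl/sslenum.c
+++ b/lib/ssl/sslenum.c
@@ -31,6 +31,8 @@
 const PRUint16 SSL_ImplementedCiphers[] = {
     /* AES-GCM */
 #ifdef NSS_ENABLE_ECC
+    TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+    TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
     TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 #endif /* NSS_ENABLE_ECC */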
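Review bot: The two ChaCha20-Poly1305 suites are inserted directly under the existing `/* AES-GCM */` group comment, which no longer describes what follows it. Change the heading to something like `/* ChaCha20-Poly1305 and AES-GCM (AEAD) */`, or give the new entries their own `/* ChaCha20-Poly1305 */` comment. If the order of SSL_ImplementedCiphers is meant to mirror the preference order in ssl3con.c, a short comment saying the new suites are deliberately listed ahead of AES-GCM would help the next reader.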
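--- a/lib/ssl/sslimpl.h
+++ b/lib/ssl/sslimpl.h
@@ -55,6 +55,7 @@
 #define calg_camellia	ssl_calg_camellia
 #define calg_seed	ssl_calg_seed
 #define calg_aes_gcm    ssl_calg_aes_gcm
+#define calg_chacha20	ssl_calg_chacha20
 
 #define mac_null	ssl_mac_null
 #define mac_md5 	ssl_mac_md5
@@ -282,7 +283,7 @@
 } ssl3CipherSuiteCfg;
 
 #ifdef NSS_ENABLE_ECC
-#define ssl_V3_SUITES_IMPLEMENTED 61
+#define ssl_V3_SUITES_IMPLEMENTED 63
 #else
 #define ssl_V3_SUITES_IMPLEMENTED 37
 #endif /* NSS_ENABLE_ECC */
@@ -456,6 +457,7 @@
     cipher_camellia_256,
     cipher_seed,
     cipher_aes_128_gcm,
+    cipher_chacha20,
     cipher_missing              /* reserved for no such supported cipher */
     /* This enum must match ssl3_cipherName[] in ssl3con.c.  */
 } SSL3BulkCipher;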
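Review bot: The comment at the end of SSL3BulkCipher says the enum must match ssl3_cipherName[] in ssl3con.c, but the ssl3con.c section of this patch has no hunk that touches that array. With `cipher_chacha20` inserted before `cipher_missing`, the name table therefore looks one entry short. If the array is indexed by this enum (it is not visible here), the new cipher would print the name meant for cipher_missing, and cipher_missing would index one past the end. Add a name string for the new cipher immediately before the final entry of ssl3_cipherName[] in the same patch.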
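--- a/lib/ssl/sslinfo.c
+++ b/lib/ssl/sslinfo.c
@@ -118,6 +118,7 @@
 #define C_NULL  "NULL", calg_null
 #define C_SJ 	"SKIPJACK", calg_sj
 #define C_AESGCM "AES-GCM", calg_aes_gcm
+#define C_CHACHA20 "CHACHA20POLY1305", calg_chacha20
 
 #define B_256	256, 256, 256
 #define B_128	128, 128, 128
@@ -196,12 +197,14 @@
 {0,CS(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA),  S_ECDSA, K_ECDHE, C_AES, B_128, M_SHA, 1, 0, 0, },
 {0,CS(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256), S_ECDSA, K_ECDHE, C_AES, B_128, M_SHA256, 1, 0, 0, },
 {0,CS(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA),  S_ECDSA, K_ECDHE, C_AES, B_256, M_SHA, 1, 0, 0, },
+{0,CS(TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305),S_ECDSA,K_ECDHE,C_CHACHA20,B_256,M_AEAD_128,0, 0, 0, },
 
 {0,CS(TLS_ECDH_RSA_WITH_NULL_SHA),            S_RSA, K_ECDH, C_NULL, B_0, M_SHA, 0, 0, 0, },
 {0,CS(TLS_ECDH_RSA_WITH_RC4_128_SHA),         S_RSA, K_ECDH, C_RC4, B_128, M_SHA, 0, 0, 0, },
 {0,CS(TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA),    S_RSA, K_ECDH, C_3DES, B_3DES, M_SHA, 1, 0, 0, },
 {0,CS(TLS_ECDH_RSA_WITH_AES_128_CBC_SHA),     S_RSA, K_ECDH, C_AES, B_128, M_SHA, 1, 0, 0, },
 {0,CS(TLS_ECDH_RSA_WITH_AES_256_CBC_SHA),     S_RSA, K_ECDH, C_AES, B_256, M_SHA, 1, 0, 0, },
+{0,CS(TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305),  S_RSA,K_ECDHE,C_CHACHA20,B_256,M_AEAD_128, 0, 0, 0, },
 
 {0,CS(TLS_ECDHE_RSA_WITH_NULL_SHA),           S_RSA, K_ECDHE, C_NULL, B_0, M_SHA, 0, 0, 0, },
 {0,CS(TLS_ECDHE_RSA_WITH_RC4_128_SHA),        S_RSA, K_ECDHE, C_RC4, B_128, M_SHA, 0, 0, 0, },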
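Review bot: The `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305` row is appended to the end of the `TLS_ECDH_RSA_*` group, whereas the ECDSA row was added to the matching `TLS_ECDHE_ECDSA_*` group. Move it into the `TLS_ECDHE_RSA_*` group that starts after the blank line, so the table stays grouped by key exchange. Both new rows also drop the space after each comma that the neighbouring rows use, for example `S_RSA, K_ECDHE, C_CHACHA20, B_256, M_AEAD_128, 0, 0, 0, }`. The table continues outside the hunk, so the exact position within the ECDHE_RSA group is for the author to choose.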
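--- a/lib/ssl/sslproto.h
+++ b/lib/ssl/sslproto.h
@@ -213,6 +213,9 @@
 #define TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   0xC02F
 #define TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256    0xC031
 
+#define TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305	0xCC13
+#define TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305	0xCC14
+
 /* Netscape "experimental" cipher suites. */
 #define SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA	0xffe0
 #define SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA	0xffe1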
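Review bot: The two new code points `0xCC13` and `0xCC14` are added to a public header with no comment saying which specification assigns them. If they come from a draft rather than a final registry assignment, the header should say so, because peers that later adopt different values would silently fail to negotiate these suites. A comment such as `/* ChaCha20-Poly1305 suites; code points per <specification name>, may change before standardisation */` above the two defines would cover it.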
(-)a/lib/ssl/sslt.h (-1 / +2 lines)
 Lines 81-87    Link Here 
81
    ssl_calg_aes      = 7,
81
    ssl_calg_aes      = 7,
82
    ssl_calg_camellia = 8,
82
    ssl_calg_camellia = 8,
83
    ssl_calg_seed     = 9,
83
    ssl_calg_seed     = 9,
84
    ssl_calg_aes_gcm  = 10
84
    ssl_calg_aes_gcm  = 10,
85
    ssl_calg_chacha20 = 11
85
} SSLCipherAlgorithm;
86
} SSLCipherAlgorithm;
86
87
87
typedef enum { 
88
typedef enum { 
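--- a/lib/util/pkcs11n.h
+++ b/lib/util/pkcs11n.h
@@ -51,6 +51,8 @@
 #define CKK_NSS_JPAKE_ROUND1       (CKK_NSS + 2)
 #define CKK_NSS_JPAKE_ROUND2       (CKK_NSS + 3)
 
+#define CKK_NSS_CHACHA20           (CKK_NSS + 4)
+
 /*
  * NSS-defined certificate types
  *
@@ -214,6 +216,9 @@
 #define CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256   (CKM_NSS + 23)
 #define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24)
 
+#define CKM_NSS_CHACHA20_KEY_GEN                (CKM_NSS + 25)
+#define CKM_NSS_CHACHA20_POLY1305               (CKM_NSS + 26)
+
 /*
  * HISTORICAL:
  * Do not attempt to use these. They are only used by NETSCAPE's internal
@@ -281,6 +286,14 @@
     CK_ULONG ulHeaderLen;       /* in */
 } CK_NSS_MAC_CONSTANT_TIME_PARAMS;
 
+typedef struct CK_NSS_AEAD_PARAMS {
+    CK_BYTE_PTR  pIv;  /* This is the nonce. */
+    CK_ULONG     ulIvLen;
+    CK_BYTE_PTR  pAAD;
+    CK_ULONG     ulAADLen;
+    CK_ULONG     ulTagLen;
+} CK_NSS_AEAD_PARAMS;
+
 /*
  * NSS-defined return values
  *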
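Review bot: CK_NSS_AEAD_PARAMS is a new public parameter block, but only `pIv` has a comment, and nothing states the units or accepted values of `ulIvLen` and `ulTagLen`. The struct just above it marks each field with `/* in */`, and the only caller in this patch (ssl3con.c) passes a nonce length of 8 and a tag length of 16. I would annotate the fields in the same style, e.g. `CK_ULONG ulIvLen; /* in: nonce length in bytes */` and `CK_ULONG ulTagLen; /* in: authentication tag length in bytes */`, and note above the struct which lengths the mechanism accepts. Whether the softoken side rejects other lengths is not visible in this section and is worth confirming.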
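--- a/tests/cipher/cipher.sh
+++ b/tests/cipher/cipher.sh
@@ -107,6 +107,22 @@
   done < ${GCM_TXT}
 }
 
+######################## cipher_chacha20_poly1305 ######################
+# local shell function to test ChaCha20+Poly1305
+########################################################################
+cipher_chacha20_poly1305()
+{
+    EXP_RET=0
+    INPUT_FILE=ChaCha20Poly1305Encrypt.rsp
+    TESTNAME="ChaCha20_Poly1305_Encrypt"
+
+    TESTNAME=`echo $TESTNAME | sed -e "s/_/ /g"`
+    INPUT_FILE=ChaCha20Poly1305Encrypt.rsp
+    echo "pk11gcmtest chacha20 kat poly1305 $GCMTESTDIR/tests/$INPUT_FILE"
+    ${PROFTOOL} ${BINDIR}/pk11gcmtest chacha20 kat poly1305 $GCMTESTDIR/tests/$INPUT_FILE
+    html_msg $? $EXP_RET "$TESTNAME"
+}
+
 ############################## cipher_cleanup ############################
 # local shell function to finish this script (no exit since it might be
 # sourced)
@@ -129,6 +145,7 @@
     return 0
 fi
 cipher_init
-cipher_main
+#cipher_main
-cipher_gcm
+#cipher_gcm
+cipher_chacha20_poly1305
 cipher_cleanup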
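Review bot: The last hunk turns `cipher_main` and `cipher_gcm` into comments, so with this patch the script runs only the new ChaCha20 known-answer test and the existing symmetric-cipher and AES-GCM tests silently stop running. That looks like a local debugging leftover. Keep `cipher_main` and `cipher_gcm` as they were and add `cipher_chacha20_poly1305` after them. In the new function, `INPUT_FILE=ChaCha20Poly1305Encrypt.rsp` is assigned twice and the second assignment can be dropped.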
