diff options
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-06-12 03:36:19 +0000 |
|---|---|---|
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-06-12 03:36:19 +0000 |
| commit | cc4d0d80101c8697a980973217067ab3d4c00cdf (patch) | |
| tree | c3270cda530bef7de6d3b988b4670239bec2d7a6 | |
| parent | Releasing progress-linux version 2:3.100-1~progress7.99u1. (diff) | |
| download | nss-cc4d0d80101c8697a980973217067ab3d4c00cdf.tar.xz nss-cc4d0d80101c8697a980973217067ab3d4c00cdf.zip | |
Merging upstream version 2:3.101.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
159 files changed, 9107 insertions, 41131 deletions
diff --git a/nss/.hg_archival.txt b/nss/.hg_archival.txt index 3181a55..664e6fb 100644 --- a/nss/.hg_archival.txt +++ b/nss/.hg_archival.txt @@ -1,4 +1,4 @@ repo: 9949429068caa6bb8827a8ceeaa7c605d722f47f -node: 09996a932d30c1318c690296c69c0caa25130d52 -branch: NSS_3_100_BRANCH -tag: NSS_3_100_RTM +node: a77ce655e144b18c6a7d286621b121e6bf0f3e3a +branch: NSS_3_101_BRANCH +tag: NSS_3_101_RTM diff --git a/nss/.taskcluster.yml b/nss/.taskcluster.yml index 0edf685..107dc5e 100644 --- a/nss/.taskcluster.yml +++ b/nss/.taskcluster.yml @@ -76,6 +76,16 @@ tasks: features: taskclusterProxy: true + artifacts: + 'public/docker-contexts': + type: 'directory' + path: '/home/worker/docker-contexts' + # This needs to be at least the deadline of the + # decision task + the docker-image task deadlines. + # It is set to a week to allow for some time for + # debugging, but they are not useful long-term. + expires: {$fromNow: '7 day'} + extra: treeherder: symbol: D diff --git a/nss/automation/abi-check/expected-report-libnss3.so.txt b/nss/automation/abi-check/expected-report-libnss3.so.txt index 97f1a7c..09ccd73 100644 --- a/nss/automation/abi-check/expected-report-libnss3.so.txt +++ b/nss/automation/abi-check/expected-report-libnss3.so.txt @@ -1,24 +1,28 @@ +9 Added functions: + + 'function SECOidTag HASH_GetHashOidTagByHMACOidTag(SECOidTag)' {HASH_GetHashOidTagByHMACOidTag@@NSS_3.101} + 'function int PK11_GetMaxKeyLength(CK_MECHANISM_TYPE)' {PK11_GetMaxKeyLength@@NSS_3.101} + 'function SECStatus PK11_ReadDistrustAfterAttribute(PK11SlotInfo*, CK_OBJECT_HANDLE, CK_ATTRIBUTE_TYPE, PRBool*, PRTime*)' {PK11_ReadDistrustAfterAttribute@@NSS_3.101} + 'function SECStatus SECKEY_EnforceKeySize(KeyType, unsigned int, SECErrorCodes)' {SECKEY_EnforceKeySize@@NSS_3.101} + 'function unsigned int SECKEY_PrivateKeyStrengthInBits(const SECKEYPrivateKey*)' {SECKEY_PrivateKeyStrengthInBits@@NSS_3.101} + 'function CK_RSA_PKCS_MGF_TYPE SEC_GetMgfTypeByOidTag(SECOidTag)' {SEC_GetMgfTypeByOidTag@@NSS_3.101} + 'function SECOidTag SEC_PKCS5GetCryptoFromAlgTag(SECOidTag)' {SEC_PKCS5GetCryptoFromAlgTag@@NSS_3.101} + 'function SECOidTag SEC_PKCS5GetHashAlgorithm(SECAlgorithmID*)' {SEC_PKCS5GetHashAlgorithm@@NSS_3.101} + 'function SECOidTag SEC_PKCS5GetHashFromAlgTag(SECOidTag)' {SEC_PKCS5GetHashFromAlgTag@@NSS_3.101} + 1 function with some indirect sub-type change: [C]'function SECStatus CERT_AddOCSPAcceptableResponses(CERTOCSPRequest*, SECOidTag, ...)' at ocsp.c:2202:1 has some indirect sub-type changes: parameter 2 of type 'typedef SECOidTag' has sub-type changes: underlying type 'enum __anonymous_enum__' at secoidt.h:34:1 changed: type size hasn't changed - 10 enumerator insertions: - '__anonymous_enum__::SEC_OID_DHSINGLEPASS_STDDH_SHA1KDF_SCHEME' value '375' - '__anonymous_enum__::SEC_OID_DHSINGLEPASS_STDDH_SHA224KDF_SCHEME' value '376' - '__anonymous_enum__::SEC_OID_DHSINGLEPASS_STDDH_SHA256KDF_SCHEME' value '377' - '__anonymous_enum__::SEC_OID_DHSINGLEPASS_STDDH_SHA384KDF_SCHEME' value '378' - '__anonymous_enum__::SEC_OID_DHSINGLEPASS_STDDH_SHA512KDF_SCHEME' value '379' - '__anonymous_enum__::SEC_OID_DHSINGLEPASS_COFACTORDH_SHA1KDF_SCHEME' value '380' - '__anonymous_enum__::SEC_OID_DHSINGLEPASS_COFACTORDH_SHA224KDF_SCHEME' value '381' - '__anonymous_enum__::SEC_OID_DHSINGLEPASS_COFACTORDH_SHA256KDF_SCHEME' value '382' - '__anonymous_enum__::SEC_OID_DHSINGLEPASS_COFACTORDH_SHA384KDF_SCHEME' value '383' - '__anonymous_enum__::SEC_OID_DHSINGLEPASS_COFACTORDH_SHA512KDF_SCHEME' value '384' + 3 enumerator insertions: + '__anonymous_enum__::SEC_OID_RC2_64_CBC' value '385' + '__anonymous_enum__::SEC_OID_RC2_128_CBC' value '386' + '__anonymous_enum__::SEC_OID_ECDH_KEA' value '387' 1 enumerator change: - '__anonymous_enum__::SEC_OID_TOTAL' from value '375' to '385' at secoidt.h:34:1 - - + '__anonymous_enum__::SEC_OID_TOTAL' from value '385' to '388' at secoidt.h:34:1 + diff --git a/nss/automation/abi-check/expected-report-libnssutil3.so.txt b/nss/automation/abi-check/expected-report-libnssutil3.so.txt index f0d77ef..9caa923 100644 --- a/nss/automation/abi-check/expected-report-libnssutil3.so.txt +++ b/nss/automation/abi-check/expected-report-libnssutil3.so.txt @@ -1,24 +1,27 @@ +7 Added functions: + + 'function SECOidTag HASH_GetHMACOidTagByHashOidTag_Util(SECOidTag)' {HASH_GetHMACOidTagByHashOidTag_Util@@NSSUTIL_3.101} + 'function SECOidTag HASH_GetHashOidTagByHMACOidTag_Util(SECOidTag)' {HASH_GetHashOidTagByHMACOidTag_Util@@NSSUTIL_3.101} + 'function SECOidTag HASH_GetHashOidTagByHashType_Util(HASH_HashType)' {HASH_GetHashOidTagByHashType_Util@@NSSUTIL_3.101} + 'function HASH_HashType HASH_GetHashTypeByOidTag_Util(SECOidTag)' {HASH_GetHashTypeByOidTag_Util@@NSSUTIL_3.101} + 'function SECStatus NSS_GetAlgorithmPolicyAll(PRUint32, PRUint32, SECOidTag**, int*)' {NSS_GetAlgorithmPolicyAll@@NSSUTIL_3.101} + 'function SECStatus NSS_SetAlgorithmPolicyAll(PRUint32, PRUint32)' {NSS_SetAlgorithmPolicyAll@@NSSUTIL_3.101} + 'function SECOidTag SECOID_GetTotalTags()' {SECOID_GetTotalTags@@NSSUTIL_3.101} + 1 function with some indirect sub-type change: - [C]'function SECStatus NSS_GetAlgorithmPolicy(SECOidTag, PRUint32*)' at secoid.c:2336:1 has some indirect sub-type changes: + [C]'function SECStatus NSS_GetAlgorithmPolicy(SECOidTag, PRUint32*)' at secoid.c:2366:1 has some indirect sub-type changes: parameter 1 of type 'typedef SECOidTag' has sub-type changes: underlying type 'enum __anonymous_enum__' at secoidt.h:34:1 changed: type size hasn't changed - 10 enumerator insertions: - '__anonymous_enum__::SEC_OID_DHSINGLEPASS_STDDH_SHA1KDF_SCHEME' value '375' - '__anonymous_enum__::SEC_OID_DHSINGLEPASS_STDDH_SHA224KDF_SCHEME' value '376' - '__anonymous_enum__::SEC_OID_DHSINGLEPASS_STDDH_SHA256KDF_SCHEME' value '377' - '__anonymous_enum__::SEC_OID_DHSINGLEPASS_STDDH_SHA384KDF_SCHEME' value '378' - '__anonymous_enum__::SEC_OID_DHSINGLEPASS_STDDH_SHA512KDF_SCHEME' value '379' - '__anonymous_enum__::SEC_OID_DHSINGLEPASS_COFACTORDH_SHA1KDF_SCHEME' value '380' - '__anonymous_enum__::SEC_OID_DHSINGLEPASS_COFACTORDH_SHA224KDF_SCHEME' value '381' - '__anonymous_enum__::SEC_OID_DHSINGLEPASS_COFACTORDH_SHA256KDF_SCHEME' value '382' - '__anonymous_enum__::SEC_OID_DHSINGLEPASS_COFACTORDH_SHA384KDF_SCHEME' value '383' - '__anonymous_enum__::SEC_OID_DHSINGLEPASS_COFACTORDH_SHA512KDF_SCHEME' value '384' + 3 enumerator insertions: + '__anonymous_enum__::SEC_OID_RC2_64_CBC' value '385' + '__anonymous_enum__::SEC_OID_RC2_128_CBC' value '386' + '__anonymous_enum__::SEC_OID_ECDH_KEA' value '387' 1 enumerator change: - '__anonymous_enum__::SEC_OID_TOTAL' from value '375' to '385' at secoidt.h:34:1 + '__anonymous_enum__::SEC_OID_TOTAL' from value '385' to '388' at secoidt.h:34:1 diff --git a/nss/automation/abi-check/expected-report-libsmime3.so.txt b/nss/automation/abi-check/expected-report-libsmime3.so.txt index a42f62c..4bd55cc 100644 --- a/nss/automation/abi-check/expected-report-libsmime3.so.txt +++ b/nss/automation/abi-check/expected-report-libsmime3.so.txt @@ -1,4 +1,9 @@ +2 Added functions: + + 'function PRBool SEC_PKCS12CipherAllowed(SECOidTag, SECOidTag)' {SEC_PKCS12CipherAllowed@@NSS_3.101} + 'function PRBool SEC_PKCS12IntegrityHashAllowed(SECOidTag, PRBool)' {SEC_PKCS12IntegrityHashAllowed@@NSS_3.101} + 1 function with some indirect sub-type change: [C]'function PK11SymKey* NSS_CMSContentInfo_GetBulkKey(NSSCMSContentInfo*)' at cmscinfo.c:426:1 has some indirect sub-type changes: @@ -10,7 +15,7 @@ type of 'NSSCMSContent NSSCMSContentInfoStr::content' changed: underlying type 'union NSSCMSContentUnion' at cmst.h:113:1 changed: type size hasn't changed - 2 data member changes (2 filtered): + 1 data member changes (3 filtered): type of 'NSSCMSEncryptedData* NSSCMSContentUnion::encryptedData' changed: in pointed to type 'typedef NSSCMSEncryptedData' at cmst.h:65:1: underlying type 'struct NSSCMSEncryptedDataStr' at cmst.h:470:1 changed: @@ -24,89 +29,22 @@ 1 data member change: type of 'SECOidData* NSSCMSAttributeStr::typeTag' changed: in pointed to type 'typedef SECOidData' at secoidt.h:16:1: - underlying type 'struct SECOidDataStr' at secoidt.h:547:1 changed: + underlying type 'struct SECOidDataStr' at secoidt.h:550:1 changed: type size hasn't changed 1 data member change: type of 'SECOidTag SECOidDataStr::offset' changed: underlying type 'enum __anonymous_enum__' at secoidt.h:34:1 changed: type size hasn't changed - 10 enumerator insertions: - '__anonymous_enum__::SEC_OID_DHSINGLEPASS_STDDH_SHA1KDF_SCHEME' value '375' - '__anonymous_enum__::SEC_OID_DHSINGLEPASS_STDDH_SHA224KDF_SCHEME' value '376' - '__anonymous_enum__::SEC_OID_DHSINGLEPASS_STDDH_SHA256KDF_SCHEME' value '377' - '__anonymous_enum__::SEC_OID_DHSINGLEPASS_STDDH_SHA384KDF_SCHEME' value '378' - '__anonymous_enum__::SEC_OID_DHSINGLEPASS_STDDH_SHA512KDF_SCHEME' value '379' - '__anonymous_enum__::SEC_OID_DHSINGLEPASS_COFACTORDH_SHA1KDF_SCHEME' value '380' - '__anonymous_enum__::SEC_OID_DHSINGLEPASS_COFACTORDH_SHA224KDF_SCHEME' value '381' - '__anonymous_enum__::SEC_OID_DHSINGLEPASS_COFACTORDH_SHA256KDF_SCHEME' value '382' - '__anonymous_enum__::SEC_OID_DHSINGLEPASS_COFACTORDH_SHA384KDF_SCHEME' value '383' - '__anonymous_enum__::SEC_OID_DHSINGLEPASS_COFACTORDH_SHA512KDF_SCHEME' value '384' + 3 enumerator insertions: + '__anonymous_enum__::SEC_OID_RC2_64_CBC' value '385' + '__anonymous_enum__::SEC_OID_RC2_128_CBC' value '386' + '__anonymous_enum__::SEC_OID_ECDH_KEA' value '387' 1 enumerator change: - '__anonymous_enum__::SEC_OID_TOTAL' from value '375' to '385' at secoidt.h:34:1 - - - - - - type of 'NSSCMSEnvelopedData* NSSCMSContentUnion::envelopedData' changed: - in pointed to type 'typedef NSSCMSEnvelopedData' at cmst.h:60:1: - underlying type 'struct NSSCMSEnvelopedDataStr' at cmst.h:257:1 changed: - type size hasn't changed - 1 data member changes (2 filtered): - type of 'NSSCMSRecipientInfo** NSSCMSEnvelopedDataStr::recipientInfos' changed: - in pointed to type 'NSSCMSRecipientInfo*': - in pointed to type 'typedef NSSCMSRecipientInfo' at cmst.h:62:1: - underlying type 'struct NSSCMSRecipientInfoStr' at cmst.h:439:1 changed: - type size changed from 1536 to 1664 bits - 3 data member changes: - type of '__anonymous_union__ NSSCMSRecipientInfoStr::ri' changed: - type size changed from 1344 to 1472 bits - 2 data member changes: - type of 'NSSCMSKEKRecipientInfo __anonymous_union__::kekRecipientInfo' changed: - underlying type 'struct NSSCMSKEKRecipientInfoStr' at cmst.h:397:1 changed: - type size hasn't changed - 1 data member change: - type of 'NSSCMSKEKIdentifier NSSCMSKEKRecipientInfoStr::kekIdentifier' changed: - underlying type 'struct NSSCMSKEKIdentifierStr' at cmst.h:390:1 changed: - type size hasn't changed - 1 data member change: - type of 'SECItem* NSSCMSKEKIdentifierStr::other' changed: - in pointed to type 'typedef SECItem' at cmst.h:347:1: - underlying type 'struct SECItemStr' at cmst.h:342:1 changed: - type name changed from 'SECItemStr' to 'NSSCMSOtherKeyAttributeStr' - type size changed from 192 to 384 bits - 2 data member deletions: - 'unsigned char* SECItemStr::data', at offset 64 (in bits) at seccomon.h:52:1 - - 'unsigned int SECItemStr::len', at offset 128 (in bits) at seccomon.h:53:1 - - 1 data member insertion: - 'SECItem NSSCMSOtherKeyAttributeStr::keyAttr', at offset 192 (in bits) at cmst.h:344:1 - 1 data member change: - type of 'SECItemType SECItemStr::type' changed: - underlying type 'enum __anonymous_enum__' at seccomon.h:50:1 changed: - entity changed from 'enum __anonymous_enum__' to 'struct SECItemStr' at seccomon.h:50:1 - type size changed from 32 to 192 bits - type alignment changed from 32 to 0 bits - - - - - type of 'NSSCMSKeyAgreeRecipientInfo __anonymous_union__::keyAgreeRecipientInfo' changed: - underlying type 'struct NSSCMSKeyAgreeRecipientInfoStr' at cmst.h:376:1 changed: - type size changed from 1344 to 1472 bits - 3 data member changes: - type of 'SECItem* NSSCMSKeyAgreeRecipientInfoStr::ukm' changed: - entity changed from 'SECItem*' to 'typedef SECItem' at seccomon.h:48:1 - type size changed from 64 to 192 bits + '__anonymous_enum__::SEC_OID_TOTAL' from value '385' to '388' at secoidt.h:34:1 - 'SECAlgorithmID NSSCMSKeyAgreeRecipientInfoStr::keyEncAlg' offset changed from 896 to 1024 (in bits) (by +128 bits) - 'NSSCMSRecipientEncryptedKey** NSSCMSKeyAgreeRecipientInfoStr::recipientEncryptedKeys' offset changed from 1280 to 1408 (in bits) (by +128 bits) - 'NSSCMSMessage* NSSCMSRecipientInfoStr::cmsg' offset changed from 1408 to 1536 (in bits) (by +128 bits) - 'CERTCertificate* NSSCMSRecipientInfoStr::cert' offset changed from 1472 to 1600 (in bits) (by +128 bits) diff --git a/nss/automation/abi-check/previous-nss-release b/nss/automation/abi-check/previous-nss-release index 335e901..7cbd0f8 100644 --- a/nss/automation/abi-check/previous-nss-release +++ b/nss/automation/abi-check/previous-nss-release @@ -1 +1 @@ -NSS_3_99_BRANCH +NSS_3_100_BRANCH diff --git a/nss/automation/taskcluster/docker-ecckiila/Dockerfile b/nss/automation/taskcluster/docker-ecckiila/Dockerfile deleted file mode 100644 index f51b775..0000000 --- a/nss/automation/taskcluster/docker-ecckiila/Dockerfile +++ /dev/null @@ -1,50 +0,0 @@ -# Minimal image with clang-format 3.9. -FROM ubuntu:bionic-20221215 -LABEL maintainer="iaroslav.gridin@tuni.fi" - -# for new clang/llvm -RUN apt-get update \ - && apt-get install -y --no-install-recommends \ - ca-certificates \ - locales \ - cmake \ - build-essential \ - git \ - clang-10 \ - mercurial \ - unifdef \ - python3-mako \ - libgmp-dev \ - jq \ - python3-setuptools \ - python3-pip \ - python3-dev \ - clang-format-10 \ - && rm -rf /var/lib/apt/lists/* \ - && apt-get autoremove -y && apt-get clean -y - -RUN pip3 install fastecdsa - -ENV SHELL /bin/bash -ENV USER worker -ENV LOGNAME $USER -ENV HOME /home/$USER -ENV HOSTNAME taskcluster-worker -ENV LANG en_US.UTF-8 -ENV LC_ALL $LANG -ENV HOST localhost -ENV DOMSUF localdomain - -RUN locale-gen $LANG \ - && DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales - -RUN useradd -d $HOME -s $SHELL -m $USER -WORKDIR $HOME - -ADD bin $HOME/bin -RUN chmod +x $HOME/bin/* - -USER $USER - -# Set a default command for debugging. -CMD ["/bin/bash", "--login"] diff --git a/nss/automation/taskcluster/docker-ecckiila/bin/checkout.sh b/nss/automation/taskcluster/docker-ecckiila/bin/checkout.sh deleted file mode 100755 index 2a7d32c..0000000 --- a/nss/automation/taskcluster/docker-ecckiila/bin/checkout.sh +++ /dev/null @@ -1,25 +0,0 @@ -#!/usr/bin/env bash - -set -v -e -x - -if [ $(id -u) = 0 ]; then - # Drop privileges by re-running this script. - exec su worker $0 -fi - -# Default values for testing. -REVISION=${NSS_HEAD_REVISION:-default} -REPOSITORY=${NSS_HEAD_REPOSITORY:-https://hg.mozilla.org/projects/nss} - -# Clone NSS. -hg clone -r $REVISION $REPOSITORY nss - -# Clone NSPR if needed. -hg clone -r default https://hg.mozilla.org/projects/nspr - -if [[ -f nss/nspr.patch && "$ALLOW_NSPR_PATCH" == "1" ]]; then - pushd nspr - cat ../nss/nspr.patch | patch -p1 - popd -fi - diff --git a/nss/automation/taskcluster/docker-ecckiila/bin/ecckiila.sh b/nss/automation/taskcluster/docker-ecckiila/bin/ecckiila.sh deleted file mode 100755 index e9549b2..0000000 --- a/nss/automation/taskcluster/docker-ecckiila/bin/ecckiila.sh +++ /dev/null @@ -1,10 +0,0 @@ -#!/usr/bin/env bash - -set -v -e -x - -if [ $(id -u) = 0 ]; then - # Drop privileges by re-running this script. - exec su worker $0 -fi - -git clone --depth=1 https://gitlab.com/nisec/ecckiila.git diff --git a/nss/automation/taskcluster/docker-ecckiila/bin/run.sh b/nss/automation/taskcluster/docker-ecckiila/bin/run.sh deleted file mode 100755 index f7d507f..0000000 --- a/nss/automation/taskcluster/docker-ecckiila/bin/run.sh +++ /dev/null @@ -1,14 +0,0 @@ -#!/bin/bash -eu -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. -# -################################################################################ - -set -e -x -v - -cd $HOME/ecckiila -cp $HOME/nss/.clang-format ./ -for c in secp384r1 secp521r1; do (cd ecp/$c && cmake . && make && unifdef ecp_$c.c -DRIG_NULL -URIG_NSS -URIG_GOST -UOPENSSL_BUILDING_OPENSSL -UKIILA_OPENSSL_EMIT_CURVEDEF -UKIILA_UNUSED -UOPENSSL_NO_ASM -ULIB_TEST -x2 > tmp_ecp_$c.c && clang-format-10 -i tmp_ecp_$c.c && diff $HOME/nss/lib/freebl/ecl/ecp_$c.c tmp_ecp_$c.c); done; - diff --git a/nss/automation/taskcluster/graph/package.json b/nss/automation/taskcluster/graph/package.json index 7bf52b9..66b3aeb 100644 --- a/nss/automation/taskcluster/graph/package.json +++ b/nss/automation/taskcluster/graph/package.json @@ -19,6 +19,7 @@ "merge": "^1.2.0", "minimist": "^1.2.0", "slugid": "^1.1.0", + "tar": "^6.2.1", "taskcluster-client": "^22.0.0" } } diff --git a/nss/automation/taskcluster/graph/src/context_hash.js b/nss/automation/taskcluster/graph/src/context_hash.js index 0699a05..b1ad5bc 100644 --- a/nss/automation/taskcluster/graph/src/context_hash.js +++ b/nss/automation/taskcluster/graph/src/context_hash.js @@ -16,6 +16,10 @@ function sha256(data) { // Recursively collect a list of all files of a given directory. function collectFilesInDirectory(dir) { + if (fs.lstatSync(dir).isFile()) { + return [dir]; + } + return flatmap(fs.readdirSync(dir), entry => { let entry_path = path.join(dir, entry); @@ -40,8 +44,8 @@ function collectFileHashes(context_path) { // Compute a context hash for the given context path. export default function (context_path) { - // Regenerate all images when the image_builder changes. - let hashes = collectFileHashes("automation/taskcluster/image_builder"); + // Regenerate when image_builder.js changes + let hashes = collectFileHashes("automation/taskcluster/graph/src/image_builder.js"); // Regenerate images when the image itself changes. hashes = hashes.concat(collectFileHashes(context_path)); diff --git a/nss/automation/taskcluster/graph/src/extend.js b/nss/automation/taskcluster/graph/src/extend.js index 318d935..740073b 100644 --- a/nss/automation/taskcluster/graph/src/extend.js +++ b/nss/automation/taskcluster/graph/src/extend.js @@ -20,11 +20,6 @@ const ACVP_IMAGE = { path: "automation/taskcluster/docker-acvp" }; -const ECCKIILA_IMAGE = { - name: "ecckiila", - path: "automation/taskcluster/docker-ecckiila" -}; - const CLANG_FORMAT_IMAGE = { name: "clang-format", path: "automation/taskcluster/docker-clang-format" @@ -1181,17 +1176,6 @@ async function scheduleTools() { })); queue.scheduleTask(merge(base, { - symbol: "ecckiila", - name: "ecckiila", - image: ECCKIILA_IMAGE, - command: [ - "/bin/bash", - "-c", - "bin/checkout.sh && bin/ecckiila.sh && bin/run.sh" - ] - })); - - queue.scheduleTask(merge(base, { symbol: "Coverage", name: "Coverage", image: FUZZ_IMAGE, diff --git a/nss/automation/taskcluster/graph/src/image_builder.js b/nss/automation/taskcluster/graph/src/image_builder.js index 7f7e762..a61d7b8 100644 --- a/nss/automation/taskcluster/graph/src/image_builder.js +++ b/nss/automation/taskcluster/graph/src/image_builder.js @@ -6,6 +6,9 @@ import * as queue from "./queue"; import context_hash from "./context_hash"; import taskcluster from "taskcluster-client"; +const fs = require("fs"); +const tar = require("tar"); + async function taskHasImageArtifact(taskId) { let queue = new taskcluster.Queue(taskcluster.fromEnvVars()); let {artifacts} = await queue.listLatestArtifacts(taskId); @@ -28,32 +31,37 @@ export async function findTask({name, path}) { export async function buildTask({name, path}) { let hash = await context_hash(path); let ns = `docker.images.v1.${process.env.TC_PROJECT}.${name}.hash.${hash}`; + let fullPath = "/home/worker/nss/" + path + let contextName = name + ".tar.gz"; + let contextRoot = "/home/worker/docker-contexts/"; + let contextPath = contextRoot + contextName; + + if (!fs.existsSync(contextRoot)) { + fs.mkdirSync(contextRoot); + } + + await tar.create({gzip: true, file: contextPath, cwd: fullPath}, ["."]); return { name: `Image Builder (${name})`, - image: "nssdev/image_builder:0.1.5", + image: "mozillareleases/image_builder:5.0.0", + workerType: "images-gcp", routes: ["index." + ns], env: { - NSS_HEAD_REPOSITORY: process.env.NSS_HEAD_REPOSITORY, - NSS_HEAD_REVISION: process.env.NSS_HEAD_REVISION, - PROJECT: process.env.TC_PROJECT, - CONTEXT_PATH: path, + IMAGE_NAME: name, + CONTEXT_PATH: "public/docker-contexts/" + contextName, + CONTEXT_TASK_ID: process.env.TASK_ID, HASH: hash }, artifacts: { "public/image.tar.zst": { type: "file", expires: 24 * 90, - path: "/artifacts/image.tar.zst" + path: "/workspace/image.tar.zst" } }, - command: [ - "/bin/bash", - "-c", - "bin/checkout.sh && nss/automation/taskcluster/scripts/build_image.sh" - ], platform: "nss-decision", - features: ["dind"], + features: ["allowPtrace", "chainOfTrust"], maxRunTime: 7200, kind: "build", symbol: `I(${name})` diff --git a/nss/automation/taskcluster/graph/src/queue.js b/nss/automation/taskcluster/graph/src/queue.js index 1baa604..2a69347 100644 --- a/nss/automation/taskcluster/graph/src/queue.js +++ b/nss/automation/taskcluster/graph/src/queue.js @@ -107,6 +107,10 @@ function convertTask(def) { if (def.parents) { dependencies = dependencies.concat(def.parents); } + if (dependencies.length === 0) { + // If task has no dependencies, make it depend on the Decision task. + dependencies.push(process.env.TASK_ID); + } if (def.tests) { env.NSS_TESTS = def.tests; diff --git a/nss/automation/taskcluster/graph/src/try_syntax.js b/nss/automation/taskcluster/graph/src/try_syntax.js index 591cea6..7328649 100644 --- a/nss/automation/taskcluster/graph/src/try_syntax.js +++ b/nss/automation/taskcluster/graph/src/try_syntax.js @@ -57,7 +57,7 @@ function parseOptions(opts) { } // Parse tools. - let allTools = ["clang-format", "scan-build", "hacl", "acvp", "ecckiila", "saw", "abi", "coverage"]; + let allTools = ["clang-format", "scan-build", "hacl", "acvp", "saw", "abi", "coverage"]; let tools = intersect(opts.tools.split(/\s*,\s*/), allTools); // If the given value is "all" run all tools. diff --git a/nss/automation/taskcluster/image_builder/Dockerfile b/nss/automation/taskcluster/image_builder/Dockerfile deleted file mode 100644 index f8b4edc..0000000 --- a/nss/automation/taskcluster/image_builder/Dockerfile +++ /dev/null @@ -1,23 +0,0 @@ -FROM ubuntu:16.04 -MAINTAINER Tim Taubert <ttaubert@mozilla.com> - -WORKDIR /home/worker - -ENV DEBIAN_FRONTEND noninteractive - -RUN apt-get update && apt-get install -y apt-transport-https apt-utils -RUN apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 36A1D7869245C8950F966E92D8576A8BA88D21E9 && \ - sh -c "echo deb https://get.docker.io/ubuntu docker main \ - > /etc/apt/sources.list.d/docker.list" -RUN apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 41BD8711B1F0EC2B0D85B91CF59CE3A8323293EE && \ - sh -c "echo deb http://ppa.launchpad.net/mercurial-ppa/releases/ubuntu xenial main \ - > /etc/apt/sources.list.d/mercurial.list" -RUN apt-get update && apt-get install -y \ - lxc-docker-1.6.1 \ - mercurial - -ADD bin /home/worker/bin -RUN chmod +x /home/worker/bin/* - -# Set a default command useful for debugging -CMD ["/bin/bash", "--login"] diff --git a/nss/automation/taskcluster/image_builder/VERSION b/nss/automation/taskcluster/image_builder/VERSION deleted file mode 100644 index 9faa1b7..0000000 --- a/nss/automation/taskcluster/image_builder/VERSION +++ /dev/null @@ -1 +0,0 @@ -0.1.5 diff --git a/nss/automation/taskcluster/image_builder/bin/checkout.sh b/nss/automation/taskcluster/image_builder/bin/checkout.sh deleted file mode 100644 index 0cdd2ac..0000000 --- a/nss/automation/taskcluster/image_builder/bin/checkout.sh +++ /dev/null @@ -1,15 +0,0 @@ -#!/usr/bin/env bash - -set -v -e -x - -# Default values for testing. -REVISION=${NSS_HEAD_REVISION:-default} -REPOSITORY=${NSS_HEAD_REPOSITORY:-https://hg.mozilla.org/projects/nss} - -# Clone NSS. -for i in 0 2 5; do - sleep $i - hg clone -r $REVISION $REPOSITORY nss && exit 0 - rm -rf nss -done -exit 1 diff --git a/nss/automation/taskcluster/scripts/build_image.sh b/nss/automation/taskcluster/scripts/build_image.sh deleted file mode 100755 index 3a469cf..0000000 --- a/nss/automation/taskcluster/scripts/build_image.sh +++ /dev/null @@ -1,27 +0,0 @@ -#!/bin/bash -vex - -set -x -e -v - -# Prefix errors with taskcluster error prefix so that they are parsed by Treeherder -raise_error() { - echo - echo "[taskcluster-image-build:error] $1" - exit 1 -} - -# Ensure that the PROJECT is specified so the image can be indexed -test -n "$PROJECT" || raise_error "Project must be provided." -test -n "$HASH" || raise_error "Context Hash must be provided." - -CONTEXT_PATH="/home/worker/nss/$CONTEXT_PATH" - -test -d "$CONTEXT_PATH" || raise_error "Context Path $CONTEXT_PATH does not exist." -test -f "$CONTEXT_PATH/Dockerfile" || raise_error "Dockerfile must be present in $CONTEXT_PATH." - -apt-get update -apt-get -y install zstd - -docker build -t "$PROJECT:$HASH" "$CONTEXT_PATH" - -mkdir /artifacts -docker save "$PROJECT:$HASH" | zstd > /artifacts/image.tar.zst diff --git a/nss/automation/taskcluster/scripts/run_hacl.sh b/nss/automation/taskcluster/scripts/run_hacl.sh index f2c20a0..462696e 100755 --- a/nss/automation/taskcluster/scripts/run_hacl.sh +++ b/nss/automation/taskcluster/scripts/run_hacl.sh @@ -29,6 +29,7 @@ find . -type f -name '*.[ch]' -exec clang-format -i {} \+ # It was implemented like this due to not uniqueness of the names in the verified folders # For instance, the files Hacl_Chacha20.h are present in both directories, but the content differs. +# TODO(Bug 1899443): remove these exceptions files=($(find ~/nss/lib/freebl/verified/internal -type f -name '*.[ch]')) for f in "${files[@]}"; do file_name=$(basename "$f") @@ -37,7 +38,7 @@ for f in "${files[@]}"; do -o $file_name == "Hacl_Ed25519_PrecompTable.h" ] then continue; - fi + fi diff $hacl_file $f done @@ -45,12 +46,11 @@ files=($(find ~/nss/lib/freebl/verified/ -type f -name '*.[ch]' -not -path "*/fr for f in "${files[@]}"; do file_name=$(basename "$f") hacl_file=($(find ~/hacl-star/dist/mozilla/ ~/hacl-star/dist/karamel/ -type f -name $file_name -not -path "*/hacl-star/dist/mozilla/internal/*")) - # TODO(Bug 1854438): Remove P384 exception. - # TODO(Bug 1854439): Remove P521 exception. if [ $file_name == "Hacl_P384.c" \ -o $file_name == "Hacl_P384.h" \ -o $file_name == "Hacl_P521.c" \ - -o $file_name == "Hacl_P521.h" ] + -o $file_name == "Hacl_P521.h" \ + -o $file_name == "target.h" ] then continue; fi @@ -110,4 +110,4 @@ for f in "${files[@]}"; do continue; fi diff $hacl_file $f -done
\ No newline at end of file +done diff --git a/nss/cmd/certutil/certutil.c b/nss/cmd/certutil/certutil.c index 07b1ea5..68337af 100644 --- a/nss/cmd/certutil/certutil.c +++ b/nss/cmd/certutil/certutil.c @@ -1038,6 +1038,7 @@ DeleteCertAndKey(char *nickname, secuPWData *pwdata) if (rv != SECSuccess) { SECU_PrintError(progName, "could not authenticate to token %s.", PK11_GetTokenName(slot)); + PK11_FreeSlot(slot); return SECFailure; } } diff --git a/nss/cmd/ecperf/ecperf.c b/nss/cmd/ecperf/ecperf.c index a07004d..4a0be5a 100644 --- a/nss/cmd/ecperf/ecperf.c +++ b/nss/cmd/ecperf/ecperf.c @@ -207,37 +207,20 @@ M_TimeOperation(void (*threadFunc)(void *), } /* Test curve using specific field arithmetic. */ -#define ECTEST_NAMED_GFP(name_c, name_v) \ - if (usefreebl) { \ - printf("Testing %s using freebl implementation...\n", name_c); \ - rv = ectest_curve_freebl(name_v, iterations, numThreads, ec_field_GFp); \ - if (rv != SECSuccess) \ - goto cleanup; \ - printf("... okay.\n"); \ - } \ - if (usepkcs11) { \ - printf("Testing %s using pkcs11 implementation...\n", name_c); \ - rv = ectest_curve_pkcs11(name_v, iterations, numThreads); \ - if (rv != SECSuccess) \ - goto cleanup; \ - printf("... okay.\n"); \ - } - -/* Test curve using specific field arithmetic. */ -#define ECTEST_NAMED_CUSTOM(name_c, name_v) \ - if (usefreebl) { \ - printf("Testing %s using freebl implementation...\n", name_c); \ - rv = ectest_curve_freebl(name_v, iterations, numThreads, ec_field_plain); \ - if (rv != SECSuccess) \ - goto cleanup; \ - printf("... okay.\n"); \ - } \ - if (usepkcs11) { \ - printf("Testing %s using pkcs11 implementation...\n", name_c); \ - rv = ectest_curve_pkcs11(name_v, iterations, numThreads); \ - if (rv != SECSuccess) \ - goto cleanup; \ - printf("... okay.\n"); \ +#define ECTEST_NAMED(name_c, name_v) \ + if (usefreebl) { \ + printf("Testing %s using freebl implementation...\n", name_c); \ + rv = ectest_curve_freebl(name_v, iterations, numThreads); \ + if (rv != SECSuccess) \ + goto cleanup; \ + printf("... okay.\n"); \ + } \ + if (usepkcs11) { \ + printf("Testing %s using pkcs11 implementation...\n", name_c); \ + rv = ectest_curve_pkcs11(name_v, iterations, numThreads); \ + if (rv != SECSuccess) \ + goto cleanup; \ + printf("... okay.\n"); \ } #define PK11_SETATTRS(x, id, v, l) \ @@ -455,8 +438,7 @@ ECDH_DeriveWrap(ECPrivateKey *priv, ECPublicKey *pub, int *dummy) * If tests fail, then it prints an error message, aborts, and returns an * error code. Otherwise, returns 0. */ SECStatus -ectest_curve_freebl(ECCurveName curve, int iterations, int numThreads, - ECFieldType fieldType) +ectest_curve_freebl(ECCurveName curve, int iterations, int numThreads) { ECParams ecParams = { 0 }; ECPrivateKey *ecPriv = NULL; @@ -620,10 +602,10 @@ main(int argv, char **argc) /* specific arithmetic tests */ if (nist) { - ECTEST_NAMED_GFP("NIST-P256", ECCurve_NIST_P256); - ECTEST_NAMED_GFP("NIST-P384", ECCurve_NIST_P384); - ECTEST_NAMED_GFP("NIST-P521", ECCurve_NIST_P521); - ECTEST_NAMED_CUSTOM("Curve25519", ECCurve25519); + ECTEST_NAMED("NIST-P256", ECCurve_NIST_P256); + ECTEST_NAMED("NIST-P384", ECCurve_NIST_P384); + ECTEST_NAMED("NIST-P521", ECCurve_NIST_P521); + ECTEST_NAMED("Curve25519", ECCurve25519); } cleanup: diff --git a/nss/cmd/fbectest/fbectest.c b/nss/cmd/fbectest/fbectest.c index 1c8f4c0..f4f99bc 100644 --- a/nss/cmd/fbectest/fbectest.c +++ b/nss/cmd/fbectest/fbectest.c @@ -20,14 +20,12 @@ typedef struct { char *their_pubhex; char *common_key; char *name; - ECFieldType fieldType; } ECDH_KAT; typedef struct { ECCurveName curve; char *point; char *name; - ECFieldType fieldType; } ECDH_BAD; #include "testvecs.h" @@ -49,8 +47,7 @@ printBuf(const SECItem *item) /* Initialise test with basic curve populate with only the necessary things */ SECStatus -init_params(ECParams *ecParams, ECCurveName curve, PLArenaPool **arena, - ECFieldType type) +init_params(ECParams *ecParams, ECCurveName curve, PLArenaPool **arena) { if ((curve < ECCurve_noName) || (curve > ECCurve_pastLastCurve)) { return SECFailure; @@ -69,7 +66,7 @@ init_params(ECParams *ecParams, ECCurveName curve, PLArenaPool **arena, ecParams->DEREncoding.len = 0; ecParams->arena = *arena; ecParams->fieldID.size = ecCurve_map[curve]->size; - ecParams->fieldID.type = type; + ecParams->fieldID.type = ec_field_plain; ecParams->cofactor = ecCurve_map[curve]->cofactor; return SECSuccess; @@ -173,7 +170,7 @@ ectest_validate_point(ECDH_BAD *bad) SECStatus rv = SECFailure; PLArenaPool *arena = NULL; - rv = init_params(&ecParams, bad->curve, &arena, bad->fieldType); + rv = init_params(&ecParams, bad->curve, &arena); if (rv != SECSuccess) { return rv; } diff --git a/nss/cmd/fbectest/testvecs.h b/nss/cmd/fbectest/testvecs.h index e66a2bf..2ed73b4 100644 --- a/nss/cmd/fbectest/testvecs.h +++ b/nss/cmd/fbectest/testvecs.h @@ -4,175 +4,175 @@ static ECDH_KAT ecdh_testvecs[] = { "04ead218590119e8876b29146ff89ca61770c4edbbf97d38ce385ed281d8a6b23028af61281fd35e2fa7002523acc85a429cb06ee6648325389f59edfce1405141", "04700c48f77f56584c5cc632ca65640db91b6bacce3a4df6b42ce7cc838833d287db71e509e3fd9b060ddb20ba5c51dcc5948d46fbf640dfe0441782cab85fa4ac", "46fc62106420ff012e54a434fbdd2d25ccc5852060561e68040dd7778997bd7b", - "curve: P256 vector: 0", ec_field_GFp }, + "curve: P256 vector: 0" }, { ECCurve_NIST_P256, 1, "38f65d6dce47676044d58ce5139582d568f64bb16098d179dbab07741dd5caf5", "04119f2f047902782ab0c9e27a54aff5eb9b964829ca99c06b02ddba95b0a3f6d08f52b726664cac366fc98ac7a012b2682cbd962e5acb544671d41b9445704d1d", "04809f04289c64348c01515eb03d5ce7ac1a8cb9498f5caa50197e58d43a86a7aeb29d84e811197f25eba8f5194092cb6ff440e26d4421011372461f579271cda3", "057d636096cb80b67a8c038c890e887d1adfa4195e9b3ce241c8a778c59cda67", - "curve: P256 vector: 1", ec_field_GFp }, + "curve: P256 vector: 1" }, { ECCurve_NIST_P256, 1, "1accfaf1b97712b85a6f54b148985a1bdc4c9bec0bd258cad4b3d603f49f32c8", "04d9f2b79c172845bfdb560bbb01447ca5ecc0470a09513b6126902c6b4f8d1051f815ef5ec32128d3487834764678702e64e164ff7315185e23aff5facd96d7bc", "04a2339c12d4a03c33546de533268b4ad667debf458b464d77443636440ee7fec3ef48a3ab26e20220bcda2c1851076839dae88eae962869a497bf73cb66faf536", "2d457b78b4614132477618a5b077965ec90730a8c81a1c75d6d4ec68005d67ec", - "curve: P256 vector: 2", ec_field_GFp }, + "curve: P256 vector: 2" }, { ECCurve_NIST_P256, 1, "207c43a79bfee03db6f4b944f53d2fb76cc49ef1c9c4d34d51b6c65c4db6932d", "0424277c33f450462dcb3d4801d57b9ced05188f16c28eda873258048cd1607e0dc4789753e2b1f63b32ff014ec42cd6a69fac81dfe6d0d6fd4af372ae27c46f88", "04df3989b9fa55495719b3cf46dccd28b5153f7808191dd518eff0c3cff2b705ed422294ff46003429d739a33206c8752552c8ba54a270defc06e221e0feaf6ac4", "96441259534b80f6aee3d287a6bb17b5094dd4277d9e294f8fe73e48bf2a0024", - "curve: P256 vector: 3", ec_field_GFp }, + "curve: P256 vector: 3" }, { ECCurve_NIST_P256, 1, "59137e38152350b195c9718d39673d519838055ad908dd4757152fd8255c09bf", "04a8c5fdce8b62c5ada598f141adb3b26cf254c280b2857a63d2ad783a73115f6b806e1aafec4af80a0d786b3de45375b517a7e5b51ffb2c356537c9e6ef227d4a", "0441192d2813e79561e6a1d6f53c8bc1a433a199c835e141b05a74a97b0faeb9221af98cc45e98a7e041b01cf35f462b7562281351c8ebf3ffa02e33a0722a1328", "19d44c8d63e8e8dd12c22a87b8cd4ece27acdde04dbf47f7f27537a6999a8e62", - "curve: P256 vector: 4", ec_field_GFp }, + "curve: P256 vector: 4" }, { ECCurve_NIST_P256, 1, "f5f8e0174610a661277979b58ce5c90fee6c9b3bb346a90a7196255e40b132ef", "047b861dcd2844a5a8363f6b8ef8d493640f55879217189d80326aad9480dfc149c4675b45eeb306405f6c33c38bc69eb2bdec9b75ad5af4706aab84543b9cc63a", "0433e82092a0f1fb38f5649d5867fba28b503172b7035574bf8e5b7100a3052792f2cf6b601e0a05945e335550bf648d782f46186c772c0f20d3cd0d6b8ca14b2f", "664e45d5bba4ac931cd65d52017e4be9b19a515f669bea4703542a2c525cd3d3", - "curve: P256 vector: 5", ec_field_GFp }, + "curve: P256 vector: 5" }, { ECCurve_NIST_P256, 1, "3b589af7db03459c23068b64f63f28d3c3c6bc25b5bf76ac05f35482888b5190", "049fb38e2d58ea1baf7622e96720101cae3cde4ba6c1e9fa26d9b1de0899102863d5561b900406edf50802dd7d73e89395f8aed72fba0e1d1b61fe1d22302260f0", "046a9e0c3f916e4e315c91147be571686d90464e8bf981d34a90b6353bca6eeba740f9bead39c2f2bcc2602f75b8a73ec7bdffcbcead159d0174c6c4d3c5357f05", "ca342daa50dc09d61be7c196c85e60a80c5cb04931746820be548cdde055679d", - "curve: P256 vector: 6", ec_field_GFp }, + "curve: P256 vector: 6" }, { ECCurve_NIST_P256, 1, "d8bf929a20ea7436b2461b541a11c80e61d826c0a4c9d322b31dd54e7f58b9c8", "0420f07631e4a6512a89ad487c4e9d63039e579cb0d7a556cb9e661cd59c1e7fa46de91846b3eee8a5ec09c2ab1f41e21bd83620ccdd1bdce3ab7ea6e02dd274f5", "04a9c0acade55c2a73ead1a86fb0a9713223c82475791cd0e210b046412ce224bbf6de0afa20e93e078467c053d241903edad734c6b403ba758c2b5ff04c9d4229", "35aa9b52536a461bfde4e85fc756be928c7de97923f0416c7a3ac8f88b3d4489", - "curve: P256 vector: 7", ec_field_GFp }, + "curve: P256 vector: 7" }, { ECCurve_NIST_P256, 1, "0f9883ba0ef32ee75ded0d8bda39a5146a29f1f2507b3bd458dbea0b2bb05b4d", "04abb61b423be5d6c26e21c605832c9142dc1dfe5a5fff28726737936e6fbf516d733d2513ef58beab202090586fac91bf0fee31e80ab33473ab23a2d89e58fad6", "0494e94f16a98255fff2b9ac0c9598aac35487b3232d3231bd93b7db7df36f9eb9d8049a43579cfa90b8093a94416cbefbf93386f15b3f6e190b6e3455fedfe69a", "605c16178a9bc875dcbff54d63fe00df699c03e8a888e9e94dfbab90b25f39b4", - "curve: P256 vector: 8", ec_field_GFp }, + "curve: P256 vector: 8" }, { ECCurve_NIST_P256, 1, "2beedb04b05c6988f6a67500bb813faf2cae0d580c9253b6339e4a3337bb6c08", "043d63e429cb5fa895a9247129bf4e48e89f35d7b11de8158efeb3e106a2a873950cae9e477ef41e7c8c1064379bb7b554ddcbcae79f9814281f1e50f0403c61f3", "04e099bf2a4d557460b5544430bbf6da11004d127cb5d67f64ab07c94fcdf5274fd9c50dbe70d714edb5e221f4e020610eeb6270517e688ca64fb0e98c7ef8c1c5", "f96e40a1b72840854bb62bc13c40cc2795e373d4e715980b261476835a092e0b", - "curve: P256 vector: 9", ec_field_GFp }, + "curve: P256 vector: 9" }, { ECCurve_NIST_P256, 1, "77c15dcf44610e41696bab758943eff1409333e4d5a11bbe72c8f6c395e9f848", "04ad5d13c3db508ddcd38457e5991434a251bed49cf5ddcb59cdee73865f138c9f62cec1e70588aa4fdfc7b9a09daa678081c04e1208b9d662b8a2214bf8e81a21", "04f75a5fe56bda34f3c1396296626ef012dc07e4825838778a645c8248cff0165833bbdf1b1772d8059df568b061f3f1122f28a8d819167c97be448e3dc3fb0c3c", "8388fa79c4babdca02a8e8a34f9e43554976e420a4ad273c81b26e4228e9d3a3", - "curve: P256 vector: 10", ec_field_GFp }, + "curve: P256 vector: 10" }, { ECCurve_NIST_P256, 1, "42a83b985011d12303db1a800f2610f74aa71cdf19c67d54ce6c9ed951e9093e", "04ab48caa61ea35f13f8ed07ffa6a13e8db224dfecfae1a7df8b1bb6ebaf0cb97d1274530ca2c385a3218bddfbcbf0b4024c9badd5243bff834ebff24a8618dccb", "042db4540d50230756158abf61d9835712b6486c74312183ccefcaef2797b7674d62f57f314e3f3495dc4e099012f5e0ba71770f9660a1eada54104cdfde77243e", "72877cea33ccc4715038d4bcbdfe0e43f42a9e2c0c3b017fc2370f4b9acbda4a", - "curve: P256 vector: 11", ec_field_GFp }, + "curve: P256 vector: 11" }, { ECCurve_NIST_P256, 1, "ceed35507b5c93ead5989119b9ba342cfe38e6e638ba6eea343a55475de2800b", "049a8cd9bd72e71752df91440f77c547509a84df98114e7de4f26cdb39234a625dd07cfc84c8e144fab2839f5189bb1d7c88631d579bbc58012ed9a2327da52f62", "04cd94fc9497e8990750309e9a8534fd114b0a6e54da89c4796101897041d14ecbc3def4b5fe04faee0a11932229fff563637bfdee0e79c6deeaf449f85401c5c4", "e4e7408d85ff0e0e9c838003f28cdbd5247cdce31f32f62494b70e5f1bc36307", - "curve: P256 vector: 12", ec_field_GFp }, + "curve: P256 vector: 12" }, { ECCurve_NIST_P256, 1, "43e0e9d95af4dc36483cdd1968d2b7eeb8611fcce77f3a4e7d059ae43e509604", "04f989cf8ee956a82e7ebd9881cdbfb2fd946189b08db53559bc8cfdd48071eb145eff28f1a18a616b04b7d337868679f6dd84f9a7b3d7b6f8af276c19611a541d", "0415b9e467af4d290c417402e040426fe4cf236bae72baa392ed89780dfccdb471cdf4e9170fb904302b8fd93a820ba8cc7ed4efd3a6f2d6b05b80b2ff2aee4e77", "ed56bcf695b734142c24ecb1fc1bb64d08f175eb243a31f37b3d9bb4407f3b96", - "curve: P256 vector: 13", ec_field_GFp }, + "curve: P256 vector: 13" }, { ECCurve_NIST_P256, 1, "b2f3600df3368ef8a0bb85ab22f41fc0e5f4fdd54be8167a5c3cd4b08db04903", "0469c627625b36a429c398b45c38677cb35d8beb1cf78a571e40e99fe4eac1cd4e81690112b0a88f20f7136b28d7d47e5fbc2ada3c8edd87589bc19ec9590637bd", "0449c503ba6c4fa605182e186b5e81113f075bc11dcfd51c932fb21e951eee2fa18af706ff0922d87b3f0c5e4e31d8b259aeb260a9269643ed520a13bb25da5924", "bc5c7055089fc9d6c89f83c1ea1ada879d9934b2ea28fcf4e4a7e984b28ad2cf", - "curve: P256 vector: 14", ec_field_GFp }, + "curve: P256 vector: 14" }, { ECCurve_NIST_P256, 1, "4002534307f8b62a9bf67ff641ddc60fef593b17c3341239e95bdb3e579bfdc8", "045fe964671315a18aa68a2a6e3dd1fde7e23b8ce7181471cfac43c99e1ae80262d5827be282e62c84de531b963884ba832db5d6b2c3a256f0e604fe7e6b8a7f72", "0419b38de39fdd2f70f7091631a4f75d1993740ba9429162c2a45312401636b29c09aed7232b28e060941741b6828bcdfa2bc49cc844f3773611504f82a390a5ae", "9a4e8e657f6b0e097f47954a63c75d74fcba71a30d83651e3e5a91aa7ccd8343", - "curve: P256 vector: 15", ec_field_GFp }, + "curve: P256 vector: 15" }, { ECCurve_NIST_P256, 1, "4dfa12defc60319021b681b3ff84a10a511958c850939ed45635934ba4979147", "04c9b2b8496f1440bd4a2d1e52752fd372835b364885e154a7dac49295f281ec7cfbe6b926a8a4de26ccc83b802b1212400754be25d9f3eeaf008b09870ae76321", "042c91c61f33adfe9311c942fdbff6ba47020feff416b7bb63cec13faf9b0999546cab31b06419e5221fca014fb84ec870622a1b12bab5ae43682aa7ea73ea08d0", "3ca1fc7ad858fb1a6aba232542f3e2a749ffc7203a2374a3f3d3267f1fc97b78", - "curve: P256 vector: 16", ec_field_GFp }, + "curve: P256 vector: 16" }, { ECCurve_NIST_P256, 1, "1331f6d874a4ed3bc4a2c6e9c74331d3039796314beee3b7152fcdba5556304e", "0459e1e101521046ad9cf1d082e9d2ec7dd22530cce064991f1e55c5bcf5fcb591482f4f673176c8fdaa0bb6e59b15a3e47454e3a04297d3863c9338d98add1f37", "04a28a2edf58025668f724aaf83a50956b7ac1cfbbff79b08c3bf87dfd2828d767dfa7bfffd4c766b86abeaf5c99b6e50cb9ccc9d9d00b7ffc7804b0491b67bc03", "1aaabe7ee6e4a6fa732291202433a237df1b49bc53866bfbe00db96a0f58224f", - "curve: P256 vector: 17", ec_field_GFp }, + "curve: P256 vector: 17" }, { ECCurve_NIST_P256, 1, "dd5e9f70ae740073ca0204df60763fb6036c45709bf4a7bb4e671412fad65da3", "0430b9db2e2e977bcdc98cb87dd736cbd8e78552121925cf16e1933657c2fb23146a45028800b81291bce5c2e1fed7ded650620ebbe6050c6f3a7f0dfb4673ab5c", "04a2ef857a081f9d6eb206a81c4cf78a802bdf598ae380c8886ecd85fdc1ed7644563c4c20419f07bc17d0539fade1855e34839515b892c0f5d26561f97fa04d1a", "430e6a4fba4449d700d2733e557f66a3bf3d50517c1271b1ddae1161b7ac798c", - "curve: P256 vector: 18", ec_field_GFp }, + "curve: P256 vector: 18" }, { ECCurve_NIST_P256, 1, "5ae026cfc060d55600717e55b8a12e116d1d0df34af831979057607c2d9c2f76", "0446c9ebd1a4a3c8c0b6d572b5dcfba12467603208a9cb5d2acfbb733c40cf639146c913a27d044185d38b467ace011e04d4d9bbbb8cb9ae25fa92aaf15a595e86", "04ccd8a2d86bc92f2e01bce4d6922cf7fe1626aed044685e95e2eebd464505f01fe9ddd583a9635a667777d5b8a8f31b0f79eba12c75023410b54b8567dddc0f38", "1ce9e6740529499f98d1f1d71329147a33df1d05e4765b539b11cf615d6974d3", - "curve: P256 vector: 19", ec_field_GFp }, + "curve: P256 vector: 19" }, { ECCurve_NIST_P256, 1, "b601ac425d5dbf9e1735c5e2d5bdb79ca98b3d5be4a2cfd6f2273f150e064d9d", "047c9e950841d26c8dde8994398b8f5d475a022bc63de7773fcf8d552e01f1ba0acc42b9885c9b3bee0f8d8c57d3a8f6355016c019c4062fa22cff2f209b5cc2e1", "04c188ffc8947f7301fb7b53e36746097c2134bf9cc981ba74b4e9c4361f595e4ebf7d2f2056e72421ef393f0c0f2b0e00130e3cac4abbcc00286168e85ec55051", "4690e3743c07d643f1bc183636ab2a9cb936a60a802113c49bb1b3f2d0661660", - "curve: P256 vector: 20", ec_field_GFp }, + "curve: P256 vector: 20" }, { ECCurve_NIST_P256, 1, "fefb1dda1845312b5fce6b81b2be205af2f3a274f5a212f66c0d9fc33d7ae535", "0438b54db85500cb20c61056edd3d88b6a9dc26780a047f213a6e1b900f76596eb6387e4e5781571e4eb8ae62991a33b5dc33301c5bc7e125d53794a39160d8fd0", "04317e1020ff53fccef18bf47bb7f2dd7707fb7b7a7578e04f35b3beed222a0eb609420ce5a19d77c6fe1ee587e6a49fbaf8f280e8df033d75403302e5a27db2ae", "30c2261bd0004e61feda2c16aa5e21ffa8d7e7f7dbf6ec379a43b48e4b36aeb0", - "curve: P256 vector: 21", ec_field_GFp }, + "curve: P256 vector: 21" }, { ECCurve_NIST_P256, 1, "334ae0c4693d23935a7e8e043ebbde21e168a7cba3fa507c9be41d7681e049ce", "043f2bf1589abf3047bf3e54ac9a95379bff95f8f55405f64eca36a7eebe8ffca75212a94e66c5ae9a8991872f66a72723d80ec5b2e925745c456f5371943b3a06", "0445fb02b2ceb9d7c79d9c2fa93e9c7967c2fa4df5789f9640b24264b1e524fcb15c6e8ecf1f7d3023893b7b1ca1e4d178972ee2a230757ddc564ffe37f5c5a321", "2adae4a138a239dcd93c243a3803c3e4cf96e37fe14e6a9b717be9599959b11c", - "curve: P256 vector: 22", ec_field_GFp }, + "curve: P256 vector: 22" }, { ECCurve_NIST_P256, 1, "2c4bde40214fcc3bfc47d4cf434b629acbe9157f8fd0282540331de7942cf09d", "0429c0807f10cbc42fb45c9989da50681eead716daa7b9e91fd32e062f5eb92ca0ff1d6d1955d7376b2da24fe1163a271659136341bc2eb1195fc706dc62e7f34d", "04a19ef7bff98ada781842fbfc51a47aff39b5935a1c7d9625c8d323d511c92de6e9c184df75c955e02e02e400ffe45f78f339e1afe6d056fb3245f4700ce606ef", "2e277ec30f5ea07d6ce513149b9479b96e07f4b6913b1b5c11305c1444a1bc0b", - "curve: P256 vector: 23", ec_field_GFp }, + "curve: P256 vector: 23" }, { ECCurve_NIST_P256, 1, "85a268f9d7772f990c36b42b0a331adc92b5941de0b862d5d89a347cbf8faab0", "049cf4b98581ca1779453cc816ff28b4100af56cf1bf2e5bc312d83b6b1b21d3337a5504fcac5231a0d12d658218284868229c844a04a3450d6c7381abe080bf3b", "04356c5a444c049a52fee0adeb7e5d82ae5aa83030bfff31bbf8ce2096cf161c4b57d128de8b2a57a094d1a001e572173f96e8866ae352bf29cddaf92fc85b2f92", "1e51373bd2c6044c129c436e742a55be2a668a85ae08441b6756445df5493857", - "curve: P256 vector: 24", ec_field_GFp }, + "curve: P256 vector: 24" }, { ECCurve_NIST_P384, 1, "3cc3122a68f0d95027ad38c067916ba0eb8c38894d22e1b15618b6818a661774ad463b205da88cf699ab4d43c9cf98a1", @@ -181,7 +181,7 @@ static ECDH_KAT ecdh_testvecs[] = { "04a7c76b970c3b5fe8b05d2838ae04ab47697b9eaf52e764592efda27fe7513272734466b400091adbf2d68c58e0c5006" "6ac68f19f2e1cb879aed43a9969b91a0839c4c38a49749b661efedf243451915ed0905a32b060992b468c64766fc8437a", "5f9d29dc5e31a163060356213669c8ce132e22f57c9a04f40ba7fcead493b457e5621e766c40a2e3d4d6a04b25e533f1", - "curve: P384 vector: 0", ec_field_GFp }, + "curve: P384 vector: 0" }, { ECCurve_NIST_P384, 1, "92860c21bde06165f8e900c687f8ef0a05d14f290b3f07d8b3a8cc6404366e5d5119cd6d03fb12dc58e89f13df9cd783", @@ -190,7 +190,7 @@ static ECDH_KAT ecdh_testvecs[] = { "0430f43fcf2b6b00de53f624f1543090681839717d53c7c955d1d69efaf0349b7363acb447240101cbb3af6641ce4b88e0" "25e46c0c54f0162a77efcc27b6ea792002ae2ba82714299c860857a68153ab62e525ec0530d81b5aa15897981e858757", "a23742a2c267d7425fda94b93f93bbcc24791ac51cd8fd501a238d40812f4cbfc59aac9520d758cf789c76300c69d2ff", - "curve: P384 vector: 1", ec_field_GFp }, + "curve: P384 vector: 1" }, { ECCurve_NIST_P384, 1, "12cf6a223a72352543830f3f18530d5cb37f26880a0b294482c8a8ef8afad09aa78b7dc2f2789a78c66af5d1cc553853", @@ -199,7 +199,7 @@ static ECDH_KAT ecdh_testvecs[] = { "041aefbfa2c6c8c855a1a216774550b79a24cda37607bb1f7cc906650ee4b3816d68f6a9c75da6e4242cebfb6652f65180" "419d28b723ebadb7658fcebb9ad9b7adea674f1da3dc6b6397b55da0f61a3eddacb4acdb14441cb214b04a0844c02fa3", "3d2e640f350805eed1ff43b40a72b2abed0a518bcebe8f2d15b111b6773223da3c3489121db173d414b5bd5ad7153435", - "curve: P384 vector: 2", ec_field_GFp }, + "curve: P384 vector: 2" }, { ECCurve_NIST_P384, 1, "8dd48063a3a058c334b5cc7a4ce07d02e5ee6d8f1f3c51a1600962cbab462690ae3cd974fb39e40b0e843daa0fd32de1", @@ -208,7 +208,7 @@ static ECDH_KAT ecdh_testvecs[] = { "048bc089326ec55b9cf59b34f0eb754d93596ca290fcb3444c83d4de3a5607037ec397683f8cef07eab2fe357eae36c44" "9d9d16ce8ac85b3f1e94568521aae534e67139e310ec72693526aa2e927b5b322c95a1a033c229cb6770c957cd3148dd7", "6a42cfc392aba0bfd3d17b7ccf062b91fc09bbf3417612d02a90bdde62ae40c54bb2e56e167d6b70db670097eb8db854", - "curve: P384 vector: 3", ec_field_GFp }, + "curve: P384 vector: 3" }, { ECCurve_NIST_P384, 1, "84ece6cc3429309bd5b23e959793ed2b111ec5cb43b6c18085fcaea9efa0685d98a6262ee0d330ee250bc8a67d0e733f", @@ -217,7 +217,7 @@ static ECDH_KAT ecdh_testvecs[] = { "04eb952e2d9ac0c20c6cc48fb225c2ad154f53c8750b003fd3b4ed8ed1dc0defac61bcdde02a2bcfee7067d75d342ed2b" "0f1828205baece82d1b267d0d7ff2f9c9e15b69a72df47058a97f3891005d1fb38858f5603de840e591dfa4f6e7d489e1", "ce7ba454d4412729a32bb833a2d1fd2ae612d4667c3a900e069214818613447df8c611de66da200db7c375cf913e4405", - "curve: P384 vector: 4", ec_field_GFp }, + "curve: P384 vector: 4" }, { ECCurve_NIST_P384, 1, "68fce2121dc3a1e37b10f1dde309f9e2e18fac47cd1770951451c3484cdb77cb136d00e731260597cc2859601c01a25b", @@ -226,7 +226,7 @@ static ECDH_KAT ecdh_testvecs[] = { "04441d029e244eb7168d647d4df50db5f4e4974ab3fdaf022aff058b3695d0b8c814cc88da6285dc6df1ac55c55388500" "3e8025ac23a41d4b1ea2aa46c50c6e479946b59b6d76497cd9249977e0bfe4a6262622f13d42a3c43d66bdbb30403c345", "ba69f0acdf3e1ca95caaac4ecaf475bbe51b54777efce01ca381f45370e486fe87f9f419b150c61e329a286d1aa265ec", - "curve: P384 vector: 5", ec_field_GFp }, + "curve: P384 vector: 5" }, { ECCurve_NIST_P384, 1, "b1764c54897e7aae6de9e7751f2f37de849291f88f0f91093155b858d1cc32a3a87980f706b86cc83f927bdfdbeae0bd", @@ -235,7 +235,7 @@ static ECDH_KAT ecdh_testvecs[] = { "043d4e6bf08a73404accc1629873468e4269e82d90d832e58ad72142639b5a056ad8d35c66c60e8149fac0c797bceb7c2" "f9b0308dc7f0e6d29f8c277acbc65a21e5adb83d11e6873bc0a07fda0997f482504602f59e10bc5cb476b83d0a4f75e71", "1a6688ee1d6e59865d8e3ada37781d36bb0c2717eef92e61964d3927cb765c2965ea80f7f63e58c322ba0397faeaf62b", - "curve: P384 vector: 6", ec_field_GFp }, + "curve: P384 vector: 6" }, { ECCurve_NIST_P384, 1, "f0f7a96e70d98fd5a30ad6406cf56eb5b72a510e9f192f50e1f84524dbf3d2439f7287bb36f5aa912a79deaab4adea82", @@ -244,7 +244,7 @@ static ECDH_KAT ecdh_testvecs[] = { "04f5f6bef1d110da03be0017eac760cc34b24d092f736f237bc7054b3865312a813bcb62d297fb10a4f7abf54708fe2d3d" "06fdf8d7dc032f4e10010bf19cbf6159321252ff415fb91920d438f24e67e60c2eb0463204679fa356af44cea9c9ebf5", "d06a568bf2336b90cbac325161be7695eacb2295f599500d787f072612aca313ee5d874f807ddef6c1f023fe2b6e7cd0", - "curve: P384 vector: 7", ec_field_GFp }, + "curve: P384 vector: 7" }, { ECCurve_NIST_P384, 1, "9efb87ddc61d43c482ba66e1b143aef678fbd0d1bebc2000941fabe677fe5b706bf78fce36d100b17cc787ead74bbca2", @@ -253,7 +253,7 @@ static ECDH_KAT ecdh_testvecs[] = { "047cdec77e0737ea37c67b89b7137fe38818010f4464438ee4d1d35a0c488cad3fde2f37d00885d36d3b795b9f93d23a6" "728c42ee8d6027c56cf979ba4c229fdb01d234944f8ac433650112c3cf0f02844e888a3569dfef7828a8a884589aa055e", "bb3b1eda9c6560d82ff5bee403339f1e80342338a991344853b56b24f109a4d94b92f654f0425edd4c205903d7586104", - "curve: P384 vector: 8", ec_field_GFp }, + "curve: P384 vector: 8" }, { ECCurve_NIST_P384, 1, "d787a57fde22ec656a0a525cf3c738b30d73af61e743ea90893ecb2d7b622add2f94ee25c2171467afb093f3f84d0018", @@ -262,7 +262,7 @@ static ECDH_KAT ecdh_testvecs[] = { "048eeea3a319c8df99fbc29cb55f243a720d95509515ee5cc587a5c5ae22fbbd009e626db3e911def0b99a4f7ae304b1b" "a73877dc94db9adddc0d9a4b24e8976c22d73c844370e1ee857f8d1b129a3bd5f63f40caf3bd0533e38a5f5777074ff9e", "1e97b60add7cb35c7403dd884c0a75795b7683fff8b49f9d8672a8206bfdcf0a106b8768f983258c74167422e44e4d14", - "curve: P384 vector: 9", ec_field_GFp }, + "curve: P384 vector: 9" }, { ECCurve_NIST_P384, 1, "83d70f7b164d9f4c227c767046b20eb34dfc778f5387e32e834b1e6daec20edb8ca5bb4192093f543b68e6aeb7ce788b", @@ -271,7 +271,7 @@ static ECDH_KAT ecdh_testvecs[] = { "04a721f6a2d4527411834b13d4d3a33c29beb83ab7682465c6cbaf6624aca6ea58c30eb0f29dd842886695400d7254f20f" "14ba6e26355109ad35129366d5e3a640ae798505a7fa55a96a36b5dad33de00474f6670f522214dd7952140ab0a7eb68", "1023478840e54775bfc69293a3cf97f5bc914726455c66538eb5623e218feef7df4befa23e09d77145ad577db32b41f9", - "curve: P384 vector: 10", ec_field_GFp }, + "curve: P384 vector: 10" }, { ECCurve_NIST_P384, 1, "8f558e05818b88ed383d5fca962e53413db1a0e4637eda194f761944cbea114ab9d5da175a7d57882550b0e432f395a9", @@ -280,7 +280,7 @@ static ECDH_KAT ecdh_testvecs[] = { "04d882a8505c2d5cb9b8851fc676677bb0087681ad53faceba1738286b45827561e7da37b880276c656cfc38b32ade847" "e34b314bdc134575654573cffaf40445da2e6aaf987f7e913cd4c3091523058984a25d8f21da8326192456c6a0fa5f60c", "6ad6b9dc8a6cf0d3691c501cbb967867f6e4bbb764b60dbff8fcff3ed42dbba39d63cf325b4b4078858495ddee75f954", - "curve: P384 vector: 11", ec_field_GFp }, + "curve: P384 vector: 11" }, { ECCurve_NIST_P384, 1, "0f5dee0affa7bbf239d5dff32987ebb7cf84fcceed643e1d3c62d0b3352aec23b6e5ac7fa4105c8cb26126ad2d1892cb", @@ -289,7 +289,7 @@ static ECDH_KAT ecdh_testvecs[] = { "04815c9d773dbf5fb6a1b86799966247f4006a23c92e68c55e9eaa998b17d8832dd4d84d927d831d4f68dac67c6488219f" "e79269948b2611484560fd490feec887cb55ef99a4b524880fa7499d6a07283aae2afa33feab97deca40bc606c4d8764", "cc9e063566d46b357b3fcae21827377331e5e290a36e60cd7c39102b828ae0b918dc5a02216b07fe6f1958d834e42437", - "curve: P384 vector: 12", ec_field_GFp }, + "curve: P384 vector: 12" }, { ECCurve_NIST_P384, 1, "037b633b5b8ba857c0fc85656868232e2febf59578718391b81da8541a00bfe53c30ae04151847f27499f8d7abad8cf4", @@ -298,7 +298,7 @@ static ECDH_KAT ecdh_testvecs[] = { "041c0eeda7a2be000c5bdcda0478aed4db733d2a9e341224379123ad847030f29e3b168fa18e89a3c0fba2a6ce1c28fc3" "bec8c1c83c118c4dbea94271869f2d868eb65e8b44e21e6f14b0f4d9b38c068daefa27114255b9a41d084cc4a1ad85456", "deff7f03bd09865baf945e73edff6d5122c03fb561db87dec8662e09bed4340b28a9efe118337bb7d3d4f7f568635ff9", - "curve: P384 vector: 13", ec_field_GFp }, + "curve: P384 vector: 13" }, { ECCurve_NIST_P384, 1, "e3d07106bedcc096e7d91630ffd3094df2c7859db8d7edbb2e37b4ac47f429a637d06a67d2fba33838764ef203464991", @@ -307,7 +307,7 @@ static ECDH_KAT ecdh_testvecs[] = { "04c95c185e256bf997f30b311548ae7f768a38dee43eeeef43083f3077be70e2bf39ac1d4daf360c514c8c6be623443d1" "a3e63a663eaf75d8a765ab2b9a35513d7933fa5e26420a5244550ec6c3b6f033b96db2aca3d6ac6aab052ce929595aea5", "c8b1038f735ad3bb3e4637c3e47eab487637911a6b7950a4e461948329d3923b969e5db663675623611a457fcda35a71", - "curve: P384 vector: 14", ec_field_GFp }, + "curve: P384 vector: 14" }, { ECCurve_NIST_P384, 1, "f3f9b0c65a49a506632c8a45b10f66b5316f9eeb06fae218f2da62333f99905117b141c760e8974efc4af10570635791", @@ -316,7 +316,7 @@ static ECDH_KAT ecdh_testvecs[] = { "043497238a7e6ad166df2dac039aa4dac8d17aa925e7c7631eb3b56e3aaa1c545fcd54d2e5985807910fb202b1fc191d2a" "a49e5c487dcc7aa40a8f234c979446040d9174e3ad357d404d7765183195aed3f913641b90c81a306ebf0d8913861316", "d337eaa32b9f716b8747b005b97a553c59dab0c51df41a2d49039cdae705aa75c7b9e7bc0b6a0e8c578c902bc4fff23e", - "curve: P384 vector: 15", ec_field_GFp }, + "curve: P384 vector: 15" }, { ECCurve_NIST_P384, 1, "59fce7fad7de28bac0230690c95710c720e528f9a4e54d3a6a8cd5fc5c5f21637031ce1c5b4e3d39647d8dcb9b794664", @@ -325,7 +325,7 @@ static ECDH_KAT ecdh_testvecs[] = { "0490a34737d45b1aa65f74e0bd0659bc118f8e4b774b761944ffa6573c6df4f41dec0d11b697abd934d390871d4b453240" "9b590719bb3307c149a7817be355d684893a307764b512eeffe07cb699edb5a6ffbf8d6032e6c79d5e93e94212c2aa4e", "32d292b695a4488e42a7b7922e1ae537d76a3d21a0b2e36875f60e9f6d3e8779c2afb3a413b9dd79ae18e70b47d337c1", - "curve: P384 vector: 16", ec_field_GFp }, + "curve: P384 vector: 16" }, { ECCurve_NIST_P384, 1, "3e49fbf950a424c5d80228dc4bc35e9f6c6c0c1d04440998da0a609a877575dbe437d6a5cedaa2ddd2a1a17fd112aded", @@ -334,7 +334,7 @@ static ECDH_KAT ecdh_testvecs[] = { "04dda546acfc8f903d11e2e3920669636d44b2068aeb66ff07aa266f0030e1535b0ed0203cb8a460ac990f1394faf22f1" "d15bbb2597913035faadf413476f4c70f7279769a40c986f470c427b4ee4962abdf8173bbad81874772925fd32f0b159f", "1220e7e6cad7b25df98e5bbdcc6c0b65ca6c2a50c5ff6c41dca71e475646fd489615979ca92fb4389aeadefde79a24f1", - "curve: P384 vector: 17", ec_field_GFp }, + "curve: P384 vector: 17" }, { ECCurve_NIST_P384, 1, "50ccc1f7076e92f4638e85f2db98e0b483e6e2204c92bdd440a6deea04e37a07c6e72791c190ad4e4e86e01efba84269", @@ -343,7 +343,7 @@ static ECDH_KAT ecdh_testvecs[] = { "04788be2336c52f4454d63ee944b1e49bfb619a08371048e6da92e584eae70bde1f171c4df378bd1f3c0ab03048a237802" "4673ebd8db604eaf41711748bab2968a23ca4476ce144e728247f08af752929157b5830f1e26067466bdfa8b65145a33", "793bb9cd22a93cf468faf804a38d12b78cb12189ec679ddd2e9aa21fa9a5a0b049ab16a23574fe04c1c3c02343b91beb", - "curve: P384 vector: 18", ec_field_GFp }, + "curve: P384 vector: 18" }, { ECCurve_NIST_P384, 1, "06f132b71f74d87bf99857e1e4350a594e5fe35533b888552ceccbc0d8923c902e36141d7691e28631b8bc9bafe5e064", @@ -352,7 +352,7 @@ static ECDH_KAT ecdh_testvecs[] = { "04d09bb822eb99e38060954747c82bb3278cf96bbf36fece3400f4c873838a40c135eb3babb9293bd1001bf3ecdee7bf2" "6d416db6e1b87bbb7427788a3b6c7a7ab2c165b1e366f9608df512037584f213a648d47f16ac326e19aae972f63fd76c9", "012d191cf7404a523678c6fc075de8285b243720a903047708bb33e501e0dbee5bcc40d7c3ef6c6da39ea24d830da1e8", - "curve: P384 vector: 19", ec_field_GFp }, + "curve: P384 vector: 19" }, { ECCurve_NIST_P384, 1, "12048ebb4331ec19a1e23f1a2c773b664ccfe90a28bfb846fc12f81dff44b7443c77647164bf1e9e67fd2c07a6766241", @@ -361,7 +361,7 @@ static ECDH_KAT ecdh_testvecs[] = { "0413741262ede5861dad71063dfd204b91ea1d3b7c631df68eb949969527d79a1dc59295ef7d2bca6743e8cd77b04d1" "b580baaeadc7e19d74a8a04451a135f1be1b02fe299f9dc00bfdf201e83d995c6950bcc1cb89d6f7b30bf54656b9a4da586", "ad0fd3ddffe8884b9263f3c15fe1f07f2a5a22ffdc7e967085eea45f0cd959f20f18f522763e28bcc925e496a52dda98", - "curve: P384 vector: 20", ec_field_GFp }, + "curve: P384 vector: 20" }, { ECCurve_NIST_P384, 1, "34d61a699ca576169fcdc0cc7e44e4e1221db0fe63d16850c8104029f7d48449714b9884328cae189978754ab460b486", @@ -370,7 +370,7 @@ static ECDH_KAT ecdh_testvecs[] = { "049e22cbc18657f516a864b37b783348b66f1aa9626cd631f4fa1bd32ad88cf11db52057c660860d39d11fbf024fabd44" "46b0d53c79681c28116df71e9cee74fd56c8b7f04b39f1198cc72284e98be9562e35926fb4f48a9fbecafe729309e8b6f", "dc4ca392dc15e20185f2c6a8ea5ec31dfc96f56153a47394b3072b13d0015f5d4ae13beb3bed54d65848f9b8383e6c95", - "curve: P384 vector: 21", ec_field_GFp }, + "curve: P384 vector: 21" }, { ECCurve_NIST_P384, 1, "dc60fa8736d702135ff16aab992bb88eac397f5972456c72ec447374d0d8ce61153831bfc86ad5a6eb5b60bfb96a862c", @@ -379,7 +379,7 @@ static ECDH_KAT ecdh_testvecs[] = { "042db5da5f940eaa884f4db5ec2139b0469f38e4e6fbbcc52df15c0f7cf7fcb1808c749764b6be85d2fdc5b16f58ad5d" "c022e8b02dcf33e1b5a083849545f84ad5e43f77cb71546dbbac0d11bdb2ee202e9d3872e8d028c08990746c5e1dde9989", "d765b208112d2b9ed5ad10c4046e2e3b0dbf57c469329519e239ac28b25c7d852bf757d5de0ee271cadd021d86cfd347", - "curve: P384 vector: 22", ec_field_GFp }, + "curve: P384 vector: 22" }, { ECCurve_NIST_P384, 1, "6fa6a1c704730987aa634b0516a826aba8c6d6411d3a4c89772d7a62610256a2e2f289f5c3440b0ec1e70fa339e251ce", @@ -388,7 +388,7 @@ static ECDH_KAT ecdh_testvecs[] = { "04329647baa354224eb4414829c5368c82d7893b39804e08cbb2180f459befc4b347a389a70c91a23bd9d30c83be5295d" "3cc8f61923fad2aa8e505d6cfa126b9fabd5af9dce290b75660ef06d1caa73681d06089c33bc4246b3aa30dbcd2435b12", "d3778850aeb58804fbe9dfe6f38b9fa8e20c2ca4e0dec335aafceca0333e3f2490b53c0c1a14a831ba37c4b9d74be0f2", - "curve: P384 vector: 23", ec_field_GFp }, + "curve: P384 vector: 23" }, { ECCurve_NIST_P384, 1, "74ad8386c1cb2ca0fcdeb31e0869bb3f48c036afe2ef110ca302bc8b910f621c9fcc54cec32bb89ec7caa84c7b8e54a8", @@ -397,7 +397,7 @@ static ECDH_KAT ecdh_testvecs[] = { "0429d8a36d22200a75b7aea1bb47cdfcb1b7fd66de967041434728ab5d533a060df732130600fe6f75852a871fb2938e3" "9e19b53db528395de897a45108967715eb8cb55c3fcbf23379372c0873a058d57544b102ecce722b2ccabb1a603774fd5", "81e1e71575bb4505498de097350186430a6242fa6c57b85a5f984a23371123d2d1424eefbf804258392bc723e4ef1e35", - "curve: P384 vector: 24", ec_field_GFp }, + "curve: P384 vector: 24" }, { ECCurve_NIST_P521, 1, "017eecc07ab4b329068fba65e56a1f8890aa935e57134ae0ffcce802735151f4eac6564f6ee9974c5e6887a1fefee5743" @@ -410,7 +410,7 @@ static ECDH_KAT ecdh_testvecs[] = { "a83bde99e0f6716939e632bc8986fa18dccd443a348b6c3e522497955a4f3c302f676", "005fc70477c3e63bc3954bd0df3ea0d1f41ee21746ed95fc5e1fdf90930d5e136672d72cc770742d1711c3c3a4c334a0ad9" "759436a4d3c5bf6e74b9578fac148c831", - "curve: P521 vector: 0", ec_field_GFp }, + "curve: P521 vector: 0" }, { ECCurve_NIST_P521, 1, "00816f19c1fb10ef94d4a1d81c156ec3d1de08b66761f03f06ee4bb9dcebbbfe1eaa1ed49a6a990838d8ed318c14d74cc" @@ -423,7 +423,7 @@ static ECDH_KAT ecdh_testvecs[] = { "7d4505d9b0a96b3bfac041e4c6a6990ae7f700e5b4a6640229112deafa0cd8bb0d089b0", "000b3920ac830ade812c8f96805da2236e002acbbf13596a9ab254d44d0e91b6255ebf1229f366fb5a05c5884ef46032c2" "6d42189273ca4efa4c3db6bd12a6853759", - "curve: P521 vector: 1", ec_field_GFp }, + "curve: P521 vector: 1" }, { ECCurve_NIST_P521, 1, "012f2e0c6d9e9d117ceb9723bced02eb3d4eebf5feeaf8ee0113ccd8057b13ddd416e0b74280c2d0ba8ed291c443bc1b14" @@ -436,7 +436,7 @@ static ECDH_KAT ecdh_testvecs[] = { "60272675a548996217e4ab2b8ebce31d71fca63fcc3c08e91c1d8edd91cf6fe845f8", "006b380a6e95679277cfee4e8353bf96ef2a1ebdd060749f2f046fe571053740bbcc9a0b55790bc9ab56c3208aa05ddf746" "a10a3ad694daae00d980d944aabc6a08f", - "curve: P521 vector: 2", ec_field_GFp }, + "curve: P521 vector: 2" }, { ECCurve_NIST_P521, 1, "00e548a79d8b05f923b9825d11b656f222e8cb98b0f89de1d317184dc5a698f7c71161ee7dc11cd31f4f4f8ae3a981e1a3e7" @@ -449,7 +449,7 @@ static ECDH_KAT ecdh_testvecs[] = { "3be831b915435905925b44947c592959945b4eb7c951c3b9c8cf52530ba23", "00fbbcd0b8d05331fef6086f22a6cce4d35724ab7a2f49dd8458d0bfd57a0b8b70f246c17c4468c076874b0dff7a0336823b19e" "98bf1cec05e4beffb0591f97713c6", - "curve: P521 vector: 3", ec_field_GFp }, + "curve: P521 vector: 3" }, { ECCurve_NIST_P521, 1, "01c8aae94bb10b8ca4f7be577b4fb32bb2381032c4942c24fc2d753e7cc5e47b483389d9f3b956d20ee9001b1eef9f23545f72" @@ -462,7 +462,7 @@ static ECDH_KAT ecdh_testvecs[] = { "aa4965fb622f42b7391e27e5ec21c5679c5b06b59127372997d421adc1e", "0145cfa38f25943516c96a5fd4bfebb2f645d10520117aa51971eff442808a23b4e23c187e639ff928c3725fbd1c0c2ad0d4aeb2" "07bc1a6fb6cb6d467888dc044b3c", - "curve: P521 vector: 4", ec_field_GFp }, + "curve: P521 vector: 4" }, { ECCurve_NIST_P521, 1, "009b0af137c9696c75b7e6df7b73156bb2d45f482e5a4217324f478b10ceb76af09724cf86afa316e7f89918d31d54824a5c33" @@ -475,7 +475,7 @@ static ECDH_KAT ecdh_testvecs[] = { "0fbeeb247cf6d3fba7a60697536ad03f49b80a9d1cb079673654977c5fa94", "005c5721e96c273319fd60ecc46b5962f698e974b429f28fe6962f4ac656be2eb8674c4aafc037eab48ece612953b1e8d86101" "6b6ad0c79805784c67f73ada96f351", - "curve: P521 vector: 5", ec_field_GFp }, + "curve: P521 vector: 5" }, { ECCurve_NIST_P521, 1, "01e48faacee6dec83ffcde944cf6bdf4ce4bae72747888ebafee455b1e91584971efb49127976a52f4142952f7c207ec0265f2b" @@ -488,7 +488,7 @@ static ECDH_KAT ecdh_testvecs[] = { "7b7e6a82091c2db874d8e7abf0f58064691344154f396dbaed188b6", "01736d9717429b4f412e903febe2f9e0fffd81355d6ce2c06ff3f66a3be15ceec6e65e308347593f00d7f33591da4043c30763d72" "749f72cdceebe825e4b34ecd570", - "curve: P521 vector: 6", ec_field_GFp }, + "curve: P521 vector: 6" }, { ECCurve_NIST_P521, 1, "00c29aa223ea8d64b4a1eda27f39d3bc98ea0148dd98c1cbe595f8fd2bfbde119c9e017a50f5d1fc121c08c1cef31b75885955" @@ -501,7 +501,7 @@ static ECDH_KAT ecdh_testvecs[] = { "c268ac1b6ec88bd71b7ba78e2c33c152e4bf7da5d565e4acbecf5e92c7ad662bb", "018f2ae9476c771726a77780208dedfefa205488996b18fecc50bfd4c132753f5766b2cd744afa9918606de2e016effc63622" "e9029e76dc6e3f0c69f7aeced565c2c", - "curve: P521 vector: 7", ec_field_GFp }, + "curve: P521 vector: 7" }, { ECCurve_NIST_P521, 1, "0028692be2bf5c4b48939846fb3d5bce74654bb2646e15f8389e23708a1afadf561511ea0d9957d0b53453819d60fba8f65a1" @@ -514,7 +514,7 @@ static ECDH_KAT ecdh_testvecs[] = { "4683f10fab84652dfe9e928c2626b5456453e1573ff60be1507467d431fbb2", "0105a346988b92ed8c7a25ce4d79d21bc86cfcc7f99c6cd19dbb4a39f48ab943b79e4f0647348da0b80bd864b85c6b8d92536" "d6aa544dc7537a00c858f8b66319e25", - "curve: P521 vector: 8", ec_field_GFp }, + "curve: P521 vector: 8" }, { ECCurve_NIST_P521, 1, "01194d1ee613f5366cbc44b504d21a0cf6715e209cd358f2dd5f3e71cc0d67d0e964168c42a084ebda746f9863a86bacffc81" @@ -527,7 +527,7 @@ static ECDH_KAT ecdh_testvecs[] = { "f074c4ccf2d634ae97b701956f67a11006c52d97197d92f585f5748bc2672eeb", "004531b3d2c6cd12f21604c8610e6723dbf4daf80b5a459d6ba5814397d1c1f7a21d7c114be964e27376aaebe3a7bc3d6af7" "a7f8c7befb611afe487ff032921f750f", - "curve: P521 vector: 9", ec_field_GFp }, + "curve: P521 vector: 9" }, { ECCurve_NIST_P521, 1, "01fd90e3e416e98aa3f2b6afa7f3bf368e451ad9ca5bd54b5b14aee2ed6723dde5181f5085b68169b09fbec721372ccf6b" @@ -540,7 +540,7 @@ static ECDH_KAT ecdh_testvecs[] = { "3c5cdb722893ffbb2027259d594de77438809738120c6f783934f926c3fb69b40c409", "0100c8935969077bae0ba89ef0df8161d975ec5870ac811ae7e65ca5394efba4f0633d41bf79ea5e5b9496bbd7aae000b05" "94baa82ef8f244e6984ae87ae1ed124b7", - "curve: P521 vector: 10", ec_field_GFp }, + "curve: P521 vector: 10" }, { ECCurve_NIST_P521, 1, "009012ecfdadc85ced630afea534cdc8e9d1ab8be5f3753dcf5f2b09b40eda66fc6858549bc36e6f8df55998cfa9a0703a" @@ -553,7 +553,7 @@ static ECDH_KAT ecdh_testvecs[] = { "e15327acaac1fa40424c395a6556cb8167312527fae5865ecffc14bbdc17da78cdcf", "017f36af19303841d13a389d95ec0b801c7f9a679a823146c75c17bc44256e9ad422a4f8b31f14647b2c7d317b933f7c294" "6c4b8abd1d56d620fab1b5ff1a3adc71f", - "curve: P521 vector: 11", ec_field_GFp }, + "curve: P521 vector: 11" }, { ECCurve_NIST_P521, 1, "01b5ff847f8eff20b88cfad42c06e58c3742f2f8f1fdfd64b539ba48c25926926bd5e332b45649c0b184f77255e9d58fe8" @@ -566,7 +566,7 @@ static ECDH_KAT ecdh_testvecs[] = { "c7b428d0e7f3f4d503e5d60c68cb49b13c2480cd486bed9200caddaddfe4ff8e3562", "00062f9fc29ae1a68b2ee0dcf956cbd38c88ae5f645eaa546b00ebe87a7260bf724be20d34b9d02076655c933d056b21e30" "4c24ddb1dedf1dd76de611fc4a2340336", - "curve: P521 vector: 12", ec_field_GFp }, + "curve: P521 vector: 12" }, { ECCurve_NIST_P521, 1, "011a6347d4e801c91923488354cc533e7e35fddf81ff0fb7f56bb0726e0c29ee5dcdc5f394ba54cf57269048aab6e055895c" @@ -579,7 +579,7 @@ static ECDH_KAT ecdh_testvecs[] = { "2f14c8cbf2a68f488ab35dcdf64056271dee1f606a440ba4bd4e5a11b8b8e54f", "0128ab09bfec5406799e610f772ba17e892249fa8e0e7b18a04b9197034b250b48294f1867fb9641518f92766066a07a8b917" "b0e76879e1011e51ccbd9f540c54d4f", - "curve: P521 vector: 13", ec_field_GFp }, + "curve: P521 vector: 13" }, { ECCurve_NIST_P521, 1, "0022b6d2a22d71dfaa811d2d9f9f31fbed27f2e1f3d239538ddf3e4cc8c39a330266db25b7bc0a9704f17bde7f3592bf5f1f2d" @@ -592,7 +592,7 @@ static ECDH_KAT ecdh_testvecs[] = { "60d93e5b43db8789f1ec0aba47286a39ea584235acea757dbf13d53b58364", "0101e462e9d9159968f6440e956f11dcf2227ae4aea81667122b6af9239a291eb5d6cf5a4087f358525fcacfa46bb2db01a75a" "f1ba519b2d31da33eda87a9d565748", - "curve: P521 vector: 14", ec_field_GFp }, + "curve: P521 vector: 14" }, { ECCurve_NIST_P521, 1, "005bacfff268acf6553c3c583b464ea36a1d35e2b257a5d49eb3419d5a095087c2fb4d15cf5bf5af816d0f3ff7586490ccd3ddc1" @@ -605,7 +605,7 @@ static ECDH_KAT ecdh_testvecs[] = { "016085e71552ff488c72b7339fefb7915c38459cb20ab85aec4e45052", "0141d6a4b719ab67eaf04a92c0a41e2dda78f4354fb90bdc35202cc7699b9b04d49616f82255debf7bbec045ae58f982a66905fc" "fae69d689785e38c868eb4a27e7b", - "curve: P521 vector: 15", ec_field_GFp }, + "curve: P521 vector: 15" }, { ECCurve_NIST_P521, 1, "008e2c93c5423876223a637cad367c8589da69a2d0fc68612f31923ae50219df2452e7cc92615b67f17b57ffd2f52b19154bb40" @@ -618,7 +618,7 @@ static ECDH_KAT ecdh_testvecs[] = { "15e5701d7ceee416291ff5fed85e687f727388b9afe26a4f6feed560b218e6bb", "00345e26e0abb1aac12b75f3a9cf41efe1c336396dffa4a067a4c2cfeb878c68b2b045faa4e5b4e6fa4678f5b603c351903b1" "4bf9a6a70c439257199a640890b61d1", - "curve: P521 vector: 16", ec_field_GFp }, + "curve: P521 vector: 16" }, { ECCurve_NIST_P521, 1, "0004d49d39d40d8111bf16d28c5936554326b197353eebbcf47545393bc8d3aaf98f14f5be7074bfb38e6cc97b989754074da" @@ -631,7 +631,7 @@ static ECDH_KAT ecdh_testvecs[] = { "c29f7d7fb0324debadc10bbb93de68f62c35069268283f5265865db57a79f7bf7", "006fe9de6fb8e672e7fd150fdc5e617fabb0d43906354ccfd224757c7276f7a1010091b17ed072074f8d10a5ec971eb35a5c" "b7076603b7bc38d432cbc059f80f9488", - "curve: P521 vector: 17", ec_field_GFp }, + "curve: P521 vector: 17" }, { ECCurve_NIST_P521, 1, "011a5d1cc79cd2bf73ea106f0e60a5ace220813b53e27b739864334a07c03367efda7a4619fa6eef3a9746492283b3c445610" @@ -644,7 +644,7 @@ static ECDH_KAT ecdh_testvecs[] = { "5561bbabaae372e9e67e6e1a3be60e19b470cdf673ec1fc393d3426e20", "01e4e759ecedce1013baf73e6fcc0b92451d03bdd50489b78871c333114990c9ba6a9b2fc7b1a2d9a1794c1b60d9279af6f" "146f0bbfb0683140403bfa4ccdb524a29", - "curve: P521 vector: 18", ec_field_GFp }, + "curve: P521 vector: 18" }, { ECCurve_NIST_P521, 1, "010c908caf1be74c616b625fc8c1f514446a6aec83b5937141d6afbb0a8c7666a7746fa1f7a6664a2123e8cdf6cd8bf836c5" @@ -657,7 +657,7 @@ static ECDH_KAT ecdh_testvecs[] = { "0a847c11a1ab3f1d12cc850c32e095614ca8f7e2721477b486e9ff40372977c3f65c", "0163c9191d651039a5fe985a0eea1eba018a40ab1937fcd2b61220820ee8f2302e9799f6edfc3f5174f369d672d377ea895" "4a8d0c8b851e81a56fda95212a6578f0e", - "curve: P521 vector: 19", ec_field_GFp }, + "curve: P521 vector: 19" }, { ECCurve_NIST_P521, 1, "01b37d6b7288de671360425d3e5ac1ccb21815079d8d73431e9b74a6f0e7ae004a357575b11ad66642ce8b775593eba9d98" @@ -670,7 +670,7 @@ static ECDH_KAT ecdh_testvecs[] = { "602380c86721e61db1830f51e139f210000bcec0d8edd39e54d73a9a129f95cd5fa979", "015d613e267a36342e0d125cdad643d80d97ed0600afb9e6b9545c9e64a98cc6da7c5aaa3a8da0bdd9dd3b97e9788218a8" "0abafc106ef065c8f1c4e1119ef58d298b", - "curve: P521 vector: 20", ec_field_GFp }, + "curve: P521 vector: 20" }, { ECCurve_NIST_P521, 1, "00f2661ac762f60c5fff23be5d969ccd4ec6f98e4e72618d12bdcdb9b4102162333788c0bae59f91cdfc172c7a1681ee44d9" @@ -683,7 +683,7 @@ static ECDH_KAT ecdh_testvecs[] = { "1069bde6387feb71587b8ffce5b266e1bae86de29378a34e5c74b6724c4d40a719923", "014d6082a3b5ced1ab8ca265a8106f302146c4acb8c30bb14a4c991e3c82a9731288bdb91e0e85bda313912d06384fc44" "f2153fb13506fa9cf43c9aab5750988c943", - "curve: P521 vector: 21", ec_field_GFp }, + "curve: P521 vector: 21" }, { ECCurve_NIST_P521, 1, "00f430ca1261f09681a9282e9e970a9234227b1d5e58d558c3cc6eff44d1bdf53de16ad5ee2b18b92d62fc79586116b0e" @@ -696,7 +696,7 @@ static ECDH_KAT ecdh_testvecs[] = { "c98e7ecdbf2b2a68e22928059f67db188007161d3ecf397e0883f0c4eb7eaf7827a62205cc", "0020c00747cb8d492fd497e0fec54644bf027d418ab686381f109712a99cabe328b9743d2225836f9ad66e5d7fed1de2" "47e0da92f60d5b31f9e47672e57f710598f4", - "curve: P521 vector: 22", ec_field_GFp }, + "curve: P521 vector: 22" }, { ECCurve_NIST_P521, 1, "005dc33aeda03c2eb233014ee468dff753b72f73b00991043ea353828ae69d4cd0fadeda7bb278b535d7c57406ff2e6e" @@ -709,7 +709,7 @@ static ECDH_KAT ecdh_testvecs[] = { "8a2232a0c2dbc4e8e1d09214bab38485be6e357c4200d073b52f04e4a16fc6f5247187aecb", "00c2bfafcd7fbd3e2fd1c750fdea61e70bd4787a7e68468c574ee99ebc47eedef064e8944a73bcb7913dbab5d93dca6" "60d216c553622362794f7a2acc71022bdb16f", - "curve: P521 vector: 23", ec_field_GFp }, + "curve: P521 vector: 23" }, { ECCurve_NIST_P521, 1, "00df14b1f1432a7b0fb053965fd8643afee26b2451ecb6a8a53a655d5fbe16e4c64ce8647225eb11e7fdcb23627471" @@ -722,9 +722,9 @@ static ECDH_KAT ecdh_testvecs[] = { "d387df67cde85003e0e427552f1cd09059aad0262e235cce5fba8cedc4fdc1463da76dcd4b6d1a46", "01aaf24e5d47e4080c18c55ea35581cd8da30f1a079565045d2008d51b12d0abb4411cda7a0785b15d149ed301a36" "97062f42da237aa7f07e0af3fd00eb1800d9c41", - "curve: P521 vector: 24", ec_field_GFp }, + "curve: P521 vector: 24" }, - { ECCurve_pastLastCurve, 0, NULL, NULL, NULL, NULL, NULL, 0 } + { ECCurve_pastLastCurve, 0, NULL, NULL, NULL, NULL, NULL } }; static ECDH_KAT nonnist_testvecs[] = { @@ -733,25 +733,25 @@ static ECDH_KAT nonnist_testvecs[] = { NULL, "e6db6867583030db3594c1a424b15f7c726624ec26b3353b10a903a6d0ab1c4c", "c3da55379de9c6908e94ea4df28d084f32eccf03491c71f754b4075577a28552", - "curve: 25519 vector: 0", ec_field_plain }, + "curve: 25519 vector: 0" }, { ECCurve25519, 1, "4b66e9d4d1b4673c5ad22691957d6af5c11b6421e0ea01d42ca4169e7918ba0d", NULL, "e5210f12786811d3f4b7959d0538ae2c31dbe7106fc03c3efc4cd549c715a493", "95cbde9476e8907d7aade45cb4b873f88b595a68799fa152e6f8f7647aac7957", - "curve: 25519 vector: 1", ec_field_plain }, + "curve: 25519 vector: 1" }, { ECCurve25519, 1, "0900000000000000000000000000000000000000000000000000000000000000", NULL, "0900000000000000000000000000000000000000000000000000000000000000", "422c8e7a6227d7bca1350b3e2bb7279f7897b87bb6854b783c60e80311ae3079", - "curve: 25519 vector: 2", ec_field_plain }, + "curve: 25519 vector: 2" }, { ECCurve25519, 1000, "0900000000000000000000000000000000000000000000000000000000000000", NULL, "0900000000000000000000000000000000000000000000000000000000000000", "684cf59ba83309552800ef566f2f4d3c1c3887c49360e3875f2eb94d99532c51", - "curve: 25519 vector: 1000 iterations", ec_field_plain }, + "curve: 25519 vector: 1000 iterations" }, #ifdef NSS_ENABLE_EXPENSIVE_TESTS /* This test is disabled by default because it takes a very long time * to run. */ @@ -760,59 +760,59 @@ static ECDH_KAT nonnist_testvecs[] = { NULL, "0900000000000000000000000000000000000000000000000000000000000000", "7c3911e0ab2586fd864497297e575e6f3bc601c0883c30df5f4dd2d24f665424", - "curve: 25519 vector: 1000000 iterations", ec_field_plain }, + "curve: 25519 vector: 1000000 iterations" }, #endif { ECCurve25519, 1, "174a56a75017c029e0861044d3c57c291823cf477ae6e21065cc121578bfa893", NULL, "7bd8396462a5788951caf3d3a28cb0904e4d081e62e6ac2d9da7152eb1310f30", "28c09f6be3666a6ab3bf8f5b03eec14e95505e32726ae887053ce6a2061a9656", - "curve: 25519 custom vector 1", ec_field_plain }, + "curve: 25519 custom vector 1" }, { ECCurve25519, 1, "577a2a7fcdacd4ccf7d7f81ba93ec83ae4bda32bec00ff7d59c294b69404f688", NULL, "a43b5491cbd9273abf694115f383fabe3bdc5f2baa30d2e00e43b6937a75cc5d", "4aed703c32552576ca0b30a3fab53242e1eea29ddec993219d3c2b3c3e59b735", - "curve: 25519 custom vector 1", ec_field_plain }, + "curve: 25519 custom vector 1" }, - { ECCurve_pastLastCurve, 0, NULL, NULL, NULL, NULL, NULL, 0 } + { ECCurve_pastLastCurve, 0, NULL, NULL, NULL, NULL, NULL } }; static ECDH_BAD nonnist_testvecs_bad_values[] = { - { ECCurve25519, "00", "curve: 25519 vector: 0 bad point", ec_field_plain }, + { ECCurve25519, "00", "curve: 25519 vector: 0 bad point" }, { ECCurve25519, "0100000000000000000000000000000000000000000000000000000000000000", - "curve: 25519 vector: 1 bad point", ec_field_plain }, + "curve: 25519 vector: 1 bad point" }, { ECCurve25519, "e0eb7a7c3b41b8ae1656e3faf19fc46ada098deb9c32b1fd866205165f49b8", - "curve: 25519 vector: 2 bad point", ec_field_plain }, + "curve: 25519 vector: 2 bad point" }, { ECCurve25519, "5f9c95bca3508c24b1d0b1559c83ef5b04445cc4581c8e86d8224eddd09f1157", - "curve: 25519 vector: 3 bad point", ec_field_plain }, + "curve: 25519 vector: 3 bad point" }, { ECCurve25519, "ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f", - "curve: 25519 vector: 4 bad point", ec_field_plain }, + "curve: 25519 vector: 4 bad point" }, { ECCurve25519, "edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f", - "curve: 25519 vector: 5 bad point", ec_field_plain }, + "curve: 25519 vector: 5 bad point" }, { ECCurve25519, "eeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f", - "curve: 25519 vector: 6 bad point", ec_field_plain }, + "curve: 25519 vector: 6 bad point" }, { ECCurve25519, "cdeb7a7c3b41b8ae1656e3faf19fc46ada098deb9c32b1fd866205165f49b880", - "curve: 25519 vector: 7 bad point", ec_field_plain }, + "curve: 25519 vector: 7 bad point" }, { ECCurve25519, "4c9c95bca3508c24b1d0b1559c83ef5b04445cc4581c8e86d8224eddd09f11d7", - "curve: 25519 vector: 8 bad point", ec_field_plain }, + "curve: 25519 vector: 8 bad point" }, { ECCurve25519, "d9ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", - "curve: 25519 vector: 9 bad point", ec_field_plain }, + "curve: 25519 vector: 9 bad point" }, { ECCurve25519, "daffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", - "curve: 25519 vector: 10 bad point", ec_field_plain }, + "curve: 25519 vector: 10 bad point" }, { ECCurve25519, "dbffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", - "curve: 25519 vector: 11 bad point", ec_field_plain }, + "curve: 25519 vector: 11 bad point" }, - { ECCurve_pastLastCurve, 0, NULL, 0 } + { ECCurve_pastLastCurve, 0, NULL } }; diff --git a/nss/cmd/lib/secutil.c b/nss/cmd/lib/secutil.c index 916dd8d..cb72576 100644 --- a/nss/cmd/lib/secutil.c +++ b/nss/cmd/lib/secutil.c @@ -1189,8 +1189,8 @@ const SEC_ASN1Template secuKDF2Params[] = { { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams) }, { SEC_ASN1_OCTET_STRING, offsetof(secuPBEParams, salt) }, { SEC_ASN1_INTEGER, offsetof(secuPBEParams, iterationCount) }, - { SEC_ASN1_INTEGER, offsetof(secuPBEParams, keyLength) }, - { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, kdfAlg), + { SEC_ASN1_INTEGER | SEC_ASN1_OPTIONAL, offsetof(secuPBEParams, keyLength) }, + { SEC_ASN1_INLINE | SEC_ASN1_XTRN | SEC_ASN1_OPTIONAL, offsetof(secuPBEParams, kdfAlg), SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, { 0 } }; @@ -1301,8 +1301,15 @@ secu_PrintKDF2Params(FILE *out, SECItem *value, char *m, int level) SECU_PrintAsHex(out, ¶m.salt, "Salt", level + 1); SECU_PrintInteger(out, ¶m.iterationCount, "Iteration Count", level + 1); - SECU_PrintInteger(out, ¶m.keyLength, "Key Length", level + 1); - SECU_PrintAlgorithmID(out, ¶m.kdfAlg, "KDF algorithm", level + 1); + if (param.keyLength.data != NULL) { + SECU_PrintInteger(out, ¶m.keyLength, "Key Length", level + 1); + } + if (param.kdfAlg.algorithm.data != NULL) { + SECU_PrintAlgorithmID(out, ¶m.kdfAlg, "KDF algorithm", level + 1); + } else { + SECU_Indent(out, level + 1); + fprintf(out, "Implicit KDF Algorithm: HMAC-SHA-1\n"); + } } PORT_FreeArena(pool, PR_FALSE); } diff --git a/nss/cmd/pk12util/pk12util.c b/nss/cmd/pk12util/pk12util.c index 9b88cf0..764942a 100644 --- a/nss/cmd/pk12util/pk12util.c +++ b/nss/cmd/pk12util/pk12util.c @@ -942,26 +942,16 @@ PKCS12U_MapHashFromString(char *hashString) } /* make sure it's a hashing oid */ if (HASH_GetHashTypeByOidTag(hashAlg) == HASH_AlgNULL) { - return SEC_OID_UNKNOWN; + /* allow HMAC here. HMAC implies PKCS 5 v2 pba */ + SECOidTag baseHashAlg = HASH_GetHashOidTagByHMACOidTag(hashAlg); + if (baseHashAlg == SEC_OID_UNKNOWN) { + /* not an hmac either, reject the entry */ + return SEC_OID_UNKNOWN; + } } return hashAlg; } -static void -p12u_EnableAllCiphers() -{ - SEC_PKCS12EnableCipher(PKCS12_RC4_40, 1); - SEC_PKCS12EnableCipher(PKCS12_RC4_128, 1); - SEC_PKCS12EnableCipher(PKCS12_RC2_CBC_40, 1); - SEC_PKCS12EnableCipher(PKCS12_RC2_CBC_128, 1); - SEC_PKCS12EnableCipher(PKCS12_DES_56, 1); - SEC_PKCS12EnableCipher(PKCS12_DES_EDE3_168, 1); - SEC_PKCS12EnableCipher(PKCS12_AES_CBC_128, 1); - SEC_PKCS12EnableCipher(PKCS12_AES_CBC_192, 1); - SEC_PKCS12EnableCipher(PKCS12_AES_CBC_256, 1); - SEC_PKCS12SetPreferredCipher(PKCS12_AES_CBC_256, 1); -} - static PRUintn P12U_Init(char *dir, char *dbprefix, PRBool listonly) { @@ -983,7 +973,8 @@ P12U_Init(char *dir, char *dbprefix, PRBool listonly) PORT_SetUCS2_ASCIIConversionFunction(p12u_ucs2_ascii_conversion_function); /* use the defaults for UCS4-UTF8 and UCS2-UTF8 */ - p12u_EnableAllCiphers(); + /* ciphers are already enabled by default, allow policy to work */ + /* p12u_EnableAllCiphers(); */ return 0; } @@ -1174,6 +1165,10 @@ main(int argc, char **argv) } } } + /* in FIPS mode default to encoding with pkcs5v2 for the MAC */ + if (PK11_IsFIPS()) { + hash = SEC_OID_HMAC_SHA256; + } if (pk12util.options[opt_Mac].activated) { char *hashString = pk12util.options[opt_Mac].arg; diff --git a/nss/cmd/smimetools/cmsutil.c b/nss/cmd/smimetools/cmsutil.c index 4343695..b139cf7 100644 --- a/nss/cmd/smimetools/cmsutil.c +++ b/nss/cmd/smimetools/cmsutil.c @@ -17,6 +17,7 @@ #include "nss.h" #include "smime.h" #include "pk11func.h" +#include "sechash.h" #if defined(XP_UNIX) #include <unistd.h> @@ -327,6 +328,15 @@ decode(FILE *out, SECItem *input, const struct decodeOptionsStr *decodeOptions) fprintf(stderr, "signer %d status = %s\n", j, svs); goto loser; } + /* if the signatures validate and we asked to keep + * the certs, save the profiles */ + if (decodeOptions->keepCerts) { + rv = NSS_SMIMESignerInfo_SaveSMIMEProfile(si); + if (rv != SECSuccess) { + SECU_PrintError(progName, "SMIME profile import failed"); + goto loser; + } + } } } break; case SEC_OID_PKCS7_ENVELOPED_DATA: { @@ -393,7 +403,7 @@ signed_data(struct signOptionsStr *signOptions) NSSCMSMessage *cmsg = NULL; NSSCMSContentInfo *cinfo; NSSCMSSignedData *sigd; - NSSCMSSignerInfo *signerinfo; + NSSCMSSignerInfo *signerinfo = NULL; CERTCertificate *cert = NULL, *ekpcert = NULL; if (cms_verbose) { @@ -589,6 +599,7 @@ signed_data(struct signOptionsStr *signOptions) fprintf(stderr, "ERROR: cannot add CMS signerInfo object.\n"); goto loser; } + signerinfo = NULL; /* sigd has adopted signerinfo */ if (cms_verbose) { fprintf(stderr, "created signed-data message\n"); } @@ -606,6 +617,9 @@ loser: if (cert) { CERT_DestroyCertificate(cert); } + if (signerinfo) { + NSS_CMSSignerInfo_Destroy(signerinfo); + } NSS_CMSMessage_Destroy(cmsg); return NULL; } @@ -1042,6 +1056,59 @@ doBatchDecode(FILE *outFile, PRFileDesc *batchFile, return exitStatus; } +/* legacy SHA2 table... + * cmsutil took hash values of SHA256, SHA244, etc., the the + * oid table has values of SHA-256, SHA-224. Use the follow + * table to handle the old values. NOTE: no need to add new + * hashes to this table, just use the actual oid table + * values */ +typedef struct LegacyHashNameStr { + char *name; + SECOidTag tag; +} LegacyHashName; + +LegacyHashName legacyHashNamesTable[] = { + { "SHA1", SEC_OID_SHA1 }, + { "SHA224", SEC_OID_SHA224 }, + { "SHA256", SEC_OID_SHA256 }, + { "SHA384", SEC_OID_SHA384 }, + { "SHA512", SEC_OID_SHA512 }, +}; +size_t legacyHashNamesTableSize = PR_ARRAY_SIZE(legacyHashNamesTable); + +SECOidTag +CMSU_FindTagFromString(const char *cipherString) +{ + SECOidTag tag; + SECOidData *oid; + size_t slen; + + /* future enhancement: accept dotted oid spec? */ + + for (tag = 1; (oid = SECOID_FindOIDByTag(tag)) != NULL; tag++) { + /* only interested in oids that we actually understand */ + if (oid->mechanism == CKM_INVALID_MECHANISM) { + continue; + } + if (PORT_Strcasecmp(oid->desc, cipherString) != 0) { + continue; + } + return tag; + } + slen = PORT_Strlen(cipherString); + if ((slen > 3) && (PORT_Strncasecmp(cipherString, "SHA", 3) == 0) && + (cipherString[3] != '-')) { + int i; + for (i = 0; i < legacyHashNamesTableSize; i++) { + if (PORT_Strcasecmp(legacyHashNamesTable[i].name, cipherString) == 0) { + return legacyHashNamesTable[i].tag; + } + } + /* not on any table, must be invalid */ + } + return SEC_OID_UNKNOWN; +} + int main(int argc, char **argv) { @@ -1075,6 +1142,8 @@ main(int argc, char **argv) PORT_Assert(ev); #endif + SECOID_Init(); + progName = strrchr(argv[0], '/'); if (!progName) progName = strrchr(argv[0], '\\'); @@ -1141,25 +1210,26 @@ main(int argc, char **argv) exit(1); } decodeOptions.suppressContent = PR_TRUE; - if (!strcmp(optstate->value, "MD2")) - signOptions.hashAlgTag = SEC_OID_MD2; - else if (!strcmp(optstate->value, "MD4")) - signOptions.hashAlgTag = SEC_OID_MD4; - else if (!strcmp(optstate->value, "MD5")) - signOptions.hashAlgTag = SEC_OID_MD5; - else if (!strcmp(optstate->value, "SHA1")) - signOptions.hashAlgTag = SEC_OID_SHA1; - else if (!strcmp(optstate->value, "SHA256")) - signOptions.hashAlgTag = SEC_OID_SHA256; - else if (!strcmp(optstate->value, "SHA384")) - signOptions.hashAlgTag = SEC_OID_SHA384; - else if (!strcmp(optstate->value, "SHA512")) - signOptions.hashAlgTag = SEC_OID_SHA512; - else { + /* lookup hash value from our oid table and make sure it's a hash + * using HASH_ functions */ + signOptions.hashAlgTag = CMSU_FindTagFromString(optstate->value); + if (HASH_GetHashTypeByOidTag(signOptions.hashAlgTag) == HASH_AlgNULL) { + char *comma = ""; + int i; + /* it wasn't, use the HASH_ functions to find the valid values + * and print it as an error */ fprintf(stderr, - "%s: -H requires one of MD2,MD4,MD5,SHA1,SHA256,SHA384,SHA512\n", - progName); - exit(1); + "%s: -H requires one of ", progName); + for (i = HASH_AlgNULL + 1; PR_TRUE; i++) { + SECOidTag hashTag = HASH_GetHashOidTagByHashType(i); + if (hashTag == SEC_OID_UNKNOWN) { + fprintf(stderr, "\n"); + exit(1); + } + fprintf(stderr, "%s%s", comma, SECOID_FindOIDTagDescription(hashTag)); + comma = ","; + } + /* NOT REACHED */ } break; case 'N': diff --git a/nss/doc/pk12util.xml b/nss/doc/pk12util.xml index ef1547d..184c880 100644 --- a/nss/doc/pk12util.xml +++ b/nss/doc/pk12util.xml @@ -115,7 +115,7 @@ <varlistentry> <term>-M hashAlg</term> - <listitem><para>Specify the hash algorithm used in the pkcs #12 mac. This algorithm also specifies the HMAC used in the prf when using pkcs #5 v2.</para></listitem> + <listitem><para>Specify the hash algorithm used in the pkcs #12 mac. If an hmac is specified, then the PKCS #12 mac is replaced by a PKCS #5 mac1 pbe. This algorithm also specifies the HMAC used in the prf when using pkcs #5 v2.</para></listitem> </varlistentry> diff --git a/nss/doc/rst/releases/index.rst b/nss/doc/rst/releases/index.rst index e0f3249..9ab138f 100644 --- a/nss/doc/rst/releases/index.rst +++ b/nss/doc/rst/releases/index.rst @@ -8,6 +8,7 @@ Releases :glob: :hidden: + nss_3_101.rst nss_3_100.rst nss_3_99.rst nss_3_98.rst @@ -65,24 +66,42 @@ Releases .. note:: - **NSS 3.100** is the latest version of NSS. - Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_100_release_notes` + **NSS 3.101** is the latest version of NSS. + Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_101_release_notes` **NSS 3.90.2 (ESR)** is the latest version of NSS. Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_90_2_release_notes` .. container:: - Changes in 3.100 included in this release: + Changes in 3.101 included in this release: - - Bug 1893029 - merge pk11_kyberSlotList into pk11_ecSlotList for faster Xyber operations. - - Bug 1893752 - remove ckcapi. - - Bug 1893162 - avoid a potential PK11GenericObject memory leak. - - Bug 671060 - Remove incomplete ESDH code. - - Bug 215997 - Decrypt RSA OAEP encrypted messages. - - Bug 1887996 - Fix certutil CRLDP URI code. - - Bug 1890069 - Don't set CKA_DERIVE for CKK_EC_EDWARDS private keys. - - Bug 676118: Add ability to encrypt and decrypt CMS messages using ECDH. - - Bug 676100 - Correct Templates for key agreement in smime/cmsasn.c. - - Bug 1548723 - Moving the decodedCert allocation to NSS. - - Bug 1885404 - Allow developers to speed up repeated local execution of NSS tests that depend on certificates.
\ No newline at end of file + - Bug 1900413 - add diagnostic assertions for SFTKObject refcount. + - Bug 1899759 - freeing the slot in DeleteCertAndKey if authentication failed + - Bug 1899883 - fix formatting issues. + - Bug 1889671 - Add Firmaprofesional CA Root-A Web to NSS. + - Bug 1899593 - remove invalid acvp fuzz test vectors. + - Bug 1898830 - pad short P-384 and P-521 signatures gtests. + - Bug 1898627 - remove unused FreeBL ECC code. r=rrelyea + - Bug 1898830 - pad short P-384 and P-521 signatures. + - Bug 1898825 - be less strict about ECDSA private key length. + - Bug 1854439 - Integrate HACL* P-521. + - Bug 1854438 - Integrate HACL* P-384. + - Bug 1898074 - memory leak in create_objects_from_handles. + - Bug 1898858 - ensure all input is consumed in a few places in mozilla::pkix + - Bug 1884444 - SMIME/CMS and PKCS #12 do not integrate with modern NSS policy + - Bug 1748105 - clean up escape handling + - Bug 1896353 - Use lib::pkix as default validator instead of the old-one + - Bug 1827444 - Need to add high level support for PQ signing. + - Bug 1548723 - Certificate Compression: changing the allocation/freeing of buffer + Improving the documentation + - Bug 1884444 - SMIME/CMS and PKCS #12 do not integrate with modern NSS policy + - Bug 1893404 - Allow for non-full length ecdsa signature when using softoken + - Bug 1830415 - Modification of .taskcluster.yml due to mozlint indent defects + - Bug 1793811 - Implement support for PBMAC1 in PKCS#12 + - Bug 1897487 - disable VLA warnings for fuzz builds. + - Bug 1895032 - remove redundant AllocItem implementation. + - Bug 1893334 - add PK11_ReadDistrustAfterAttribute. + - Bug 215997 - Clang-formatting of SEC_GetMgfTypeByOidTag update + - Bug 1895012 - Set SEC_ERROR_LIBRARY_FAILURE on self-test failure + - Bug 1894572 - sftk_getParameters(): Fix fallback to default variable after error with configfile. + - Bug 1830415 - Switch to the mozillareleases/image_builder image
\ No newline at end of file diff --git a/nss/doc/rst/releases/nss_3_101.rst b/nss/doc/rst/releases/nss_3_101.rst new file mode 100644 index 0000000..d067bff --- /dev/null +++ b/nss/doc/rst/releases/nss_3_101.rst @@ -0,0 +1,82 @@ +.. _mozilla_projects_nss_nss_3_101_release_notes: + +NSS 3.101 release notes +======================== + +`Introduction <#introduction>`__ +-------------------------------- + +.. container:: + + Network Security Services (NSS) 3.101 was released on *6 June 2024**. + +`Distribution Information <#distribution_information>`__ +-------------------------------------------------------- + +.. container:: + + The HG tag is NSS_3_101_RTM. NSS 3.101 requires NSPR 4.35 or newer. + + NSS 3.101 source distributions are available on ftp.mozilla.org for secure HTTPS download: + + - Source tarballs: + https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_101_RTM/src/ + + Other releases are available :ref:`mozilla_projects_nss_releases`. + +.. _changes_in_nss_3.101: + +`Changes in NSS 3.101 <#changes_in_nss_3.101>`__ +------------------------------------------------------------------ + +.. container:: + + - Bug 1900413 - add diagnostic assertions for SFTKObject refcount. + - Bug 1899759 - freeing the slot in DeleteCertAndKey if authentication failed + - Bug 1899883 - fix formatting issues. + - Bug 1889671 - Add Firmaprofesional CA Root-A Web to NSS. + - Bug 1899593 - remove invalid acvp fuzz test vectors. + - Bug 1898830 - pad short P-384 and P-521 signatures gtests. + - Bug 1898627 - remove unused FreeBL ECC code. r=rrelyea + - Bug 1898830 - pad short P-384 and P-521 signatures. + - Bug 1898825 - be less strict about ECDSA private key length. + - Bug 1854439 - Integrate HACL* P-521. + - Bug 1854438 - Integrate HACL* P-384. + - Bug 1898074 - memory leak in create_objects_from_handles. + - Bug 1898858 - ensure all input is consumed in a few places in mozilla::pkix + - Bug 1884444 - SMIME/CMS and PKCS #12 do not integrate with modern NSS policy + - Bug 1748105 - clean up escape handling + - Bug 1896353 - Use lib::pkix as default validator instead of the old-one + - Bug 1827444 - Need to add high level support for PQ signing. + - Bug 1548723 - Certificate Compression: changing the allocation/freeing of buffer + Improving the documentation + - Bug 1884444 - SMIME/CMS and PKCS #12 do not integrate with modern NSS policy + - Bug 1893404 - Allow for non-full length ecdsa signature when using softoken + - Bug 1830415 - Modification of .taskcluster.yml due to mozlint indent defects + - Bug 1793811 - Implement support for PBMAC1 in PKCS#12 + - Bug 1897487 - disable VLA warnings for fuzz builds. + - Bug 1895032 - remove redundant AllocItem implementation. + - Bug 1893334 - add PK11_ReadDistrustAfterAttribute. + - Bug 215997 - Clang-formatting of SEC_GetMgfTypeByOidTag update + - Bug 1895012 - Set SEC_ERROR_LIBRARY_FAILURE on self-test failure + - Bug 1894572 - sftk_getParameters(): Fix fallback to default variable after error with configfile. + - Bug 1830415 - Switch to the mozillareleases/image_builder image + +`Compatibility <#compatibility>`__ +---------------------------------- + +.. container:: + + NSS 3.101 shared libraries are backwards-compatible with all older NSS 3.x shared + libraries. A program linked with older NSS 3.x shared libraries will work with + this new version of the shared libraries without recompiling or + relinking. Furthermore, applications that restrict their use of NSS APIs to the + functions listed in NSS Public Functions will remain compatible with future + versions of the NSS shared libraries. + +`Feedback <#feedback>`__ +------------------------ + +.. container:: + + Bugs discovered should be reported by filing a bug report on + `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). diff --git a/nss/fuzz/fuzz.gyp b/nss/fuzz/fuzz.gyp index 46a114d..a57fa5f 100644 --- a/nss/fuzz/fuzz.gyp +++ b/nss/fuzz/fuzz.gyp @@ -9,6 +9,9 @@ 'variables': { 'debug_optimization_level': '2', }, + 'cflags_cc': [ + '-Wno-vla-extension', + ], 'target_conditions': [ [ '_type=="executable"', { 'libraries!': [ diff --git a/nss/gtests/mozpkix_gtest/pkixcheck_CheckIssuer_tests.cpp b/nss/gtests/mozpkix_gtest/pkixcheck_CheckIssuer_tests.cpp index bcc2c11..0513440 100644 --- a/nss/gtests/mozpkix_gtest/pkixcheck_CheckIssuer_tests.cpp +++ b/nss/gtests/mozpkix_gtest/pkixcheck_CheckIssuer_tests.cpp @@ -61,3 +61,31 @@ TEST_F(pkixcheck_CheckIssuer, EmptyIssuer) { ASSERT_EQ(Result::ERROR_EMPTY_ISSUER_NAME, CheckIssuer(EMPTY_NAME)); } + +TEST_F(pkixcheck_CheckIssuer, TrailingData) +{ + static const uint8_t validNameData[] = { + 0x30/*SEQUENCE*/, 0x02/*LENGTH=2*/, + 0x31, 0x00 // the contents of the sequence aren't validated + }; + static const Input validName(validNameData); + ASSERT_EQ(Success, CheckIssuer(validName)); + + static const uint8_t trailingDataData[] = { + 0x30/*SEQUENCE*/, 0x02/*LENGTH=2*/, + 0x31, 0x00, // the contents of the sequence aren't validated + 0x77 // trailing data is invalid + }; + static const Input trailingData(trailingDataData); + ASSERT_EQ(Result::ERROR_BAD_DER, CheckIssuer(trailingData)); +} + +TEST_F(pkixcheck_CheckIssuer, InvalidContents) +{ + static const uint8_t invalidContentsData[] = { + 0x31/*SET (should be SEQUENCE)*/, 0x02/*LENGTH=2*/, + 0x31, 0x00 + }; + static const Input invalidContents(invalidContentsData); + ASSERT_EQ(Result::ERROR_BAD_DER, CheckIssuer(invalidContents)); +} diff --git a/nss/gtests/mozpkix_gtest/pkixcheck_CheckKeyUsage_tests.cpp b/nss/gtests/mozpkix_gtest/pkixcheck_CheckKeyUsage_tests.cpp index b87f0a7..44e2810 100644 --- a/nss/gtests/mozpkix_gtest/pkixcheck_CheckKeyUsage_tests.cpp +++ b/nss/gtests/mozpkix_gtest/pkixcheck_CheckKeyUsage_tests.cpp @@ -282,3 +282,19 @@ TEST_F(pkixcheck_CheckKeyUsage, unusedBitNotZero) ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeCA, &twoValueBytes, KeyUsage::digitalSignature)); } + +TEST_F(pkixcheck_CheckKeyUsage, trailingData) +{ + static uint8_t keyUsageWithTrailingDataData[] = { + 0x03/*BIT STRING*/, 0x02/*LENGTH=2*/, 7/*unused bits*/, 0x80, + // The BIT STRING has already ended, but there's trailing data + 0xab, 0xba + }; + static const Input keyUsageWithTrailingDataBytes(keyUsageWithTrailingDataData); + ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, + &keyUsageWithTrailingDataBytes, + KeyUsage::digitalSignature)); + ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeCA, + &keyUsageWithTrailingDataBytes, + KeyUsage::digitalSignature)); +} diff --git a/nss/gtests/mozpkix_gtest/pkixcheck_TLSFeaturesSatisfiedInternal_tests.cpp b/nss/gtests/mozpkix_gtest/pkixcheck_TLSFeaturesSatisfiedInternal_tests.cpp index 155a753..fb957f7 100644 --- a/nss/gtests/mozpkix_gtest/pkixcheck_TLSFeaturesSatisfiedInternal_tests.cpp +++ b/nss/gtests/mozpkix_gtest/pkixcheck_TLSFeaturesSatisfiedInternal_tests.cpp @@ -71,6 +71,11 @@ static const uint8_t zeroByteInteger[] = { 0x30, 0x02, 0x02, 0x00 }; +static const uint8_t trailingData[] = { + 0x30, 0x03, 0x02, 0x01, 0x05, // statusRequest + 0xe5, 0xe5, 0xe5 // trailing data +}; + static const TLSFeaturesTestParams TLSFEATURESSATISFIED_TEST_PARAMS[] = { @@ -87,6 +92,8 @@ static const TLSFeaturesTestParams Result::ERROR_REQUIRED_TLS_FEATURE_MISSING }, { BS(zeroByteInteger), Result::ERROR_REQUIRED_TLS_FEATURE_MISSING, Result::ERROR_REQUIRED_TLS_FEATURE_MISSING }, + { BS(trailingData), Result::ERROR_BAD_DER, + Result::ERROR_REQUIRED_TLS_FEATURE_MISSING }, }; class pkixcheck_TLSFeaturesSatisfiedInternal diff --git a/nss/gtests/mozpkix_gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp b/nss/gtests/mozpkix_gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp index c7e8236..8292510 100644 --- a/nss/gtests/mozpkix_gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp +++ b/nss/gtests/mozpkix_gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp @@ -218,6 +218,7 @@ public: /*optional*/ const ByteString* certs = nullptr, /*optional*/ OCSPResponseExtension* singleExtensions = nullptr, /*optional*/ OCSPResponseExtension* responseExtensions = nullptr, + /*optional*/ const ByteString* trailingResponseData = nullptr, /*optional*/ DigestAlgorithm certIDHashAlgorithm = DigestAlgorithm::sha1, /*optional*/ ByteString certIDHashAlgorithmEncoded = ByteString()) { @@ -236,6 +237,7 @@ public: context.certs = certs; context.singleExtensions = singleExtensions; context.responseExtensions = responseExtensions; + context.trailingResponseData = trailingResponseData; context.certStatus = static_cast<uint8_t>(certStatus); context.thisUpdate = thisUpdate; @@ -430,17 +432,17 @@ TEST_F(pkixocsp_VerifyEncodedResponse_successful, check_validThrough) } } +// python DottedOIDToCode.py --tlv +// id_ocsp_singleExtensionSctList 1.3.6.1.4.1.11129.2.4.5 +static const uint8_t tlv_id_ocsp_singleExtensionSctList[] = { + 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, 0x04, 0x05 +}; +static const uint8_t dummySctList[] = { + 0x01, 0x02, 0x03, 0x04, 0x05 +}; + TEST_F(pkixocsp_VerifyEncodedResponse_successful, ct_extension) { - // python DottedOIDToCode.py --tlv - // id_ocsp_singleExtensionSctList 1.3.6.1.4.1.11129.2.4.5 - static const uint8_t tlv_id_ocsp_singleExtensionSctList[] = { - 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, 0x04, 0x05 - }; - static const uint8_t dummySctList[] = { - 0x01, 0x02, 0x03, 0x04, 0x05 - }; - OCSPResponseExtension ctExtension; ctExtension.id = BytesToByteString(tlv_id_ocsp_singleExtensionSctList); // SignedCertificateTimestampList structure is encoded as an OCTET STRING @@ -470,6 +472,35 @@ TEST_F(pkixocsp_VerifyEncodedResponse_successful, ct_extension) trustDomain.signedCertificateTimestamps); } +TEST_F(pkixocsp_VerifyEncodedResponse_successful, trailingResponseData) +{ + OCSPResponseExtension ctExtension; + ctExtension.id = BytesToByteString(tlv_id_ocsp_singleExtensionSctList); + // SignedCertificateTimestampList structure is encoded as an OCTET STRING + // within the extension value (see RFC 6962 section 3.3). + // pkix decodes it internally and returns the actual structure. + ctExtension.value = TLV(der::OCTET_STRING, BytesToByteString(dummySctList)); + ByteString trailingResponseData(3, 0x20); + ByteString responseString( + CreateEncodedOCSPSuccessfulResponse( + OCSPResponseContext::good, *endEntityCertID, byKey, + *rootKeyPair, oneDayBeforeNow, + oneDayBeforeNow, &oneDayAfterNow, + sha256WithRSAEncryption(), + /*certs*/ nullptr, + &ctExtension, + /*responseExtensions*/ nullptr, + &trailingResponseData)); + Input response; + ASSERT_EQ(Success, + response.Init(responseString.data(), responseString.length())); + bool expired; + ASSERT_EQ(Result::ERROR_OCSP_MALFORMED_RESPONSE, + VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, + Now(), END_ENTITY_MAX_LIFETIME_IN_DAYS, + response, expired)); +} + struct CertIDHashAlgorithm { DigestAlgorithm hashAlgorithm; @@ -519,6 +550,7 @@ TEST_P(pkixocsp_VerifyEncodedResponse_CertIDHashAlgorithm, CertIDHashAlgorithm) nullptr, nullptr, nullptr, + nullptr, GetParam().hashAlgorithm, GetParam().encodedHashAlgorithm)); Input response; diff --git a/nss/gtests/nss_bogo_shim/nss_bogo_shim.cc b/nss/gtests/nss_bogo_shim/nss_bogo_shim.cc index 8544605..6ed8894 100644 --- a/nss/gtests/nss_bogo_shim/nss_bogo_shim.cc +++ b/nss/gtests/nss_bogo_shim/nss_bogo_shim.cc @@ -649,30 +649,26 @@ class TestAgent { return SECSuccess; } - static SECStatus certCompressionShrinkDecode( - const SECItem* input, SECItem* output, - size_t expectedLenDecodedCertificate) { + static SECStatus certCompressionShrinkDecode(const SECItem* input, + unsigned char* output, + size_t outputLen, + size_t* usedLen) { if (input == NULL || input->data == NULL) { PR_SetError(SEC_ERROR_INVALID_ARGS, 0); return SECFailure; } - if (output == NULL || output->data == NULL || - output->len != input->len + 2) { + if (output == NULL || outputLen != input->len + 2) { return SECFailure; } - if (expectedLenDecodedCertificate != output->len) { - std::cerr << "Cannot decompress certificate message." << std::endl; - return SECFailure; - } - - output->data[0] = 0; - output->data[1] = 0; + output[0] = 0; + output[1] = 0; for (size_t i = 0; i < input->len; i++) { - output->data[i + 2] = input->data[i]; + output[i + 2] = input->data[i]; } + *usedLen = outputLen; return SECSuccess; } @@ -704,9 +700,10 @@ class TestAgent { return SECSuccess; } - static SECStatus certCompressionExpandDecode( - const SECItem* input, SECItem* output, - size_t expectedLenDecodedCertificate) { + static SECStatus certCompressionExpandDecode(const SECItem* input, + unsigned char* output, + size_t outputLen, + size_t* usedLen) { if (input == NULL || input->data == NULL) { PR_SetError(SEC_ERROR_INVALID_ARGS, 0); return SECFailure; @@ -718,8 +715,7 @@ class TestAgent { return SECFailure; } - if (output == NULL || output->data == NULL || - output->len != input->len - 4) { + if (output == NULL || outputLen != input->len - 4) { return SECFailure; } @@ -730,14 +726,11 @@ class TestAgent { return SECFailure; } - if (expectedLenDecodedCertificate != output->len) { - std::cerr << "Cannot decompress certificate message." << std::endl; - return SECFailure; + for (size_t i = 0; i < outputLen; i++) { + output[i] = input->data[i + 4]; } - for (size_t i = 0; i < output->len; i++) { - output->data[i] = input->data[i + 4]; - } + *usedLen = outputLen; return SECSuccess; } @@ -771,9 +764,10 @@ class TestAgent { return SECSuccess; } - static SECStatus certCompressionRandomDecode( - const SECItem* input, SECItem* output, - size_t expectedLenDecodedCertificate) { + static SECStatus certCompressionRandomDecode(const SECItem* input, + unsigned char* output, + size_t outputLen, + size_t* usedLen) { if (input == NULL || input->data == NULL) { PR_SetError(SEC_ERROR_INVALID_ARGS, 0); return SECFailure; @@ -785,19 +779,15 @@ class TestAgent { return SECFailure; } - if (output == NULL || output->data == NULL || - output->len != input->len - 1) { + if (output == NULL || outputLen != input->len - 1) { return SECFailure; } - if (expectedLenDecodedCertificate != output->len) { - std::cerr << "Cannot decompress certificate message." << std::endl; - return SECFailure; + for (size_t i = 0; i < outputLen; i++) { + output[i] = input->data[i + 1]; } - for (size_t i = 0; i < output->len; i++) { - output->data[i] = input->data[i + 1]; - } + *usedLen = outputLen; return SECSuccess; } diff --git a/nss/gtests/pk11_gtest/pk11_ecdsa_unittest.cc b/nss/gtests/pk11_gtest/pk11_ecdsa_unittest.cc index cf35958..22d2dc6 100644 --- a/nss/gtests/pk11_gtest/pk11_ecdsa_unittest.cc +++ b/nss/gtests/pk11_gtest/pk11_ecdsa_unittest.cc @@ -74,20 +74,45 @@ static const Pkcs11EcdsaTestParams kEcdsaVectors[] = { DataBuffer(kP256Data, sizeof(kP256Data)), DataBuffer(kP256Signature, sizeof(kP256Signature))}}, {SEC_OID_SHA256, - {DataBuffer(kP256Pkcs8ZeroPad, sizeof(kP256Pkcs8ZeroPad)), - DataBuffer(kP256SpkiZeroPad, sizeof(kP256SpkiZeroPad)), - DataBuffer(kP256DataZeroPad, sizeof(kP256DataZeroPad)), - DataBuffer(kP256SignatureZeroPad, sizeof(kP256SignatureZeroPad))}}, + {DataBuffer(kP256Pkcs8KeyLen30, sizeof(kP256Pkcs8KeyLen30)), + DataBuffer(kP256SpkiKeyLen, sizeof(kP256SpkiKeyLen)), + DataBuffer(kP256DataKeyLen, sizeof(kP256DataKeyLen)), + DataBuffer(kP256SignatureKeyLen, sizeof(kP256SignatureKeyLen))}}, + {SEC_OID_SHA256, + {DataBuffer(kP256Pkcs8KeyLen33, sizeof(kP256Pkcs8KeyLen33)), + DataBuffer(kP256SpkiKeyLen, sizeof(kP256SpkiKeyLen)), + DataBuffer(kP256DataKeyLen, sizeof(kP256DataKeyLen)), + DataBuffer(kP256SignatureKeyLen, sizeof(kP256SignatureKeyLen))}}, {SEC_OID_SHA384, {DataBuffer(kP384Pkcs8, sizeof(kP384Pkcs8)), DataBuffer(kP384Spki, sizeof(kP384Spki)), DataBuffer(kP384Data, sizeof(kP384Data)), DataBuffer(kP384Signature, sizeof(kP384Signature))}}, + {SEC_OID_SHA256, + {DataBuffer(kP384Pkcs8KeyLen46, sizeof(kP384Pkcs8KeyLen46)), + DataBuffer(kP384SpkiKeyLen, sizeof(kP384SpkiKeyLen)), + DataBuffer(kP384DataKeyLen, sizeof(kP384DataKeyLen)), + DataBuffer(kP384SignatureKeyLen, sizeof(kP384SignatureKeyLen))}}, + {SEC_OID_SHA256, + {DataBuffer(kP384Pkcs8KeyLen49, sizeof(kP384Pkcs8KeyLen49)), + DataBuffer(kP384SpkiKeyLen, sizeof(kP384SpkiKeyLen)), + DataBuffer(kP384DataKeyLen, sizeof(kP384DataKeyLen)), + DataBuffer(kP384SignatureKeyLen, sizeof(kP384SignatureKeyLen))}}, {SEC_OID_SHA512, {DataBuffer(kP521Pkcs8, sizeof(kP521Pkcs8)), DataBuffer(kP521Spki, sizeof(kP521Spki)), DataBuffer(kP521Data, sizeof(kP521Data)), - DataBuffer(kP521Signature, sizeof(kP521Signature))}}}; + DataBuffer(kP521Signature, sizeof(kP521Signature))}}, + {SEC_OID_SHA256, + {DataBuffer(kP521Pkcs8KeyLen64, sizeof(kP521Pkcs8KeyLen64)), + DataBuffer(kP521SpkiKeyLen, sizeof(kP521SpkiKeyLen)), + DataBuffer(kP521DataKeyLen, sizeof(kP521DataKeyLen)), + DataBuffer(kP521SignatureKeyLen, sizeof(kP521SignatureKeyLen))}}, + {SEC_OID_SHA256, + {DataBuffer(kP521Pkcs8KeyLen67, sizeof(kP521Pkcs8KeyLen67)), + DataBuffer(kP521SpkiKeyLen, sizeof(kP521SpkiKeyLen)), + DataBuffer(kP521DataKeyLen, sizeof(kP521DataKeyLen)), + DataBuffer(kP521SignatureKeyLen, sizeof(kP521SignatureKeyLen))}}}; INSTANTIATE_TEST_SUITE_P(EcdsaSignVerify, Pkcs11EcdsaTest, ::testing::ValuesIn(kEcdsaVectors)); @@ -326,4 +351,56 @@ INSTANTIATE_TEST_SUITE_P(Pkcs11EcdsaRoundtripTest, Pkcs11EcdsaRoundtripTest, SEC_OID_SECG_EC_SECP521R1, SEC_OID_CURVE25519)); +class Pkcs11EcdsaUnpaddedSignatureTest + : public Pkcs11EcdsaTestBase, + public ::testing::WithParamInterface<Pkcs11EcdsaTestParams> { + public: + Pkcs11EcdsaUnpaddedSignatureTest() + : Pkcs11EcdsaTestBase(GetParam().hash_oid_) {} +}; + +static const Pkcs11EcdsaTestParams kEcdsaUnpaddedSignaturesVectors[] = { + {SEC_OID_SHA512, + {DataBuffer(NULL, 0), + DataBuffer(kP256SpkiUnpaddedSig, sizeof(kP256SpkiUnpaddedSig)), + DataBuffer(kP256DataUnpaddedSigLong, sizeof(kP256DataUnpaddedSigLong)), + DataBuffer(kP256SignatureUnpaddedSigLong, + sizeof(kP256SignatureUnpaddedSigLong))}}, + {SEC_OID_SHA512, + {DataBuffer(NULL, 0), + DataBuffer(kP256SpkiUnpaddedSig, sizeof(kP256SpkiUnpaddedSig)), + DataBuffer(kP256DataUnpaddedSigShort, sizeof(kP256DataUnpaddedSigShort)), + DataBuffer(kP256SignatureUnpaddedSigShort, + sizeof(kP256SignatureUnpaddedSigShort))}}, + {SEC_OID_SHA512, + {DataBuffer(NULL, 0), + DataBuffer(kP384SpkiUnpaddedSig, sizeof(kP384SpkiUnpaddedSig)), + DataBuffer(kP384DataUnpaddedSigLong, sizeof(kP384DataUnpaddedSigLong)), + DataBuffer(kP384SignatureUnpaddedSigLong, + sizeof(kP384SignatureUnpaddedSigLong))}}, + {SEC_OID_SHA512, + {DataBuffer(NULL, 0), + DataBuffer(kP384SpkiUnpaddedSig, sizeof(kP384SpkiUnpaddedSig)), + DataBuffer(kP384DataUnpaddedSigShort, sizeof(kP384DataUnpaddedSigShort)), + DataBuffer(kP384SignatureUnpaddedSigShort, + sizeof(kP384SignatureUnpaddedSigShort))}}, + {SEC_OID_SHA512, + {DataBuffer(NULL, 0), + DataBuffer(kP521SpkiUnpaddedSig, sizeof(kP521SpkiUnpaddedSig)), + DataBuffer(kP521DataUnpaddedSigLong, sizeof(kP521DataUnpaddedSigLong)), + DataBuffer(kP521SignatureUnpaddedSigLong, + sizeof(kP521SignatureUnpaddedSigLong))}}, + {SEC_OID_SHA512, + {DataBuffer(NULL, 0), + DataBuffer(kP521SpkiUnpaddedSig, sizeof(kP521SpkiUnpaddedSig)), + DataBuffer(kP521DataUnpaddedSigShort, sizeof(kP521DataUnpaddedSigShort)), + DataBuffer(kP521SignatureUnpaddedSigShort, + sizeof(kP521SignatureUnpaddedSigShort))}}}; + +TEST_P(Pkcs11EcdsaUnpaddedSignatureTest, Verify) { + Verify(GetParam().sig_params_); +} +INSTANTIATE_TEST_SUITE_P(EcdsaVerifyUnpaddedSignatures, + Pkcs11EcdsaUnpaddedSignatureTest, + ::testing::ValuesIn(kEcdsaUnpaddedSignaturesVectors)); } // namespace nss_test diff --git a/nss/gtests/pk11_gtest/pk11_ecdsa_vectors.h b/nss/gtests/pk11_gtest/pk11_ecdsa_vectors.h index 9f625dd..6075c62 100644 --- a/nss/gtests/pk11_gtest/pk11_ecdsa_vectors.h +++ b/nss/gtests/pk11_gtest/pk11_ecdsa_vectors.h @@ -130,37 +130,197 @@ const uint8_t kP521Signature[] = { 0xd8, 0xb8, 0xc3, 0x7f, 0xf0, 0x77, 0x7b, 0x1a, 0x20, 0xf8, 0xcc, 0xb1, 0xdc, 0xcc, 0x43, 0x99, 0x7f, 0x1e, 0xe0, 0xe4, 0x4d, 0xa4, 0xa6, 0x7a}; -// ECDSA P256 test case with a leading zero in the private key -const uint8_t kP256Pkcs8ZeroPad[] = { - 0x30, 0x81, 0x87, 0x02, 0x01, 0x00, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, +// ECDSA P256 key of length 30 with leading zeros stripped. +const uint8_t kP256Pkcs8KeyLen30[] = { + 0x30, 0x81, 0x85, 0x02, 0x01, 0x00, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, - 0x03, 0x01, 0x07, 0x04, 0x6d, 0x30, 0x6b, 0x02, 0x01, 0x01, 0x04, 0x20, - 0x00, 0x16, 0x40, 0x71, 0x99, 0xe3, 0x07, 0xaa, 0xdc, 0x98, 0x0b, 0x21, - 0x62, 0xce, 0x66, 0x1f, 0xe4, 0x1a, 0x86, 0x9a, 0x23, 0x33, 0xf6, 0x72, - 0xb4, 0xa3, 0xdc, 0x3b, 0x50, 0xba, 0x20, 0xce, 0xa1, 0x44, 0x03, 0x42, - 0x00, 0x04, 0x53, 0x11, 0x9a, 0x86, 0xa0, 0xc2, 0x99, 0x4f, 0xa6, 0xf8, - 0x08, 0xf8, 0x61, 0x01, 0x0e, 0x6b, 0x04, 0x9c, 0xd8, 0x15, 0x63, 0x2e, - 0xd1, 0x38, 0x00, 0x10, 0xee, 0xe4, 0xc9, 0x11, 0xff, 0x05, 0xba, 0xd6, - 0xcd, 0x94, 0xea, 0x00, 0xec, 0x85, 0x26, 0x2c, 0xbd, 0x4d, 0x85, 0xbd, - 0x20, 0xce, 0xa5, 0xb1, 0x3f, 0x4d, 0x82, 0x9b, 0x9f, 0x28, 0x2e, 0xd3, - 0x8a, 0x87, 0x1f, 0x89, 0xf8, 0x02}; -const uint8_t kP256SpkiZeroPad[] = { + 0x03, 0x01, 0x07, 0x04, 0x6b, 0x30, 0x69, 0x02, 0x01, 0x01, 0x04, 0x1e, + 0x7d, 0x75, 0x44, 0xaa, 0x3b, 0x34, 0x5e, 0x0e, 0x70, 0x99, 0x02, 0xd0, + 0x2e, 0xed, 0x45, 0x98, 0x9f, 0x03, 0x37, 0x64, 0x03, 0xe4, 0x3a, 0x11, + 0x73, 0xe5, 0x52, 0x0f, 0x5b, 0xf4, 0xa1, 0x44, 0x03, 0x42, 0x00, 0x04, + 0x44, 0x4c, 0x75, 0xd3, 0xc9, 0x55, 0xdd, 0x5a, 0x3b, 0xa1, 0xfb, 0x91, + 0xff, 0x74, 0x5f, 0x10, 0x8b, 0xe9, 0xd0, 0xad, 0x92, 0xf7, 0xd7, 0x66, + 0x78, 0x63, 0xba, 0x9f, 0xca, 0x58, 0xcf, 0xd3, 0x94, 0x24, 0xb8, 0xf0, + 0x86, 0x52, 0x45, 0xcb, 0xbb, 0x9e, 0x83, 0x28, 0x83, 0x1f, 0x1d, 0x29, + 0x4b, 0xca, 0xe0, 0x8b, 0x8c, 0x61, 0x1c, 0x43, 0x61, 0xce, 0x93, 0xba, + 0x1c, 0x44, 0xf1, 0xb0}; + +// ECDSA P256 key of length 33 with an extra leading zero. +// Arithmetically equivalent to kP256Pkcs8KeyLen30. +const uint8_t kP256Pkcs8KeyLen33[] = { + 0x30, 0x81, 0x88, 0x02, 0x01, 0x00, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, + 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, + 0x03, 0x01, 0x07, 0x04, 0x6e, 0x30, 0x6c, 0x02, 0x01, 0x01, 0x04, 0x21, + 0x00, 0x00, 0x00, 0x7d, 0x75, 0x44, 0xaa, 0x3b, 0x34, 0x5e, 0x0e, 0x70, + 0x99, 0x02, 0xd0, 0x2e, 0xed, 0x45, 0x98, 0x9f, 0x03, 0x37, 0x64, 0x03, + 0xe4, 0x3a, 0x11, 0x73, 0xe5, 0x52, 0x0f, 0x5b, 0xf4, 0xa1, 0x44, 0x03, + 0x42, 0x00, 0x04, 0x44, 0x4c, 0x75, 0xd3, 0xc9, 0x55, 0xdd, 0x5a, 0x3b, + 0xa1, 0xfb, 0x91, 0xff, 0x74, 0x5f, 0x10, 0x8b, 0xe9, 0xd0, 0xad, 0x92, + 0xf7, 0xd7, 0x66, 0x78, 0x63, 0xba, 0x9f, 0xca, 0x58, 0xcf, 0xd3, 0x94, + 0x24, 0xb8, 0xf0, 0x86, 0x52, 0x45, 0xcb, 0xbb, 0x9e, 0x83, 0x28, 0x83, + 0x1f, 0x1d, 0x29, 0x4b, 0xca, 0xe0, 0x8b, 0x8c, 0x61, 0x1c, 0x43, 0x61, + 0xce, 0x93, 0xba, 0x1c, 0x44, 0xf1, 0xb0}; + +// SPKI for kP256Pkcs8KeyLen30 / kP256Pkcs8KeyLen33 +const uint8_t kP256SpkiKeyLen[] = { 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, - 0x42, 0x00, 0x04, 0x53, 0x11, 0x9a, 0x86, 0xa0, 0xc2, 0x99, 0x4f, 0xa6, - 0xf8, 0x08, 0xf8, 0x61, 0x01, 0x0e, 0x6b, 0x04, 0x9c, 0xd8, 0x15, 0x63, - 0x2e, 0xd1, 0x38, 0x00, 0x10, 0xee, 0xe4, 0xc9, 0x11, 0xff, 0x05, 0xba, - 0xd6, 0xcd, 0x94, 0xea, 0x00, 0xec, 0x85, 0x26, 0x2c, 0xbd, 0x4d, 0x85, - 0xbd, 0x20, 0xce, 0xa5, 0xb1, 0x3f, 0x4d, 0x82, 0x9b, 0x9f, 0x28, 0x2e, - 0xd3, 0x8a, 0x87, 0x1f, 0x89, 0xf8, 0x02}; -const uint8_t kP256DataZeroPad[] = {'s', 'a', 'm', 'p', 'l', 'e'}; -const uint8_t kP256SignatureZeroPad[] = { - 0xa6, 0xf4, 0xe4, 0xa8, 0x3f, 0x03, 0x59, 0x89, 0x60, 0x53, 0xe7, - 0xdc, 0xb5, 0xbe, 0x78, 0xaf, 0xc1, 0xca, 0xc0, 0x65, 0xba, 0xa4, - 0x3c, 0xf1, 0xe4, 0xae, 0xe3, 0xba, 0x22, 0x3d, 0xac, 0x9d, 0x6d, - 0x1b, 0x26, 0x00, 0xcf, 0x47, 0xa1, 0xe1, 0x04, 0x21, 0x8d, 0x0b, - 0xbb, 0x16, 0xfa, 0x3e, 0x59, 0x32, 0x01, 0xb0, 0x45, 0x3e, 0x27, - 0xa4, 0xc4, 0xfd, 0x31, 0xc9, 0x1a, 0x8e, 0x74, 0xd8}; + 0x42, 0x00, 0x04, 0x44, 0x4c, 0x75, 0xd3, 0xc9, 0x55, 0xdd, 0x5a, 0x3b, + 0xa1, 0xfb, 0x91, 0xff, 0x74, 0x5f, 0x10, 0x8b, 0xe9, 0xd0, 0xad, 0x92, + 0xf7, 0xd7, 0x66, 0x78, 0x63, 0xba, 0x9f, 0xca, 0x58, 0xcf, 0xd3, 0x94, + 0x24, 0xb8, 0xf0, 0x86, 0x52, 0x45, 0xcb, 0xbb, 0x9e, 0x83, 0x28, 0x83, + 0x1f, 0x1d, 0x29, 0x4b, 0xca, 0xe0, 0x8b, 0x8c, 0x61, 0x1c, 0x43, 0x61, + 0xce, 0x93, 0xba, 0x1c, 0x44, 0xf1, 0xb0}; + +// Signature from kP256Pkcs8KeyLen30 / kP256Pkcs8KeyLen33 +const uint8_t kP256DataKeyLen[] = {'s', 'a', 'm', 'p', 'l', 'e'}; +const uint8_t kP256SignatureKeyLen[] = { + 0x40, 0x5f, 0x6f, 0x44, 0xc0, 0x94, 0xf8, 0xfd, 0xa0, 0xac, 0xb7, + 0x25, 0x7b, 0x0e, 0x99, 0x33, 0x80, 0xfc, 0x5b, 0x37, 0xd6, 0xfa, + 0x42, 0xb9, 0xfb, 0xd1, 0xdd, 0x0c, 0xfa, 0x3d, 0x01, 0x88, 0x42, + 0x46, 0x28, 0x0c, 0xc9, 0x4f, 0xe7, 0x95, 0xd4, 0x88, 0x3b, 0x2f, + 0x58, 0x23, 0x15, 0x1e, 0x44, 0xca, 0xab, 0x0b, 0x61, 0x32, 0x76, + 0xe6, 0xab, 0x3e, 0xfd, 0x23, 0x86, 0xfd, 0xb6, 0x12, +}; + +// ECDSA P384 key of length 46 with leading zeros stripped. +const uint8_t kP384Pkcs8KeyLen46[] = { + 0x30, 0x81, 0xb4, 0x02, 0x01, 0x00, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, + 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22, + 0x04, 0x81, 0x9c, 0x30, 0x81, 0x99, 0x02, 0x01, 0x01, 0x04, 0x2e, 0x92, + 0x62, 0x5a, 0x47, 0x27, 0x34, 0xe3, 0x95, 0x93, 0x02, 0x44, 0xc0, 0x56, + 0x8a, 0x5c, 0xaa, 0x0f, 0x51, 0xd0, 0xf2, 0xc1, 0xb5, 0x4f, 0xfd, 0x59, + 0xbb, 0x6d, 0x7a, 0x81, 0x55, 0x55, 0xa0, 0xbb, 0x00, 0xcf, 0x4a, 0x3a, + 0xca, 0xa0, 0xb6, 0xb3, 0xe6, 0x95, 0xa5, 0x73, 0xdc, 0xa1, 0x64, 0x03, + 0x62, 0x00, 0x04, 0xb8, 0xcf, 0x04, 0xee, 0x4b, 0x18, 0xdf, 0xde, 0x02, + 0x23, 0xd4, 0x82, 0x1b, 0x18, 0x92, 0xf7, 0x4e, 0x60, 0x72, 0xb4, 0x75, + 0x47, 0x5c, 0xd2, 0x00, 0x87, 0x03, 0xfd, 0x6f, 0x89, 0x6f, 0x70, 0xea, + 0x2e, 0xd3, 0xfb, 0x91, 0x90, 0xcf, 0x23, 0x55, 0x7d, 0xf5, 0x2b, 0xfa, + 0x99, 0xd3, 0xb2, 0xbe, 0xb6, 0x48, 0x56, 0xe9, 0x7a, 0x59, 0xeb, 0x88, + 0x2f, 0x4c, 0x1b, 0x65, 0xdd, 0x2e, 0xeb, 0x67, 0xfe, 0xf7, 0x96, 0x95, + 0xa7, 0x19, 0xb4, 0x23, 0x12, 0xa0, 0xd6, 0xac, 0x2c, 0x0d, 0x66, 0x81, + 0x2c, 0xf4, 0x95, 0x99, 0x7c, 0x27, 0x4b, 0xbb, 0xfb, 0xd1, 0x4c, 0x26, + 0x57, 0xa7, 0xd4}; + +// ECDSA P384 key of length 49 with an extra leading zero. +// Arithmetically equivalent to kP384Pkcs8KeyLen46. +const uint8_t kP384Pkcs8KeyLen49[] = { + 0x30, 0x81, 0xb7, 0x02, 0x01, 0x00, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, + 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22, + 0x04, 0x81, 0x9f, 0x30, 0x81, 0x9c, 0x02, 0x01, 0x01, 0x04, 0x31, 0x00, + 0x00, 0x00, 0x92, 0x62, 0x5a, 0x47, 0x27, 0x34, 0xe3, 0x95, 0x93, 0x02, + 0x44, 0xc0, 0x56, 0x8a, 0x5c, 0xaa, 0x0f, 0x51, 0xd0, 0xf2, 0xc1, 0xb5, + 0x4f, 0xfd, 0x59, 0xbb, 0x6d, 0x7a, 0x81, 0x55, 0x55, 0xa0, 0xbb, 0x00, + 0xcf, 0x4a, 0x3a, 0xca, 0xa0, 0xb6, 0xb3, 0xe6, 0x95, 0xa5, 0x73, 0xdc, + 0xa1, 0x64, 0x03, 0x62, 0x00, 0x04, 0xb8, 0xcf, 0x04, 0xee, 0x4b, 0x18, + 0xdf, 0xde, 0x02, 0x23, 0xd4, 0x82, 0x1b, 0x18, 0x92, 0xf7, 0x4e, 0x60, + 0x72, 0xb4, 0x75, 0x47, 0x5c, 0xd2, 0x00, 0x87, 0x03, 0xfd, 0x6f, 0x89, + 0x6f, 0x70, 0xea, 0x2e, 0xd3, 0xfb, 0x91, 0x90, 0xcf, 0x23, 0x55, 0x7d, + 0xf5, 0x2b, 0xfa, 0x99, 0xd3, 0xb2, 0xbe, 0xb6, 0x48, 0x56, 0xe9, 0x7a, + 0x59, 0xeb, 0x88, 0x2f, 0x4c, 0x1b, 0x65, 0xdd, 0x2e, 0xeb, 0x67, 0xfe, + 0xf7, 0x96, 0x95, 0xa7, 0x19, 0xb4, 0x23, 0x12, 0xa0, 0xd6, 0xac, 0x2c, + 0x0d, 0x66, 0x81, 0x2c, 0xf4, 0x95, 0x99, 0x7c, 0x27, 0x4b, 0xbb, 0xfb, + 0xd1, 0x4c, 0x26, 0x57, 0xa7, 0xd4}; +const uint8_t kP384SpkiKeyLen[] = { + 0x30, 0x76, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, + 0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22, 0x03, 0x62, 0x00, 0x04, + 0xb8, 0xcf, 0x04, 0xee, 0x4b, 0x18, 0xdf, 0xde, 0x02, 0x23, 0xd4, 0x82, + 0x1b, 0x18, 0x92, 0xf7, 0x4e, 0x60, 0x72, 0xb4, 0x75, 0x47, 0x5c, 0xd2, + 0x00, 0x87, 0x03, 0xfd, 0x6f, 0x89, 0x6f, 0x70, 0xea, 0x2e, 0xd3, 0xfb, + 0x91, 0x90, 0xcf, 0x23, 0x55, 0x7d, 0xf5, 0x2b, 0xfa, 0x99, 0xd3, 0xb2, + 0xbe, 0xb6, 0x48, 0x56, 0xe9, 0x7a, 0x59, 0xeb, 0x88, 0x2f, 0x4c, 0x1b, + 0x65, 0xdd, 0x2e, 0xeb, 0x67, 0xfe, 0xf7, 0x96, 0x95, 0xa7, 0x19, 0xb4, + 0x23, 0x12, 0xa0, 0xd6, 0xac, 0x2c, 0x0d, 0x66, 0x81, 0x2c, 0xf4, 0x95, + 0x99, 0x7c, 0x27, 0x4b, 0xbb, 0xfb, 0xd1, 0x4c, 0x26, 0x57, 0xa7, 0xd4, +}; +const uint8_t kP384DataKeyLen[] = {'s', 'a', 'm', 'p', 'l', 'e'}; +const uint8_t kP384SignatureKeyLen[] = { + 0xd7, 0xb7, 0x2a, 0x78, 0x49, 0x7f, 0xe9, 0x27, 0x28, 0x2e, 0x4b, 0x84, + 0x38, 0x6c, 0xfa, 0x50, 0xcf, 0x81, 0x9b, 0x18, 0x10, 0xf6, 0x72, 0xb6, + 0xce, 0xe1, 0xf3, 0xab, 0xb0, 0x33, 0x93, 0xd8, 0x77, 0x51, 0xc7, 0x6c, + 0x31, 0xf4, 0x09, 0x5b, 0xeb, 0xe0, 0x05, 0xac, 0x9f, 0x8e, 0xc9, 0xb0, + 0xa5, 0xea, 0x0c, 0x85, 0xf3, 0x29, 0xb1, 0x0f, 0x08, 0xb1, 0x33, 0x06, + 0xf0, 0x89, 0xe4, 0x51, 0x54, 0xed, 0x98, 0xf3, 0x83, 0x05, 0xa6, 0xa5, + 0xd3, 0x1d, 0xef, 0xde, 0xab, 0x01, 0xea, 0x6e, 0x83, 0x31, 0xf1, 0x89, + 0xb1, 0x13, 0x55, 0x7d, 0x18, 0xbd, 0xf0, 0xee, 0x91, 0x01, 0x11, 0x21, +}; + +// ECDSA P521 key of length 64 with leading zeros stripped. +const uint8_t kP521Pkcs8KeyLen64[] = { + 0x30, 0x81, 0xec, 0x02, 0x01, 0x00, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, + 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x23, + 0x04, 0x81, 0xd4, 0x30, 0x81, 0xd1, 0x02, 0x01, 0x01, 0x04, 0x40, 0xcf, + 0x70, 0xc4, 0x84, 0x8c, 0x95, 0x94, 0x71, 0x19, 0x51, 0xf0, 0x1d, 0x72, + 0xae, 0xd4, 0xc8, 0x25, 0xb1, 0x63, 0x96, 0x93, 0xab, 0x9f, 0x5e, 0x1c, + 0xee, 0x2e, 0xd5, 0x98, 0x9d, 0x18, 0xe1, 0x1d, 0x10, 0x77, 0xbc, 0xfe, + 0x82, 0xcb, 0x8a, 0x47, 0x6c, 0x8d, 0x87, 0x9e, 0x42, 0x9a, 0x3e, 0x4a, + 0x95, 0x3b, 0x8c, 0x66, 0x7a, 0x17, 0x82, 0x17, 0x4f, 0x29, 0x56, 0x7b, + 0xa2, 0xba, 0x84, 0xa1, 0x81, 0x89, 0x03, 0x81, 0x86, 0x00, 0x04, 0x00, + 0x65, 0x92, 0x0a, 0xd7, 0xa2, 0x34, 0xad, 0xf7, 0x13, 0x8b, 0xee, 0x05, + 0x61, 0xb9, 0xb4, 0x8f, 0xd4, 0x45, 0x69, 0xd9, 0x32, 0x94, 0x2f, 0xec, + 0xff, 0xa6, 0x7a, 0xa9, 0x41, 0xa1, 0x82, 0x56, 0xd6, 0xe7, 0x3d, 0x65, + 0xb9, 0x5a, 0x8c, 0xaf, 0x10, 0x93, 0x69, 0xe8, 0xdf, 0xc3, 0xb6, 0x99, + 0x0d, 0xca, 0x75, 0xc8, 0x94, 0x68, 0x97, 0xed, 0x3e, 0xd1, 0x00, 0x24, + 0x36, 0x71, 0xee, 0x39, 0xa4, 0x00, 0xb1, 0x8b, 0x5d, 0xf4, 0xe5, 0x71, + 0x70, 0xec, 0x4f, 0x5d, 0x59, 0x03, 0x17, 0xbd, 0xa6, 0x23, 0x56, 0xcf, + 0xb1, 0x82, 0x65, 0x04, 0xd7, 0x1a, 0x5c, 0x9e, 0x03, 0x73, 0xc6, 0x04, + 0x2f, 0x68, 0xc8, 0xab, 0x61, 0x5a, 0x45, 0x93, 0x1c, 0xfe, 0x65, 0x75, + 0x0e, 0x38, 0x23, 0x74, 0xbe, 0xa9, 0x80, 0xfe, 0x1b, 0x95, 0x14, 0xdc, + 0x5e, 0xa0, 0xd8, 0x6e, 0x0c, 0x81, 0xc9, 0x6c, 0x20, 0x20, 0xc1}; +// ECDSA P521 key of length 67 with an extra leading zero. +// Arithmetically equivalent to kP521Pkcs8KeyLen64. +const uint8_t kP521Pkcs8KeyLen67[] = { + 0x30, 0x81, 0xef, 0x02, 0x01, 0x00, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, + 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x23, + 0x04, 0x81, 0xd7, 0x30, 0x81, 0xd4, 0x02, 0x01, 0x01, 0x04, 0x43, 0x00, + 0x00, 0x00, 0xcf, 0x70, 0xc4, 0x84, 0x8c, 0x95, 0x94, 0x71, 0x19, 0x51, + 0xf0, 0x1d, 0x72, 0xae, 0xd4, 0xc8, 0x25, 0xb1, 0x63, 0x96, 0x93, 0xab, + 0x9f, 0x5e, 0x1c, 0xee, 0x2e, 0xd5, 0x98, 0x9d, 0x18, 0xe1, 0x1d, 0x10, + 0x77, 0xbc, 0xfe, 0x82, 0xcb, 0x8a, 0x47, 0x6c, 0x8d, 0x87, 0x9e, 0x42, + 0x9a, 0x3e, 0x4a, 0x95, 0x3b, 0x8c, 0x66, 0x7a, 0x17, 0x82, 0x17, 0x4f, + 0x29, 0x56, 0x7b, 0xa2, 0xba, 0x84, 0xa1, 0x81, 0x89, 0x03, 0x81, 0x86, + 0x00, 0x04, 0x00, 0x65, 0x92, 0x0a, 0xd7, 0xa2, 0x34, 0xad, 0xf7, 0x13, + 0x8b, 0xee, 0x05, 0x61, 0xb9, 0xb4, 0x8f, 0xd4, 0x45, 0x69, 0xd9, 0x32, + 0x94, 0x2f, 0xec, 0xff, 0xa6, 0x7a, 0xa9, 0x41, 0xa1, 0x82, 0x56, 0xd6, + 0xe7, 0x3d, 0x65, 0xb9, 0x5a, 0x8c, 0xaf, 0x10, 0x93, 0x69, 0xe8, 0xdf, + 0xc3, 0xb6, 0x99, 0x0d, 0xca, 0x75, 0xc8, 0x94, 0x68, 0x97, 0xed, 0x3e, + 0xd1, 0x00, 0x24, 0x36, 0x71, 0xee, 0x39, 0xa4, 0x00, 0xb1, 0x8b, 0x5d, + 0xf4, 0xe5, 0x71, 0x70, 0xec, 0x4f, 0x5d, 0x59, 0x03, 0x17, 0xbd, 0xa6, + 0x23, 0x56, 0xcf, 0xb1, 0x82, 0x65, 0x04, 0xd7, 0x1a, 0x5c, 0x9e, 0x03, + 0x73, 0xc6, 0x04, 0x2f, 0x68, 0xc8, 0xab, 0x61, 0x5a, 0x45, 0x93, 0x1c, + 0xfe, 0x65, 0x75, 0x0e, 0x38, 0x23, 0x74, 0xbe, 0xa9, 0x80, 0xfe, 0x1b, + 0x95, 0x14, 0xdc, 0x5e, 0xa0, 0xd8, 0x6e, 0x0c, 0x81, 0xc9, 0x6c, 0x20, + 0x20, 0xc1}; +const uint8_t kP521SpkiKeyLen[] = { + 0x30, 0x81, 0x9b, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, + 0x02, 0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x23, 0x03, 0x81, 0x86, + 0x00, 0x04, 0x00, 0x65, 0x92, 0x0a, 0xd7, 0xa2, 0x34, 0xad, 0xf7, 0x13, + 0x8b, 0xee, 0x05, 0x61, 0xb9, 0xb4, 0x8f, 0xd4, 0x45, 0x69, 0xd9, 0x32, + 0x94, 0x2f, 0xec, 0xff, 0xa6, 0x7a, 0xa9, 0x41, 0xa1, 0x82, 0x56, 0xd6, + 0xe7, 0x3d, 0x65, 0xb9, 0x5a, 0x8c, 0xaf, 0x10, 0x93, 0x69, 0xe8, 0xdf, + 0xc3, 0xb6, 0x99, 0x0d, 0xca, 0x75, 0xc8, 0x94, 0x68, 0x97, 0xed, 0x3e, + 0xd1, 0x00, 0x24, 0x36, 0x71, 0xee, 0x39, 0xa4, 0x00, 0xb1, 0x8b, 0x5d, + 0xf4, 0xe5, 0x71, 0x70, 0xec, 0x4f, 0x5d, 0x59, 0x03, 0x17, 0xbd, 0xa6, + 0x23, 0x56, 0xcf, 0xb1, 0x82, 0x65, 0x04, 0xd7, 0x1a, 0x5c, 0x9e, 0x03, + 0x73, 0xc6, 0x04, 0x2f, 0x68, 0xc8, 0xab, 0x61, 0x5a, 0x45, 0x93, 0x1c, + 0xfe, 0x65, 0x75, 0x0e, 0x38, 0x23, 0x74, 0xbe, 0xa9, 0x80, 0xfe, 0x1b, + 0x95, 0x14, 0xdc, 0x5e, 0xa0, 0xd8, 0x6e, 0x0c, 0x81, 0xc9, 0x6c, 0x20, + 0x20, 0xc1, +}; +const uint8_t kP521DataKeyLen[] = {'s', 'a', 'm', 'p', 'l', 'e'}; +const uint8_t kP521SignatureKeyLen[] = { + 0x00, 0x9e, 0x46, 0x74, 0xb3, 0xba, 0x40, 0x54, 0x96, 0xf7, 0xbe, 0xe6, + 0x16, 0x1f, 0xb4, 0xd5, 0x35, 0x9b, 0xa7, 0xd3, 0x38, 0x80, 0x35, 0x81, + 0x7e, 0x9e, 0xcd, 0xf5, 0x2a, 0xa5, 0xe5, 0x4c, 0x6d, 0xde, 0x80, 0x39, + 0x28, 0x06, 0x07, 0x27, 0x91, 0x90, 0xb9, 0xd4, 0x7c, 0x18, 0x1e, 0x9a, + 0x8f, 0x9e, 0xe4, 0xc8, 0xcb, 0x54, 0x36, 0x68, 0xee, 0x81, 0xa4, 0xef, + 0x0b, 0x15, 0x7e, 0xc8, 0xc9, 0xbe, 0x01, 0x1a, 0x87, 0xaa, 0x50, 0xd0, + 0x08, 0xd9, 0xb8, 0x3a, 0xec, 0xa5, 0xd8, 0x7c, 0x69, 0x90, 0xc1, 0x03, + 0xeb, 0xe3, 0x1d, 0x3a, 0x76, 0x14, 0x82, 0xda, 0xd1, 0x1d, 0x36, 0x9d, + 0x3a, 0x46, 0x34, 0xe7, 0x64, 0x78, 0x53, 0xa3, 0x71, 0x2b, 0xa1, 0x99, + 0xe8, 0x9e, 0xe5, 0x45, 0x64, 0x1b, 0xc1, 0x04, 0x46, 0xe2, 0xd6, 0xf1, + 0xfc, 0x11, 0x85, 0xe2, 0x38, 0x6d, 0x36, 0x26, 0x31, 0x58, 0x9a, 0x9d, +}; // ECDSA test vectors, SPKI and PKCS#8 edge cases. const uint8_t kP256Pkcs8NoCurveOIDOrAlgorithmParams[] = { @@ -280,4 +440,110 @@ const uint8_t kP256SpkiPointNotOnCurve[] = { 0x28, 0xbc, 0x64, 0xf2, 0xf1, 0xb2, 0x0c, 0x2d, 0x7e, 0x9f, 0x51, 0x77, 0xa3, 0xc2, 0x94, 0x00, 0x33, 0x11, 0x77}; +const uint8_t kP521DataUnpaddedSigLong[] = {'W', 'T', 'F', '6', '0', + 'M', 'W', 'M', 'N', '3'}; +const uint8_t kP521DataUnpaddedSigShort[] = { + 'M', 'I', '6', '3', 'V', 'N', 'G', 'L', 'F', 'R', +}; +const uint8_t kP521SpkiUnpaddedSig[] = { + 0x30, 0x81, 0x9b, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, + 0x02, 0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x23, 0x03, 0x81, 0x86, + 0x00, 0x04, 0x01, 0xd2, 0x37, 0xeb, 0x78, 0xc7, 0x9b, 0x86, 0xff, 0x29, + 0x7b, 0x55, 0x4d, 0x11, 0xc7, 0x9c, 0x2d, 0xc1, 0x67, 0x9f, 0xad, 0x2a, + 0xa9, 0xb9, 0x51, 0x30, 0x6d, 0xde, 0x14, 0x16, 0xea, 0xb3, 0x9d, 0x18, + 0xfc, 0xf0, 0x38, 0x6e, 0x7f, 0xa6, 0x82, 0xb9, 0x19, 0x01, 0xaf, 0xe7, + 0xc3, 0xd8, 0xec, 0x9a, 0x62, 0x7b, 0xbf, 0x41, 0xc7, 0x86, 0x89, 0x52, + 0x76, 0x8e, 0x01, 0x97, 0x1b, 0x16, 0x97, 0x69, 0x01, 0x2d, 0x07, 0x88, + 0x6f, 0xe0, 0x17, 0xbe, 0x82, 0xc4, 0x12, 0xd6, 0x16, 0x72, 0xf8, 0x57, + 0x75, 0x5c, 0x69, 0x79, 0xd0, 0x11, 0x05, 0x96, 0x2f, 0xa4, 0x61, 0xcd, + 0x8f, 0x54, 0x95, 0x58, 0xbd, 0x7d, 0x71, 0x84, 0x63, 0x18, 0xb8, 0x5b, + 0xaa, 0x1b, 0xd2, 0xe9, 0x65, 0x63, 0x15, 0x34, 0x25, 0x35, 0x2f, 0x35, + 0x27, 0x3a, 0x84, 0x42, 0x7a, 0x42, 0x8e, 0xfd, 0x15, 0xbe, 0x0c, 0x0c, + 0xe2, 0x9f}; +const uint8_t kP521SignatureUnpaddedSigLong[] = { + 0x01, 0xa7, 0x3a, 0x14, 0x79, 0x77, 0x9e, 0x48, 0xb0, 0xff, 0xb5, 0xbe, + 0xfb, 0xfa, 0x7a, 0x84, 0x24, 0xb3, 0x5c, 0xf0, 0xfd, 0x77, 0x9d, 0xd4, + 0x66, 0x49, 0xfd, 0xbf, 0x04, 0xbf, 0xbb, 0x75, 0x22, 0xbb, 0x35, 0x42, + 0xdb, 0xe7, 0xed, 0x5a, 0x8f, 0x15, 0xf3, 0xa9, 0x0e, 0xb6, 0x5b, 0xde, + 0x23, 0x79, 0x47, 0xa7, 0x1d, 0x25, 0x24, 0x68, 0x63, 0xf6, 0x9c, 0x2e, + 0x21, 0xe0, 0x30, 0xfc, 0xd3, 0x65, 0x01, 0x12, 0x4e, 0xf0, 0xbb, 0x89, + 0xec, 0xec, 0x4f, 0xef, 0xbe, 0xdc, 0xd6, 0xac, 0xa4, 0x16, 0x68, 0x2b, + 0x78, 0xdf, 0x6c, 0x6e, 0xb8, 0xf4, 0x5b, 0x45, 0x1b, 0xdd, 0x84, 0x40, + 0x94, 0x07, 0xc7, 0xbc, 0xb6, 0x57, 0x92, 0xf1, 0x64, 0xb9, 0x2c, 0xcb, + 0x1d, 0xbe, 0x1c, 0x93, 0x78, 0x97, 0x8b, 0x84, 0x4e, 0x69, 0x6d, 0x0b, + 0xb0, 0x5f, 0xf1, 0x84, 0x18, 0x82, 0x8d, 0x55, 0xdf, 0x36, 0x43, 0x8a}; +const uint8_t kP521SignatureUnpaddedSigShort[] = { + 0x40, 0x12, 0xa7, 0x96, 0x5d, 0x77, 0xba, 0x8a, 0x90, 0x57, 0x52, 0x11, + 0xad, 0x72, 0x21, 0xd6, 0x6c, 0x73, 0x81, 0x43, 0x5d, 0x09, 0xe4, 0xde, + 0xee, 0xc2, 0xb5, 0x03, 0x1f, 0x0f, 0xd1, 0x6a, 0xfc, 0x26, 0x6d, 0x99, + 0x6d, 0x84, 0x32, 0x05, 0x56, 0x66, 0xe3, 0x6b, 0xf7, 0xf2, 0x04, 0xc9, + 0x44, 0x17, 0xaa, 0xbd, 0x24, 0xd8, 0x87, 0x4e, 0x53, 0x9d, 0x08, 0x65, + 0x91, 0x95, 0xeb, 0xeb, 0x92, 0x0b, 0xdb, 0x34, 0x80, 0xe8, 0x9f, 0x38, + 0x73, 0x00, 0x7c, 0xfc, 0x2b, 0xfa, 0xcf, 0xa6, 0x6c, 0x1c, 0xb0, 0x75, + 0x76, 0x01, 0x22, 0xe7, 0x3c, 0xd8, 0xc4, 0x1f, 0x5e, 0xde, 0x0b, 0x95, + 0x7a, 0x50, 0x2b, 0x8c, 0x87, 0xc4, 0x12, 0x8e, 0x00, 0x09, 0x29, 0x2c, + 0x21, 0xd1, 0x96, 0xa0, 0xf3, 0x0f, 0x54, 0xdb, 0x6a, 0xbb, 0x90, 0xf5, + 0x5c, 0x7a, 0x8d, 0x83, 0x9c, 0x39, 0x38, 0x58, 0x5a, 0x0e}; +const uint8_t kP384DataUnpaddedSigLong[] = {'L', 'T', 'N', '4', 'B', + 'P', 'X', 'Y', '5', 'N'}; +const uint8_t kP384DataUnpaddedSigShort[] = {'3', 'U', 'S', 'N', 'N', + 'U', '6', 'E', 'E', '0'}; +const uint8_t kP384SpkiUnpaddedSig[] = { + 0x30, 0x76, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, + 0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22, 0x03, 0x62, 0x00, 0x04, + 0x1e, 0x98, 0x4c, 0xcf, 0x05, 0xd4, 0x9b, 0x98, 0x11, 0xae, 0xa1, 0xaa, + 0x72, 0x27, 0xac, 0xde, 0x7f, 0xe8, 0x4d, 0xda, 0xaa, 0x67, 0x51, 0x2e, + 0x0b, 0x30, 0x31, 0xab, 0x05, 0xac, 0x95, 0xdf, 0x09, 0x96, 0xcf, 0xe3, + 0xf5, 0xfa, 0x30, 0xad, 0x43, 0x0b, 0xa5, 0x7e, 0xd7, 0xd1, 0xee, 0x4e, + 0x83, 0x53, 0xe3, 0x26, 0xeb, 0xc1, 0xc9, 0xe5, 0x35, 0x36, 0x1a, 0xbf, + 0xbf, 0x99, 0xd6, 0xe2, 0x14, 0x43, 0xcb, 0x54, 0xde, 0x06, 0xb5, 0x7d, + 0x27, 0xb7, 0xc2, 0x27, 0xaf, 0xb6, 0x12, 0x4f, 0x47, 0xa0, 0xdb, 0xb5, + 0x6e, 0x7b, 0x44, 0x0d, 0xc8, 0xbd, 0x13, 0x3c, 0x27, 0x7c, 0xf2, 0x3a}; +const uint8_t kP384SignatureUnpaddedSigLong[] = { + 0x19, 0x22, 0x21, 0x72, 0x8a, 0xa4, 0x22, 0x26, 0x75, 0x16, 0x9c, 0x58, + 0x93, 0xd8, 0x43, 0xac, 0x28, 0x78, 0xe7, 0xe2, 0xf2, 0x5d, 0xa6, 0x59, + 0x74, 0x6d, 0x55, 0x95, 0xe1, 0xa8, 0xc9, 0x18, 0x54, 0x5d, 0x03, 0xa0, + 0xb0, 0x90, 0xe9, 0xf1, 0xc5, 0xf6, 0x29, 0x1a, 0x50, 0x9d, 0xe3, 0xde, + 0x4a, 0x69, 0xdf, 0x1b, 0xe5, 0x53, 0xd7, 0xe8, 0xd4, 0xbf, 0x8c, 0xfc, + 0x07, 0x66, 0xbc, 0xa7, 0xb5, 0x47, 0x29, 0xbd, 0x15, 0x8c, 0x57, 0x6c, + 0xde, 0x37, 0x57, 0xa4, 0xd4, 0x61, 0x79, 0x92, 0x67, 0x25, 0x2e, 0xbc, + 0x8b, 0x88, 0x6a, 0xfa, 0xa5, 0x00, 0x19, 0x11, 0x64, 0x69, 0x7b, 0xf6}; +const uint8_t kP384SignatureUnpaddedSigShort[] = { + 0x69, 0xe6, 0xc2, 0xd0, 0xb0, 0x59, 0xca, 0x1f, 0x07, 0x4c, 0x90, 0x13, + 0x75, 0xe0, 0xc5, 0xb9, 0x38, 0xf2, 0xd8, 0x55, 0xf7, 0x08, 0xbd, 0x8e, + 0x61, 0xbd, 0x50, 0x7e, 0xb6, 0xb5, 0xea, 0xbc, 0xa4, 0xa0, 0x18, 0x9b, + 0x63, 0x6b, 0x8a, 0x91, 0x88, 0x39, 0x0a, 0xbe, 0x6a, 0xb6, 0x4b, 0xaf, + 0xcb, 0x31, 0x89, 0xcf, 0x43, 0x28, 0x4b, 0x04, 0x6a, 0xe0, 0x8d, 0xbc, + 0xbf, 0xa2, 0x45, 0xdf, 0x1c, 0x83, 0x82, 0x3e, 0x2b, 0xa3, 0xea, 0x50, + 0x80, 0xec, 0x31, 0x48, 0x20, 0x30, 0x75, 0x94, 0xd9, 0x08, 0x9f, 0x6f, + 0x53, 0x21, 0x6f, 0x72, 0x74, 0x0c, 0xc4, 0x21, 0x28, 0xc9}; + +const uint8_t kP256DataUnpaddedSigLong[] = {'J', '5', 'C', 'N', 'Q', + 'T', 'F', 'A', 'J', 'T'}; +const uint8_t kP256DataUnpaddedSigShort[] = {'K', 'O', 'S', '9', '4', + 'F', 'V', 'C', 'Y', 'C'}; +const uint8_t kP256SpkiUnpaddedSig[] = { + 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, + 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, + 0x42, 0x00, 0x04, 0x30, 0x40, 0x9d, 0x57, 0xdd, 0xd0, 0x70, 0x1d, 0x4b, + 0x40, 0x84, 0xd4, 0x7a, 0xc0, 0x30, 0x68, 0x33, 0xf1, 0x1d, 0x47, 0xaa, + 0x37, 0x4d, 0xe2, 0xc8, 0xce, 0xdc, 0x82, 0x1d, 0xf7, 0xcf, 0xdd, 0x9e, + 0xb6, 0x6c, 0x85, 0x87, 0x9d, 0x31, 0x79, 0x7e, 0xe4, 0xe9, 0xc7, 0x4f, + 0xd6, 0x07, 0x1d, 0x2f, 0x54, 0x82, 0x5d, 0x22, 0xbf, 0xbc, 0xf0, 0x75, + 0x01, 0x09, 0x43, 0xc6, 0x52, 0xcb, 0x45}; +const uint8_t kP256SignatureUnpaddedSigLong[] = { + 0xad, 0x6f, 0xcf, 0x41, 0xc1, 0x83, 0xe3, 0x6f, 0xe0, 0x2c, 0x9f, + 0x56, 0xa5, 0x17, 0x60, 0xbf, 0x80, 0x71, 0x18, 0x54, 0x1d, 0x82, + 0xdb, 0xe6, 0xc2, 0x4e, 0x60, 0x4a, 0xa6, 0x0c, 0xed, 0xcf, 0xe9, + 0xbf, 0xda, 0x11, 0xc2, 0x0a, 0x9c, 0x02, 0x5f, 0xb6, 0xa0, 0xb8, + 0xbc, 0xda, 0xbf, 0x80, 0xb4, 0xfb, 0x68, 0xab, 0xc8, 0xa8, 0x07, + 0xeb, 0x50, 0x5c, 0x8a, 0x47, 0xcf, 0x61, 0x91, 0x5f}; +const uint8_t kP256SignatureUnpaddedSigShort[] = { + 0x3d, 0x99, 0x94, 0xa9, 0x80, 0x12, 0x43, 0x27, 0xde, 0x78, 0x9e, + 0x61, 0xaf, 0x10, 0xee, 0xd2, 0x22, 0xc6, 0x6e, 0x1c, 0xdf, 0xe7, + 0x75, 0x28, 0x84, 0xae, 0xb8, 0xdb, 0x7b, 0xf1, 0x91, 0x86, 0x5b, + 0x5a, 0x28, 0x16, 0x15, 0xfe, 0xd9, 0x48, 0x33, 0x95, 0xa8, 0x8f, + 0x92, 0xbb, 0xe3, 0x9c, 0xca, 0x04, 0xef, 0x56, 0x48, 0x16, 0x73, + 0xa6, 0xb6, 0x6a, 0x38, 0xc9, 0x78, 0xc4}; + } // namespace nss_test diff --git a/nss/gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc b/nss/gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc index f05d763..eb620b0 100644 --- a/nss/gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc +++ b/nss/gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc @@ -239,6 +239,9 @@ TEST(RsaPkcs1Test, Pkcs1MinimumPadding) { SECItem hash_item = {siBuffer, toUcharPtr(hash.data()), static_cast<unsigned int>(hash.len())}; SECItem sig_item = {siBuffer, toUcharPtr(sig.data()), sig_len}; + /* don't let policy foil us */ + NSS_OptionSet(NSS_KEY_SIZE_POLICY_CLEAR_FLAGS, + NSS_KEY_SIZE_POLICY_VERIFY_FLAG); rv = VFY_VerifyDigestDirect(&hash_item, short_pub.get(), &sig_item, SEC_OID_PKCS1_RSA_ENCRYPTION, SEC_OID_SHA512, nullptr); diff --git a/nss/gtests/softoken_gtest/softoken_nssckbi_testlib_gtest.cc b/nss/gtests/softoken_gtest/softoken_nssckbi_testlib_gtest.cc index e7d6bc2..8c1c19d 100644 --- a/nss/gtests/softoken_gtest/softoken_nssckbi_testlib_gtest.cc +++ b/nss/gtests/softoken_gtest/softoken_nssckbi_testlib_gtest.cc @@ -64,6 +64,22 @@ TEST_F(SoftokenBuiltinsTest, CheckNoDistrustFields) { EXPECT_EQ(PR_FALSE, PK11_HasAttributeSet(cert->slot, cert->pkcs11ID, CKA_NSS_EMAIL_DISTRUST_AFTER, PR_FALSE)); + + SECStatus rv; + PRBool isDistrusted; + PRTime distrustAfter; + rv = PK11_ReadDistrustAfterAttribute(cert->slot, cert->pkcs11ID, + CKA_NSS_SERVER_DISTRUST_AFTER, + &isDistrusted, &distrustAfter); + EXPECT_EQ(SECSuccess, rv); + EXPECT_EQ(PR_FALSE, isDistrusted); + + rv = PK11_ReadDistrustAfterAttribute(cert->slot, cert->pkcs11ID, + CKA_NSS_EMAIL_DISTRUST_AFTER, + &isDistrusted, &distrustAfter); + EXPECT_EQ(SECSuccess, rv); + EXPECT_EQ(PR_FALSE, isDistrusted); + ASSERT_FALSE(cert->distrust); } @@ -95,6 +111,23 @@ TEST_F(SoftokenBuiltinsTest, CheckOkDistrustFields) { EXPECT_TRUE(!memcmp(kExpectedDERValueEmail, cert->distrust->emailDistrustAfter.data, kDistrustFieldSize)); + + SECStatus rv; + PRBool isDistrusted; + PRTime distrustAfter; + rv = PK11_ReadDistrustAfterAttribute(cert->slot, cert->pkcs11ID, + CKA_NSS_SERVER_DISTRUST_AFTER, + &isDistrusted, &distrustAfter); + EXPECT_EQ(SECSuccess, rv); + EXPECT_EQ(PR_TRUE, isDistrusted); + EXPECT_EQ(1592352000000000, distrustAfter); + + rv = PK11_ReadDistrustAfterAttribute(cert->slot, cert->pkcs11ID, + CKA_NSS_EMAIL_DISTRUST_AFTER, + &isDistrusted, &distrustAfter); + EXPECT_EQ(SECSuccess, rv); + EXPECT_EQ(PR_TRUE, isDistrusted); + EXPECT_EQ(1192352000000000, distrustAfter); } TEST_F(SoftokenBuiltinsTest, CheckInvalidDistrustFields) { @@ -119,6 +152,19 @@ TEST_F(SoftokenBuiltinsTest, CheckInvalidDistrustFields) { PK11_HasAttributeSet(cert->slot, cert->pkcs11ID, CKA_NSS_EMAIL_DISTRUST_AFTER, PR_FALSE)); ASSERT_FALSE(cert->distrust); + + SECStatus rv; + PRBool isDistrusted; + PRTime distrustAfter; + rv = PK11_ReadDistrustAfterAttribute(cert->slot, cert->pkcs11ID, + CKA_NSS_SERVER_DISTRUST_AFTER, + &isDistrusted, &distrustAfter); + EXPECT_EQ(SECFailure, rv); + + rv = PK11_ReadDistrustAfterAttribute(cert->slot, cert->pkcs11ID, + CKA_NSS_EMAIL_DISTRUST_AFTER, + &isDistrusted, &distrustAfter); + EXPECT_EQ(SECFailure, rv); } } // namespace nss_test diff --git a/nss/gtests/ssl_gtest/ssl_certificate_compression_unittest.cc b/nss/gtests/ssl_gtest/ssl_certificate_compression_unittest.cc index 44c6a7e..5a03733 100644 --- a/nss/gtests/ssl_gtest/ssl_certificate_compression_unittest.cc +++ b/nss/gtests/ssl_gtest/ssl_certificate_compression_unittest.cc @@ -229,13 +229,19 @@ static SECStatus SimpleXorCertCompEncode(const SECItem* input, } /* Test decoding function. */ -static SECStatus SimpleXorCertCompDecode(const SECItem* input, SECItem* output, - size_t expectedLenDecodedCertificate) { - PORT_Memcpy(output->data, input->data, input->len); - for (size_t i = 0; i < output->len; i++) { - output->data[i] ^= 0x55; +static SECStatus SimpleXorCertCompDecode(const SECItem* input, uint8_t* output, + size_t outputLen, + size_t* receivedOutputLen) { + if (input->len != outputLen) { + return SECFailure; } + PORT_Memcpy(output, input->data, input->len); + for (size_t i = 0; i < outputLen; i++) { + output[i] ^= 0x55; + } + *receivedOutputLen = outputLen; + return SECSuccess; } @@ -249,13 +255,19 @@ static SECStatus SimpleXorWithDifferentValueEncode(const SECItem* input, } /* Test decoding function. */ -static SECStatus SimpleXorWithDifferentValueDecode( - const SECItem* input, SECItem* output, - size_t expectedLenDecodedCertificate) { - PORT_Memcpy(output->data, input->data, input->len); - for (size_t i = 0; i < output->len; i++) { - output->data[i] ^= 0x77; +static SECStatus SimpleXorWithDifferentValueDecode(const SECItem* input, + uint8_t* output, + size_t outputLen, + size_t* receivedOutputLen) { + if (input->len != outputLen) { + return SECFailure; + } + + PORT_Memcpy(output, input->data, input->len); + for (size_t i = 0; i < outputLen; i++) { + output[i] ^= 0x77; } + *receivedOutputLen = outputLen; return SECSuccess; } @@ -1235,8 +1247,8 @@ static SECStatus SimpleXorCertCompEncode_always_error(const SECItem* input, /* Test decoding function. Returns error unconditionally. */ static SECStatus SimpleXorCertCompDecode_always_error( - const SECItem* input, SECItem* output, - size_t expectedLenDecodedCertificate) { + const SECItem* input, uint8_t* output, size_t outputLen, + size_t* receivedOutputLen) { return SECFailure; } @@ -1293,6 +1305,48 @@ TEST_F(TlsConnectStreamTls13, CertificateCompression_CertificateCannotDecode) { client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CERTIFICATE); } +/* Decoding function returning unexpected decoded certificate length. */ +static SECStatus WrongUsedLenCertCompDecode(const SECItem* input, + uint8_t* output, size_t outputLen, + size_t* receivedOutputLen) { + if (input->len != outputLen) { + return SECFailure; + } + + PORT_Memcpy(output, input->data, input->len); + *receivedOutputLen = outputLen - 1; + + return SECSuccess; +} + +TEST_F(TlsConnectStreamTls13, + CertificateCompression_WrongDecodedCertificateLength) { + EnsureTlsSetup(); + + SSLCertificateCompressionAlgorithm t = {0xff01, "test function", + SimpleXorCertCompEncode, + WrongUsedLenCertCompDecode}; + + EXPECT_EQ(SECSuccess, + SSLExp_SetCertificateCompressionAlgorithm(server_->ssl_fd(), t)); + EXPECT_EQ(SECSuccess, + SSLExp_SetCertificateCompressionAlgorithm(client_->ssl_fd(), t)); + + ExpectAlert(client_, kTlsAlertBadCertificate); + StartConnect(); + + client_->SetServerKeyBits(server_->server_key_bits()); + client_->Handshake(); + server_->Handshake(); + + ASSERT_TRUE_WAIT(client_->state() != TlsAgent::STATE_CONNECTING, 5000); + + server_->ExpectReceiveAlert(kTlsAlertCloseNotify); + client_->ExpectSendAlert(kTlsAlertCloseNotify); + + client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CERTIFICATE); +} + /* The test checking the client authentification is successful using certificate * compression. */ TEST_F(TlsConnectStreamTls13, CertificateCompression_PostAuth) { diff --git a/nss/lib/certdb/alg1485.c b/nss/lib/certdb/alg1485.c index 0cf9602..af9b15b 100644 --- a/nss/lib/certdb/alg1485.c +++ b/nss/lib/certdb/alg1485.c @@ -4,6 +4,7 @@ * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +#include <limits.h> #include "prprf.h" #include "cert.h" #include "certi.h" @@ -599,6 +600,8 @@ typedef enum { * Some callers will do quoting when needed, others will not. * If a caller selects minimalEscapeAndQuote, and the string does not * need quoting, then this function changes it to minimalEscape. + * Limit source to 16K, which avoids any possibility of overflow. + * Maximum output size would be 3*srclen+2. */ static int cert_RFC1485_GetRequiredLen(const char* src, int srclen, EQMode* pEQMode) @@ -608,6 +611,10 @@ cert_RFC1485_GetRequiredLen(const char* src, int srclen, EQMode* pEQMode) PRBool needsQuoting = PR_FALSE; char lastC = 0; + /* avoids needing to check for overflow */ + if (srclen > 16384) { + return -1; + } /* need to make an initial pass to determine if quoting is needed */ for (i = 0; i < srclen; i++) { char c = src[i]; @@ -637,6 +644,7 @@ cert_RFC1485_GetRequiredLen(const char* src, int srclen, EQMode* pEQMode) reqLen += 2; if (pEQMode && mode == minimalEscapeAndQuote && !needsQuoting) *pEQMode = minimalEscape; + /* Maximum output size would be 3*srclen+2 */ return reqLen; } @@ -648,12 +656,14 @@ escapeAndQuote(char* dst, int dstlen, char* src, int srclen, EQMode* pEQMode) int i, reqLen = 0; EQMode mode = pEQMode ? *pEQMode : minimalEscape; + reqLen = cert_RFC1485_GetRequiredLen(src, srclen, &mode); + /* reqLen is max 16384*3 + 2 */ /* space for terminal null */ - reqLen = cert_RFC1485_GetRequiredLen(src, srclen, &mode) + 1; - if (reqLen > dstlen) { + if (reqLen < 0 || reqLen + 1 > dstlen) { PORT_SetError(SEC_ERROR_OUTPUT_LEN); return SECFailure; } + reqLen += 1; if (mode == minimalEscapeAndQuote) *dst++ = C_DOUBLE_QUOTE; @@ -981,8 +991,22 @@ AppendAVA(stringBuf* bufp, CERTAVA* ava, CertStrictnessLevel strict) } nameLen = strlen(tagName); - valueLen = - (useHex ? avaValue->len : cert_RFC1485_GetRequiredLen((char*)avaValue->data, avaValue->len, &mode)); + + if (useHex) { + valueLen = avaValue->len; + } else { + int reqLen = cert_RFC1485_GetRequiredLen((char*)avaValue->data, avaValue->len, &mode); + if (reqLen < 0) { + SECITEM_FreeItem(avaValue, PR_TRUE); + return SECFailure; + } + valueLen = reqLen; + } + if (UINT_MAX - nameLen < 2 || + valueLen > UINT_MAX - nameLen - 2) { + SECITEM_FreeItem(avaValue, PR_TRUE); + return SECFailure; + } len = nameLen + valueLen + 2; /* Add 2 for '=' and trailing NUL */ maxName = nameLen; @@ -1198,20 +1222,23 @@ avaToString(PLArenaPool* arena, CERTAVA* ava) if (!avaValue) { return buf; } - valueLen = - cert_RFC1485_GetRequiredLen((char*)avaValue->data, avaValue->len, NULL) + 1; - if (arena) { - buf = (char*)PORT_ArenaZAlloc(arena, valueLen); - } else { - buf = (char*)PORT_ZAlloc(valueLen); - } - if (buf) { - SECStatus rv = - escapeAndQuote(buf, valueLen, (char*)avaValue->data, avaValue->len, NULL); - if (rv != SECSuccess) { - if (!arena) - PORT_Free(buf); - buf = NULL; + int reqLen = cert_RFC1485_GetRequiredLen((char*)avaValue->data, avaValue->len, NULL); + /* reqLen is max 16384*3 + 2 */ + if (reqLen >= 0) { + valueLen = reqLen + 1; + if (arena) { + buf = (char*)PORT_ArenaZAlloc(arena, valueLen); + } else { + buf = (char*)PORT_ZAlloc(valueLen); + } + if (buf) { + SECStatus rv = + escapeAndQuote(buf, valueLen, (char*)avaValue->data, avaValue->len, NULL); + if (rv != SECSuccess) { + if (!arena) + PORT_Free(buf); + buf = NULL; + } } } SECITEM_FreeItem(avaValue, PR_TRUE); diff --git a/nss/lib/certhigh/certvfy.c b/nss/lib/certhigh/certvfy.c index 8e74227..be01efb 100644 --- a/nss/lib/certhigh/certvfy.c +++ b/nss/lib/certhigh/certvfy.c @@ -44,7 +44,7 @@ checkKeyParams(const SECAlgorithmID *sigAlgorithm, const SECKEYPublicKey *key) SECOidTag sigAlg; SECOidTag curve; PRUint32 policyFlags = 0; - PRInt32 minLen, len; + PRInt32 minLen, len, optFlags; sigAlg = SECOID_GetAlgorithmTag(sigAlgorithm); @@ -109,6 +109,13 @@ checkKeyParams(const SECAlgorithmID *sigAlgorithm, const SECKEYPublicKey *key) return SECFailure; } + if (NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optFlags) == SECFailure) { + return SECSuccess; + } + if ((optFlags & NSS_KEY_SIZE_POLICY_VERIFY_FLAG) == 0) { + return SECSuccess; + } + len = 8 * key->u.rsa.modulus.len; rv = NSS_OptionGet(NSS_RSA_MIN_KEY_SIZE, &minLen); @@ -131,6 +138,12 @@ checkKeyParams(const SECAlgorithmID *sigAlgorithm, const SECKEYPublicKey *key) PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); return SECFailure; } + if (NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optFlags) == SECFailure) { + return SECSuccess; + } + if ((optFlags & NSS_KEY_SIZE_POLICY_VERIFY_FLAG) == 0) { + return SECSuccess; + } len = 8 * key->u.dsa.params.prime.len; @@ -162,6 +175,7 @@ CERT_VerifySignedDataWithPublicKey(const CERTSignedData *sd, SECOidTag sigAlg; SECOidTag encAlg; SECOidTag hashAlg; + CK_MECHANISM_TYPE mech; PRUint32 policyFlags; if (!pubKey || !sd) { @@ -173,7 +187,7 @@ CERT_VerifySignedDataWithPublicKey(const CERTSignedData *sd, sigAlg = SECOID_GetAlgorithmTag(&sd->signatureAlgorithm); rv = sec_DecodeSigAlg(pubKey, sigAlg, &sd->signatureAlgorithm.parameters, - &encAlg, &hashAlg); + &encAlg, &hashAlg, &mech, NULL); if (rv != SECSuccess) { return SECFailure; /* error is set */ } diff --git a/nss/lib/certhigh/certvfypkix.c b/nss/lib/certhigh/certvfypkix.c index 1f6762b..efe2dd7 100644 --- a/nss/lib/certhigh/certvfypkix.c +++ b/nss/lib/certhigh/certvfypkix.c @@ -39,7 +39,7 @@ pkix_pl_lifecycle_ObjectTableUpdate(int *objCountTable); PRInt32 parallelFnInvocationCount; #endif /* PKIX_OBJECT_LEAK_TEST */ -static PRBool usePKIXValidationEngine = PR_FALSE; +static PRBool usePKIXValidationEngine = PR_TRUE; #endif /* NSS_DISABLE_LIBPKIX */ /* diff --git a/nss/lib/ckfw/builtins/certdata.txt b/nss/lib/ckfw/builtins/certdata.txt index ed5e6cb..ea914d4 100644 --- a/nss/lib/ckfw/builtins/certdata.txt +++ b/nss/lib/ckfw/builtins/certdata.txt @@ -25359,3 +25359,127 @@ CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + +# +# Certificate "FIRMAPROFESIONAL CA ROOT-A WEB" +# +# Issuer: CN=FIRMAPROFESIONAL CA ROOT-A WEB,OID.2.5.4.97=VATES-A62634068,O=Firmaprofesional SA,C=ES +# Serial Number:31:97:21:ed:af:89:42:7f:35:41:87:a1:67:56:4c:6d +# Subject: CN=FIRMAPROFESIONAL CA ROOT-A WEB,OID.2.5.4.97=VATES-A62634068,O=Firmaprofesional SA,C=ES +# Not Valid Before: Wed Apr 06 09:01:36 2022 +# Not Valid After : Sun Mar 31 09:01:36 2047 +# Fingerprint (SHA-256): BE:F2:56:DA:F2:6E:9C:69:BD:EC:16:02:35:97:98:F3:CA:F7:18:21:A0:3E:01:82:57:C5:3C:65:61:7F:3D:4A +# Fingerprint (SHA1): A8:31:11:74:A6:14:15:0D:CA:77:DD:0E:E4:0C:5D:58:FC:A0:72:A5 +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "FIRMAPROFESIONAL CA ROOT-A WEB" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\156\061\013\060\011\006\003\125\004\006\023\002\105\123\061 +\034\060\032\006\003\125\004\012\014\023\106\151\162\155\141\160 +\162\157\146\145\163\151\157\156\141\154\040\123\101\061\030\060 +\026\006\003\125\004\141\014\017\126\101\124\105\123\055\101\066 +\062\066\063\064\060\066\070\061\047\060\045\006\003\125\004\003 +\014\036\106\111\122\115\101\120\122\117\106\105\123\111\117\116 +\101\114\040\103\101\040\122\117\117\124\055\101\040\127\105\102 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\156\061\013\060\011\006\003\125\004\006\023\002\105\123\061 +\034\060\032\006\003\125\004\012\014\023\106\151\162\155\141\160 +\162\157\146\145\163\151\157\156\141\154\040\123\101\061\030\060 +\026\006\003\125\004\141\014\017\126\101\124\105\123\055\101\066 +\062\066\063\064\060\066\070\061\047\060\045\006\003\125\004\003 +\014\036\106\111\122\115\101\120\122\117\106\105\123\111\117\116 +\101\114\040\103\101\040\122\117\117\124\055\101\040\127\105\102 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\061\227\041\355\257\211\102\177\065\101\207\241\147\126 +\114\155 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\002\172\060\202\002\000\240\003\002\001\002\002\020\061 +\227\041\355\257\211\102\177\065\101\207\241\147\126\114\155\060 +\012\006\010\052\206\110\316\075\004\003\003\060\156\061\013\060 +\011\006\003\125\004\006\023\002\105\123\061\034\060\032\006\003 +\125\004\012\014\023\106\151\162\155\141\160\162\157\146\145\163 +\151\157\156\141\154\040\123\101\061\030\060\026\006\003\125\004 +\141\014\017\126\101\124\105\123\055\101\066\062\066\063\064\060 +\066\070\061\047\060\045\006\003\125\004\003\014\036\106\111\122 +\115\101\120\122\117\106\105\123\111\117\116\101\114\040\103\101 +\040\122\117\117\124\055\101\040\127\105\102\060\036\027\015\062 +\062\060\064\060\066\060\071\060\061\063\066\132\027\015\064\067 +\060\063\063\061\060\071\060\061\063\066\132\060\156\061\013\060 +\011\006\003\125\004\006\023\002\105\123\061\034\060\032\006\003 +\125\004\012\014\023\106\151\162\155\141\160\162\157\146\145\163 +\151\157\156\141\154\040\123\101\061\030\060\026\006\003\125\004 +\141\014\017\126\101\124\105\123\055\101\066\062\066\063\064\060 +\066\070\061\047\060\045\006\003\125\004\003\014\036\106\111\122 +\115\101\120\122\117\106\105\123\111\117\116\101\114\040\103\101 +\040\122\117\117\124\055\101\040\127\105\102\060\166\060\020\006 +\007\052\206\110\316\075\002\001\006\005\053\201\004\000\042\003 +\142\000\004\107\123\352\054\021\244\167\307\052\352\363\326\137 +\173\323\004\221\134\372\210\306\042\271\203\020\142\167\204\063 +\055\351\003\210\324\340\063\367\355\167\054\112\140\352\344\157 +\255\155\264\370\114\212\244\344\037\312\352\117\070\112\056\202 +\163\053\307\146\233\012\214\100\234\174\212\366\362\071\140\262 +\336\313\354\270\344\157\352\233\135\267\123\220\030\062\125\305 +\040\267\224\243\143\060\141\060\017\006\003\125\035\023\001\001 +\377\004\005\060\003\001\001\377\060\037\006\003\125\035\043\004 +\030\060\026\200\024\223\341\103\143\134\074\235\326\047\363\122 +\354\027\262\251\257\054\367\166\370\060\035\006\003\125\035\016 +\004\026\004\024\223\341\103\143\134\074\235\326\047\363\122\354 +\027\262\251\257\054\367\166\370\060\016\006\003\125\035\017\001 +\001\377\004\004\003\002\001\006\060\012\006\010\052\206\110\316 +\075\004\003\003\003\150\000\060\145\002\060\035\174\244\173\303 +\211\165\063\341\073\251\105\277\106\351\351\241\335\311\042\026 +\267\107\021\013\330\232\272\361\310\013\160\120\123\002\221\160 +\205\131\251\036\244\346\352\043\061\240\000\002\061\000\375\342 +\370\263\257\026\271\036\163\304\226\343\301\060\031\330\176\346 +\303\227\336\034\117\270\211\057\063\353\110\017\031\367\207\106 +\135\046\220\245\205\305\271\172\224\076\207\250\275\000 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for "FIRMAPROFESIONAL CA ROOT-A WEB" +# Issuer: CN=FIRMAPROFESIONAL CA ROOT-A WEB,OID.2.5.4.97=VATES-A62634068,O=Firmaprofesional SA,C=ES +# Serial Number:31:97:21:ed:af:89:42:7f:35:41:87:a1:67:56:4c:6d +# Subject: CN=FIRMAPROFESIONAL CA ROOT-A WEB,OID.2.5.4.97=VATES-A62634068,O=Firmaprofesional SA,C=ES +# Not Valid Before: Wed Apr 06 09:01:36 2022 +# Not Valid After : Sun Mar 31 09:01:36 2047 +# Fingerprint (SHA-256): BE:F2:56:DA:F2:6E:9C:69:BD:EC:16:02:35:97:98:F3:CA:F7:18:21:A0:3E:01:82:57:C5:3C:65:61:7F:3D:4A +# Fingerprint (SHA1): A8:31:11:74:A6:14:15:0D:CA:77:DD:0E:E4:0C:5D:58:FC:A0:72:A5 +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "FIRMAPROFESIONAL CA ROOT-A WEB" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\250\061\021\164\246\024\025\015\312\167\335\016\344\014\135\130 +\374\240\162\245 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\202\262\255\105\000\202\260\146\143\370\137\303\147\116\316\243 +END +CKA_ISSUER MULTILINE_OCTAL +\060\156\061\013\060\011\006\003\125\004\006\023\002\105\123\061 +\034\060\032\006\003\125\004\012\014\023\106\151\162\155\141\160 +\162\157\146\145\163\151\157\156\141\154\040\123\101\061\030\060 +\026\006\003\125\004\141\014\017\126\101\124\105\123\055\101\066 +\062\066\063\064\060\066\070\061\047\060\045\006\003\125\004\003 +\014\036\106\111\122\115\101\120\122\117\106\105\123\111\117\116 +\101\114\040\103\101\040\122\117\117\124\055\101\040\127\105\102 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\061\227\041\355\257\211\102\177\065\101\207\241\147\126 +\114\155 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + diff --git a/nss/lib/ckfw/builtins/nssckbi.h b/nss/lib/ckfw/builtins/nssckbi.h index edf4cbd..1eb1165 100644 --- a/nss/lib/ckfw/builtins/nssckbi.h +++ b/nss/lib/ckfw/builtins/nssckbi.h @@ -46,8 +46,8 @@ * It's recommend to switch back to 0 after having reached version 98/99. */ #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2 -#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 66 -#define NSS_BUILTINS_LIBRARY_VERSION "2.66" +#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 68 +#define NSS_BUILTINS_LIBRARY_VERSION "2.68" /* These version numbers detail the semantic changes to the ckfw engine. */ #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1 diff --git a/nss/lib/cryptohi/keyhi.h b/nss/lib/cryptohi/keyhi.h index 173dbda..0f31bd8 100644 --- a/nss/lib/cryptohi/keyhi.h +++ b/nss/lib/cryptohi/keyhi.h @@ -12,7 +12,7 @@ #include "secdert.h" #include "keythi.h" #include "certt.h" -/*#include "secpkcs5.h" */ +#include "secerr.h" SEC_BEGIN_PROTOS @@ -271,6 +271,10 @@ extern int SECKEY_ECParamsToBasePointOrderLen(const SECItem *params); */ SECOidTag SECKEY_GetECCOid(const SECKEYECParams *params); +/* make sure the key length matches the policy for keyType */ +SECStatus SECKEY_EnforceKeySize(KeyType keyType, unsigned keyLength, + SECErrorCodes error); + SEC_END_PROTOS #endif /* _KEYHI_H_ */ diff --git a/nss/lib/cryptohi/keyi.h b/nss/lib/cryptohi/keyi.h index 5683afb..219be82 100644 --- a/nss/lib/cryptohi/keyi.h +++ b/nss/lib/cryptohi/keyi.h @@ -12,11 +12,27 @@ SEC_BEGIN_PROTOS * are good candidates for public functions.. */ KeyType seckey_GetKeyType(SECOidTag pubKeyOid); -/* extract the 'encryption' (could be signing) and hash oids from and - * algorithm, key and parameters (parameters is the parameters field - * of a algorithm ID structure (SECAlgorithmID)*/ +/* + * Pulls the hash algorithm, signing algorithm, and key type out of a + * composite algorithm. + * + * key: pointer to the public key. Should be NULL if called for a sign operation. + * sigAlg: the composite algorithm to dissect. + * hashalg: address of a SECOidTag which will be set with the hash algorithm. + * encalg: address of a SECOidTag which will be set with the signing alg. + * mechp: address of a PCKS #11 Mechanism which will be set to the + * combined hash/encrypt mechanism. If set to CKM_INVALID_MECHANISM, the code + * will fall back to external hashing. + * mechparams: address of a SECItem will set to the parameters for the combined + * hash/encrypt mechanism. + * + * Returns: SECSuccess if the algorithm was acceptable, SECFailure if the + * algorithm was not found or was not a signing algorithm. + */ SECStatus sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg, - const SECItem *param, SECOidTag *encalg, SECOidTag *hashalg); + const SECItem *param, SECOidTag *encalg, + SECOidTag *hashalg, CK_MECHANISM_TYPE *mech, + SECItem *mechparams); /* just get the 'encryption' oid from the combined signature oid */ SECOidTag sec_GetEncAlgFromSigAlg(SECOidTag sigAlg); @@ -35,11 +51,9 @@ SECStatus sec_DecodeRSAPSSParams(PLArenaPool *arena, /* convert the encoded RSA-PSS parameters into PKCS #11 mechanism parameters */ SECStatus sec_DecodeRSAPSSParamsToMechanism(PLArenaPool *arena, const SECItem *params, - CK_RSA_PKCS_PSS_PARAMS *mech); + CK_RSA_PKCS_PSS_PARAMS *mech, + SECOidTag *hashAlg); -/* make sure the key length matches the policy for keyType */ -SECStatus seckey_EnforceKeySize(KeyType keyType, unsigned keyLength, - SECErrorCodes error); SEC_END_PROTOS #endif /* _KEYHI_H_ */ diff --git a/nss/lib/cryptohi/sechash.c b/nss/lib/cryptohi/sechash.c index 5c592df..11eb837 100644 --- a/nss/lib/cryptohi/sechash.c +++ b/nss/lib/cryptohi/sechash.c @@ -238,184 +238,6 @@ HASH_GetHashObject(HASH_HashType type) return &SECHashObjects[type]; } -HASH_HashType -HASH_GetHashTypeByOidTag(SECOidTag hashOid) -{ - HASH_HashType ht = HASH_AlgNULL; - - switch (hashOid) { - case SEC_OID_MD2: - ht = HASH_AlgMD2; - break; - case SEC_OID_MD5: - ht = HASH_AlgMD5; - break; - case SEC_OID_SHA1: - ht = HASH_AlgSHA1; - break; - case SEC_OID_SHA224: - ht = HASH_AlgSHA224; - break; - case SEC_OID_SHA256: - ht = HASH_AlgSHA256; - break; - case SEC_OID_SHA384: - ht = HASH_AlgSHA384; - break; - case SEC_OID_SHA512: - ht = HASH_AlgSHA512; - break; - case SEC_OID_SHA3_224: - ht = HASH_AlgSHA3_224; - break; - case SEC_OID_SHA3_256: - ht = HASH_AlgSHA3_256; - break; - case SEC_OID_SHA3_384: - ht = HASH_AlgSHA3_384; - break; - case SEC_OID_SHA3_512: - ht = HASH_AlgSHA3_512; - break; - default: - PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); - break; - } - return ht; -} - -SECOidTag -HASH_GetHashOidTagByHashType(HASH_HashType type) -{ - SECOidTag oid = SEC_OID_UNKNOWN; - - switch (type) { - case HASH_AlgMD2: - oid = SEC_OID_MD2; - break; - case HASH_AlgMD5: - oid = SEC_OID_MD5; - break; - case HASH_AlgSHA1: - oid = SEC_OID_SHA1; - break; - case HASH_AlgSHA224: - oid = SEC_OID_SHA224; - break; - case HASH_AlgSHA256: - oid = SEC_OID_SHA256; - break; - case HASH_AlgSHA384: - oid = SEC_OID_SHA384; - break; - case HASH_AlgSHA512: - oid = SEC_OID_SHA512; - break; - case HASH_AlgSHA3_224: - oid = SEC_OID_SHA3_224; - break; - case HASH_AlgSHA3_256: - oid = SEC_OID_SHA3_256; - break; - case HASH_AlgSHA3_384: - oid = SEC_OID_SHA3_384; - break; - case HASH_AlgSHA3_512: - oid = SEC_OID_SHA3_512; - break; - default: - PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); - break; - } - return oid; -} - -SECOidTag -HASH_GetHashOidTagByHMACOidTag(SECOidTag hmacOid) -{ - SECOidTag hashOid = SEC_OID_UNKNOWN; - - switch (hmacOid) { - /* no oid exists for HMAC_MD2 */ - /* NSS does not define a oid for HMAC_MD4 */ - case SEC_OID_HMAC_SHA1: - hashOid = SEC_OID_SHA1; - break; - case SEC_OID_HMAC_SHA224: - hashOid = SEC_OID_SHA224; - break; - case SEC_OID_HMAC_SHA256: - hashOid = SEC_OID_SHA256; - break; - case SEC_OID_HMAC_SHA384: - hashOid = SEC_OID_SHA384; - break; - case SEC_OID_HMAC_SHA512: - hashOid = SEC_OID_SHA512; - break; - case SEC_OID_HMAC_SHA3_224: - hashOid = SEC_OID_SHA3_224; - break; - case SEC_OID_HMAC_SHA3_256: - hashOid = SEC_OID_SHA3_256; - break; - case SEC_OID_HMAC_SHA3_384: - hashOid = SEC_OID_SHA3_384; - break; - case SEC_OID_HMAC_SHA3_512: - hashOid = SEC_OID_SHA3_512; - break; - default: - hashOid = SEC_OID_UNKNOWN; - PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); - break; - } - return hashOid; -} - -SECOidTag -HASH_GetHMACOidTagByHashOidTag(SECOidTag hashOid) -{ - SECOidTag hmacOid = SEC_OID_UNKNOWN; - - switch (hashOid) { - /* no oid exists for HMAC_MD2 */ - /* NSS does not define a oid for HMAC_MD4 */ - case SEC_OID_SHA1: - hmacOid = SEC_OID_HMAC_SHA1; - break; - case SEC_OID_SHA224: - hmacOid = SEC_OID_HMAC_SHA224; - break; - case SEC_OID_SHA256: - hmacOid = SEC_OID_HMAC_SHA256; - break; - case SEC_OID_SHA384: - hmacOid = SEC_OID_HMAC_SHA384; - break; - case SEC_OID_SHA512: - hmacOid = SEC_OID_HMAC_SHA512; - break; - case SEC_OID_SHA3_224: - hmacOid = SEC_OID_HMAC_SHA3_224; - break; - case SEC_OID_SHA3_256: - hmacOid = SEC_OID_HMAC_SHA3_256; - break; - case SEC_OID_SHA3_384: - hmacOid = SEC_OID_HMAC_SHA3_384; - break; - case SEC_OID_SHA3_512: - hmacOid = SEC_OID_HMAC_SHA3_512; - break; - default: - hmacOid = SEC_OID_UNKNOWN; - PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); - break; - } - return hmacOid; -} - const SECHashObject * HASH_GetHashObjectByOidTag(SECOidTag hashOid) { diff --git a/nss/lib/cryptohi/sechash.h b/nss/lib/cryptohi/sechash.h index 16e8b67..0e4568b 100644 --- a/nss/lib/cryptohi/sechash.h +++ b/nss/lib/cryptohi/sechash.h @@ -8,6 +8,8 @@ #include "seccomon.h" #include "hasht.h" #include "secoidt.h" +#include "pkcs11t.h" +#include "nsshash.h" SEC_BEGIN_PROTOS @@ -49,11 +51,7 @@ extern const SECHashObject *HASH_GetHashObject(HASH_HashType type); extern const SECHashObject *HASH_GetHashObjectByOidTag(SECOidTag hashOid); -extern HASH_HashType HASH_GetHashTypeByOidTag(SECOidTag hashOid); -extern SECOidTag HASH_GetHashOidTagByHMACOidTag(SECOidTag hmacOid); -extern SECOidTag HASH_GetHMACOidTagByHashOidTag(SECOidTag hashOid); - -extern SECOidTag HASH_GetHashOidTagByHashType(HASH_HashType type); +extern CK_RSA_PKCS_MGF_TYPE SEC_GetMgfTypeByOidTag(SECOidTag tag); SEC_END_PROTOS diff --git a/nss/lib/cryptohi/seckey.c b/nss/lib/cryptohi/seckey.c index 1a68104..03a60c3 100644 --- a/nss/lib/cryptohi/seckey.c +++ b/nss/lib/cryptohi/seckey.c @@ -1345,7 +1345,7 @@ SECKEY_CopyPublicKey(const SECKEYPublicKey *pubk) * size. */ SECStatus -seckey_EnforceKeySize(KeyType keyType, unsigned keyLength, SECErrorCodes error) +SECKEY_EnforceKeySize(KeyType keyType, unsigned keyLength, SECErrorCodes error) { PRInt32 opt = -1; PRInt32 optVal; @@ -2310,10 +2310,18 @@ sec_GetHashMechanismByOidTag(SECOidTag tag) } } -static CK_RSA_PKCS_MGF_TYPE -sec_GetMgfTypeByOidTag(SECOidTag tag) +CK_RSA_PKCS_MGF_TYPE +SEC_GetMgfTypeByOidTag(SECOidTag tag) { switch (tag) { + case SEC_OID_SHA3_512: + return CKG_MGF1_SHA3_512; + case SEC_OID_SHA3_384: + return CKG_MGF1_SHA3_384; + case SEC_OID_SHA3_256: + return CKG_MGF1_SHA3_256; + case SEC_OID_SHA3_224: + return CKG_MGF1_SHA3_224; case SEC_OID_SHA512: return CKG_MGF1_SHA512; case SEC_OID_SHA384: @@ -2415,7 +2423,8 @@ sec_DecodeRSAPSSParams(PLArenaPool *arena, SECStatus sec_DecodeRSAPSSParamsToMechanism(PLArenaPool *arena, const SECItem *params, - CK_RSA_PKCS_PSS_PARAMS *mech) + CK_RSA_PKCS_PSS_PARAMS *mech, + SECOidTag *hashAlgp) { SECOidTag hashAlg; SECOidTag maskHashAlg; @@ -2427,13 +2436,14 @@ sec_DecodeRSAPSSParamsToMechanism(PLArenaPool *arena, if (rv != SECSuccess) { return SECFailure; } + *hashAlgp = hashAlg; mech->hashAlg = sec_GetHashMechanismByOidTag(hashAlg); if (mech->hashAlg == CKM_INVALID_MECHANISM) { return SECFailure; } - mech->mgf = sec_GetMgfTypeByOidTag(maskHashAlg); + mech->mgf = SEC_GetMgfTypeByOidTag(maskHashAlg); if (mech->mgf == 0) { return SECFailure; } diff --git a/nss/lib/cryptohi/secsign.c b/nss/lib/cryptohi/secsign.c index 8779904..9bcdee1 100644 --- a/nss/lib/cryptohi/secsign.c +++ b/nss/lib/cryptohi/secsign.c @@ -20,10 +20,14 @@ struct SGNContextStr { SECOidTag signalg; SECOidTag hashalg; + CK_MECHANISM_TYPE mech; void *hashcx; + /* if we are using explicitly hashing, this value will be non-null */ const SECHashObject *hashobj; + /* if we are using the combined mechanism, this value will be non-null */ + PK11Context *signcx; SECKEYPrivateKey *key; - SECItem *params; + SECItem mechparams; }; static SGNContext * @@ -31,6 +35,8 @@ sgn_NewContext(SECOidTag alg, SECItem *params, SECKEYPrivateKey *key) { SGNContext *cx; SECOidTag hashalg, signalg; + CK_MECHANISM_TYPE mech; + SECItem mechparams; KeyType keyType; PRUint32 policyFlags; PRInt32 optFlags; @@ -44,7 +50,8 @@ sgn_NewContext(SECOidTag alg, SECItem *params, SECKEYPrivateKey *key) * it may just support CKM_SHA1_RSA_PKCS and/or CKM_MD5_RSA_PKCS. */ /* we have a private key, not a public key, so don't pass it in */ - rv = sec_DecodeSigAlg(NULL, alg, params, &signalg, &hashalg); + rv = sec_DecodeSigAlg(NULL, alg, params, &signalg, &hashalg, &mech, + &mechparams); if (rv != SECSuccess) { PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); return NULL; @@ -56,15 +63,15 @@ sgn_NewContext(SECOidTag alg, SECItem *params, SECKEYPrivateKey *key) !((key->keyType == dsaKey) && (keyType == fortezzaKey)) && !((key->keyType == rsaKey) && (keyType == rsaPssKey))) { PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); - return NULL; + goto loser; } if (NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optFlags) != SECFailure) { if (optFlags & NSS_KEY_SIZE_POLICY_SIGN_FLAG) { - rv = seckey_EnforceKeySize(key->keyType, + rv = SECKEY_EnforceKeySize(key->keyType, SECKEY_PrivateKeyStrengthInBits(key), SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED); if (rv != SECSuccess) { - return NULL; + goto loser; } } } @@ -72,23 +79,28 @@ sgn_NewContext(SECOidTag alg, SECItem *params, SECKEYPrivateKey *key) if ((NSS_GetAlgorithmPolicy(hashalg, &policyFlags) == SECFailure) || !(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) { PORT_SetError(SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED); - return NULL; + goto loser; } /* check the policy on the encryption algorithm */ if ((NSS_GetAlgorithmPolicy(signalg, &policyFlags) == SECFailure) || !(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) { PORT_SetError(SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED); - return NULL; + goto loser; } cx = (SGNContext *)PORT_ZAlloc(sizeof(SGNContext)); - if (cx) { - cx->hashalg = hashalg; - cx->signalg = signalg; - cx->key = key; - cx->params = params; + if (!cx) { + goto loser; } + cx->hashalg = hashalg; + cx->signalg = signalg; + cx->mech = mech; + cx->key = key; + cx->mechparams = mechparams; return cx; +loser: + SECITEM_FreeItem(&mechparams, PR_FALSE); + return NULL; } SGNContext * @@ -112,19 +124,55 @@ SGN_DestroyContext(SGNContext *cx, PRBool freeit) (*cx->hashobj->destroy)(cx->hashcx, PR_TRUE); cx->hashcx = NULL; } + if (cx->signcx != NULL) { + PK11_DestroyContext(cx->signcx, PR_TRUE); + cx->signcx = NULL; + } + SECITEM_FreeItem(&cx->mechparams, PR_FALSE); if (freeit) { PORT_ZFree(cx, sizeof(SGNContext)); } } } +static PK11Context * +sgn_CreateCombinedContext(SGNContext *cx) +{ + /* the particular combination of hash and signature doesn't have a combined + * mechanism, fall back to hand hash & sign */ + if (cx->mech == CKM_INVALID_MECHANISM) { + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + return NULL; + } + /* the token the private key resides in doesn't support the combined + * mechanism, fall back to hand hash & sign */ + if (!PK11_DoesMechanismFlag(cx->key->pkcs11Slot, cx->mech, CKF_SIGN)) { + PORT_SetError(SEC_ERROR_NO_TOKEN); + return NULL; + } + return PK11_CreateContextByPrivKey(cx->mech, CKA_SIGN, cx->key, + &cx->mechparams); +} + SECStatus SGN_Begin(SGNContext *cx) { + PK11Context *signcx = NULL; + if (cx->hashcx != NULL) { (*cx->hashobj->destroy)(cx->hashcx, PR_TRUE); cx->hashcx = NULL; } + if (cx->signcx != NULL) { + (void)PK11_DestroyContext(cx->signcx, PR_TRUE); + cx->signcx = NULL; + } + /* if we can get a combined context, we'll use that */ + signcx = sgn_CreateCombinedContext(cx); + if (signcx != NULL) { + cx->signcx = signcx; + return SECSuccess; + } cx->hashobj = HASH_GetHashObjectByOidTag(cx->hashalg); if (!cx->hashobj) @@ -142,8 +190,11 @@ SECStatus SGN_Update(SGNContext *cx, const unsigned char *input, unsigned int inputLen) { if (cx->hashcx == NULL) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; + if (cx->signcx == NULL) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + return PK11_DigestOp(cx->signcx, input, inputLen); } (*cx->hashobj->update)(cx->hashcx, input, inputLen); return SECSuccess; @@ -175,12 +226,54 @@ static DERTemplate SGNDigestInfoTemplate[] = { { 0 } }; +static SECStatus +sgn_allocateSignatureItem(SECKEYPrivateKey *privKey, SECItem *sigitem) +{ + int signatureLen; + signatureLen = PK11_SignatureLen(privKey); + if (signatureLen <= 0) { + PORT_SetError(SEC_ERROR_INVALID_KEY); + return SECFailure; + } + sigitem->len = signatureLen; + sigitem->data = (unsigned char *)PORT_Alloc(signatureLen); + + if (sigitem->data == NULL) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + return SECFailure; + } + return SECSuccess; +} + +/* Sometimes the DER signature format for the signature is different than + * The PKCS #11 format for the signature. This code handles the correction + * from PKCS #11 to DER */ +static SECStatus +sgn_PKCS11ToX509Sig(SGNContext *cx, SECItem *sigitem) +{ + SECStatus rv; + SECItem result = { siBuffer, NULL, 0 }; + + if ((cx->signalg == SEC_OID_ANSIX9_DSA_SIGNATURE) || + (cx->signalg == SEC_OID_ANSIX962_EC_PUBLIC_KEY)) { + /* DSAU_EncodeDerSigWithLen works for DSA and ECDSA */ + rv = DSAU_EncodeDerSigWithLen(&result, sigitem, sigitem->len); + /* we are done with sigItem. In case of failure, we want to free + * it anyway */ + SECITEM_FreeItem(sigitem, PR_FALSE); + if (rv != SECSuccess) { + return rv; + } + *sigitem = result; + } + return SECSuccess; +} + SECStatus SGN_End(SGNContext *cx, SECItem *result) { unsigned char digest[HASH_LENGTH_MAX]; unsigned part1; - int signatureLen; SECStatus rv; SECItem digder, sigitem; PLArenaPool *arena = 0; @@ -191,11 +284,27 @@ SGN_End(SGNContext *cx, SECItem *result) digder.data = 0; sigitem.data = 0; - /* Finish up digest function */ if (cx->hashcx == NULL) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; + if (cx->signcx == NULL) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + /* if we are doing the combined hash/sign function, just finalize + * the signature */ + rv = sgn_allocateSignatureItem(privKey, result); + if (rv != SECSuccess) { + return rv; + } + rv = PK11_DigestFinal(cx->signcx, result->data, &result->len, + result->len); + if (rv != SECSuccess) { + SECITEM_ZfreeItem(result, PR_FALSE); + result->data = NULL; + return rv; + } + return sgn_PKCS11ToX509Sig(cx, result); } + /* Finish up digest function */ (*cx->hashobj->end)(cx->hashcx, digest, &part1, sizeof(digest)); if (privKey->keyType == rsaKey && @@ -229,43 +338,13 @@ SGN_End(SGNContext *cx, SECItem *result) ** Encrypt signature after constructing appropriate PKCS#1 signature ** block */ - signatureLen = PK11_SignatureLen(privKey); - if (signatureLen <= 0) { - PORT_SetError(SEC_ERROR_INVALID_KEY); - rv = SECFailure; - goto loser; - } - sigitem.len = signatureLen; - sigitem.data = (unsigned char *)PORT_Alloc(signatureLen); - - if (sigitem.data == NULL) { - rv = SECFailure; - goto loser; + rv = sgn_allocateSignatureItem(privKey, &sigitem); + if (rv != SECSuccess) { + return rv; } if (cx->signalg == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) { - CK_RSA_PKCS_PSS_PARAMS mech; - SECItem mechItem = { siBuffer, (unsigned char *)&mech, sizeof(mech) }; - - PORT_Memset(&mech, 0, sizeof(mech)); - - if (cx->params && cx->params->data) { - arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - if (!arena) { - rv = SECFailure; - goto loser; - } - - rv = sec_DecodeRSAPSSParamsToMechanism(arena, cx->params, &mech); - if (rv != SECSuccess) { - goto loser; - } - } else { - mech.hashAlg = CKM_SHA_1; - mech.mgf = CKG_MGF1_SHA1; - mech.sLen = digder.len; - } - rv = PK11_SignWithMechanism(privKey, CKM_RSA_PKCS_PSS, &mechItem, + rv = PK11_SignWithMechanism(privKey, CKM_RSA_PKCS_PSS, &cx->mechparams, &sigitem, &digder); if (rv != SECSuccess) { goto loser; @@ -276,18 +355,12 @@ SGN_End(SGNContext *cx, SECItem *result) goto loser; } } - - if ((cx->signalg == SEC_OID_ANSIX9_DSA_SIGNATURE) || - (cx->signalg == SEC_OID_ANSIX962_EC_PUBLIC_KEY)) { - /* DSAU_EncodeDerSigWithLen works for DSA and ECDSA */ - rv = DSAU_EncodeDerSigWithLen(result, &sigitem, sigitem.len); - if (rv != SECSuccess) - goto loser; - SECITEM_FreeItem(&sigitem, PR_FALSE); - } else { - result->len = sigitem.len; - result->data = sigitem.data; + rv = sgn_PKCS11ToX509Sig(cx, &sigitem); + *result = sigitem; + if (rv != SECSuccess) { + goto loser; } + return SECSuccess; loser: if (rv != SECSuccess) { @@ -300,6 +373,42 @@ loser: return rv; } +static SECStatus +sgn_SingleShot(SGNContext *cx, const unsigned char *input, + unsigned int inputLen, SECItem *result) +{ + SECStatus rv; + + result->data = 0; + /* if we have the combined mechanism, just do the single shot + * version */ + if ((cx->mech != CKM_INVALID_MECHANISM) && + PK11_DoesMechanismFlag(cx->key->pkcs11Slot, cx->mech, CKF_SIGN)) { + SECItem data = { siBuffer, (unsigned char *)input, inputLen }; + rv = sgn_allocateSignatureItem(cx->key, result); + if (rv != SECSuccess) { + return rv; + } + rv = PK11_SignWithMechanism(cx->key, cx->mech, &cx->mechparams, + result, &data); + if (rv != SECSuccess) { + SECITEM_ZfreeItem(result, PR_FALSE); + return rv; + } + return sgn_PKCS11ToX509Sig(cx, result); + } + /* fall back to the stream version */ + rv = SGN_Begin(cx); + if (rv != SECSuccess) + return rv; + + rv = SGN_Update(cx, input, inputLen); + if (rv != SECSuccess) + return rv; + + return SGN_End(cx, result); +} + /************************************************************************/ static SECStatus @@ -314,16 +423,10 @@ sec_SignData(SECItem *res, const unsigned char *buf, int len, if (sgn == NULL) return SECFailure; - rv = SGN_Begin(sgn); + rv = sgn_SingleShot(sgn, buf, len, res); if (rv != SECSuccess) goto loser; - rv = SGN_Update(sgn, buf, len); - if (rv != SECSuccess) - goto loser; - - rv = SGN_End(sgn, res); - loser: SGN_DestroyContext(sgn, PR_TRUE); return rv; @@ -483,7 +586,7 @@ SGN_Digest(SECKEYPrivateKey *privKey, if (NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optFlags) != SECFailure) { if (optFlags & NSS_KEY_SIZE_POLICY_SIGN_FLAG) { - rv = seckey_EnforceKeySize(privKey->keyType, + rv = SECKEY_EnforceKeySize(privKey->keyType, SECKEY_PrivateKeyStrengthInBits(privKey), SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED); if (rv != SECSuccess) { diff --git a/nss/lib/cryptohi/secvfy.c b/nss/lib/cryptohi/secvfy.c index 04c755a..34b6ab5 100644 --- a/nss/lib/cryptohi/secvfy.c +++ b/nss/lib/cryptohi/secvfy.c @@ -17,6 +17,7 @@ #include "secerr.h" #include "keyi.h" #include "nss.h" +#include "prenv.h" /* ** Recover the DigestInfo from an RSA PKCS#1 signature. @@ -139,19 +140,23 @@ struct VFYContextStr { unsigned char ecdsasig[2 * MAX_ECKEY_LEN]; /* the full RSA signature, only used in RSA-PSS */ unsigned char rsasig[(RSA_MAX_MODULUS_BITS + 7) / 8]; + unsigned char gensig[MAX_SIGNATURE_LEN]; } u; + unsigned int signatureLen; unsigned int pkcs1RSADigestInfoLen; /* the encoded DigestInfo from a RSA PKCS#1 signature */ unsigned char *pkcs1RSADigestInfo; void *wincx; void *hashcx; const SECHashObject *hashobj; - SECOidTag encAlg; /* enc alg */ + PK11Context *vfycx; + SECOidTag encAlg; /* enc alg */ + CK_MECHANISM_TYPE mech; PRBool hasSignature; /* true if the signature was provided in the * VFY_CreateContext call. If false, the * signature must be provided with a * VFY_EndWithSignature call. */ - SECItem *params; + SECItem mechparams; }; static SECStatus @@ -189,6 +194,7 @@ checkedSignatureLen(const SECKEYPublicKey *pubk) PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); return 0; } + PORT_Assert(maxSigLen <= MAX_SIGNATURE_LEN); if (sigLen > maxSigLen) { PORT_SetError(SEC_ERROR_INVALID_KEY); return 0; @@ -296,30 +302,146 @@ sec_GetEncAlgFromSigAlg(SECOidTag sigAlg) } return SEC_OID_UNKNOWN; } +static CK_MECHANISM_TYPE +sec_RSAPKCS1GetCombinedMech(SECOidTag hashalg) +{ + switch (hashalg) { + case SEC_OID_MD5: + return CKM_MD5_RSA_PKCS; + case SEC_OID_MD2: + return CKM_MD2_RSA_PKCS; + case SEC_OID_SHA1: + return CKM_SHA1_RSA_PKCS; + case SEC_OID_SHA224: + return CKM_SHA224_RSA_PKCS; + case SEC_OID_SHA256: + return CKM_SHA256_RSA_PKCS; + case SEC_OID_SHA384: + return CKM_SHA384_RSA_PKCS; + case SEC_OID_SHA512: + return CKM_SHA512_RSA_PKCS; + default: + break; + } + return CKM_INVALID_MECHANISM; +} + +static CK_MECHANISM_TYPE +sec_RSAPSSGetCombinedMech(SECOidTag hashalg) +{ + switch (hashalg) { + case SEC_OID_SHA1: + return CKM_SHA1_RSA_PKCS_PSS; + case SEC_OID_SHA224: + return CKM_SHA224_RSA_PKCS_PSS; + case SEC_OID_SHA256: + return CKM_SHA256_RSA_PKCS_PSS; + case SEC_OID_SHA384: + return CKM_SHA384_RSA_PKCS_PSS; + case SEC_OID_SHA512: + return CKM_SHA512_RSA_PKCS_PSS; + default: + break; + } + return CKM_INVALID_MECHANISM; +} + +static CK_MECHANISM_TYPE +sec_DSAGetCombinedMech(SECOidTag hashalg) +{ + switch (hashalg) { + case SEC_OID_SHA1: + return CKM_DSA_SHA1; + case SEC_OID_SHA224: + return CKM_DSA_SHA224; + case SEC_OID_SHA256: + return CKM_DSA_SHA256; + case SEC_OID_SHA384: + return CKM_DSA_SHA384; + case SEC_OID_SHA512: + return CKM_DSA_SHA512; + default: + break; + } + return CKM_INVALID_MECHANISM; +} +static CK_MECHANISM_TYPE +sec_ECDSAGetCombinedMech(SECOidTag hashalg) +{ + switch (hashalg) { + case SEC_OID_SHA1: + return CKM_ECDSA_SHA1; + case SEC_OID_SHA224: + return CKM_ECDSA_SHA224; + case SEC_OID_SHA256: + return CKM_ECDSA_SHA256; + case SEC_OID_SHA384: + return CKM_ECDSA_SHA384; + case SEC_OID_SHA512: + return CKM_ECDSA_SHA512; + default: + break; + } + return CKM_INVALID_MECHANISM; +} + +static CK_MECHANISM_TYPE +sec_GetCombinedMech(SECOidTag encalg, SECOidTag hashalg) +{ + switch (encalg) { + case SEC_OID_PKCS1_RSA_ENCRYPTION: + return sec_RSAPKCS1GetCombinedMech(hashalg); + case SEC_OID_PKCS1_RSA_PSS_SIGNATURE: + return sec_RSAPSSGetCombinedMech(hashalg); + case SEC_OID_ANSIX962_EC_PUBLIC_KEY: + return sec_ECDSAGetCombinedMech(hashalg); + case SEC_OID_ANSIX9_DSA_SIGNATURE: + return sec_DSAGetCombinedMech(hashalg); + default: + break; + } + return CKM_INVALID_MECHANISM; +} /* * Pulls the hash algorithm, signing algorithm, and key type out of a * composite algorithm. * + * key: pointer to the public key. Should be NULL if called for a sign operation. * sigAlg: the composite algorithm to dissect. * hashalg: address of a SECOidTag which will be set with the hash algorithm. * encalg: address of a SECOidTag which will be set with the signing alg. + * mechp: address of a PCKS #11 Mechanism which will be set to the + * combined hash/encrypt mechanism. If set to CKM_INVALID_MECHANISM, the code + * will fall back to external hashing. + * mechparams: address of a SECItem will set to the parameters for the combined + * hash/encrypt mechanism. * * Returns: SECSuccess if the algorithm was acceptable, SECFailure if the * algorithm was not found or was not a signing algorithm. */ SECStatus sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg, - const SECItem *param, SECOidTag *encalgp, SECOidTag *hashalg) + const SECItem *param, SECOidTag *encalgp, SECOidTag *hashalg, + CK_MECHANISM_TYPE *mechp, SECItem *mechparamsp) { unsigned int len; PLArenaPool *arena; SECStatus rv; SECItem oid; SECOidTag encalg; + char *evp; PR_ASSERT(hashalg != NULL); PR_ASSERT(encalgp != NULL); + PR_ASSERT(mechp != NULL); + /* Get the expected combined mechanism from the signature OID + * We'll override it in the table below if necessary */ + *mechp = PK11_AlgtagToMechanism(sigAlg); + if (mechparamsp) { + mechparamsp->data = NULL; + mechparamsp->len = 0; + } switch (sigAlg) { /* We probably shouldn't be generating MD2 signatures either */ @@ -335,24 +457,57 @@ sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg, *hashalg = SEC_OID_SHA1; break; case SEC_OID_PKCS1_RSA_ENCRYPTION: + /* SEC_OID_PKCS1_RSA_ENCRYPTION returns the generic + * CKM_RSA_PKCS mechanism, which isn't a combined mechanism. + * We don't have a hash, so we need to fall back to the old + * code which gets the hashalg by decoding the signature */ + *mechp = CKM_INVALID_MECHANISM; *hashalg = SEC_OID_UNKNOWN; /* get it from the RSA signature */ break; case SEC_OID_PKCS1_RSA_PSS_SIGNATURE: + /* SEC_OID_PKCS1_RSA_PSS_SIGNATURE returns the generic + * CKM_RSA_PSS_PKCS mechanism, which isn't a combined mechanism. + * If successful, we'll select the mechanism below, set it to + * invalid here incase we aren't successful */ + *mechp = CKM_INVALID_MECHANISM; + CK_RSA_PKCS_PSS_PARAMS *rsapssmechparams = NULL; + CK_RSA_PKCS_PSS_PARAMS space; + + /* if we don't have a mechanism parameter to put the data in + * we don't need to return it, just use a stack buffer */ + if (mechparamsp == NULL) { + rsapssmechparams = &space; + } else { + rsapssmechparams = PORT_ZNew(CK_RSA_PKCS_PSS_PARAMS); + } + if (rsapssmechparams == NULL) { + return SECFailure; + } if (param && param->data) { PORTCheapArenaPool tmpArena; PORT_InitCheapArena(&tmpArena, DER_DEFAULT_CHUNKSIZE); - rv = sec_DecodeRSAPSSParams(&tmpArena.arena, param, - hashalg, NULL, NULL); + rv = sec_DecodeRSAPSSParamsToMechanism(&tmpArena.arena, param, + rsapssmechparams, hashalg); PORT_DestroyCheapArena(&tmpArena); /* only accept hash algorithms */ if (rv != SECSuccess || HASH_GetHashTypeByOidTag(*hashalg) == HASH_AlgNULL) { /* error set by sec_DecodeRSAPSSParams or HASH_GetHashTypeByOidTag */ + if (mechparamsp) + PORT_Free(rsapssmechparams); return SECFailure; } } else { *hashalg = SEC_OID_SHA1; /* default, SHA-1 */ + rsapssmechparams->hashAlg = CKM_SHA_1; + rsapssmechparams->mgf = CKG_MGF1_SHA1; + rsapssmechparams->sLen = SHA1_LENGTH; + } + *mechp = sec_RSAPSSGetCombinedMech(*hashalg); + if (mechparamsp) { + mechparamsp->data = (unsigned char *)rsapssmechparams; + mechparamsp->len = sizeof(*rsapssmechparams); } break; @@ -385,6 +540,7 @@ sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg, case SEC_OID_MISSI_KEA_DSS: case SEC_OID_MISSI_KEA_DSS_OLD: case SEC_OID_MISSI_DSS_OLD: + *mechp = CKM_DSA_SHA1; *hashalg = SEC_OID_SHA1; break; case SEC_OID_ANSIX962_ECDSA_SIGNATURE_RECOMMENDED_DIGEST: @@ -406,6 +562,7 @@ sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg, /* use the largest in this case */ *hashalg = SEC_OID_SHA512; } + *mechp = sec_ECDSAGetCombinedMech(*hashalg); break; case SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST: if (param == NULL) { @@ -429,23 +586,110 @@ sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg, /* error set by HASH_GetHashTypeByOidTag */ return SECFailure; } + *mechp = sec_ECDSAGetCombinedMech(*hashalg); break; /* we don't implement MD4 hashes */ case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION: default: + *mechp = CKM_INVALID_MECHANISM; PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); return SECFailure; } encalg = sec_GetEncAlgFromSigAlg(sigAlg); if (encalg == SEC_OID_UNKNOWN) { + *mechp = CKM_INVALID_MECHANISM; + SECITEM_FreeItem(mechparamsp, PR_FALSE); return SECFailure; } *encalgp = encalg; + /* for testing, we want to be able to turn off combo signatures to + * 1) make sure the fallback code is working correctly so we know + * we can handle cases where the fallback doesn't work. + * 2) make sure that the combo code is compatible with the non-combo + * versions. + * We know if we are signing or verifying based on the value of 'key'. + * Since key is a public key, then it's set to NULL for signing */ + evp = PR_GetEnvSecure("NSS_COMBO_SIGNATURES"); + if (evp) { + if (PORT_Strcasecmp(evp, "none") == 0) { + *mechp = CKM_INVALID_MECHANISM; + } else if (key && (PORT_Strcasecmp(evp, "signonly") == 0)) { + *mechp = CKM_INVALID_MECHANISM; + } else if (!key && (PORT_Strcasecmp(evp, "vfyonly") == 0)) { + *mechp = CKM_INVALID_MECHANISM; + } + /* anything else we take as use combo, which is the default */ + } return SECSuccess; } +SECStatus +vfy_ImportPublicKey(VFYContext *cx) +{ + PK11SlotInfo *slot; + CK_OBJECT_HANDLE objID; + + if (cx->key->pkcs11Slot && + PK11_DoesMechanismFlag(cx->key->pkcs11Slot, + cx->mech, CKF_VERIFY)) { + return SECSuccess; + } + slot = PK11_GetBestSlotWithAttributes(cx->mech, CKF_VERIFY, 0, cx->wincx); + if (slot == NULL) { + return SECFailure; /* can't find a slot, fall back to + * normal processing */ + } + objID = PK11_ImportPublicKey(slot, cx->key, PR_FALSE); + PK11_FreeSlot(slot); + return objID == CK_INVALID_HANDLE ? SECFailure : SECSuccess; +} + +/* Sometimes there are differences between how DER encodes a + * signature and how it's encoded in PKCS #11. This function converts the + * DER form to the PKCS #11 form. it also verify signature length based + * on the key, and verifies that length will fit in our buffer. */ +static SECStatus +vfy_SetPKCS11SigFromX509Sig(VFYContext *cx, const SECItem *sig) +{ + unsigned int sigLen; + + /* skip the legacy RSA PKCS #11 case, it's always handled separately */ + if ((cx->key->keyType == rsaKey) && (cx->mech == CKM_INVALID_MECHANISM) && + (cx->encAlg != SEC_OID_PKCS1_RSA_PSS_SIGNATURE)) { + return SECSuccess; + } + + sigLen = checkedSignatureLen(cx->key); + /* Check signature length is within limits */ + if (sigLen == 0) { + /* error set by checkedSignatureLen */ + return SECFailure; + } + if (sigLen > sizeof(cx->u)) { + PORT_SetError(SEC_ERROR_BAD_SIGNATURE); + return SECFailure; + } + /* save the authenticated length */ + cx->signatureLen = sigLen; + switch (cx->encAlg) { + case SEC_OID_ANSIX9_DSA_SIGNATURE: + case SEC_OID_ANSIX962_EC_PUBLIC_KEY: + /* decodeECorDSASignature will check sigLen == sig->len after padding */ + return decodeECorDSASignature(cx->encAlg, sig, cx->u.buffer, sigLen); + default: + break; + } + /* all other cases, no transform needed, just copy the signature */ + if (sig->len != sigLen) { + PORT_SetError(SEC_ERROR_BAD_SIGNATURE); + return SECFailure; + } + PORT_Memcpy(cx->u.buffer, sig->data, sigLen); + return SECSuccess; +} + /* * we can verify signatures that come from 2 different sources: * one in with the signature contains a signature oid, and the other @@ -453,6 +697,17 @@ sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg, * and a hash oid. The latter is the more basic, so that's what * our base vfyCreate function takes. * + * Modern signature algorithms builds the hashing into the algorithm, and + * some tokens (like smart cards), purposefully only export hash & sign + * combo mechanisms (which gives stronger guarrentees on key type usage + * for RSA operations). If mech is set to a PKCS #11 mechanism, we assume + * we can do the combined operations, otherwise we fall back to manually + * hashing then signing. + * + * This function adopts the mechparamsp parameter, so if we fail before + * setting up the context, we need to free any space associated with it + * before we return. + * * There is one noteworthy corner case, if we are using an RSA key, and the * signature block is provided, then the hashAlg can be specified as * SEC_OID_UNKNOWN. In this case, verify will use the hash oid supplied @@ -460,11 +715,12 @@ sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg, */ static VFYContext * vfy_CreateContext(const SECKEYPublicKey *key, const SECItem *sig, - SECOidTag encAlg, SECOidTag hashAlg, SECOidTag *hash, void *wincx) + SECOidTag encAlg, SECOidTag hashAlg, CK_MECHANISM_TYPE mech, + SECItem *mechparamsp, SECOidTag *hash, PRBool prehash, + void *wincx) { VFYContext *cx; SECStatus rv; - unsigned int sigLen; KeyType type; PRUint32 policyFlags; PRInt32 optFlags; @@ -474,15 +730,17 @@ vfy_CreateContext(const SECKEYPublicKey *key, const SECItem *sig, type = seckey_GetKeyType(encAlg); if ((key->keyType != type) && ((key->keyType != rsaKey) || (type != rsaPssKey))) { + SECITEM_FreeItem(mechparamsp, PR_FALSE); PORT_SetError(SEC_ERROR_PKCS7_KEYALG_MISMATCH); return NULL; } if (NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optFlags) != SECFailure) { if (optFlags & NSS_KEY_SIZE_POLICY_VERIFY_FLAG) { - rv = seckey_EnforceKeySize(key->keyType, + rv = SECKEY_EnforceKeySize(key->keyType, SECKEY_PublicKeyStrengthInBits(key), SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED); if (rv != SECSuccess) { + SECITEM_FreeItem(mechparamsp, PR_FALSE); return NULL; } } @@ -490,12 +748,16 @@ vfy_CreateContext(const SECKEYPublicKey *key, const SECItem *sig, /* check the policy on the encryption algorithm */ if ((NSS_GetAlgorithmPolicy(encAlg, &policyFlags) == SECFailure) || !(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) { + SECITEM_FreeItem(mechparamsp, PR_FALSE); PORT_SetError(SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED); return NULL; } cx = (VFYContext *)PORT_ZAlloc(sizeof(VFYContext)); if (cx == NULL) { + /* after this point mechparamsp is 'owned' by the context and will be + * freed by Destroy context for any other failures here */ + SECITEM_FreeItem(mechparamsp, PR_FALSE); goto loser; } @@ -503,50 +765,46 @@ vfy_CreateContext(const SECKEYPublicKey *key, const SECItem *sig, cx->hasSignature = (sig != NULL); cx->encAlg = encAlg; cx->hashAlg = hashAlg; + cx->mech = mech; + if (mechparamsp) { + cx->mechparams = *mechparamsp; + } else { + /* probably needs to have a call to set the default + * paramseters based on hashAlg and encAlg */ + cx->mechparams.data = NULL; + cx->mechparams.len = 0; + } cx->key = SECKEY_CopyPublicKey(key); cx->pkcs1RSADigestInfo = NULL; rv = SECSuccess; + if (mech != CKM_INVALID_MECHANISM) { + rv = vfy_ImportPublicKey(cx); + /* if we can't import the key, then we probably can't + * support the requested combined mechanism, fallback + * to the non-combined method */ + if (rv != SECSuccess) { + cx->mech = mech = CKM_INVALID_MECHANISM; + } + } if (sig) { rv = SECFailure; - if (type == rsaKey) { + /* sigh, if we are prehashing, we still need to do verifyRecover + * recover for RSA PKCS #1 */ + if ((mech == CKM_INVALID_MECHANISM || prehash) && (type == rsaKey)) { + /* in traditional rsa PKCS #1, we use verify recover to get + * the encoded RSADigestInfo. In all other cases we just + * stash the signature encoded in PKCS#11 in our context */ rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg, &cx->pkcs1RSADigestInfo, &cx->pkcs1RSADigestInfoLen, cx->key, sig, wincx); } else { - sigLen = checkedSignatureLen(key); - /* Check signature length is within limits */ - if (sigLen == 0) { - /* error set by checkedSignatureLen */ - rv = SECFailure; - goto loser; - } - if (sigLen > sizeof(cx->u)) { - PORT_SetError(SEC_ERROR_BAD_SIGNATURE); - rv = SECFailure; - goto loser; - } - switch (type) { - case rsaPssKey: - if (sig->len != sigLen) { - PORT_SetError(SEC_ERROR_BAD_SIGNATURE); - rv = SECFailure; - goto loser; - } - PORT_Memcpy(cx->u.buffer, sig->data, sigLen); - rv = SECSuccess; - break; - case ecKey: - case dsaKey: - /* decodeECorDSASignature will check sigLen == sig->len after padding */ - rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen); - break; - default: - /* Unreachable */ - rv = SECFailure; - goto loser; - } + /* at this point hashAlg should be known. Only the RSA case + * enters here with hashAlg unknown, and it's found out + * above */ + PORT_Assert(hashAlg != SEC_OID_UNKNOWN); + rv = vfy_SetPKCS11SigFromX509Sig(cx, sig); } if (rv != SECSuccess) { goto loser; @@ -584,11 +842,15 @@ VFY_CreateContext(SECKEYPublicKey *key, SECItem *sig, SECOidTag sigAlg, void *wincx) { SECOidTag encAlg, hashAlg; - SECStatus rv = sec_DecodeSigAlg(key, sigAlg, NULL, &encAlg, &hashAlg); + CK_MECHANISM_TYPE mech; + SECItem mechparams; + SECStatus rv = sec_DecodeSigAlg(key, sigAlg, NULL, &encAlg, &hashAlg, + &mech, &mechparams); if (rv != SECSuccess) { return NULL; } - return vfy_CreateContext(key, sig, encAlg, hashAlg, NULL, wincx); + return vfy_CreateContext(key, sig, encAlg, hashAlg, mech, + &mechparams, NULL, PR_FALSE, wincx); } VFYContext * @@ -596,28 +858,28 @@ VFY_CreateContextDirect(const SECKEYPublicKey *key, const SECItem *sig, SECOidTag encAlg, SECOidTag hashAlg, SECOidTag *hash, void *wincx) { - return vfy_CreateContext(key, sig, encAlg, hashAlg, hash, wincx); + CK_MECHANISM_TYPE mech = sec_GetCombinedMech(encAlg, hashAlg); + return vfy_CreateContext(key, sig, encAlg, hashAlg, mech, NULL, + hash, PR_FALSE, wincx); } VFYContext * VFY_CreateContextWithAlgorithmID(const SECKEYPublicKey *key, const SECItem *sig, const SECAlgorithmID *sigAlgorithm, SECOidTag *hash, void *wincx) { - VFYContext *cx; SECOidTag encAlg, hashAlg; + CK_MECHANISM_TYPE mech; + SECItem mechparams; SECStatus rv = sec_DecodeSigAlg(key, SECOID_GetAlgorithmTag((SECAlgorithmID *)sigAlgorithm), - &sigAlgorithm->parameters, &encAlg, &hashAlg); + &sigAlgorithm->parameters, &encAlg, &hashAlg, + &mech, &mechparams); if (rv != SECSuccess) { return NULL; } - cx = vfy_CreateContext(key, sig, encAlg, hashAlg, hash, wincx); - if (sigAlgorithm->parameters.data) { - cx->params = SECITEM_DupItem(&sigAlgorithm->parameters); - } - - return cx; + return vfy_CreateContext(key, sig, encAlg, hashAlg, mech, &mechparams, + hash, PR_FALSE, wincx); } void @@ -628,15 +890,17 @@ VFY_DestroyContext(VFYContext *cx, PRBool freeit) (*cx->hashobj->destroy)(cx->hashcx, PR_TRUE); cx->hashcx = NULL; } + if (cx->vfycx != NULL) { + (void)PK11_DestroyContext(cx->vfycx, PR_TRUE); + cx->vfycx = NULL; + } if (cx->key) { SECKEY_DestroyPublicKey(cx->key); } if (cx->pkcs1RSADigestInfo) { PORT_Free(cx->pkcs1RSADigestInfo); } - if (cx->params) { - SECITEM_FreeItem(cx->params, PR_TRUE); - } + SECITEM_FreeItem(&cx->mechparams, PR_FALSE); if (freeit) { PORT_ZFree(cx, sizeof(VFYContext)); } @@ -650,7 +914,17 @@ VFY_Begin(VFYContext *cx) (*cx->hashobj->destroy)(cx->hashcx, PR_TRUE); cx->hashcx = NULL; } - + if (cx->vfycx != NULL) { + (void)PK11_DestroyContext(cx->vfycx, PR_TRUE); + cx->vfycx = NULL; + } + if (cx->mech != CKM_INVALID_MECHANISM) { + cx->vfycx = PK11_CreateContextByPubKey(cx->mech, CKA_VERIFY, cx->key, + &cx->mechparams, cx->wincx); + if (!cx->vfycx) + return SECFailure; + return SECSuccess; + } cx->hashobj = HASH_GetHashObjectByOidTag(cx->hashAlg); if (!cx->hashobj) return SECFailure; /* error code is set */ @@ -667,102 +941,87 @@ SECStatus VFY_Update(VFYContext *cx, const unsigned char *input, unsigned inputLen) { if (cx->hashcx == NULL) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; + if (cx->vfycx == NULL) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + return PK11_DigestOp(cx->vfycx, input, inputLen); } (*cx->hashobj->update)(cx->hashcx, input, inputLen); return SECSuccess; } +static SECStatus +vfy_SingleShot(VFYContext *cx, const unsigned char *buf, int len) +{ + SECStatus rv; + /* if we have the combo mechanism, do a direct verify */ + if (cx->mech != CKM_INVALID_MECHANISM) { + SECItem sig = { siBuffer, cx->u.gensig, cx->signatureLen }; + SECItem data = { siBuffer, (unsigned char *)buf, len }; + return PK11_VerifyWithMechanism(cx->key, cx->mech, &cx->mechparams, + &sig, &data, cx->wincx); + } + rv = VFY_Begin(cx); + if (rv != SECSuccess) { + return rv; + } + rv = VFY_Update(cx, (unsigned char *)buf, len); + if (rv != SECSuccess) { + return rv; + } + return VFY_End(cx); +} + SECStatus VFY_EndWithSignature(VFYContext *cx, SECItem *sig) { unsigned char final[HASH_LENGTH_MAX]; unsigned part; - SECItem hash, rsasig, dsasig; /* dsasig is also used for ECDSA */ SECStatus rv; - if ((cx->hasSignature == PR_FALSE) && (sig == NULL)) { + /* make sure our signature is set (either previously nor now) */ + if (sig) { + rv = vfy_SetPKCS11SigFromX509Sig(cx, sig); + if (rv != SECSuccess) { + return SECFailure; + } + } else if (cx->hasSignature == PR_FALSE) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } if (cx->hashcx == NULL) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; + unsigned int dummy; + if (cx->vfycx == NULL) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + return PK11_DigestFinal(cx->vfycx, cx->u.gensig, &dummy, + cx->signatureLen); } (*cx->hashobj->end)(cx->hashcx, final, &part, sizeof(final)); + SECItem gensig = { siBuffer, cx->u.gensig, cx->signatureLen }; + SECItem hash = { siBuffer, final, part }; + PORT_Assert(part <= sizeof(final)); + /* handle the algorithm specific final call */ switch (cx->key->keyType) { case ecKey: case dsaKey: - dsasig.len = checkedSignatureLen(cx->key); - if (dsasig.len == 0) { - return SECFailure; - } - if (dsasig.len > sizeof(cx->u)) { - PORT_SetError(SEC_ERROR_BAD_SIGNATURE); - return SECFailure; - } - dsasig.data = cx->u.buffer; - - if (sig) { - rv = decodeECorDSASignature(cx->encAlg, sig, dsasig.data, - dsasig.len); - if (rv != SECSuccess) { - PORT_SetError(SEC_ERROR_BAD_SIGNATURE); - return SECFailure; - } - } - hash.data = final; - hash.len = part; - if (PK11_Verify(cx->key, &dsasig, &hash, cx->wincx) != SECSuccess) { + if (PK11_Verify(cx->key, &gensig, &hash, cx->wincx) != SECSuccess) { PORT_SetError(SEC_ERROR_BAD_SIGNATURE); return SECFailure; } break; case rsaKey: if (cx->encAlg == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) { - CK_RSA_PKCS_PSS_PARAMS mech; - SECItem mechItem = { siBuffer, (unsigned char *)&mech, sizeof(mech) }; - PORTCheapArenaPool tmpArena; - - PORT_InitCheapArena(&tmpArena, DER_DEFAULT_CHUNKSIZE); - rv = sec_DecodeRSAPSSParamsToMechanism(&tmpArena.arena, - cx->params, - &mech); - PORT_DestroyCheapArena(&tmpArena); - if (rv != SECSuccess) { - return SECFailure; - } - - rsasig.data = cx->u.buffer; - rsasig.len = checkedSignatureLen(cx->key); - if (rsasig.len == 0) { - /* Error set by checkedSignatureLen */ - return SECFailure; - } - if (rsasig.len > sizeof(cx->u)) { - PORT_SetError(SEC_ERROR_BAD_SIGNATURE); - return SECFailure; - } - if (sig) { - if (sig->len != rsasig.len) { - PORT_SetError(SEC_ERROR_BAD_SIGNATURE); - return SECFailure; - } - PORT_Memcpy(rsasig.data, sig->data, rsasig.len); - } - hash.data = final; - hash.len = part; - if (PK11_VerifyWithMechanism(cx->key, CKM_RSA_PKCS_PSS, &mechItem, - &rsasig, &hash, cx->wincx) != SECSuccess) { + if (PK11_VerifyWithMechanism(cx->key, CKM_RSA_PKCS_PSS, + &cx->mechparams, &gensig, &hash, + cx->wincx) != SECSuccess) { PORT_SetError(SEC_ERROR_BAD_SIGNATURE); return SECFailure; } } else { - SECItem digest; - digest.data = final; - digest.len = part; if (sig) { SECOidTag hashid; PORT_Assert(cx->hashAlg != SEC_OID_UNKNOWN); @@ -776,7 +1035,7 @@ VFY_EndWithSignature(VFYContext *cx, SECItem *sig) } PORT_Assert(cx->hashAlg == hashid); } - return verifyPKCS1DigestInfo(cx, &digest); + return verifyPKCS1DigestInfo(cx, &hash); } break; default: @@ -799,17 +1058,20 @@ VFY_End(VFYContext *cx) static SECStatus vfy_VerifyDigest(const SECItem *digest, const SECKEYPublicKey *key, const SECItem *sig, SECOidTag encAlg, SECOidTag hashAlg, - void *wincx) + CK_MECHANISM_TYPE mech, SECItem *mechparamsp, void *wincx) { SECStatus rv; VFYContext *cx; SECItem dsasig; /* also used for ECDSA */ rv = SECFailure; - cx = vfy_CreateContext(key, sig, encAlg, hashAlg, NULL, wincx); + cx = vfy_CreateContext(key, sig, encAlg, hashAlg, mech, mechparamsp, + NULL, PR_TRUE, wincx); if (cx != NULL) { switch (key->keyType) { case rsaKey: + /* PSS isn't handled here for VerifyDigest. SSL + * calls PK11_Verify directly */ rv = verifyPKCS1DigestInfo(cx, digest); /* Error (if any) set by verifyPKCS1DigestInfo */ break; @@ -845,7 +1107,9 @@ VFY_VerifyDigestDirect(const SECItem *digest, const SECKEYPublicKey *key, const SECItem *sig, SECOidTag encAlg, SECOidTag hashAlg, void *wincx) { - return vfy_VerifyDigest(digest, key, sig, encAlg, hashAlg, wincx); + CK_MECHANISM_TYPE mech = sec_GetCombinedMech(encAlg, hashAlg); + return vfy_VerifyDigest(digest, key, sig, encAlg, hashAlg, mech, + NULL, wincx); } SECStatus @@ -853,11 +1117,15 @@ VFY_VerifyDigest(SECItem *digest, SECKEYPublicKey *key, SECItem *sig, SECOidTag algid, void *wincx) { SECOidTag encAlg, hashAlg; - SECStatus rv = sec_DecodeSigAlg(key, algid, NULL, &encAlg, &hashAlg); + CK_MECHANISM_TYPE mech; + SECItem mechparams; + SECStatus rv = sec_DecodeSigAlg(key, algid, NULL, &encAlg, &hashAlg, + &mech, &mechparams); if (rv != SECSuccess) { return SECFailure; } - return vfy_VerifyDigest(digest, key, sig, encAlg, hashAlg, wincx); + return vfy_VerifyDigest(digest, key, sig, encAlg, hashAlg, + mech, &mechparams, wincx); } /* @@ -871,42 +1139,43 @@ VFY_VerifyDigestWithAlgorithmID(const SECItem *digest, SECOidTag hashCmp, void *wincx) { SECOidTag encAlg, hashAlg; + CK_MECHANISM_TYPE mech; + SECItem mechparams; SECStatus rv = sec_DecodeSigAlg(key, SECOID_GetAlgorithmTag((SECAlgorithmID *)sigAlgorithm), - &sigAlgorithm->parameters, &encAlg, &hashAlg); + &sigAlgorithm->parameters, &encAlg, &hashAlg, + &mech, &mechparams); if (rv != SECSuccess) { return rv; } if (hashCmp != SEC_OID_UNKNOWN && hashAlg != SEC_OID_UNKNOWN && hashCmp != hashAlg) { + if (mechparams.data != NULL) { + PORT_Free(mechparams.data); + } PORT_SetError(SEC_ERROR_BAD_SIGNATURE); return SECFailure; } - return vfy_VerifyDigest(digest, key, sig, encAlg, hashAlg, wincx); + return vfy_VerifyDigest(digest, key, sig, encAlg, hashAlg, + mech, &mechparams, wincx); } static SECStatus vfy_VerifyData(const unsigned char *buf, int len, const SECKEYPublicKey *key, const SECItem *sig, SECOidTag encAlg, SECOidTag hashAlg, - const SECItem *params, SECOidTag *hash, void *wincx) + CK_MECHANISM_TYPE mech, SECItem *mechparamsp, + SECOidTag *hash, void *wincx) { SECStatus rv; VFYContext *cx; - cx = vfy_CreateContext(key, sig, encAlg, hashAlg, hash, wincx); + cx = vfy_CreateContext(key, sig, encAlg, hashAlg, mech, mechparamsp, + hash, PR_FALSE, wincx); if (cx == NULL) return SECFailure; - if (params) { - cx->params = SECITEM_DupItem(params); - } - rv = VFY_Begin(cx); - if (rv == SECSuccess) { - rv = VFY_Update(cx, (unsigned char *)buf, len); - if (rv == SECSuccess) - rv = VFY_End(cx); - } + rv = vfy_SingleShot(cx, buf, len); VFY_DestroyContext(cx, PR_TRUE); return rv; @@ -918,7 +1187,9 @@ VFY_VerifyDataDirect(const unsigned char *buf, int len, SECOidTag encAlg, SECOidTag hashAlg, SECOidTag *hash, void *wincx) { - return vfy_VerifyData(buf, len, key, sig, encAlg, hashAlg, NULL, hash, wincx); + CK_MECHANISM_TYPE mech = sec_GetCombinedMech(encAlg, hashAlg); + return vfy_VerifyData(buf, len, key, sig, encAlg, hashAlg, mech, NULL, + hash, wincx); } SECStatus @@ -926,11 +1197,15 @@ VFY_VerifyData(const unsigned char *buf, int len, const SECKEYPublicKey *key, const SECItem *sig, SECOidTag algid, void *wincx) { SECOidTag encAlg, hashAlg; - SECStatus rv = sec_DecodeSigAlg(key, algid, NULL, &encAlg, &hashAlg); + CK_MECHANISM_TYPE mech; + SECItem mechparams; + SECStatus rv = sec_DecodeSigAlg(key, algid, NULL, &encAlg, &hashAlg, + &mech, &mechparams); if (rv != SECSuccess) { return rv; } - return vfy_VerifyData(buf, len, key, sig, encAlg, hashAlg, NULL, NULL, wincx); + return vfy_VerifyData(buf, len, key, sig, encAlg, hashAlg, + mech, &mechparams, NULL, wincx); } SECStatus @@ -942,11 +1217,14 @@ VFY_VerifyDataWithAlgorithmID(const unsigned char *buf, int len, { SECOidTag encAlg, hashAlg; SECOidTag sigAlg = SECOID_GetAlgorithmTag((SECAlgorithmID *)sigAlgorithm); + CK_MECHANISM_TYPE mech; + SECItem mechparams; SECStatus rv = sec_DecodeSigAlg(key, sigAlg, - &sigAlgorithm->parameters, &encAlg, &hashAlg); + &sigAlgorithm->parameters, &encAlg, &hashAlg, + &mech, &mechparams); if (rv != SECSuccess) { return rv; } - return vfy_VerifyData(buf, len, key, sig, encAlg, hashAlg, - &sigAlgorithm->parameters, hash, wincx); + return vfy_VerifyData(buf, len, key, sig, encAlg, hashAlg, mech, + &mechparams, hash, wincx); } diff --git a/nss/lib/dev/devtoken.c b/nss/lib/dev/devtoken.c index 5e65dfd..2532afc 100644 --- a/nss/lib/dev/devtoken.c +++ b/nss/lib/dev/devtoken.c @@ -209,19 +209,21 @@ create_objects_from_handles( PRUint32 numH) { nssCryptokiObject **objects; + if (numH == PR_UINT32_MAX) { + return NULL; /* avoid overflow in ZNEWARRAY */ + } objects = nss_ZNEWARRAY(NULL, nssCryptokiObject *, numH + 1); - if (objects) { - PRInt32 i; - for (i = 0; i < (PRInt32)numH; i++) { - objects[i] = nssCryptokiObject_Create(tok, session, handles[i]); - if (!objects[i]) { - for (--i; i > 0; --i) { - nssCryptokiObject_Destroy(objects[i]); - } - nss_ZFreeIf(objects); - objects = NULL; - break; + if (!objects) { + return NULL; + } + for (PRUint32 i = 0; i < numH; i++) { + objects[i] = nssCryptokiObject_Create(tok, session, handles[i]); + if (!objects[i]) { + for (; i > 0; --i) { + nssCryptokiObject_Destroy(objects[i - 1]); } + nss_ZFreeIf(objects); + return NULL; } } return objects; diff --git a/nss/lib/freebl/blapit.h b/nss/lib/freebl/blapit.h index e530031..2126bdc 100644 --- a/nss/lib/freebl/blapit.h +++ b/nss/lib/freebl/blapit.h @@ -154,6 +154,10 @@ typedef int __BLAPI_DEPRECATED __attribute__((deprecated)); #define DH_MIN_P_BITS 128 #define DH_MAX_P_BITS 16384 +/* max signature for all our supported signatures */ +/* currently RSA is the biggest */ +#define MAX_SIGNATURE_LEN ((RSA_MAX_MODULUS_BITS + 7) / 8) + /* * The FIPS 186-1 algorithm for generating primes P and Q allows only 9 * distinct values for the length of P, and only one value for the diff --git a/nss/lib/freebl/ec.c b/nss/lib/freebl/ec.c index cd6a88c..ed390e7 100644 --- a/nss/lib/freebl/ec.c +++ b/nss/lib/freebl/ec.c @@ -23,50 +23,6 @@ #define EC_DOUBLECHECK PR_FALSE SECStatus -ec_secp384r1_scalar_validate(const SECItem *scalar) -{ - if (!scalar || !scalar->data) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; - } - - if (scalar->len != 48) { - PORT_SetError(SEC_ERROR_BAD_KEY); - return SECFailure; - } - - bool b = Hacl_P384_validate_private_key(scalar->data); - - if (!b) { - PORT_SetError(SEC_ERROR_BAD_KEY); - return SECFailure; - } - return SECSuccess; -} - -SECStatus -ec_secp521r1_scalar_validate(const SECItem *scalar) -{ - if (!scalar || !scalar->data) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; - } - - if (scalar->len != 66) { - PORT_SetError(SEC_ERROR_BAD_KEY); - return SECFailure; - } - - bool b = Hacl_P521_validate_private_key(scalar->data); - - if (!b) { - PORT_SetError(SEC_ERROR_BAD_KEY); - return SECFailure; - } - return SECSuccess; -} - -SECStatus ec_ED25519_pt_validate(const SECItem *px) { if (!px || !px->data || px->len != Ed25519_PUBLIC_KEYLEN) { @@ -104,19 +60,19 @@ static const ECMethod kMethods[] = { }, { ECCurve_NIST_P384, - NULL, - NULL, + ec_secp384r1_pt_mul, + ec_secp384r1_pt_validate, ec_secp384r1_scalar_validate, - NULL, - NULL, + ec_secp384r1_sign_digest, + ec_secp384r1_verify_digest, }, { ECCurve_NIST_P521, - NULL, - NULL, + ec_secp521r1_pt_mul, + ec_secp521r1_pt_validate, ec_secp521r1_scalar_validate, - NULL, - NULL, + ec_secp521r1_sign_digest, + ec_secp521r1_verify_digest, }, { ECCurve_Ed25519, NULL, @@ -138,159 +94,6 @@ ec_get_method_from_name(ECCurveName name) return NULL; } -/* - * Returns true if pointP is the point at infinity, false otherwise - */ -PRBool -ec_point_at_infinity(SECItem *pointP) -{ - unsigned int i; - - for (i = 1; i < pointP->len; i++) { - if (pointP->data[i] != 0x00) - return PR_FALSE; - } - - return PR_TRUE; -} - -/* - * Computes scalar point multiplication pointQ = k1 * G + k2 * pointP for - * the curve whose parameters are encoded in params with base point G. - */ -SECStatus -ec_points_mul(const ECParams *params, const mp_int *k1, const mp_int *k2, - const SECItem *pointP, SECItem *pointQ) -{ - mp_int Px, Py, Qx, Qy; - mp_int Gx, Gy, order, irreducible, a, b; - ECGroup *group = NULL; - SECStatus rv = SECFailure; - mp_err err = MP_OKAY; - unsigned int len; - -#if EC_DEBUG - int i; - char mpstr[256]; - - printf("ec_points_mul: params [len=%d]:", params->DEREncoding.len); - for (i = 0; i < params->DEREncoding.len; i++) - printf("%02x:", params->DEREncoding.data[i]); - printf("\n"); - - if (k1 != NULL) { - mp_tohex((mp_int *)k1, mpstr); - printf("ec_points_mul: scalar k1: %s\n", mpstr); - mp_todecimal((mp_int *)k1, mpstr); - printf("ec_points_mul: scalar k1: %s (dec)\n", mpstr); - } - - if (k2 != NULL) { - mp_tohex((mp_int *)k2, mpstr); - printf("ec_points_mul: scalar k2: %s\n", mpstr); - mp_todecimal((mp_int *)k2, mpstr); - printf("ec_points_mul: scalar k2: %s (dec)\n", mpstr); - } - - if (pointP != NULL) { - printf("ec_points_mul: pointP [len=%d]:", pointP->len); - for (i = 0; i < pointP->len; i++) - printf("%02x:", pointP->data[i]); - printf("\n"); - } -#endif - - /* NOTE: We only support uncompressed points for now */ - len = (((unsigned int)params->fieldID.size) + 7) >> 3; - if (pointP != NULL) { - if ((pointP->data[0] != EC_POINT_FORM_UNCOMPRESSED) || - (pointP->len != (2 * len + 1))) { - PORT_SetError(SEC_ERROR_UNSUPPORTED_EC_POINT_FORM); - return SECFailure; - }; - } - - MP_DIGITS(&Px) = 0; - MP_DIGITS(&Py) = 0; - MP_DIGITS(&Qx) = 0; - MP_DIGITS(&Qy) = 0; - MP_DIGITS(&Gx) = 0; - MP_DIGITS(&Gy) = 0; - MP_DIGITS(&order) = 0; - MP_DIGITS(&irreducible) = 0; - MP_DIGITS(&a) = 0; - MP_DIGITS(&b) = 0; - CHECK_MPI_OK(mp_init(&Px)); - CHECK_MPI_OK(mp_init(&Py)); - CHECK_MPI_OK(mp_init(&Qx)); - CHECK_MPI_OK(mp_init(&Qy)); - CHECK_MPI_OK(mp_init(&Gx)); - CHECK_MPI_OK(mp_init(&Gy)); - CHECK_MPI_OK(mp_init(&order)); - CHECK_MPI_OK(mp_init(&irreducible)); - CHECK_MPI_OK(mp_init(&a)); - CHECK_MPI_OK(mp_init(&b)); - - if ((k2 != NULL) && (pointP != NULL)) { - /* Initialize Px and Py */ - CHECK_MPI_OK(mp_read_unsigned_octets(&Px, pointP->data + 1, (mp_size)len)); - CHECK_MPI_OK(mp_read_unsigned_octets(&Py, pointP->data + 1 + len, (mp_size)len)); - } - - /* construct from named params, if possible */ - if (params->name != ECCurve_noName) { - group = ECGroup_fromName(params->name); - } - - if (group == NULL) - goto cleanup; - - if ((k2 != NULL) && (pointP != NULL)) { - CHECK_MPI_OK(ECPoints_mul(group, k1, k2, &Px, &Py, &Qx, &Qy)); - } else { - CHECK_MPI_OK(ECPoints_mul(group, k1, NULL, NULL, NULL, &Qx, &Qy)); - } - - /* our ECC codes uses large stack variables to store intermediate results, - * clear our stack before returning to prevent CSP leakage */ - BLAPI_CLEAR_STACK(2048) - - /* Construct the SECItem representation of point Q */ - pointQ->data[0] = EC_POINT_FORM_UNCOMPRESSED; - CHECK_MPI_OK(mp_to_fixlen_octets(&Qx, pointQ->data + 1, - (mp_size)len)); - CHECK_MPI_OK(mp_to_fixlen_octets(&Qy, pointQ->data + 1 + len, - (mp_size)len)); - - rv = SECSuccess; - -#if EC_DEBUG - printf("ec_points_mul: pointQ [len=%d]:", pointQ->len); - for (i = 0; i < pointQ->len; i++) - printf("%02x:", pointQ->data[i]); - printf("\n"); -#endif - -cleanup: - ECGroup_free(group); - mp_clear(&Px); - mp_clear(&Py); - mp_clear(&Qx); - mp_clear(&Qy); - mp_clear(&Gx); - mp_clear(&Gy); - mp_clear(&order); - mp_clear(&irreducible); - mp_clear(&a); - mp_clear(&b); - if (err) { - MP_TO_SEC_ERROR(err); - rv = SECFailure; - } - - return rv; -} - /* Generates a new EC key pair. The private key is a supplied * value and the public key is the result of performing a scalar * point multiplication of that value with the curve's base point. @@ -302,29 +105,26 @@ ec_NewKey(ECParams *ecParams, ECPrivateKey **privKey, SECStatus rv = SECFailure; PLArenaPool *arena; ECPrivateKey *key; - mp_int k; - mp_err err = MP_OKAY; int len; -#if EC_DEBUG - printf("ec_NewKey called\n"); -#endif - MP_DIGITS(&k) = 0; - if (!ecParams || ecParams->name == ECCurve_noName || !privKey || !privKeyBytes || privKeyLen <= 0) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } + if (ecParams->fieldID.type != ec_field_plain) { + PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); + return SECFailure; + } + /* Initialize an arena for the EC key. */ if (!(arena = PORT_NewArena(NSS_FREEBL_DEFAULT_CHUNKSIZE))) return SECFailure; key = (ECPrivateKey *)PORT_ArenaZAlloc(arena, sizeof(ECPrivateKey)); if (!key) { - PORT_FreeArena(arena, PR_TRUE); - return SECFailure; + goto cleanup; } /* Set the version number (SEC 1 section C.4 says it should be 1) */ @@ -338,14 +138,8 @@ ec_NewKey(ECParams *ecParams, ECPrivateKey **privKey, key->ecParams.type = ecParams->type; key->ecParams.fieldID.size = ecParams->fieldID.size; key->ecParams.fieldID.type = ecParams->fieldID.type; - if (ecParams->fieldID.type == ec_field_GFp || - ecParams->fieldID.type == ec_field_plain) { - CHECK_SEC_OK(SECITEM_CopyItem(arena, &key->ecParams.fieldID.u.prime, - &ecParams->fieldID.u.prime)); - } else { - CHECK_SEC_OK(SECITEM_CopyItem(arena, &key->ecParams.fieldID.u.poly, - &ecParams->fieldID.u.poly)); - } + CHECK_SEC_OK(SECITEM_CopyItem(arena, &key->ecParams.fieldID.u.prime, + &ecParams->fieldID.u.prime)); key->ecParams.fieldID.k1 = ecParams->fieldID.k1; key->ecParams.fieldID.k2 = ecParams->fieldID.k2; key->ecParams.fieldID.k3 = ecParams->fieldID.k3; @@ -381,56 +175,24 @@ ec_NewKey(ECParams *ecParams, ECPrivateKey **privKey, /* Compute corresponding public key */ /* Use curve specific code for point multiplication */ - if (ecParams->name == ECCurve_Ed25519) { - rv = ED_DerivePublicKey(&key->privateValue, &key->publicValue); - if (rv != SECSuccess) { - goto cleanup; - } - NSS_DECLASSIFY(key->publicValue.data, key->publicValue.len); /* Declassifying public key to avoid false positive */ - goto done; - } - - if (ecParams->fieldID.type == ec_field_plain) { + CHECK_SEC_OK(ED_DerivePublicKey(&key->privateValue, &key->publicValue)); + } else { const ECMethod *method = ec_get_method_from_name(ecParams->name); if (method == NULL || method->pt_mul == NULL) { - /* unknown curve */ + PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); rv = SECFailure; goto cleanup; } - rv = method->pt_mul(&key->publicValue, &key->privateValue, NULL); - NSS_DECLASSIFY(key->publicValue.data, key->publicValue.len); /* Declassifying public key to avoid false positive */ - if (rv != SECSuccess) { - goto cleanup; - } else { - goto done; - } + CHECK_SEC_OK(method->pt_mul(&key->publicValue, &key->privateValue, NULL)); } - CHECK_MPI_OK(mp_init(&k)); - CHECK_MPI_OK(mp_read_unsigned_octets(&k, key->privateValue.data, - (mp_size)len)); - - rv = ec_points_mul(ecParams, &k, NULL, NULL, &(key->publicValue)); NSS_DECLASSIFY(key->publicValue.data, key->publicValue.len); /* Declassifying public key to avoid false positive */ - if (rv != SECSuccess) { - goto cleanup; - } - -done: *privKey = key; + return SECSuccess; cleanup: - mp_clear(&k); - if (rv) { - PORT_FreeArena(arena, PR_TRUE); - } - -#if EC_DEBUG - printf("ec_NewKey returning %s\n", - (rv == SECSuccess) ? "success" : "failure"); -#endif - + PORT_FreeArena(arena, PR_TRUE); return rv; } @@ -443,9 +205,7 @@ SECStatus EC_NewKeyFromSeed(ECParams *ecParams, ECPrivateKey **privKey, const unsigned char *seed, int seedlen) { - SECStatus rv = SECFailure; - rv = ec_NewKey(ecParams, privKey, seed, seedlen); - return rv; + return ec_NewKey(ecParams, privKey, seed, seedlen); } /* Generate a random private key using the algorithm A.4.1 or A.4.2 of ANSI X9.62, @@ -556,95 +316,28 @@ cleanup: SECStatus EC_ValidatePublicKey(ECParams *ecParams, SECItem *publicValue) { - mp_int Px, Py; - ECGroup *group = NULL; - SECStatus rv = SECFailure; - mp_err err = MP_OKAY; - unsigned int len; - if (!ecParams || ecParams->name == ECCurve_noName || !publicValue || !publicValue->len) { PORT_SetError(SEC_ERROR_INVALID_ARGS); - rv = SECFailure; - return rv; + return SECFailure; } /* Uses curve specific code for point validation. */ - if (ecParams->fieldID.type == ec_field_plain) { - const ECMethod *method = ec_get_method_from_name(ecParams->name); - if (method == NULL || method->pt_validate == NULL) { - /* unknown curve */ - PORT_SetError(SEC_ERROR_INVALID_ARGS); - rv = SECFailure; - return rv; - } - rv = method->pt_validate(publicValue); - if (rv != SECSuccess) { - PORT_SetError(SEC_ERROR_BAD_KEY); - } - return rv; - } - - /* NOTE: We only support uncompressed points for now */ - len = (((unsigned int)ecParams->fieldID.size) + 7) >> 3; - if (publicValue->data[0] != EC_POINT_FORM_UNCOMPRESSED) { - PORT_SetError(SEC_ERROR_UNSUPPORTED_EC_POINT_FORM); - return SECFailure; - } else if (publicValue->len != (2 * len + 1)) { - PORT_SetError(SEC_ERROR_BAD_KEY); + if (ecParams->fieldID.type != ec_field_plain) { + PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); return SECFailure; } - MP_DIGITS(&Px) = 0; - MP_DIGITS(&Py) = 0; - CHECK_MPI_OK(mp_init(&Px)); - CHECK_MPI_OK(mp_init(&Py)); - - /* Initialize Px and Py */ - CHECK_MPI_OK(mp_read_unsigned_octets(&Px, publicValue->data + 1, (mp_size)len)); - CHECK_MPI_OK(mp_read_unsigned_octets(&Py, publicValue->data + 1 + len, (mp_size)len)); - - /* construct from named params */ - group = ECGroup_fromName(ecParams->name); - if (group == NULL) { - /* - * ECGroup_fromName fails if ecParams->name is not a valid - * ECCurveName value, or if we run out of memory, or perhaps - * for other reasons. Unfortunately if ecParams->name is a - * valid ECCurveName value, we don't know what the right error - * code should be because ECGroup_fromName doesn't return an - * error code to the caller. Set err to MP_UNDEF because - * that's what ECGroup_fromName uses internally. - */ - if ((ecParams->name <= ECCurve_noName) || - (ecParams->name >= ECCurve_pastLastCurve)) { - err = MP_BADARG; - } else { - err = MP_UNDEF; - } - goto cleanup; - } - - /* validate public point */ - if ((err = ECPoint_validate(group, &Px, &Py)) < MP_YES) { - if (err == MP_NO) { - PORT_SetError(SEC_ERROR_BAD_KEY); - rv = SECFailure; - err = MP_OKAY; /* don't change the error code */ - } - goto cleanup; + const ECMethod *method = ec_get_method_from_name(ecParams->name); + if (method == NULL || method->pt_validate == NULL) { + /* unknown curve */ + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; } - rv = SECSuccess; - -cleanup: - ECGroup_free(group); - mp_clear(&Px); - mp_clear(&Py); - - if (err) { - MP_TO_SEC_ERROR(err); - rv = SECFailure; + SECStatus rv = method->pt_validate(publicValue); + if (rv != SECSuccess) { + PORT_SetError(SEC_ERROR_BAD_KEY); } return rv; } @@ -666,16 +359,11 @@ ECDH_Derive(SECItem *publicValue, PRBool withCofactor, SECItem *derivedSecret) { - SECStatus rv = SECFailure; - unsigned int len = 0; - mp_err err = MP_OKAY; - if (!publicValue || !publicValue->len || !ecParams || ecParams->name == ECCurve_noName || !privateValue || !privateValue->len || !derivedSecret) { PORT_SetError(SEC_ERROR_INVALID_ARGS); - rv = SECFailure; - return rv; + return SECFailure; } /* @@ -684,107 +372,32 @@ ECDH_Derive(SECItem *publicValue, */ if (EC_ValidatePublicKey(ecParams, publicValue) != SECSuccess) { PORT_SetError(SEC_ERROR_BAD_KEY); - rv = SECFailure; - return rv; + return SECFailure; } /* Perform curve specific multiplication using ECMethod */ - if (ecParams->fieldID.type == ec_field_plain) { - const ECMethod *method; - memset(derivedSecret, 0, sizeof(*derivedSecret)); - derivedSecret = SECITEM_AllocItem(NULL, derivedSecret, EC_GetScalarSize(ecParams)); - if (derivedSecret == NULL) { - PORT_SetError(SEC_ERROR_NO_MEMORY); - rv = SECFailure; - return rv; - } - method = ec_get_method_from_name(ecParams->name); - if (method == NULL || method->pt_validate == NULL || - method->pt_mul == NULL) { - PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); - rv = SECFailure; - goto done; - } - rv = method->pt_mul(derivedSecret, privateValue, publicValue); - if (rv != SECSuccess) { - PORT_SetError(SEC_ERROR_BAD_KEY); - } - goto done; - } - - SECItem pointQ = { siBuffer, NULL, 0 }; - mp_int k; /* to hold the private value */ -#if EC_DEBUG - int i; -#endif - - /* - * We fail if the public value is the point at infinity, since - * this produces predictable results. - */ - if (ec_point_at_infinity(publicValue)) { - PORT_SetError(SEC_ERROR_BAD_KEY); + if (ecParams->fieldID.type != ec_field_plain) { + PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); return SECFailure; } - MP_DIGITS(&k) = 0; - memset(derivedSecret, 0, sizeof *derivedSecret); - len = (ecParams->fieldID.size + 7) >> 3; - pointQ.len = EC_GetPointSize(ecParams); - if ((pointQ.data = PORT_Alloc(pointQ.len)) == NULL) - goto cleanup; - - CHECK_MPI_OK(mp_init(&k)); - CHECK_MPI_OK(mp_read_unsigned_octets(&k, privateValue->data, - (mp_size)privateValue->len)); - - if (withCofactor && (ecParams->cofactor != 1)) { - mp_int cofactor; - /* multiply k with the cofactor */ - MP_DIGITS(&cofactor) = 0; - CHECK_MPI_OK(mp_init(&cofactor)); - mp_set(&cofactor, ecParams->cofactor); - CHECK_MPI_OK(mp_mul(&k, &cofactor, &k)); - mp_clear(&cofactor); - } - - /* Multiply our private key and peer's public point */ - if (ec_points_mul(ecParams, NULL, &k, publicValue, &pointQ) != SECSuccess) { - goto cleanup; - } - if (ec_point_at_infinity(&pointQ)) { - PORT_SetError(SEC_ERROR_BAD_KEY); /* XXX better error code? */ - goto cleanup; + const ECMethod *method = ec_get_method_from_name(ecParams->name); + if (method == NULL || method->pt_validate == NULL || + method->pt_mul == NULL) { + PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); + return SECFailure; } - /* Allocate memory for the derived secret and copy - * the x co-ordinate of pointQ into it. - */ - SECITEM_AllocItem(NULL, derivedSecret, len); - memcpy(derivedSecret->data, pointQ.data + 1, len); - - rv = SECSuccess; - -#if EC_DEBUG - printf("derived_secret:\n"); - for (i = 0; i < derivedSecret->len; i++) - printf("%02x:", derivedSecret->data[i]); - printf("\n"); -#endif - -cleanup: - mp_clear(&k); - - if (pointQ.data) { - PORT_ZFree(pointQ.data, pointQ.len); + memset(derivedSecret, 0, sizeof(*derivedSecret)); + derivedSecret = SECITEM_AllocItem(NULL, derivedSecret, EC_GetScalarSize(ecParams)); + if (derivedSecret == NULL) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + return SECFailure; } -done: - - if (err) { - MP_TO_SEC_ERROR(err); - } + SECStatus rv = method->pt_mul(derivedSecret, privateValue, publicValue); if (rv != SECSuccess) { + PORT_SetError(SEC_ERROR_BAD_KEY); SECITEM_ZfreeItem(derivedSecret, PR_FALSE); } return rv; @@ -799,255 +412,48 @@ static SECStatus ec_SignDigestWithSeed(ECPrivateKey *key, SECItem *signature, const SECItem *digest, const unsigned char *kb, const int kblen) { - SECStatus rv = SECFailure; ECParams *ecParams = NULL; - mp_err err = MP_OKAY; - int flen = 0; /* length in bytes of the field size */ unsigned olen; /* length in bytes of the base point order */ /* Check args */ if (!key || !signature || !digest || !kb || (kblen <= 0)) { PORT_SetError(SEC_ERROR_INVALID_ARGS); - rv = SECFailure; - goto done; + return SECFailure; } ecParams = &(key->ecParams); - flen = (ecParams->fieldID.size + 7) >> 3; olen = ecParams->order.len; if (signature->data == NULL) { /* a call to get the signature length only */ signature->len = 2 * olen; - rv = SECSuccess; - goto done; + return SECSuccess; } if (signature->len < 2 * olen) { PORT_SetError(SEC_ERROR_OUTPUT_LEN); - rv = SECFailure; - goto done; + return SECFailure; } /* Perform curve specific signature using ECMethod */ - if (ecParams->fieldID.type == ec_field_plain) { - const ECMethod *method = ec_get_method_from_name(ecParams->name); - if (method == NULL || method->sign_digest == NULL) { - PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); - rv = SECFailure; - goto done; - } - rv = method->sign_digest(key, signature, digest, kb, kblen); - if (rv != SECSuccess) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - } - goto done; - } - - mp_int x1; - mp_int d, k; /* private key, random integer */ - mp_int r, s; /* tuple (r, s) is the signature */ - mp_int t; /* holding tmp values */ - mp_int n; - mp_int ar; /* blinding value */ - SECItem kGpoint = { siBuffer, NULL, 0 }; - unsigned char *t2 = NULL; - unsigned obits; /* length in bits of the base point order */ - -#if EC_DEBUG - char mpstr[256]; -#endif - - /* Initialize MPI integers. */ - /* must happen before the first potential call to cleanup */ - MP_DIGITS(&x1) = 0; - MP_DIGITS(&d) = 0; - MP_DIGITS(&k) = 0; - MP_DIGITS(&r) = 0; - MP_DIGITS(&s) = 0; - MP_DIGITS(&n) = 0; - MP_DIGITS(&t) = 0; - MP_DIGITS(&ar) = 0; - - CHECK_MPI_OK(mp_init(&x1)); - CHECK_MPI_OK(mp_init(&d)); - CHECK_MPI_OK(mp_init(&k)); - CHECK_MPI_OK(mp_init(&r)); - CHECK_MPI_OK(mp_init(&s)); - CHECK_MPI_OK(mp_init(&n)); - CHECK_MPI_OK(mp_init(&t)); - CHECK_MPI_OK(mp_init(&ar)); - - SECITEM_TO_MPINT(ecParams->order, &n); - SECITEM_TO_MPINT(key->privateValue, &d); - - CHECK_MPI_OK(mp_read_unsigned_octets(&k, kb, kblen)); - /* Make sure k is in the interval [1, n-1] */ - if ((mp_cmp_z(&k) <= 0) || (mp_cmp(&k, &n) >= 0)) { -#if EC_DEBUG - printf("k is outside [1, n-1]\n"); - mp_tohex(&k, mpstr); - printf("k : %s \n", mpstr); - mp_tohex(&n, mpstr); - printf("n : %s \n", mpstr); -#endif - PORT_SetError(SEC_ERROR_NEED_RANDOM); - goto cleanup; - } - - /* - ** ANSI X9.62, Section 5.3.2, Step 2 - ** - ** Compute kG - */ - kGpoint.len = EC_GetPointSize(ecParams); - kGpoint.data = PORT_Alloc(kGpoint.len); - if ((kGpoint.data == NULL) || - (ec_points_mul(ecParams, &k, NULL, NULL, &kGpoint) != SECSuccess)) - goto cleanup; - NSS_DECLASSIFY(kGpoint.data, kGpoint.len); /* Declassifying the r component */ - /* - ** ANSI X9.62, Section 5.3.3, Step 1 - ** - ** Extract the x co-ordinate of kG into x1 - */ - CHECK_MPI_OK(mp_read_unsigned_octets(&x1, kGpoint.data + 1, - (mp_size)flen)); - - /* - ** ANSI X9.62, Section 5.3.3, Step 2 - ** - ** r = x1 mod n NOTE: n is the order of the curve - */ - CHECK_MPI_OK(mp_mod(&x1, &n, &r)); - - /* - ** ANSI X9.62, Section 5.3.3, Step 3 - ** - ** verify r != 0 - */ - if (mp_cmp_z(&r) == 0) { - PORT_SetError(SEC_ERROR_NEED_RANDOM); - goto cleanup; - } - - /* - ** ANSI X9.62, Section 5.3.3, Step 4 - ** - ** s = (k**-1 * (HASH(M) + d*r)) mod n - */ - SECITEM_TO_MPINT(*digest, &s); /* s = HASH(M) */ - - /* In the definition of EC signing, digests are truncated - * to the length of n in bits. - * (see SEC 1 "Elliptic Curve Digit Signature Algorithm" section 4.1.*/ - CHECK_MPI_OK((obits = mpl_significant_bits(&n))); - if (digest->len * 8 > obits) { - mpl_rsh(&s, &s, digest->len * 8 - obits); - } - -#if EC_DEBUG - mp_todecimal(&n, mpstr); - printf("n : %s (dec)\n", mpstr); - mp_todecimal(&d, mpstr); - printf("d : %s (dec)\n", mpstr); - mp_tohex(&x1, mpstr); - printf("x1: %s\n", mpstr); - mp_todecimal(&s, mpstr); - printf("digest: %s (decimal)\n", mpstr); - mp_todecimal(&r, mpstr); - printf("r : %s (dec)\n", mpstr); - mp_tohex(&r, mpstr); - printf("r : %s\n", mpstr); -#endif - - if ((t2 = PORT_Alloc(2 * ecParams->order.len)) == NULL) { - rv = SECFailure; - goto cleanup; - } - if (RNG_GenerateGlobalRandomBytes(t2, 2 * ecParams->order.len) != SECSuccess) { - PORT_SetError(SEC_ERROR_NEED_RANDOM); - rv = SECFailure; - goto cleanup; - } - CHECK_MPI_OK(mp_read_unsigned_octets(&t, t2, 2 * ecParams->order.len)); /* t <-$ Zn */ - PORT_Memset(t2, 0, 2 * ecParams->order.len); - if (RNG_GenerateGlobalRandomBytes(t2, 2 * ecParams->order.len) != SECSuccess) { - PORT_SetError(SEC_ERROR_NEED_RANDOM); - rv = SECFailure; - goto cleanup; - } - CHECK_MPI_OK(mp_read_unsigned_octets(&ar, t2, 2 * ecParams->order.len)); /* ar <-$ Zn */ - - /* Using mp_invmod on k directly would leak bits from k. */ - CHECK_MPI_OK(mp_mul(&k, &ar, &k)); /* k = k * ar */ - NSS_DECLASSIFY(MP_DIGITS(&k), MP_ALLOC(&k) * sizeof(mp_digit)); /* declassifying k here because it is masked by multiplying with ar */ - CHECK_MPI_OK(mp_mulmod(&k, &t, &n, &k)); /* k = k * t mod n */ - CHECK_MPI_OK(mp_invmod(&k, &n, &k)); /* k = k**-1 mod n */ - CHECK_MPI_OK(mp_mulmod(&k, &t, &n, &k)); /* k = k * t mod n */ - /* To avoid leaking secret bits here the addition is blinded. */ - CHECK_MPI_OK(mp_mul(&d, &ar, &t)); /* t = d * ar */ - NSS_DECLASSIFY(MP_DIGITS(&t), MP_ALLOC(&t) * sizeof(mp_digit)); /* declassifying d here because it is masked by multiplying with ar */ - CHECK_MPI_OK(mp_mulmod(&t, &r, &n, &d)); /* d = t * r mod n */ - CHECK_MPI_OK(mp_mulmod(&s, &ar, &n, &t)); /* t = s * ar mod n */ - CHECK_MPI_OK(mp_add(&t, &d, &s)); /* s = t + d */ - CHECK_MPI_OK(mp_mulmod(&s, &k, &n, &s)); /* s = s * k mod n */ - -#if EC_DEBUG - mp_todecimal(&s, mpstr); - printf("s : %s (dec)\n", mpstr); - mp_tohex(&s, mpstr); - printf("s : %s\n", mpstr); -#endif - - /* - ** ANSI X9.62, Section 5.3.3, Step 5 - ** - ** verify s != 0 - */ - if (mp_cmp_z(&s) == 0) { - PORT_SetError(SEC_ERROR_NEED_RANDOM); - goto cleanup; - } - - /* - ** - ** Signature is tuple (r, s) - */ - CHECK_MPI_OK(mp_to_fixlen_octets(&r, signature->data, olen)); - CHECK_MPI_OK(mp_to_fixlen_octets(&s, signature->data + olen, olen)); - - signature->len = 2 * olen; - rv = SECSuccess; - err = MP_OKAY; - -cleanup: - mp_clear(&x1); - mp_clear(&d); - mp_clear(&k); - mp_clear(&r); - mp_clear(&s); - mp_clear(&n); - mp_clear(&t); - mp_clear(&ar); - - if (t2) { - PORT_ZFree(t2, 2 * ecParams->order.len); + if (ecParams->fieldID.type != ec_field_plain) { + PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); + return SECFailure; } - if (kGpoint.data) { - PORT_ZFree(kGpoint.data, kGpoint.len); + const ECMethod *method = ec_get_method_from_name(ecParams->name); + if (method == NULL || method->sign_digest == NULL) { + PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); + return SECFailure; } -done: - if (err) { - MP_TO_SEC_ERROR(err); - rv = SECFailure; + SECStatus rv = method->sign_digest(key, signature, digest, kb, kblen); + if (rv != SECSuccess) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); } #if EC_DEBUG printf("ECDSA signing with seed %s\n", (rv == SECSuccess) ? "succeeded" : "failed"); #endif - return rv; } @@ -1086,7 +492,6 @@ ECDSA_SignDigestWithSeed(ECPrivateKey *key, SECItem *signature, SECStatus ECDSA_SignDigest(ECPrivateKey *key, SECItem *signature, const SECItem *digest) { - SECStatus rv = SECFailure; SECItem nonceRand = { siBuffer, NULL, 0 }; if (!key) { @@ -1098,21 +503,20 @@ ECDSA_SignDigest(ECPrivateKey *key, SECItem *signature, const SECItem *digest) SECITEM_AllocItem(NULL, &nonceRand, EC_GetScalarSize(&key->ecParams)); if (nonceRand.data == NULL) { PORT_SetError(SEC_ERROR_NO_MEMORY); - rv = SECFailure; - goto cleanup; + return SECFailure; } - rv = ec_GenerateRandomPrivateKey(&key->ecParams, &nonceRand); - if (rv != SECSuccess || nonceRand.data == NULL) + + SECStatus rv = ec_GenerateRandomPrivateKey(&key->ecParams, &nonceRand); + if (rv != SECSuccess) { goto cleanup; + } /* Generate ECDSA signature with the specified k value */ rv = ECDSA_SignDigestWithSeed(key, signature, digest, nonceRand.data, nonceRand.len); NSS_DECLASSIFY(signature->data, signature->len); cleanup: - if (nonceRand.data) { - SECITEM_ZfreeItem(&nonceRand, PR_FALSE); - } + SECITEM_ZfreeItem(&nonceRand, PR_FALSE); #if EC_DEBUG printf("ECDSA signing %s\n", @@ -1136,218 +540,30 @@ ECDSA_VerifyDigest(ECPublicKey *key, const SECItem *signature, { SECStatus rv = SECFailure; ECParams *ecParams = NULL; - mp_err err = MP_OKAY; /* Check args */ if (!key || !signature || !digest) { PORT_SetError(SEC_ERROR_INVALID_ARGS); - rv = SECFailure; - goto done; + return SECFailure; } ecParams = &(key->ecParams); /* Perform curve specific signature verification using ECMethod */ - if (ecParams->fieldID.type == ec_field_plain) { - const ECMethod *method = ec_get_method_from_name(ecParams->name); - if (method == NULL || method->verify_digest == NULL) { - PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); - rv = SECFailure; - goto done; - } - rv = method->verify_digest(key, signature, digest); - if (rv != SECSuccess) { - PORT_SetError(SEC_ERROR_BAD_SIGNATURE); - } - goto done; - } - - mp_int r_, s_; /* tuple (r', s') is received signature) */ - mp_int c, u1, u2, v; /* intermediate values used in verification */ - mp_int x1; - mp_int n; - SECItem pointC = { siBuffer, NULL, 0 }; - int slen; /* length in bytes of a half signature (r or s) */ - int flen; /* length in bytes of the field size */ - unsigned olen; /* length in bytes of the base point order */ - unsigned obits; /* length in bits of the base point order */ - -#if EC_DEBUG - char mpstr[256]; - printf("ECDSA verification called\n"); -#endif - - /* Initialize MPI integers. */ - /* must happen before the first potential call to cleanup */ - MP_DIGITS(&r_) = 0; - MP_DIGITS(&s_) = 0; - MP_DIGITS(&c) = 0; - MP_DIGITS(&u1) = 0; - MP_DIGITS(&u2) = 0; - MP_DIGITS(&x1) = 0; - MP_DIGITS(&v) = 0; - MP_DIGITS(&n) = 0; - - CHECK_MPI_OK(mp_init(&r_)); - CHECK_MPI_OK(mp_init(&s_)); - CHECK_MPI_OK(mp_init(&c)); - CHECK_MPI_OK(mp_init(&u1)); - CHECK_MPI_OK(mp_init(&u2)); - CHECK_MPI_OK(mp_init(&x1)); - CHECK_MPI_OK(mp_init(&v)); - CHECK_MPI_OK(mp_init(&n)); - - flen = (ecParams->fieldID.size + 7) >> 3; - olen = ecParams->order.len; - if (signature->len == 0 || signature->len % 2 != 0 || - signature->len > 2 * olen) { - PORT_SetError(SEC_ERROR_INPUT_LEN); - goto cleanup; - } - slen = signature->len / 2; - - /* - * The incoming point has been verified in sftk_handlePublicKeyObject. - */ - - SECITEM_AllocItem(NULL, &pointC, EC_GetPointSize(ecParams)); - if (pointC.data == NULL) { - goto cleanup; - } - - /* - ** Convert received signature (r', s') into MPI integers. - */ - CHECK_MPI_OK(mp_read_unsigned_octets(&r_, signature->data, slen)); - CHECK_MPI_OK(mp_read_unsigned_octets(&s_, signature->data + slen, slen)); - - /* - ** ANSI X9.62, Section 5.4.2, Steps 1 and 2 - ** - ** Verify that 0 < r' < n and 0 < s' < n - */ - SECITEM_TO_MPINT(ecParams->order, &n); - if (mp_cmp_z(&r_) <= 0 || mp_cmp_z(&s_) <= 0 || - mp_cmp(&r_, &n) >= 0 || mp_cmp(&s_, &n) >= 0) { - PORT_SetError(SEC_ERROR_BAD_SIGNATURE); - goto cleanup; /* will return rv == SECFailure */ - } - - /* - ** ANSI X9.62, Section 5.4.2, Step 3 - ** - ** c = (s')**-1 mod n - */ - CHECK_MPI_OK(mp_invmod(&s_, &n, &c)); /* c = (s')**-1 mod n */ - - /* - ** ANSI X9.62, Section 5.4.2, Step 4 - ** - ** u1 = ((HASH(M')) * c) mod n - */ - SECITEM_TO_MPINT(*digest, &u1); /* u1 = HASH(M) */ - - /* In the definition of EC signing, digests are truncated - * to the length of n in bits. - * (see SEC 1 "Elliptic Curve Digit Signature Algorithm" section 4.1.*/ - CHECK_MPI_OK((obits = mpl_significant_bits(&n))); - if (digest->len * 8 > obits) { /* u1 = HASH(M') */ - mpl_rsh(&u1, &u1, digest->len * 8 - obits); + if (ecParams->fieldID.type != ec_field_plain) { + PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); + return SECFailure; } -#if EC_DEBUG - mp_todecimal(&r_, mpstr); - printf("r_: %s (dec)\n", mpstr); - mp_todecimal(&s_, mpstr); - printf("s_: %s (dec)\n", mpstr); - mp_todecimal(&c, mpstr); - printf("c : %s (dec)\n", mpstr); - mp_todecimal(&u1, mpstr); - printf("digest: %s (dec)\n", mpstr); -#endif - - CHECK_MPI_OK(mp_mulmod(&u1, &c, &n, &u1)); /* u1 = u1 * c mod n */ - - /* - ** ANSI X9.62, Section 5.4.2, Step 4 - ** - ** u2 = ((r') * c) mod n - */ - CHECK_MPI_OK(mp_mulmod(&r_, &c, &n, &u2)); - - /* - ** ANSI X9.62, Section 5.4.3, Step 1 - ** - ** Compute u1*G + u2*Q - ** Here, A = u1.G B = u2.Q and C = A + B - ** If the result, C, is the point at infinity, reject the signature - */ - if (ec_points_mul(ecParams, &u1, &u2, &key->publicValue, &pointC) != SECSuccess) { - rv = SECFailure; - goto cleanup; - } - if (ec_point_at_infinity(&pointC)) { - PORT_SetError(SEC_ERROR_BAD_SIGNATURE); - rv = SECFailure; - goto cleanup; + const ECMethod *method = ec_get_method_from_name(ecParams->name); + if (method == NULL || method->verify_digest == NULL) { + PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); + return SECFailure; } - CHECK_MPI_OK(mp_read_unsigned_octets(&x1, pointC.data + 1, flen)); - - /* - ** ANSI X9.62, Section 5.4.4, Step 2 - ** - ** v = x1 mod n - */ - CHECK_MPI_OK(mp_mod(&x1, &n, &v)); - -#if EC_DEBUG - mp_todecimal(&r_, mpstr); - printf("r_: %s (dec)\n", mpstr); - mp_todecimal(&v, mpstr); - printf("v : %s (dec)\n", mpstr); -#endif - - /* - ** ANSI X9.62, Section 5.4.4, Step 3 - ** - ** Verification: v == r' - */ - if (mp_cmp(&v, &r_)) { + rv = method->verify_digest(key, signature, digest); + if (rv != SECSuccess) { PORT_SetError(SEC_ERROR_BAD_SIGNATURE); - rv = SECFailure; /* Signature failed to verify. */ - } else { - rv = SECSuccess; /* Signature verified. */ - } - -#if EC_DEBUG - mp_todecimal(&u1, mpstr); - printf("u1: %s (dec)\n", mpstr); - mp_todecimal(&u2, mpstr); - printf("u2: %s (dec)\n", mpstr); - mp_tohex(&x1, mpstr); - printf("x1: %s\n", mpstr); - mp_todecimal(&v, mpstr); - printf("v : %s (dec)\n", mpstr); -#endif - -cleanup: - mp_clear(&r_); - mp_clear(&s_); - mp_clear(&c); - mp_clear(&u1); - mp_clear(&u2); - mp_clear(&x1); - mp_clear(&v); - mp_clear(&n); - - if (pointC.data) - SECITEM_ZfreeItem(&pointC, PR_FALSE); - -done: - if (err) { - MP_TO_SEC_ERROR(err); - rv = SECFailure; } #if EC_DEBUG @@ -1456,4 +672,4 @@ ED_DerivePublicKey(const SECItem *privateKey, SECItem *publicKey) Hacl_Ed25519_secret_to_public(publicKey->data, privateKey->data); return SECSuccess; -}
\ No newline at end of file +} diff --git a/nss/lib/freebl/ecdecode.c b/nss/lib/freebl/ecdecode.c index c78eedf..8ba5a85 100644 --- a/nss/lib/freebl/ecdecode.c +++ b/nss/lib/freebl/ecdecode.c @@ -32,14 +32,8 @@ EC_CopyParams(PLArenaPool *arena, ECParams *dstParams, dstParams->type = srcParams->type; dstParams->fieldID.size = srcParams->fieldID.size; dstParams->fieldID.type = srcParams->fieldID.type; - if (srcParams->fieldID.type == ec_field_GFp || - srcParams->fieldID.type == ec_field_plain) { - CHECK_SEC_OK(SECITEM_CopyItem(arena, &dstParams->fieldID.u.prime, - &srcParams->fieldID.u.prime)); - } else { - CHECK_SEC_OK(SECITEM_CopyItem(arena, &dstParams->fieldID.u.poly, - &srcParams->fieldID.u.poly)); - } + CHECK_SEC_OK(SECITEM_CopyItem(arena, &dstParams->fieldID.u.prime, + &srcParams->fieldID.u.prime)); dstParams->fieldID.k1 = srcParams->fieldID.k1; dstParams->fieldID.k2 = srcParams->fieldID.k2; dstParams->fieldID.k3 = srcParams->fieldID.k3; @@ -79,7 +73,7 @@ gf_populate_params_bytes(ECCurveName name, ECFieldType field_type, ECParams *par CHECK_OK(curveParams); params->fieldID.size = curveParams->size; params->fieldID.type = field_type; - if (field_type != ec_field_GFp && field_type != ec_field_plain) { + if (field_type != ec_field_plain) { return SECFailure; } params->fieldID.u.prime.len = curveParams->scalarSize; @@ -164,7 +158,7 @@ EC_FillParams(PLArenaPool *arena, const SECItem *encodedParams, * (the NIST P-384 curve) */ CHECK_SEC_OK(gf_populate_params_bytes(ECCurve_SECG_PRIME_384R1, - ec_field_GFp, params)); + ec_field_plain, params)); break; case SEC_OID_SECG_EC_SECP521R1: @@ -172,7 +166,7 @@ EC_FillParams(PLArenaPool *arena, const SECItem *encodedParams, * (the NIST P-521 curve) */ CHECK_SEC_OK(gf_populate_params_bytes(ECCurve_SECG_PRIME_521R1, - ec_field_GFp, params)); + ec_field_plain, params)); break; case SEC_OID_ED25519_PUBLIC_KEY: diff --git a/nss/lib/freebl/ecl/README b/nss/lib/freebl/ecl/README deleted file mode 100644 index 2996822..0000000 --- a/nss/lib/freebl/ecl/README +++ /dev/null @@ -1,163 +0,0 @@ -This Source Code Form is subject to the terms of the Mozilla Public -License, v. 2.0. If a copy of the MPL was not distributed with this -file, You can obtain one at http://mozilla.org/MPL/2.0/. - -The ECL exposes routines for constructing and converting curve -parameters for internal use. - - -HEADER FILES -============ - -ecl-exp.h - Exports data structures and curve names. For use by code -that does not have access to mp_ints. - -ecl-curve.h - Provides hex encodings (in the form of ECCurveParams -structs) of standardizes elliptic curve domain parameters and mappings -from ECCurveName to ECCurveParams. For use by code that does not have -access to mp_ints. - -ecl.h - Interface to constructors for curve parameters and group object, -and point multiplication operations. Used by higher level algorithms -(like ECDH and ECDSA) to actually perform elliptic curve cryptography. - -ecl-priv.h - Data structures and functions for internal use within the -library. - -ecp.h - Internal header file that contains all functions for point -arithmetic over prime fields. - -DATA STRUCTURES AND TYPES -========================= - -ECCurveName (from ecl-exp.h) - Opaque name for standardized elliptic -curve domain parameters. - -ECCurveParams (from ecl-exp.h) - Provides hexadecimal encoding -of elliptic curve domain parameters. Can be generated by a user -and passed to ECGroup_fromHex or can be generated from a name by -EC_GetNamedCurveParams. ecl-curve.h contains ECCurveParams structs for -the standardized curves defined by ECCurveName. - -ECGroup (from ecl.h and ecl-priv.h) - Opaque data structure that -represents a group of elliptic curve points for a particular set of -elliptic curve domain parameters. Contains all domain parameters (curve -a and b, field, base point) as well as pointers to the functions that -should be used for point arithmetic and the underlying field GFMethod. -Generated by either ECGroup_fromHex or ECGroup_fromName. - -GFMethod (from ecl-priv.h) - Represents a field underlying a set of -elliptic curve domain parameters. Contains the irreducible that defines -the field (either the prime or the binary polynomial) as well as -pointers to the functions that should be used for field arithmetic. - -ARITHMETIC FUNCTIONS -==================== - -Higher-level algorithms (like ECDH and ECDSA) should call ECPoint_mul -or ECPoints_mul (from ecl.h) to do point arithmetic. These functions -will choose which underlying algorithms to use, based on the ECGroup -structure. - -Point Multiplication --------------------- - -ecl_mult.c provides the ECPoints_mul and ECPoint_mul wrappers. -It also provides two implementations for the pts_mul operation - -ec_pts_mul_basic (which computes kP, lQ, and then adds kP + lQ) and -ec_pts_mul_simul_w2 (which does a simultaneous point multiplication -using a table with window size 2*2). - -ec_naf.c provides an implementation of an algorithm to calculate a -non-adjacent form of a scalar, minimizing the number of point -additions that need to be done in a point multiplication. - -Point Arithmetic over Prime Fields ----------------------------------- - -ecp_aff.c provides point arithmetic using affine coordinates. - -ecp_jac.c provides point arithmetic using Jacobian projective -coordinates and mixed Jacobian-affine coordinates. (Jacobian projective -coordinates represent a point (x, y) as (X, Y, Z), where x=X/Z^2, -y=Y/Z^3). - -ecp_jm.c provides point arithmetic using Modified Jacobian -coordinates and mixed Modified_Jacobian-affine coordinates. -(Modified Jacobian coordinates represent a point (x, y) -as (X, Y, Z, a*Z^4), where x=X/Z^2, y=Y/Z^3, and a is -the linear coefficient in the curve defining equation). - -ecp_192.c and ecp_224.c provide optimized field arithmetic. - -Field Arithmetic ----------------- - -ecl_gf.c provides constructors for field objects (GFMethod) with the -functions GFMethod_cons*. It also provides wrappers around the basic -field operations. - -Prime Field Arithmetic ----------------------- - -The mpi library provides the basic prime field arithmetic. - -ecp_mont.c provides wrappers around the Montgomery multiplication -functions from the mpi library and adds encoding and decoding functions. -It also provides the function to construct a GFMethod object using -Montgomery multiplication. - -ecp_192.c and ecp_224.c provide optimized modular reduction for the -fields defined by nistp192 and nistp224 primes. - -ecl_gf.c provides wrappers around the basic field operations. - -Field Encoding --------------- - -By default, field elements are encoded in their basic form. It is -possible to use an alternative encoding, however. For example, it is -possible to Montgomery representation of prime field elements and -take advantage of the fast modular multiplication that Montgomery -representation provides. The process of converting from basic form to -Montgomery representation is called field encoding, and the opposite -process would be field decoding. All internal point operations assume -that the operands are field encoded as appropriate. By rewiring the -underlying field arithmetic to perform operations on these encoded -values, the same overlying point arithmetic operations can be used -regardless of field representation. - -ALGORITHM WIRING -================ - -The EC library allows point and field arithmetic algorithms to be -substituted ("wired-in") on a fine-grained basis. This allows for -generic algorithms and algorithms that are optimized for a particular -curve, field, or architecture, to coexist and to be automatically -selected at runtime. - -Wiring Mechanism ----------------- - -The ECGroup and GFMethod structure contain pointers to the point and -field arithmetic functions, respectively, that are to be used in -operations. - -The selection of algorithms to use is handled in the function -ecgroup_fromNameAndHex in ecl.c. - -Default Wiring --------------- - -Curves over prime fields by default use montgomery field arithmetic, -point multiplication using 5-bit window non-adjacent-form with -Modified Jacobian coordinates, and 2*2-bit simultaneous point -multiplication using Jacobian coordinates. -(Wiring in function ECGroup_consGFp_mont in ecl.c.) - -Curves over prime fields that have optimized modular reduction (i.e., -secp160r1, nistp192, and nistp224) do not use Montgomery field -arithmetic. Instead, they use basic field arithmetic with their -optimized reduction (as in ecp_192.c and ecp_224.c). They -use the same point multiplication and simultaneous point multiplication -algorithms as other curves over prime fields. diff --git a/nss/lib/freebl/ecl/ec_naf.c b/nss/lib/freebl/ecl/ec_naf.c deleted file mode 100644 index cad08cb..0000000 --- a/nss/lib/freebl/ecl/ec_naf.c +++ /dev/null @@ -1,68 +0,0 @@ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#include "ecl-priv.h" - -/* Returns 2^e as an integer. This is meant to be used for small powers of - * two. */ -int -ec_twoTo(int e) -{ - int a = 1; - int i; - - for (i = 0; i < e; i++) { - a *= 2; - } - return a; -} - -/* Computes the windowed non-adjacent-form (NAF) of a scalar. Out should - * be an array of signed char's to output to, bitsize should be the number - * of bits of out, in is the original scalar, and w is the window size. - * NAF is discussed in the paper: D. Hankerson, J. Hernandez and A. - * Menezes, "Software implementation of elliptic curve cryptography over - * binary fields", Proc. CHES 2000. */ -mp_err -ec_compute_wNAF(signed char *out, int bitsize, const mp_int *in, int w) -{ - mp_int k; - mp_err res = MP_OKAY; - int i, twowm1, mask; - - twowm1 = ec_twoTo(w - 1); - mask = 2 * twowm1 - 1; - - MP_DIGITS(&k) = 0; - MP_CHECKOK(mp_init_copy(&k, in)); - - i = 0; - /* Compute wNAF form */ - while (mp_cmp_z(&k) > 0) { - if (mp_isodd(&k)) { - out[i] = MP_DIGIT(&k, 0) & mask; - if (out[i] >= twowm1) - out[i] -= 2 * twowm1; - - /* Subtract off out[i]. Note mp_sub_d only works with - * unsigned digits */ - if (out[i] >= 0) { - MP_CHECKOK(mp_sub_d(&k, out[i], &k)); - } else { - MP_CHECKOK(mp_add_d(&k, -(out[i]), &k)); - } - } else { - out[i] = 0; - } - MP_CHECKOK(mp_div_2(&k, &k)); - i++; - } - /* Zero out the remaining elements of the out array. */ - for (; i < bitsize + 1; i++) { - out[i] = 0; - } -CLEANUP: - mp_clear(&k); - return res; -} diff --git a/nss/lib/freebl/ecl/ecl-priv.h b/nss/lib/freebl/ecl/ecl-priv.h index c1e0e85..e42d713 100644 --- a/nss/lib/freebl/ecl/ecl-priv.h +++ b/nss/lib/freebl/ecl/ecl-priv.h @@ -6,247 +6,7 @@ #define __ecl_priv_h_ #include "ecl.h" -#include "mpi.h" -#include "mplogic.h" -#include "../blapii.h" - -/* MAX_FIELD_SIZE_DIGITS is the maximum size of field element supported */ -/* the following needs to go away... */ -#if defined(MP_USE_LONG_LONG_DIGIT) || defined(MP_USE_LONG_DIGIT) -#define ECL_SIXTY_FOUR_BIT -#else -#define ECL_THIRTY_TWO_BIT -#endif - -#define ECL_CURVE_DIGITS(curve_size_in_bits) \ - (((curve_size_in_bits) + (sizeof(mp_digit) * 8 - 1)) / (sizeof(mp_digit) * 8)) -#define ECL_BITS (sizeof(mp_digit) * 8) -#define ECL_MAX_FIELD_SIZE_DIGITS (80 / sizeof(mp_digit)) - -/* Gets the i'th bit in the binary representation of a. If i >= length(a), - * then return 0. (The above behaviour differs from mpl_get_bit, which - * causes an error if i >= length(a).) */ -#define MP_GET_BIT(a, i) \ - ((i) >= mpl_significant_bits((a))) ? 0 : mpl_get_bit((a), (i)) - -#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_ADD_WORD) -#define MP_ADD_CARRY(a1, a2, s, carry) \ - { \ - mp_word w; \ - w = ((mp_word)carry) + (a1) + (a2); \ - s = ACCUM(w); \ - carry = CARRYOUT(w); \ - } - -#define MP_SUB_BORROW(a1, a2, s, borrow) \ - { \ - mp_word w; \ - w = ((mp_word)(a1)) - (a2)-borrow; \ - s = ACCUM(w); \ - borrow = (w >> MP_DIGIT_BIT) & 1; \ - } - -#else -/* NOTE, - * carry and borrow are both read and written. - * a1 or a2 and s could be the same variable. - * don't trash those outputs until their respective inputs have - * been read. */ -#define MP_ADD_CARRY(a1, a2, s, carry) \ - { \ - mp_digit tmp, sum; \ - tmp = (a1); \ - sum = tmp + (a2); \ - tmp = (sum < tmp); /* detect overflow */ \ - s = sum += carry; \ - carry = tmp + (sum < carry); \ - } - -#define MP_SUB_BORROW(a1, a2, s, borrow) \ - { \ - mp_digit tmp; \ - tmp = (a1); \ - s = tmp - (a2); \ - tmp = (s > tmp); /* detect borrow */ \ - if (borrow && !s--) \ - tmp++; \ - borrow = tmp; \ - } -#endif - -struct GFMethodStr; -typedef struct GFMethodStr GFMethod; -struct GFMethodStr { - /* Indicates whether the structure was constructed from dynamic memory - * or statically created. */ - int constructed; - /* Irreducible that defines the field. For prime fields, this is the - * prime p. For binary polynomial fields, this is the bitstring - * representation of the irreducible polynomial. */ - mp_int irr; - /* For prime fields, the value irr_arr[0] is the number of bits in the - * field. For binary polynomial fields, the irreducible polynomial - * f(t) is represented as an array of unsigned int[], where f(t) is - * of the form: f(t) = t^p[0] + t^p[1] + ... + t^p[4] where m = p[0] - * > p[1] > ... > p[4] = 0. */ - unsigned int irr_arr[5]; - /* Field arithmetic methods. All methods (except field_enc and - * field_dec) are assumed to take field-encoded parameters and return - * field-encoded values. All methods (except field_enc and field_dec) - * are required to be implemented. */ - mp_err (*field_add)(const mp_int *a, const mp_int *b, mp_int *r, - const GFMethod *meth); - mp_err (*field_neg)(const mp_int *a, mp_int *r, const GFMethod *meth); - mp_err (*field_sub)(const mp_int *a, const mp_int *b, mp_int *r, - const GFMethod *meth); - mp_err (*field_mod)(const mp_int *a, mp_int *r, const GFMethod *meth); - mp_err (*field_mul)(const mp_int *a, const mp_int *b, mp_int *r, - const GFMethod *meth); - mp_err (*field_sqr)(const mp_int *a, mp_int *r, const GFMethod *meth); - mp_err (*field_div)(const mp_int *a, const mp_int *b, mp_int *r, - const GFMethod *meth); - mp_err (*field_enc)(const mp_int *a, mp_int *r, const GFMethod *meth); - mp_err (*field_dec)(const mp_int *a, mp_int *r, const GFMethod *meth); - /* Extra storage for implementation-specific data. Any memory - * allocated to these extra fields will be cleared by extra_free. */ - void *extra1; - void *extra2; - void (*extra_free)(GFMethod *meth); -}; - -/* Construct generic GFMethods. */ -GFMethod *GFMethod_consGFp(const mp_int *irr); -GFMethod *GFMethod_consGFp_mont(const mp_int *irr); - -/* Free the memory allocated (if any) to a GFMethod object. */ -void GFMethod_free(GFMethod *meth); - -struct ECGroupStr { - /* Indicates whether the structure was constructed from dynamic memory - * or statically created. */ - int constructed; - /* Field definition and arithmetic. */ - GFMethod *meth; - /* Textual representation of curve name, if any. */ - char *text; - /* Curve parameters, field-encoded. */ - mp_int curvea, curveb; - /* x and y coordinates of the base point, field-encoded. */ - mp_int genx, geny; - /* Order and cofactor of the base point. */ - mp_int order; - int cofactor; - /* Point arithmetic methods. All methods are assumed to take - * field-encoded parameters and return field-encoded values. All - * methods (except base_point_mul and points_mul) are required to be - * implemented. */ - mp_err (*point_add)(const mp_int *px, const mp_int *py, - const mp_int *qx, const mp_int *qy, mp_int *rx, - mp_int *ry, const ECGroup *group); - mp_err (*point_sub)(const mp_int *px, const mp_int *py, - const mp_int *qx, const mp_int *qy, mp_int *rx, - mp_int *ry, const ECGroup *group); - mp_err (*point_dbl)(const mp_int *px, const mp_int *py, mp_int *rx, - mp_int *ry, const ECGroup *group); - mp_err (*point_mul)(const mp_int *n, const mp_int *px, - const mp_int *py, mp_int *rx, mp_int *ry, - const ECGroup *group); - mp_err (*base_point_mul)(const mp_int *n, mp_int *rx, mp_int *ry, - const ECGroup *group); - mp_err (*points_mul)(const mp_int *k1, const mp_int *k2, - const mp_int *px, const mp_int *py, mp_int *rx, - mp_int *ry, const ECGroup *group); - mp_err (*validate_point)(const mp_int *px, const mp_int *py, const ECGroup *group); - /* Extra storage for implementation-specific data. Any memory - * allocated to these extra fields will be cleared by extra_free. */ - void *extra1; - void *extra2; - void (*extra_free)(ECGroup *group); -}; - -/* Wrapper functions for generic prime field arithmetic. */ -mp_err ec_GFp_add(const mp_int *a, const mp_int *b, mp_int *r, - const GFMethod *meth); -mp_err ec_GFp_neg(const mp_int *a, mp_int *r, const GFMethod *meth); -mp_err ec_GFp_sub(const mp_int *a, const mp_int *b, mp_int *r, - const GFMethod *meth); - -/* fixed length in-line adds. Count is in words */ -mp_err ec_GFp_add_3(const mp_int *a, const mp_int *b, mp_int *r, - const GFMethod *meth); -mp_err ec_GFp_add_4(const mp_int *a, const mp_int *b, mp_int *r, - const GFMethod *meth); -mp_err ec_GFp_add_5(const mp_int *a, const mp_int *b, mp_int *r, - const GFMethod *meth); -mp_err ec_GFp_add_6(const mp_int *a, const mp_int *b, mp_int *r, - const GFMethod *meth); -mp_err ec_GFp_sub_3(const mp_int *a, const mp_int *b, mp_int *r, - const GFMethod *meth); -mp_err ec_GFp_sub_4(const mp_int *a, const mp_int *b, mp_int *r, - const GFMethod *meth); -mp_err ec_GFp_sub_5(const mp_int *a, const mp_int *b, mp_int *r, - const GFMethod *meth); -mp_err ec_GFp_sub_6(const mp_int *a, const mp_int *b, mp_int *r, - const GFMethod *meth); - -mp_err ec_GFp_mod(const mp_int *a, mp_int *r, const GFMethod *meth); -mp_err ec_GFp_mul(const mp_int *a, const mp_int *b, mp_int *r, - const GFMethod *meth); -mp_err ec_GFp_sqr(const mp_int *a, mp_int *r, const GFMethod *meth); -mp_err ec_GFp_div(const mp_int *a, const mp_int *b, mp_int *r, - const GFMethod *meth); -/* Wrapper functions for generic binary polynomial field arithmetic. */ -mp_err ec_GF2m_add(const mp_int *a, const mp_int *b, mp_int *r, - const GFMethod *meth); -mp_err ec_GF2m_neg(const mp_int *a, mp_int *r, const GFMethod *meth); -mp_err ec_GF2m_mod(const mp_int *a, mp_int *r, const GFMethod *meth); -mp_err ec_GF2m_mul(const mp_int *a, const mp_int *b, mp_int *r, - const GFMethod *meth); -mp_err ec_GF2m_sqr(const mp_int *a, mp_int *r, const GFMethod *meth); -mp_err ec_GF2m_div(const mp_int *a, const mp_int *b, mp_int *r, - const GFMethod *meth); - -/* Montgomery prime field arithmetic. */ -mp_err ec_GFp_mul_mont(const mp_int *a, const mp_int *b, mp_int *r, - const GFMethod *meth); -mp_err ec_GFp_sqr_mont(const mp_int *a, mp_int *r, const GFMethod *meth); -mp_err ec_GFp_div_mont(const mp_int *a, const mp_int *b, mp_int *r, - const GFMethod *meth); -mp_err ec_GFp_enc_mont(const mp_int *a, mp_int *r, const GFMethod *meth); -mp_err ec_GFp_dec_mont(const mp_int *a, mp_int *r, const GFMethod *meth); -void ec_GFp_extra_free_mont(GFMethod *meth); - -/* point multiplication */ -mp_err ec_pts_mul_basic(const mp_int *k1, const mp_int *k2, - const mp_int *px, const mp_int *py, mp_int *rx, - mp_int *ry, const ECGroup *group); -mp_err ec_pts_mul_simul_w2(const mp_int *k1, const mp_int *k2, - const mp_int *px, const mp_int *py, mp_int *rx, - mp_int *ry, const ECGroup *group); - -/* Computes the windowed non-adjacent-form (NAF) of a scalar. Out should - * be an array of signed char's to output to, bitsize should be the number - * of bits of out, in is the original scalar, and w is the window size. - * NAF is discussed in the paper: D. Hankerson, J. Hernandez and A. - * Menezes, "Software implementation of elliptic curve cryptography over - * binary fields", Proc. CHES 2000. */ -mp_err ec_compute_wNAF(signed char *out, int bitsize, const mp_int *in, - int w); - -/* Optimized field arithmetic */ -mp_err ec_group_set_gfp192(ECGroup *group, ECCurveName); -mp_err ec_group_set_gfp224(ECGroup *group, ECCurveName); -mp_err ec_group_set_gfp256(ECGroup *group, ECCurveName); -mp_err ec_group_set_gfp384(ECGroup *group, ECCurveName); -mp_err ec_group_set_gfp521(ECGroup *group, ECCurveName); -mp_err ec_group_set_gf2m163(ECGroup *group, ECCurveName name); -mp_err ec_group_set_gf2m193(ECGroup *group, ECCurveName name); -mp_err ec_group_set_gf2m233(ECGroup *group, ECCurveName name); - -/* Optimized point multiplication */ -mp_err ec_group_set_gfp256_32(ECGroup *group, ECCurveName name); -mp_err ec_group_set_secp384r1(ECGroup *group, ECCurveName name); -mp_err ec_group_set_secp521r1(ECGroup *group, ECCurveName name); SECStatus ec_Curve25519_mul(PRUint8 *q, const PRUint8 *s, const PRUint8 *p); + #endif /* __ecl_priv_h_ */ diff --git a/nss/lib/freebl/ecl/ecl.c b/nss/lib/freebl/ecl/ecl.c deleted file mode 100644 index e34a73c..0000000 --- a/nss/lib/freebl/ecl/ecl.c +++ /dev/null @@ -1,329 +0,0 @@ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#ifdef FREEBL_NO_DEPEND -#include "../stubs.h" -#endif - -#include "mpi.h" -#include "mplogic.h" -#include "ecl.h" -#include "ecl-priv.h" -#include "ecp.h" -#include "ecl-curve.h" -#include <stdlib.h> -#include <string.h> - -/* Allocate memory for a new ECGroup object. */ -ECGroup * -ECGroup_new() -{ - mp_err res = MP_OKAY; - ECGroup *group; - group = (ECGroup *)malloc(sizeof(ECGroup)); - if (group == NULL) - return NULL; - group->constructed = MP_YES; - group->meth = NULL; - group->text = NULL; - MP_DIGITS(&group->curvea) = 0; - MP_DIGITS(&group->curveb) = 0; - MP_DIGITS(&group->genx) = 0; - MP_DIGITS(&group->geny) = 0; - MP_DIGITS(&group->order) = 0; - group->base_point_mul = NULL; - group->points_mul = NULL; - group->validate_point = NULL; - group->extra1 = NULL; - group->extra2 = NULL; - group->extra_free = NULL; - MP_CHECKOK(mp_init(&group->curvea)); - MP_CHECKOK(mp_init(&group->curveb)); - MP_CHECKOK(mp_init(&group->genx)); - MP_CHECKOK(mp_init(&group->geny)); - MP_CHECKOK(mp_init(&group->order)); - -CLEANUP: - if (res != MP_OKAY) { - ECGroup_free(group); - return NULL; - } - return group; -} - -/* Construct a generic ECGroup for elliptic curves over prime fields. */ -ECGroup * -ECGroup_consGFp(const mp_int *irr, const mp_int *curvea, - const mp_int *curveb, const mp_int *genx, - const mp_int *geny, const mp_int *order, int cofactor) -{ - mp_err res = MP_OKAY; - ECGroup *group = NULL; - - group = ECGroup_new(); - if (group == NULL) - return NULL; - - group->meth = GFMethod_consGFp(irr); - if (group->meth == NULL) { - res = MP_MEM; - goto CLEANUP; - } - MP_CHECKOK(mp_copy(curvea, &group->curvea)); - MP_CHECKOK(mp_copy(curveb, &group->curveb)); - MP_CHECKOK(mp_copy(genx, &group->genx)); - MP_CHECKOK(mp_copy(geny, &group->geny)); - MP_CHECKOK(mp_copy(order, &group->order)); - group->cofactor = cofactor; - group->point_add = &ec_GFp_pt_add_aff; - group->point_sub = &ec_GFp_pt_sub_aff; - group->point_dbl = &ec_GFp_pt_dbl_aff; - group->point_mul = &ec_GFp_pt_mul_jm_wNAF; - group->base_point_mul = NULL; - group->points_mul = &ec_GFp_pts_mul_jac; - group->validate_point = &ec_GFp_validate_point; - -CLEANUP: - if (res != MP_OKAY) { - ECGroup_free(group); - return NULL; - } - return group; -} - -/* Construct a generic ECGroup for elliptic curves over prime fields with - * field arithmetic implemented in Montgomery coordinates. */ -ECGroup * -ECGroup_consGFp_mont(const mp_int *irr, const mp_int *curvea, - const mp_int *curveb, const mp_int *genx, - const mp_int *geny, const mp_int *order, int cofactor) -{ - mp_err res = MP_OKAY; - ECGroup *group = NULL; - - group = ECGroup_new(); - if (group == NULL) - return NULL; - - group->meth = GFMethod_consGFp_mont(irr); - if (group->meth == NULL) { - res = MP_MEM; - goto CLEANUP; - } - MP_CHECKOK(group->meth->field_enc(curvea, &group->curvea, group->meth)); - MP_CHECKOK(group->meth->field_enc(curveb, &group->curveb, group->meth)); - MP_CHECKOK(group->meth->field_enc(genx, &group->genx, group->meth)); - MP_CHECKOK(group->meth->field_enc(geny, &group->geny, group->meth)); - MP_CHECKOK(mp_copy(order, &group->order)); - group->cofactor = cofactor; - group->point_add = &ec_GFp_pt_add_aff; - group->point_sub = &ec_GFp_pt_sub_aff; - group->point_dbl = &ec_GFp_pt_dbl_aff; - group->point_mul = &ec_GFp_pt_mul_jm_wNAF; - group->base_point_mul = NULL; - group->points_mul = &ec_GFp_pts_mul_jac; - group->validate_point = &ec_GFp_validate_point; - -CLEANUP: - if (res != MP_OKAY) { - ECGroup_free(group); - return NULL; - } - return group; -} - -/* Construct an ECGroup. */ -ECGroup * -construct_ecgroup(const ECCurveName name, mp_int irr, mp_int curvea, - mp_int curveb, mp_int genx, mp_int geny, mp_int order, - int cofactor, ECField field, const char *text) -{ - int bits; - ECGroup *group = NULL; - mp_err res = MP_OKAY; - - /* determine number of bits */ - bits = mpl_significant_bits(&irr) - 1; - if (bits < MP_OKAY) { - res = bits; - goto CLEANUP; - } - - /* determine which optimizations (if any) to use */ - if (field == ECField_GFp) { - switch (name) { - case ECCurve_SECG_PRIME_256R1: - group = - ECGroup_consGFp(&irr, &curvea, &curveb, &genx, &geny, - &order, cofactor); - if (group == NULL) { - res = MP_UNDEF; - goto CLEANUP; - } - MP_CHECKOK(ec_group_set_gfp256(group, name)); - MP_CHECKOK(ec_group_set_gfp256_32(group, name)); - break; - case ECCurve_SECG_PRIME_384R1: - group = - ECGroup_consGFp(&irr, &curvea, &curveb, &genx, &geny, - &order, cofactor); - if (group == NULL) { - res = MP_UNDEF; - goto CLEANUP; - } - MP_CHECKOK(ec_group_set_secp384r1(group, name)); - break; - case ECCurve_SECG_PRIME_521R1: - group = - ECGroup_consGFp(&irr, &curvea, &curveb, &genx, &geny, - &order, cofactor); - if (group == NULL) { - res = MP_UNDEF; - goto CLEANUP; - } - MP_CHECKOK(ec_group_set_gfp521(group, name)); - MP_CHECKOK(ec_group_set_secp521r1(group, name)); - break; - default: - /* use generic arithmetic */ - group = - ECGroup_consGFp_mont(&irr, &curvea, &curveb, &genx, &geny, - &order, cofactor); - if (group == NULL) { - res = MP_UNDEF; - goto CLEANUP; - } - } - } else { - res = MP_UNDEF; - goto CLEANUP; - } - - /* set name, if any */ - if ((group != NULL) && (text != NULL)) { - group->text = strdup(text); - if (group->text == NULL) { - res = MP_MEM; - } - } - -CLEANUP: - if (group && res != MP_OKAY) { - ECGroup_free(group); - return NULL; - } - return group; -} - -/* Construct ECGroup from parameters and name, if any. */ -ECGroup * -ecgroup_fromName(const ECCurveName name, - const ECCurveBytes *params) -{ - mp_int irr, curvea, curveb, genx, geny, order; - ECGroup *group = NULL; - mp_err res = MP_OKAY; - - /* initialize values */ - MP_DIGITS(&irr) = 0; - MP_DIGITS(&curvea) = 0; - MP_DIGITS(&curveb) = 0; - MP_DIGITS(&genx) = 0; - MP_DIGITS(&geny) = 0; - MP_DIGITS(&order) = 0; - MP_CHECKOK(mp_init(&irr)); - MP_CHECKOK(mp_init(&curvea)); - MP_CHECKOK(mp_init(&curveb)); - MP_CHECKOK(mp_init(&genx)); - MP_CHECKOK(mp_init(&geny)); - MP_CHECKOK(mp_init(&order)); - MP_CHECKOK(mp_read_unsigned_octets(&irr, params->irr, params->scalarSize)); - MP_CHECKOK(mp_read_unsigned_octets(&curvea, params->curvea, params->scalarSize)); - MP_CHECKOK(mp_read_unsigned_octets(&curveb, params->curveb, params->scalarSize)); - MP_CHECKOK(mp_read_unsigned_octets(&genx, params->genx, params->scalarSize)); - MP_CHECKOK(mp_read_unsigned_octets(&geny, params->geny, params->scalarSize)); - MP_CHECKOK(mp_read_unsigned_octets(&order, params->order, params->scalarSize)); - - group = construct_ecgroup(name, irr, curvea, curveb, genx, geny, order, - params->cofactor, params->field, params->text); - -CLEANUP: - mp_clear(&irr); - mp_clear(&curvea); - mp_clear(&curveb); - mp_clear(&genx); - mp_clear(&geny); - mp_clear(&order); - if (group && res != MP_OKAY) { - ECGroup_free(group); - return NULL; - } - return group; -} - -/* Construct ECCurveBytes from an ECCurveName */ -const ECCurveBytes * -ec_GetNamedCurveParams(const ECCurveName name) -{ - if ((name <= ECCurve_noName) || (ECCurve_pastLastCurve <= name) || - (ecCurve_map[name] == NULL)) { - return NULL; - } else { - return ecCurve_map[name]; - } -} - -/* Construct ECGroup from named parameters. */ -ECGroup * -ECGroup_fromName(const ECCurveName name) -{ - const ECCurveBytes *params = NULL; - - /* This doesn't work with Curve25519 but it's not necessary to. */ - PORT_Assert(name != ECCurve25519); - - params = ec_GetNamedCurveParams(name); - if (params == NULL) { - return NULL; - } - - /* construct actual group */ - return ecgroup_fromName(name, params); -} - -/* Validates an EC public key as described in Section 5.2.2 of X9.62. */ -mp_err -ECPoint_validate(const ECGroup *group, const mp_int *px, const mp_int *py) -{ - /* 1: Verify that publicValue is not the point at infinity */ - /* 2: Verify that the coordinates of publicValue are elements - * of the field. - */ - /* 3: Verify that publicValue is on the curve. */ - /* 4: Verify that the order of the curve times the publicValue - * is the point at infinity. - */ - return group->validate_point(px, py, group); -} - -/* Free the memory allocated (if any) to an ECGroup object. */ -void -ECGroup_free(ECGroup *group) -{ - if (group == NULL) - return; - GFMethod_free(group->meth); - if (group->constructed == MP_NO) - return; - mp_clear(&group->curvea); - mp_clear(&group->curveb); - mp_clear(&group->genx); - mp_clear(&group->geny); - mp_clear(&group->order); - if (group->text != NULL) - free(group->text); - if (group->extra_free != NULL) - group->extra_free(group); - free(group); -} diff --git a/nss/lib/freebl/ecl/ecl.h b/nss/lib/freebl/ecl/ecl.h index 3783f75..58cea5b 100644 --- a/nss/lib/freebl/ecl/ecl.h +++ b/nss/lib/freebl/ecl/ecl.h @@ -10,39 +10,8 @@ #include "blapi.h" #include "ecl-exp.h" -#include "mpi.h" #include "eclt.h" -struct ECGroupStr; -typedef struct ECGroupStr ECGroup; - -/* Construct ECGroup from named parameters. */ -ECGroup *ECGroup_fromName(const ECCurveName name); - -/* Free an allocated ECGroup. */ -void ECGroup_free(ECGroup *group); - -/* Elliptic curve scalar-point multiplication. Computes Q(x, y) = k * P(x, - * y). If x, y = NULL, then P is assumed to be the generator (base point) - * of the group of points on the elliptic curve. Input and output values - * are assumed to be NOT field-encoded. */ -mp_err ECPoint_mul(const ECGroup *group, const mp_int *k, const mp_int *px, - const mp_int *py, mp_int *qx, mp_int *qy); - -/* Elliptic curve scalar-point multiplication. Computes Q(x, y) = k1 * G + - * k2 * P(x, y), where G is the generator (base point) of the group of - * points on the elliptic curve. Input and output values are assumed to - * be NOT field-encoded. */ -mp_err ECPoints_mul(const ECGroup *group, const mp_int *k1, - const mp_int *k2, const mp_int *px, const mp_int *py, - mp_int *qx, mp_int *qy); - -/* Validates an EC public key as described in Section 5.2.2 of X9.62. - * Returns MP_YES if the public key is valid, MP_NO if the public key - * is invalid, or an error code if the validation could not be - * performed. */ -mp_err ECPoint_validate(const ECGroup *group, const mp_int *px, const mp_int *py); - SECStatus ec_Curve25519_pt_mul(SECItem *X, SECItem *k, SECItem *P); SECStatus ec_Curve25519_pt_validate(const SECItem *px); SECStatus ec_Curve25519_scalar_validate(const SECItem *scalar); @@ -57,8 +26,24 @@ SECStatus ec_secp256r1_sign_digest(ECPrivateKey *key, SECItem *signature, SECStatus ec_secp256r1_verify_digest(ECPublicKey *key, const SECItem *signature, const SECItem *digest); +SECStatus ec_secp521r1_pt_mul(SECItem *X, SECItem *k, SECItem *P); +SECStatus ec_secp521r1_pt_validate(const SECItem *px); +SECStatus ec_secp521r1_scalar_validate(const SECItem *scalar); + +SECStatus ec_secp521r1_sign_digest(ECPrivateKey *key, SECItem *signature, + const SECItem *digest, const unsigned char *kb, + const unsigned int kblen); +SECStatus ec_secp521r1_verify_digest(ECPublicKey *key, const SECItem *signature, + const SECItem *digest); + +SECStatus ec_secp384r1_pt_mul(SECItem *X, SECItem *k, SECItem *P); +SECStatus ec_secp384r1_pt_validate(const SECItem *px); SECStatus ec_secp384r1_scalar_validate(const SECItem *scalar); -SECStatus ec_secp521r1_scalar_validate(const SECItem *scalar); +SECStatus ec_secp384r1_sign_digest(ECPrivateKey *key, SECItem *signature, + const SECItem *digest, const unsigned char *kb, + const unsigned int kblen); +SECStatus ec_secp384r1_verify_digest(ECPublicKey *key, const SECItem *signature, + const SECItem *digest); #endif /* __ecl_h_ */ diff --git a/nss/lib/freebl/ecl/ecl_gf.c b/nss/lib/freebl/ecl/ecl_gf.c deleted file mode 100644 index 81b0077..0000000 --- a/nss/lib/freebl/ecl/ecl_gf.c +++ /dev/null @@ -1,958 +0,0 @@ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#include "mpi.h" -#include "mp_gf2m.h" -#include "ecl-priv.h" -#include "mpi-priv.h" -#include <stdlib.h> - -/* Allocate memory for a new GFMethod object. */ -GFMethod * -GFMethod_new() -{ - mp_err res = MP_OKAY; - GFMethod *meth; - meth = (GFMethod *)malloc(sizeof(GFMethod)); - if (meth == NULL) - return NULL; - meth->constructed = MP_YES; - MP_DIGITS(&meth->irr) = 0; - meth->extra_free = NULL; - MP_CHECKOK(mp_init(&meth->irr)); - -CLEANUP: - if (res != MP_OKAY) { - GFMethod_free(meth); - return NULL; - } - return meth; -} - -/* Construct a generic GFMethod for arithmetic over prime fields with - * irreducible irr. */ -GFMethod * -GFMethod_consGFp(const mp_int *irr) -{ - mp_err res = MP_OKAY; - GFMethod *meth = NULL; - - meth = GFMethod_new(); - if (meth == NULL) - return NULL; - - MP_CHECKOK(mp_copy(irr, &meth->irr)); - meth->irr_arr[0] = mpl_significant_bits(irr); - meth->irr_arr[1] = meth->irr_arr[2] = meth->irr_arr[3] = - meth->irr_arr[4] = 0; - switch (MP_USED(&meth->irr)) { - /* maybe we need 1 and 2 words here as well?*/ - case 3: - meth->field_add = &ec_GFp_add_3; - meth->field_sub = &ec_GFp_sub_3; - break; - case 4: - meth->field_add = &ec_GFp_add_4; - meth->field_sub = &ec_GFp_sub_4; - break; - case 5: - meth->field_add = &ec_GFp_add_5; - meth->field_sub = &ec_GFp_sub_5; - break; - case 6: - meth->field_add = &ec_GFp_add_6; - meth->field_sub = &ec_GFp_sub_6; - break; - default: - meth->field_add = &ec_GFp_add; - meth->field_sub = &ec_GFp_sub; - } - meth->field_neg = &ec_GFp_neg; - meth->field_mod = &ec_GFp_mod; - meth->field_mul = &ec_GFp_mul; - meth->field_sqr = &ec_GFp_sqr; - meth->field_div = &ec_GFp_div; - meth->field_enc = NULL; - meth->field_dec = NULL; - meth->extra1 = NULL; - meth->extra2 = NULL; - meth->extra_free = NULL; - -CLEANUP: - if (res != MP_OKAY) { - GFMethod_free(meth); - return NULL; - } - return meth; -} - -/* Free the memory allocated (if any) to a GFMethod object. */ -void -GFMethod_free(GFMethod *meth) -{ - if (meth == NULL) - return; - if (meth->constructed == MP_NO) - return; - mp_clear(&meth->irr); - if (meth->extra_free != NULL) - meth->extra_free(meth); - free(meth); -} - -/* Wrapper functions for generic prime field arithmetic. */ - -/* Add two field elements. Assumes that 0 <= a, b < meth->irr */ -mp_err -ec_GFp_add(const mp_int *a, const mp_int *b, mp_int *r, - const GFMethod *meth) -{ - /* PRE: 0 <= a, b < p = meth->irr POST: 0 <= r < p, r = a + b (mod p) */ - mp_err res; - - if ((res = mp_add(a, b, r)) != MP_OKAY) { - return res; - } - if (mp_cmp(r, &meth->irr) >= 0) { - return mp_sub(r, &meth->irr, r); - } - return res; -} - -/* Negates a field element. Assumes that 0 <= a < meth->irr */ -mp_err -ec_GFp_neg(const mp_int *a, mp_int *r, const GFMethod *meth) -{ - /* PRE: 0 <= a < p = meth->irr POST: 0 <= r < p, r = -a (mod p) */ - - if (mp_cmp_z(a) == 0) { - mp_zero(r); - return MP_OKAY; - } - return mp_sub(&meth->irr, a, r); -} - -/* Subtracts two field elements. Assumes that 0 <= a, b < meth->irr */ -mp_err -ec_GFp_sub(const mp_int *a, const mp_int *b, mp_int *r, - const GFMethod *meth) -{ - mp_err res = MP_OKAY; - - /* PRE: 0 <= a, b < p = meth->irr POST: 0 <= r < p, r = a - b (mod p) */ - res = mp_sub(a, b, r); - if (res == MP_RANGE) { - MP_CHECKOK(mp_sub(b, a, r)); - if (mp_cmp_z(r) < 0) { - MP_CHECKOK(mp_add(r, &meth->irr, r)); - } - MP_CHECKOK(ec_GFp_neg(r, r, meth)); - } - if (mp_cmp_z(r) < 0) { - MP_CHECKOK(mp_add(r, &meth->irr, r)); - } -CLEANUP: - return res; -} -/* - * Inline adds for small curve lengths. - */ -/* 3 words */ -mp_err -ec_GFp_add_3(const mp_int *a, const mp_int *b, mp_int *r, - const GFMethod *meth) -{ - mp_err res = MP_OKAY; - mp_digit a0 = 0, a1 = 0, a2 = 0; - mp_digit r0 = 0, r1 = 0, r2 = 0; - mp_digit carry; - - switch (MP_USED(a)) { - case 3: - a2 = MP_DIGIT(a, 2); - case 2: - a1 = MP_DIGIT(a, 1); - case 1: - a0 = MP_DIGIT(a, 0); - } - switch (MP_USED(b)) { - case 3: - r2 = MP_DIGIT(b, 2); - case 2: - r1 = MP_DIGIT(b, 1); - case 1: - r0 = MP_DIGIT(b, 0); - } - -#ifndef MPI_AMD64_ADD - carry = 0; - MP_ADD_CARRY(a0, r0, r0, carry); - MP_ADD_CARRY(a1, r1, r1, carry); - MP_ADD_CARRY(a2, r2, r2, carry); -#else - __asm__( - "xorq %3,%3 \n\t" - "addq %4,%0 \n\t" - "adcq %5,%1 \n\t" - "adcq %6,%2 \n\t" - "adcq $0,%3 \n\t" - : "=r"(r0), "=r"(r1), "=r"(r2), "=r"(carry) - : "r"(a0), "r"(a1), "r"(a2), - "0"(r0), "1"(r1), "2"(r2) - : "%cc"); -#endif - - MP_CHECKOK(s_mp_pad(r, 3)); - MP_DIGIT(r, 2) = r2; - MP_DIGIT(r, 1) = r1; - MP_DIGIT(r, 0) = r0; - MP_SIGN(r) = MP_ZPOS; - MP_USED(r) = 3; - - /* Do quick 'subract' if we've gone over - * (add the 2's complement of the curve field) */ - a2 = MP_DIGIT(&meth->irr, 2); - if (carry || r2 > a2 || - ((r2 == a2) && mp_cmp(r, &meth->irr) != MP_LT)) { - a1 = MP_DIGIT(&meth->irr, 1); - a0 = MP_DIGIT(&meth->irr, 0); -#ifndef MPI_AMD64_ADD - carry = 0; - MP_SUB_BORROW(r0, a0, r0, carry); - MP_SUB_BORROW(r1, a1, r1, carry); - MP_SUB_BORROW(r2, a2, r2, carry); -#else - __asm__( - "subq %3,%0 \n\t" - "sbbq %4,%1 \n\t" - "sbbq %5,%2 \n\t" - : "=r"(r0), "=r"(r1), "=r"(r2) - : "r"(a0), "r"(a1), "r"(a2), - "0"(r0), "1"(r1), "2"(r2) - : "%cc"); -#endif - MP_DIGIT(r, 2) = r2; - MP_DIGIT(r, 1) = r1; - MP_DIGIT(r, 0) = r0; - } - - s_mp_clamp(r); - -CLEANUP: - return res; -} - -/* 4 words */ -mp_err -ec_GFp_add_4(const mp_int *a, const mp_int *b, mp_int *r, - const GFMethod *meth) -{ - mp_err res = MP_OKAY; - mp_digit a0 = 0, a1 = 0, a2 = 0, a3 = 0; - mp_digit r0 = 0, r1 = 0, r2 = 0, r3 = 0; - mp_digit carry; - - switch (MP_USED(a)) { - case 4: - a3 = MP_DIGIT(a, 3); - case 3: - a2 = MP_DIGIT(a, 2); - case 2: - a1 = MP_DIGIT(a, 1); - case 1: - a0 = MP_DIGIT(a, 0); - } - switch (MP_USED(b)) { - case 4: - r3 = MP_DIGIT(b, 3); - case 3: - r2 = MP_DIGIT(b, 2); - case 2: - r1 = MP_DIGIT(b, 1); - case 1: - r0 = MP_DIGIT(b, 0); - } - -#ifndef MPI_AMD64_ADD - carry = 0; - MP_ADD_CARRY(a0, r0, r0, carry); - MP_ADD_CARRY(a1, r1, r1, carry); - MP_ADD_CARRY(a2, r2, r2, carry); - MP_ADD_CARRY(a3, r3, r3, carry); -#else - __asm__( - "xorq %4,%4 \n\t" - "addq %5,%0 \n\t" - "adcq %6,%1 \n\t" - "adcq %7,%2 \n\t" - "adcq %8,%3 \n\t" - "adcq $0,%4 \n\t" - : "=r"(r0), "=r"(r1), "=r"(r2), "=r"(r3), "=r"(carry) - : "r"(a0), "r"(a1), "r"(a2), "r"(a3), - "0"(r0), "1"(r1), "2"(r2), "3"(r3) - : "%cc"); -#endif - - MP_CHECKOK(s_mp_pad(r, 4)); - MP_DIGIT(r, 3) = r3; - MP_DIGIT(r, 2) = r2; - MP_DIGIT(r, 1) = r1; - MP_DIGIT(r, 0) = r0; - MP_SIGN(r) = MP_ZPOS; - MP_USED(r) = 4; - - /* Do quick 'subract' if we've gone over - * (add the 2's complement of the curve field) */ - a3 = MP_DIGIT(&meth->irr, 3); - if (carry || r3 > a3 || - ((r3 == a3) && mp_cmp(r, &meth->irr) != MP_LT)) { - a2 = MP_DIGIT(&meth->irr, 2); - a1 = MP_DIGIT(&meth->irr, 1); - a0 = MP_DIGIT(&meth->irr, 0); -#ifndef MPI_AMD64_ADD - carry = 0; - MP_SUB_BORROW(r0, a0, r0, carry); - MP_SUB_BORROW(r1, a1, r1, carry); - MP_SUB_BORROW(r2, a2, r2, carry); - MP_SUB_BORROW(r3, a3, r3, carry); -#else - __asm__( - "subq %4,%0 \n\t" - "sbbq %5,%1 \n\t" - "sbbq %6,%2 \n\t" - "sbbq %7,%3 \n\t" - : "=r"(r0), "=r"(r1), "=r"(r2), "=r"(r3) - : "r"(a0), "r"(a1), "r"(a2), "r"(a3), - "0"(r0), "1"(r1), "2"(r2), "3"(r3) - : "%cc"); -#endif - MP_DIGIT(r, 3) = r3; - MP_DIGIT(r, 2) = r2; - MP_DIGIT(r, 1) = r1; - MP_DIGIT(r, 0) = r0; - } - - s_mp_clamp(r); - -CLEANUP: - return res; -} - -/* 5 words */ -mp_err -ec_GFp_add_5(const mp_int *a, const mp_int *b, mp_int *r, - const GFMethod *meth) -{ - mp_err res = MP_OKAY; - mp_digit a0 = 0, a1 = 0, a2 = 0, a3 = 0, a4 = 0; - mp_digit r0 = 0, r1 = 0, r2 = 0, r3 = 0, r4 = 0; - mp_digit carry; - - switch (MP_USED(a)) { - case 5: - a4 = MP_DIGIT(a, 4); - case 4: - a3 = MP_DIGIT(a, 3); - case 3: - a2 = MP_DIGIT(a, 2); - case 2: - a1 = MP_DIGIT(a, 1); - case 1: - a0 = MP_DIGIT(a, 0); - } - switch (MP_USED(b)) { - case 5: - r4 = MP_DIGIT(b, 4); - case 4: - r3 = MP_DIGIT(b, 3); - case 3: - r2 = MP_DIGIT(b, 2); - case 2: - r1 = MP_DIGIT(b, 1); - case 1: - r0 = MP_DIGIT(b, 0); - } - - carry = 0; - MP_ADD_CARRY(a0, r0, r0, carry); - MP_ADD_CARRY(a1, r1, r1, carry); - MP_ADD_CARRY(a2, r2, r2, carry); - MP_ADD_CARRY(a3, r3, r3, carry); - MP_ADD_CARRY(a4, r4, r4, carry); - - MP_CHECKOK(s_mp_pad(r, 5)); - MP_DIGIT(r, 4) = r4; - MP_DIGIT(r, 3) = r3; - MP_DIGIT(r, 2) = r2; - MP_DIGIT(r, 1) = r1; - MP_DIGIT(r, 0) = r0; - MP_SIGN(r) = MP_ZPOS; - MP_USED(r) = 5; - - /* Do quick 'subract' if we've gone over - * (add the 2's complement of the curve field) */ - a4 = MP_DIGIT(&meth->irr, 4); - if (carry || r4 > a4 || - ((r4 == a4) && mp_cmp(r, &meth->irr) != MP_LT)) { - a3 = MP_DIGIT(&meth->irr, 3); - a2 = MP_DIGIT(&meth->irr, 2); - a1 = MP_DIGIT(&meth->irr, 1); - a0 = MP_DIGIT(&meth->irr, 0); - carry = 0; - MP_SUB_BORROW(r0, a0, r0, carry); - MP_SUB_BORROW(r1, a1, r1, carry); - MP_SUB_BORROW(r2, a2, r2, carry); - MP_SUB_BORROW(r3, a3, r3, carry); - MP_SUB_BORROW(r4, a4, r4, carry); - MP_DIGIT(r, 4) = r4; - MP_DIGIT(r, 3) = r3; - MP_DIGIT(r, 2) = r2; - MP_DIGIT(r, 1) = r1; - MP_DIGIT(r, 0) = r0; - } - - s_mp_clamp(r); - -CLEANUP: - return res; -} - -/* 6 words */ -mp_err -ec_GFp_add_6(const mp_int *a, const mp_int *b, mp_int *r, - const GFMethod *meth) -{ - mp_err res = MP_OKAY; - mp_digit a0 = 0, a1 = 0, a2 = 0, a3 = 0, a4 = 0, a5 = 0; - mp_digit r0 = 0, r1 = 0, r2 = 0, r3 = 0, r4 = 0, r5 = 0; - mp_digit carry; - - switch (MP_USED(a)) { - case 6: - a5 = MP_DIGIT(a, 5); - case 5: - a4 = MP_DIGIT(a, 4); - case 4: - a3 = MP_DIGIT(a, 3); - case 3: - a2 = MP_DIGIT(a, 2); - case 2: - a1 = MP_DIGIT(a, 1); - case 1: - a0 = MP_DIGIT(a, 0); - } - switch (MP_USED(b)) { - case 6: - r5 = MP_DIGIT(b, 5); - case 5: - r4 = MP_DIGIT(b, 4); - case 4: - r3 = MP_DIGIT(b, 3); - case 3: - r2 = MP_DIGIT(b, 2); - case 2: - r1 = MP_DIGIT(b, 1); - case 1: - r0 = MP_DIGIT(b, 0); - } - - carry = 0; - MP_ADD_CARRY(a0, r0, r0, carry); - MP_ADD_CARRY(a1, r1, r1, carry); - MP_ADD_CARRY(a2, r2, r2, carry); - MP_ADD_CARRY(a3, r3, r3, carry); - MP_ADD_CARRY(a4, r4, r4, carry); - MP_ADD_CARRY(a5, r5, r5, carry); - - MP_CHECKOK(s_mp_pad(r, 6)); - MP_DIGIT(r, 5) = r5; - MP_DIGIT(r, 4) = r4; - MP_DIGIT(r, 3) = r3; - MP_DIGIT(r, 2) = r2; - MP_DIGIT(r, 1) = r1; - MP_DIGIT(r, 0) = r0; - MP_SIGN(r) = MP_ZPOS; - MP_USED(r) = 6; - - /* Do quick 'subract' if we've gone over - * (add the 2's complement of the curve field) */ - a5 = MP_DIGIT(&meth->irr, 5); - if (carry || r5 > a5 || - ((r5 == a5) && mp_cmp(r, &meth->irr) != MP_LT)) { - a4 = MP_DIGIT(&meth->irr, 4); - a3 = MP_DIGIT(&meth->irr, 3); - a2 = MP_DIGIT(&meth->irr, 2); - a1 = MP_DIGIT(&meth->irr, 1); - a0 = MP_DIGIT(&meth->irr, 0); - carry = 0; - MP_SUB_BORROW(r0, a0, r0, carry); - MP_SUB_BORROW(r1, a1, r1, carry); - MP_SUB_BORROW(r2, a2, r2, carry); - MP_SUB_BORROW(r3, a3, r3, carry); - MP_SUB_BORROW(r4, a4, r4, carry); - MP_SUB_BORROW(r5, a5, r5, carry); - MP_DIGIT(r, 5) = r5; - MP_DIGIT(r, 4) = r4; - MP_DIGIT(r, 3) = r3; - MP_DIGIT(r, 2) = r2; - MP_DIGIT(r, 1) = r1; - MP_DIGIT(r, 0) = r0; - } - - s_mp_clamp(r); - -CLEANUP: - return res; -} - -/* - * The following subraction functions do in-line subractions based - * on our curve size. - * - * ... 3 words - */ -mp_err -ec_GFp_sub_3(const mp_int *a, const mp_int *b, mp_int *r, - const GFMethod *meth) -{ - mp_err res = MP_OKAY; - mp_digit b0 = 0, b1 = 0, b2 = 0; - mp_digit r0 = 0, r1 = 0, r2 = 0; - mp_digit borrow; - - switch (MP_USED(a)) { - case 3: - r2 = MP_DIGIT(a, 2); - case 2: - r1 = MP_DIGIT(a, 1); - case 1: - r0 = MP_DIGIT(a, 0); - } - switch (MP_USED(b)) { - case 3: - b2 = MP_DIGIT(b, 2); - case 2: - b1 = MP_DIGIT(b, 1); - case 1: - b0 = MP_DIGIT(b, 0); - } - -#ifndef MPI_AMD64_ADD - borrow = 0; - MP_SUB_BORROW(r0, b0, r0, borrow); - MP_SUB_BORROW(r1, b1, r1, borrow); - MP_SUB_BORROW(r2, b2, r2, borrow); -#else - __asm__( - "xorq %3,%3 \n\t" - "subq %4,%0 \n\t" - "sbbq %5,%1 \n\t" - "sbbq %6,%2 \n\t" - "adcq $0,%3 \n\t" - : "=r"(r0), "=r"(r1), "=r"(r2), "=r"(borrow) - : "r"(b0), "r"(b1), "r"(b2), - "0"(r0), "1"(r1), "2"(r2) - : "%cc"); -#endif - - /* Do quick 'add' if we've gone under 0 - * (subtract the 2's complement of the curve field) */ - if (borrow) { - b2 = MP_DIGIT(&meth->irr, 2); - b1 = MP_DIGIT(&meth->irr, 1); - b0 = MP_DIGIT(&meth->irr, 0); -#ifndef MPI_AMD64_ADD - borrow = 0; - MP_ADD_CARRY(b0, r0, r0, borrow); - MP_ADD_CARRY(b1, r1, r1, borrow); - MP_ADD_CARRY(b2, r2, r2, borrow); -#else - __asm__( - "addq %3,%0 \n\t" - "adcq %4,%1 \n\t" - "adcq %5,%2 \n\t" - : "=r"(r0), "=r"(r1), "=r"(r2) - : "r"(b0), "r"(b1), "r"(b2), - "0"(r0), "1"(r1), "2"(r2) - : "%cc"); -#endif - } - -#ifdef MPI_AMD64_ADD - /* compiler fakeout? */ - if ((r2 == b0) && (r1 == b0) && (r0 == b0)) { - MP_CHECKOK(s_mp_pad(r, 4)); - } -#endif - MP_CHECKOK(s_mp_pad(r, 3)); - MP_DIGIT(r, 2) = r2; - MP_DIGIT(r, 1) = r1; - MP_DIGIT(r, 0) = r0; - MP_SIGN(r) = MP_ZPOS; - MP_USED(r) = 3; - s_mp_clamp(r); - -CLEANUP: - return res; -} - -/* 4 words */ -mp_err -ec_GFp_sub_4(const mp_int *a, const mp_int *b, mp_int *r, - const GFMethod *meth) -{ - mp_err res = MP_OKAY; - mp_digit b0 = 0, b1 = 0, b2 = 0, b3 = 0; - mp_digit r0 = 0, r1 = 0, r2 = 0, r3 = 0; - mp_digit borrow; - - switch (MP_USED(a)) { - case 4: - r3 = MP_DIGIT(a, 3); - case 3: - r2 = MP_DIGIT(a, 2); - case 2: - r1 = MP_DIGIT(a, 1); - case 1: - r0 = MP_DIGIT(a, 0); - } - switch (MP_USED(b)) { - case 4: - b3 = MP_DIGIT(b, 3); - case 3: - b2 = MP_DIGIT(b, 2); - case 2: - b1 = MP_DIGIT(b, 1); - case 1: - b0 = MP_DIGIT(b, 0); - } - -#ifndef MPI_AMD64_ADD - borrow = 0; - MP_SUB_BORROW(r0, b0, r0, borrow); - MP_SUB_BORROW(r1, b1, r1, borrow); - MP_SUB_BORROW(r2, b2, r2, borrow); - MP_SUB_BORROW(r3, b3, r3, borrow); -#else - __asm__( - "xorq %4,%4 \n\t" - "subq %5,%0 \n\t" - "sbbq %6,%1 \n\t" - "sbbq %7,%2 \n\t" - "sbbq %8,%3 \n\t" - "adcq $0,%4 \n\t" - : "=r"(r0), "=r"(r1), "=r"(r2), "=r"(r3), "=r"(borrow) - : "r"(b0), "r"(b1), "r"(b2), "r"(b3), - "0"(r0), "1"(r1), "2"(r2), "3"(r3) - : "%cc"); -#endif - - /* Do quick 'add' if we've gone under 0 - * (subtract the 2's complement of the curve field) */ - if (borrow) { - b3 = MP_DIGIT(&meth->irr, 3); - b2 = MP_DIGIT(&meth->irr, 2); - b1 = MP_DIGIT(&meth->irr, 1); - b0 = MP_DIGIT(&meth->irr, 0); -#ifndef MPI_AMD64_ADD - borrow = 0; - MP_ADD_CARRY(b0, r0, r0, borrow); - MP_ADD_CARRY(b1, r1, r1, borrow); - MP_ADD_CARRY(b2, r2, r2, borrow); - MP_ADD_CARRY(b3, r3, r3, borrow); -#else - __asm__( - "addq %4,%0 \n\t" - "adcq %5,%1 \n\t" - "adcq %6,%2 \n\t" - "adcq %7,%3 \n\t" - : "=r"(r0), "=r"(r1), "=r"(r2), "=r"(r3) - : "r"(b0), "r"(b1), "r"(b2), "r"(b3), - "0"(r0), "1"(r1), "2"(r2), "3"(r3) - : "%cc"); -#endif - } -#ifdef MPI_AMD64_ADD - /* compiler fakeout? */ - if ((r3 == b0) && (r1 == b0) && (r0 == b0)) { - MP_CHECKOK(s_mp_pad(r, 4)); - } -#endif - MP_CHECKOK(s_mp_pad(r, 4)); - MP_DIGIT(r, 3) = r3; - MP_DIGIT(r, 2) = r2; - MP_DIGIT(r, 1) = r1; - MP_DIGIT(r, 0) = r0; - MP_SIGN(r) = MP_ZPOS; - MP_USED(r) = 4; - s_mp_clamp(r); - -CLEANUP: - return res; -} - -/* 5 words */ -mp_err -ec_GFp_sub_5(const mp_int *a, const mp_int *b, mp_int *r, - const GFMethod *meth) -{ - mp_err res = MP_OKAY; - mp_digit b0 = 0, b1 = 0, b2 = 0, b3 = 0, b4 = 0; - mp_digit r0 = 0, r1 = 0, r2 = 0, r3 = 0, r4 = 0; - mp_digit borrow; - - switch (MP_USED(a)) { - case 5: - r4 = MP_DIGIT(a, 4); - case 4: - r3 = MP_DIGIT(a, 3); - case 3: - r2 = MP_DIGIT(a, 2); - case 2: - r1 = MP_DIGIT(a, 1); - case 1: - r0 = MP_DIGIT(a, 0); - } - switch (MP_USED(b)) { - case 5: - b4 = MP_DIGIT(b, 4); - case 4: - b3 = MP_DIGIT(b, 3); - case 3: - b2 = MP_DIGIT(b, 2); - case 2: - b1 = MP_DIGIT(b, 1); - case 1: - b0 = MP_DIGIT(b, 0); - } - - borrow = 0; - MP_SUB_BORROW(r0, b0, r0, borrow); - MP_SUB_BORROW(r1, b1, r1, borrow); - MP_SUB_BORROW(r2, b2, r2, borrow); - MP_SUB_BORROW(r3, b3, r3, borrow); - MP_SUB_BORROW(r4, b4, r4, borrow); - - /* Do quick 'add' if we've gone under 0 - * (subtract the 2's complement of the curve field) */ - if (borrow) { - b4 = MP_DIGIT(&meth->irr, 4); - b3 = MP_DIGIT(&meth->irr, 3); - b2 = MP_DIGIT(&meth->irr, 2); - b1 = MP_DIGIT(&meth->irr, 1); - b0 = MP_DIGIT(&meth->irr, 0); - borrow = 0; - MP_ADD_CARRY(b0, r0, r0, borrow); - MP_ADD_CARRY(b1, r1, r1, borrow); - MP_ADD_CARRY(b2, r2, r2, borrow); - MP_ADD_CARRY(b3, r3, r3, borrow); - MP_ADD_CARRY(b4, r4, r4, borrow); - } - MP_CHECKOK(s_mp_pad(r, 5)); - MP_DIGIT(r, 4) = r4; - MP_DIGIT(r, 3) = r3; - MP_DIGIT(r, 2) = r2; - MP_DIGIT(r, 1) = r1; - MP_DIGIT(r, 0) = r0; - MP_SIGN(r) = MP_ZPOS; - MP_USED(r) = 5; - s_mp_clamp(r); - -CLEANUP: - return res; -} - -/* 6 words */ -mp_err -ec_GFp_sub_6(const mp_int *a, const mp_int *b, mp_int *r, - const GFMethod *meth) -{ - mp_err res = MP_OKAY; - mp_digit b0 = 0, b1 = 0, b2 = 0, b3 = 0, b4 = 0, b5 = 0; - mp_digit r0 = 0, r1 = 0, r2 = 0, r3 = 0, r4 = 0, r5 = 0; - mp_digit borrow; - - switch (MP_USED(a)) { - case 6: - r5 = MP_DIGIT(a, 5); - case 5: - r4 = MP_DIGIT(a, 4); - case 4: - r3 = MP_DIGIT(a, 3); - case 3: - r2 = MP_DIGIT(a, 2); - case 2: - r1 = MP_DIGIT(a, 1); - case 1: - r0 = MP_DIGIT(a, 0); - } - switch (MP_USED(b)) { - case 6: - b5 = MP_DIGIT(b, 5); - case 5: - b4 = MP_DIGIT(b, 4); - case 4: - b3 = MP_DIGIT(b, 3); - case 3: - b2 = MP_DIGIT(b, 2); - case 2: - b1 = MP_DIGIT(b, 1); - case 1: - b0 = MP_DIGIT(b, 0); - } - - borrow = 0; - MP_SUB_BORROW(r0, b0, r0, borrow); - MP_SUB_BORROW(r1, b1, r1, borrow); - MP_SUB_BORROW(r2, b2, r2, borrow); - MP_SUB_BORROW(r3, b3, r3, borrow); - MP_SUB_BORROW(r4, b4, r4, borrow); - MP_SUB_BORROW(r5, b5, r5, borrow); - - /* Do quick 'add' if we've gone under 0 - * (subtract the 2's complement of the curve field) */ - if (borrow) { - b5 = MP_DIGIT(&meth->irr, 5); - b4 = MP_DIGIT(&meth->irr, 4); - b3 = MP_DIGIT(&meth->irr, 3); - b2 = MP_DIGIT(&meth->irr, 2); - b1 = MP_DIGIT(&meth->irr, 1); - b0 = MP_DIGIT(&meth->irr, 0); - borrow = 0; - MP_ADD_CARRY(b0, r0, r0, borrow); - MP_ADD_CARRY(b1, r1, r1, borrow); - MP_ADD_CARRY(b2, r2, r2, borrow); - MP_ADD_CARRY(b3, r3, r3, borrow); - MP_ADD_CARRY(b4, r4, r4, borrow); - MP_ADD_CARRY(b5, r5, r5, borrow); - } - - MP_CHECKOK(s_mp_pad(r, 6)); - MP_DIGIT(r, 5) = r5; - MP_DIGIT(r, 4) = r4; - MP_DIGIT(r, 3) = r3; - MP_DIGIT(r, 2) = r2; - MP_DIGIT(r, 1) = r1; - MP_DIGIT(r, 0) = r0; - MP_SIGN(r) = MP_ZPOS; - MP_USED(r) = 6; - s_mp_clamp(r); - -CLEANUP: - return res; -} - -/* Reduces an integer to a field element. */ -mp_err -ec_GFp_mod(const mp_int *a, mp_int *r, const GFMethod *meth) -{ - return mp_mod(a, &meth->irr, r); -} - -/* Multiplies two field elements. */ -mp_err -ec_GFp_mul(const mp_int *a, const mp_int *b, mp_int *r, - const GFMethod *meth) -{ - return mp_mulmod(a, b, &meth->irr, r); -} - -/* Squares a field element. */ -mp_err -ec_GFp_sqr(const mp_int *a, mp_int *r, const GFMethod *meth) -{ - return mp_sqrmod(a, &meth->irr, r); -} - -/* Divides two field elements. If a is NULL, then returns the inverse of - * b. */ -mp_err -ec_GFp_div(const mp_int *a, const mp_int *b, mp_int *r, - const GFMethod *meth) -{ - mp_err res = MP_OKAY; - mp_int t; - - /* If a is NULL, then return the inverse of b, otherwise return a/b. */ - if (a == NULL) { - return mp_invmod(b, &meth->irr, r); - } else { - /* MPI doesn't support divmod, so we implement it using invmod and - * mulmod. */ - MP_CHECKOK(mp_init(&t)); - MP_CHECKOK(mp_invmod(b, &meth->irr, &t)); - MP_CHECKOK(mp_mulmod(a, &t, &meth->irr, r)); - CLEANUP: - mp_clear(&t); - return res; - } -} - -/* Wrapper functions for generic binary polynomial field arithmetic. */ - -/* Adds two field elements. */ -mp_err -ec_GF2m_add(const mp_int *a, const mp_int *b, mp_int *r, - const GFMethod *meth) -{ - return mp_badd(a, b, r); -} - -/* Negates a field element. Note that for binary polynomial fields, the - * negation of a field element is the field element itself. */ -mp_err -ec_GF2m_neg(const mp_int *a, mp_int *r, const GFMethod *meth) -{ - if (a == r) { - return MP_OKAY; - } else { - return mp_copy(a, r); - } -} - -/* Reduces a binary polynomial to a field element. */ -mp_err -ec_GF2m_mod(const mp_int *a, mp_int *r, const GFMethod *meth) -{ - return mp_bmod(a, meth->irr_arr, r); -} - -/* Multiplies two field elements. */ -mp_err -ec_GF2m_mul(const mp_int *a, const mp_int *b, mp_int *r, - const GFMethod *meth) -{ - return mp_bmulmod(a, b, meth->irr_arr, r); -} - -/* Squares a field element. */ -mp_err -ec_GF2m_sqr(const mp_int *a, mp_int *r, const GFMethod *meth) -{ - return mp_bsqrmod(a, meth->irr_arr, r); -} - -/* Divides two field elements. If a is NULL, then returns the inverse of - * b. */ -mp_err -ec_GF2m_div(const mp_int *a, const mp_int *b, mp_int *r, - const GFMethod *meth) -{ - mp_err res = MP_OKAY; - mp_int t; - - /* If a is NULL, then return the inverse of b, otherwise return a/b. */ - if (a == NULL) { - /* The GF(2^m) portion of MPI doesn't support invmod, so we - * compute 1/b. */ - MP_CHECKOK(mp_init(&t)); - MP_CHECKOK(mp_set_int(&t, 1)); - MP_CHECKOK(mp_bdivmod(&t, b, &meth->irr, meth->irr_arr, r)); - CLEANUP: - mp_clear(&t); - return res; - } else { - return mp_bdivmod(a, b, &meth->irr, meth->irr_arr, r); - } -} diff --git a/nss/lib/freebl/ecl/ecl_mult.c b/nss/lib/freebl/ecl/ecl_mult.c deleted file mode 100644 index ffbcbf1..0000000 --- a/nss/lib/freebl/ecl/ecl_mult.c +++ /dev/null @@ -1,305 +0,0 @@ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#include "mpi.h" -#include "mplogic.h" -#include "ecl.h" -#include "ecl-priv.h" -#include <stdlib.h> - -/* Elliptic curve scalar-point multiplication. Computes R(x, y) = k * P(x, - * y). If x, y = NULL, then P is assumed to be the generator (base point) - * of the group of points on the elliptic curve. Input and output values - * are assumed to be NOT field-encoded. */ -mp_err -ECPoint_mul(const ECGroup *group, const mp_int *k, const mp_int *px, - const mp_int *py, mp_int *rx, mp_int *ry) -{ - mp_err res = MP_OKAY; - mp_int kt; - - ARGCHK((k != NULL) && (group != NULL), MP_BADARG); - MP_DIGITS(&kt) = 0; - - /* want scalar to be less than or equal to group order */ - if (mp_cmp(k, &group->order) > 0) { - MP_CHECKOK(mp_init(&kt)); - MP_CHECKOK(mp_mod(k, &group->order, &kt)); - } else { - MP_SIGN(&kt) = MP_ZPOS; - MP_USED(&kt) = MP_USED(k); - MP_ALLOC(&kt) = MP_ALLOC(k); - MP_DIGITS(&kt) = MP_DIGITS(k); - } - - if ((px == NULL) || (py == NULL)) { - if (group->base_point_mul) { - MP_CHECKOK(group->base_point_mul(&kt, rx, ry, group)); - } else { - MP_CHECKOK(group->point_mul(&kt, &group->genx, &group->geny, rx, ry, - group)); - } - } else { - if (group->meth->field_enc) { - MP_CHECKOK(group->meth->field_enc(px, rx, group->meth)); - MP_CHECKOK(group->meth->field_enc(py, ry, group->meth)); - MP_CHECKOK(group->point_mul(&kt, rx, ry, rx, ry, group)); - } else { - MP_CHECKOK(group->point_mul(&kt, px, py, rx, ry, group)); - } - } - if (group->meth->field_dec) { - MP_CHECKOK(group->meth->field_dec(rx, rx, group->meth)); - MP_CHECKOK(group->meth->field_dec(ry, ry, group->meth)); - } - -CLEANUP: - if (MP_DIGITS(&kt) != MP_DIGITS(k)) { - mp_clear(&kt); - } - return res; -} - -/* Elliptic curve scalar-point multiplication. Computes R(x, y) = k1 * G + - * k2 * P(x, y), where G is the generator (base point) of the group of - * points on the elliptic curve. Allows k1 = NULL or { k2, P } = NULL. - * Input and output values are assumed to be NOT field-encoded. */ -mp_err -ec_pts_mul_basic(const mp_int *k1, const mp_int *k2, const mp_int *px, - const mp_int *py, mp_int *rx, mp_int *ry, - const ECGroup *group) -{ - mp_err res = MP_OKAY; - mp_int sx, sy; - - ARGCHK(group != NULL, MP_BADARG); - ARGCHK(!((k1 == NULL) && ((k2 == NULL) || (px == NULL) || (py == NULL))), MP_BADARG); - - /* if some arguments are not defined used ECPoint_mul */ - if (k1 == NULL) { - return ECPoint_mul(group, k2, px, py, rx, ry); - } else if ((k2 == NULL) || (px == NULL) || (py == NULL)) { - return ECPoint_mul(group, k1, NULL, NULL, rx, ry); - } - - MP_DIGITS(&sx) = 0; - MP_DIGITS(&sy) = 0; - MP_CHECKOK(mp_init(&sx)); - MP_CHECKOK(mp_init(&sy)); - - MP_CHECKOK(ECPoint_mul(group, k1, NULL, NULL, &sx, &sy)); - MP_CHECKOK(ECPoint_mul(group, k2, px, py, rx, ry)); - - if (group->meth->field_enc) { - MP_CHECKOK(group->meth->field_enc(&sx, &sx, group->meth)); - MP_CHECKOK(group->meth->field_enc(&sy, &sy, group->meth)); - MP_CHECKOK(group->meth->field_enc(rx, rx, group->meth)); - MP_CHECKOK(group->meth->field_enc(ry, ry, group->meth)); - } - - MP_CHECKOK(group->point_add(&sx, &sy, rx, ry, rx, ry, group)); - - if (group->meth->field_dec) { - MP_CHECKOK(group->meth->field_dec(rx, rx, group->meth)); - MP_CHECKOK(group->meth->field_dec(ry, ry, group->meth)); - } - -CLEANUP: - mp_clear(&sx); - mp_clear(&sy); - return res; -} - -/* Elliptic curve scalar-point multiplication. Computes R(x, y) = k1 * G + - * k2 * P(x, y), where G is the generator (base point) of the group of - * points on the elliptic curve. Allows k1 = NULL or { k2, P } = NULL. - * Input and output values are assumed to be NOT field-encoded. Uses - * algorithm 15 (simultaneous multiple point multiplication) from Brown, - * Hankerson, Lopez, Menezes. Software Implementation of the NIST - * Elliptic Curves over Prime Fields. */ -mp_err -ec_pts_mul_simul_w2(const mp_int *k1, const mp_int *k2, const mp_int *px, - const mp_int *py, mp_int *rx, mp_int *ry, - const ECGroup *group) -{ - mp_err res = MP_OKAY; - mp_int precomp[4][4][2]; - const mp_int *a, *b; - unsigned int i, j; - int ai, bi, d; - - ARGCHK(group != NULL, MP_BADARG); - ARGCHK(!((k1 == NULL) && ((k2 == NULL) || (px == NULL) || (py == NULL))), MP_BADARG); - - /* if some arguments are not defined used ECPoint_mul */ - if (k1 == NULL) { - return ECPoint_mul(group, k2, px, py, rx, ry); - } else if ((k2 == NULL) || (px == NULL) || (py == NULL)) { - return ECPoint_mul(group, k1, NULL, NULL, rx, ry); - } - - /* initialize precomputation table */ - for (i = 0; i < 4; i++) { - for (j = 0; j < 4; j++) { - MP_DIGITS(&precomp[i][j][0]) = 0; - MP_DIGITS(&precomp[i][j][1]) = 0; - } - } - for (i = 0; i < 4; i++) { - for (j = 0; j < 4; j++) { - MP_CHECKOK(mp_init_size(&precomp[i][j][0], - ECL_MAX_FIELD_SIZE_DIGITS)); - MP_CHECKOK(mp_init_size(&precomp[i][j][1], - ECL_MAX_FIELD_SIZE_DIGITS)); - } - } - - /* fill precomputation table */ - /* assign {k1, k2} = {a, b} such that len(a) >= len(b) */ - if (mpl_significant_bits(k1) < mpl_significant_bits(k2)) { - a = k2; - b = k1; - if (group->meth->field_enc) { - MP_CHECKOK(group->meth->field_enc(px, &precomp[1][0][0], group->meth)); - MP_CHECKOK(group->meth->field_enc(py, &precomp[1][0][1], group->meth)); - } else { - MP_CHECKOK(mp_copy(px, &precomp[1][0][0])); - MP_CHECKOK(mp_copy(py, &precomp[1][0][1])); - } - MP_CHECKOK(mp_copy(&group->genx, &precomp[0][1][0])); - MP_CHECKOK(mp_copy(&group->geny, &precomp[0][1][1])); - } else { - a = k1; - b = k2; - MP_CHECKOK(mp_copy(&group->genx, &precomp[1][0][0])); - MP_CHECKOK(mp_copy(&group->geny, &precomp[1][0][1])); - if (group->meth->field_enc) { - MP_CHECKOK(group->meth->field_enc(px, &precomp[0][1][0], group->meth)); - MP_CHECKOK(group->meth->field_enc(py, &precomp[0][1][1], group->meth)); - } else { - MP_CHECKOK(mp_copy(px, &precomp[0][1][0])); - MP_CHECKOK(mp_copy(py, &precomp[0][1][1])); - } - } - /* precompute [*][0][*] */ - mp_zero(&precomp[0][0][0]); - mp_zero(&precomp[0][0][1]); - MP_CHECKOK(group->point_dbl(&precomp[1][0][0], &precomp[1][0][1], - &precomp[2][0][0], &precomp[2][0][1], group)); - MP_CHECKOK(group->point_add(&precomp[1][0][0], &precomp[1][0][1], - &precomp[2][0][0], &precomp[2][0][1], - &precomp[3][0][0], &precomp[3][0][1], group)); - /* precompute [*][1][*] */ - for (i = 1; i < 4; i++) { - MP_CHECKOK(group->point_add(&precomp[0][1][0], &precomp[0][1][1], - &precomp[i][0][0], &precomp[i][0][1], - &precomp[i][1][0], &precomp[i][1][1], group)); - } - /* precompute [*][2][*] */ - MP_CHECKOK(group->point_dbl(&precomp[0][1][0], &precomp[0][1][1], - &precomp[0][2][0], &precomp[0][2][1], group)); - for (i = 1; i < 4; i++) { - MP_CHECKOK(group->point_add(&precomp[0][2][0], &precomp[0][2][1], - &precomp[i][0][0], &precomp[i][0][1], - &precomp[i][2][0], &precomp[i][2][1], group)); - } - /* precompute [*][3][*] */ - MP_CHECKOK(group->point_add(&precomp[0][1][0], &precomp[0][1][1], - &precomp[0][2][0], &precomp[0][2][1], - &precomp[0][3][0], &precomp[0][3][1], group)); - for (i = 1; i < 4; i++) { - MP_CHECKOK(group->point_add(&precomp[0][3][0], &precomp[0][3][1], - &precomp[i][0][0], &precomp[i][0][1], - &precomp[i][3][0], &precomp[i][3][1], group)); - } - - d = (mpl_significant_bits(a) + 1) / 2; - - /* R = inf */ - mp_zero(rx); - mp_zero(ry); - - for (i = d; i-- > 0;) { - ai = MP_GET_BIT(a, 2 * i + 1); - ai <<= 1; - ai |= MP_GET_BIT(a, 2 * i); - bi = MP_GET_BIT(b, 2 * i + 1); - bi <<= 1; - bi |= MP_GET_BIT(b, 2 * i); - /* R = 2^2 * R */ - MP_CHECKOK(group->point_dbl(rx, ry, rx, ry, group)); - MP_CHECKOK(group->point_dbl(rx, ry, rx, ry, group)); - /* R = R + (ai * A + bi * B) */ - MP_CHECKOK(group->point_add(rx, ry, &precomp[ai][bi][0], - &precomp[ai][bi][1], rx, ry, group)); - } - - if (group->meth->field_dec) { - MP_CHECKOK(group->meth->field_dec(rx, rx, group->meth)); - MP_CHECKOK(group->meth->field_dec(ry, ry, group->meth)); - } - -CLEANUP: - for (i = 0; i < 4; i++) { - for (j = 0; j < 4; j++) { - mp_clear(&precomp[i][j][0]); - mp_clear(&precomp[i][j][1]); - } - } - return res; -} - -/* Elliptic curve scalar-point multiplication. Computes R(x, y) = k1 * G + - * k2 * P(x, y), where G is the generator (base point) of the group of - * points on the elliptic curve. Allows k1 = NULL or { k2, P } = NULL. - * Input and output values are assumed to be NOT field-encoded. */ -mp_err -ECPoints_mul(const ECGroup *group, const mp_int *k1, const mp_int *k2, - const mp_int *px, const mp_int *py, mp_int *rx, mp_int *ry) -{ - mp_err res = MP_OKAY; - mp_int k1t, k2t; - const mp_int *k1p, *k2p; - - MP_DIGITS(&k1t) = 0; - MP_DIGITS(&k2t) = 0; - - ARGCHK(group != NULL, MP_BADARG); - - /* want scalar to be less than or equal to group order */ - if (k1 != NULL) { - if (mp_cmp(k1, &group->order) >= 0) { - MP_CHECKOK(mp_init(&k1t)); - MP_CHECKOK(mp_mod(k1, &group->order, &k1t)); - k1p = &k1t; - } else { - k1p = k1; - } - } else { - k1p = k1; - } - if (k2 != NULL) { - if (mp_cmp(k2, &group->order) >= 0) { - MP_CHECKOK(mp_init(&k2t)); - MP_CHECKOK(mp_mod(k2, &group->order, &k2t)); - k2p = &k2t; - } else { - k2p = k2; - } - } else { - k2p = k2; - } - - /* if points_mul is defined, then use it */ - if (group->points_mul) { - res = group->points_mul(k1p, k2p, px, py, rx, ry, group); - } else { - res = ec_pts_mul_simul_w2(k1p, k2p, px, py, rx, ry, group); - } - -CLEANUP: - mp_clear(&k1t); - mp_clear(&k2t); - return res; -} diff --git a/nss/lib/freebl/ecl/ecp.h b/nss/lib/freebl/ecl/ecp.h deleted file mode 100644 index 7e54e4e..0000000 --- a/nss/lib/freebl/ecl/ecp.h +++ /dev/null @@ -1,106 +0,0 @@ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#ifndef __ecp_h_ -#define __ecp_h_ - -#include "ecl-priv.h" - -/* Checks if point P(px, py) is at infinity. Uses affine coordinates. */ -mp_err ec_GFp_pt_is_inf_aff(const mp_int *px, const mp_int *py); - -/* Sets P(px, py) to be the point at infinity. Uses affine coordinates. */ -mp_err ec_GFp_pt_set_inf_aff(mp_int *px, mp_int *py); - -/* Computes R = P + Q where R is (rx, ry), P is (px, py) and Q is (qx, - * qy). Uses affine coordinates. */ -mp_err ec_GFp_pt_add_aff(const mp_int *px, const mp_int *py, - const mp_int *qx, const mp_int *qy, mp_int *rx, - mp_int *ry, const ECGroup *group); - -/* Computes R = P - Q. Uses affine coordinates. */ -mp_err ec_GFp_pt_sub_aff(const mp_int *px, const mp_int *py, - const mp_int *qx, const mp_int *qy, mp_int *rx, - mp_int *ry, const ECGroup *group); - -/* Computes R = 2P. Uses affine coordinates. */ -mp_err ec_GFp_pt_dbl_aff(const mp_int *px, const mp_int *py, mp_int *rx, - mp_int *ry, const ECGroup *group); - -/* Validates a point on a GFp curve. */ -mp_err ec_GFp_validate_point(const mp_int *px, const mp_int *py, const ECGroup *group); - -#ifdef ECL_ENABLE_GFP_PT_MUL_AFF -/* Computes R = nP where R is (rx, ry) and P is (px, py). The parameters - * a, b and p are the elliptic curve coefficients and the prime that - * determines the field GFp. Uses affine coordinates. */ -mp_err ec_GFp_pt_mul_aff(const mp_int *n, const mp_int *px, - const mp_int *py, mp_int *rx, mp_int *ry, - const ECGroup *group); -#endif - -/* Converts a point P(px, py) from affine coordinates to Jacobian - * projective coordinates R(rx, ry, rz). */ -mp_err ec_GFp_pt_aff2jac(const mp_int *px, const mp_int *py, mp_int *rx, - mp_int *ry, mp_int *rz, const ECGroup *group); - -/* Converts a point P(px, py, pz) from Jacobian projective coordinates to - * affine coordinates R(rx, ry). */ -mp_err ec_GFp_pt_jac2aff(const mp_int *px, const mp_int *py, - const mp_int *pz, mp_int *rx, mp_int *ry, - const ECGroup *group); - -/* Checks if point P(px, py, pz) is at infinity. Uses Jacobian - * coordinates. */ -mp_err ec_GFp_pt_is_inf_jac(const mp_int *px, const mp_int *py, - const mp_int *pz); - -/* Sets P(px, py, pz) to be the point at infinity. Uses Jacobian - * coordinates. */ -mp_err ec_GFp_pt_set_inf_jac(mp_int *px, mp_int *py, mp_int *pz); - -/* Computes R = P + Q where R is (rx, ry, rz), P is (px, py, pz) and Q is - * (qx, qy, qz). Uses Jacobian coordinates. */ -mp_err ec_GFp_pt_add_jac_aff(const mp_int *px, const mp_int *py, - const mp_int *pz, const mp_int *qx, - const mp_int *qy, mp_int *rx, mp_int *ry, - mp_int *rz, const ECGroup *group); - -/* Computes R = 2P. Uses Jacobian coordinates. */ -mp_err ec_GFp_pt_dbl_jac(const mp_int *px, const mp_int *py, - const mp_int *pz, mp_int *rx, mp_int *ry, - mp_int *rz, const ECGroup *group); - -#ifdef ECL_ENABLE_GFP_PT_MUL_JAC -/* Computes R = nP where R is (rx, ry) and P is (px, py). The parameters - * a, b and p are the elliptic curve coefficients and the prime that - * determines the field GFp. Uses Jacobian coordinates. */ -mp_err ec_GFp_pt_mul_jac(const mp_int *n, const mp_int *px, - const mp_int *py, mp_int *rx, mp_int *ry, - const ECGroup *group); -#endif - -/* Computes R(x, y) = k1 * G + k2 * P(x, y), where G is the generator - * (base point) of the group of points on the elliptic curve. Allows k1 = - * NULL or { k2, P } = NULL. Implemented using mixed Jacobian-affine - * coordinates. Input and output values are assumed to be NOT - * field-encoded and are in affine form. */ -mp_err -ec_GFp_pts_mul_jac(const mp_int *k1, const mp_int *k2, const mp_int *px, - const mp_int *py, mp_int *rx, mp_int *ry, - const ECGroup *group); - -/* Computes R = nP where R is (rx, ry) and P is the base point. Elliptic - * curve points P and R can be identical. Uses mixed Modified-Jacobian - * co-ordinates for doubling and Chudnovsky Jacobian coordinates for - * additions. Assumes input is already field-encoded using field_enc, and - * returns output that is still field-encoded. Uses 5-bit window NAF - * method (algorithm 11) for scalar-point multiplication from Brown, - * Hankerson, Lopez, Menezes. Software Implementation of the NIST Elliptic - * Curves Over Prime Fields. */ -mp_err -ec_GFp_pt_mul_jm_wNAF(const mp_int *n, const mp_int *px, const mp_int *py, - mp_int *rx, mp_int *ry, const ECGroup *group); - -#endif /* __ecp_h_ */ diff --git a/nss/lib/freebl/ecl/ecp_25519.c b/nss/lib/freebl/ecl/ecp_25519.c index a417068..d465700 100644 --- a/nss/lib/freebl/ecl/ecp_25519.c +++ b/nss/lib/freebl/ecl/ecp_25519.c @@ -9,11 +9,6 @@ #endif #include "ecl-priv.h" -#include "ecp.h" -#include "mpi.h" -#include "mplogic.h" -#include "mpi-priv.h" -#include "secmpi.h" #include "secitem.h" #include "secerr.h" #include "secport.h" diff --git a/nss/lib/freebl/ecl/ecp_256.c b/nss/lib/freebl/ecl/ecp_256.c deleted file mode 100644 index ad4e630..0000000 --- a/nss/lib/freebl/ecl/ecp_256.c +++ /dev/null @@ -1,401 +0,0 @@ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#include "ecp.h" -#include "mpi.h" -#include "mplogic.h" -#include "mpi-priv.h" - -/* Fast modular reduction for p256 = 2^256 - 2^224 + 2^192+ 2^96 - 1. a can be r. - * Uses algorithm 2.29 from Hankerson, Menezes, Vanstone. Guide to - * Elliptic Curve Cryptography. */ -static mp_err -ec_GFp_nistp256_mod(const mp_int *a, mp_int *r, const GFMethod *meth) -{ - mp_err res = MP_OKAY; - mp_size a_used = MP_USED(a); - int a_bits = mpl_significant_bits(a); - mp_digit carry; - -#ifdef ECL_THIRTY_TWO_BIT - mp_digit a8 = 0, a9 = 0, a10 = 0, a11 = 0, a12 = 0, a13 = 0, a14 = 0, a15 = 0; - mp_digit r0, r1, r2, r3, r4, r5, r6, r7; - int r8; /* must be a signed value ! */ -#else - mp_digit a4 = 0, a5 = 0, a6 = 0, a7 = 0; - mp_digit a4h, a4l, a5h, a5l, a6h, a6l, a7h, a7l; - mp_digit r0, r1, r2, r3; - int r4; /* must be a signed value ! */ -#endif - /* for polynomials larger than twice the field size - * use regular reduction */ - if (a_bits < 256) { - if (a == r) - return MP_OKAY; - return mp_copy(a, r); - } - if (a_bits > 512) { - MP_CHECKOK(mp_mod(a, &meth->irr, r)); - } else { - -#ifdef ECL_THIRTY_TWO_BIT - switch (a_used) { - case 16: - a15 = MP_DIGIT(a, 15); - case 15: - a14 = MP_DIGIT(a, 14); - case 14: - a13 = MP_DIGIT(a, 13); - case 13: - a12 = MP_DIGIT(a, 12); - case 12: - a11 = MP_DIGIT(a, 11); - case 11: - a10 = MP_DIGIT(a, 10); - case 10: - a9 = MP_DIGIT(a, 9); - case 9: - a8 = MP_DIGIT(a, 8); - } - - r0 = MP_DIGIT(a, 0); - r1 = MP_DIGIT(a, 1); - r2 = MP_DIGIT(a, 2); - r3 = MP_DIGIT(a, 3); - r4 = MP_DIGIT(a, 4); - r5 = MP_DIGIT(a, 5); - r6 = MP_DIGIT(a, 6); - r7 = MP_DIGIT(a, 7); - - /* sum 1 */ - carry = 0; - MP_ADD_CARRY(r3, a11, r3, carry); - MP_ADD_CARRY(r4, a12, r4, carry); - MP_ADD_CARRY(r5, a13, r5, carry); - MP_ADD_CARRY(r6, a14, r6, carry); - MP_ADD_CARRY(r7, a15, r7, carry); - r8 = carry; - carry = 0; - MP_ADD_CARRY(r3, a11, r3, carry); - MP_ADD_CARRY(r4, a12, r4, carry); - MP_ADD_CARRY(r5, a13, r5, carry); - MP_ADD_CARRY(r6, a14, r6, carry); - MP_ADD_CARRY(r7, a15, r7, carry); - r8 += carry; - carry = 0; - /* sum 2 */ - MP_ADD_CARRY(r3, a12, r3, carry); - MP_ADD_CARRY(r4, a13, r4, carry); - MP_ADD_CARRY(r5, a14, r5, carry); - MP_ADD_CARRY(r6, a15, r6, carry); - MP_ADD_CARRY(r7, 0, r7, carry); - r8 += carry; - carry = 0; - /* combine last bottom of sum 3 with second sum 2 */ - MP_ADD_CARRY(r0, a8, r0, carry); - MP_ADD_CARRY(r1, a9, r1, carry); - MP_ADD_CARRY(r2, a10, r2, carry); - MP_ADD_CARRY(r3, a12, r3, carry); - MP_ADD_CARRY(r4, a13, r4, carry); - MP_ADD_CARRY(r5, a14, r5, carry); - MP_ADD_CARRY(r6, a15, r6, carry); - MP_ADD_CARRY(r7, a15, r7, carry); /* from sum 3 */ - r8 += carry; - carry = 0; - /* sum 3 (rest of it)*/ - MP_ADD_CARRY(r6, a14, r6, carry); - MP_ADD_CARRY(r7, 0, r7, carry); - r8 += carry; - carry = 0; - /* sum 4 (rest of it)*/ - MP_ADD_CARRY(r0, a9, r0, carry); - MP_ADD_CARRY(r1, a10, r1, carry); - MP_ADD_CARRY(r2, a11, r2, carry); - MP_ADD_CARRY(r3, a13, r3, carry); - MP_ADD_CARRY(r4, a14, r4, carry); - MP_ADD_CARRY(r5, a15, r5, carry); - MP_ADD_CARRY(r6, a13, r6, carry); - MP_ADD_CARRY(r7, a8, r7, carry); - r8 += carry; - carry = 0; - /* diff 5 */ - MP_SUB_BORROW(r0, a11, r0, carry); - MP_SUB_BORROW(r1, a12, r1, carry); - MP_SUB_BORROW(r2, a13, r2, carry); - MP_SUB_BORROW(r3, 0, r3, carry); - MP_SUB_BORROW(r4, 0, r4, carry); - MP_SUB_BORROW(r5, 0, r5, carry); - MP_SUB_BORROW(r6, a8, r6, carry); - MP_SUB_BORROW(r7, a10, r7, carry); - r8 -= carry; - carry = 0; - /* diff 6 */ - MP_SUB_BORROW(r0, a12, r0, carry); - MP_SUB_BORROW(r1, a13, r1, carry); - MP_SUB_BORROW(r2, a14, r2, carry); - MP_SUB_BORROW(r3, a15, r3, carry); - MP_SUB_BORROW(r4, 0, r4, carry); - MP_SUB_BORROW(r5, 0, r5, carry); - MP_SUB_BORROW(r6, a9, r6, carry); - MP_SUB_BORROW(r7, a11, r7, carry); - r8 -= carry; - carry = 0; - /* diff 7 */ - MP_SUB_BORROW(r0, a13, r0, carry); - MP_SUB_BORROW(r1, a14, r1, carry); - MP_SUB_BORROW(r2, a15, r2, carry); - MP_SUB_BORROW(r3, a8, r3, carry); - MP_SUB_BORROW(r4, a9, r4, carry); - MP_SUB_BORROW(r5, a10, r5, carry); - MP_SUB_BORROW(r6, 0, r6, carry); - MP_SUB_BORROW(r7, a12, r7, carry); - r8 -= carry; - carry = 0; - /* diff 8 */ - MP_SUB_BORROW(r0, a14, r0, carry); - MP_SUB_BORROW(r1, a15, r1, carry); - MP_SUB_BORROW(r2, 0, r2, carry); - MP_SUB_BORROW(r3, a9, r3, carry); - MP_SUB_BORROW(r4, a10, r4, carry); - MP_SUB_BORROW(r5, a11, r5, carry); - MP_SUB_BORROW(r6, 0, r6, carry); - MP_SUB_BORROW(r7, a13, r7, carry); - r8 -= carry; - - /* reduce the overflows */ - while (r8 > 0) { - mp_digit r8_d = r8; - carry = 0; - MP_ADD_CARRY(r0, r8_d, r0, carry); - MP_ADD_CARRY(r1, 0, r1, carry); - MP_ADD_CARRY(r2, 0, r2, carry); - MP_ADD_CARRY(r3, 0 - r8_d, r3, carry); - MP_ADD_CARRY(r4, MP_DIGIT_MAX, r4, carry); - MP_ADD_CARRY(r5, MP_DIGIT_MAX, r5, carry); - MP_ADD_CARRY(r6, 0 - (r8_d + 1), r6, carry); - MP_ADD_CARRY(r7, (r8_d - 1), r7, carry); - r8 = carry; - } - - /* reduce the underflows */ - while (r8 < 0) { - mp_digit r8_d = -r8; - carry = 0; - MP_SUB_BORROW(r0, r8_d, r0, carry); - MP_SUB_BORROW(r1, 0, r1, carry); - MP_SUB_BORROW(r2, 0, r2, carry); - MP_SUB_BORROW(r3, 0 - r8_d, r3, carry); - MP_SUB_BORROW(r4, MP_DIGIT_MAX, r4, carry); - MP_SUB_BORROW(r5, MP_DIGIT_MAX, r5, carry); - MP_SUB_BORROW(r6, 0 - (r8_d + 1), r6, carry); - MP_SUB_BORROW(r7, (r8_d - 1), r7, carry); - r8 = 0 - carry; - } - if (a != r) { - MP_CHECKOK(s_mp_pad(r, 8)); - } - MP_SIGN(r) = MP_ZPOS; - MP_USED(r) = 8; - - MP_DIGIT(r, 7) = r7; - MP_DIGIT(r, 6) = r6; - MP_DIGIT(r, 5) = r5; - MP_DIGIT(r, 4) = r4; - MP_DIGIT(r, 3) = r3; - MP_DIGIT(r, 2) = r2; - MP_DIGIT(r, 1) = r1; - MP_DIGIT(r, 0) = r0; - - /* final reduction if necessary */ - if ((r7 == MP_DIGIT_MAX) && - ((r6 > 1) || ((r6 == 1) && - (r5 || r4 || r3 || - ((r2 == MP_DIGIT_MAX) && (r1 == MP_DIGIT_MAX) && (r0 == MP_DIGIT_MAX)))))) { - MP_CHECKOK(mp_sub(r, &meth->irr, r)); - } - - s_mp_clamp(r); -#else - switch (a_used) { - case 8: - a7 = MP_DIGIT(a, 7); - case 7: - a6 = MP_DIGIT(a, 6); - case 6: - a5 = MP_DIGIT(a, 5); - case 5: - a4 = MP_DIGIT(a, 4); - } - a7l = a7 << 32; - a7h = a7 >> 32; - a6l = a6 << 32; - a6h = a6 >> 32; - a5l = a5 << 32; - a5h = a5 >> 32; - a4l = a4 << 32; - a4h = a4 >> 32; - r3 = MP_DIGIT(a, 3); - r2 = MP_DIGIT(a, 2); - r1 = MP_DIGIT(a, 1); - r0 = MP_DIGIT(a, 0); - - /* sum 1 */ - carry = 0; - MP_ADD_CARRY(r1, a5h << 32, r1, carry); - MP_ADD_CARRY(r2, a6, r2, carry); - MP_ADD_CARRY(r3, a7, r3, carry); - r4 = carry; - carry = 0; - MP_ADD_CARRY(r1, a5h << 32, r1, carry); - MP_ADD_CARRY(r2, a6, r2, carry); - MP_ADD_CARRY(r3, a7, r3, carry); - r4 += carry; - /* sum 2 */ - carry = 0; - MP_ADD_CARRY(r1, a6l, r1, carry); - MP_ADD_CARRY(r2, a6h | a7l, r2, carry); - MP_ADD_CARRY(r3, a7h, r3, carry); - r4 += carry; - carry = 0; - MP_ADD_CARRY(r1, a6l, r1, carry); - MP_ADD_CARRY(r2, a6h | a7l, r2, carry); - MP_ADD_CARRY(r3, a7h, r3, carry); - r4 += carry; - - /* sum 3 */ - carry = 0; - MP_ADD_CARRY(r0, a4, r0, carry); - MP_ADD_CARRY(r1, a5l >> 32, r1, carry); - MP_ADD_CARRY(r2, 0, r2, carry); - MP_ADD_CARRY(r3, a7, r3, carry); - r4 += carry; - /* sum 4 */ - carry = 0; - MP_ADD_CARRY(r0, a4h | a5l, r0, carry); - MP_ADD_CARRY(r1, a5h | (a6h << 32), r1, carry); - MP_ADD_CARRY(r2, a7, r2, carry); - MP_ADD_CARRY(r3, a6h | a4l, r3, carry); - r4 += carry; - /* diff 5 */ - carry = 0; - MP_SUB_BORROW(r0, a5h | a6l, r0, carry); - MP_SUB_BORROW(r1, a6h, r1, carry); - MP_SUB_BORROW(r2, 0, r2, carry); - MP_SUB_BORROW(r3, (a4l >> 32) | a5l, r3, carry); - r4 -= carry; - /* diff 6 */ - carry = 0; - MP_SUB_BORROW(r0, a6, r0, carry); - MP_SUB_BORROW(r1, a7, r1, carry); - MP_SUB_BORROW(r2, 0, r2, carry); - MP_SUB_BORROW(r3, a4h | (a5h << 32), r3, carry); - r4 -= carry; - /* diff 7 */ - carry = 0; - MP_SUB_BORROW(r0, a6h | a7l, r0, carry); - MP_SUB_BORROW(r1, a7h | a4l, r1, carry); - MP_SUB_BORROW(r2, a4h | a5l, r2, carry); - MP_SUB_BORROW(r3, a6l, r3, carry); - r4 -= carry; - /* diff 8 */ - carry = 0; - MP_SUB_BORROW(r0, a7, r0, carry); - MP_SUB_BORROW(r1, a4h << 32, r1, carry); - MP_SUB_BORROW(r2, a5, r2, carry); - MP_SUB_BORROW(r3, a6h << 32, r3, carry); - r4 -= carry; - - /* reduce the overflows */ - while (r4 > 0) { - mp_digit r4_long = r4; - mp_digit r4l = (r4_long << 32); - carry = 0; - MP_ADD_CARRY(r0, r4_long, r0, carry); - MP_ADD_CARRY(r1, 0 - r4l, r1, carry); - MP_ADD_CARRY(r2, MP_DIGIT_MAX, r2, carry); - MP_ADD_CARRY(r3, r4l - r4_long - 1, r3, carry); - r4 = carry; - } - - /* reduce the underflows */ - while (r4 < 0) { - mp_digit r4_long = -r4; - mp_digit r4l = (r4_long << 32); - carry = 0; - MP_SUB_BORROW(r0, r4_long, r0, carry); - MP_SUB_BORROW(r1, 0 - r4l, r1, carry); - MP_SUB_BORROW(r2, MP_DIGIT_MAX, r2, carry); - MP_SUB_BORROW(r3, r4l - r4_long - 1, r3, carry); - r4 = 0 - carry; - } - - if (a != r) { - MP_CHECKOK(s_mp_pad(r, 4)); - } - MP_SIGN(r) = MP_ZPOS; - MP_USED(r) = 4; - - MP_DIGIT(r, 3) = r3; - MP_DIGIT(r, 2) = r2; - MP_DIGIT(r, 1) = r1; - MP_DIGIT(r, 0) = r0; - - /* final reduction if necessary */ - if ((r3 > 0xFFFFFFFF00000001ULL) || - ((r3 == 0xFFFFFFFF00000001ULL) && - (r2 || (r1 >> 32) || - (r1 == 0xFFFFFFFFULL && r0 == MP_DIGIT_MAX)))) { - /* very rare, just use mp_sub */ - MP_CHECKOK(mp_sub(r, &meth->irr, r)); - } - - s_mp_clamp(r); -#endif - } - -CLEANUP: - return res; -} - -/* Compute the square of polynomial a, reduce modulo p256. Store the - * result in r. r could be a. Uses optimized modular reduction for p256. - */ -static mp_err -ec_GFp_nistp256_sqr(const mp_int *a, mp_int *r, const GFMethod *meth) -{ - mp_err res = MP_OKAY; - - MP_CHECKOK(mp_sqr(a, r)); - MP_CHECKOK(ec_GFp_nistp256_mod(r, r, meth)); -CLEANUP: - return res; -} - -/* Compute the product of two polynomials a and b, reduce modulo p256. - * Store the result in r. r could be a or b; a could be b. Uses - * optimized modular reduction for p256. */ -static mp_err -ec_GFp_nistp256_mul(const mp_int *a, const mp_int *b, mp_int *r, - const GFMethod *meth) -{ - mp_err res = MP_OKAY; - - MP_CHECKOK(mp_mul(a, b, r)); - MP_CHECKOK(ec_GFp_nistp256_mod(r, r, meth)); -CLEANUP: - return res; -} - -/* Wire in fast field arithmetic and precomputation of base point for - * named curves. */ -mp_err -ec_group_set_gfp256(ECGroup *group, ECCurveName name) -{ - if (name == ECCurve_NIST_P256) { - group->meth->field_mod = &ec_GFp_nistp256_mod; - group->meth->field_mul = &ec_GFp_nistp256_mul; - group->meth->field_sqr = &ec_GFp_nistp256_sqr; - } - return MP_OKAY; -} diff --git a/nss/lib/freebl/ecl/ecp_256_32.c b/nss/lib/freebl/ecl/ecp_256_32.c deleted file mode 100644 index 879396a..0000000 --- a/nss/lib/freebl/ecl/ecp_256_32.c +++ /dev/null @@ -1,1535 +0,0 @@ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -/* A 32-bit implementation of the NIST P-256 elliptic curve. */ - -#include <string.h> - -#include "prtypes.h" -#include "mpi.h" -#include "mpi-priv.h" -#include "ecp.h" - -typedef PRUint8 u8; -typedef PRUint32 u32; -typedef PRUint64 u64; - -/* Our field elements are represented as nine, unsigned 32-bit words. Freebl's - * MPI library calls them digits, but here they are called limbs, which is - * GMP's terminology. - * - * The value of an felem (field element) is: - * x[0] + (x[1] * 2**29) + (x[2] * 2**57) + ... + (x[8] * 2**228) - * - * That is, each limb is alternately 29 or 28-bits wide in little-endian - * order. - * - * This means that an felem hits 2**257, rather than 2**256 as we would like. A - * 28, 29, ... pattern would cause us to hit 2**256, but that causes problems - * when multiplying as terms end up one bit short of a limb which would require - * much bit-shifting to correct. - * - * Finally, the values stored in an felem are in Montgomery form. So the value - * |y| is stored as (y*R) mod p, where p is the P-256 prime and R is 2**257. - */ -typedef u32 limb; -#define NLIMBS 9 -typedef limb felem[NLIMBS]; - -static const limb kBottom28Bits = 0xfffffff; -static const limb kBottom29Bits = 0x1fffffff; - -/* kOne is the number 1 as an felem. It's 2**257 mod p split up into 29 and - * 28-bit words. - */ -static const felem kOne = { - 2, 0, 0, 0xffff800, - 0x1fffffff, 0xfffffff, 0x1fbfffff, 0x1ffffff, - 0 -}; -static const felem kZero = { 0 }; -static const felem kP = { - 0x1fffffff, 0xfffffff, 0x1fffffff, 0x3ff, - 0, 0, 0x200000, 0xf000000, - 0xfffffff -}; -static const felem k2P = { - 0x1ffffffe, 0xfffffff, 0x1fffffff, 0x7ff, - 0, 0, 0x400000, 0xe000000, - 0x1fffffff -}; - -/* kPrecomputed contains precomputed values to aid the calculation of scalar - * multiples of the base point, G. It's actually two, equal length, tables - * concatenated. - * - * The first table contains (x,y) felem pairs for 16 multiples of the base - * point, G. - * - * Index | Index (binary) | Value - * 0 | 0000 | 0G (all zeros, omitted) - * 1 | 0001 | G - * 2 | 0010 | 2**64G - * 3 | 0011 | 2**64G + G - * 4 | 0100 | 2**128G - * 5 | 0101 | 2**128G + G - * 6 | 0110 | 2**128G + 2**64G - * 7 | 0111 | 2**128G + 2**64G + G - * 8 | 1000 | 2**192G - * 9 | 1001 | 2**192G + G - * 10 | 1010 | 2**192G + 2**64G - * 11 | 1011 | 2**192G + 2**64G + G - * 12 | 1100 | 2**192G + 2**128G - * 13 | 1101 | 2**192G + 2**128G + G - * 14 | 1110 | 2**192G + 2**128G + 2**64G - * 15 | 1111 | 2**192G + 2**128G + 2**64G + G - * - * The second table follows the same style, but the terms are 2**32G, - * 2**96G, 2**160G, 2**224G. - * - * This is ~2KB of data. - */ -static const limb kPrecomputed[NLIMBS * 2 * 15 * 2] = { - 0x11522878, 0xe730d41, 0xdb60179, 0x4afe2ff, 0x12883add, 0xcaddd88, 0x119e7edc, 0xd4a6eab, 0x3120bee, - 0x1d2aac15, 0xf25357c, 0x19e45cdd, 0x5c721d0, 0x1992c5a5, 0xa237487, 0x154ba21, 0x14b10bb, 0xae3fe3, - 0xd41a576, 0x922fc51, 0x234994f, 0x60b60d3, 0x164586ae, 0xce95f18, 0x1fe49073, 0x3fa36cc, 0x5ebcd2c, - 0xb402f2f, 0x15c70bf, 0x1561925c, 0x5a26704, 0xda91e90, 0xcdc1c7f, 0x1ea12446, 0xe1ade1e, 0xec91f22, - 0x26f7778, 0x566847e, 0xa0bec9e, 0x234f453, 0x1a31f21a, 0xd85e75c, 0x56c7109, 0xa267a00, 0xb57c050, - 0x98fb57, 0xaa837cc, 0x60c0792, 0xcfa5e19, 0x61bab9e, 0x589e39b, 0xa324c5, 0x7d6dee7, 0x2976e4b, - 0x1fc4124a, 0xa8c244b, 0x1ce86762, 0xcd61c7e, 0x1831c8e0, 0x75774e1, 0x1d96a5a9, 0x843a649, 0xc3ab0fa, - 0x6e2e7d5, 0x7673a2a, 0x178b65e8, 0x4003e9b, 0x1a1f11c2, 0x7816ea, 0xf643e11, 0x58c43df, 0xf423fc2, - 0x19633ffa, 0x891f2b2, 0x123c231c, 0x46add8c, 0x54700dd, 0x59e2b17, 0x172db40f, 0x83e277d, 0xb0dd609, - 0xfd1da12, 0x35c6e52, 0x19ede20c, 0xd19e0c0, 0x97d0f40, 0xb015b19, 0x449e3f5, 0xe10c9e, 0x33ab581, - 0x56a67ab, 0x577734d, 0x1dddc062, 0xc57b10d, 0x149b39d, 0x26a9e7b, 0xc35df9f, 0x48764cd, 0x76dbcca, - 0xca4b366, 0xe9303ab, 0x1a7480e7, 0x57e9e81, 0x1e13eb50, 0xf466cf3, 0x6f16b20, 0x4ba3173, 0xc168c33, - 0x15cb5439, 0x6a38e11, 0x73658bd, 0xb29564f, 0x3f6dc5b, 0x53b97e, 0x1322c4c0, 0x65dd7ff, 0x3a1e4f6, - 0x14e614aa, 0x9246317, 0x1bc83aca, 0xad97eed, 0xd38ce4a, 0xf82b006, 0x341f077, 0xa6add89, 0x4894acd, - 0x9f162d5, 0xf8410ef, 0x1b266a56, 0xd7f223, 0x3e0cb92, 0xe39b672, 0x6a2901a, 0x69a8556, 0x7e7c0, - 0x9b7d8d3, 0x309a80, 0x1ad05f7f, 0xc2fb5dd, 0xcbfd41d, 0x9ceb638, 0x1051825c, 0xda0cf5b, 0x812e881, - 0x6f35669, 0x6a56f2c, 0x1df8d184, 0x345820, 0x1477d477, 0x1645db1, 0xbe80c51, 0xc22be3e, 0xe35e65a, - 0x1aeb7aa0, 0xc375315, 0xf67bc99, 0x7fdd7b9, 0x191fc1be, 0x61235d, 0x2c184e9, 0x1c5a839, 0x47a1e26, - 0xb7cb456, 0x93e225d, 0x14f3c6ed, 0xccc1ac9, 0x17fe37f3, 0x4988989, 0x1a90c502, 0x2f32042, 0xa17769b, - 0xafd8c7c, 0x8191c6e, 0x1dcdb237, 0x16200c0, 0x107b32a1, 0x66c08db, 0x10d06a02, 0x3fc93, 0x5620023, - 0x16722b27, 0x68b5c59, 0x270fcfc, 0xfad0ecc, 0xe5de1c2, 0xeab466b, 0x2fc513c, 0x407f75c, 0xbaab133, - 0x9705fe9, 0xb88b8e7, 0x734c993, 0x1e1ff8f, 0x19156970, 0xabd0f00, 0x10469ea7, 0x3293ac0, 0xcdc98aa, - 0x1d843fd, 0xe14bfe8, 0x15be825f, 0x8b5212, 0xeb3fb67, 0x81cbd29, 0xbc62f16, 0x2b6fcc7, 0xf5a4e29, - 0x13560b66, 0xc0b6ac2, 0x51ae690, 0xd41e271, 0xf3e9bd4, 0x1d70aab, 0x1029f72, 0x73e1c35, 0xee70fbc, - 0xad81baf, 0x9ecc49a, 0x86c741e, 0xfe6be30, 0x176752e7, 0x23d416, 0x1f83de85, 0x27de188, 0x66f70b8, - 0x181cd51f, 0x96b6e4c, 0x188f2335, 0xa5df759, 0x17a77eb6, 0xfeb0e73, 0x154ae914, 0x2f3ec51, 0x3826b59, - 0xb91f17d, 0x1c72949, 0x1362bf0a, 0xe23fddf, 0xa5614b0, 0xf7d8f, 0x79061, 0x823d9d2, 0x8213f39, - 0x1128ae0b, 0xd095d05, 0xb85c0c2, 0x1ecb2ef, 0x24ddc84, 0xe35e901, 0x18411a4a, 0xf5ddc3d, 0x3786689, - 0x52260e8, 0x5ae3564, 0x542b10d, 0x8d93a45, 0x19952aa4, 0x996cc41, 0x1051a729, 0x4be3499, 0x52b23aa, - 0x109f307e, 0x6f5b6bb, 0x1f84e1e7, 0x77a0cfa, 0x10c4df3f, 0x25a02ea, 0xb048035, 0xe31de66, 0xc6ecaa3, - 0x28ea335, 0x2886024, 0x1372f020, 0xf55d35, 0x15e4684c, 0xf2a9e17, 0x1a4a7529, 0xcb7beb1, 0xb2a78a1, - 0x1ab21f1f, 0x6361ccf, 0x6c9179d, 0xb135627, 0x1267b974, 0x4408bad, 0x1cbff658, 0xe3d6511, 0xc7d76f, - 0x1cc7a69, 0xe7ee31b, 0x54fab4f, 0x2b914f, 0x1ad27a30, 0xcd3579e, 0xc50124c, 0x50daa90, 0xb13f72, - 0xb06aa75, 0x70f5cc6, 0x1649e5aa, 0x84a5312, 0x329043c, 0x41c4011, 0x13d32411, 0xb04a838, 0xd760d2d, - 0x1713b532, 0xbaa0c03, 0x84022ab, 0x6bcf5c1, 0x2f45379, 0x18ae070, 0x18c9e11e, 0x20bca9a, 0x66f496b, - 0x3eef294, 0x67500d2, 0xd7f613c, 0x2dbbeb, 0xb741038, 0xe04133f, 0x1582968d, 0xbe985f7, 0x1acbc1a, - 0x1a6a939f, 0x33e50f6, 0xd665ed4, 0xb4b7bd6, 0x1e5a3799, 0x6b33847, 0x17fa56ff, 0x65ef930, 0x21dc4a, - 0x2b37659, 0x450fe17, 0xb357b65, 0xdf5efac, 0x15397bef, 0x9d35a7f, 0x112ac15f, 0x624e62e, 0xa90ae2f, - 0x107eecd2, 0x1f69bbe, 0x77d6bce, 0x5741394, 0x13c684fc, 0x950c910, 0x725522b, 0xdc78583, 0x40eeabb, - 0x1fde328a, 0xbd61d96, 0xd28c387, 0x9e77d89, 0x12550c40, 0x759cb7d, 0x367ef34, 0xae2a960, 0x91b8bdc, - 0x93462a9, 0xf469ef, 0xb2e9aef, 0xd2ca771, 0x54e1f42, 0x7aaa49, 0x6316abb, 0x2413c8e, 0x5425bf9, - 0x1bed3e3a, 0xf272274, 0x1f5e7326, 0x6416517, 0xea27072, 0x9cedea7, 0x6e7633, 0x7c91952, 0xd806dce, - 0x8e2a7e1, 0xe421e1a, 0x418c9e1, 0x1dbc890, 0x1b395c36, 0xa1dc175, 0x1dc4ef73, 0x8956f34, 0xe4b5cf2, - 0x1b0d3a18, 0x3194a36, 0x6c2641f, 0xe44124c, 0xa2f4eaa, 0xa8c25ba, 0xf927ed7, 0x627b614, 0x7371cca, - 0xba16694, 0x417bc03, 0x7c0a7e3, 0x9c35c19, 0x1168a205, 0x8b6b00d, 0x10e3edc9, 0x9c19bf2, 0x5882229, - 0x1b2b4162, 0xa5cef1a, 0x1543622b, 0x9bd433e, 0x364e04d, 0x7480792, 0x5c9b5b3, 0xe85ff25, 0x408ef57, - 0x1814cfa4, 0x121b41b, 0xd248a0f, 0x3b05222, 0x39bb16a, 0xc75966d, 0xa038113, 0xa4a1769, 0x11fbc6c, - 0x917e50e, 0xeec3da8, 0x169d6eac, 0x10c1699, 0xa416153, 0xf724912, 0x15cd60b7, 0x4acbad9, 0x5efc5fa, - 0xf150ed7, 0x122b51, 0x1104b40a, 0xcb7f442, 0xfbb28ff, 0x6ac53ca, 0x196142cc, 0x7bf0fa9, 0x957651, - 0x4e0f215, 0xed439f8, 0x3f46bd5, 0x5ace82f, 0x110916b6, 0x6db078, 0xffd7d57, 0xf2ecaac, 0xca86dec, - 0x15d6b2da, 0x965ecc9, 0x1c92b4c2, 0x1f3811, 0x1cb080f5, 0x2d8b804, 0x19d1c12d, 0xf20bd46, 0x1951fa7, - 0xa3656c3, 0x523a425, 0xfcd0692, 0xd44ddc8, 0x131f0f5b, 0xaf80e4a, 0xcd9fc74, 0x99bb618, 0x2db944c, - 0xa673090, 0x1c210e1, 0x178c8d23, 0x1474383, 0x10b8743d, 0x985a55b, 0x2e74779, 0x576138, 0x9587927, - 0x133130fa, 0xbe05516, 0x9f4d619, 0xbb62570, 0x99ec591, 0xd9468fe, 0x1d07782d, 0xfc72e0b, 0x701b298, - 0x1863863b, 0x85954b8, 0x121a0c36, 0x9e7fedf, 0xf64b429, 0x9b9d71e, 0x14e2f5d8, 0xf858d3a, 0x942eea8, - 0xda5b765, 0x6edafff, 0xa9d18cc, 0xc65e4ba, 0x1c747e86, 0xe4ea915, 0x1981d7a1, 0x8395659, 0x52ed4e2, - 0x87d43b7, 0x37ab11b, 0x19d292ce, 0xf8d4692, 0x18c3053f, 0x8863e13, 0x4c146c0, 0x6bdf55a, 0x4e4457d, - 0x16152289, 0xac78ec2, 0x1a59c5a2, 0x2028b97, 0x71c2d01, 0x295851f, 0x404747b, 0x878558d, 0x7d29aa4, - 0x13d8341f, 0x8daefd7, 0x139c972d, 0x6b7ea75, 0xd4a9dde, 0xff163d8, 0x81d55d7, 0xa5bef68, 0xb7b30d8, - 0xbe73d6f, 0xaa88141, 0xd976c81, 0x7e7a9cc, 0x18beb771, 0xd773cbd, 0x13f51951, 0x9d0c177, 0x1c49a78 -}; - -/* Field element operations: - */ - -/* NON_ZERO_TO_ALL_ONES returns: - * 0xffffffff for 0 < x <= 2**31 - * 0 for x == 0 or x > 2**31. - * - * x must be a u32 or an equivalent type such as limb. - */ -#define NON_ZERO_TO_ALL_ONES(x) ((((u32)(x)-1) >> 31) - 1) - -/* felem_reduce_carry adds a multiple of p in order to cancel |carry|, - * which is a term at 2**257. - * - * On entry: carry < 2**3, inout[0,2,...] < 2**29, inout[1,3,...] < 2**28. - * On exit: inout[0,2,..] < 2**30, inout[1,3,...] < 2**29. - */ -static void -felem_reduce_carry(felem inout, limb carry) -{ - const u32 carry_mask = NON_ZERO_TO_ALL_ONES(carry); - - inout[0] += carry << 1; - inout[3] += 0x10000000 & carry_mask; - /* carry < 2**3 thus (carry << 11) < 2**14 and we added 2**28 in the - * previous line therefore this doesn't underflow. - */ - inout[3] -= carry << 11; - inout[4] += (0x20000000 - 1) & carry_mask; - inout[5] += (0x10000000 - 1) & carry_mask; - inout[6] += (0x20000000 - 1) & carry_mask; - inout[6] -= carry << 22; - /* This may underflow if carry is non-zero but, if so, we'll fix it in the - * next line. - */ - inout[7] -= 1 & carry_mask; - inout[7] += carry << 25; -} - -/* felem_sum sets out = in+in2. - * - * On entry, in[i]+in2[i] must not overflow a 32-bit word. - * On exit: out[0,2,...] < 2**30, out[1,3,...] < 2**29 - */ -static void -felem_sum(felem out, const felem in, const felem in2) -{ - limb carry = 0; - unsigned int i; - for (i = 0;; i++) { - out[i] = in[i] + in2[i]; - out[i] += carry; - carry = out[i] >> 29; - out[i] &= kBottom29Bits; - - i++; - if (i == NLIMBS) - break; - - out[i] = in[i] + in2[i]; - out[i] += carry; - carry = out[i] >> 28; - out[i] &= kBottom28Bits; - } - - felem_reduce_carry(out, carry); -} - -#define two31m3 (((limb)1) << 31) - (((limb)1) << 3) -#define two30m2 (((limb)1) << 30) - (((limb)1) << 2) -#define two30p13m2 (((limb)1) << 30) + (((limb)1) << 13) - (((limb)1) << 2) -#define two31m2 (((limb)1) << 31) - (((limb)1) << 2) -#define two31p24m2 (((limb)1) << 31) + (((limb)1) << 24) - (((limb)1) << 2) -#define two30m27m2 (((limb)1) << 30) - (((limb)1) << 27) - (((limb)1) << 2) - -/* zero31 is 0 mod p. - */ -static const felem zero31 = { - two31m3, two30m2, two31m2, two30p13m2, - two31m2, two30m2, two31p24m2, two30m27m2, - two31m2 -}; - -/* felem_diff sets out = in-in2. - * - * On entry: in[0,2,...] < 2**30, in[1,3,...] < 2**29 and - * in2[0,2,...] < 2**30, in2[1,3,...] < 2**29. - * On exit: out[0,2,...] < 2**30, out[1,3,...] < 2**29. - */ -static void -felem_diff(felem out, const felem in, const felem in2) -{ - limb carry = 0; - unsigned int i; - - for (i = 0;; i++) { - out[i] = in[i] - in2[i]; - out[i] += zero31[i]; - out[i] += carry; - carry = out[i] >> 29; - out[i] &= kBottom29Bits; - - i++; - if (i == NLIMBS) - break; - - out[i] = in[i] - in2[i]; - out[i] += zero31[i]; - out[i] += carry; - carry = out[i] >> 28; - out[i] &= kBottom28Bits; - } - - felem_reduce_carry(out, carry); -} - -/* felem_reduce_degree sets out = tmp/R mod p where tmp contains 64-bit words - * with the same 29,28,... bit positions as an felem. - * - * The values in felems are in Montgomery form: x*R mod p where R = 2**257. - * Since we just multiplied two Montgomery values together, the result is - * x*y*R*R mod p. We wish to divide by R in order for the result also to be - * in Montgomery form. - * - * On entry: tmp[i] < 2**64 - * On exit: out[0,2,...] < 2**30, out[1,3,...] < 2**29 - */ -static void -felem_reduce_degree(felem out, u64 tmp[17]) -{ - /* The following table may be helpful when reading this code: - * - * Limb number: 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10... - * Width (bits): 29| 28| 29| 28| 29| 28| 29| 28| 29| 28| 29 - * Start bit: 0 | 29| 57| 86|114|143|171|200|228|257|285 - * (odd phase): 0 | 28| 57| 85|114|142|171|199|228|256|285 - */ - limb tmp2[18], carry, x, xMask; - unsigned int i; - - /* tmp contains 64-bit words with the same 29,28,29-bit positions as an - * felem. So the top of an element of tmp might overlap with another - * element two positions down. The following loop eliminates this - * overlap. - */ - tmp2[0] = tmp[0] & kBottom29Bits; - - /* In the following we use "(limb) tmp[x]" and "(limb) (tmp[x]>>32)" to try - * and hint to the compiler that it can do a single-word shift by selecting - * the right register rather than doing a double-word shift and truncating - * afterwards. - */ - tmp2[1] = ((limb)tmp[0]) >> 29; - tmp2[1] |= (((limb)(tmp[0] >> 32)) << 3) & kBottom28Bits; - tmp2[1] += ((limb)tmp[1]) & kBottom28Bits; - carry = tmp2[1] >> 28; - tmp2[1] &= kBottom28Bits; - - for (i = 2; i < 17; i++) { - tmp2[i] = ((limb)(tmp[i - 2] >> 32)) >> 25; - tmp2[i] += ((limb)(tmp[i - 1])) >> 28; - tmp2[i] += (((limb)(tmp[i - 1] >> 32)) << 4) & kBottom29Bits; - tmp2[i] += ((limb)tmp[i]) & kBottom29Bits; - tmp2[i] += carry; - carry = tmp2[i] >> 29; - tmp2[i] &= kBottom29Bits; - - i++; - if (i == 17) - break; - tmp2[i] = ((limb)(tmp[i - 2] >> 32)) >> 25; - tmp2[i] += ((limb)(tmp[i - 1])) >> 29; - tmp2[i] += (((limb)(tmp[i - 1] >> 32)) << 3) & kBottom28Bits; - tmp2[i] += ((limb)tmp[i]) & kBottom28Bits; - tmp2[i] += carry; - carry = tmp2[i] >> 28; - tmp2[i] &= kBottom28Bits; - } - - tmp2[17] = ((limb)(tmp[15] >> 32)) >> 25; - tmp2[17] += ((limb)(tmp[16])) >> 29; - tmp2[17] += (((limb)(tmp[16] >> 32)) << 3); - tmp2[17] += carry; - - /* Montgomery elimination of terms: - * - * Since R is 2**257, we can divide by R with a bitwise shift if we can - * ensure that the right-most 257 bits are all zero. We can make that true - * by adding multiplies of p without affecting the value. - * - * So we eliminate limbs from right to left. Since the bottom 29 bits of p - * are all ones, then by adding tmp2[0]*p to tmp2 we'll make tmp2[0] == 0. - * We can do that for 8 further limbs and then right shift to eliminate the - * extra factor of R. - */ - for (i = 0;; i += 2) { - tmp2[i + 1] += tmp2[i] >> 29; - x = tmp2[i] & kBottom29Bits; - xMask = NON_ZERO_TO_ALL_ONES(x); - tmp2[i] = 0; - - /* The bounds calculations for this loop are tricky. Each iteration of - * the loop eliminates two words by adding values to words to their - * right. - * - * The following table contains the amounts added to each word (as an - * offset from the value of i at the top of the loop). The amounts are - * accounted for from the first and second half of the loop separately - * and are written as, for example, 28 to mean a value <2**28. - * - * Word: 3 4 5 6 7 8 9 10 - * Added in top half: 28 11 29 21 29 28 - * 28 29 - * 29 - * Added in bottom half: 29 10 28 21 28 28 - * 29 - * - * The value that is currently offset 7 will be offset 5 for the next - * iteration and then offset 3 for the iteration after that. Therefore - * the total value added will be the values added at 7, 5 and 3. - * - * The following table accumulates these values. The sums at the bottom - * are written as, for example, 29+28, to mean a value < 2**29+2**28. - * - * Word: 3 4 5 6 7 8 9 10 11 12 13 - * 28 11 10 29 21 29 28 28 28 28 28 - * 29 28 11 28 29 28 29 28 29 28 - * 29 28 21 21 29 21 29 21 - * 10 29 28 21 28 21 28 - * 28 29 28 29 28 29 28 - * 11 10 29 10 29 10 - * 29 28 11 28 11 - * 29 29 - * -------------------------------------------- - * 30+ 31+ 30+ 31+ 30+ - * 28+ 29+ 28+ 29+ 21+ - * 21+ 28+ 21+ 28+ 10 - * 10 21+ 10 21+ - * 11 11 - * - * So the greatest amount is added to tmp2[10] and tmp2[12]. If - * tmp2[10/12] has an initial value of <2**29, then the maximum value - * will be < 2**31 + 2**30 + 2**28 + 2**21 + 2**11, which is < 2**32, - * as required. - */ - tmp2[i + 3] += (x << 10) & kBottom28Bits; - tmp2[i + 4] += (x >> 18); - - tmp2[i + 6] += (x << 21) & kBottom29Bits; - tmp2[i + 7] += x >> 8; - - /* At position 200, which is the starting bit position for word 7, we - * have a factor of 0xf000000 = 2**28 - 2**24. - */ - tmp2[i + 7] += 0x10000000 & xMask; - /* Word 7 is 28 bits wide, so the 2**28 term exactly hits word 8. */ - tmp2[i + 8] += (x - 1) & xMask; - tmp2[i + 7] -= (x << 24) & kBottom28Bits; - tmp2[i + 8] -= x >> 4; - - tmp2[i + 8] += 0x20000000 & xMask; - tmp2[i + 8] -= x; - tmp2[i + 8] += (x << 28) & kBottom29Bits; - tmp2[i + 9] += ((x >> 1) - 1) & xMask; - - if (i + 1 == NLIMBS) - break; - tmp2[i + 2] += tmp2[i + 1] >> 28; - x = tmp2[i + 1] & kBottom28Bits; - xMask = NON_ZERO_TO_ALL_ONES(x); - tmp2[i + 1] = 0; - - tmp2[i + 4] += (x << 11) & kBottom29Bits; - tmp2[i + 5] += (x >> 18); - - tmp2[i + 7] += (x << 21) & kBottom28Bits; - tmp2[i + 8] += x >> 7; - - /* At position 199, which is the starting bit of the 8th word when - * dealing with a context starting on an odd word, we have a factor of - * 0x1e000000 = 2**29 - 2**25. Since we have not updated i, the 8th - * word from i+1 is i+8. - */ - tmp2[i + 8] += 0x20000000 & xMask; - tmp2[i + 9] += (x - 1) & xMask; - tmp2[i + 8] -= (x << 25) & kBottom29Bits; - tmp2[i + 9] -= x >> 4; - - tmp2[i + 9] += 0x10000000 & xMask; - tmp2[i + 9] -= x; - tmp2[i + 10] += (x - 1) & xMask; - } - - /* We merge the right shift with a carry chain. The words above 2**257 have - * widths of 28,29,... which we need to correct when copying them down. - */ - carry = 0; - for (i = 0; i < 8; i++) { - /* The maximum value of tmp2[i + 9] occurs on the first iteration and - * is < 2**30+2**29+2**28. Adding 2**29 (from tmp2[i + 10]) is - * therefore safe. - */ - out[i] = tmp2[i + 9]; - out[i] += carry; - out[i] += (tmp2[i + 10] << 28) & kBottom29Bits; - carry = out[i] >> 29; - out[i] &= kBottom29Bits; - - i++; - out[i] = tmp2[i + 9] >> 1; - out[i] += carry; - carry = out[i] >> 28; - out[i] &= kBottom28Bits; - } - - out[8] = tmp2[17]; - out[8] += carry; - carry = out[8] >> 29; - out[8] &= kBottom29Bits; - - felem_reduce_carry(out, carry); -} - -/* felem_square sets out=in*in. - * - * On entry: in[0,2,...] < 2**30, in[1,3,...] < 2**29. - * On exit: out[0,2,...] < 2**30, out[1,3,...] < 2**29. - */ -static void -felem_square(felem out, const felem in) -{ - u64 tmp[17]; - - tmp[0] = ((u64)in[0]) * in[0]; - tmp[1] = ((u64)in[0]) * (in[1] << 1); - tmp[2] = ((u64)in[0]) * (in[2] << 1) + - ((u64)in[1]) * (in[1] << 1); - tmp[3] = ((u64)in[0]) * (in[3] << 1) + - ((u64)in[1]) * (in[2] << 1); - tmp[4] = ((u64)in[0]) * (in[4] << 1) + - ((u64)in[1]) * (in[3] << 2) + - ((u64)in[2]) * in[2]; - tmp[5] = ((u64)in[0]) * (in[5] << 1) + - ((u64)in[1]) * (in[4] << 1) + - ((u64)in[2]) * (in[3] << 1); - tmp[6] = ((u64)in[0]) * (in[6] << 1) + - ((u64)in[1]) * (in[5] << 2) + - ((u64)in[2]) * (in[4] << 1) + - ((u64)in[3]) * (in[3] << 1); - tmp[7] = ((u64)in[0]) * (in[7] << 1) + - ((u64)in[1]) * (in[6] << 1) + - ((u64)in[2]) * (in[5] << 1) + - ((u64)in[3]) * (in[4] << 1); - /* tmp[8] has the greatest value of 2**61 + 2**60 + 2**61 + 2**60 + 2**60, - * which is < 2**64 as required. - */ - tmp[8] = ((u64)in[0]) * (in[8] << 1) + - ((u64)in[1]) * (in[7] << 2) + - ((u64)in[2]) * (in[6] << 1) + - ((u64)in[3]) * (in[5] << 2) + - ((u64)in[4]) * in[4]; - tmp[9] = ((u64)in[1]) * (in[8] << 1) + - ((u64)in[2]) * (in[7] << 1) + - ((u64)in[3]) * (in[6] << 1) + - ((u64)in[4]) * (in[5] << 1); - tmp[10] = ((u64)in[2]) * (in[8] << 1) + - ((u64)in[3]) * (in[7] << 2) + - ((u64)in[4]) * (in[6] << 1) + - ((u64)in[5]) * (in[5] << 1); - tmp[11] = ((u64)in[3]) * (in[8] << 1) + - ((u64)in[4]) * (in[7] << 1) + - ((u64)in[5]) * (in[6] << 1); - tmp[12] = ((u64)in[4]) * (in[8] << 1) + - ((u64)in[5]) * (in[7] << 2) + - ((u64)in[6]) * in[6]; - tmp[13] = ((u64)in[5]) * (in[8] << 1) + - ((u64)in[6]) * (in[7] << 1); - tmp[14] = ((u64)in[6]) * (in[8] << 1) + - ((u64)in[7]) * (in[7] << 1); - tmp[15] = ((u64)in[7]) * (in[8] << 1); - tmp[16] = ((u64)in[8]) * in[8]; - - felem_reduce_degree(out, tmp); -} - -/* felem_mul sets out=in*in2. - * - * On entry: in[0,2,...] < 2**30, in[1,3,...] < 2**29 and - * in2[0,2,...] < 2**30, in2[1,3,...] < 2**29. - * On exit: out[0,2,...] < 2**30, out[1,3,...] < 2**29. - */ -static void -felem_mul(felem out, const felem in, const felem in2) -{ - u64 tmp[17]; - - tmp[0] = ((u64)in[0]) * in2[0]; - tmp[1] = ((u64)in[0]) * (in2[1] << 0) + - ((u64)in[1]) * (in2[0] << 0); - tmp[2] = ((u64)in[0]) * (in2[2] << 0) + - ((u64)in[1]) * (in2[1] << 1) + - ((u64)in[2]) * (in2[0] << 0); - tmp[3] = ((u64)in[0]) * (in2[3] << 0) + - ((u64)in[1]) * (in2[2] << 0) + - ((u64)in[2]) * (in2[1] << 0) + - ((u64)in[3]) * (in2[0] << 0); - tmp[4] = ((u64)in[0]) * (in2[4] << 0) + - ((u64)in[1]) * (in2[3] << 1) + - ((u64)in[2]) * (in2[2] << 0) + - ((u64)in[3]) * (in2[1] << 1) + - ((u64)in[4]) * (in2[0] << 0); - tmp[5] = ((u64)in[0]) * (in2[5] << 0) + - ((u64)in[1]) * (in2[4] << 0) + - ((u64)in[2]) * (in2[3] << 0) + - ((u64)in[3]) * (in2[2] << 0) + - ((u64)in[4]) * (in2[1] << 0) + - ((u64)in[5]) * (in2[0] << 0); - tmp[6] = ((u64)in[0]) * (in2[6] << 0) + - ((u64)in[1]) * (in2[5] << 1) + - ((u64)in[2]) * (in2[4] << 0) + - ((u64)in[3]) * (in2[3] << 1) + - ((u64)in[4]) * (in2[2] << 0) + - ((u64)in[5]) * (in2[1] << 1) + - ((u64)in[6]) * (in2[0] << 0); - tmp[7] = ((u64)in[0]) * (in2[7] << 0) + - ((u64)in[1]) * (in2[6] << 0) + - ((u64)in[2]) * (in2[5] << 0) + - ((u64)in[3]) * (in2[4] << 0) + - ((u64)in[4]) * (in2[3] << 0) + - ((u64)in[5]) * (in2[2] << 0) + - ((u64)in[6]) * (in2[1] << 0) + - ((u64)in[7]) * (in2[0] << 0); - /* tmp[8] has the greatest value but doesn't overflow. See logic in - * felem_square. - */ - tmp[8] = ((u64)in[0]) * (in2[8] << 0) + - ((u64)in[1]) * (in2[7] << 1) + - ((u64)in[2]) * (in2[6] << 0) + - ((u64)in[3]) * (in2[5] << 1) + - ((u64)in[4]) * (in2[4] << 0) + - ((u64)in[5]) * (in2[3] << 1) + - ((u64)in[6]) * (in2[2] << 0) + - ((u64)in[7]) * (in2[1] << 1) + - ((u64)in[8]) * (in2[0] << 0); - tmp[9] = ((u64)in[1]) * (in2[8] << 0) + - ((u64)in[2]) * (in2[7] << 0) + - ((u64)in[3]) * (in2[6] << 0) + - ((u64)in[4]) * (in2[5] << 0) + - ((u64)in[5]) * (in2[4] << 0) + - ((u64)in[6]) * (in2[3] << 0) + - ((u64)in[7]) * (in2[2] << 0) + - ((u64)in[8]) * (in2[1] << 0); - tmp[10] = ((u64)in[2]) * (in2[8] << 0) + - ((u64)in[3]) * (in2[7] << 1) + - ((u64)in[4]) * (in2[6] << 0) + - ((u64)in[5]) * (in2[5] << 1) + - ((u64)in[6]) * (in2[4] << 0) + - ((u64)in[7]) * (in2[3] << 1) + - ((u64)in[8]) * (in2[2] << 0); - tmp[11] = ((u64)in[3]) * (in2[8] << 0) + - ((u64)in[4]) * (in2[7] << 0) + - ((u64)in[5]) * (in2[6] << 0) + - ((u64)in[6]) * (in2[5] << 0) + - ((u64)in[7]) * (in2[4] << 0) + - ((u64)in[8]) * (in2[3] << 0); - tmp[12] = ((u64)in[4]) * (in2[8] << 0) + - ((u64)in[5]) * (in2[7] << 1) + - ((u64)in[6]) * (in2[6] << 0) + - ((u64)in[7]) * (in2[5] << 1) + - ((u64)in[8]) * (in2[4] << 0); - tmp[13] = ((u64)in[5]) * (in2[8] << 0) + - ((u64)in[6]) * (in2[7] << 0) + - ((u64)in[7]) * (in2[6] << 0) + - ((u64)in[8]) * (in2[5] << 0); - tmp[14] = ((u64)in[6]) * (in2[8] << 0) + - ((u64)in[7]) * (in2[7] << 1) + - ((u64)in[8]) * (in2[6] << 0); - tmp[15] = ((u64)in[7]) * (in2[8] << 0) + - ((u64)in[8]) * (in2[7] << 0); - tmp[16] = ((u64)in[8]) * (in2[8] << 0); - - felem_reduce_degree(out, tmp); -} - -static void -felem_assign(felem out, const felem in) -{ - memcpy(out, in, sizeof(felem)); -} - -/* felem_inv calculates |out| = |in|^{-1} - * - * Based on Fermat's Little Theorem: - * a^p = a (mod p) - * a^{p-1} = 1 (mod p) - * a^{p-2} = a^{-1} (mod p) - */ -static void -felem_inv(felem out, const felem in) -{ - felem ftmp, ftmp2; - /* each e_I will hold |in|^{2^I - 1} */ - felem e2, e4, e8, e16, e32, e64; - unsigned int i; - - felem_square(ftmp, in); /* 2^1 */ - felem_mul(ftmp, in, ftmp); /* 2^2 - 2^0 */ - felem_assign(e2, ftmp); - felem_square(ftmp, ftmp); /* 2^3 - 2^1 */ - felem_square(ftmp, ftmp); /* 2^4 - 2^2 */ - felem_mul(ftmp, ftmp, e2); /* 2^4 - 2^0 */ - felem_assign(e4, ftmp); - felem_square(ftmp, ftmp); /* 2^5 - 2^1 */ - felem_square(ftmp, ftmp); /* 2^6 - 2^2 */ - felem_square(ftmp, ftmp); /* 2^7 - 2^3 */ - felem_square(ftmp, ftmp); /* 2^8 - 2^4 */ - felem_mul(ftmp, ftmp, e4); /* 2^8 - 2^0 */ - felem_assign(e8, ftmp); - for (i = 0; i < 8; i++) { - felem_square(ftmp, ftmp); - } /* 2^16 - 2^8 */ - felem_mul(ftmp, ftmp, e8); /* 2^16 - 2^0 */ - felem_assign(e16, ftmp); - for (i = 0; i < 16; i++) { - felem_square(ftmp, ftmp); - } /* 2^32 - 2^16 */ - felem_mul(ftmp, ftmp, e16); /* 2^32 - 2^0 */ - felem_assign(e32, ftmp); - for (i = 0; i < 32; i++) { - felem_square(ftmp, ftmp); - } /* 2^64 - 2^32 */ - felem_assign(e64, ftmp); - felem_mul(ftmp, ftmp, in); /* 2^64 - 2^32 + 2^0 */ - for (i = 0; i < 192; i++) { - felem_square(ftmp, ftmp); - } /* 2^256 - 2^224 + 2^192 */ - - felem_mul(ftmp2, e64, e32); /* 2^64 - 2^0 */ - for (i = 0; i < 16; i++) { - felem_square(ftmp2, ftmp2); - } /* 2^80 - 2^16 */ - felem_mul(ftmp2, ftmp2, e16); /* 2^80 - 2^0 */ - for (i = 0; i < 8; i++) { - felem_square(ftmp2, ftmp2); - } /* 2^88 - 2^8 */ - felem_mul(ftmp2, ftmp2, e8); /* 2^88 - 2^0 */ - for (i = 0; i < 4; i++) { - felem_square(ftmp2, ftmp2); - } /* 2^92 - 2^4 */ - felem_mul(ftmp2, ftmp2, e4); /* 2^92 - 2^0 */ - felem_square(ftmp2, ftmp2); /* 2^93 - 2^1 */ - felem_square(ftmp2, ftmp2); /* 2^94 - 2^2 */ - felem_mul(ftmp2, ftmp2, e2); /* 2^94 - 2^0 */ - felem_square(ftmp2, ftmp2); /* 2^95 - 2^1 */ - felem_square(ftmp2, ftmp2); /* 2^96 - 2^2 */ - felem_mul(ftmp2, ftmp2, in); /* 2^96 - 3 */ - - felem_mul(out, ftmp2, ftmp); /* 2^256 - 2^224 + 2^192 + 2^96 - 3 */ -} - -/* felem_scalar_3 sets out=3*out. - * - * On entry: out[0,2,...] < 2**30, out[1,3,...] < 2**29. - * On exit: out[0,2,...] < 2**30, out[1,3,...] < 2**29. - */ -static void -felem_scalar_3(felem out) -{ - limb carry = 0; - unsigned int i; - - for (i = 0;; i++) { - out[i] *= 3; - out[i] += carry; - carry = out[i] >> 29; - out[i] &= kBottom29Bits; - - i++; - if (i == NLIMBS) - break; - - out[i] *= 3; - out[i] += carry; - carry = out[i] >> 28; - out[i] &= kBottom28Bits; - } - - felem_reduce_carry(out, carry); -} - -/* felem_scalar_4 sets out=4*out. - * - * On entry: out[0,2,...] < 2**30, out[1,3,...] < 2**29. - * On exit: out[0,2,...] < 2**30, out[1,3,...] < 2**29. - */ -static void -felem_scalar_4(felem out) -{ - limb carry = 0, next_carry; - unsigned int i; - - for (i = 0;; i++) { - next_carry = out[i] >> 27; - out[i] <<= 2; - out[i] &= kBottom29Bits; - out[i] += carry; - carry = next_carry + (out[i] >> 29); - out[i] &= kBottom29Bits; - - i++; - if (i == NLIMBS) - break; - next_carry = out[i] >> 26; - out[i] <<= 2; - out[i] &= kBottom28Bits; - out[i] += carry; - carry = next_carry + (out[i] >> 28); - out[i] &= kBottom28Bits; - } - - felem_reduce_carry(out, carry); -} - -/* felem_scalar_8 sets out=8*out. - * - * On entry: out[0,2,...] < 2**30, out[1,3,...] < 2**29. - * On exit: out[0,2,...] < 2**30, out[1,3,...] < 2**29. - */ -static void -felem_scalar_8(felem out) -{ - limb carry = 0, next_carry; - unsigned int i; - - for (i = 0;; i++) { - next_carry = out[i] >> 26; - out[i] <<= 3; - out[i] &= kBottom29Bits; - out[i] += carry; - carry = next_carry + (out[i] >> 29); - out[i] &= kBottom29Bits; - - i++; - if (i == NLIMBS) - break; - next_carry = out[i] >> 25; - out[i] <<= 3; - out[i] &= kBottom28Bits; - out[i] += carry; - carry = next_carry + (out[i] >> 28); - out[i] &= kBottom28Bits; - } - - felem_reduce_carry(out, carry); -} - -/* felem_is_zero_vartime returns 1 iff |in| == 0. It takes a variable amount of - * time depending on the value of |in|. - */ -static char -felem_is_zero_vartime(const felem in) -{ - limb carry; - int i; - limb tmp[NLIMBS]; - felem_assign(tmp, in); - - /* First, reduce tmp to a minimal form. - */ - do { - carry = 0; - for (i = 0;; i++) { - tmp[i] += carry; - carry = tmp[i] >> 29; - tmp[i] &= kBottom29Bits; - - i++; - if (i == NLIMBS) - break; - - tmp[i] += carry; - carry = tmp[i] >> 28; - tmp[i] &= kBottom28Bits; - } - - felem_reduce_carry(tmp, carry); - } while (carry); - - /* tmp < 2**257, so the only possible zero values are 0, p and 2p. - */ - return memcmp(tmp, kZero, sizeof(tmp)) == 0 || - memcmp(tmp, kP, sizeof(tmp)) == 0 || - memcmp(tmp, k2P, sizeof(tmp)) == 0; -} - -/* Group operations: - * - * Elements of the elliptic curve group are represented in Jacobian - * coordinates: (x, y, z). An affine point (x', y') is x'=x/z**2, y'=y/z**3 in - * Jacobian form. - */ - -/* point_double sets {x_out,y_out,z_out} = 2*{x,y,z}. - * - * See http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#doubling-dbl-2009-l - */ -static void -point_double(felem x_out, felem y_out, felem z_out, - const felem x, const felem y, const felem z) -{ - felem delta, gamma, alpha, beta, tmp, tmp2; - - felem_square(delta, z); - felem_square(gamma, y); - felem_mul(beta, x, gamma); - - felem_sum(tmp, x, delta); - felem_diff(tmp2, x, delta); - felem_mul(alpha, tmp, tmp2); - felem_scalar_3(alpha); - - felem_sum(tmp, y, z); - felem_square(tmp, tmp); - felem_diff(tmp, tmp, gamma); - felem_diff(z_out, tmp, delta); - - felem_scalar_4(beta); - felem_square(x_out, alpha); - felem_diff(x_out, x_out, beta); - felem_diff(x_out, x_out, beta); - - felem_diff(tmp, beta, x_out); - felem_mul(tmp, alpha, tmp); - felem_square(tmp2, gamma); - felem_scalar_8(tmp2); - felem_diff(y_out, tmp, tmp2); -} - -/* point_add_mixed sets {x_out,y_out,z_out} = {x1,y1,z1} + {x2,y2,1}. - * (i.e. the second point is affine.) - * - * See http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#addition-add-2007-bl - * - * Note that this function does not handle P+P, infinity+P nor P+infinity - * correctly. - */ -static void -point_add_mixed(felem x_out, felem y_out, felem z_out, - const felem x1, const felem y1, const felem z1, - const felem x2, const felem y2) -{ - felem z1z1, z1z1z1, s2, u2, h, i, j, r, rr, v, tmp; - - felem_square(z1z1, z1); - felem_sum(tmp, z1, z1); - - felem_mul(u2, x2, z1z1); - felem_mul(z1z1z1, z1, z1z1); - felem_mul(s2, y2, z1z1z1); - felem_diff(h, u2, x1); - felem_sum(i, h, h); - felem_square(i, i); - felem_mul(j, h, i); - felem_diff(r, s2, y1); - felem_sum(r, r, r); - felem_mul(v, x1, i); - - felem_mul(z_out, tmp, h); - felem_square(rr, r); - felem_diff(x_out, rr, j); - felem_diff(x_out, x_out, v); - felem_diff(x_out, x_out, v); - - felem_diff(tmp, v, x_out); - felem_mul(y_out, tmp, r); - felem_mul(tmp, y1, j); - felem_diff(y_out, y_out, tmp); - felem_diff(y_out, y_out, tmp); -} - -/* point_add sets {x_out,y_out,z_out} = {x1,y1,z1} + {x2,y2,z2}. - * - * See http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#addition-add-2007-bl - * - * Note that this function does not handle P+P, infinity+P nor P+infinity - * correctly. - */ -static void -point_add(felem x_out, felem y_out, felem z_out, - const felem x1, const felem y1, const felem z1, - const felem x2, const felem y2, const felem z2) -{ - felem z1z1, z1z1z1, z2z2, z2z2z2, s1, s2, u1, u2, h, i, j, r, rr, v, tmp; - - felem_square(z1z1, z1); - felem_square(z2z2, z2); - felem_mul(u1, x1, z2z2); - - felem_sum(tmp, z1, z2); - felem_square(tmp, tmp); - felem_diff(tmp, tmp, z1z1); - felem_diff(tmp, tmp, z2z2); - - felem_mul(z2z2z2, z2, z2z2); - felem_mul(s1, y1, z2z2z2); - - felem_mul(u2, x2, z1z1); - felem_mul(z1z1z1, z1, z1z1); - felem_mul(s2, y2, z1z1z1); - felem_diff(h, u2, u1); - felem_sum(i, h, h); - felem_square(i, i); - felem_mul(j, h, i); - felem_diff(r, s2, s1); - felem_sum(r, r, r); - felem_mul(v, u1, i); - - felem_mul(z_out, tmp, h); - felem_square(rr, r); - felem_diff(x_out, rr, j); - felem_diff(x_out, x_out, v); - felem_diff(x_out, x_out, v); - - felem_diff(tmp, v, x_out); - felem_mul(y_out, tmp, r); - felem_mul(tmp, s1, j); - felem_diff(y_out, y_out, tmp); - felem_diff(y_out, y_out, tmp); -} - -/* point_add_or_double_vartime sets {x_out,y_out,z_out} = {x1,y1,z1} + - * {x2,y2,z2}. - * - * See http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#addition-add-2007-bl - * - * This function handles the case where {x1,y1,z1}={x2,y2,z2}. - */ -static void -point_add_or_double_vartime( - felem x_out, felem y_out, felem z_out, - const felem x1, const felem y1, const felem z1, - const felem x2, const felem y2, const felem z2) -{ - felem z1z1, z1z1z1, z2z2, z2z2z2, s1, s2, u1, u2, h, i, j, r, rr, v, tmp; - char x_equal, y_equal; - - felem_square(z1z1, z1); - felem_square(z2z2, z2); - felem_mul(u1, x1, z2z2); - - felem_sum(tmp, z1, z2); - felem_square(tmp, tmp); - felem_diff(tmp, tmp, z1z1); - felem_diff(tmp, tmp, z2z2); - - felem_mul(z2z2z2, z2, z2z2); - felem_mul(s1, y1, z2z2z2); - - felem_mul(u2, x2, z1z1); - felem_mul(z1z1z1, z1, z1z1); - felem_mul(s2, y2, z1z1z1); - felem_diff(h, u2, u1); - x_equal = felem_is_zero_vartime(h); - felem_sum(i, h, h); - felem_square(i, i); - felem_mul(j, h, i); - felem_diff(r, s2, s1); - y_equal = felem_is_zero_vartime(r); - if (x_equal && y_equal) { - point_double(x_out, y_out, z_out, x1, y1, z1); - return; - } - felem_sum(r, r, r); - felem_mul(v, u1, i); - - felem_mul(z_out, tmp, h); - felem_square(rr, r); - felem_diff(x_out, rr, j); - felem_diff(x_out, x_out, v); - felem_diff(x_out, x_out, v); - - felem_diff(tmp, v, x_out); - felem_mul(y_out, tmp, r); - felem_mul(tmp, s1, j); - felem_diff(y_out, y_out, tmp); - felem_diff(y_out, y_out, tmp); -} - -/* copy_conditional sets out=in if mask = 0xffffffff in constant time. - * - * On entry: mask is either 0 or 0xffffffff. - */ -static void -copy_conditional(felem out, const felem in, limb mask) -{ - int i; - - for (i = 0; i < NLIMBS; i++) { - const limb tmp = mask & (in[i] ^ out[i]); - out[i] ^= tmp; - } -} - -/* select_affine_point sets {out_x,out_y} to the index'th entry of table. - * On entry: index < 16, table[0] must be zero. - */ -static void -select_affine_point(felem out_x, felem out_y, - const limb *table, limb index) -{ - limb i, j; - - memset(out_x, 0, sizeof(felem)); - memset(out_y, 0, sizeof(felem)); - - for (i = 1; i < 16; i++) { - limb mask = i ^ index; - mask |= mask >> 2; - mask |= mask >> 1; - mask &= 1; - mask--; - for (j = 0; j < NLIMBS; j++, table++) { - out_x[j] |= *table & mask; - } - for (j = 0; j < NLIMBS; j++, table++) { - out_y[j] |= *table & mask; - } - } -} - -/* select_jacobian_point sets {out_x,out_y,out_z} to the index'th entry of - * table. On entry: index < 16, table[0] must be zero. - */ -static void -select_jacobian_point(felem out_x, felem out_y, felem out_z, - const limb *table, limb index) -{ - limb i, j; - - memset(out_x, 0, sizeof(felem)); - memset(out_y, 0, sizeof(felem)); - memset(out_z, 0, sizeof(felem)); - - /* The implicit value at index 0 is all zero. We don't need to perform that - * iteration of the loop because we already set out_* to zero. - */ - table += 3 * NLIMBS; - - for (i = 1; i < 16; i++) { - limb mask = i ^ index; - mask |= mask >> 2; - mask |= mask >> 1; - mask &= 1; - mask--; - for (j = 0; j < NLIMBS; j++, table++) { - out_x[j] |= *table & mask; - } - for (j = 0; j < NLIMBS; j++, table++) { - out_y[j] |= *table & mask; - } - for (j = 0; j < NLIMBS; j++, table++) { - out_z[j] |= *table & mask; - } - } -} - -/* get_bit returns the bit'th bit of scalar. */ -static char -get_bit(const u8 scalar[32], int bit) -{ - return ((scalar[bit >> 3]) >> (bit & 7)) & 1; -} - -/* scalar_base_mult sets {nx,ny,nz} = scalar*G where scalar is a little-endian - * number. Note that the value of scalar must be less than the order of the - * group. - */ -static void -scalar_base_mult(felem nx, felem ny, felem nz, const u8 scalar[32]) -{ - int i, j; - limb n_is_infinity_mask = -1, p_is_noninfinite_mask, mask; - u32 table_offset; - - felem px, py; - felem tx, ty, tz; - - memset(nx, 0, sizeof(felem)); - memset(ny, 0, sizeof(felem)); - memset(nz, 0, sizeof(felem)); - - /* The loop adds bits at positions 0, 64, 128 and 192, followed by - * positions 32,96,160 and 224 and does this 32 times. - */ - for (i = 0; i < 32; i++) { - if (i) { - point_double(nx, ny, nz, nx, ny, nz); - } - table_offset = 0; - for (j = 0; j <= 32; j += 32) { - char bit0 = get_bit(scalar, 31 - i + j); - char bit1 = get_bit(scalar, 95 - i + j); - char bit2 = get_bit(scalar, 159 - i + j); - char bit3 = get_bit(scalar, 223 - i + j); - limb index = bit0 | (bit1 << 1) | (bit2 << 2) | (bit3 << 3); - - select_affine_point(px, py, kPrecomputed + table_offset, index); - table_offset += 30 * NLIMBS; - - /* Since scalar is less than the order of the group, we know that - * {nx,ny,nz} != {px,py,1}, unless both are zero, which we handle - * below. - */ - point_add_mixed(tx, ty, tz, nx, ny, nz, px, py); - /* The result of point_add_mixed is incorrect if {nx,ny,nz} is zero - * (a.k.a. the point at infinity). We handle that situation by - * copying the point from the table. - */ - copy_conditional(nx, px, n_is_infinity_mask); - copy_conditional(ny, py, n_is_infinity_mask); - copy_conditional(nz, kOne, n_is_infinity_mask); - - /* Equally, the result is also wrong if the point from the table is - * zero, which happens when the index is zero. We handle that by - * only copying from {tx,ty,tz} to {nx,ny,nz} if index != 0. - */ - p_is_noninfinite_mask = NON_ZERO_TO_ALL_ONES(index); - mask = p_is_noninfinite_mask & ~n_is_infinity_mask; - copy_conditional(nx, tx, mask); - copy_conditional(ny, ty, mask); - copy_conditional(nz, tz, mask); - /* If p was not zero, then n is now non-zero. */ - n_is_infinity_mask &= ~p_is_noninfinite_mask; - } - } -} - -/* point_to_affine converts a Jacobian point to an affine point. If the input - * is the point at infinity then it returns (0, 0) in constant time. - */ -static void -point_to_affine(felem x_out, felem y_out, - const felem nx, const felem ny, const felem nz) -{ - felem z_inv, z_inv_sq; - felem_inv(z_inv, nz); - felem_square(z_inv_sq, z_inv); - felem_mul(x_out, nx, z_inv_sq); - felem_mul(z_inv, z_inv, z_inv_sq); - felem_mul(y_out, ny, z_inv); -} - -/* scalar_mult sets {nx,ny,nz} = scalar*{x,y}. */ -static void -scalar_mult(felem nx, felem ny, felem nz, - const felem x, const felem y, const u8 scalar[32]) -{ - int i; - felem px, py, pz, tx, ty, tz; - felem precomp[16][3]; - limb n_is_infinity_mask, index, p_is_noninfinite_mask, mask; - - /* We precompute 0,1,2,... times {x,y}. */ - memset(precomp, 0, sizeof(felem) * 3); - memcpy(&precomp[1][0], x, sizeof(felem)); - memcpy(&precomp[1][1], y, sizeof(felem)); - memcpy(&precomp[1][2], kOne, sizeof(felem)); - - for (i = 2; i < 16; i += 2) { - point_double(precomp[i][0], precomp[i][1], precomp[i][2], - precomp[i / 2][0], precomp[i / 2][1], precomp[i / 2][2]); - - point_add_mixed(precomp[i + 1][0], precomp[i + 1][1], precomp[i + 1][2], - precomp[i][0], precomp[i][1], precomp[i][2], x, y); - } - - memset(nx, 0, sizeof(felem)); - memset(ny, 0, sizeof(felem)); - memset(nz, 0, sizeof(felem)); - n_is_infinity_mask = -1; - - /* We add in a window of four bits each iteration and do this 64 times. */ - for (i = 0; i < 64; i++) { - if (i) { - point_double(nx, ny, nz, nx, ny, nz); - point_double(nx, ny, nz, nx, ny, nz); - point_double(nx, ny, nz, nx, ny, nz); - point_double(nx, ny, nz, nx, ny, nz); - } - - index = scalar[31 - i / 2]; - if ((i & 1) == 1) { - index &= 15; - } else { - index >>= 4; - } - - /* See the comments in scalar_base_mult about handling infinities. */ - select_jacobian_point(px, py, pz, precomp[0][0], index); - point_add(tx, ty, tz, nx, ny, nz, px, py, pz); - copy_conditional(nx, px, n_is_infinity_mask); - copy_conditional(ny, py, n_is_infinity_mask); - copy_conditional(nz, pz, n_is_infinity_mask); - - p_is_noninfinite_mask = NON_ZERO_TO_ALL_ONES(index); - mask = p_is_noninfinite_mask & ~n_is_infinity_mask; - copy_conditional(nx, tx, mask); - copy_conditional(ny, ty, mask); - copy_conditional(nz, tz, mask); - n_is_infinity_mask &= ~p_is_noninfinite_mask; - } -} - -/* Interface with Freebl: */ - -/* BYTESWAP_MP_DIGIT_TO_LE swaps the bytes of a mp_digit to - * little-endian order. - */ -#ifdef IS_BIG_ENDIAN -#ifdef __APPLE__ -#include <libkern/OSByteOrder.h> -#define BYTESWAP32(x) OSSwapInt32(x) -#define BYTESWAP64(x) OSSwapInt64(x) -#else -#define BYTESWAP32(x) \ - (((x) >> 24) | (((x) >> 8) & 0xff00) | (((x)&0xff00) << 8) | ((x) << 24)) -#define BYTESWAP64(x) \ - (((x) >> 56) | (((x) >> 40) & 0xff00) | \ - (((x) >> 24) & 0xff0000) | (((x) >> 8) & 0xff000000) | \ - (((x)&0xff000000) << 8) | (((x)&0xff0000) << 24) | \ - (((x)&0xff00) << 40) | ((x) << 56)) -#endif - -#ifdef MP_USE_UINT_DIGIT -#define BYTESWAP_MP_DIGIT_TO_LE(x) BYTESWAP32(x) -#else -#define BYTESWAP_MP_DIGIT_TO_LE(x) BYTESWAP64(x) -#endif -#endif /* IS_BIG_ENDIAN */ - -#ifdef MP_USE_UINT_DIGIT -static const mp_digit kRInvDigits[8] = { - 0x80000000, 1, 0xffffffff, 0, - 0x80000001, 0xfffffffe, 1, 0x7fffffff -}; -#else -static const mp_digit kRInvDigits[4] = { - PR_UINT64(0x180000000), 0xffffffff, - PR_UINT64(0xfffffffe80000001), PR_UINT64(0x7fffffff00000001) -}; -#endif -#define MP_DIGITS_IN_256_BITS (32 / sizeof(mp_digit)) -static const mp_int kRInv = { - MP_ZPOS, - MP_DIGITS_IN_256_BITS, - MP_DIGITS_IN_256_BITS, - (mp_digit *)kRInvDigits -}; - -static const limb kTwo28 = 0x10000000; -static const limb kTwo29 = 0x20000000; - -/* to_montgomery sets out = R*in. */ -static mp_err -to_montgomery(felem out, const mp_int *in, const ECGroup *group) -{ - /* There are no MPI functions for bitshift operations and we wish to shift - * in 257 bits left so we move the digits 256-bits left and then multiply - * by two. - */ - mp_int in_shifted; - int i; - mp_err res; - - MP_CHECKOK(mp_init(&in_shifted)); - MP_CHECKOK(s_mp_pad(&in_shifted, MP_USED(in) + MP_DIGITS_IN_256_BITS)); - memcpy(&MP_DIGIT(&in_shifted, MP_DIGITS_IN_256_BITS), - MP_DIGITS(in), - MP_USED(in) * sizeof(mp_digit)); - MP_CHECKOK(mp_mul_2(&in_shifted, &in_shifted)); - MP_CHECKOK(group->meth->field_mod(&in_shifted, &in_shifted, group->meth)); - - for (i = 0;; i++) { - out[i] = MP_DIGIT(&in_shifted, 0) & kBottom29Bits; - MP_CHECKOK(mp_div_d(&in_shifted, kTwo29, &in_shifted, NULL)); - - i++; - if (i == NLIMBS) - break; - out[i] = MP_DIGIT(&in_shifted, 0) & kBottom28Bits; - MP_CHECKOK(mp_div_d(&in_shifted, kTwo28, &in_shifted, NULL)); - } - -CLEANUP: - mp_clear(&in_shifted); - return res; -} - -/* from_montgomery sets out=in/R. */ -static mp_err -from_montgomery(mp_int *out, const felem in, - const ECGroup *group) -{ - mp_int result, tmp; - mp_err res; - int i; - - MP_CHECKOK(mp_init(&result)); - MP_CHECKOK(mp_init(&tmp)); - - MP_CHECKOK(mp_add_d(&tmp, in[NLIMBS - 1], &result)); - for (i = NLIMBS - 2; i >= 0; i--) { - if ((i & 1) == 0) { - MP_CHECKOK(mp_mul_d(&result, kTwo29, &tmp)); - } else { - MP_CHECKOK(mp_mul_d(&result, kTwo28, &tmp)); - } - MP_CHECKOK(mp_add_d(&tmp, in[i], &result)); - } - - MP_CHECKOK(mp_mul(&result, &kRInv, out)); - MP_CHECKOK(group->meth->field_mod(out, out, group->meth)); - -CLEANUP: - mp_clear(&result); - mp_clear(&tmp); - return res; -} - -/* scalar_from_mp_int sets out_scalar=n, where n < the group order. */ -static void -scalar_from_mp_int(u8 out_scalar[32], const mp_int *n) -{ - /* We require that |n| is less than the order of the group and therefore it - * will fit into |out_scalar|. However, these is a timing side-channel here - * that we cannot avoid: if |n| is sufficiently small it may be one or more - * words too short and we'll copy less data. - */ - memset(out_scalar, 0, 32); -#ifdef IS_LITTLE_ENDIAN - memcpy(out_scalar, MP_DIGITS(n), MP_USED(n) * sizeof(mp_digit)); -#else - { - mp_size i; - mp_digit swapped[MP_DIGITS_IN_256_BITS]; - for (i = 0; i < MP_USED(n); i++) { - swapped[i] = BYTESWAP_MP_DIGIT_TO_LE(MP_DIGIT(n, i)); - } - memcpy(out_scalar, swapped, MP_USED(n) * sizeof(mp_digit)); - } -#endif -} - -/* ec_GFp_nistp256_base_point_mul sets {out_x,out_y} = nG, where n is < the - * order of the group. - */ -static mp_err -ec_GFp_nistp256_base_point_mul(const mp_int *n, - mp_int *out_x, mp_int *out_y, - const ECGroup *group) -{ - u8 scalar[32]; - felem x, y, z, x_affine, y_affine; - mp_err res; - - /* FIXME(agl): test that n < order. */ - - scalar_from_mp_int(scalar, n); - scalar_base_mult(x, y, z, scalar); - point_to_affine(x_affine, y_affine, x, y, z); - MP_CHECKOK(from_montgomery(out_x, x_affine, group)); - MP_CHECKOK(from_montgomery(out_y, y_affine, group)); - -CLEANUP: - return res; -} - -/* ec_GFp_nistp256_point_mul sets {out_x,out_y} = n*{in_x,in_y}, where n is < - * the order of the group. - */ -static mp_err -ec_GFp_nistp256_point_mul(const mp_int *n, - const mp_int *in_x, const mp_int *in_y, - mp_int *out_x, mp_int *out_y, - const ECGroup *group) -{ - u8 scalar[32]; - felem x, y, z, x_affine, y_affine, px, py; - mp_err res; - - scalar_from_mp_int(scalar, n); - - MP_CHECKOK(to_montgomery(px, in_x, group)); - MP_CHECKOK(to_montgomery(py, in_y, group)); - - scalar_mult(x, y, z, px, py, scalar); - point_to_affine(x_affine, y_affine, x, y, z); - MP_CHECKOK(from_montgomery(out_x, x_affine, group)); - MP_CHECKOK(from_montgomery(out_y, y_affine, group)); - -CLEANUP: - return res; -} - -/* ec_GFp_nistp256_point_mul_vartime sets {out_x,out_y} = n1*G + - * n2*{in_x,in_y}, where n1 and n2 are < the order of the group. - * - * As indicated by the name, this function operates in variable time. This - * is safe because it's used for signature validation which doesn't deal - * with secrets. - */ -static mp_err -ec_GFp_nistp256_points_mul_vartime( - const mp_int *n1, const mp_int *n2, - const mp_int *in_x, const mp_int *in_y, - mp_int *out_x, mp_int *out_y, - const ECGroup *group) -{ - u8 scalar1[32], scalar2[32]; - felem x1, y1, z1, x2, y2, z2, x_affine, y_affine, px, py; - mp_err res = MP_OKAY; - - /* If n2 == NULL, this is just a base-point multiplication. */ - if (n2 == NULL) { - return ec_GFp_nistp256_base_point_mul(n1, out_x, out_y, group); - } - - /* If n1 == nULL, this is just an arbitary-point multiplication. */ - if (n1 == NULL) { - return ec_GFp_nistp256_point_mul(n2, in_x, in_y, out_x, out_y, group); - } - - /* If both scalars are zero, then the result is the point at infinity. */ - if (mp_cmp_z(n1) == 0 && mp_cmp_z(n2) == 0) { - mp_zero(out_x); - mp_zero(out_y); - return res; - } - - scalar_from_mp_int(scalar1, n1); - scalar_from_mp_int(scalar2, n2); - - MP_CHECKOK(to_montgomery(px, in_x, group)); - MP_CHECKOK(to_montgomery(py, in_y, group)); - scalar_base_mult(x1, y1, z1, scalar1); - scalar_mult(x2, y2, z2, px, py, scalar2); - - if (mp_cmp_z(n2) == 0) { - /* If n2 == 0, then {x2,y2,z2} is zero and the result is just - * {x1,y1,z1}. */ - } else if (mp_cmp_z(n1) == 0) { - /* If n1 == 0, then {x1,y1,z1} is zero and the result is just - * {x2,y2,z2}. */ - memcpy(x1, x2, sizeof(x2)); - memcpy(y1, y2, sizeof(y2)); - memcpy(z1, z2, sizeof(z2)); - } else { - /* This function handles the case where {x1,y1,z1} == {x2,y2,z2}. */ - point_add_or_double_vartime(x1, y1, z1, x1, y1, z1, x2, y2, z2); - } - - point_to_affine(x_affine, y_affine, x1, y1, z1); - MP_CHECKOK(from_montgomery(out_x, x_affine, group)); - MP_CHECKOK(from_montgomery(out_y, y_affine, group)); - -CLEANUP: - return res; -} - -/* Wire in fast point multiplication for named curves. */ -mp_err -ec_group_set_gfp256_32(ECGroup *group, ECCurveName name) -{ - if (name == ECCurve_NIST_P256) { - group->base_point_mul = &ec_GFp_nistp256_base_point_mul; - group->point_mul = &ec_GFp_nistp256_point_mul; - group->points_mul = &ec_GFp_nistp256_points_mul_vartime; - } - return MP_OKAY; -} diff --git a/nss/lib/freebl/ecl/ecp_384.c b/nss/lib/freebl/ecl/ecp_384.c deleted file mode 100644 index 702fd97..0000000 --- a/nss/lib/freebl/ecl/ecp_384.c +++ /dev/null @@ -1,258 +0,0 @@ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#include "ecp.h" -#include "mpi.h" -#include "mplogic.h" -#include "mpi-priv.h" - -/* Fast modular reduction for p384 = 2^384 - 2^128 - 2^96 + 2^32 - 1. a can be r. - * Uses algorithm 2.30 from Hankerson, Menezes, Vanstone. Guide to - * Elliptic Curve Cryptography. */ -static mp_err -ec_GFp_nistp384_mod(const mp_int *a, mp_int *r, const GFMethod *meth) -{ - mp_err res = MP_OKAY; - int a_bits = mpl_significant_bits(a); - int i; - - /* m1, m2 are statically-allocated mp_int of exactly the size we need */ - mp_int m[10]; - -#ifdef ECL_THIRTY_TWO_BIT - mp_digit s[10][12]; - for (i = 0; i < 10; i++) { - MP_SIGN(&m[i]) = MP_ZPOS; - MP_ALLOC(&m[i]) = 12; - MP_USED(&m[i]) = 12; - MP_DIGITS(&m[i]) = s[i]; - } -#else - mp_digit s[10][6]; - for (i = 0; i < 10; i++) { - MP_SIGN(&m[i]) = MP_ZPOS; - MP_ALLOC(&m[i]) = 6; - MP_USED(&m[i]) = 6; - MP_DIGITS(&m[i]) = s[i]; - } -#endif - -#ifdef ECL_THIRTY_TWO_BIT - /* for polynomials larger than twice the field size or polynomials - * not using all words, use regular reduction */ - if ((a_bits > 768) || (a_bits <= 736)) { - MP_CHECKOK(mp_mod(a, &meth->irr, r)); - } else { - for (i = 0; i < 12; i++) { - s[0][i] = MP_DIGIT(a, i); - } - s[1][0] = 0; - s[1][1] = 0; - s[1][2] = 0; - s[1][3] = 0; - s[1][4] = MP_DIGIT(a, 21); - s[1][5] = MP_DIGIT(a, 22); - s[1][6] = MP_DIGIT(a, 23); - s[1][7] = 0; - s[1][8] = 0; - s[1][9] = 0; - s[1][10] = 0; - s[1][11] = 0; - for (i = 0; i < 12; i++) { - s[2][i] = MP_DIGIT(a, i + 12); - } - s[3][0] = MP_DIGIT(a, 21); - s[3][1] = MP_DIGIT(a, 22); - s[3][2] = MP_DIGIT(a, 23); - for (i = 3; i < 12; i++) { - s[3][i] = MP_DIGIT(a, i + 9); - } - s[4][0] = 0; - s[4][1] = MP_DIGIT(a, 23); - s[4][2] = 0; - s[4][3] = MP_DIGIT(a, 20); - for (i = 4; i < 12; i++) { - s[4][i] = MP_DIGIT(a, i + 8); - } - s[5][0] = 0; - s[5][1] = 0; - s[5][2] = 0; - s[5][3] = 0; - s[5][4] = MP_DIGIT(a, 20); - s[5][5] = MP_DIGIT(a, 21); - s[5][6] = MP_DIGIT(a, 22); - s[5][7] = MP_DIGIT(a, 23); - s[5][8] = 0; - s[5][9] = 0; - s[5][10] = 0; - s[5][11] = 0; - s[6][0] = MP_DIGIT(a, 20); - s[6][1] = 0; - s[6][2] = 0; - s[6][3] = MP_DIGIT(a, 21); - s[6][4] = MP_DIGIT(a, 22); - s[6][5] = MP_DIGIT(a, 23); - s[6][6] = 0; - s[6][7] = 0; - s[6][8] = 0; - s[6][9] = 0; - s[6][10] = 0; - s[6][11] = 0; - s[7][0] = MP_DIGIT(a, 23); - for (i = 1; i < 12; i++) { - s[7][i] = MP_DIGIT(a, i + 11); - } - s[8][0] = 0; - s[8][1] = MP_DIGIT(a, 20); - s[8][2] = MP_DIGIT(a, 21); - s[8][3] = MP_DIGIT(a, 22); - s[8][4] = MP_DIGIT(a, 23); - s[8][5] = 0; - s[8][6] = 0; - s[8][7] = 0; - s[8][8] = 0; - s[8][9] = 0; - s[8][10] = 0; - s[8][11] = 0; - s[9][0] = 0; - s[9][1] = 0; - s[9][2] = 0; - s[9][3] = MP_DIGIT(a, 23); - s[9][4] = MP_DIGIT(a, 23); - s[9][5] = 0; - s[9][6] = 0; - s[9][7] = 0; - s[9][8] = 0; - s[9][9] = 0; - s[9][10] = 0; - s[9][11] = 0; - - MP_CHECKOK(mp_add(&m[0], &m[1], r)); - MP_CHECKOK(mp_add(r, &m[1], r)); - MP_CHECKOK(mp_add(r, &m[2], r)); - MP_CHECKOK(mp_add(r, &m[3], r)); - MP_CHECKOK(mp_add(r, &m[4], r)); - MP_CHECKOK(mp_add(r, &m[5], r)); - MP_CHECKOK(mp_add(r, &m[6], r)); - MP_CHECKOK(mp_sub(r, &m[7], r)); - MP_CHECKOK(mp_sub(r, &m[8], r)); - MP_CHECKOK(mp_submod(r, &m[9], &meth->irr, r)); - s_mp_clamp(r); - } -#else - /* for polynomials larger than twice the field size or polynomials - * not using all words, use regular reduction */ - if ((a_bits > 768) || (a_bits <= 736)) { - MP_CHECKOK(mp_mod(a, &meth->irr, r)); - } else { - for (i = 0; i < 6; i++) { - s[0][i] = MP_DIGIT(a, i); - } - s[1][0] = 0; - s[1][1] = 0; - s[1][2] = (MP_DIGIT(a, 10) >> 32) | (MP_DIGIT(a, 11) << 32); - s[1][3] = MP_DIGIT(a, 11) >> 32; - s[1][4] = 0; - s[1][5] = 0; - for (i = 0; i < 6; i++) { - s[2][i] = MP_DIGIT(a, i + 6); - } - s[3][0] = (MP_DIGIT(a, 10) >> 32) | (MP_DIGIT(a, 11) << 32); - s[3][1] = (MP_DIGIT(a, 11) >> 32) | (MP_DIGIT(a, 6) << 32); - for (i = 2; i < 6; i++) { - s[3][i] = (MP_DIGIT(a, i + 4) >> 32) | (MP_DIGIT(a, i + 5) << 32); - } - s[4][0] = (MP_DIGIT(a, 11) >> 32) << 32; - s[4][1] = MP_DIGIT(a, 10) << 32; - for (i = 2; i < 6; i++) { - s[4][i] = MP_DIGIT(a, i + 4); - } - s[5][0] = 0; - s[5][1] = 0; - s[5][2] = MP_DIGIT(a, 10); - s[5][3] = MP_DIGIT(a, 11); - s[5][4] = 0; - s[5][5] = 0; - s[6][0] = (MP_DIGIT(a, 10) << 32) >> 32; - s[6][1] = (MP_DIGIT(a, 10) >> 32) << 32; - s[6][2] = MP_DIGIT(a, 11); - s[6][3] = 0; - s[6][4] = 0; - s[6][5] = 0; - s[7][0] = (MP_DIGIT(a, 11) >> 32) | (MP_DIGIT(a, 6) << 32); - for (i = 1; i < 6; i++) { - s[7][i] = (MP_DIGIT(a, i + 5) >> 32) | (MP_DIGIT(a, i + 6) << 32); - } - s[8][0] = MP_DIGIT(a, 10) << 32; - s[8][1] = (MP_DIGIT(a, 10) >> 32) | (MP_DIGIT(a, 11) << 32); - s[8][2] = MP_DIGIT(a, 11) >> 32; - s[8][3] = 0; - s[8][4] = 0; - s[8][5] = 0; - s[9][0] = 0; - s[9][1] = (MP_DIGIT(a, 11) >> 32) << 32; - s[9][2] = MP_DIGIT(a, 11) >> 32; - s[9][3] = 0; - s[9][4] = 0; - s[9][5] = 0; - - MP_CHECKOK(mp_add(&m[0], &m[1], r)); - MP_CHECKOK(mp_add(r, &m[1], r)); - MP_CHECKOK(mp_add(r, &m[2], r)); - MP_CHECKOK(mp_add(r, &m[3], r)); - MP_CHECKOK(mp_add(r, &m[4], r)); - MP_CHECKOK(mp_add(r, &m[5], r)); - MP_CHECKOK(mp_add(r, &m[6], r)); - MP_CHECKOK(mp_sub(r, &m[7], r)); - MP_CHECKOK(mp_sub(r, &m[8], r)); - MP_CHECKOK(mp_submod(r, &m[9], &meth->irr, r)); - s_mp_clamp(r); - } -#endif - -CLEANUP: - return res; -} - -/* Compute the square of polynomial a, reduce modulo p384. Store the - * result in r. r could be a. Uses optimized modular reduction for p384. - */ -static mp_err -ec_GFp_nistp384_sqr(const mp_int *a, mp_int *r, const GFMethod *meth) -{ - mp_err res = MP_OKAY; - - MP_CHECKOK(mp_sqr(a, r)); - MP_CHECKOK(ec_GFp_nistp384_mod(r, r, meth)); -CLEANUP: - return res; -} - -/* Compute the product of two polynomials a and b, reduce modulo p384. - * Store the result in r. r could be a or b; a could be b. Uses - * optimized modular reduction for p384. */ -static mp_err -ec_GFp_nistp384_mul(const mp_int *a, const mp_int *b, mp_int *r, - const GFMethod *meth) -{ - mp_err res = MP_OKAY; - - MP_CHECKOK(mp_mul(a, b, r)); - MP_CHECKOK(ec_GFp_nistp384_mod(r, r, meth)); -CLEANUP: - return res; -} - -/* Wire in fast field arithmetic and precomputation of base point for - * named curves. */ -mp_err -ec_group_set_gfp384(ECGroup *group, ECCurveName name) -{ - if (name == ECCurve_NIST_P384) { - group->meth->field_mod = &ec_GFp_nistp384_mod; - group->meth->field_mul = &ec_GFp_nistp384_mul; - group->meth->field_sqr = &ec_GFp_nistp384_sqr; - } - return MP_OKAY; -} diff --git a/nss/lib/freebl/ecl/ecp_521.c b/nss/lib/freebl/ecl/ecp_521.c deleted file mode 100644 index 6ca0dbb..0000000 --- a/nss/lib/freebl/ecl/ecp_521.c +++ /dev/null @@ -1,137 +0,0 @@ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#include "ecp.h" -#include "mpi.h" -#include "mplogic.h" -#include "mpi-priv.h" - -#define ECP521_DIGITS ECL_CURVE_DIGITS(521) - -/* Fast modular reduction for p521 = 2^521 - 1. a can be r. Uses - * algorithm 2.31 from Hankerson, Menezes, Vanstone. Guide to - * Elliptic Curve Cryptography. */ -static mp_err -ec_GFp_nistp521_mod(const mp_int *a, mp_int *r, const GFMethod *meth) -{ - mp_err res = MP_OKAY; - int a_bits = mpl_significant_bits(a); - unsigned int i; - - /* m1, m2 are statically-allocated mp_int of exactly the size we need */ - mp_int m1; - - mp_digit s1[ECP521_DIGITS] = { 0 }; - - MP_SIGN(&m1) = MP_ZPOS; - MP_ALLOC(&m1) = ECP521_DIGITS; - MP_USED(&m1) = ECP521_DIGITS; - MP_DIGITS(&m1) = s1; - - if (a_bits < 521) { - if (a == r) - return MP_OKAY; - return mp_copy(a, r); - } - /* for polynomials larger than twice the field size or polynomials - * not using all words, use regular reduction */ - if (a_bits > (521 * 2)) { - MP_CHECKOK(mp_mod(a, &meth->irr, r)); - } else { -#define FIRST_DIGIT (ECP521_DIGITS - 1) - for (i = FIRST_DIGIT; i < MP_USED(a) - 1; i++) { - s1[i - FIRST_DIGIT] = (MP_DIGIT(a, i) >> 9) | (MP_DIGIT(a, 1 + i) << (MP_DIGIT_BIT - 9)); - } - s1[i - FIRST_DIGIT] = MP_DIGIT(a, i) >> 9; - - if (a != r) { - MP_CHECKOK(s_mp_pad(r, ECP521_DIGITS)); - for (i = 0; i < ECP521_DIGITS; i++) { - MP_DIGIT(r, i) = MP_DIGIT(a, i); - } - } - MP_USED(r) = ECP521_DIGITS; - MP_DIGIT(r, FIRST_DIGIT) &= 0x1FF; - - MP_CHECKOK(s_mp_add(r, &m1)); - if (MP_DIGIT(r, FIRST_DIGIT) & 0x200) { - MP_CHECKOK(s_mp_add_d(r, 1)); - MP_DIGIT(r, FIRST_DIGIT) &= 0x1FF; - } else if (s_mp_cmp(r, &meth->irr) == 0) { - mp_zero(r); - } - s_mp_clamp(r); - } - -CLEANUP: - return res; -} - -/* Compute the square of polynomial a, reduce modulo p521. Store the - * result in r. r could be a. Uses optimized modular reduction for p521. - */ -static mp_err -ec_GFp_nistp521_sqr(const mp_int *a, mp_int *r, const GFMethod *meth) -{ - mp_err res = MP_OKAY; - - MP_CHECKOK(mp_sqr(a, r)); - MP_CHECKOK(ec_GFp_nistp521_mod(r, r, meth)); -CLEANUP: - return res; -} - -/* Compute the product of two polynomials a and b, reduce modulo p521. - * Store the result in r. r could be a or b; a could be b. Uses - * optimized modular reduction for p521. */ -static mp_err -ec_GFp_nistp521_mul(const mp_int *a, const mp_int *b, mp_int *r, - const GFMethod *meth) -{ - mp_err res = MP_OKAY; - - MP_CHECKOK(mp_mul(a, b, r)); - MP_CHECKOK(ec_GFp_nistp521_mod(r, r, meth)); -CLEANUP: - return res; -} - -/* Divides two field elements. If a is NULL, then returns the inverse of - * b. */ -static mp_err -ec_GFp_nistp521_div(const mp_int *a, const mp_int *b, mp_int *r, - const GFMethod *meth) -{ - mp_err res = MP_OKAY; - mp_int t; - - /* If a is NULL, then return the inverse of b, otherwise return a/b. */ - if (a == NULL) { - return mp_invmod(b, &meth->irr, r); - } else { - /* MPI doesn't support divmod, so we implement it using invmod and - * mulmod. */ - MP_CHECKOK(mp_init(&t)); - MP_CHECKOK(mp_invmod(b, &meth->irr, &t)); - MP_CHECKOK(mp_mul(a, &t, r)); - MP_CHECKOK(ec_GFp_nistp521_mod(r, r, meth)); - CLEANUP: - mp_clear(&t); - return res; - } -} - -/* Wire in fast field arithmetic and precomputation of base point for - * named curves. */ -mp_err -ec_group_set_gfp521(ECGroup *group, ECCurveName name) -{ - if (name == ECCurve_NIST_P521) { - group->meth->field_mod = &ec_GFp_nistp521_mod; - group->meth->field_mul = &ec_GFp_nistp521_mul; - group->meth->field_sqr = &ec_GFp_nistp521_sqr; - group->meth->field_div = &ec_GFp_nistp521_div; - } - return MP_OKAY; -} diff --git a/nss/lib/freebl/ecl/ecp_aff.c b/nss/lib/freebl/ecl/ecp_aff.c deleted file mode 100644 index 2f8802e..0000000 --- a/nss/lib/freebl/ecl/ecp_aff.c +++ /dev/null @@ -1,308 +0,0 @@ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#include "ecp.h" -#include "mplogic.h" -#include <stdlib.h> - -/* Checks if point P(px, py) is at infinity. Uses affine coordinates. */ -mp_err -ec_GFp_pt_is_inf_aff(const mp_int *px, const mp_int *py) -{ - - if ((mp_cmp_z(px) == 0) && (mp_cmp_z(py) == 0)) { - return MP_YES; - } else { - return MP_NO; - } -} - -/* Sets P(px, py) to be the point at infinity. Uses affine coordinates. */ -mp_err -ec_GFp_pt_set_inf_aff(mp_int *px, mp_int *py) -{ - mp_zero(px); - mp_zero(py); - return MP_OKAY; -} - -/* Computes R = P + Q based on IEEE P1363 A.10.1. Elliptic curve points P, - * Q, and R can all be identical. Uses affine coordinates. Assumes input - * is already field-encoded using field_enc, and returns output that is - * still field-encoded. */ -mp_err -ec_GFp_pt_add_aff(const mp_int *px, const mp_int *py, const mp_int *qx, - const mp_int *qy, mp_int *rx, mp_int *ry, - const ECGroup *group) -{ - mp_err res = MP_OKAY; - mp_int lambda, temp, tempx, tempy; - - MP_DIGITS(&lambda) = 0; - MP_DIGITS(&temp) = 0; - MP_DIGITS(&tempx) = 0; - MP_DIGITS(&tempy) = 0; - MP_CHECKOK(mp_init(&lambda)); - MP_CHECKOK(mp_init(&temp)); - MP_CHECKOK(mp_init(&tempx)); - MP_CHECKOK(mp_init(&tempy)); - /* if P = inf, then R = Q */ - if (ec_GFp_pt_is_inf_aff(px, py) == 0) { - MP_CHECKOK(mp_copy(qx, rx)); - MP_CHECKOK(mp_copy(qy, ry)); - res = MP_OKAY; - goto CLEANUP; - } - /* if Q = inf, then R = P */ - if (ec_GFp_pt_is_inf_aff(qx, qy) == 0) { - MP_CHECKOK(mp_copy(px, rx)); - MP_CHECKOK(mp_copy(py, ry)); - res = MP_OKAY; - goto CLEANUP; - } - /* if px != qx, then lambda = (py-qy) / (px-qx) */ - if (mp_cmp(px, qx) != 0) { - MP_CHECKOK(group->meth->field_sub(py, qy, &tempy, group->meth)); - MP_CHECKOK(group->meth->field_sub(px, qx, &tempx, group->meth)); - MP_CHECKOK(group->meth->field_div(&tempy, &tempx, &lambda, group->meth)); - } else { - /* if py != qy or qy = 0, then R = inf */ - if (((mp_cmp(py, qy) != 0)) || (mp_cmp_z(qy) == 0)) { - mp_zero(rx); - mp_zero(ry); - res = MP_OKAY; - goto CLEANUP; - } - /* lambda = (3qx^2+a) / (2qy) */ - MP_CHECKOK(group->meth->field_sqr(qx, &tempx, group->meth)); - MP_CHECKOK(mp_set_int(&temp, 3)); - if (group->meth->field_enc) { - MP_CHECKOK(group->meth->field_enc(&temp, &temp, group->meth)); - } - MP_CHECKOK(group->meth->field_mul(&tempx, &temp, &tempx, group->meth)); - MP_CHECKOK(group->meth->field_add(&tempx, &group->curvea, &tempx, group->meth)); - MP_CHECKOK(mp_set_int(&temp, 2)); - if (group->meth->field_enc) { - MP_CHECKOK(group->meth->field_enc(&temp, &temp, group->meth)); - } - MP_CHECKOK(group->meth->field_mul(qy, &temp, &tempy, group->meth)); - MP_CHECKOK(group->meth->field_div(&tempx, &tempy, &lambda, group->meth)); - } - /* rx = lambda^2 - px - qx */ - MP_CHECKOK(group->meth->field_sqr(&lambda, &tempx, group->meth)); - MP_CHECKOK(group->meth->field_sub(&tempx, px, &tempx, group->meth)); - MP_CHECKOK(group->meth->field_sub(&tempx, qx, &tempx, group->meth)); - /* ry = (x1-x2) * lambda - y1 */ - MP_CHECKOK(group->meth->field_sub(qx, &tempx, &tempy, group->meth)); - MP_CHECKOK(group->meth->field_mul(&tempy, &lambda, &tempy, group->meth)); - MP_CHECKOK(group->meth->field_sub(&tempy, qy, &tempy, group->meth)); - MP_CHECKOK(mp_copy(&tempx, rx)); - MP_CHECKOK(mp_copy(&tempy, ry)); - -CLEANUP: - mp_clear(&lambda); - mp_clear(&temp); - mp_clear(&tempx); - mp_clear(&tempy); - return res; -} - -/* Computes R = P - Q. Elliptic curve points P, Q, and R can all be - * identical. Uses affine coordinates. Assumes input is already - * field-encoded using field_enc, and returns output that is still - * field-encoded. */ -mp_err -ec_GFp_pt_sub_aff(const mp_int *px, const mp_int *py, const mp_int *qx, - const mp_int *qy, mp_int *rx, mp_int *ry, - const ECGroup *group) -{ - mp_err res = MP_OKAY; - mp_int nqy; - - MP_DIGITS(&nqy) = 0; - MP_CHECKOK(mp_init(&nqy)); - /* nqy = -qy */ - MP_CHECKOK(group->meth->field_neg(qy, &nqy, group->meth)); - res = group->point_add(px, py, qx, &nqy, rx, ry, group); -CLEANUP: - mp_clear(&nqy); - return res; -} - -/* Computes R = 2P. Elliptic curve points P and R can be identical. Uses - * affine coordinates. Assumes input is already field-encoded using - * field_enc, and returns output that is still field-encoded. */ -mp_err -ec_GFp_pt_dbl_aff(const mp_int *px, const mp_int *py, mp_int *rx, - mp_int *ry, const ECGroup *group) -{ - return ec_GFp_pt_add_aff(px, py, px, py, rx, ry, group); -} - -/* by default, this routine is unused and thus doesn't need to be compiled */ -#ifdef ECL_ENABLE_GFP_PT_MUL_AFF -/* Computes R = nP based on IEEE P1363 A.10.3. Elliptic curve points P and - * R can be identical. Uses affine coordinates. Assumes input is already - * field-encoded using field_enc, and returns output that is still - * field-encoded. */ -mp_err -ec_GFp_pt_mul_aff(const mp_int *n, const mp_int *px, const mp_int *py, - mp_int *rx, mp_int *ry, const ECGroup *group) -{ - mp_err res = MP_OKAY; - mp_int k, k3, qx, qy, sx, sy; - int b1, b3, i, l; - - MP_DIGITS(&k) = 0; - MP_DIGITS(&k3) = 0; - MP_DIGITS(&qx) = 0; - MP_DIGITS(&qy) = 0; - MP_DIGITS(&sx) = 0; - MP_DIGITS(&sy) = 0; - MP_CHECKOK(mp_init(&k)); - MP_CHECKOK(mp_init(&k3)); - MP_CHECKOK(mp_init(&qx)); - MP_CHECKOK(mp_init(&qy)); - MP_CHECKOK(mp_init(&sx)); - MP_CHECKOK(mp_init(&sy)); - - /* if n = 0 then r = inf */ - if (mp_cmp_z(n) == 0) { - mp_zero(rx); - mp_zero(ry); - res = MP_OKAY; - goto CLEANUP; - } - /* Q = P, k = n */ - MP_CHECKOK(mp_copy(px, &qx)); - MP_CHECKOK(mp_copy(py, &qy)); - MP_CHECKOK(mp_copy(n, &k)); - /* if n < 0 then Q = -Q, k = -k */ - if (mp_cmp_z(n) < 0) { - MP_CHECKOK(group->meth->field_neg(&qy, &qy, group->meth)); - MP_CHECKOK(mp_neg(&k, &k)); - } -#ifdef ECL_DEBUG /* basic double and add method */ - l = mpl_significant_bits(&k) - 1; - MP_CHECKOK(mp_copy(&qx, &sx)); - MP_CHECKOK(mp_copy(&qy, &sy)); - for (i = l - 1; i >= 0; i--) { - /* S = 2S */ - MP_CHECKOK(group->point_dbl(&sx, &sy, &sx, &sy, group)); - /* if k_i = 1, then S = S + Q */ - if (mpl_get_bit(&k, i) != 0) { - MP_CHECKOK(group->point_add(&sx, &sy, &qx, &qy, &sx, &sy, group)); - } - } -#else /* double and add/subtract method from \ - * standard */ - /* k3 = 3 * k */ - MP_CHECKOK(mp_set_int(&k3, 3)); - MP_CHECKOK(mp_mul(&k, &k3, &k3)); - /* S = Q */ - MP_CHECKOK(mp_copy(&qx, &sx)); - MP_CHECKOK(mp_copy(&qy, &sy)); - /* l = index of high order bit in binary representation of 3*k */ - l = mpl_significant_bits(&k3) - 1; - /* for i = l-1 downto 1 */ - for (i = l - 1; i >= 1; i--) { - /* S = 2S */ - MP_CHECKOK(group->point_dbl(&sx, &sy, &sx, &sy, group)); - b3 = MP_GET_BIT(&k3, i); - b1 = MP_GET_BIT(&k, i); - /* if k3_i = 1 and k_i = 0, then S = S + Q */ - if ((b3 == 1) && (b1 == 0)) { - MP_CHECKOK(group->point_add(&sx, &sy, &qx, &qy, &sx, &sy, group)); - /* if k3_i = 0 and k_i = 1, then S = S - Q */ - } else if ((b3 == 0) && (b1 == 1)) { - MP_CHECKOK(group->point_sub(&sx, &sy, &qx, &qy, &sx, &sy, group)); - } - } -#endif - /* output S */ - MP_CHECKOK(mp_copy(&sx, rx)); - MP_CHECKOK(mp_copy(&sy, ry)); - -CLEANUP: - mp_clear(&k); - mp_clear(&k3); - mp_clear(&qx); - mp_clear(&qy); - mp_clear(&sx); - mp_clear(&sy); - return res; -} -#endif - -/* Validates a point on a GFp curve. */ -mp_err -ec_GFp_validate_point(const mp_int *px, const mp_int *py, const ECGroup *group) -{ - mp_err res = MP_NO; - mp_int accl, accr, tmp, pxt, pyt; - - MP_DIGITS(&accl) = 0; - MP_DIGITS(&accr) = 0; - MP_DIGITS(&tmp) = 0; - MP_DIGITS(&pxt) = 0; - MP_DIGITS(&pyt) = 0; - MP_CHECKOK(mp_init(&accl)); - MP_CHECKOK(mp_init(&accr)); - MP_CHECKOK(mp_init(&tmp)); - MP_CHECKOK(mp_init(&pxt)); - MP_CHECKOK(mp_init(&pyt)); - - /* 1: Verify that publicValue is not the point at infinity */ - if (ec_GFp_pt_is_inf_aff(px, py) == MP_YES) { - res = MP_NO; - goto CLEANUP; - } - /* 2: Verify that the coordinates of publicValue are elements - * of the field. - */ - if ((MP_SIGN(px) == MP_NEG) || (mp_cmp(px, &group->meth->irr) >= 0) || - (MP_SIGN(py) == MP_NEG) || (mp_cmp(py, &group->meth->irr) >= 0)) { - res = MP_NO; - goto CLEANUP; - } - /* 3: Verify that publicValue is on the curve. */ - if (group->meth->field_enc) { - group->meth->field_enc(px, &pxt, group->meth); - group->meth->field_enc(py, &pyt, group->meth); - } else { - MP_CHECKOK(mp_copy(px, &pxt)); - MP_CHECKOK(mp_copy(py, &pyt)); - } - /* left-hand side: y^2 */ - MP_CHECKOK(group->meth->field_sqr(&pyt, &accl, group->meth)); - /* right-hand side: x^3 + a*x + b = (x^2 + a)*x + b by Horner's rule */ - MP_CHECKOK(group->meth->field_sqr(&pxt, &tmp, group->meth)); - MP_CHECKOK(group->meth->field_add(&tmp, &group->curvea, &tmp, group->meth)); - MP_CHECKOK(group->meth->field_mul(&tmp, &pxt, &accr, group->meth)); - MP_CHECKOK(group->meth->field_add(&accr, &group->curveb, &accr, group->meth)); - /* check LHS - RHS == 0 */ - MP_CHECKOK(group->meth->field_sub(&accl, &accr, &accr, group->meth)); - if (mp_cmp_z(&accr) != 0) { - res = MP_NO; - goto CLEANUP; - } - /* 4: Verify that the order of the curve times the publicValue - * is the point at infinity. - */ - MP_CHECKOK(ECPoint_mul(group, &group->order, px, py, &pxt, &pyt)); - if (ec_GFp_pt_is_inf_aff(&pxt, &pyt) != MP_YES) { - res = MP_NO; - goto CLEANUP; - } - - res = MP_YES; - -CLEANUP: - mp_clear(&accl); - mp_clear(&accr); - mp_clear(&tmp); - mp_clear(&pxt); - mp_clear(&pyt); - return res; -} diff --git a/nss/lib/freebl/ecl/ecp_jac.c b/nss/lib/freebl/ecl/ecp_jac.c deleted file mode 100644 index 535e759..0000000 --- a/nss/lib/freebl/ecl/ecp_jac.c +++ /dev/null @@ -1,513 +0,0 @@ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#include "ecp.h" -#include "mplogic.h" -#include <stdlib.h> -#ifdef ECL_DEBUG -#include <assert.h> -#endif - -/* Converts a point P(px, py) from affine coordinates to Jacobian - * projective coordinates R(rx, ry, rz). Assumes input is already - * field-encoded using field_enc, and returns output that is still - * field-encoded. */ -mp_err -ec_GFp_pt_aff2jac(const mp_int *px, const mp_int *py, mp_int *rx, - mp_int *ry, mp_int *rz, const ECGroup *group) -{ - mp_err res = MP_OKAY; - - if (ec_GFp_pt_is_inf_aff(px, py) == MP_YES) { - MP_CHECKOK(ec_GFp_pt_set_inf_jac(rx, ry, rz)); - } else { - MP_CHECKOK(mp_copy(px, rx)); - MP_CHECKOK(mp_copy(py, ry)); - MP_CHECKOK(mp_set_int(rz, 1)); - if (group->meth->field_enc) { - MP_CHECKOK(group->meth->field_enc(rz, rz, group->meth)); - } - } -CLEANUP: - return res; -} - -/* Converts a point P(px, py, pz) from Jacobian projective coordinates to - * affine coordinates R(rx, ry). P and R can share x and y coordinates. - * Assumes input is already field-encoded using field_enc, and returns - * output that is still field-encoded. */ -mp_err -ec_GFp_pt_jac2aff(const mp_int *px, const mp_int *py, const mp_int *pz, - mp_int *rx, mp_int *ry, const ECGroup *group) -{ - mp_err res = MP_OKAY; - mp_int z1, z2, z3; - - MP_DIGITS(&z1) = 0; - MP_DIGITS(&z2) = 0; - MP_DIGITS(&z3) = 0; - MP_CHECKOK(mp_init(&z1)); - MP_CHECKOK(mp_init(&z2)); - MP_CHECKOK(mp_init(&z3)); - - /* if point at infinity, then set point at infinity and exit */ - if (ec_GFp_pt_is_inf_jac(px, py, pz) == MP_YES) { - MP_CHECKOK(ec_GFp_pt_set_inf_aff(rx, ry)); - goto CLEANUP; - } - - /* transform (px, py, pz) into (px / pz^2, py / pz^3) */ - if (mp_cmp_d(pz, 1) == 0) { - MP_CHECKOK(mp_copy(px, rx)); - MP_CHECKOK(mp_copy(py, ry)); - } else { - MP_CHECKOK(group->meth->field_div(NULL, pz, &z1, group->meth)); - MP_CHECKOK(group->meth->field_sqr(&z1, &z2, group->meth)); - MP_CHECKOK(group->meth->field_mul(&z1, &z2, &z3, group->meth)); - MP_CHECKOK(group->meth->field_mul(px, &z2, rx, group->meth)); - MP_CHECKOK(group->meth->field_mul(py, &z3, ry, group->meth)); - } - -CLEANUP: - mp_clear(&z1); - mp_clear(&z2); - mp_clear(&z3); - return res; -} - -/* Checks if point P(px, py, pz) is at infinity. Uses Jacobian - * coordinates. */ -mp_err -ec_GFp_pt_is_inf_jac(const mp_int *px, const mp_int *py, const mp_int *pz) -{ - return mp_cmp_z(pz); -} - -/* Sets P(px, py, pz) to be the point at infinity. Uses Jacobian - * coordinates. */ -mp_err -ec_GFp_pt_set_inf_jac(mp_int *px, mp_int *py, mp_int *pz) -{ - mp_zero(pz); - return MP_OKAY; -} - -/* Computes R = P + Q where R is (rx, ry, rz), P is (px, py, pz) and Q is - * (qx, qy, 1). Elliptic curve points P, Q, and R can all be identical. - * Uses mixed Jacobian-affine coordinates. Assumes input is already - * field-encoded using field_enc, and returns output that is still - * field-encoded. Uses equation (2) from Brown, Hankerson, Lopez, and - * Menezes. Software Implementation of the NIST Elliptic Curves Over Prime - * Fields. */ -mp_err -ec_GFp_pt_add_jac_aff(const mp_int *px, const mp_int *py, const mp_int *pz, - const mp_int *qx, const mp_int *qy, mp_int *rx, - mp_int *ry, mp_int *rz, const ECGroup *group) -{ - mp_err res = MP_OKAY; - mp_int A, B, C, D, C2, C3; - - MP_DIGITS(&A) = 0; - MP_DIGITS(&B) = 0; - MP_DIGITS(&C) = 0; - MP_DIGITS(&D) = 0; - MP_DIGITS(&C2) = 0; - MP_DIGITS(&C3) = 0; - MP_CHECKOK(mp_init(&A)); - MP_CHECKOK(mp_init(&B)); - MP_CHECKOK(mp_init(&C)); - MP_CHECKOK(mp_init(&D)); - MP_CHECKOK(mp_init(&C2)); - MP_CHECKOK(mp_init(&C3)); - - /* If either P or Q is the point at infinity, then return the other - * point */ - if (ec_GFp_pt_is_inf_jac(px, py, pz) == MP_YES) { - MP_CHECKOK(ec_GFp_pt_aff2jac(qx, qy, rx, ry, rz, group)); - goto CLEANUP; - } - if (ec_GFp_pt_is_inf_aff(qx, qy) == MP_YES) { - MP_CHECKOK(mp_copy(px, rx)); - MP_CHECKOK(mp_copy(py, ry)); - MP_CHECKOK(mp_copy(pz, rz)); - goto CLEANUP; - } - - /* A = qx * pz^2, B = qy * pz^3 */ - MP_CHECKOK(group->meth->field_sqr(pz, &A, group->meth)); - MP_CHECKOK(group->meth->field_mul(&A, pz, &B, group->meth)); - MP_CHECKOK(group->meth->field_mul(&A, qx, &A, group->meth)); - MP_CHECKOK(group->meth->field_mul(&B, qy, &B, group->meth)); - - /* C = A - px, D = B - py */ - MP_CHECKOK(group->meth->field_sub(&A, px, &C, group->meth)); - MP_CHECKOK(group->meth->field_sub(&B, py, &D, group->meth)); - - if (mp_cmp_z(&C) == 0) { - /* P == Q or P == -Q */ - if (mp_cmp_z(&D) == 0) { - /* P == Q */ - /* It is cheaper to double (qx, qy, 1) than (px, py, pz). */ - MP_DIGIT(&D, 0) = 1; /* Set D to 1. */ - MP_CHECKOK(ec_GFp_pt_dbl_jac(qx, qy, &D, rx, ry, rz, group)); - } else { - /* P == -Q */ - MP_CHECKOK(ec_GFp_pt_set_inf_jac(rx, ry, rz)); - } - goto CLEANUP; - } - - /* C2 = C^2, C3 = C^3 */ - MP_CHECKOK(group->meth->field_sqr(&C, &C2, group->meth)); - MP_CHECKOK(group->meth->field_mul(&C, &C2, &C3, group->meth)); - - /* rz = pz * C */ - MP_CHECKOK(group->meth->field_mul(pz, &C, rz, group->meth)); - - /* C = px * C^2 */ - MP_CHECKOK(group->meth->field_mul(px, &C2, &C, group->meth)); - /* A = D^2 */ - MP_CHECKOK(group->meth->field_sqr(&D, &A, group->meth)); - - /* rx = D^2 - (C^3 + 2 * (px * C^2)) */ - MP_CHECKOK(group->meth->field_add(&C, &C, rx, group->meth)); - MP_CHECKOK(group->meth->field_add(&C3, rx, rx, group->meth)); - MP_CHECKOK(group->meth->field_sub(&A, rx, rx, group->meth)); - - /* C3 = py * C^3 */ - MP_CHECKOK(group->meth->field_mul(py, &C3, &C3, group->meth)); - - /* ry = D * (px * C^2 - rx) - py * C^3 */ - MP_CHECKOK(group->meth->field_sub(&C, rx, ry, group->meth)); - MP_CHECKOK(group->meth->field_mul(&D, ry, ry, group->meth)); - MP_CHECKOK(group->meth->field_sub(ry, &C3, ry, group->meth)); - -CLEANUP: - mp_clear(&A); - mp_clear(&B); - mp_clear(&C); - mp_clear(&D); - mp_clear(&C2); - mp_clear(&C3); - return res; -} - -/* Computes R = 2P. Elliptic curve points P and R can be identical. Uses - * Jacobian coordinates. - * - * Assumes input is already field-encoded using field_enc, and returns - * output that is still field-encoded. - * - * This routine implements Point Doubling in the Jacobian Projective - * space as described in the paper "Efficient elliptic curve exponentiation - * using mixed coordinates", by H. Cohen, A Miyaji, T. Ono. - */ -mp_err -ec_GFp_pt_dbl_jac(const mp_int *px, const mp_int *py, const mp_int *pz, - mp_int *rx, mp_int *ry, mp_int *rz, const ECGroup *group) -{ - mp_err res = MP_OKAY; - mp_int t0, t1, M, S; - - MP_DIGITS(&t0) = 0; - MP_DIGITS(&t1) = 0; - MP_DIGITS(&M) = 0; - MP_DIGITS(&S) = 0; - MP_CHECKOK(mp_init(&t0)); - MP_CHECKOK(mp_init(&t1)); - MP_CHECKOK(mp_init(&M)); - MP_CHECKOK(mp_init(&S)); - - /* P == inf or P == -P */ - if (ec_GFp_pt_is_inf_jac(px, py, pz) == MP_YES || mp_cmp_z(py) == 0) { - MP_CHECKOK(ec_GFp_pt_set_inf_jac(rx, ry, rz)); - goto CLEANUP; - } - - if (mp_cmp_d(pz, 1) == 0) { - /* M = 3 * px^2 + a */ - MP_CHECKOK(group->meth->field_sqr(px, &t0, group->meth)); - MP_CHECKOK(group->meth->field_add(&t0, &t0, &M, group->meth)); - MP_CHECKOK(group->meth->field_add(&t0, &M, &t0, group->meth)); - MP_CHECKOK(group->meth->field_add(&t0, &group->curvea, &M, group->meth)); - } else if (MP_SIGN(&group->curvea) == MP_NEG && - MP_USED(&group->curvea) == 1 && - MP_DIGIT(&group->curvea, 0) == 3) { - /* M = 3 * (px + pz^2) * (px - pz^2) */ - MP_CHECKOK(group->meth->field_sqr(pz, &M, group->meth)); - MP_CHECKOK(group->meth->field_add(px, &M, &t0, group->meth)); - MP_CHECKOK(group->meth->field_sub(px, &M, &t1, group->meth)); - MP_CHECKOK(group->meth->field_mul(&t0, &t1, &M, group->meth)); - MP_CHECKOK(group->meth->field_add(&M, &M, &t0, group->meth)); - MP_CHECKOK(group->meth->field_add(&t0, &M, &M, group->meth)); - } else { - /* M = 3 * (px^2) + a * (pz^4) */ - MP_CHECKOK(group->meth->field_sqr(px, &t0, group->meth)); - MP_CHECKOK(group->meth->field_add(&t0, &t0, &M, group->meth)); - MP_CHECKOK(group->meth->field_add(&t0, &M, &t0, group->meth)); - MP_CHECKOK(group->meth->field_sqr(pz, &M, group->meth)); - MP_CHECKOK(group->meth->field_sqr(&M, &M, group->meth)); - MP_CHECKOK(group->meth->field_mul(&M, &group->curvea, &M, group->meth)); - MP_CHECKOK(group->meth->field_add(&M, &t0, &M, group->meth)); - } - - /* rz = 2 * py * pz */ - /* t0 = 4 * py^2 */ - if (mp_cmp_d(pz, 1) == 0) { - MP_CHECKOK(group->meth->field_add(py, py, rz, group->meth)); - MP_CHECKOK(group->meth->field_sqr(rz, &t0, group->meth)); - } else { - MP_CHECKOK(group->meth->field_add(py, py, &t0, group->meth)); - MP_CHECKOK(group->meth->field_mul(&t0, pz, rz, group->meth)); - MP_CHECKOK(group->meth->field_sqr(&t0, &t0, group->meth)); - } - - /* S = 4 * px * py^2 = px * (2 * py)^2 */ - MP_CHECKOK(group->meth->field_mul(px, &t0, &S, group->meth)); - - /* rx = M^2 - 2 * S */ - MP_CHECKOK(group->meth->field_add(&S, &S, &t1, group->meth)); - MP_CHECKOK(group->meth->field_sqr(&M, rx, group->meth)); - MP_CHECKOK(group->meth->field_sub(rx, &t1, rx, group->meth)); - - /* ry = M * (S - rx) - 8 * py^4 */ - MP_CHECKOK(group->meth->field_sqr(&t0, &t1, group->meth)); - if (mp_isodd(&t1)) { - MP_CHECKOK(mp_add(&t1, &group->meth->irr, &t1)); - } - MP_CHECKOK(mp_div_2(&t1, &t1)); - MP_CHECKOK(group->meth->field_sub(&S, rx, &S, group->meth)); - MP_CHECKOK(group->meth->field_mul(&M, &S, &M, group->meth)); - MP_CHECKOK(group->meth->field_sub(&M, &t1, ry, group->meth)); - -CLEANUP: - mp_clear(&t0); - mp_clear(&t1); - mp_clear(&M); - mp_clear(&S); - return res; -} - -/* by default, this routine is unused and thus doesn't need to be compiled */ -#ifdef ECL_ENABLE_GFP_PT_MUL_JAC -/* Computes R = nP where R is (rx, ry) and P is (px, py). The parameters - * a, b and p are the elliptic curve coefficients and the prime that - * determines the field GFp. Elliptic curve points P and R can be - * identical. Uses mixed Jacobian-affine coordinates. Assumes input is - * already field-encoded using field_enc, and returns output that is still - * field-encoded. Uses 4-bit window method. */ -mp_err -ec_GFp_pt_mul_jac(const mp_int *n, const mp_int *px, const mp_int *py, - mp_int *rx, mp_int *ry, const ECGroup *group) -{ - mp_err res = MP_OKAY; - mp_int precomp[16][2], rz; - int i, ni, d; - - MP_DIGITS(&rz) = 0; - for (i = 0; i < 16; i++) { - MP_DIGITS(&precomp[i][0]) = 0; - MP_DIGITS(&precomp[i][1]) = 0; - } - - ARGCHK(group != NULL, MP_BADARG); - ARGCHK((n != NULL) && (px != NULL) && (py != NULL), MP_BADARG); - - /* initialize precomputation table */ - for (i = 0; i < 16; i++) { - MP_CHECKOK(mp_init(&precomp[i][0])); - MP_CHECKOK(mp_init(&precomp[i][1])); - } - - /* fill precomputation table */ - mp_zero(&precomp[0][0]); - mp_zero(&precomp[0][1]); - MP_CHECKOK(mp_copy(px, &precomp[1][0])); - MP_CHECKOK(mp_copy(py, &precomp[1][1])); - for (i = 2; i < 16; i++) { - MP_CHECKOK(group->point_add(&precomp[1][0], &precomp[1][1], - &precomp[i - 1][0], &precomp[i - 1][1], - &precomp[i][0], &precomp[i][1], group)); - } - - d = (mpl_significant_bits(n) + 3) / 4; - - /* R = inf */ - MP_CHECKOK(mp_init(&rz)); - MP_CHECKOK(ec_GFp_pt_set_inf_jac(rx, ry, &rz)); - - for (i = d - 1; i >= 0; i--) { - /* compute window ni */ - ni = MP_GET_BIT(n, 4 * i + 3); - ni <<= 1; - ni |= MP_GET_BIT(n, 4 * i + 2); - ni <<= 1; - ni |= MP_GET_BIT(n, 4 * i + 1); - ni <<= 1; - ni |= MP_GET_BIT(n, 4 * i); - /* R = 2^4 * R */ - MP_CHECKOK(ec_GFp_pt_dbl_jac(rx, ry, &rz, rx, ry, &rz, group)); - MP_CHECKOK(ec_GFp_pt_dbl_jac(rx, ry, &rz, rx, ry, &rz, group)); - MP_CHECKOK(ec_GFp_pt_dbl_jac(rx, ry, &rz, rx, ry, &rz, group)); - MP_CHECKOK(ec_GFp_pt_dbl_jac(rx, ry, &rz, rx, ry, &rz, group)); - /* R = R + (ni * P) */ - MP_CHECKOK(ec_GFp_pt_add_jac_aff(rx, ry, &rz, &precomp[ni][0], &precomp[ni][1], rx, ry, - &rz, group)); - } - - /* convert result S to affine coordinates */ - MP_CHECKOK(ec_GFp_pt_jac2aff(rx, ry, &rz, rx, ry, group)); - -CLEANUP: - mp_clear(&rz); - for (i = 0; i < 16; i++) { - mp_clear(&precomp[i][0]); - mp_clear(&precomp[i][1]); - } - return res; -} -#endif - -/* Elliptic curve scalar-point multiplication. Computes R(x, y) = k1 * G + - * k2 * P(x, y), where G is the generator (base point) of the group of - * points on the elliptic curve. Allows k1 = NULL or { k2, P } = NULL. - * Uses mixed Jacobian-affine coordinates. Input and output values are - * assumed to be NOT field-encoded. Uses algorithm 15 (simultaneous - * multiple point multiplication) from Brown, Hankerson, Lopez, Menezes. - * Software Implementation of the NIST Elliptic Curves over Prime Fields. */ -mp_err -ec_GFp_pts_mul_jac(const mp_int *k1, const mp_int *k2, const mp_int *px, - const mp_int *py, mp_int *rx, mp_int *ry, - const ECGroup *group) -{ - mp_err res = MP_OKAY; - mp_int precomp[4][4][2]; - mp_int rz; - const mp_int *a, *b; - unsigned int i, j; - int ai, bi, d; - - for (i = 0; i < 4; i++) { - for (j = 0; j < 4; j++) { - MP_DIGITS(&precomp[i][j][0]) = 0; - MP_DIGITS(&precomp[i][j][1]) = 0; - } - } - MP_DIGITS(&rz) = 0; - - ARGCHK(group != NULL, MP_BADARG); - ARGCHK(!((k1 == NULL) && ((k2 == NULL) || (px == NULL) || (py == NULL))), MP_BADARG); - - /* if some arguments are not defined used ECPoint_mul */ - if (k1 == NULL) { - return ECPoint_mul(group, k2, px, py, rx, ry); - } else if ((k2 == NULL) || (px == NULL) || (py == NULL)) { - return ECPoint_mul(group, k1, NULL, NULL, rx, ry); - } - - /* initialize precomputation table */ - for (i = 0; i < 4; i++) { - for (j = 0; j < 4; j++) { - MP_CHECKOK(mp_init(&precomp[i][j][0])); - MP_CHECKOK(mp_init(&precomp[i][j][1])); - } - } - - /* fill precomputation table */ - /* assign {k1, k2} = {a, b} such that len(a) >= len(b) */ - if (mpl_significant_bits(k1) < mpl_significant_bits(k2)) { - a = k2; - b = k1; - if (group->meth->field_enc) { - MP_CHECKOK(group->meth->field_enc(px, &precomp[1][0][0], group->meth)); - MP_CHECKOK(group->meth->field_enc(py, &precomp[1][0][1], group->meth)); - } else { - MP_CHECKOK(mp_copy(px, &precomp[1][0][0])); - MP_CHECKOK(mp_copy(py, &precomp[1][0][1])); - } - MP_CHECKOK(mp_copy(&group->genx, &precomp[0][1][0])); - MP_CHECKOK(mp_copy(&group->geny, &precomp[0][1][1])); - } else { - a = k1; - b = k2; - MP_CHECKOK(mp_copy(&group->genx, &precomp[1][0][0])); - MP_CHECKOK(mp_copy(&group->geny, &precomp[1][0][1])); - if (group->meth->field_enc) { - MP_CHECKOK(group->meth->field_enc(px, &precomp[0][1][0], group->meth)); - MP_CHECKOK(group->meth->field_enc(py, &precomp[0][1][1], group->meth)); - } else { - MP_CHECKOK(mp_copy(px, &precomp[0][1][0])); - MP_CHECKOK(mp_copy(py, &precomp[0][1][1])); - } - } - /* precompute [*][0][*] */ - mp_zero(&precomp[0][0][0]); - mp_zero(&precomp[0][0][1]); - MP_CHECKOK(group->point_dbl(&precomp[1][0][0], &precomp[1][0][1], - &precomp[2][0][0], &precomp[2][0][1], group)); - MP_CHECKOK(group->point_add(&precomp[1][0][0], &precomp[1][0][1], - &precomp[2][0][0], &precomp[2][0][1], - &precomp[3][0][0], &precomp[3][0][1], group)); - /* precompute [*][1][*] */ - for (i = 1; i < 4; i++) { - MP_CHECKOK(group->point_add(&precomp[0][1][0], &precomp[0][1][1], - &precomp[i][0][0], &precomp[i][0][1], - &precomp[i][1][0], &precomp[i][1][1], group)); - } - /* precompute [*][2][*] */ - MP_CHECKOK(group->point_dbl(&precomp[0][1][0], &precomp[0][1][1], - &precomp[0][2][0], &precomp[0][2][1], group)); - for (i = 1; i < 4; i++) { - MP_CHECKOK(group->point_add(&precomp[0][2][0], &precomp[0][2][1], - &precomp[i][0][0], &precomp[i][0][1], - &precomp[i][2][0], &precomp[i][2][1], group)); - } - /* precompute [*][3][*] */ - MP_CHECKOK(group->point_add(&precomp[0][1][0], &precomp[0][1][1], - &precomp[0][2][0], &precomp[0][2][1], - &precomp[0][3][0], &precomp[0][3][1], group)); - for (i = 1; i < 4; i++) { - MP_CHECKOK(group->point_add(&precomp[0][3][0], &precomp[0][3][1], - &precomp[i][0][0], &precomp[i][0][1], - &precomp[i][3][0], &precomp[i][3][1], group)); - } - - d = (mpl_significant_bits(a) + 1) / 2; - - /* R = inf */ - MP_CHECKOK(mp_init(&rz)); - MP_CHECKOK(ec_GFp_pt_set_inf_jac(rx, ry, &rz)); - - for (i = d; i-- > 0;) { - ai = MP_GET_BIT(a, 2 * i + 1); - ai <<= 1; - ai |= MP_GET_BIT(a, 2 * i); - bi = MP_GET_BIT(b, 2 * i + 1); - bi <<= 1; - bi |= MP_GET_BIT(b, 2 * i); - /* R = 2^2 * R */ - MP_CHECKOK(ec_GFp_pt_dbl_jac(rx, ry, &rz, rx, ry, &rz, group)); - MP_CHECKOK(ec_GFp_pt_dbl_jac(rx, ry, &rz, rx, ry, &rz, group)); - /* R = R + (ai * A + bi * B) */ - MP_CHECKOK(ec_GFp_pt_add_jac_aff(rx, ry, &rz, &precomp[ai][bi][0], &precomp[ai][bi][1], - rx, ry, &rz, group)); - } - - MP_CHECKOK(ec_GFp_pt_jac2aff(rx, ry, &rz, rx, ry, group)); - - if (group->meth->field_dec) { - MP_CHECKOK(group->meth->field_dec(rx, rx, group->meth)); - MP_CHECKOK(group->meth->field_dec(ry, ry, group->meth)); - } - -CLEANUP: - mp_clear(&rz); - for (i = 0; i < 4; i++) { - for (j = 0; j < 4; j++) { - mp_clear(&precomp[i][j][0]); - mp_clear(&precomp[i][j][1]); - } - } - return res; -} diff --git a/nss/lib/freebl/ecl/ecp_jm.c b/nss/lib/freebl/ecl/ecp_jm.c deleted file mode 100644 index 7998421..0000000 --- a/nss/lib/freebl/ecl/ecp_jm.c +++ /dev/null @@ -1,297 +0,0 @@ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#include "ecp.h" -#include "ecl-priv.h" -#include "mplogic.h" -#include <stdlib.h> - -#define MAX_SCRATCH 6 - -/* Computes R = 2P. Elliptic curve points P and R can be identical. Uses - * Modified Jacobian coordinates. - * - * Assumes input is already field-encoded using field_enc, and returns - * output that is still field-encoded. - * - */ -static mp_err -ec_GFp_pt_dbl_jm(const mp_int *px, const mp_int *py, const mp_int *pz, - const mp_int *paz4, mp_int *rx, mp_int *ry, mp_int *rz, - mp_int *raz4, mp_int scratch[], const ECGroup *group) -{ - mp_err res = MP_OKAY; - mp_int *t0, *t1, *M, *S; - - t0 = &scratch[0]; - t1 = &scratch[1]; - M = &scratch[2]; - S = &scratch[3]; - -#if MAX_SCRATCH < 4 -#error "Scratch array defined too small " -#endif - - /* Check for point at infinity */ - if (ec_GFp_pt_is_inf_jac(px, py, pz) == MP_YES) { - /* Set r = pt at infinity by setting rz = 0 */ - - MP_CHECKOK(ec_GFp_pt_set_inf_jac(rx, ry, rz)); - goto CLEANUP; - } - - /* M = 3 (px^2) + a*(pz^4) */ - MP_CHECKOK(group->meth->field_sqr(px, t0, group->meth)); - MP_CHECKOK(group->meth->field_add(t0, t0, M, group->meth)); - MP_CHECKOK(group->meth->field_add(t0, M, t0, group->meth)); - MP_CHECKOK(group->meth->field_add(t0, paz4, M, group->meth)); - - /* rz = 2 * py * pz */ - MP_CHECKOK(group->meth->field_mul(py, pz, S, group->meth)); - MP_CHECKOK(group->meth->field_add(S, S, rz, group->meth)); - - /* t0 = 2y^2 , t1 = 8y^4 */ - MP_CHECKOK(group->meth->field_sqr(py, t0, group->meth)); - MP_CHECKOK(group->meth->field_add(t0, t0, t0, group->meth)); - MP_CHECKOK(group->meth->field_sqr(t0, t1, group->meth)); - MP_CHECKOK(group->meth->field_add(t1, t1, t1, group->meth)); - - /* S = 4 * px * py^2 = 2 * px * t0 */ - MP_CHECKOK(group->meth->field_mul(px, t0, S, group->meth)); - MP_CHECKOK(group->meth->field_add(S, S, S, group->meth)); - - /* rx = M^2 - 2S */ - MP_CHECKOK(group->meth->field_sqr(M, rx, group->meth)); - MP_CHECKOK(group->meth->field_sub(rx, S, rx, group->meth)); - MP_CHECKOK(group->meth->field_sub(rx, S, rx, group->meth)); - - /* ry = M * (S - rx) - t1 */ - MP_CHECKOK(group->meth->field_sub(S, rx, S, group->meth)); - MP_CHECKOK(group->meth->field_mul(S, M, ry, group->meth)); - MP_CHECKOK(group->meth->field_sub(ry, t1, ry, group->meth)); - - /* ra*z^4 = 2*t1*(apz4) */ - MP_CHECKOK(group->meth->field_mul(paz4, t1, raz4, group->meth)); - MP_CHECKOK(group->meth->field_add(raz4, raz4, raz4, group->meth)); - -CLEANUP: - return res; -} - -/* Computes R = P + Q where R is (rx, ry, rz), P is (px, py, pz) and Q is - * (qx, qy, 1). Elliptic curve points P, Q, and R can all be identical. - * Uses mixed Modified_Jacobian-affine coordinates. Assumes input is - * already field-encoded using field_enc, and returns output that is still - * field-encoded. */ -static mp_err -ec_GFp_pt_add_jm_aff(const mp_int *px, const mp_int *py, const mp_int *pz, - const mp_int *paz4, const mp_int *qx, - const mp_int *qy, mp_int *rx, mp_int *ry, mp_int *rz, - mp_int *raz4, mp_int scratch[], const ECGroup *group) -{ - mp_err res = MP_OKAY; - mp_int *A, *B, *C, *D, *C2, *C3; - - A = &scratch[0]; - B = &scratch[1]; - C = &scratch[2]; - D = &scratch[3]; - C2 = &scratch[4]; - C3 = &scratch[5]; - -#if MAX_SCRATCH < 6 -#error "Scratch array defined too small " -#endif - - /* If either P or Q is the point at infinity, then return the other - * point */ - if (ec_GFp_pt_is_inf_jac(px, py, pz) == MP_YES) { - MP_CHECKOK(ec_GFp_pt_aff2jac(qx, qy, rx, ry, rz, group)); - MP_CHECKOK(group->meth->field_sqr(rz, raz4, group->meth)); - MP_CHECKOK(group->meth->field_sqr(raz4, raz4, group->meth)); - MP_CHECKOK(group->meth->field_mul(raz4, &group->curvea, raz4, group->meth)); - goto CLEANUP; - } - if (ec_GFp_pt_is_inf_aff(qx, qy) == MP_YES) { - MP_CHECKOK(mp_copy(px, rx)); - MP_CHECKOK(mp_copy(py, ry)); - MP_CHECKOK(mp_copy(pz, rz)); - MP_CHECKOK(mp_copy(paz4, raz4)); - goto CLEANUP; - } - - /* A = qx * pz^2, B = qy * pz^3 */ - MP_CHECKOK(group->meth->field_sqr(pz, A, group->meth)); - MP_CHECKOK(group->meth->field_mul(A, pz, B, group->meth)); - MP_CHECKOK(group->meth->field_mul(A, qx, A, group->meth)); - MP_CHECKOK(group->meth->field_mul(B, qy, B, group->meth)); - - /* Check P == Q */ - if (mp_cmp(A, px) == 0) { - if (mp_cmp(B, py) == 0) { - /* If Px == Qx && Py == Qy, double P. */ - return ec_GFp_pt_dbl_jm(px, py, pz, paz4, rx, ry, rz, raz4, - scratch, group); - } - /* If Px == Qx && Py != Qy, return point at infinity. */ - return ec_GFp_pt_set_inf_jac(rx, ry, rz); - } - - /* C = A - px, D = B - py */ - MP_CHECKOK(group->meth->field_sub(A, px, C, group->meth)); - MP_CHECKOK(group->meth->field_sub(B, py, D, group->meth)); - - /* C2 = C^2, C3 = C^3 */ - MP_CHECKOK(group->meth->field_sqr(C, C2, group->meth)); - MP_CHECKOK(group->meth->field_mul(C, C2, C3, group->meth)); - - /* rz = pz * C */ - MP_CHECKOK(group->meth->field_mul(pz, C, rz, group->meth)); - - /* C = px * C^2 */ - MP_CHECKOK(group->meth->field_mul(px, C2, C, group->meth)); - /* A = D^2 */ - MP_CHECKOK(group->meth->field_sqr(D, A, group->meth)); - - /* rx = D^2 - (C^3 + 2 * (px * C^2)) */ - MP_CHECKOK(group->meth->field_add(C, C, rx, group->meth)); - MP_CHECKOK(group->meth->field_add(C3, rx, rx, group->meth)); - MP_CHECKOK(group->meth->field_sub(A, rx, rx, group->meth)); - - /* C3 = py * C^3 */ - MP_CHECKOK(group->meth->field_mul(py, C3, C3, group->meth)); - - /* ry = D * (px * C^2 - rx) - py * C^3 */ - MP_CHECKOK(group->meth->field_sub(C, rx, ry, group->meth)); - MP_CHECKOK(group->meth->field_mul(D, ry, ry, group->meth)); - MP_CHECKOK(group->meth->field_sub(ry, C3, ry, group->meth)); - - /* raz4 = a * rz^4 */ - MP_CHECKOK(group->meth->field_sqr(rz, raz4, group->meth)); - MP_CHECKOK(group->meth->field_sqr(raz4, raz4, group->meth)); - MP_CHECKOK(group->meth->field_mul(raz4, &group->curvea, raz4, group->meth)); -CLEANUP: - return res; -} - -/* Computes R = nP where R is (rx, ry) and P is the base point. Elliptic - * curve points P and R can be identical. Uses mixed Modified-Jacobian - * co-ordinates for doubling and Chudnovsky Jacobian coordinates for - * additions. Assumes input is already field-encoded using field_enc, and - * returns output that is still field-encoded. Uses 5-bit window NAF - * method (algorithm 11) for scalar-point multiplication from Brown, - * Hankerson, Lopez, Menezes. Software Implementation of the NIST Elliptic - * Curves Over Prime Fields. */ -mp_err -ec_GFp_pt_mul_jm_wNAF(const mp_int *n, const mp_int *px, const mp_int *py, - mp_int *rx, mp_int *ry, const ECGroup *group) -{ - mp_err res = MP_OKAY; - mp_int precomp[16][2], rz, tpx, tpy; - mp_int raz4; - mp_int scratch[MAX_SCRATCH]; - signed char *naf = NULL; - int i, orderBitSize = 0; - - MP_DIGITS(&rz) = 0; - MP_DIGITS(&raz4) = 0; - MP_DIGITS(&tpx) = 0; - MP_DIGITS(&tpy) = 0; - for (i = 0; i < 16; i++) { - MP_DIGITS(&precomp[i][0]) = 0; - MP_DIGITS(&precomp[i][1]) = 0; - } - for (i = 0; i < MAX_SCRATCH; i++) { - MP_DIGITS(&scratch[i]) = 0; - } - - ARGCHK(group != NULL, MP_BADARG); - ARGCHK((n != NULL) && (px != NULL) && (py != NULL), MP_BADARG); - - /* initialize precomputation table */ - MP_CHECKOK(mp_init(&tpx)); - MP_CHECKOK(mp_init(&tpy)); - ; - MP_CHECKOK(mp_init(&rz)); - MP_CHECKOK(mp_init(&raz4)); - - for (i = 0; i < 16; i++) { - MP_CHECKOK(mp_init(&precomp[i][0])); - MP_CHECKOK(mp_init(&precomp[i][1])); - } - for (i = 0; i < MAX_SCRATCH; i++) { - MP_CHECKOK(mp_init(&scratch[i])); - } - - /* Set out[8] = P */ - MP_CHECKOK(mp_copy(px, &precomp[8][0])); - MP_CHECKOK(mp_copy(py, &precomp[8][1])); - - /* Set (tpx, tpy) = 2P */ - MP_CHECKOK(group->point_dbl(&precomp[8][0], &precomp[8][1], &tpx, &tpy, - group)); - - /* Set 3P, 5P, ..., 15P */ - for (i = 8; i < 15; i++) { - MP_CHECKOK(group->point_add(&precomp[i][0], &precomp[i][1], &tpx, &tpy, - &precomp[i + 1][0], &precomp[i + 1][1], - group)); - } - - /* Set -15P, -13P, ..., -P */ - for (i = 0; i < 8; i++) { - MP_CHECKOK(mp_copy(&precomp[15 - i][0], &precomp[i][0])); - MP_CHECKOK(group->meth->field_neg(&precomp[15 - i][1], &precomp[i][1], - group->meth)); - } - - /* R = inf */ - MP_CHECKOK(ec_GFp_pt_set_inf_jac(rx, ry, &rz)); - - orderBitSize = mpl_significant_bits(&group->order); - - /* Allocate memory for NAF */ - naf = (signed char *)malloc(sizeof(signed char) * (orderBitSize + 1)); - if (naf == NULL) { - res = MP_MEM; - goto CLEANUP; - } - - /* Compute 5NAF */ - ec_compute_wNAF(naf, orderBitSize, n, 5); - - /* wNAF method */ - for (i = orderBitSize; i >= 0; i--) { - /* R = 2R */ - ec_GFp_pt_dbl_jm(rx, ry, &rz, &raz4, rx, ry, &rz, - &raz4, scratch, group); - if (naf[i] != 0) { - ec_GFp_pt_add_jm_aff(rx, ry, &rz, &raz4, - &precomp[(naf[i] + 15) / 2][0], - &precomp[(naf[i] + 15) / 2][1], rx, ry, - &rz, &raz4, scratch, group); - } - } - - /* convert result S to affine coordinates */ - MP_CHECKOK(ec_GFp_pt_jac2aff(rx, ry, &rz, rx, ry, group)); - -CLEANUP: - for (i = 0; i < MAX_SCRATCH; i++) { - mp_clear(&scratch[i]); - } - for (i = 0; i < 16; i++) { - mp_clear(&precomp[i][0]); - mp_clear(&precomp[i][1]); - } - mp_clear(&tpx); - mp_clear(&tpy); - mp_clear(&rz); - mp_clear(&raz4); - if (naf) { - memset(naf, 0, orderBitSize + 1); - } - free(naf); - return res; -} diff --git a/nss/lib/freebl/ecl/ecp_mont.c b/nss/lib/freebl/ecl/ecp_mont.c deleted file mode 100644 index 779685b..0000000 --- a/nss/lib/freebl/ecl/ecp_mont.c +++ /dev/null @@ -1,154 +0,0 @@ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -/* Uses Montgomery reduction for field arithmetic. See mpi/mpmontg.c for - * code implementation. */ - -#include "mpi.h" -#include "mplogic.h" -#include "mpi-priv.h" -#include "ecl-priv.h" -#include "ecp.h" -#include <stdlib.h> -#include <stdio.h> - -/* Construct a generic GFMethod for arithmetic over prime fields with - * irreducible irr. */ -GFMethod * -GFMethod_consGFp_mont(const mp_int *irr) -{ - mp_err res = MP_OKAY; - GFMethod *meth = NULL; - mp_mont_modulus *mmm; - - meth = GFMethod_consGFp(irr); - if (meth == NULL) - return NULL; - - mmm = (mp_mont_modulus *)malloc(sizeof(mp_mont_modulus)); - if (mmm == NULL) { - res = MP_MEM; - goto CLEANUP; - } - - meth->field_mul = &ec_GFp_mul_mont; - meth->field_sqr = &ec_GFp_sqr_mont; - meth->field_div = &ec_GFp_div_mont; - meth->field_enc = &ec_GFp_enc_mont; - meth->field_dec = &ec_GFp_dec_mont; - meth->extra1 = mmm; - meth->extra2 = NULL; - meth->extra_free = &ec_GFp_extra_free_mont; - - mmm->N = meth->irr; - mmm->n0prime = 0 - s_mp_invmod_radix(MP_DIGIT(&meth->irr, 0)); - -CLEANUP: - if (res != MP_OKAY) { - GFMethod_free(meth); - return NULL; - } - return meth; -} - -/* Wrapper functions for generic prime field arithmetic. */ - -/* Field multiplication using Montgomery reduction. */ -mp_err -ec_GFp_mul_mont(const mp_int *a, const mp_int *b, mp_int *r, - const GFMethod *meth) -{ - mp_err res = MP_OKAY; - -#ifdef MP_MONT_USE_MP_MUL - /* if MP_MONT_USE_MP_MUL is defined, then the function s_mp_mul_mont - * is not implemented and we have to use mp_mul and s_mp_redc directly - */ - MP_CHECKOK(mp_mul(a, b, r)); - MP_CHECKOK(s_mp_redc(r, (mp_mont_modulus *)meth->extra1)); -#else - mp_int s; - - MP_DIGITS(&s) = 0; - /* s_mp_mul_mont doesn't allow source and destination to be the same */ - if ((a == r) || (b == r)) { - MP_CHECKOK(mp_init(&s)); - MP_CHECKOK(s_mp_mul_mont(a, b, &s, (mp_mont_modulus *)meth->extra1)); - MP_CHECKOK(mp_copy(&s, r)); - mp_clear(&s); - } else { - return s_mp_mul_mont(a, b, r, (mp_mont_modulus *)meth->extra1); - } -#endif -CLEANUP: - return res; -} - -/* Field squaring using Montgomery reduction. */ -mp_err -ec_GFp_sqr_mont(const mp_int *a, mp_int *r, const GFMethod *meth) -{ - return ec_GFp_mul_mont(a, a, r, meth); -} - -/* Field division using Montgomery reduction. */ -mp_err -ec_GFp_div_mont(const mp_int *a, const mp_int *b, mp_int *r, - const GFMethod *meth) -{ - mp_err res = MP_OKAY; - - /* if A=aZ represents a encoded in montgomery coordinates with Z and # - * and \ respectively represent multiplication and division in - * montgomery coordinates, then A\B = (a/b)Z = (A/B)Z and Binv = - * (1/b)Z = (1/B)(Z^2) where B # Binv = Z */ - MP_CHECKOK(ec_GFp_div(a, b, r, meth)); - MP_CHECKOK(ec_GFp_enc_mont(r, r, meth)); - if (a == NULL) { - MP_CHECKOK(ec_GFp_enc_mont(r, r, meth)); - } -CLEANUP: - return res; -} - -/* Encode a field element in Montgomery form. See s_mp_to_mont in - * mpi/mpmontg.c */ -mp_err -ec_GFp_enc_mont(const mp_int *a, mp_int *r, const GFMethod *meth) -{ - mp_mont_modulus *mmm; - mp_err res = MP_OKAY; - - mmm = (mp_mont_modulus *)meth->extra1; - MP_CHECKOK(mp_copy(a, r)); - MP_CHECKOK(s_mp_lshd(r, MP_USED(&mmm->N))); - MP_CHECKOK(mp_mod(r, &mmm->N, r)); -CLEANUP: - return res; -} - -/* Decode a field element from Montgomery form. */ -mp_err -ec_GFp_dec_mont(const mp_int *a, mp_int *r, const GFMethod *meth) -{ - mp_err res = MP_OKAY; - - if (a != r) { - MP_CHECKOK(mp_copy(a, r)); - } - MP_CHECKOK(s_mp_redc(r, (mp_mont_modulus *)meth->extra1)); -CLEANUP: - return res; -} - -/* Free the memory allocated to the extra fields of Montgomery GFMethod - * object. */ -void -ec_GFp_extra_free_mont(GFMethod *meth) -{ - if (meth->extra1 != NULL) { - free(meth->extra1); - meth->extra1 = NULL; - } -} diff --git a/nss/lib/freebl/ecl/ecp_secp256r1.c b/nss/lib/freebl/ecl/ecp_secp256r1.c index 044f6a7..90e1975 100644 --- a/nss/lib/freebl/ecl/ecp_secp256r1.c +++ b/nss/lib/freebl/ecl/ecp_secp256r1.c @@ -153,30 +153,45 @@ ec_secp256r1_pt_mul(SECItem *X, SECItem *k, SECItem *P) */ SECStatus -ec_secp256r1_sign_digest(ECPrivateKey *key, SECItem *signature, +ec_secp256r1_sign_digest(ECPrivateKey *ecPrivKey, SECItem *signature, const SECItem *digest, const unsigned char *kb, const unsigned int kblen) { SECStatus res = SECSuccess; - if (!key || !signature || !digest || !kb || - !key->privateValue.data || + if (!ecPrivKey || !signature || !digest || !kb || + !ecPrivKey->privateValue.data || !signature->data || !digest->data || - key->ecParams.name != ECCurve_NIST_P256) { + ecPrivKey->ecParams.name != ECCurve_NIST_P256) { PORT_SetError(SEC_ERROR_INVALID_ARGS); res = SECFailure; return res; } - if (key->privateValue.len != 32 || - kblen == 0 || - digest->len == 0 || - signature->len < 64) { + if (kblen == 0 || digest->len == 0 || signature->len < 64) { PORT_SetError(SEC_ERROR_INPUT_LEN); res = SECFailure; return res; } + // Private keys should be 32 bytes, but some software trims leading zeros, + // and some software produces 33 byte keys with a leading zero. We'll + // accept these variants. + uint8_t padded_key_data[32] = { 0 }; + uint8_t *key; + SECItem *privKey = &ecPrivKey->privateValue; + if (privKey->len == 32) { + key = privKey->data; + } else if (privKey->len == 33 && privKey->data[0] == 0) { + key = privKey->data + 1; + } else if (privKey->len < 32) { + memcpy(padded_key_data + 32 - privKey->len, privKey->data, privKey->len); + key = padded_key_data; + } else { + PORT_SetError(SEC_ERROR_INPUT_LEN); + return SECFailure; + } + uint8_t hash[32] = { 0 }; if (digest->len < 32) { memcpy(hash + 32 - digest->len, digest->data, digest->len); @@ -192,8 +207,7 @@ ec_secp256r1_sign_digest(ECPrivateKey *key, SECItem *signature, } bool b = Hacl_P256_ecdsa_sign_p256_without_hash( - signature->data, 32, hash, - key->privateValue.data, nonce); + signature->data, 32, hash, key, nonce); if (!b) { PORT_SetError(SEC_ERROR_BAD_KEY); res = SECFailure; @@ -214,6 +228,9 @@ ec_secp256r1_verify_digest(ECPublicKey *key, const SECItem *signature, { SECStatus res = SECSuccess; + unsigned char _padded_sig_data[64] = { 0 }; + unsigned char *sig_r, *sig_s; + if (!key || !signature || !digest || !key->publicValue.data || !signature->data || !digest->data || @@ -223,9 +240,10 @@ ec_secp256r1_verify_digest(ECPublicKey *key, const SECItem *signature, return res; } - if (key->publicValue.len != 65 || - digest->len == 0 || - signature->len != 64) { + unsigned int olen = key->ecParams.order.len; + if (signature->len == 0 || signature->len % 2 != 0 || + signature->len > 2 * olen || + digest->len == 0 || key->publicValue.len != 65) { PORT_SetError(SEC_ERROR_INPUT_LEN); res = SECFailure; return res; @@ -237,6 +255,24 @@ ec_secp256r1_verify_digest(ECPublicKey *key, const SECItem *signature, return res; } + /* P-256 signature has to be 64 bytes long, pad it with 0s if it isn't */ + if (signature->len != 64) { + unsigned split = signature->len / 2; + unsigned pad = 32 - split; + + unsigned char *o_sig = signature->data; + unsigned char *p_sig = _padded_sig_data; + + memcpy(p_sig + pad, o_sig, split); + memcpy(p_sig + 32 + pad, o_sig + split, split); + + sig_r = p_sig; + sig_s = p_sig + 32; + } else { + sig_r = signature->data; + sig_s = signature->data + 32; + } + uint8_t hash[32] = { 0 }; if (digest->len < 32) { memcpy(hash + 32 - digest->len, digest->data, digest->len); @@ -247,7 +283,7 @@ ec_secp256r1_verify_digest(ECPublicKey *key, const SECItem *signature, bool b = Hacl_P256_ecdsa_verif_without_hash( 32, hash, key->publicValue.data + 1, - signature->data, signature->data + 32); + sig_r, sig_s); if (!b) { PORT_SetError(SEC_ERROR_BAD_SIGNATURE); res = SECFailure; diff --git a/nss/lib/freebl/ecl/ecp_secp384r1.c b/nss/lib/freebl/ecl/ecp_secp384r1.c index 1359036..e617cec 100644 --- a/nss/lib/freebl/ecl/ecp_secp384r1.c +++ b/nss/lib/freebl/ecl/ecp_secp384r1.c @@ -1,20411 +1,287 @@ -/* Autogenerated: ECCKiila https://gitlab.com/nisec/ecckiila */ -/*- - * MIT License - * - - * Copyright (c) 2020 Luis Rivera-Zamarripa, Jesús-Javier Chi-Domínguez, Billy Bob Brumley - * - - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - - * The above copyright notice and this permission notice shall be included in all - * copies or substantial portions of the Software. - * - - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE - * SOFTWARE. - */ -#if defined(__SIZEOF_INT128__) && !defined(PEDANTIC) - -#include "ecp_secp384r1.h" -#include <stdint.h> -#include <string.h> -#define LIMB_BITS 64 -#define LIMB_CNT 6 -/* Field elements */ -typedef uint64_t fe_t[LIMB_CNT]; -typedef uint64_t limb_t; - -#define fe_copy(d, s) memcpy(d, s, sizeof(fe_t)) -#define fe_set_zero(d) memset(d, 0, sizeof(fe_t)) - -/* Projective points */ -typedef struct { - fe_t X; - fe_t Y; - fe_t Z; -} pt_prj_t; - -/* Affine points */ -typedef struct { - fe_t X; - fe_t Y; -} pt_aff_t; - -/* BEGIN verbatim fiat code https://github.com/mit-plv/fiat-crypto */ -/*- - * MIT License - * - * Copyright (c) 2015-2021 the fiat-crypto authors (see the AUTHORS file). - * https://github.com/mit-plv/fiat-crypto/blob/master/AUTHORS - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE - * SOFTWARE. - */ - -/* Autogenerated: word_by_word_montgomery --static --use-value-barrier secp384r1 64 '2^384 - 2^128 - 2^96 + 2^32 - 1' */ -/* curve description: secp384r1 */ -/* machine_wordsize = 64 (from "64") */ -/* requested operations: (all) */ -/* m = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff (from "2^384 - 2^128 - 2^96 + 2^32 - 1") */ -/* */ -/* NOTE: In addition to the bounds specified above each function, all */ -/* functions synthesized for this Montgomery arithmetic require the */ -/* input to be strictly less than the prime modulus (m), and also */ -/* require the input to be in the unique saturated representation. */ -/* All functions also ensure that these two properties are true of */ -/* return values. */ -/* */ -/* Computed values: */ -/* eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) */ -/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) */ -/* twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) in */ -/* if x1 & (2^384-1) < 2^383 then x1 & (2^384-1) else (x1 & (2^384-1)) - 2^384 */ - -#include <stdint.h> -typedef unsigned char fiat_secp384r1_uint1; -typedef signed char fiat_secp384r1_int1; -#ifdef __GNUC__ -#define FIAT_SECP384R1_FIAT_EXTENSION __extension__ -#define FIAT_SECP384R1_FIAT_INLINE __inline__ -#else -#define FIAT_SECP384R1_FIAT_EXTENSION -#define FIAT_SECP384R1_FIAT_INLINE -#endif - -FIAT_SECP384R1_FIAT_EXTENSION typedef signed __int128 fiat_secp384r1_int128; -FIAT_SECP384R1_FIAT_EXTENSION typedef unsigned __int128 fiat_secp384r1_uint128; - -/* The type fiat_secp384r1_montgomery_domain_field_element is a field element in the Montgomery domain. */ -/* Bounds: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] */ -typedef uint64_t fiat_secp384r1_montgomery_domain_field_element[6]; +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ -/* The type fiat_secp384r1_non_montgomery_domain_field_element is a field element NOT in the Montgomery domain. */ -/* Bounds: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] */ -typedef uint64_t fiat_secp384r1_non_montgomery_domain_field_element[6]; - -#if (-1 & 3) != 3 -#error "This code only works on a two's complement system" +#ifdef FREEBL_NO_DEPEND +#include "../stubs.h" #endif -#if !defined(FIAT_SECP384R1_NO_ASM) && (defined(__GNUC__) || defined(__clang__)) -static __inline__ uint64_t -fiat_secp384r1_value_barrier_u64(uint64_t a) -{ - __asm__("" - : "+r"(a) - : /* no inputs */); - return a; -} -#else -#define fiat_secp384r1_value_barrier_u64(x) (x) -#endif +#include "ecl-priv.h" +#include "secitem.h" +#include "secerr.h" +#include "secmpi.h" +#include "../verified/Hacl_P384.h" /* - * The function fiat_secp384r1_addcarryx_u64 is an addition with carry. - * - * Postconditions: - * out1 = (arg1 + arg2 + arg3) mod 2^64 - * out2 = ⌊(arg1 + arg2 + arg3) / 2^64⌋ - * - * Input Bounds: - * arg1: [0x0 ~> 0x1] - * arg2: [0x0 ~> 0xffffffffffffffff] - * arg3: [0x0 ~> 0xffffffffffffffff] - * Output Bounds: - * out1: [0x0 ~> 0xffffffffffffffff] - * out2: [0x0 ~> 0x1] + * Point Validation for P-384. */ -static void -fiat_secp384r1_addcarryx_u64(uint64_t *out1, - fiat_secp384r1_uint1 *out2, - fiat_secp384r1_uint1 arg1, - uint64_t arg2, uint64_t arg3) -{ - fiat_secp384r1_uint128 x1; - uint64_t x2; - fiat_secp384r1_uint1 x3; - x1 = ((arg1 + (fiat_secp384r1_uint128)arg2) + arg3); - x2 = (uint64_t)(x1 & UINT64_C(0xffffffffffffffff)); - x3 = (fiat_secp384r1_uint1)(x1 >> 64); - *out1 = x2; - *out2 = x3; -} -/* - * The function fiat_secp384r1_subborrowx_u64 is a subtraction with borrow. - * - * Postconditions: - * out1 = (-arg1 + arg2 + -arg3) mod 2^64 - * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^64⌋ - * - * Input Bounds: - * arg1: [0x0 ~> 0x1] - * arg2: [0x0 ~> 0xffffffffffffffff] - * arg3: [0x0 ~> 0xffffffffffffffff] - * Output Bounds: - * out1: [0x0 ~> 0xffffffffffffffff] - * out2: [0x0 ~> 0x1] - */ -static void -fiat_secp384r1_subborrowx_u64(uint64_t *out1, - fiat_secp384r1_uint1 *out2, - fiat_secp384r1_uint1 arg1, - uint64_t arg2, uint64_t arg3) +SECStatus +ec_secp384r1_pt_validate(const SECItem *pt) { - fiat_secp384r1_int128 x1; - fiat_secp384r1_int1 x2; - uint64_t x3; - x1 = ((arg2 - (fiat_secp384r1_int128)arg1) - arg3); - x2 = (fiat_secp384r1_int1)(x1 >> 64); - x3 = (uint64_t)(x1 & UINT64_C(0xffffffffffffffff)); - *out1 = x3; - *out2 = (fiat_secp384r1_uint1)(0x0 - x2); -} - -/* - * The function fiat_secp384r1_mulx_u64 is a multiplication, returning the full double-width result. - * - * Postconditions: - * out1 = (arg1 * arg2) mod 2^64 - * out2 = ⌊arg1 * arg2 / 2^64⌋ - * - * Input Bounds: - * arg1: [0x0 ~> 0xffffffffffffffff] - * arg2: [0x0 ~> 0xffffffffffffffff] - * Output Bounds: - * out1: [0x0 ~> 0xffffffffffffffff] - * out2: [0x0 ~> 0xffffffffffffffff] - */ -static void -fiat_secp384r1_mulx_u64(uint64_t *out1, uint64_t *out2, - uint64_t arg1, uint64_t arg2) -{ - fiat_secp384r1_uint128 x1; - uint64_t x2; - uint64_t x3; - x1 = ((fiat_secp384r1_uint128)arg1 * arg2); - x2 = (uint64_t)(x1 & UINT64_C(0xffffffffffffffff)); - x3 = (uint64_t)(x1 >> 64); - *out1 = x2; - *out2 = x3; -} - -/* - * The function fiat_secp384r1_cmovznz_u64 is a single-word conditional move. - * - * Postconditions: - * out1 = (if arg1 = 0 then arg2 else arg3) - * - * Input Bounds: - * arg1: [0x0 ~> 0x1] - * arg2: [0x0 ~> 0xffffffffffffffff] - * arg3: [0x0 ~> 0xffffffffffffffff] - * Output Bounds: - * out1: [0x0 ~> 0xffffffffffffffff] - */ -static void -fiat_secp384r1_cmovznz_u64(uint64_t *out1, - fiat_secp384r1_uint1 arg1, uint64_t arg2, - uint64_t arg3) -{ - fiat_secp384r1_uint1 x1; - uint64_t x2; - uint64_t x3; - x1 = (!(!arg1)); - x2 = ((fiat_secp384r1_int1)(0x0 - x1) & UINT64_C(0xffffffffffffffff)); - x3 = ((fiat_secp384r1_value_barrier_u64(x2) & arg3) | - (fiat_secp384r1_value_barrier_u64((~x2)) & arg2)); - *out1 = x3; -} - -/* - * The function fiat_secp384r1_mul multiplies two field elements in the Montgomery domain. - * - * Preconditions: - * 0 ≤ eval arg1 < m - * 0 ≤ eval arg2 < m - * Postconditions: - * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m - * 0 ≤ eval out1 < m - * - */ -static void -fiat_secp384r1_mul( - fiat_secp384r1_montgomery_domain_field_element out1, - const fiat_secp384r1_montgomery_domain_field_element arg1, - const fiat_secp384r1_montgomery_domain_field_element arg2) -{ - uint64_t x1; - uint64_t x2; - uint64_t x3; - uint64_t x4; - uint64_t x5; - uint64_t x6; - uint64_t x7; - uint64_t x8; - uint64_t x9; - uint64_t x10; - uint64_t x11; - uint64_t x12; - uint64_t x13; - uint64_t x14; - uint64_t x15; - uint64_t x16; - uint64_t x17; - uint64_t x18; - uint64_t x19; - fiat_secp384r1_uint1 x20; - uint64_t x21; - fiat_secp384r1_uint1 x22; - uint64_t x23; - fiat_secp384r1_uint1 x24; - uint64_t x25; - fiat_secp384r1_uint1 x26; - uint64_t x27; - fiat_secp384r1_uint1 x28; - uint64_t x29; - uint64_t x30; - uint64_t x31; - uint64_t x32; - uint64_t x33; - uint64_t x34; - uint64_t x35; - uint64_t x36; - uint64_t x37; - uint64_t x38; - uint64_t x39; - uint64_t x40; - uint64_t x41; - uint64_t x42; - uint64_t x43; - uint64_t x44; - fiat_secp384r1_uint1 x45; - uint64_t x46; - fiat_secp384r1_uint1 x47; - uint64_t x48; - fiat_secp384r1_uint1 x49; - uint64_t x50; - fiat_secp384r1_uint1 x51; - uint64_t x52; - fiat_secp384r1_uint1 x53; - uint64_t x54; - uint64_t x55; - fiat_secp384r1_uint1 x56; - uint64_t x57; - fiat_secp384r1_uint1 x58; - uint64_t x59; - fiat_secp384r1_uint1 x60; - uint64_t x61; - fiat_secp384r1_uint1 x62; - uint64_t x63; - fiat_secp384r1_uint1 x64; - uint64_t x65; - fiat_secp384r1_uint1 x66; - uint64_t x67; - fiat_secp384r1_uint1 x68; - uint64_t x69; - uint64_t x70; - uint64_t x71; - uint64_t x72; - uint64_t x73; - uint64_t x74; - uint64_t x75; - uint64_t x76; - uint64_t x77; - uint64_t x78; - uint64_t x79; - uint64_t x80; - uint64_t x81; - fiat_secp384r1_uint1 x82; - uint64_t x83; - fiat_secp384r1_uint1 x84; - uint64_t x85; - fiat_secp384r1_uint1 x86; - uint64_t x87; - fiat_secp384r1_uint1 x88; - uint64_t x89; - fiat_secp384r1_uint1 x90; - uint64_t x91; - uint64_t x92; - fiat_secp384r1_uint1 x93; - uint64_t x94; - fiat_secp384r1_uint1 x95; - uint64_t x96; - fiat_secp384r1_uint1 x97; - uint64_t x98; - fiat_secp384r1_uint1 x99; - uint64_t x100; - fiat_secp384r1_uint1 x101; - uint64_t x102; - fiat_secp384r1_uint1 x103; - uint64_t x104; - fiat_secp384r1_uint1 x105; - uint64_t x106; - uint64_t x107; - uint64_t x108; - uint64_t x109; - uint64_t x110; - uint64_t x111; - uint64_t x112; - uint64_t x113; - uint64_t x114; - uint64_t x115; - uint64_t x116; - uint64_t x117; - uint64_t x118; - uint64_t x119; - uint64_t x120; - fiat_secp384r1_uint1 x121; - uint64_t x122; - fiat_secp384r1_uint1 x123; - uint64_t x124; - fiat_secp384r1_uint1 x125; - uint64_t x126; - fiat_secp384r1_uint1 x127; - uint64_t x128; - fiat_secp384r1_uint1 x129; - uint64_t x130; - uint64_t x131; - fiat_secp384r1_uint1 x132; - uint64_t x133; - fiat_secp384r1_uint1 x134; - uint64_t x135; - fiat_secp384r1_uint1 x136; - uint64_t x137; - fiat_secp384r1_uint1 x138; - uint64_t x139; - fiat_secp384r1_uint1 x140; - uint64_t x141; - fiat_secp384r1_uint1 x142; - uint64_t x143; - fiat_secp384r1_uint1 x144; - uint64_t x145; - uint64_t x146; - uint64_t x147; - uint64_t x148; - uint64_t x149; - uint64_t x150; - uint64_t x151; - uint64_t x152; - uint64_t x153; - uint64_t x154; - uint64_t x155; - uint64_t x156; - uint64_t x157; - uint64_t x158; - fiat_secp384r1_uint1 x159; - uint64_t x160; - fiat_secp384r1_uint1 x161; - uint64_t x162; - fiat_secp384r1_uint1 x163; - uint64_t x164; - fiat_secp384r1_uint1 x165; - uint64_t x166; - fiat_secp384r1_uint1 x167; - uint64_t x168; - uint64_t x169; - fiat_secp384r1_uint1 x170; - uint64_t x171; - fiat_secp384r1_uint1 x172; - uint64_t x173; - fiat_secp384r1_uint1 x174; - uint64_t x175; - fiat_secp384r1_uint1 x176; - uint64_t x177; - fiat_secp384r1_uint1 x178; - uint64_t x179; - fiat_secp384r1_uint1 x180; - uint64_t x181; - fiat_secp384r1_uint1 x182; - uint64_t x183; - uint64_t x184; - uint64_t x185; - uint64_t x186; - uint64_t x187; - uint64_t x188; - uint64_t x189; - uint64_t x190; - uint64_t x191; - uint64_t x192; - uint64_t x193; - uint64_t x194; - uint64_t x195; - uint64_t x196; - uint64_t x197; - fiat_secp384r1_uint1 x198; - uint64_t x199; - fiat_secp384r1_uint1 x200; - uint64_t x201; - fiat_secp384r1_uint1 x202; - uint64_t x203; - fiat_secp384r1_uint1 x204; - uint64_t x205; - fiat_secp384r1_uint1 x206; - uint64_t x207; - uint64_t x208; - fiat_secp384r1_uint1 x209; - uint64_t x210; - fiat_secp384r1_uint1 x211; - uint64_t x212; - fiat_secp384r1_uint1 x213; - uint64_t x214; - fiat_secp384r1_uint1 x215; - uint64_t x216; - fiat_secp384r1_uint1 x217; - uint64_t x218; - fiat_secp384r1_uint1 x219; - uint64_t x220; - fiat_secp384r1_uint1 x221; - uint64_t x222; - uint64_t x223; - uint64_t x224; - uint64_t x225; - uint64_t x226; - uint64_t x227; - uint64_t x228; - uint64_t x229; - uint64_t x230; - uint64_t x231; - uint64_t x232; - uint64_t x233; - uint64_t x234; - uint64_t x235; - fiat_secp384r1_uint1 x236; - uint64_t x237; - fiat_secp384r1_uint1 x238; - uint64_t x239; - fiat_secp384r1_uint1 x240; - uint64_t x241; - fiat_secp384r1_uint1 x242; - uint64_t x243; - fiat_secp384r1_uint1 x244; - uint64_t x245; - uint64_t x246; - fiat_secp384r1_uint1 x247; - uint64_t x248; - fiat_secp384r1_uint1 x249; - uint64_t x250; - fiat_secp384r1_uint1 x251; - uint64_t x252; - fiat_secp384r1_uint1 x253; - uint64_t x254; - fiat_secp384r1_uint1 x255; - uint64_t x256; - fiat_secp384r1_uint1 x257; - uint64_t x258; - fiat_secp384r1_uint1 x259; - uint64_t x260; - uint64_t x261; - uint64_t x262; - uint64_t x263; - uint64_t x264; - uint64_t x265; - uint64_t x266; - uint64_t x267; - uint64_t x268; - uint64_t x269; - uint64_t x270; - uint64_t x271; - uint64_t x272; - uint64_t x273; - uint64_t x274; - fiat_secp384r1_uint1 x275; - uint64_t x276; - fiat_secp384r1_uint1 x277; - uint64_t x278; - fiat_secp384r1_uint1 x279; - uint64_t x280; - fiat_secp384r1_uint1 x281; - uint64_t x282; - fiat_secp384r1_uint1 x283; - uint64_t x284; - uint64_t x285; - fiat_secp384r1_uint1 x286; - uint64_t x287; - fiat_secp384r1_uint1 x288; - uint64_t x289; - fiat_secp384r1_uint1 x290; - uint64_t x291; - fiat_secp384r1_uint1 x292; - uint64_t x293; - fiat_secp384r1_uint1 x294; - uint64_t x295; - fiat_secp384r1_uint1 x296; - uint64_t x297; - fiat_secp384r1_uint1 x298; - uint64_t x299; - uint64_t x300; - uint64_t x301; - uint64_t x302; - uint64_t x303; - uint64_t x304; - uint64_t x305; - uint64_t x306; - uint64_t x307; - uint64_t x308; - uint64_t x309; - uint64_t x310; - uint64_t x311; - uint64_t x312; - fiat_secp384r1_uint1 x313; - uint64_t x314; - fiat_secp384r1_uint1 x315; - uint64_t x316; - fiat_secp384r1_uint1 x317; - uint64_t x318; - fiat_secp384r1_uint1 x319; - uint64_t x320; - fiat_secp384r1_uint1 x321; - uint64_t x322; - uint64_t x323; - fiat_secp384r1_uint1 x324; - uint64_t x325; - fiat_secp384r1_uint1 x326; - uint64_t x327; - fiat_secp384r1_uint1 x328; - uint64_t x329; - fiat_secp384r1_uint1 x330; - uint64_t x331; - fiat_secp384r1_uint1 x332; - uint64_t x333; - fiat_secp384r1_uint1 x334; - uint64_t x335; - fiat_secp384r1_uint1 x336; - uint64_t x337; - uint64_t x338; - uint64_t x339; - uint64_t x340; - uint64_t x341; - uint64_t x342; - uint64_t x343; - uint64_t x344; - uint64_t x345; - uint64_t x346; - uint64_t x347; - uint64_t x348; - uint64_t x349; - uint64_t x350; - uint64_t x351; - fiat_secp384r1_uint1 x352; - uint64_t x353; - fiat_secp384r1_uint1 x354; - uint64_t x355; - fiat_secp384r1_uint1 x356; - uint64_t x357; - fiat_secp384r1_uint1 x358; - uint64_t x359; - fiat_secp384r1_uint1 x360; - uint64_t x361; - uint64_t x362; - fiat_secp384r1_uint1 x363; - uint64_t x364; - fiat_secp384r1_uint1 x365; - uint64_t x366; - fiat_secp384r1_uint1 x367; - uint64_t x368; - fiat_secp384r1_uint1 x369; - uint64_t x370; - fiat_secp384r1_uint1 x371; - uint64_t x372; - fiat_secp384r1_uint1 x373; - uint64_t x374; - fiat_secp384r1_uint1 x375; - uint64_t x376; - uint64_t x377; - uint64_t x378; - uint64_t x379; - uint64_t x380; - uint64_t x381; - uint64_t x382; - uint64_t x383; - uint64_t x384; - uint64_t x385; - uint64_t x386; - uint64_t x387; - uint64_t x388; - uint64_t x389; - fiat_secp384r1_uint1 x390; - uint64_t x391; - fiat_secp384r1_uint1 x392; - uint64_t x393; - fiat_secp384r1_uint1 x394; - uint64_t x395; - fiat_secp384r1_uint1 x396; - uint64_t x397; - fiat_secp384r1_uint1 x398; - uint64_t x399; - uint64_t x400; - fiat_secp384r1_uint1 x401; - uint64_t x402; - fiat_secp384r1_uint1 x403; - uint64_t x404; - fiat_secp384r1_uint1 x405; - uint64_t x406; - fiat_secp384r1_uint1 x407; - uint64_t x408; - fiat_secp384r1_uint1 x409; - uint64_t x410; - fiat_secp384r1_uint1 x411; - uint64_t x412; - fiat_secp384r1_uint1 x413; - uint64_t x414; - uint64_t x415; - uint64_t x416; - uint64_t x417; - uint64_t x418; - uint64_t x419; - uint64_t x420; - uint64_t x421; - uint64_t x422; - uint64_t x423; - uint64_t x424; - uint64_t x425; - uint64_t x426; - uint64_t x427; - uint64_t x428; - fiat_secp384r1_uint1 x429; - uint64_t x430; - fiat_secp384r1_uint1 x431; - uint64_t x432; - fiat_secp384r1_uint1 x433; - uint64_t x434; - fiat_secp384r1_uint1 x435; - uint64_t x436; - fiat_secp384r1_uint1 x437; - uint64_t x438; - uint64_t x439; - fiat_secp384r1_uint1 x440; - uint64_t x441; - fiat_secp384r1_uint1 x442; - uint64_t x443; - fiat_secp384r1_uint1 x444; - uint64_t x445; - fiat_secp384r1_uint1 x446; - uint64_t x447; - fiat_secp384r1_uint1 x448; - uint64_t x449; - fiat_secp384r1_uint1 x450; - uint64_t x451; - fiat_secp384r1_uint1 x452; - uint64_t x453; - uint64_t x454; - fiat_secp384r1_uint1 x455; - uint64_t x456; - fiat_secp384r1_uint1 x457; - uint64_t x458; - fiat_secp384r1_uint1 x459; - uint64_t x460; - fiat_secp384r1_uint1 x461; - uint64_t x462; - fiat_secp384r1_uint1 x463; - uint64_t x464; - fiat_secp384r1_uint1 x465; - uint64_t x466; - fiat_secp384r1_uint1 x467; - uint64_t x468; - uint64_t x469; - uint64_t x470; - uint64_t x471; - uint64_t x472; - uint64_t x473; - x1 = (arg1[1]); - x2 = (arg1[2]); - x3 = (arg1[3]); - x4 = (arg1[4]); - x5 = (arg1[5]); - x6 = (arg1[0]); - fiat_secp384r1_mulx_u64(&x7, &x8, x6, (arg2[5])); - fiat_secp384r1_mulx_u64(&x9, &x10, x6, (arg2[4])); - fiat_secp384r1_mulx_u64(&x11, &x12, x6, (arg2[3])); - fiat_secp384r1_mulx_u64(&x13, &x14, x6, (arg2[2])); - fiat_secp384r1_mulx_u64(&x15, &x16, x6, (arg2[1])); - fiat_secp384r1_mulx_u64(&x17, &x18, x6, (arg2[0])); - fiat_secp384r1_addcarryx_u64(&x19, &x20, 0x0, x18, x15); - fiat_secp384r1_addcarryx_u64(&x21, &x22, x20, x16, x13); - fiat_secp384r1_addcarryx_u64(&x23, &x24, x22, x14, x11); - fiat_secp384r1_addcarryx_u64(&x25, &x26, x24, x12, x9); - fiat_secp384r1_addcarryx_u64(&x27, &x28, x26, x10, x7); - x29 = (x28 + x8); - fiat_secp384r1_mulx_u64(&x30, &x31, x17, UINT64_C(0x100000001)); - fiat_secp384r1_mulx_u64(&x32, &x33, x30, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x34, &x35, x30, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x36, &x37, x30, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x38, &x39, x30, UINT64_C(0xfffffffffffffffe)); - fiat_secp384r1_mulx_u64(&x40, &x41, x30, UINT64_C(0xffffffff00000000)); - fiat_secp384r1_mulx_u64(&x42, &x43, x30, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u64(&x44, &x45, 0x0, x43, x40); - fiat_secp384r1_addcarryx_u64(&x46, &x47, x45, x41, x38); - fiat_secp384r1_addcarryx_u64(&x48, &x49, x47, x39, x36); - fiat_secp384r1_addcarryx_u64(&x50, &x51, x49, x37, x34); - fiat_secp384r1_addcarryx_u64(&x52, &x53, x51, x35, x32); - x54 = (x53 + x33); - fiat_secp384r1_addcarryx_u64(&x55, &x56, 0x0, x17, x42); - fiat_secp384r1_addcarryx_u64(&x57, &x58, x56, x19, x44); - fiat_secp384r1_addcarryx_u64(&x59, &x60, x58, x21, x46); - fiat_secp384r1_addcarryx_u64(&x61, &x62, x60, x23, x48); - fiat_secp384r1_addcarryx_u64(&x63, &x64, x62, x25, x50); - fiat_secp384r1_addcarryx_u64(&x65, &x66, x64, x27, x52); - fiat_secp384r1_addcarryx_u64(&x67, &x68, x66, x29, x54); - fiat_secp384r1_mulx_u64(&x69, &x70, x1, (arg2[5])); - fiat_secp384r1_mulx_u64(&x71, &x72, x1, (arg2[4])); - fiat_secp384r1_mulx_u64(&x73, &x74, x1, (arg2[3])); - fiat_secp384r1_mulx_u64(&x75, &x76, x1, (arg2[2])); - fiat_secp384r1_mulx_u64(&x77, &x78, x1, (arg2[1])); - fiat_secp384r1_mulx_u64(&x79, &x80, x1, (arg2[0])); - fiat_secp384r1_addcarryx_u64(&x81, &x82, 0x0, x80, x77); - fiat_secp384r1_addcarryx_u64(&x83, &x84, x82, x78, x75); - fiat_secp384r1_addcarryx_u64(&x85, &x86, x84, x76, x73); - fiat_secp384r1_addcarryx_u64(&x87, &x88, x86, x74, x71); - fiat_secp384r1_addcarryx_u64(&x89, &x90, x88, x72, x69); - x91 = (x90 + x70); - fiat_secp384r1_addcarryx_u64(&x92, &x93, 0x0, x57, x79); - fiat_secp384r1_addcarryx_u64(&x94, &x95, x93, x59, x81); - fiat_secp384r1_addcarryx_u64(&x96, &x97, x95, x61, x83); - fiat_secp384r1_addcarryx_u64(&x98, &x99, x97, x63, x85); - fiat_secp384r1_addcarryx_u64(&x100, &x101, x99, x65, x87); - fiat_secp384r1_addcarryx_u64(&x102, &x103, x101, x67, x89); - fiat_secp384r1_addcarryx_u64(&x104, &x105, x103, x68, x91); - fiat_secp384r1_mulx_u64(&x106, &x107, x92, UINT64_C(0x100000001)); - fiat_secp384r1_mulx_u64(&x108, &x109, x106, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x110, &x111, x106, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x112, &x113, x106, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x114, &x115, x106, UINT64_C(0xfffffffffffffffe)); - fiat_secp384r1_mulx_u64(&x116, &x117, x106, UINT64_C(0xffffffff00000000)); - fiat_secp384r1_mulx_u64(&x118, &x119, x106, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u64(&x120, &x121, 0x0, x119, x116); - fiat_secp384r1_addcarryx_u64(&x122, &x123, x121, x117, x114); - fiat_secp384r1_addcarryx_u64(&x124, &x125, x123, x115, x112); - fiat_secp384r1_addcarryx_u64(&x126, &x127, x125, x113, x110); - fiat_secp384r1_addcarryx_u64(&x128, &x129, x127, x111, x108); - x130 = (x129 + x109); - fiat_secp384r1_addcarryx_u64(&x131, &x132, 0x0, x92, x118); - fiat_secp384r1_addcarryx_u64(&x133, &x134, x132, x94, x120); - fiat_secp384r1_addcarryx_u64(&x135, &x136, x134, x96, x122); - fiat_secp384r1_addcarryx_u64(&x137, &x138, x136, x98, x124); - fiat_secp384r1_addcarryx_u64(&x139, &x140, x138, x100, x126); - fiat_secp384r1_addcarryx_u64(&x141, &x142, x140, x102, x128); - fiat_secp384r1_addcarryx_u64(&x143, &x144, x142, x104, x130); - x145 = ((uint64_t)x144 + x105); - fiat_secp384r1_mulx_u64(&x146, &x147, x2, (arg2[5])); - fiat_secp384r1_mulx_u64(&x148, &x149, x2, (arg2[4])); - fiat_secp384r1_mulx_u64(&x150, &x151, x2, (arg2[3])); - fiat_secp384r1_mulx_u64(&x152, &x153, x2, (arg2[2])); - fiat_secp384r1_mulx_u64(&x154, &x155, x2, (arg2[1])); - fiat_secp384r1_mulx_u64(&x156, &x157, x2, (arg2[0])); - fiat_secp384r1_addcarryx_u64(&x158, &x159, 0x0, x157, x154); - fiat_secp384r1_addcarryx_u64(&x160, &x161, x159, x155, x152); - fiat_secp384r1_addcarryx_u64(&x162, &x163, x161, x153, x150); - fiat_secp384r1_addcarryx_u64(&x164, &x165, x163, x151, x148); - fiat_secp384r1_addcarryx_u64(&x166, &x167, x165, x149, x146); - x168 = (x167 + x147); - fiat_secp384r1_addcarryx_u64(&x169, &x170, 0x0, x133, x156); - fiat_secp384r1_addcarryx_u64(&x171, &x172, x170, x135, x158); - fiat_secp384r1_addcarryx_u64(&x173, &x174, x172, x137, x160); - fiat_secp384r1_addcarryx_u64(&x175, &x176, x174, x139, x162); - fiat_secp384r1_addcarryx_u64(&x177, &x178, x176, x141, x164); - fiat_secp384r1_addcarryx_u64(&x179, &x180, x178, x143, x166); - fiat_secp384r1_addcarryx_u64(&x181, &x182, x180, x145, x168); - fiat_secp384r1_mulx_u64(&x183, &x184, x169, UINT64_C(0x100000001)); - fiat_secp384r1_mulx_u64(&x185, &x186, x183, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x187, &x188, x183, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x189, &x190, x183, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x191, &x192, x183, UINT64_C(0xfffffffffffffffe)); - fiat_secp384r1_mulx_u64(&x193, &x194, x183, UINT64_C(0xffffffff00000000)); - fiat_secp384r1_mulx_u64(&x195, &x196, x183, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u64(&x197, &x198, 0x0, x196, x193); - fiat_secp384r1_addcarryx_u64(&x199, &x200, x198, x194, x191); - fiat_secp384r1_addcarryx_u64(&x201, &x202, x200, x192, x189); - fiat_secp384r1_addcarryx_u64(&x203, &x204, x202, x190, x187); - fiat_secp384r1_addcarryx_u64(&x205, &x206, x204, x188, x185); - x207 = (x206 + x186); - fiat_secp384r1_addcarryx_u64(&x208, &x209, 0x0, x169, x195); - fiat_secp384r1_addcarryx_u64(&x210, &x211, x209, x171, x197); - fiat_secp384r1_addcarryx_u64(&x212, &x213, x211, x173, x199); - fiat_secp384r1_addcarryx_u64(&x214, &x215, x213, x175, x201); - fiat_secp384r1_addcarryx_u64(&x216, &x217, x215, x177, x203); - fiat_secp384r1_addcarryx_u64(&x218, &x219, x217, x179, x205); - fiat_secp384r1_addcarryx_u64(&x220, &x221, x219, x181, x207); - x222 = ((uint64_t)x221 + x182); - fiat_secp384r1_mulx_u64(&x223, &x224, x3, (arg2[5])); - fiat_secp384r1_mulx_u64(&x225, &x226, x3, (arg2[4])); - fiat_secp384r1_mulx_u64(&x227, &x228, x3, (arg2[3])); - fiat_secp384r1_mulx_u64(&x229, &x230, x3, (arg2[2])); - fiat_secp384r1_mulx_u64(&x231, &x232, x3, (arg2[1])); - fiat_secp384r1_mulx_u64(&x233, &x234, x3, (arg2[0])); - fiat_secp384r1_addcarryx_u64(&x235, &x236, 0x0, x234, x231); - fiat_secp384r1_addcarryx_u64(&x237, &x238, x236, x232, x229); - fiat_secp384r1_addcarryx_u64(&x239, &x240, x238, x230, x227); - fiat_secp384r1_addcarryx_u64(&x241, &x242, x240, x228, x225); - fiat_secp384r1_addcarryx_u64(&x243, &x244, x242, x226, x223); - x245 = (x244 + x224); - fiat_secp384r1_addcarryx_u64(&x246, &x247, 0x0, x210, x233); - fiat_secp384r1_addcarryx_u64(&x248, &x249, x247, x212, x235); - fiat_secp384r1_addcarryx_u64(&x250, &x251, x249, x214, x237); - fiat_secp384r1_addcarryx_u64(&x252, &x253, x251, x216, x239); - fiat_secp384r1_addcarryx_u64(&x254, &x255, x253, x218, x241); - fiat_secp384r1_addcarryx_u64(&x256, &x257, x255, x220, x243); - fiat_secp384r1_addcarryx_u64(&x258, &x259, x257, x222, x245); - fiat_secp384r1_mulx_u64(&x260, &x261, x246, UINT64_C(0x100000001)); - fiat_secp384r1_mulx_u64(&x262, &x263, x260, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x264, &x265, x260, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x266, &x267, x260, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x268, &x269, x260, UINT64_C(0xfffffffffffffffe)); - fiat_secp384r1_mulx_u64(&x270, &x271, x260, UINT64_C(0xffffffff00000000)); - fiat_secp384r1_mulx_u64(&x272, &x273, x260, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u64(&x274, &x275, 0x0, x273, x270); - fiat_secp384r1_addcarryx_u64(&x276, &x277, x275, x271, x268); - fiat_secp384r1_addcarryx_u64(&x278, &x279, x277, x269, x266); - fiat_secp384r1_addcarryx_u64(&x280, &x281, x279, x267, x264); - fiat_secp384r1_addcarryx_u64(&x282, &x283, x281, x265, x262); - x284 = (x283 + x263); - fiat_secp384r1_addcarryx_u64(&x285, &x286, 0x0, x246, x272); - fiat_secp384r1_addcarryx_u64(&x287, &x288, x286, x248, x274); - fiat_secp384r1_addcarryx_u64(&x289, &x290, x288, x250, x276); - fiat_secp384r1_addcarryx_u64(&x291, &x292, x290, x252, x278); - fiat_secp384r1_addcarryx_u64(&x293, &x294, x292, x254, x280); - fiat_secp384r1_addcarryx_u64(&x295, &x296, x294, x256, x282); - fiat_secp384r1_addcarryx_u64(&x297, &x298, x296, x258, x284); - x299 = ((uint64_t)x298 + x259); - fiat_secp384r1_mulx_u64(&x300, &x301, x4, (arg2[5])); - fiat_secp384r1_mulx_u64(&x302, &x303, x4, (arg2[4])); - fiat_secp384r1_mulx_u64(&x304, &x305, x4, (arg2[3])); - fiat_secp384r1_mulx_u64(&x306, &x307, x4, (arg2[2])); - fiat_secp384r1_mulx_u64(&x308, &x309, x4, (arg2[1])); - fiat_secp384r1_mulx_u64(&x310, &x311, x4, (arg2[0])); - fiat_secp384r1_addcarryx_u64(&x312, &x313, 0x0, x311, x308); - fiat_secp384r1_addcarryx_u64(&x314, &x315, x313, x309, x306); - fiat_secp384r1_addcarryx_u64(&x316, &x317, x315, x307, x304); - fiat_secp384r1_addcarryx_u64(&x318, &x319, x317, x305, x302); - fiat_secp384r1_addcarryx_u64(&x320, &x321, x319, x303, x300); - x322 = (x321 + x301); - fiat_secp384r1_addcarryx_u64(&x323, &x324, 0x0, x287, x310); - fiat_secp384r1_addcarryx_u64(&x325, &x326, x324, x289, x312); - fiat_secp384r1_addcarryx_u64(&x327, &x328, x326, x291, x314); - fiat_secp384r1_addcarryx_u64(&x329, &x330, x328, x293, x316); - fiat_secp384r1_addcarryx_u64(&x331, &x332, x330, x295, x318); - fiat_secp384r1_addcarryx_u64(&x333, &x334, x332, x297, x320); - fiat_secp384r1_addcarryx_u64(&x335, &x336, x334, x299, x322); - fiat_secp384r1_mulx_u64(&x337, &x338, x323, UINT64_C(0x100000001)); - fiat_secp384r1_mulx_u64(&x339, &x340, x337, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x341, &x342, x337, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x343, &x344, x337, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x345, &x346, x337, UINT64_C(0xfffffffffffffffe)); - fiat_secp384r1_mulx_u64(&x347, &x348, x337, UINT64_C(0xffffffff00000000)); - fiat_secp384r1_mulx_u64(&x349, &x350, x337, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u64(&x351, &x352, 0x0, x350, x347); - fiat_secp384r1_addcarryx_u64(&x353, &x354, x352, x348, x345); - fiat_secp384r1_addcarryx_u64(&x355, &x356, x354, x346, x343); - fiat_secp384r1_addcarryx_u64(&x357, &x358, x356, x344, x341); - fiat_secp384r1_addcarryx_u64(&x359, &x360, x358, x342, x339); - x361 = (x360 + x340); - fiat_secp384r1_addcarryx_u64(&x362, &x363, 0x0, x323, x349); - fiat_secp384r1_addcarryx_u64(&x364, &x365, x363, x325, x351); - fiat_secp384r1_addcarryx_u64(&x366, &x367, x365, x327, x353); - fiat_secp384r1_addcarryx_u64(&x368, &x369, x367, x329, x355); - fiat_secp384r1_addcarryx_u64(&x370, &x371, x369, x331, x357); - fiat_secp384r1_addcarryx_u64(&x372, &x373, x371, x333, x359); - fiat_secp384r1_addcarryx_u64(&x374, &x375, x373, x335, x361); - x376 = ((uint64_t)x375 + x336); - fiat_secp384r1_mulx_u64(&x377, &x378, x5, (arg2[5])); - fiat_secp384r1_mulx_u64(&x379, &x380, x5, (arg2[4])); - fiat_secp384r1_mulx_u64(&x381, &x382, x5, (arg2[3])); - fiat_secp384r1_mulx_u64(&x383, &x384, x5, (arg2[2])); - fiat_secp384r1_mulx_u64(&x385, &x386, x5, (arg2[1])); - fiat_secp384r1_mulx_u64(&x387, &x388, x5, (arg2[0])); - fiat_secp384r1_addcarryx_u64(&x389, &x390, 0x0, x388, x385); - fiat_secp384r1_addcarryx_u64(&x391, &x392, x390, x386, x383); - fiat_secp384r1_addcarryx_u64(&x393, &x394, x392, x384, x381); - fiat_secp384r1_addcarryx_u64(&x395, &x396, x394, x382, x379); - fiat_secp384r1_addcarryx_u64(&x397, &x398, x396, x380, x377); - x399 = (x398 + x378); - fiat_secp384r1_addcarryx_u64(&x400, &x401, 0x0, x364, x387); - fiat_secp384r1_addcarryx_u64(&x402, &x403, x401, x366, x389); - fiat_secp384r1_addcarryx_u64(&x404, &x405, x403, x368, x391); - fiat_secp384r1_addcarryx_u64(&x406, &x407, x405, x370, x393); - fiat_secp384r1_addcarryx_u64(&x408, &x409, x407, x372, x395); - fiat_secp384r1_addcarryx_u64(&x410, &x411, x409, x374, x397); - fiat_secp384r1_addcarryx_u64(&x412, &x413, x411, x376, x399); - fiat_secp384r1_mulx_u64(&x414, &x415, x400, UINT64_C(0x100000001)); - fiat_secp384r1_mulx_u64(&x416, &x417, x414, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x418, &x419, x414, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x420, &x421, x414, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x422, &x423, x414, UINT64_C(0xfffffffffffffffe)); - fiat_secp384r1_mulx_u64(&x424, &x425, x414, UINT64_C(0xffffffff00000000)); - fiat_secp384r1_mulx_u64(&x426, &x427, x414, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u64(&x428, &x429, 0x0, x427, x424); - fiat_secp384r1_addcarryx_u64(&x430, &x431, x429, x425, x422); - fiat_secp384r1_addcarryx_u64(&x432, &x433, x431, x423, x420); - fiat_secp384r1_addcarryx_u64(&x434, &x435, x433, x421, x418); - fiat_secp384r1_addcarryx_u64(&x436, &x437, x435, x419, x416); - x438 = (x437 + x417); - fiat_secp384r1_addcarryx_u64(&x439, &x440, 0x0, x400, x426); - fiat_secp384r1_addcarryx_u64(&x441, &x442, x440, x402, x428); - fiat_secp384r1_addcarryx_u64(&x443, &x444, x442, x404, x430); - fiat_secp384r1_addcarryx_u64(&x445, &x446, x444, x406, x432); - fiat_secp384r1_addcarryx_u64(&x447, &x448, x446, x408, x434); - fiat_secp384r1_addcarryx_u64(&x449, &x450, x448, x410, x436); - fiat_secp384r1_addcarryx_u64(&x451, &x452, x450, x412, x438); - x453 = ((uint64_t)x452 + x413); - fiat_secp384r1_subborrowx_u64(&x454, &x455, 0x0, x441, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u64(&x456, &x457, x455, x443, - UINT64_C(0xffffffff00000000)); - fiat_secp384r1_subborrowx_u64(&x458, &x459, x457, x445, - UINT64_C(0xfffffffffffffffe)); - fiat_secp384r1_subborrowx_u64(&x460, &x461, x459, x447, - UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_subborrowx_u64(&x462, &x463, x461, x449, - UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_subborrowx_u64(&x464, &x465, x463, x451, - UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_subborrowx_u64(&x466, &x467, x465, x453, 0x0); - fiat_secp384r1_cmovznz_u64(&x468, x467, x454, x441); - fiat_secp384r1_cmovznz_u64(&x469, x467, x456, x443); - fiat_secp384r1_cmovznz_u64(&x470, x467, x458, x445); - fiat_secp384r1_cmovznz_u64(&x471, x467, x460, x447); - fiat_secp384r1_cmovznz_u64(&x472, x467, x462, x449); - fiat_secp384r1_cmovznz_u64(&x473, x467, x464, x451); - out1[0] = x468; - out1[1] = x469; - out1[2] = x470; - out1[3] = x471; - out1[4] = x472; - out1[5] = x473; -} - -/* - * The function fiat_secp384r1_square squares a field element in the Montgomery domain. - * - * Preconditions: - * 0 ≤ eval arg1 < m - * Postconditions: - * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg1)) mod m - * 0 ≤ eval out1 < m - * - */ -static void -fiat_secp384r1_square( - fiat_secp384r1_montgomery_domain_field_element out1, - const fiat_secp384r1_montgomery_domain_field_element arg1) -{ - uint64_t x1; - uint64_t x2; - uint64_t x3; - uint64_t x4; - uint64_t x5; - uint64_t x6; - uint64_t x7; - uint64_t x8; - uint64_t x9; - uint64_t x10; - uint64_t x11; - uint64_t x12; - uint64_t x13; - uint64_t x14; - uint64_t x15; - uint64_t x16; - uint64_t x17; - uint64_t x18; - uint64_t x19; - fiat_secp384r1_uint1 x20; - uint64_t x21; - fiat_secp384r1_uint1 x22; - uint64_t x23; - fiat_secp384r1_uint1 x24; - uint64_t x25; - fiat_secp384r1_uint1 x26; - uint64_t x27; - fiat_secp384r1_uint1 x28; - uint64_t x29; - uint64_t x30; - uint64_t x31; - uint64_t x32; - uint64_t x33; - uint64_t x34; - uint64_t x35; - uint64_t x36; - uint64_t x37; - uint64_t x38; - uint64_t x39; - uint64_t x40; - uint64_t x41; - uint64_t x42; - uint64_t x43; - uint64_t x44; - fiat_secp384r1_uint1 x45; - uint64_t x46; - fiat_secp384r1_uint1 x47; - uint64_t x48; - fiat_secp384r1_uint1 x49; - uint64_t x50; - fiat_secp384r1_uint1 x51; - uint64_t x52; - fiat_secp384r1_uint1 x53; - uint64_t x54; - uint64_t x55; - fiat_secp384r1_uint1 x56; - uint64_t x57; - fiat_secp384r1_uint1 x58; - uint64_t x59; - fiat_secp384r1_uint1 x60; - uint64_t x61; - fiat_secp384r1_uint1 x62; - uint64_t x63; - fiat_secp384r1_uint1 x64; - uint64_t x65; - fiat_secp384r1_uint1 x66; - uint64_t x67; - fiat_secp384r1_uint1 x68; - uint64_t x69; - uint64_t x70; - uint64_t x71; - uint64_t x72; - uint64_t x73; - uint64_t x74; - uint64_t x75; - uint64_t x76; - uint64_t x77; - uint64_t x78; - uint64_t x79; - uint64_t x80; - uint64_t x81; - fiat_secp384r1_uint1 x82; - uint64_t x83; - fiat_secp384r1_uint1 x84; - uint64_t x85; - fiat_secp384r1_uint1 x86; - uint64_t x87; - fiat_secp384r1_uint1 x88; - uint64_t x89; - fiat_secp384r1_uint1 x90; - uint64_t x91; - uint64_t x92; - fiat_secp384r1_uint1 x93; - uint64_t x94; - fiat_secp384r1_uint1 x95; - uint64_t x96; - fiat_secp384r1_uint1 x97; - uint64_t x98; - fiat_secp384r1_uint1 x99; - uint64_t x100; - fiat_secp384r1_uint1 x101; - uint64_t x102; - fiat_secp384r1_uint1 x103; - uint64_t x104; - fiat_secp384r1_uint1 x105; - uint64_t x106; - uint64_t x107; - uint64_t x108; - uint64_t x109; - uint64_t x110; - uint64_t x111; - uint64_t x112; - uint64_t x113; - uint64_t x114; - uint64_t x115; - uint64_t x116; - uint64_t x117; - uint64_t x118; - uint64_t x119; - uint64_t x120; - fiat_secp384r1_uint1 x121; - uint64_t x122; - fiat_secp384r1_uint1 x123; - uint64_t x124; - fiat_secp384r1_uint1 x125; - uint64_t x126; - fiat_secp384r1_uint1 x127; - uint64_t x128; - fiat_secp384r1_uint1 x129; - uint64_t x130; - uint64_t x131; - fiat_secp384r1_uint1 x132; - uint64_t x133; - fiat_secp384r1_uint1 x134; - uint64_t x135; - fiat_secp384r1_uint1 x136; - uint64_t x137; - fiat_secp384r1_uint1 x138; - uint64_t x139; - fiat_secp384r1_uint1 x140; - uint64_t x141; - fiat_secp384r1_uint1 x142; - uint64_t x143; - fiat_secp384r1_uint1 x144; - uint64_t x145; - uint64_t x146; - uint64_t x147; - uint64_t x148; - uint64_t x149; - uint64_t x150; - uint64_t x151; - uint64_t x152; - uint64_t x153; - uint64_t x154; - uint64_t x155; - uint64_t x156; - uint64_t x157; - uint64_t x158; - fiat_secp384r1_uint1 x159; - uint64_t x160; - fiat_secp384r1_uint1 x161; - uint64_t x162; - fiat_secp384r1_uint1 x163; - uint64_t x164; - fiat_secp384r1_uint1 x165; - uint64_t x166; - fiat_secp384r1_uint1 x167; - uint64_t x168; - uint64_t x169; - fiat_secp384r1_uint1 x170; - uint64_t x171; - fiat_secp384r1_uint1 x172; - uint64_t x173; - fiat_secp384r1_uint1 x174; - uint64_t x175; - fiat_secp384r1_uint1 x176; - uint64_t x177; - fiat_secp384r1_uint1 x178; - uint64_t x179; - fiat_secp384r1_uint1 x180; - uint64_t x181; - fiat_secp384r1_uint1 x182; - uint64_t x183; - uint64_t x184; - uint64_t x185; - uint64_t x186; - uint64_t x187; - uint64_t x188; - uint64_t x189; - uint64_t x190; - uint64_t x191; - uint64_t x192; - uint64_t x193; - uint64_t x194; - uint64_t x195; - uint64_t x196; - uint64_t x197; - fiat_secp384r1_uint1 x198; - uint64_t x199; - fiat_secp384r1_uint1 x200; - uint64_t x201; - fiat_secp384r1_uint1 x202; - uint64_t x203; - fiat_secp384r1_uint1 x204; - uint64_t x205; - fiat_secp384r1_uint1 x206; - uint64_t x207; - uint64_t x208; - fiat_secp384r1_uint1 x209; - uint64_t x210; - fiat_secp384r1_uint1 x211; - uint64_t x212; - fiat_secp384r1_uint1 x213; - uint64_t x214; - fiat_secp384r1_uint1 x215; - uint64_t x216; - fiat_secp384r1_uint1 x217; - uint64_t x218; - fiat_secp384r1_uint1 x219; - uint64_t x220; - fiat_secp384r1_uint1 x221; - uint64_t x222; - uint64_t x223; - uint64_t x224; - uint64_t x225; - uint64_t x226; - uint64_t x227; - uint64_t x228; - uint64_t x229; - uint64_t x230; - uint64_t x231; - uint64_t x232; - uint64_t x233; - uint64_t x234; - uint64_t x235; - fiat_secp384r1_uint1 x236; - uint64_t x237; - fiat_secp384r1_uint1 x238; - uint64_t x239; - fiat_secp384r1_uint1 x240; - uint64_t x241; - fiat_secp384r1_uint1 x242; - uint64_t x243; - fiat_secp384r1_uint1 x244; - uint64_t x245; - uint64_t x246; - fiat_secp384r1_uint1 x247; - uint64_t x248; - fiat_secp384r1_uint1 x249; - uint64_t x250; - fiat_secp384r1_uint1 x251; - uint64_t x252; - fiat_secp384r1_uint1 x253; - uint64_t x254; - fiat_secp384r1_uint1 x255; - uint64_t x256; - fiat_secp384r1_uint1 x257; - uint64_t x258; - fiat_secp384r1_uint1 x259; - uint64_t x260; - uint64_t x261; - uint64_t x262; - uint64_t x263; - uint64_t x264; - uint64_t x265; - uint64_t x266; - uint64_t x267; - uint64_t x268; - uint64_t x269; - uint64_t x270; - uint64_t x271; - uint64_t x272; - uint64_t x273; - uint64_t x274; - fiat_secp384r1_uint1 x275; - uint64_t x276; - fiat_secp384r1_uint1 x277; - uint64_t x278; - fiat_secp384r1_uint1 x279; - uint64_t x280; - fiat_secp384r1_uint1 x281; - uint64_t x282; - fiat_secp384r1_uint1 x283; - uint64_t x284; - uint64_t x285; - fiat_secp384r1_uint1 x286; - uint64_t x287; - fiat_secp384r1_uint1 x288; - uint64_t x289; - fiat_secp384r1_uint1 x290; - uint64_t x291; - fiat_secp384r1_uint1 x292; - uint64_t x293; - fiat_secp384r1_uint1 x294; - uint64_t x295; - fiat_secp384r1_uint1 x296; - uint64_t x297; - fiat_secp384r1_uint1 x298; - uint64_t x299; - uint64_t x300; - uint64_t x301; - uint64_t x302; - uint64_t x303; - uint64_t x304; - uint64_t x305; - uint64_t x306; - uint64_t x307; - uint64_t x308; - uint64_t x309; - uint64_t x310; - uint64_t x311; - uint64_t x312; - fiat_secp384r1_uint1 x313; - uint64_t x314; - fiat_secp384r1_uint1 x315; - uint64_t x316; - fiat_secp384r1_uint1 x317; - uint64_t x318; - fiat_secp384r1_uint1 x319; - uint64_t x320; - fiat_secp384r1_uint1 x321; - uint64_t x322; - uint64_t x323; - fiat_secp384r1_uint1 x324; - uint64_t x325; - fiat_secp384r1_uint1 x326; - uint64_t x327; - fiat_secp384r1_uint1 x328; - uint64_t x329; - fiat_secp384r1_uint1 x330; - uint64_t x331; - fiat_secp384r1_uint1 x332; - uint64_t x333; - fiat_secp384r1_uint1 x334; - uint64_t x335; - fiat_secp384r1_uint1 x336; - uint64_t x337; - uint64_t x338; - uint64_t x339; - uint64_t x340; - uint64_t x341; - uint64_t x342; - uint64_t x343; - uint64_t x344; - uint64_t x345; - uint64_t x346; - uint64_t x347; - uint64_t x348; - uint64_t x349; - uint64_t x350; - uint64_t x351; - fiat_secp384r1_uint1 x352; - uint64_t x353; - fiat_secp384r1_uint1 x354; - uint64_t x355; - fiat_secp384r1_uint1 x356; - uint64_t x357; - fiat_secp384r1_uint1 x358; - uint64_t x359; - fiat_secp384r1_uint1 x360; - uint64_t x361; - uint64_t x362; - fiat_secp384r1_uint1 x363; - uint64_t x364; - fiat_secp384r1_uint1 x365; - uint64_t x366; - fiat_secp384r1_uint1 x367; - uint64_t x368; - fiat_secp384r1_uint1 x369; - uint64_t x370; - fiat_secp384r1_uint1 x371; - uint64_t x372; - fiat_secp384r1_uint1 x373; - uint64_t x374; - fiat_secp384r1_uint1 x375; - uint64_t x376; - uint64_t x377; - uint64_t x378; - uint64_t x379; - uint64_t x380; - uint64_t x381; - uint64_t x382; - uint64_t x383; - uint64_t x384; - uint64_t x385; - uint64_t x386; - uint64_t x387; - uint64_t x388; - uint64_t x389; - fiat_secp384r1_uint1 x390; - uint64_t x391; - fiat_secp384r1_uint1 x392; - uint64_t x393; - fiat_secp384r1_uint1 x394; - uint64_t x395; - fiat_secp384r1_uint1 x396; - uint64_t x397; - fiat_secp384r1_uint1 x398; - uint64_t x399; - uint64_t x400; - fiat_secp384r1_uint1 x401; - uint64_t x402; - fiat_secp384r1_uint1 x403; - uint64_t x404; - fiat_secp384r1_uint1 x405; - uint64_t x406; - fiat_secp384r1_uint1 x407; - uint64_t x408; - fiat_secp384r1_uint1 x409; - uint64_t x410; - fiat_secp384r1_uint1 x411; - uint64_t x412; - fiat_secp384r1_uint1 x413; - uint64_t x414; - uint64_t x415; - uint64_t x416; - uint64_t x417; - uint64_t x418; - uint64_t x419; - uint64_t x420; - uint64_t x421; - uint64_t x422; - uint64_t x423; - uint64_t x424; - uint64_t x425; - uint64_t x426; - uint64_t x427; - uint64_t x428; - fiat_secp384r1_uint1 x429; - uint64_t x430; - fiat_secp384r1_uint1 x431; - uint64_t x432; - fiat_secp384r1_uint1 x433; - uint64_t x434; - fiat_secp384r1_uint1 x435; - uint64_t x436; - fiat_secp384r1_uint1 x437; - uint64_t x438; - uint64_t x439; - fiat_secp384r1_uint1 x440; - uint64_t x441; - fiat_secp384r1_uint1 x442; - uint64_t x443; - fiat_secp384r1_uint1 x444; - uint64_t x445; - fiat_secp384r1_uint1 x446; - uint64_t x447; - fiat_secp384r1_uint1 x448; - uint64_t x449; - fiat_secp384r1_uint1 x450; - uint64_t x451; - fiat_secp384r1_uint1 x452; - uint64_t x453; - uint64_t x454; - fiat_secp384r1_uint1 x455; - uint64_t x456; - fiat_secp384r1_uint1 x457; - uint64_t x458; - fiat_secp384r1_uint1 x459; - uint64_t x460; - fiat_secp384r1_uint1 x461; - uint64_t x462; - fiat_secp384r1_uint1 x463; - uint64_t x464; - fiat_secp384r1_uint1 x465; - uint64_t x466; - fiat_secp384r1_uint1 x467; - uint64_t x468; - uint64_t x469; - uint64_t x470; - uint64_t x471; - uint64_t x472; - uint64_t x473; - x1 = (arg1[1]); - x2 = (arg1[2]); - x3 = (arg1[3]); - x4 = (arg1[4]); - x5 = (arg1[5]); - x6 = (arg1[0]); - fiat_secp384r1_mulx_u64(&x7, &x8, x6, (arg1[5])); - fiat_secp384r1_mulx_u64(&x9, &x10, x6, (arg1[4])); - fiat_secp384r1_mulx_u64(&x11, &x12, x6, (arg1[3])); - fiat_secp384r1_mulx_u64(&x13, &x14, x6, (arg1[2])); - fiat_secp384r1_mulx_u64(&x15, &x16, x6, (arg1[1])); - fiat_secp384r1_mulx_u64(&x17, &x18, x6, (arg1[0])); - fiat_secp384r1_addcarryx_u64(&x19, &x20, 0x0, x18, x15); - fiat_secp384r1_addcarryx_u64(&x21, &x22, x20, x16, x13); - fiat_secp384r1_addcarryx_u64(&x23, &x24, x22, x14, x11); - fiat_secp384r1_addcarryx_u64(&x25, &x26, x24, x12, x9); - fiat_secp384r1_addcarryx_u64(&x27, &x28, x26, x10, x7); - x29 = (x28 + x8); - fiat_secp384r1_mulx_u64(&x30, &x31, x17, UINT64_C(0x100000001)); - fiat_secp384r1_mulx_u64(&x32, &x33, x30, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x34, &x35, x30, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x36, &x37, x30, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x38, &x39, x30, UINT64_C(0xfffffffffffffffe)); - fiat_secp384r1_mulx_u64(&x40, &x41, x30, UINT64_C(0xffffffff00000000)); - fiat_secp384r1_mulx_u64(&x42, &x43, x30, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u64(&x44, &x45, 0x0, x43, x40); - fiat_secp384r1_addcarryx_u64(&x46, &x47, x45, x41, x38); - fiat_secp384r1_addcarryx_u64(&x48, &x49, x47, x39, x36); - fiat_secp384r1_addcarryx_u64(&x50, &x51, x49, x37, x34); - fiat_secp384r1_addcarryx_u64(&x52, &x53, x51, x35, x32); - x54 = (x53 + x33); - fiat_secp384r1_addcarryx_u64(&x55, &x56, 0x0, x17, x42); - fiat_secp384r1_addcarryx_u64(&x57, &x58, x56, x19, x44); - fiat_secp384r1_addcarryx_u64(&x59, &x60, x58, x21, x46); - fiat_secp384r1_addcarryx_u64(&x61, &x62, x60, x23, x48); - fiat_secp384r1_addcarryx_u64(&x63, &x64, x62, x25, x50); - fiat_secp384r1_addcarryx_u64(&x65, &x66, x64, x27, x52); - fiat_secp384r1_addcarryx_u64(&x67, &x68, x66, x29, x54); - fiat_secp384r1_mulx_u64(&x69, &x70, x1, (arg1[5])); - fiat_secp384r1_mulx_u64(&x71, &x72, x1, (arg1[4])); - fiat_secp384r1_mulx_u64(&x73, &x74, x1, (arg1[3])); - fiat_secp384r1_mulx_u64(&x75, &x76, x1, (arg1[2])); - fiat_secp384r1_mulx_u64(&x77, &x78, x1, (arg1[1])); - fiat_secp384r1_mulx_u64(&x79, &x80, x1, (arg1[0])); - fiat_secp384r1_addcarryx_u64(&x81, &x82, 0x0, x80, x77); - fiat_secp384r1_addcarryx_u64(&x83, &x84, x82, x78, x75); - fiat_secp384r1_addcarryx_u64(&x85, &x86, x84, x76, x73); - fiat_secp384r1_addcarryx_u64(&x87, &x88, x86, x74, x71); - fiat_secp384r1_addcarryx_u64(&x89, &x90, x88, x72, x69); - x91 = (x90 + x70); - fiat_secp384r1_addcarryx_u64(&x92, &x93, 0x0, x57, x79); - fiat_secp384r1_addcarryx_u64(&x94, &x95, x93, x59, x81); - fiat_secp384r1_addcarryx_u64(&x96, &x97, x95, x61, x83); - fiat_secp384r1_addcarryx_u64(&x98, &x99, x97, x63, x85); - fiat_secp384r1_addcarryx_u64(&x100, &x101, x99, x65, x87); - fiat_secp384r1_addcarryx_u64(&x102, &x103, x101, x67, x89); - fiat_secp384r1_addcarryx_u64(&x104, &x105, x103, x68, x91); - fiat_secp384r1_mulx_u64(&x106, &x107, x92, UINT64_C(0x100000001)); - fiat_secp384r1_mulx_u64(&x108, &x109, x106, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x110, &x111, x106, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x112, &x113, x106, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x114, &x115, x106, UINT64_C(0xfffffffffffffffe)); - fiat_secp384r1_mulx_u64(&x116, &x117, x106, UINT64_C(0xffffffff00000000)); - fiat_secp384r1_mulx_u64(&x118, &x119, x106, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u64(&x120, &x121, 0x0, x119, x116); - fiat_secp384r1_addcarryx_u64(&x122, &x123, x121, x117, x114); - fiat_secp384r1_addcarryx_u64(&x124, &x125, x123, x115, x112); - fiat_secp384r1_addcarryx_u64(&x126, &x127, x125, x113, x110); - fiat_secp384r1_addcarryx_u64(&x128, &x129, x127, x111, x108); - x130 = (x129 + x109); - fiat_secp384r1_addcarryx_u64(&x131, &x132, 0x0, x92, x118); - fiat_secp384r1_addcarryx_u64(&x133, &x134, x132, x94, x120); - fiat_secp384r1_addcarryx_u64(&x135, &x136, x134, x96, x122); - fiat_secp384r1_addcarryx_u64(&x137, &x138, x136, x98, x124); - fiat_secp384r1_addcarryx_u64(&x139, &x140, x138, x100, x126); - fiat_secp384r1_addcarryx_u64(&x141, &x142, x140, x102, x128); - fiat_secp384r1_addcarryx_u64(&x143, &x144, x142, x104, x130); - x145 = ((uint64_t)x144 + x105); - fiat_secp384r1_mulx_u64(&x146, &x147, x2, (arg1[5])); - fiat_secp384r1_mulx_u64(&x148, &x149, x2, (arg1[4])); - fiat_secp384r1_mulx_u64(&x150, &x151, x2, (arg1[3])); - fiat_secp384r1_mulx_u64(&x152, &x153, x2, (arg1[2])); - fiat_secp384r1_mulx_u64(&x154, &x155, x2, (arg1[1])); - fiat_secp384r1_mulx_u64(&x156, &x157, x2, (arg1[0])); - fiat_secp384r1_addcarryx_u64(&x158, &x159, 0x0, x157, x154); - fiat_secp384r1_addcarryx_u64(&x160, &x161, x159, x155, x152); - fiat_secp384r1_addcarryx_u64(&x162, &x163, x161, x153, x150); - fiat_secp384r1_addcarryx_u64(&x164, &x165, x163, x151, x148); - fiat_secp384r1_addcarryx_u64(&x166, &x167, x165, x149, x146); - x168 = (x167 + x147); - fiat_secp384r1_addcarryx_u64(&x169, &x170, 0x0, x133, x156); - fiat_secp384r1_addcarryx_u64(&x171, &x172, x170, x135, x158); - fiat_secp384r1_addcarryx_u64(&x173, &x174, x172, x137, x160); - fiat_secp384r1_addcarryx_u64(&x175, &x176, x174, x139, x162); - fiat_secp384r1_addcarryx_u64(&x177, &x178, x176, x141, x164); - fiat_secp384r1_addcarryx_u64(&x179, &x180, x178, x143, x166); - fiat_secp384r1_addcarryx_u64(&x181, &x182, x180, x145, x168); - fiat_secp384r1_mulx_u64(&x183, &x184, x169, UINT64_C(0x100000001)); - fiat_secp384r1_mulx_u64(&x185, &x186, x183, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x187, &x188, x183, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x189, &x190, x183, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x191, &x192, x183, UINT64_C(0xfffffffffffffffe)); - fiat_secp384r1_mulx_u64(&x193, &x194, x183, UINT64_C(0xffffffff00000000)); - fiat_secp384r1_mulx_u64(&x195, &x196, x183, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u64(&x197, &x198, 0x0, x196, x193); - fiat_secp384r1_addcarryx_u64(&x199, &x200, x198, x194, x191); - fiat_secp384r1_addcarryx_u64(&x201, &x202, x200, x192, x189); - fiat_secp384r1_addcarryx_u64(&x203, &x204, x202, x190, x187); - fiat_secp384r1_addcarryx_u64(&x205, &x206, x204, x188, x185); - x207 = (x206 + x186); - fiat_secp384r1_addcarryx_u64(&x208, &x209, 0x0, x169, x195); - fiat_secp384r1_addcarryx_u64(&x210, &x211, x209, x171, x197); - fiat_secp384r1_addcarryx_u64(&x212, &x213, x211, x173, x199); - fiat_secp384r1_addcarryx_u64(&x214, &x215, x213, x175, x201); - fiat_secp384r1_addcarryx_u64(&x216, &x217, x215, x177, x203); - fiat_secp384r1_addcarryx_u64(&x218, &x219, x217, x179, x205); - fiat_secp384r1_addcarryx_u64(&x220, &x221, x219, x181, x207); - x222 = ((uint64_t)x221 + x182); - fiat_secp384r1_mulx_u64(&x223, &x224, x3, (arg1[5])); - fiat_secp384r1_mulx_u64(&x225, &x226, x3, (arg1[4])); - fiat_secp384r1_mulx_u64(&x227, &x228, x3, (arg1[3])); - fiat_secp384r1_mulx_u64(&x229, &x230, x3, (arg1[2])); - fiat_secp384r1_mulx_u64(&x231, &x232, x3, (arg1[1])); - fiat_secp384r1_mulx_u64(&x233, &x234, x3, (arg1[0])); - fiat_secp384r1_addcarryx_u64(&x235, &x236, 0x0, x234, x231); - fiat_secp384r1_addcarryx_u64(&x237, &x238, x236, x232, x229); - fiat_secp384r1_addcarryx_u64(&x239, &x240, x238, x230, x227); - fiat_secp384r1_addcarryx_u64(&x241, &x242, x240, x228, x225); - fiat_secp384r1_addcarryx_u64(&x243, &x244, x242, x226, x223); - x245 = (x244 + x224); - fiat_secp384r1_addcarryx_u64(&x246, &x247, 0x0, x210, x233); - fiat_secp384r1_addcarryx_u64(&x248, &x249, x247, x212, x235); - fiat_secp384r1_addcarryx_u64(&x250, &x251, x249, x214, x237); - fiat_secp384r1_addcarryx_u64(&x252, &x253, x251, x216, x239); - fiat_secp384r1_addcarryx_u64(&x254, &x255, x253, x218, x241); - fiat_secp384r1_addcarryx_u64(&x256, &x257, x255, x220, x243); - fiat_secp384r1_addcarryx_u64(&x258, &x259, x257, x222, x245); - fiat_secp384r1_mulx_u64(&x260, &x261, x246, UINT64_C(0x100000001)); - fiat_secp384r1_mulx_u64(&x262, &x263, x260, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x264, &x265, x260, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x266, &x267, x260, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x268, &x269, x260, UINT64_C(0xfffffffffffffffe)); - fiat_secp384r1_mulx_u64(&x270, &x271, x260, UINT64_C(0xffffffff00000000)); - fiat_secp384r1_mulx_u64(&x272, &x273, x260, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u64(&x274, &x275, 0x0, x273, x270); - fiat_secp384r1_addcarryx_u64(&x276, &x277, x275, x271, x268); - fiat_secp384r1_addcarryx_u64(&x278, &x279, x277, x269, x266); - fiat_secp384r1_addcarryx_u64(&x280, &x281, x279, x267, x264); - fiat_secp384r1_addcarryx_u64(&x282, &x283, x281, x265, x262); - x284 = (x283 + x263); - fiat_secp384r1_addcarryx_u64(&x285, &x286, 0x0, x246, x272); - fiat_secp384r1_addcarryx_u64(&x287, &x288, x286, x248, x274); - fiat_secp384r1_addcarryx_u64(&x289, &x290, x288, x250, x276); - fiat_secp384r1_addcarryx_u64(&x291, &x292, x290, x252, x278); - fiat_secp384r1_addcarryx_u64(&x293, &x294, x292, x254, x280); - fiat_secp384r1_addcarryx_u64(&x295, &x296, x294, x256, x282); - fiat_secp384r1_addcarryx_u64(&x297, &x298, x296, x258, x284); - x299 = ((uint64_t)x298 + x259); - fiat_secp384r1_mulx_u64(&x300, &x301, x4, (arg1[5])); - fiat_secp384r1_mulx_u64(&x302, &x303, x4, (arg1[4])); - fiat_secp384r1_mulx_u64(&x304, &x305, x4, (arg1[3])); - fiat_secp384r1_mulx_u64(&x306, &x307, x4, (arg1[2])); - fiat_secp384r1_mulx_u64(&x308, &x309, x4, (arg1[1])); - fiat_secp384r1_mulx_u64(&x310, &x311, x4, (arg1[0])); - fiat_secp384r1_addcarryx_u64(&x312, &x313, 0x0, x311, x308); - fiat_secp384r1_addcarryx_u64(&x314, &x315, x313, x309, x306); - fiat_secp384r1_addcarryx_u64(&x316, &x317, x315, x307, x304); - fiat_secp384r1_addcarryx_u64(&x318, &x319, x317, x305, x302); - fiat_secp384r1_addcarryx_u64(&x320, &x321, x319, x303, x300); - x322 = (x321 + x301); - fiat_secp384r1_addcarryx_u64(&x323, &x324, 0x0, x287, x310); - fiat_secp384r1_addcarryx_u64(&x325, &x326, x324, x289, x312); - fiat_secp384r1_addcarryx_u64(&x327, &x328, x326, x291, x314); - fiat_secp384r1_addcarryx_u64(&x329, &x330, x328, x293, x316); - fiat_secp384r1_addcarryx_u64(&x331, &x332, x330, x295, x318); - fiat_secp384r1_addcarryx_u64(&x333, &x334, x332, x297, x320); - fiat_secp384r1_addcarryx_u64(&x335, &x336, x334, x299, x322); - fiat_secp384r1_mulx_u64(&x337, &x338, x323, UINT64_C(0x100000001)); - fiat_secp384r1_mulx_u64(&x339, &x340, x337, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x341, &x342, x337, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x343, &x344, x337, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x345, &x346, x337, UINT64_C(0xfffffffffffffffe)); - fiat_secp384r1_mulx_u64(&x347, &x348, x337, UINT64_C(0xffffffff00000000)); - fiat_secp384r1_mulx_u64(&x349, &x350, x337, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u64(&x351, &x352, 0x0, x350, x347); - fiat_secp384r1_addcarryx_u64(&x353, &x354, x352, x348, x345); - fiat_secp384r1_addcarryx_u64(&x355, &x356, x354, x346, x343); - fiat_secp384r1_addcarryx_u64(&x357, &x358, x356, x344, x341); - fiat_secp384r1_addcarryx_u64(&x359, &x360, x358, x342, x339); - x361 = (x360 + x340); - fiat_secp384r1_addcarryx_u64(&x362, &x363, 0x0, x323, x349); - fiat_secp384r1_addcarryx_u64(&x364, &x365, x363, x325, x351); - fiat_secp384r1_addcarryx_u64(&x366, &x367, x365, x327, x353); - fiat_secp384r1_addcarryx_u64(&x368, &x369, x367, x329, x355); - fiat_secp384r1_addcarryx_u64(&x370, &x371, x369, x331, x357); - fiat_secp384r1_addcarryx_u64(&x372, &x373, x371, x333, x359); - fiat_secp384r1_addcarryx_u64(&x374, &x375, x373, x335, x361); - x376 = ((uint64_t)x375 + x336); - fiat_secp384r1_mulx_u64(&x377, &x378, x5, (arg1[5])); - fiat_secp384r1_mulx_u64(&x379, &x380, x5, (arg1[4])); - fiat_secp384r1_mulx_u64(&x381, &x382, x5, (arg1[3])); - fiat_secp384r1_mulx_u64(&x383, &x384, x5, (arg1[2])); - fiat_secp384r1_mulx_u64(&x385, &x386, x5, (arg1[1])); - fiat_secp384r1_mulx_u64(&x387, &x388, x5, (arg1[0])); - fiat_secp384r1_addcarryx_u64(&x389, &x390, 0x0, x388, x385); - fiat_secp384r1_addcarryx_u64(&x391, &x392, x390, x386, x383); - fiat_secp384r1_addcarryx_u64(&x393, &x394, x392, x384, x381); - fiat_secp384r1_addcarryx_u64(&x395, &x396, x394, x382, x379); - fiat_secp384r1_addcarryx_u64(&x397, &x398, x396, x380, x377); - x399 = (x398 + x378); - fiat_secp384r1_addcarryx_u64(&x400, &x401, 0x0, x364, x387); - fiat_secp384r1_addcarryx_u64(&x402, &x403, x401, x366, x389); - fiat_secp384r1_addcarryx_u64(&x404, &x405, x403, x368, x391); - fiat_secp384r1_addcarryx_u64(&x406, &x407, x405, x370, x393); - fiat_secp384r1_addcarryx_u64(&x408, &x409, x407, x372, x395); - fiat_secp384r1_addcarryx_u64(&x410, &x411, x409, x374, x397); - fiat_secp384r1_addcarryx_u64(&x412, &x413, x411, x376, x399); - fiat_secp384r1_mulx_u64(&x414, &x415, x400, UINT64_C(0x100000001)); - fiat_secp384r1_mulx_u64(&x416, &x417, x414, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x418, &x419, x414, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x420, &x421, x414, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x422, &x423, x414, UINT64_C(0xfffffffffffffffe)); - fiat_secp384r1_mulx_u64(&x424, &x425, x414, UINT64_C(0xffffffff00000000)); - fiat_secp384r1_mulx_u64(&x426, &x427, x414, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u64(&x428, &x429, 0x0, x427, x424); - fiat_secp384r1_addcarryx_u64(&x430, &x431, x429, x425, x422); - fiat_secp384r1_addcarryx_u64(&x432, &x433, x431, x423, x420); - fiat_secp384r1_addcarryx_u64(&x434, &x435, x433, x421, x418); - fiat_secp384r1_addcarryx_u64(&x436, &x437, x435, x419, x416); - x438 = (x437 + x417); - fiat_secp384r1_addcarryx_u64(&x439, &x440, 0x0, x400, x426); - fiat_secp384r1_addcarryx_u64(&x441, &x442, x440, x402, x428); - fiat_secp384r1_addcarryx_u64(&x443, &x444, x442, x404, x430); - fiat_secp384r1_addcarryx_u64(&x445, &x446, x444, x406, x432); - fiat_secp384r1_addcarryx_u64(&x447, &x448, x446, x408, x434); - fiat_secp384r1_addcarryx_u64(&x449, &x450, x448, x410, x436); - fiat_secp384r1_addcarryx_u64(&x451, &x452, x450, x412, x438); - x453 = ((uint64_t)x452 + x413); - fiat_secp384r1_subborrowx_u64(&x454, &x455, 0x0, x441, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u64(&x456, &x457, x455, x443, - UINT64_C(0xffffffff00000000)); - fiat_secp384r1_subborrowx_u64(&x458, &x459, x457, x445, - UINT64_C(0xfffffffffffffffe)); - fiat_secp384r1_subborrowx_u64(&x460, &x461, x459, x447, - UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_subborrowx_u64(&x462, &x463, x461, x449, - UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_subborrowx_u64(&x464, &x465, x463, x451, - UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_subborrowx_u64(&x466, &x467, x465, x453, 0x0); - fiat_secp384r1_cmovznz_u64(&x468, x467, x454, x441); - fiat_secp384r1_cmovznz_u64(&x469, x467, x456, x443); - fiat_secp384r1_cmovznz_u64(&x470, x467, x458, x445); - fiat_secp384r1_cmovznz_u64(&x471, x467, x460, x447); - fiat_secp384r1_cmovznz_u64(&x472, x467, x462, x449); - fiat_secp384r1_cmovznz_u64(&x473, x467, x464, x451); - out1[0] = x468; - out1[1] = x469; - out1[2] = x470; - out1[3] = x471; - out1[4] = x472; - out1[5] = x473; -} - -/* - * The function fiat_secp384r1_add adds two field elements in the Montgomery domain. - * - * Preconditions: - * 0 ≤ eval arg1 < m - * 0 ≤ eval arg2 < m - * Postconditions: - * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m - * 0 ≤ eval out1 < m - * - */ -static void -fiat_secp384r1_add( - fiat_secp384r1_montgomery_domain_field_element out1, - const fiat_secp384r1_montgomery_domain_field_element arg1, - const fiat_secp384r1_montgomery_domain_field_element arg2) -{ - uint64_t x1; - fiat_secp384r1_uint1 x2; - uint64_t x3; - fiat_secp384r1_uint1 x4; - uint64_t x5; - fiat_secp384r1_uint1 x6; - uint64_t x7; - fiat_secp384r1_uint1 x8; - uint64_t x9; - fiat_secp384r1_uint1 x10; - uint64_t x11; - fiat_secp384r1_uint1 x12; - uint64_t x13; - fiat_secp384r1_uint1 x14; - uint64_t x15; - fiat_secp384r1_uint1 x16; - uint64_t x17; - fiat_secp384r1_uint1 x18; - uint64_t x19; - fiat_secp384r1_uint1 x20; - uint64_t x21; - fiat_secp384r1_uint1 x22; - uint64_t x23; - fiat_secp384r1_uint1 x24; - uint64_t x25; - fiat_secp384r1_uint1 x26; - uint64_t x27; - uint64_t x28; - uint64_t x29; - uint64_t x30; - uint64_t x31; - uint64_t x32; - fiat_secp384r1_addcarryx_u64(&x1, &x2, 0x0, (arg1[0]), (arg2[0])); - fiat_secp384r1_addcarryx_u64(&x3, &x4, x2, (arg1[1]), (arg2[1])); - fiat_secp384r1_addcarryx_u64(&x5, &x6, x4, (arg1[2]), (arg2[2])); - fiat_secp384r1_addcarryx_u64(&x7, &x8, x6, (arg1[3]), (arg2[3])); - fiat_secp384r1_addcarryx_u64(&x9, &x10, x8, (arg1[4]), (arg2[4])); - fiat_secp384r1_addcarryx_u64(&x11, &x12, x10, (arg1[5]), (arg2[5])); - fiat_secp384r1_subborrowx_u64(&x13, &x14, 0x0, x1, UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u64(&x15, &x16, x14, x3, - UINT64_C(0xffffffff00000000)); - fiat_secp384r1_subborrowx_u64(&x17, &x18, x16, x5, - UINT64_C(0xfffffffffffffffe)); - fiat_secp384r1_subborrowx_u64(&x19, &x20, x18, x7, - UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_subborrowx_u64(&x21, &x22, x20, x9, - UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_subborrowx_u64(&x23, &x24, x22, x11, - UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_subborrowx_u64(&x25, &x26, x24, x12, 0x0); - fiat_secp384r1_cmovznz_u64(&x27, x26, x13, x1); - fiat_secp384r1_cmovznz_u64(&x28, x26, x15, x3); - fiat_secp384r1_cmovznz_u64(&x29, x26, x17, x5); - fiat_secp384r1_cmovznz_u64(&x30, x26, x19, x7); - fiat_secp384r1_cmovznz_u64(&x31, x26, x21, x9); - fiat_secp384r1_cmovznz_u64(&x32, x26, x23, x11); - out1[0] = x27; - out1[1] = x28; - out1[2] = x29; - out1[3] = x30; - out1[4] = x31; - out1[5] = x32; -} - -/* - * The function fiat_secp384r1_sub subtracts two field elements in the Montgomery domain. - * - * Preconditions: - * 0 ≤ eval arg1 < m - * 0 ≤ eval arg2 < m - * Postconditions: - * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m - * 0 ≤ eval out1 < m - * - */ -static void -fiat_secp384r1_sub( - fiat_secp384r1_montgomery_domain_field_element out1, - const fiat_secp384r1_montgomery_domain_field_element arg1, - const fiat_secp384r1_montgomery_domain_field_element arg2) -{ - uint64_t x1; - fiat_secp384r1_uint1 x2; - uint64_t x3; - fiat_secp384r1_uint1 x4; - uint64_t x5; - fiat_secp384r1_uint1 x6; - uint64_t x7; - fiat_secp384r1_uint1 x8; - uint64_t x9; - fiat_secp384r1_uint1 x10; - uint64_t x11; - fiat_secp384r1_uint1 x12; - uint64_t x13; - uint64_t x14; - fiat_secp384r1_uint1 x15; - uint64_t x16; - fiat_secp384r1_uint1 x17; - uint64_t x18; - fiat_secp384r1_uint1 x19; - uint64_t x20; - fiat_secp384r1_uint1 x21; - uint64_t x22; - fiat_secp384r1_uint1 x23; - uint64_t x24; - fiat_secp384r1_uint1 x25; - fiat_secp384r1_subborrowx_u64(&x1, &x2, 0x0, (arg1[0]), (arg2[0])); - fiat_secp384r1_subborrowx_u64(&x3, &x4, x2, (arg1[1]), (arg2[1])); - fiat_secp384r1_subborrowx_u64(&x5, &x6, x4, (arg1[2]), (arg2[2])); - fiat_secp384r1_subborrowx_u64(&x7, &x8, x6, (arg1[3]), (arg2[3])); - fiat_secp384r1_subborrowx_u64(&x9, &x10, x8, (arg1[4]), (arg2[4])); - fiat_secp384r1_subborrowx_u64(&x11, &x12, x10, (arg1[5]), (arg2[5])); - fiat_secp384r1_cmovznz_u64(&x13, x12, 0x0, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_addcarryx_u64(&x14, &x15, 0x0, x1, - (x13 & UINT32_C(0xffffffff))); - fiat_secp384r1_addcarryx_u64(&x16, &x17, x15, x3, - (x13 & UINT64_C(0xffffffff00000000))); - fiat_secp384r1_addcarryx_u64(&x18, &x19, x17, x5, - (x13 & UINT64_C(0xfffffffffffffffe))); - fiat_secp384r1_addcarryx_u64(&x20, &x21, x19, x7, x13); - fiat_secp384r1_addcarryx_u64(&x22, &x23, x21, x9, x13); - fiat_secp384r1_addcarryx_u64(&x24, &x25, x23, x11, x13); - out1[0] = x14; - out1[1] = x16; - out1[2] = x18; - out1[3] = x20; - out1[4] = x22; - out1[5] = x24; -} - -/* - * The function fiat_secp384r1_opp negates a field element in the Montgomery domain. - * - * Preconditions: - * 0 ≤ eval arg1 < m - * Postconditions: - * eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m - * 0 ≤ eval out1 < m - * - */ -static void -fiat_secp384r1_opp( - fiat_secp384r1_montgomery_domain_field_element out1, - const fiat_secp384r1_montgomery_domain_field_element arg1) -{ - uint64_t x1; - fiat_secp384r1_uint1 x2; - uint64_t x3; - fiat_secp384r1_uint1 x4; - uint64_t x5; - fiat_secp384r1_uint1 x6; - uint64_t x7; - fiat_secp384r1_uint1 x8; - uint64_t x9; - fiat_secp384r1_uint1 x10; - uint64_t x11; - fiat_secp384r1_uint1 x12; - uint64_t x13; - uint64_t x14; - fiat_secp384r1_uint1 x15; - uint64_t x16; - fiat_secp384r1_uint1 x17; - uint64_t x18; - fiat_secp384r1_uint1 x19; - uint64_t x20; - fiat_secp384r1_uint1 x21; - uint64_t x22; - fiat_secp384r1_uint1 x23; - uint64_t x24; - fiat_secp384r1_uint1 x25; - fiat_secp384r1_subborrowx_u64(&x1, &x2, 0x0, 0x0, (arg1[0])); - fiat_secp384r1_subborrowx_u64(&x3, &x4, x2, 0x0, (arg1[1])); - fiat_secp384r1_subborrowx_u64(&x5, &x6, x4, 0x0, (arg1[2])); - fiat_secp384r1_subborrowx_u64(&x7, &x8, x6, 0x0, (arg1[3])); - fiat_secp384r1_subborrowx_u64(&x9, &x10, x8, 0x0, (arg1[4])); - fiat_secp384r1_subborrowx_u64(&x11, &x12, x10, 0x0, (arg1[5])); - fiat_secp384r1_cmovznz_u64(&x13, x12, 0x0, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_addcarryx_u64(&x14, &x15, 0x0, x1, - (x13 & UINT32_C(0xffffffff))); - fiat_secp384r1_addcarryx_u64(&x16, &x17, x15, x3, - (x13 & UINT64_C(0xffffffff00000000))); - fiat_secp384r1_addcarryx_u64(&x18, &x19, x17, x5, - (x13 & UINT64_C(0xfffffffffffffffe))); - fiat_secp384r1_addcarryx_u64(&x20, &x21, x19, x7, x13); - fiat_secp384r1_addcarryx_u64(&x22, &x23, x21, x9, x13); - fiat_secp384r1_addcarryx_u64(&x24, &x25, x23, x11, x13); - out1[0] = x14; - out1[1] = x16; - out1[2] = x18; - out1[3] = x20; - out1[4] = x22; - out1[5] = x24; -} - -/* - * The function fiat_secp384r1_from_montgomery translates a field element out of the Montgomery domain. - * - * Preconditions: - * 0 ≤ eval arg1 < m - * Postconditions: - * eval out1 mod m = (eval arg1 * ((2^64)⁻¹ mod m)^6) mod m - * 0 ≤ eval out1 < m - * - */ -static void -fiat_secp384r1_from_montgomery( - fiat_secp384r1_non_montgomery_domain_field_element out1, - const fiat_secp384r1_montgomery_domain_field_element arg1) -{ - uint64_t x1; - uint64_t x2; - uint64_t x3; - uint64_t x4; - uint64_t x5; - uint64_t x6; - uint64_t x7; - uint64_t x8; - uint64_t x9; - uint64_t x10; - uint64_t x11; - uint64_t x12; - uint64_t x13; - uint64_t x14; - uint64_t x15; - uint64_t x16; - fiat_secp384r1_uint1 x17; - uint64_t x18; - fiat_secp384r1_uint1 x19; - uint64_t x20; - fiat_secp384r1_uint1 x21; - uint64_t x22; - fiat_secp384r1_uint1 x23; - uint64_t x24; - fiat_secp384r1_uint1 x25; - uint64_t x26; - fiat_secp384r1_uint1 x27; - uint64_t x28; - fiat_secp384r1_uint1 x29; - uint64_t x30; - fiat_secp384r1_uint1 x31; - uint64_t x32; - fiat_secp384r1_uint1 x33; - uint64_t x34; - fiat_secp384r1_uint1 x35; - uint64_t x36; - fiat_secp384r1_uint1 x37; - uint64_t x38; - fiat_secp384r1_uint1 x39; - uint64_t x40; - fiat_secp384r1_uint1 x41; - uint64_t x42; - fiat_secp384r1_uint1 x43; - uint64_t x44; - fiat_secp384r1_uint1 x45; - uint64_t x46; - fiat_secp384r1_uint1 x47; - uint64_t x48; - fiat_secp384r1_uint1 x49; - uint64_t x50; - fiat_secp384r1_uint1 x51; - uint64_t x52; - uint64_t x53; - uint64_t x54; - uint64_t x55; - uint64_t x56; - uint64_t x57; - uint64_t x58; - uint64_t x59; - uint64_t x60; - uint64_t x61; - uint64_t x62; - uint64_t x63; - uint64_t x64; - uint64_t x65; - uint64_t x66; - fiat_secp384r1_uint1 x67; - uint64_t x68; - fiat_secp384r1_uint1 x69; - uint64_t x70; - fiat_secp384r1_uint1 x71; - uint64_t x72; - fiat_secp384r1_uint1 x73; - uint64_t x74; - fiat_secp384r1_uint1 x75; - uint64_t x76; - fiat_secp384r1_uint1 x77; - uint64_t x78; - fiat_secp384r1_uint1 x79; - uint64_t x80; - fiat_secp384r1_uint1 x81; - uint64_t x82; - fiat_secp384r1_uint1 x83; - uint64_t x84; - fiat_secp384r1_uint1 x85; - uint64_t x86; - fiat_secp384r1_uint1 x87; - uint64_t x88; - fiat_secp384r1_uint1 x89; - uint64_t x90; - fiat_secp384r1_uint1 x91; - uint64_t x92; - fiat_secp384r1_uint1 x93; - uint64_t x94; - fiat_secp384r1_uint1 x95; - uint64_t x96; - fiat_secp384r1_uint1 x97; - uint64_t x98; - fiat_secp384r1_uint1 x99; - uint64_t x100; - fiat_secp384r1_uint1 x101; - uint64_t x102; - uint64_t x103; - uint64_t x104; - uint64_t x105; - uint64_t x106; - uint64_t x107; - uint64_t x108; - uint64_t x109; - uint64_t x110; - uint64_t x111; - uint64_t x112; - uint64_t x113; - uint64_t x114; - uint64_t x115; - uint64_t x116; - fiat_secp384r1_uint1 x117; - uint64_t x118; - fiat_secp384r1_uint1 x119; - uint64_t x120; - fiat_secp384r1_uint1 x121; - uint64_t x122; - fiat_secp384r1_uint1 x123; - uint64_t x124; - fiat_secp384r1_uint1 x125; - uint64_t x126; - fiat_secp384r1_uint1 x127; - uint64_t x128; - fiat_secp384r1_uint1 x129; - uint64_t x130; - fiat_secp384r1_uint1 x131; - uint64_t x132; - fiat_secp384r1_uint1 x133; - uint64_t x134; - fiat_secp384r1_uint1 x135; - uint64_t x136; - fiat_secp384r1_uint1 x137; - uint64_t x138; - fiat_secp384r1_uint1 x139; - uint64_t x140; - fiat_secp384r1_uint1 x141; - uint64_t x142; - fiat_secp384r1_uint1 x143; - uint64_t x144; - fiat_secp384r1_uint1 x145; - uint64_t x146; - fiat_secp384r1_uint1 x147; - uint64_t x148; - fiat_secp384r1_uint1 x149; - uint64_t x150; - fiat_secp384r1_uint1 x151; - uint64_t x152; - uint64_t x153; - uint64_t x154; - uint64_t x155; - uint64_t x156; - uint64_t x157; - uint64_t x158; - uint64_t x159; - uint64_t x160; - uint64_t x161; - uint64_t x162; - uint64_t x163; - uint64_t x164; - uint64_t x165; - uint64_t x166; - fiat_secp384r1_uint1 x167; - uint64_t x168; - fiat_secp384r1_uint1 x169; - uint64_t x170; - fiat_secp384r1_uint1 x171; - uint64_t x172; - fiat_secp384r1_uint1 x173; - uint64_t x174; - fiat_secp384r1_uint1 x175; - uint64_t x176; - fiat_secp384r1_uint1 x177; - uint64_t x178; - fiat_secp384r1_uint1 x179; - uint64_t x180; - fiat_secp384r1_uint1 x181; - uint64_t x182; - fiat_secp384r1_uint1 x183; - uint64_t x184; - fiat_secp384r1_uint1 x185; - uint64_t x186; - fiat_secp384r1_uint1 x187; - uint64_t x188; - fiat_secp384r1_uint1 x189; - uint64_t x190; - fiat_secp384r1_uint1 x191; - uint64_t x192; - fiat_secp384r1_uint1 x193; - uint64_t x194; - fiat_secp384r1_uint1 x195; - uint64_t x196; - fiat_secp384r1_uint1 x197; - uint64_t x198; - fiat_secp384r1_uint1 x199; - uint64_t x200; - fiat_secp384r1_uint1 x201; - uint64_t x202; - uint64_t x203; - uint64_t x204; - uint64_t x205; - uint64_t x206; - uint64_t x207; - uint64_t x208; - uint64_t x209; - uint64_t x210; - uint64_t x211; - uint64_t x212; - uint64_t x213; - uint64_t x214; - uint64_t x215; - uint64_t x216; - fiat_secp384r1_uint1 x217; - uint64_t x218; - fiat_secp384r1_uint1 x219; - uint64_t x220; - fiat_secp384r1_uint1 x221; - uint64_t x222; - fiat_secp384r1_uint1 x223; - uint64_t x224; - fiat_secp384r1_uint1 x225; - uint64_t x226; - fiat_secp384r1_uint1 x227; - uint64_t x228; - fiat_secp384r1_uint1 x229; - uint64_t x230; - fiat_secp384r1_uint1 x231; - uint64_t x232; - fiat_secp384r1_uint1 x233; - uint64_t x234; - fiat_secp384r1_uint1 x235; - uint64_t x236; - fiat_secp384r1_uint1 x237; - uint64_t x238; - fiat_secp384r1_uint1 x239; - uint64_t x240; - fiat_secp384r1_uint1 x241; - uint64_t x242; - fiat_secp384r1_uint1 x243; - uint64_t x244; - fiat_secp384r1_uint1 x245; - uint64_t x246; - fiat_secp384r1_uint1 x247; - uint64_t x248; - fiat_secp384r1_uint1 x249; - uint64_t x250; - fiat_secp384r1_uint1 x251; - uint64_t x252; - uint64_t x253; - uint64_t x254; - uint64_t x255; - uint64_t x256; - uint64_t x257; - uint64_t x258; - uint64_t x259; - uint64_t x260; - uint64_t x261; - uint64_t x262; - uint64_t x263; - uint64_t x264; - uint64_t x265; - uint64_t x266; - fiat_secp384r1_uint1 x267; - uint64_t x268; - fiat_secp384r1_uint1 x269; - uint64_t x270; - fiat_secp384r1_uint1 x271; - uint64_t x272; - fiat_secp384r1_uint1 x273; - uint64_t x274; - fiat_secp384r1_uint1 x275; - uint64_t x276; - fiat_secp384r1_uint1 x277; - uint64_t x278; - fiat_secp384r1_uint1 x279; - uint64_t x280; - fiat_secp384r1_uint1 x281; - uint64_t x282; - fiat_secp384r1_uint1 x283; - uint64_t x284; - fiat_secp384r1_uint1 x285; - uint64_t x286; - fiat_secp384r1_uint1 x287; - uint64_t x288; - fiat_secp384r1_uint1 x289; - uint64_t x290; - fiat_secp384r1_uint1 x291; - uint64_t x292; - fiat_secp384r1_uint1 x293; - uint64_t x294; - fiat_secp384r1_uint1 x295; - uint64_t x296; - fiat_secp384r1_uint1 x297; - uint64_t x298; - fiat_secp384r1_uint1 x299; - uint64_t x300; - fiat_secp384r1_uint1 x301; - uint64_t x302; - fiat_secp384r1_uint1 x303; - uint64_t x304; - uint64_t x305; - uint64_t x306; - uint64_t x307; - uint64_t x308; - uint64_t x309; - x1 = (arg1[0]); - fiat_secp384r1_mulx_u64(&x2, &x3, x1, UINT64_C(0x100000001)); - fiat_secp384r1_mulx_u64(&x4, &x5, x2, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x6, &x7, x2, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x8, &x9, x2, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x10, &x11, x2, UINT64_C(0xfffffffffffffffe)); - fiat_secp384r1_mulx_u64(&x12, &x13, x2, UINT64_C(0xffffffff00000000)); - fiat_secp384r1_mulx_u64(&x14, &x15, x2, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u64(&x16, &x17, 0x0, x15, x12); - fiat_secp384r1_addcarryx_u64(&x18, &x19, x17, x13, x10); - fiat_secp384r1_addcarryx_u64(&x20, &x21, x19, x11, x8); - fiat_secp384r1_addcarryx_u64(&x22, &x23, x21, x9, x6); - fiat_secp384r1_addcarryx_u64(&x24, &x25, x23, x7, x4); - fiat_secp384r1_addcarryx_u64(&x26, &x27, 0x0, x1, x14); - fiat_secp384r1_addcarryx_u64(&x28, &x29, x27, 0x0, x16); - fiat_secp384r1_addcarryx_u64(&x30, &x31, x29, 0x0, x18); - fiat_secp384r1_addcarryx_u64(&x32, &x33, x31, 0x0, x20); - fiat_secp384r1_addcarryx_u64(&x34, &x35, x33, 0x0, x22); - fiat_secp384r1_addcarryx_u64(&x36, &x37, x35, 0x0, x24); - fiat_secp384r1_addcarryx_u64(&x38, &x39, x37, 0x0, (x25 + x5)); - fiat_secp384r1_addcarryx_u64(&x40, &x41, 0x0, x28, (arg1[1])); - fiat_secp384r1_addcarryx_u64(&x42, &x43, x41, x30, 0x0); - fiat_secp384r1_addcarryx_u64(&x44, &x45, x43, x32, 0x0); - fiat_secp384r1_addcarryx_u64(&x46, &x47, x45, x34, 0x0); - fiat_secp384r1_addcarryx_u64(&x48, &x49, x47, x36, 0x0); - fiat_secp384r1_addcarryx_u64(&x50, &x51, x49, x38, 0x0); - fiat_secp384r1_mulx_u64(&x52, &x53, x40, UINT64_C(0x100000001)); - fiat_secp384r1_mulx_u64(&x54, &x55, x52, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x56, &x57, x52, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x58, &x59, x52, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x60, &x61, x52, UINT64_C(0xfffffffffffffffe)); - fiat_secp384r1_mulx_u64(&x62, &x63, x52, UINT64_C(0xffffffff00000000)); - fiat_secp384r1_mulx_u64(&x64, &x65, x52, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u64(&x66, &x67, 0x0, x65, x62); - fiat_secp384r1_addcarryx_u64(&x68, &x69, x67, x63, x60); - fiat_secp384r1_addcarryx_u64(&x70, &x71, x69, x61, x58); - fiat_secp384r1_addcarryx_u64(&x72, &x73, x71, x59, x56); - fiat_secp384r1_addcarryx_u64(&x74, &x75, x73, x57, x54); - fiat_secp384r1_addcarryx_u64(&x76, &x77, 0x0, x40, x64); - fiat_secp384r1_addcarryx_u64(&x78, &x79, x77, x42, x66); - fiat_secp384r1_addcarryx_u64(&x80, &x81, x79, x44, x68); - fiat_secp384r1_addcarryx_u64(&x82, &x83, x81, x46, x70); - fiat_secp384r1_addcarryx_u64(&x84, &x85, x83, x48, x72); - fiat_secp384r1_addcarryx_u64(&x86, &x87, x85, x50, x74); - fiat_secp384r1_addcarryx_u64(&x88, &x89, x87, ((uint64_t)x51 + x39), - (x75 + x55)); - fiat_secp384r1_addcarryx_u64(&x90, &x91, 0x0, x78, (arg1[2])); - fiat_secp384r1_addcarryx_u64(&x92, &x93, x91, x80, 0x0); - fiat_secp384r1_addcarryx_u64(&x94, &x95, x93, x82, 0x0); - fiat_secp384r1_addcarryx_u64(&x96, &x97, x95, x84, 0x0); - fiat_secp384r1_addcarryx_u64(&x98, &x99, x97, x86, 0x0); - fiat_secp384r1_addcarryx_u64(&x100, &x101, x99, x88, 0x0); - fiat_secp384r1_mulx_u64(&x102, &x103, x90, UINT64_C(0x100000001)); - fiat_secp384r1_mulx_u64(&x104, &x105, x102, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x106, &x107, x102, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x108, &x109, x102, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x110, &x111, x102, UINT64_C(0xfffffffffffffffe)); - fiat_secp384r1_mulx_u64(&x112, &x113, x102, UINT64_C(0xffffffff00000000)); - fiat_secp384r1_mulx_u64(&x114, &x115, x102, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u64(&x116, &x117, 0x0, x115, x112); - fiat_secp384r1_addcarryx_u64(&x118, &x119, x117, x113, x110); - fiat_secp384r1_addcarryx_u64(&x120, &x121, x119, x111, x108); - fiat_secp384r1_addcarryx_u64(&x122, &x123, x121, x109, x106); - fiat_secp384r1_addcarryx_u64(&x124, &x125, x123, x107, x104); - fiat_secp384r1_addcarryx_u64(&x126, &x127, 0x0, x90, x114); - fiat_secp384r1_addcarryx_u64(&x128, &x129, x127, x92, x116); - fiat_secp384r1_addcarryx_u64(&x130, &x131, x129, x94, x118); - fiat_secp384r1_addcarryx_u64(&x132, &x133, x131, x96, x120); - fiat_secp384r1_addcarryx_u64(&x134, &x135, x133, x98, x122); - fiat_secp384r1_addcarryx_u64(&x136, &x137, x135, x100, x124); - fiat_secp384r1_addcarryx_u64(&x138, &x139, x137, ((uint64_t)x101 + x89), - (x125 + x105)); - fiat_secp384r1_addcarryx_u64(&x140, &x141, 0x0, x128, (arg1[3])); - fiat_secp384r1_addcarryx_u64(&x142, &x143, x141, x130, 0x0); - fiat_secp384r1_addcarryx_u64(&x144, &x145, x143, x132, 0x0); - fiat_secp384r1_addcarryx_u64(&x146, &x147, x145, x134, 0x0); - fiat_secp384r1_addcarryx_u64(&x148, &x149, x147, x136, 0x0); - fiat_secp384r1_addcarryx_u64(&x150, &x151, x149, x138, 0x0); - fiat_secp384r1_mulx_u64(&x152, &x153, x140, UINT64_C(0x100000001)); - fiat_secp384r1_mulx_u64(&x154, &x155, x152, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x156, &x157, x152, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x158, &x159, x152, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x160, &x161, x152, UINT64_C(0xfffffffffffffffe)); - fiat_secp384r1_mulx_u64(&x162, &x163, x152, UINT64_C(0xffffffff00000000)); - fiat_secp384r1_mulx_u64(&x164, &x165, x152, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u64(&x166, &x167, 0x0, x165, x162); - fiat_secp384r1_addcarryx_u64(&x168, &x169, x167, x163, x160); - fiat_secp384r1_addcarryx_u64(&x170, &x171, x169, x161, x158); - fiat_secp384r1_addcarryx_u64(&x172, &x173, x171, x159, x156); - fiat_secp384r1_addcarryx_u64(&x174, &x175, x173, x157, x154); - fiat_secp384r1_addcarryx_u64(&x176, &x177, 0x0, x140, x164); - fiat_secp384r1_addcarryx_u64(&x178, &x179, x177, x142, x166); - fiat_secp384r1_addcarryx_u64(&x180, &x181, x179, x144, x168); - fiat_secp384r1_addcarryx_u64(&x182, &x183, x181, x146, x170); - fiat_secp384r1_addcarryx_u64(&x184, &x185, x183, x148, x172); - fiat_secp384r1_addcarryx_u64(&x186, &x187, x185, x150, x174); - fiat_secp384r1_addcarryx_u64(&x188, &x189, x187, ((uint64_t)x151 + x139), - (x175 + x155)); - fiat_secp384r1_addcarryx_u64(&x190, &x191, 0x0, x178, (arg1[4])); - fiat_secp384r1_addcarryx_u64(&x192, &x193, x191, x180, 0x0); - fiat_secp384r1_addcarryx_u64(&x194, &x195, x193, x182, 0x0); - fiat_secp384r1_addcarryx_u64(&x196, &x197, x195, x184, 0x0); - fiat_secp384r1_addcarryx_u64(&x198, &x199, x197, x186, 0x0); - fiat_secp384r1_addcarryx_u64(&x200, &x201, x199, x188, 0x0); - fiat_secp384r1_mulx_u64(&x202, &x203, x190, UINT64_C(0x100000001)); - fiat_secp384r1_mulx_u64(&x204, &x205, x202, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x206, &x207, x202, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x208, &x209, x202, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x210, &x211, x202, UINT64_C(0xfffffffffffffffe)); - fiat_secp384r1_mulx_u64(&x212, &x213, x202, UINT64_C(0xffffffff00000000)); - fiat_secp384r1_mulx_u64(&x214, &x215, x202, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u64(&x216, &x217, 0x0, x215, x212); - fiat_secp384r1_addcarryx_u64(&x218, &x219, x217, x213, x210); - fiat_secp384r1_addcarryx_u64(&x220, &x221, x219, x211, x208); - fiat_secp384r1_addcarryx_u64(&x222, &x223, x221, x209, x206); - fiat_secp384r1_addcarryx_u64(&x224, &x225, x223, x207, x204); - fiat_secp384r1_addcarryx_u64(&x226, &x227, 0x0, x190, x214); - fiat_secp384r1_addcarryx_u64(&x228, &x229, x227, x192, x216); - fiat_secp384r1_addcarryx_u64(&x230, &x231, x229, x194, x218); - fiat_secp384r1_addcarryx_u64(&x232, &x233, x231, x196, x220); - fiat_secp384r1_addcarryx_u64(&x234, &x235, x233, x198, x222); - fiat_secp384r1_addcarryx_u64(&x236, &x237, x235, x200, x224); - fiat_secp384r1_addcarryx_u64(&x238, &x239, x237, ((uint64_t)x201 + x189), - (x225 + x205)); - fiat_secp384r1_addcarryx_u64(&x240, &x241, 0x0, x228, (arg1[5])); - fiat_secp384r1_addcarryx_u64(&x242, &x243, x241, x230, 0x0); - fiat_secp384r1_addcarryx_u64(&x244, &x245, x243, x232, 0x0); - fiat_secp384r1_addcarryx_u64(&x246, &x247, x245, x234, 0x0); - fiat_secp384r1_addcarryx_u64(&x248, &x249, x247, x236, 0x0); - fiat_secp384r1_addcarryx_u64(&x250, &x251, x249, x238, 0x0); - fiat_secp384r1_mulx_u64(&x252, &x253, x240, UINT64_C(0x100000001)); - fiat_secp384r1_mulx_u64(&x254, &x255, x252, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x256, &x257, x252, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x258, &x259, x252, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x260, &x261, x252, UINT64_C(0xfffffffffffffffe)); - fiat_secp384r1_mulx_u64(&x262, &x263, x252, UINT64_C(0xffffffff00000000)); - fiat_secp384r1_mulx_u64(&x264, &x265, x252, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u64(&x266, &x267, 0x0, x265, x262); - fiat_secp384r1_addcarryx_u64(&x268, &x269, x267, x263, x260); - fiat_secp384r1_addcarryx_u64(&x270, &x271, x269, x261, x258); - fiat_secp384r1_addcarryx_u64(&x272, &x273, x271, x259, x256); - fiat_secp384r1_addcarryx_u64(&x274, &x275, x273, x257, x254); - fiat_secp384r1_addcarryx_u64(&x276, &x277, 0x0, x240, x264); - fiat_secp384r1_addcarryx_u64(&x278, &x279, x277, x242, x266); - fiat_secp384r1_addcarryx_u64(&x280, &x281, x279, x244, x268); - fiat_secp384r1_addcarryx_u64(&x282, &x283, x281, x246, x270); - fiat_secp384r1_addcarryx_u64(&x284, &x285, x283, x248, x272); - fiat_secp384r1_addcarryx_u64(&x286, &x287, x285, x250, x274); - fiat_secp384r1_addcarryx_u64(&x288, &x289, x287, ((uint64_t)x251 + x239), - (x275 + x255)); - fiat_secp384r1_subborrowx_u64(&x290, &x291, 0x0, x278, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u64(&x292, &x293, x291, x280, - UINT64_C(0xffffffff00000000)); - fiat_secp384r1_subborrowx_u64(&x294, &x295, x293, x282, - UINT64_C(0xfffffffffffffffe)); - fiat_secp384r1_subborrowx_u64(&x296, &x297, x295, x284, - UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_subborrowx_u64(&x298, &x299, x297, x286, - UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_subborrowx_u64(&x300, &x301, x299, x288, - UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_subborrowx_u64(&x302, &x303, x301, x289, 0x0); - fiat_secp384r1_cmovznz_u64(&x304, x303, x290, x278); - fiat_secp384r1_cmovznz_u64(&x305, x303, x292, x280); - fiat_secp384r1_cmovznz_u64(&x306, x303, x294, x282); - fiat_secp384r1_cmovznz_u64(&x307, x303, x296, x284); - fiat_secp384r1_cmovznz_u64(&x308, x303, x298, x286); - fiat_secp384r1_cmovznz_u64(&x309, x303, x300, x288); - out1[0] = x304; - out1[1] = x305; - out1[2] = x306; - out1[3] = x307; - out1[4] = x308; - out1[5] = x309; -} - -/* - * The function fiat_secp384r1_to_montgomery translates a field element into the Montgomery domain. - * - * Preconditions: - * 0 ≤ eval arg1 < m - * Postconditions: - * eval (from_montgomery out1) mod m = eval arg1 mod m - * 0 ≤ eval out1 < m - * - */ -static void -fiat_secp384r1_to_montgomery( - fiat_secp384r1_montgomery_domain_field_element out1, - const fiat_secp384r1_non_montgomery_domain_field_element arg1) -{ - uint64_t x1; - uint64_t x2; - uint64_t x3; - uint64_t x4; - uint64_t x5; - uint64_t x6; - uint64_t x7; - uint64_t x8; - uint64_t x9; - uint64_t x10; - uint64_t x11; - uint64_t x12; - uint64_t x13; - uint64_t x14; - uint64_t x15; - fiat_secp384r1_uint1 x16; - uint64_t x17; - fiat_secp384r1_uint1 x18; - uint64_t x19; - fiat_secp384r1_uint1 x20; - uint64_t x21; - fiat_secp384r1_uint1 x22; - uint64_t x23; - uint64_t x24; - uint64_t x25; - uint64_t x26; - uint64_t x27; - uint64_t x28; - uint64_t x29; - uint64_t x30; - uint64_t x31; - uint64_t x32; - uint64_t x33; - uint64_t x34; - uint64_t x35; - uint64_t x36; - uint64_t x37; - fiat_secp384r1_uint1 x38; - uint64_t x39; - fiat_secp384r1_uint1 x40; - uint64_t x41; - fiat_secp384r1_uint1 x42; - uint64_t x43; - fiat_secp384r1_uint1 x44; - uint64_t x45; - fiat_secp384r1_uint1 x46; - uint64_t x47; - fiat_secp384r1_uint1 x48; - uint64_t x49; - fiat_secp384r1_uint1 x50; - uint64_t x51; - fiat_secp384r1_uint1 x52; - uint64_t x53; - fiat_secp384r1_uint1 x54; - uint64_t x55; - fiat_secp384r1_uint1 x56; - uint64_t x57; - fiat_secp384r1_uint1 x58; - uint64_t x59; - fiat_secp384r1_uint1 x60; - uint64_t x61; - uint64_t x62; - uint64_t x63; - uint64_t x64; - uint64_t x65; - uint64_t x66; - uint64_t x67; - uint64_t x68; - uint64_t x69; - fiat_secp384r1_uint1 x70; - uint64_t x71; - fiat_secp384r1_uint1 x72; - uint64_t x73; - fiat_secp384r1_uint1 x74; - uint64_t x75; - fiat_secp384r1_uint1 x76; - uint64_t x77; - fiat_secp384r1_uint1 x78; - uint64_t x79; - fiat_secp384r1_uint1 x80; - uint64_t x81; - fiat_secp384r1_uint1 x82; - uint64_t x83; - fiat_secp384r1_uint1 x84; - uint64_t x85; - fiat_secp384r1_uint1 x86; - uint64_t x87; - fiat_secp384r1_uint1 x88; - uint64_t x89; - uint64_t x90; - uint64_t x91; - uint64_t x92; - uint64_t x93; - uint64_t x94; - uint64_t x95; - uint64_t x96; - uint64_t x97; - uint64_t x98; - uint64_t x99; - uint64_t x100; - uint64_t x101; - uint64_t x102; - uint64_t x103; - fiat_secp384r1_uint1 x104; - uint64_t x105; - fiat_secp384r1_uint1 x106; - uint64_t x107; - fiat_secp384r1_uint1 x108; - uint64_t x109; - fiat_secp384r1_uint1 x110; - uint64_t x111; - fiat_secp384r1_uint1 x112; - uint64_t x113; - fiat_secp384r1_uint1 x114; - uint64_t x115; - fiat_secp384r1_uint1 x116; - uint64_t x117; - fiat_secp384r1_uint1 x118; - uint64_t x119; - fiat_secp384r1_uint1 x120; - uint64_t x121; - fiat_secp384r1_uint1 x122; - uint64_t x123; - fiat_secp384r1_uint1 x124; - uint64_t x125; - fiat_secp384r1_uint1 x126; - uint64_t x127; - uint64_t x128; - uint64_t x129; - uint64_t x130; - uint64_t x131; - uint64_t x132; - uint64_t x133; - uint64_t x134; - uint64_t x135; - fiat_secp384r1_uint1 x136; - uint64_t x137; - fiat_secp384r1_uint1 x138; - uint64_t x139; - fiat_secp384r1_uint1 x140; - uint64_t x141; - fiat_secp384r1_uint1 x142; - uint64_t x143; - fiat_secp384r1_uint1 x144; - uint64_t x145; - fiat_secp384r1_uint1 x146; - uint64_t x147; - fiat_secp384r1_uint1 x148; - uint64_t x149; - fiat_secp384r1_uint1 x150; - uint64_t x151; - fiat_secp384r1_uint1 x152; - uint64_t x153; - fiat_secp384r1_uint1 x154; - uint64_t x155; - uint64_t x156; - uint64_t x157; - uint64_t x158; - uint64_t x159; - uint64_t x160; - uint64_t x161; - uint64_t x162; - uint64_t x163; - uint64_t x164; - uint64_t x165; - uint64_t x166; - uint64_t x167; - uint64_t x168; - uint64_t x169; - fiat_secp384r1_uint1 x170; - uint64_t x171; - fiat_secp384r1_uint1 x172; - uint64_t x173; - fiat_secp384r1_uint1 x174; - uint64_t x175; - fiat_secp384r1_uint1 x176; - uint64_t x177; - fiat_secp384r1_uint1 x178; - uint64_t x179; - fiat_secp384r1_uint1 x180; - uint64_t x181; - fiat_secp384r1_uint1 x182; - uint64_t x183; - fiat_secp384r1_uint1 x184; - uint64_t x185; - fiat_secp384r1_uint1 x186; - uint64_t x187; - fiat_secp384r1_uint1 x188; - uint64_t x189; - fiat_secp384r1_uint1 x190; - uint64_t x191; - fiat_secp384r1_uint1 x192; - uint64_t x193; - uint64_t x194; - uint64_t x195; - uint64_t x196; - uint64_t x197; - uint64_t x198; - uint64_t x199; - uint64_t x200; - uint64_t x201; - fiat_secp384r1_uint1 x202; - uint64_t x203; - fiat_secp384r1_uint1 x204; - uint64_t x205; - fiat_secp384r1_uint1 x206; - uint64_t x207; - fiat_secp384r1_uint1 x208; - uint64_t x209; - fiat_secp384r1_uint1 x210; - uint64_t x211; - fiat_secp384r1_uint1 x212; - uint64_t x213; - fiat_secp384r1_uint1 x214; - uint64_t x215; - fiat_secp384r1_uint1 x216; - uint64_t x217; - fiat_secp384r1_uint1 x218; - uint64_t x219; - fiat_secp384r1_uint1 x220; - uint64_t x221; - uint64_t x222; - uint64_t x223; - uint64_t x224; - uint64_t x225; - uint64_t x226; - uint64_t x227; - uint64_t x228; - uint64_t x229; - uint64_t x230; - uint64_t x231; - uint64_t x232; - uint64_t x233; - uint64_t x234; - uint64_t x235; - fiat_secp384r1_uint1 x236; - uint64_t x237; - fiat_secp384r1_uint1 x238; - uint64_t x239; - fiat_secp384r1_uint1 x240; - uint64_t x241; - fiat_secp384r1_uint1 x242; - uint64_t x243; - fiat_secp384r1_uint1 x244; - uint64_t x245; - fiat_secp384r1_uint1 x246; - uint64_t x247; - fiat_secp384r1_uint1 x248; - uint64_t x249; - fiat_secp384r1_uint1 x250; - uint64_t x251; - fiat_secp384r1_uint1 x252; - uint64_t x253; - fiat_secp384r1_uint1 x254; - uint64_t x255; - fiat_secp384r1_uint1 x256; - uint64_t x257; - fiat_secp384r1_uint1 x258; - uint64_t x259; - uint64_t x260; - uint64_t x261; - uint64_t x262; - uint64_t x263; - uint64_t x264; - uint64_t x265; - uint64_t x266; - uint64_t x267; - fiat_secp384r1_uint1 x268; - uint64_t x269; - fiat_secp384r1_uint1 x270; - uint64_t x271; - fiat_secp384r1_uint1 x272; - uint64_t x273; - fiat_secp384r1_uint1 x274; - uint64_t x275; - fiat_secp384r1_uint1 x276; - uint64_t x277; - fiat_secp384r1_uint1 x278; - uint64_t x279; - fiat_secp384r1_uint1 x280; - uint64_t x281; - fiat_secp384r1_uint1 x282; - uint64_t x283; - fiat_secp384r1_uint1 x284; - uint64_t x285; - fiat_secp384r1_uint1 x286; - uint64_t x287; - uint64_t x288; - uint64_t x289; - uint64_t x290; - uint64_t x291; - uint64_t x292; - uint64_t x293; - uint64_t x294; - uint64_t x295; - uint64_t x296; - uint64_t x297; - uint64_t x298; - uint64_t x299; - uint64_t x300; - uint64_t x301; - fiat_secp384r1_uint1 x302; - uint64_t x303; - fiat_secp384r1_uint1 x304; - uint64_t x305; - fiat_secp384r1_uint1 x306; - uint64_t x307; - fiat_secp384r1_uint1 x308; - uint64_t x309; - fiat_secp384r1_uint1 x310; - uint64_t x311; - fiat_secp384r1_uint1 x312; - uint64_t x313; - fiat_secp384r1_uint1 x314; - uint64_t x315; - fiat_secp384r1_uint1 x316; - uint64_t x317; - fiat_secp384r1_uint1 x318; - uint64_t x319; - fiat_secp384r1_uint1 x320; - uint64_t x321; - fiat_secp384r1_uint1 x322; - uint64_t x323; - fiat_secp384r1_uint1 x324; - uint64_t x325; - uint64_t x326; - uint64_t x327; - uint64_t x328; - uint64_t x329; - uint64_t x330; - uint64_t x331; - uint64_t x332; - uint64_t x333; - fiat_secp384r1_uint1 x334; - uint64_t x335; - fiat_secp384r1_uint1 x336; - uint64_t x337; - fiat_secp384r1_uint1 x338; - uint64_t x339; - fiat_secp384r1_uint1 x340; - uint64_t x341; - fiat_secp384r1_uint1 x342; - uint64_t x343; - fiat_secp384r1_uint1 x344; - uint64_t x345; - fiat_secp384r1_uint1 x346; - uint64_t x347; - fiat_secp384r1_uint1 x348; - uint64_t x349; - fiat_secp384r1_uint1 x350; - uint64_t x351; - fiat_secp384r1_uint1 x352; - uint64_t x353; - uint64_t x354; - uint64_t x355; - uint64_t x356; - uint64_t x357; - uint64_t x358; - uint64_t x359; - uint64_t x360; - uint64_t x361; - uint64_t x362; - uint64_t x363; - uint64_t x364; - uint64_t x365; - uint64_t x366; - uint64_t x367; - fiat_secp384r1_uint1 x368; - uint64_t x369; - fiat_secp384r1_uint1 x370; - uint64_t x371; - fiat_secp384r1_uint1 x372; - uint64_t x373; - fiat_secp384r1_uint1 x374; - uint64_t x375; - fiat_secp384r1_uint1 x376; - uint64_t x377; - fiat_secp384r1_uint1 x378; - uint64_t x379; - fiat_secp384r1_uint1 x380; - uint64_t x381; - fiat_secp384r1_uint1 x382; - uint64_t x383; - fiat_secp384r1_uint1 x384; - uint64_t x385; - fiat_secp384r1_uint1 x386; - uint64_t x387; - fiat_secp384r1_uint1 x388; - uint64_t x389; - fiat_secp384r1_uint1 x390; - uint64_t x391; - fiat_secp384r1_uint1 x392; - uint64_t x393; - fiat_secp384r1_uint1 x394; - uint64_t x395; - fiat_secp384r1_uint1 x396; - uint64_t x397; - fiat_secp384r1_uint1 x398; - uint64_t x399; - fiat_secp384r1_uint1 x400; - uint64_t x401; - fiat_secp384r1_uint1 x402; - uint64_t x403; - fiat_secp384r1_uint1 x404; - uint64_t x405; - uint64_t x406; - uint64_t x407; - uint64_t x408; - uint64_t x409; - uint64_t x410; - x1 = (arg1[1]); - x2 = (arg1[2]); - x3 = (arg1[3]); - x4 = (arg1[4]); - x5 = (arg1[5]); - x6 = (arg1[0]); - fiat_secp384r1_mulx_u64(&x7, &x8, x6, UINT64_C(0x200000000)); - fiat_secp384r1_mulx_u64(&x9, &x10, x6, UINT64_C(0xfffffffe00000000)); - fiat_secp384r1_mulx_u64(&x11, &x12, x6, UINT64_C(0x200000000)); - fiat_secp384r1_mulx_u64(&x13, &x14, x6, UINT64_C(0xfffffffe00000001)); - fiat_secp384r1_addcarryx_u64(&x15, &x16, 0x0, x14, x11); - fiat_secp384r1_addcarryx_u64(&x17, &x18, x16, x12, x9); - fiat_secp384r1_addcarryx_u64(&x19, &x20, x18, x10, x7); - fiat_secp384r1_addcarryx_u64(&x21, &x22, x20, x8, x6); - fiat_secp384r1_mulx_u64(&x23, &x24, x13, UINT64_C(0x100000001)); - fiat_secp384r1_mulx_u64(&x25, &x26, x23, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x27, &x28, x23, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x29, &x30, x23, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x31, &x32, x23, UINT64_C(0xfffffffffffffffe)); - fiat_secp384r1_mulx_u64(&x33, &x34, x23, UINT64_C(0xffffffff00000000)); - fiat_secp384r1_mulx_u64(&x35, &x36, x23, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u64(&x37, &x38, 0x0, x36, x33); - fiat_secp384r1_addcarryx_u64(&x39, &x40, x38, x34, x31); - fiat_secp384r1_addcarryx_u64(&x41, &x42, x40, x32, x29); - fiat_secp384r1_addcarryx_u64(&x43, &x44, x42, x30, x27); - fiat_secp384r1_addcarryx_u64(&x45, &x46, x44, x28, x25); - fiat_secp384r1_addcarryx_u64(&x47, &x48, 0x0, x13, x35); - fiat_secp384r1_addcarryx_u64(&x49, &x50, x48, x15, x37); - fiat_secp384r1_addcarryx_u64(&x51, &x52, x50, x17, x39); - fiat_secp384r1_addcarryx_u64(&x53, &x54, x52, x19, x41); - fiat_secp384r1_addcarryx_u64(&x55, &x56, x54, x21, x43); - fiat_secp384r1_addcarryx_u64(&x57, &x58, x56, x22, x45); - fiat_secp384r1_addcarryx_u64(&x59, &x60, x58, 0x0, (x46 + x26)); - fiat_secp384r1_mulx_u64(&x61, &x62, x1, UINT64_C(0x200000000)); - fiat_secp384r1_mulx_u64(&x63, &x64, x1, UINT64_C(0xfffffffe00000000)); - fiat_secp384r1_mulx_u64(&x65, &x66, x1, UINT64_C(0x200000000)); - fiat_secp384r1_mulx_u64(&x67, &x68, x1, UINT64_C(0xfffffffe00000001)); - fiat_secp384r1_addcarryx_u64(&x69, &x70, 0x0, x68, x65); - fiat_secp384r1_addcarryx_u64(&x71, &x72, x70, x66, x63); - fiat_secp384r1_addcarryx_u64(&x73, &x74, x72, x64, x61); - fiat_secp384r1_addcarryx_u64(&x75, &x76, x74, x62, x1); - fiat_secp384r1_addcarryx_u64(&x77, &x78, 0x0, x49, x67); - fiat_secp384r1_addcarryx_u64(&x79, &x80, x78, x51, x69); - fiat_secp384r1_addcarryx_u64(&x81, &x82, x80, x53, x71); - fiat_secp384r1_addcarryx_u64(&x83, &x84, x82, x55, x73); - fiat_secp384r1_addcarryx_u64(&x85, &x86, x84, x57, x75); - fiat_secp384r1_addcarryx_u64(&x87, &x88, x86, x59, x76); - fiat_secp384r1_mulx_u64(&x89, &x90, x77, UINT64_C(0x100000001)); - fiat_secp384r1_mulx_u64(&x91, &x92, x89, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x93, &x94, x89, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x95, &x96, x89, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x97, &x98, x89, UINT64_C(0xfffffffffffffffe)); - fiat_secp384r1_mulx_u64(&x99, &x100, x89, UINT64_C(0xffffffff00000000)); - fiat_secp384r1_mulx_u64(&x101, &x102, x89, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u64(&x103, &x104, 0x0, x102, x99); - fiat_secp384r1_addcarryx_u64(&x105, &x106, x104, x100, x97); - fiat_secp384r1_addcarryx_u64(&x107, &x108, x106, x98, x95); - fiat_secp384r1_addcarryx_u64(&x109, &x110, x108, x96, x93); - fiat_secp384r1_addcarryx_u64(&x111, &x112, x110, x94, x91); - fiat_secp384r1_addcarryx_u64(&x113, &x114, 0x0, x77, x101); - fiat_secp384r1_addcarryx_u64(&x115, &x116, x114, x79, x103); - fiat_secp384r1_addcarryx_u64(&x117, &x118, x116, x81, x105); - fiat_secp384r1_addcarryx_u64(&x119, &x120, x118, x83, x107); - fiat_secp384r1_addcarryx_u64(&x121, &x122, x120, x85, x109); - fiat_secp384r1_addcarryx_u64(&x123, &x124, x122, x87, x111); - fiat_secp384r1_addcarryx_u64(&x125, &x126, x124, ((uint64_t)x88 + x60), - (x112 + x92)); - fiat_secp384r1_mulx_u64(&x127, &x128, x2, UINT64_C(0x200000000)); - fiat_secp384r1_mulx_u64(&x129, &x130, x2, UINT64_C(0xfffffffe00000000)); - fiat_secp384r1_mulx_u64(&x131, &x132, x2, UINT64_C(0x200000000)); - fiat_secp384r1_mulx_u64(&x133, &x134, x2, UINT64_C(0xfffffffe00000001)); - fiat_secp384r1_addcarryx_u64(&x135, &x136, 0x0, x134, x131); - fiat_secp384r1_addcarryx_u64(&x137, &x138, x136, x132, x129); - fiat_secp384r1_addcarryx_u64(&x139, &x140, x138, x130, x127); - fiat_secp384r1_addcarryx_u64(&x141, &x142, x140, x128, x2); - fiat_secp384r1_addcarryx_u64(&x143, &x144, 0x0, x115, x133); - fiat_secp384r1_addcarryx_u64(&x145, &x146, x144, x117, x135); - fiat_secp384r1_addcarryx_u64(&x147, &x148, x146, x119, x137); - fiat_secp384r1_addcarryx_u64(&x149, &x150, x148, x121, x139); - fiat_secp384r1_addcarryx_u64(&x151, &x152, x150, x123, x141); - fiat_secp384r1_addcarryx_u64(&x153, &x154, x152, x125, x142); - fiat_secp384r1_mulx_u64(&x155, &x156, x143, UINT64_C(0x100000001)); - fiat_secp384r1_mulx_u64(&x157, &x158, x155, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x159, &x160, x155, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x161, &x162, x155, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x163, &x164, x155, UINT64_C(0xfffffffffffffffe)); - fiat_secp384r1_mulx_u64(&x165, &x166, x155, UINT64_C(0xffffffff00000000)); - fiat_secp384r1_mulx_u64(&x167, &x168, x155, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u64(&x169, &x170, 0x0, x168, x165); - fiat_secp384r1_addcarryx_u64(&x171, &x172, x170, x166, x163); - fiat_secp384r1_addcarryx_u64(&x173, &x174, x172, x164, x161); - fiat_secp384r1_addcarryx_u64(&x175, &x176, x174, x162, x159); - fiat_secp384r1_addcarryx_u64(&x177, &x178, x176, x160, x157); - fiat_secp384r1_addcarryx_u64(&x179, &x180, 0x0, x143, x167); - fiat_secp384r1_addcarryx_u64(&x181, &x182, x180, x145, x169); - fiat_secp384r1_addcarryx_u64(&x183, &x184, x182, x147, x171); - fiat_secp384r1_addcarryx_u64(&x185, &x186, x184, x149, x173); - fiat_secp384r1_addcarryx_u64(&x187, &x188, x186, x151, x175); - fiat_secp384r1_addcarryx_u64(&x189, &x190, x188, x153, x177); - fiat_secp384r1_addcarryx_u64(&x191, &x192, x190, ((uint64_t)x154 + x126), - (x178 + x158)); - fiat_secp384r1_mulx_u64(&x193, &x194, x3, UINT64_C(0x200000000)); - fiat_secp384r1_mulx_u64(&x195, &x196, x3, UINT64_C(0xfffffffe00000000)); - fiat_secp384r1_mulx_u64(&x197, &x198, x3, UINT64_C(0x200000000)); - fiat_secp384r1_mulx_u64(&x199, &x200, x3, UINT64_C(0xfffffffe00000001)); - fiat_secp384r1_addcarryx_u64(&x201, &x202, 0x0, x200, x197); - fiat_secp384r1_addcarryx_u64(&x203, &x204, x202, x198, x195); - fiat_secp384r1_addcarryx_u64(&x205, &x206, x204, x196, x193); - fiat_secp384r1_addcarryx_u64(&x207, &x208, x206, x194, x3); - fiat_secp384r1_addcarryx_u64(&x209, &x210, 0x0, x181, x199); - fiat_secp384r1_addcarryx_u64(&x211, &x212, x210, x183, x201); - fiat_secp384r1_addcarryx_u64(&x213, &x214, x212, x185, x203); - fiat_secp384r1_addcarryx_u64(&x215, &x216, x214, x187, x205); - fiat_secp384r1_addcarryx_u64(&x217, &x218, x216, x189, x207); - fiat_secp384r1_addcarryx_u64(&x219, &x220, x218, x191, x208); - fiat_secp384r1_mulx_u64(&x221, &x222, x209, UINT64_C(0x100000001)); - fiat_secp384r1_mulx_u64(&x223, &x224, x221, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x225, &x226, x221, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x227, &x228, x221, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x229, &x230, x221, UINT64_C(0xfffffffffffffffe)); - fiat_secp384r1_mulx_u64(&x231, &x232, x221, UINT64_C(0xffffffff00000000)); - fiat_secp384r1_mulx_u64(&x233, &x234, x221, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u64(&x235, &x236, 0x0, x234, x231); - fiat_secp384r1_addcarryx_u64(&x237, &x238, x236, x232, x229); - fiat_secp384r1_addcarryx_u64(&x239, &x240, x238, x230, x227); - fiat_secp384r1_addcarryx_u64(&x241, &x242, x240, x228, x225); - fiat_secp384r1_addcarryx_u64(&x243, &x244, x242, x226, x223); - fiat_secp384r1_addcarryx_u64(&x245, &x246, 0x0, x209, x233); - fiat_secp384r1_addcarryx_u64(&x247, &x248, x246, x211, x235); - fiat_secp384r1_addcarryx_u64(&x249, &x250, x248, x213, x237); - fiat_secp384r1_addcarryx_u64(&x251, &x252, x250, x215, x239); - fiat_secp384r1_addcarryx_u64(&x253, &x254, x252, x217, x241); - fiat_secp384r1_addcarryx_u64(&x255, &x256, x254, x219, x243); - fiat_secp384r1_addcarryx_u64(&x257, &x258, x256, ((uint64_t)x220 + x192), - (x244 + x224)); - fiat_secp384r1_mulx_u64(&x259, &x260, x4, UINT64_C(0x200000000)); - fiat_secp384r1_mulx_u64(&x261, &x262, x4, UINT64_C(0xfffffffe00000000)); - fiat_secp384r1_mulx_u64(&x263, &x264, x4, UINT64_C(0x200000000)); - fiat_secp384r1_mulx_u64(&x265, &x266, x4, UINT64_C(0xfffffffe00000001)); - fiat_secp384r1_addcarryx_u64(&x267, &x268, 0x0, x266, x263); - fiat_secp384r1_addcarryx_u64(&x269, &x270, x268, x264, x261); - fiat_secp384r1_addcarryx_u64(&x271, &x272, x270, x262, x259); - fiat_secp384r1_addcarryx_u64(&x273, &x274, x272, x260, x4); - fiat_secp384r1_addcarryx_u64(&x275, &x276, 0x0, x247, x265); - fiat_secp384r1_addcarryx_u64(&x277, &x278, x276, x249, x267); - fiat_secp384r1_addcarryx_u64(&x279, &x280, x278, x251, x269); - fiat_secp384r1_addcarryx_u64(&x281, &x282, x280, x253, x271); - fiat_secp384r1_addcarryx_u64(&x283, &x284, x282, x255, x273); - fiat_secp384r1_addcarryx_u64(&x285, &x286, x284, x257, x274); - fiat_secp384r1_mulx_u64(&x287, &x288, x275, UINT64_C(0x100000001)); - fiat_secp384r1_mulx_u64(&x289, &x290, x287, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x291, &x292, x287, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x293, &x294, x287, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x295, &x296, x287, UINT64_C(0xfffffffffffffffe)); - fiat_secp384r1_mulx_u64(&x297, &x298, x287, UINT64_C(0xffffffff00000000)); - fiat_secp384r1_mulx_u64(&x299, &x300, x287, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u64(&x301, &x302, 0x0, x300, x297); - fiat_secp384r1_addcarryx_u64(&x303, &x304, x302, x298, x295); - fiat_secp384r1_addcarryx_u64(&x305, &x306, x304, x296, x293); - fiat_secp384r1_addcarryx_u64(&x307, &x308, x306, x294, x291); - fiat_secp384r1_addcarryx_u64(&x309, &x310, x308, x292, x289); - fiat_secp384r1_addcarryx_u64(&x311, &x312, 0x0, x275, x299); - fiat_secp384r1_addcarryx_u64(&x313, &x314, x312, x277, x301); - fiat_secp384r1_addcarryx_u64(&x315, &x316, x314, x279, x303); - fiat_secp384r1_addcarryx_u64(&x317, &x318, x316, x281, x305); - fiat_secp384r1_addcarryx_u64(&x319, &x320, x318, x283, x307); - fiat_secp384r1_addcarryx_u64(&x321, &x322, x320, x285, x309); - fiat_secp384r1_addcarryx_u64(&x323, &x324, x322, ((uint64_t)x286 + x258), - (x310 + x290)); - fiat_secp384r1_mulx_u64(&x325, &x326, x5, UINT64_C(0x200000000)); - fiat_secp384r1_mulx_u64(&x327, &x328, x5, UINT64_C(0xfffffffe00000000)); - fiat_secp384r1_mulx_u64(&x329, &x330, x5, UINT64_C(0x200000000)); - fiat_secp384r1_mulx_u64(&x331, &x332, x5, UINT64_C(0xfffffffe00000001)); - fiat_secp384r1_addcarryx_u64(&x333, &x334, 0x0, x332, x329); - fiat_secp384r1_addcarryx_u64(&x335, &x336, x334, x330, x327); - fiat_secp384r1_addcarryx_u64(&x337, &x338, x336, x328, x325); - fiat_secp384r1_addcarryx_u64(&x339, &x340, x338, x326, x5); - fiat_secp384r1_addcarryx_u64(&x341, &x342, 0x0, x313, x331); - fiat_secp384r1_addcarryx_u64(&x343, &x344, x342, x315, x333); - fiat_secp384r1_addcarryx_u64(&x345, &x346, x344, x317, x335); - fiat_secp384r1_addcarryx_u64(&x347, &x348, x346, x319, x337); - fiat_secp384r1_addcarryx_u64(&x349, &x350, x348, x321, x339); - fiat_secp384r1_addcarryx_u64(&x351, &x352, x350, x323, x340); - fiat_secp384r1_mulx_u64(&x353, &x354, x341, UINT64_C(0x100000001)); - fiat_secp384r1_mulx_u64(&x355, &x356, x353, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x357, &x358, x353, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x359, &x360, x353, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_mulx_u64(&x361, &x362, x353, UINT64_C(0xfffffffffffffffe)); - fiat_secp384r1_mulx_u64(&x363, &x364, x353, UINT64_C(0xffffffff00000000)); - fiat_secp384r1_mulx_u64(&x365, &x366, x353, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u64(&x367, &x368, 0x0, x366, x363); - fiat_secp384r1_addcarryx_u64(&x369, &x370, x368, x364, x361); - fiat_secp384r1_addcarryx_u64(&x371, &x372, x370, x362, x359); - fiat_secp384r1_addcarryx_u64(&x373, &x374, x372, x360, x357); - fiat_secp384r1_addcarryx_u64(&x375, &x376, x374, x358, x355); - fiat_secp384r1_addcarryx_u64(&x377, &x378, 0x0, x341, x365); - fiat_secp384r1_addcarryx_u64(&x379, &x380, x378, x343, x367); - fiat_secp384r1_addcarryx_u64(&x381, &x382, x380, x345, x369); - fiat_secp384r1_addcarryx_u64(&x383, &x384, x382, x347, x371); - fiat_secp384r1_addcarryx_u64(&x385, &x386, x384, x349, x373); - fiat_secp384r1_addcarryx_u64(&x387, &x388, x386, x351, x375); - fiat_secp384r1_addcarryx_u64(&x389, &x390, x388, ((uint64_t)x352 + x324), - (x376 + x356)); - fiat_secp384r1_subborrowx_u64(&x391, &x392, 0x0, x379, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u64(&x393, &x394, x392, x381, - UINT64_C(0xffffffff00000000)); - fiat_secp384r1_subborrowx_u64(&x395, &x396, x394, x383, - UINT64_C(0xfffffffffffffffe)); - fiat_secp384r1_subborrowx_u64(&x397, &x398, x396, x385, - UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_subborrowx_u64(&x399, &x400, x398, x387, - UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_subborrowx_u64(&x401, &x402, x400, x389, - UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_subborrowx_u64(&x403, &x404, x402, x390, 0x0); - fiat_secp384r1_cmovznz_u64(&x405, x404, x391, x379); - fiat_secp384r1_cmovznz_u64(&x406, x404, x393, x381); - fiat_secp384r1_cmovznz_u64(&x407, x404, x395, x383); - fiat_secp384r1_cmovznz_u64(&x408, x404, x397, x385); - fiat_secp384r1_cmovznz_u64(&x409, x404, x399, x387); - fiat_secp384r1_cmovznz_u64(&x410, x404, x401, x389); - out1[0] = x405; - out1[1] = x406; - out1[2] = x407; - out1[3] = x408; - out1[4] = x409; - out1[5] = x410; -} - -/* - * The function fiat_secp384r1_nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. - * - * Preconditions: - * 0 ≤ eval arg1 < m - * Postconditions: - * out1 = 0 ↔ eval (from_montgomery arg1) mod m = 0 - * - * Input Bounds: - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * Output Bounds: - * out1: [0x0 ~> 0xffffffffffffffff] - */ -static void -fiat_secp384r1_nonzero(uint64_t *out1, const uint64_t arg1[6]) -{ - uint64_t x1; - x1 = ((arg1[0]) | - ((arg1[1]) | ((arg1[2]) | ((arg1[3]) | ((arg1[4]) | (arg1[5])))))); - *out1 = x1; -} - -/* - * The function fiat_secp384r1_selectznz is a multi-limb conditional select. - * - * Postconditions: - * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) - * - * Input Bounds: - * arg1: [0x0 ~> 0x1] - * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * Output Bounds: - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -static void -fiat_secp384r1_selectznz(uint64_t out1[6], - fiat_secp384r1_uint1 arg1, - const uint64_t arg2[6], - const uint64_t arg3[6]) -{ - uint64_t x1; - uint64_t x2; - uint64_t x3; - uint64_t x4; - uint64_t x5; - uint64_t x6; - fiat_secp384r1_cmovznz_u64(&x1, arg1, (arg2[0]), (arg3[0])); - fiat_secp384r1_cmovznz_u64(&x2, arg1, (arg2[1]), (arg3[1])); - fiat_secp384r1_cmovznz_u64(&x3, arg1, (arg2[2]), (arg3[2])); - fiat_secp384r1_cmovznz_u64(&x4, arg1, (arg2[3]), (arg3[3])); - fiat_secp384r1_cmovznz_u64(&x5, arg1, (arg2[4]), (arg3[4])); - fiat_secp384r1_cmovznz_u64(&x6, arg1, (arg2[5]), (arg3[5])); - out1[0] = x1; - out1[1] = x2; - out1[2] = x3; - out1[3] = x4; - out1[4] = x5; - out1[5] = x6; -} - -/* - * The function fiat_secp384r1_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. - * - * Preconditions: - * 0 ≤ eval arg1 < m - * Postconditions: - * out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..47] - * - * Input Bounds: - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * Output Bounds: - * out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] - */ -static void -fiat_secp384r1_to_bytes(uint8_t out1[48], const uint64_t arg1[6]) -{ - uint64_t x1; - uint64_t x2; - uint64_t x3; - uint64_t x4; - uint64_t x5; - uint64_t x6; - uint8_t x7; - uint64_t x8; - uint8_t x9; - uint64_t x10; - uint8_t x11; - uint64_t x12; - uint8_t x13; - uint64_t x14; - uint8_t x15; - uint64_t x16; - uint8_t x17; - uint64_t x18; - uint8_t x19; - uint8_t x20; - uint8_t x21; - uint64_t x22; - uint8_t x23; - uint64_t x24; - uint8_t x25; - uint64_t x26; - uint8_t x27; - uint64_t x28; - uint8_t x29; - uint64_t x30; - uint8_t x31; - uint64_t x32; - uint8_t x33; - uint8_t x34; - uint8_t x35; - uint64_t x36; - uint8_t x37; - uint64_t x38; - uint8_t x39; - uint64_t x40; - uint8_t x41; - uint64_t x42; - uint8_t x43; - uint64_t x44; - uint8_t x45; - uint64_t x46; - uint8_t x47; - uint8_t x48; - uint8_t x49; - uint64_t x50; - uint8_t x51; - uint64_t x52; - uint8_t x53; - uint64_t x54; - uint8_t x55; - uint64_t x56; - uint8_t x57; - uint64_t x58; - uint8_t x59; - uint64_t x60; - uint8_t x61; - uint8_t x62; - uint8_t x63; - uint64_t x64; - uint8_t x65; - uint64_t x66; - uint8_t x67; - uint64_t x68; - uint8_t x69; - uint64_t x70; - uint8_t x71; - uint64_t x72; - uint8_t x73; - uint64_t x74; - uint8_t x75; - uint8_t x76; - uint8_t x77; - uint64_t x78; - uint8_t x79; - uint64_t x80; - uint8_t x81; - uint64_t x82; - uint8_t x83; - uint64_t x84; - uint8_t x85; - uint64_t x86; - uint8_t x87; - uint64_t x88; - uint8_t x89; - uint8_t x90; - x1 = (arg1[5]); - x2 = (arg1[4]); - x3 = (arg1[3]); - x4 = (arg1[2]); - x5 = (arg1[1]); - x6 = (arg1[0]); - x7 = (uint8_t)(x6 & UINT8_C(0xff)); - x8 = (x6 >> 8); - x9 = (uint8_t)(x8 & UINT8_C(0xff)); - x10 = (x8 >> 8); - x11 = (uint8_t)(x10 & UINT8_C(0xff)); - x12 = (x10 >> 8); - x13 = (uint8_t)(x12 & UINT8_C(0xff)); - x14 = (x12 >> 8); - x15 = (uint8_t)(x14 & UINT8_C(0xff)); - x16 = (x14 >> 8); - x17 = (uint8_t)(x16 & UINT8_C(0xff)); - x18 = (x16 >> 8); - x19 = (uint8_t)(x18 & UINT8_C(0xff)); - x20 = (uint8_t)(x18 >> 8); - x21 = (uint8_t)(x5 & UINT8_C(0xff)); - x22 = (x5 >> 8); - x23 = (uint8_t)(x22 & UINT8_C(0xff)); - x24 = (x22 >> 8); - x25 = (uint8_t)(x24 & UINT8_C(0xff)); - x26 = (x24 >> 8); - x27 = (uint8_t)(x26 & UINT8_C(0xff)); - x28 = (x26 >> 8); - x29 = (uint8_t)(x28 & UINT8_C(0xff)); - x30 = (x28 >> 8); - x31 = (uint8_t)(x30 & UINT8_C(0xff)); - x32 = (x30 >> 8); - x33 = (uint8_t)(x32 & UINT8_C(0xff)); - x34 = (uint8_t)(x32 >> 8); - x35 = (uint8_t)(x4 & UINT8_C(0xff)); - x36 = (x4 >> 8); - x37 = (uint8_t)(x36 & UINT8_C(0xff)); - x38 = (x36 >> 8); - x39 = (uint8_t)(x38 & UINT8_C(0xff)); - x40 = (x38 >> 8); - x41 = (uint8_t)(x40 & UINT8_C(0xff)); - x42 = (x40 >> 8); - x43 = (uint8_t)(x42 & UINT8_C(0xff)); - x44 = (x42 >> 8); - x45 = (uint8_t)(x44 & UINT8_C(0xff)); - x46 = (x44 >> 8); - x47 = (uint8_t)(x46 & UINT8_C(0xff)); - x48 = (uint8_t)(x46 >> 8); - x49 = (uint8_t)(x3 & UINT8_C(0xff)); - x50 = (x3 >> 8); - x51 = (uint8_t)(x50 & UINT8_C(0xff)); - x52 = (x50 >> 8); - x53 = (uint8_t)(x52 & UINT8_C(0xff)); - x54 = (x52 >> 8); - x55 = (uint8_t)(x54 & UINT8_C(0xff)); - x56 = (x54 >> 8); - x57 = (uint8_t)(x56 & UINT8_C(0xff)); - x58 = (x56 >> 8); - x59 = (uint8_t)(x58 & UINT8_C(0xff)); - x60 = (x58 >> 8); - x61 = (uint8_t)(x60 & UINT8_C(0xff)); - x62 = (uint8_t)(x60 >> 8); - x63 = (uint8_t)(x2 & UINT8_C(0xff)); - x64 = (x2 >> 8); - x65 = (uint8_t)(x64 & UINT8_C(0xff)); - x66 = (x64 >> 8); - x67 = (uint8_t)(x66 & UINT8_C(0xff)); - x68 = (x66 >> 8); - x69 = (uint8_t)(x68 & UINT8_C(0xff)); - x70 = (x68 >> 8); - x71 = (uint8_t)(x70 & UINT8_C(0xff)); - x72 = (x70 >> 8); - x73 = (uint8_t)(x72 & UINT8_C(0xff)); - x74 = (x72 >> 8); - x75 = (uint8_t)(x74 & UINT8_C(0xff)); - x76 = (uint8_t)(x74 >> 8); - x77 = (uint8_t)(x1 & UINT8_C(0xff)); - x78 = (x1 >> 8); - x79 = (uint8_t)(x78 & UINT8_C(0xff)); - x80 = (x78 >> 8); - x81 = (uint8_t)(x80 & UINT8_C(0xff)); - x82 = (x80 >> 8); - x83 = (uint8_t)(x82 & UINT8_C(0xff)); - x84 = (x82 >> 8); - x85 = (uint8_t)(x84 & UINT8_C(0xff)); - x86 = (x84 >> 8); - x87 = (uint8_t)(x86 & UINT8_C(0xff)); - x88 = (x86 >> 8); - x89 = (uint8_t)(x88 & UINT8_C(0xff)); - x90 = (uint8_t)(x88 >> 8); - out1[0] = x7; - out1[1] = x9; - out1[2] = x11; - out1[3] = x13; - out1[4] = x15; - out1[5] = x17; - out1[6] = x19; - out1[7] = x20; - out1[8] = x21; - out1[9] = x23; - out1[10] = x25; - out1[11] = x27; - out1[12] = x29; - out1[13] = x31; - out1[14] = x33; - out1[15] = x34; - out1[16] = x35; - out1[17] = x37; - out1[18] = x39; - out1[19] = x41; - out1[20] = x43; - out1[21] = x45; - out1[22] = x47; - out1[23] = x48; - out1[24] = x49; - out1[25] = x51; - out1[26] = x53; - out1[27] = x55; - out1[28] = x57; - out1[29] = x59; - out1[30] = x61; - out1[31] = x62; - out1[32] = x63; - out1[33] = x65; - out1[34] = x67; - out1[35] = x69; - out1[36] = x71; - out1[37] = x73; - out1[38] = x75; - out1[39] = x76; - out1[40] = x77; - out1[41] = x79; - out1[42] = x81; - out1[43] = x83; - out1[44] = x85; - out1[45] = x87; - out1[46] = x89; - out1[47] = x90; -} - -/* - * The function fiat_secp384r1_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. - * - * Preconditions: - * 0 ≤ bytes_eval arg1 < m - * Postconditions: - * eval out1 mod m = bytes_eval arg1 mod m - * 0 ≤ eval out1 < m - * - * Input Bounds: - * arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] - * Output Bounds: - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -static void -fiat_secp384r1_from_bytes(uint64_t out1[6], - const uint8_t arg1[48]) -{ - uint64_t x1; - uint64_t x2; - uint64_t x3; - uint64_t x4; - uint64_t x5; - uint64_t x6; - uint64_t x7; - uint8_t x8; - uint64_t x9; - uint64_t x10; - uint64_t x11; - uint64_t x12; - uint64_t x13; - uint64_t x14; - uint64_t x15; - uint8_t x16; - uint64_t x17; - uint64_t x18; - uint64_t x19; - uint64_t x20; - uint64_t x21; - uint64_t x22; - uint64_t x23; - uint8_t x24; - uint64_t x25; - uint64_t x26; - uint64_t x27; - uint64_t x28; - uint64_t x29; - uint64_t x30; - uint64_t x31; - uint8_t x32; - uint64_t x33; - uint64_t x34; - uint64_t x35; - uint64_t x36; - uint64_t x37; - uint64_t x38; - uint64_t x39; - uint8_t x40; - uint64_t x41; - uint64_t x42; - uint64_t x43; - uint64_t x44; - uint64_t x45; - uint64_t x46; - uint64_t x47; - uint8_t x48; - uint64_t x49; - uint64_t x50; - uint64_t x51; - uint64_t x52; - uint64_t x53; - uint64_t x54; - uint64_t x55; - uint64_t x56; - uint64_t x57; - uint64_t x58; - uint64_t x59; - uint64_t x60; - uint64_t x61; - uint64_t x62; - uint64_t x63; - uint64_t x64; - uint64_t x65; - uint64_t x66; - uint64_t x67; - uint64_t x68; - uint64_t x69; - uint64_t x70; - uint64_t x71; - uint64_t x72; - uint64_t x73; - uint64_t x74; - uint64_t x75; - uint64_t x76; - uint64_t x77; - uint64_t x78; - uint64_t x79; - uint64_t x80; - uint64_t x81; - uint64_t x82; - uint64_t x83; - uint64_t x84; - uint64_t x85; - uint64_t x86; - uint64_t x87; - uint64_t x88; - uint64_t x89; - uint64_t x90; - x1 = ((uint64_t)(arg1[47]) << 56); - x2 = ((uint64_t)(arg1[46]) << 48); - x3 = ((uint64_t)(arg1[45]) << 40); - x4 = ((uint64_t)(arg1[44]) << 32); - x5 = ((uint64_t)(arg1[43]) << 24); - x6 = ((uint64_t)(arg1[42]) << 16); - x7 = ((uint64_t)(arg1[41]) << 8); - x8 = (arg1[40]); - x9 = ((uint64_t)(arg1[39]) << 56); - x10 = ((uint64_t)(arg1[38]) << 48); - x11 = ((uint64_t)(arg1[37]) << 40); - x12 = ((uint64_t)(arg1[36]) << 32); - x13 = ((uint64_t)(arg1[35]) << 24); - x14 = ((uint64_t)(arg1[34]) << 16); - x15 = ((uint64_t)(arg1[33]) << 8); - x16 = (arg1[32]); - x17 = ((uint64_t)(arg1[31]) << 56); - x18 = ((uint64_t)(arg1[30]) << 48); - x19 = ((uint64_t)(arg1[29]) << 40); - x20 = ((uint64_t)(arg1[28]) << 32); - x21 = ((uint64_t)(arg1[27]) << 24); - x22 = ((uint64_t)(arg1[26]) << 16); - x23 = ((uint64_t)(arg1[25]) << 8); - x24 = (arg1[24]); - x25 = ((uint64_t)(arg1[23]) << 56); - x26 = ((uint64_t)(arg1[22]) << 48); - x27 = ((uint64_t)(arg1[21]) << 40); - x28 = ((uint64_t)(arg1[20]) << 32); - x29 = ((uint64_t)(arg1[19]) << 24); - x30 = ((uint64_t)(arg1[18]) << 16); - x31 = ((uint64_t)(arg1[17]) << 8); - x32 = (arg1[16]); - x33 = ((uint64_t)(arg1[15]) << 56); - x34 = ((uint64_t)(arg1[14]) << 48); - x35 = ((uint64_t)(arg1[13]) << 40); - x36 = ((uint64_t)(arg1[12]) << 32); - x37 = ((uint64_t)(arg1[11]) << 24); - x38 = ((uint64_t)(arg1[10]) << 16); - x39 = ((uint64_t)(arg1[9]) << 8); - x40 = (arg1[8]); - x41 = ((uint64_t)(arg1[7]) << 56); - x42 = ((uint64_t)(arg1[6]) << 48); - x43 = ((uint64_t)(arg1[5]) << 40); - x44 = ((uint64_t)(arg1[4]) << 32); - x45 = ((uint64_t)(arg1[3]) << 24); - x46 = ((uint64_t)(arg1[2]) << 16); - x47 = ((uint64_t)(arg1[1]) << 8); - x48 = (arg1[0]); - x49 = (x47 + (uint64_t)x48); - x50 = (x46 + x49); - x51 = (x45 + x50); - x52 = (x44 + x51); - x53 = (x43 + x52); - x54 = (x42 + x53); - x55 = (x41 + x54); - x56 = (x39 + (uint64_t)x40); - x57 = (x38 + x56); - x58 = (x37 + x57); - x59 = (x36 + x58); - x60 = (x35 + x59); - x61 = (x34 + x60); - x62 = (x33 + x61); - x63 = (x31 + (uint64_t)x32); - x64 = (x30 + x63); - x65 = (x29 + x64); - x66 = (x28 + x65); - x67 = (x27 + x66); - x68 = (x26 + x67); - x69 = (x25 + x68); - x70 = (x23 + (uint64_t)x24); - x71 = (x22 + x70); - x72 = (x21 + x71); - x73 = (x20 + x72); - x74 = (x19 + x73); - x75 = (x18 + x74); - x76 = (x17 + x75); - x77 = (x15 + (uint64_t)x16); - x78 = (x14 + x77); - x79 = (x13 + x78); - x80 = (x12 + x79); - x81 = (x11 + x80); - x82 = (x10 + x81); - x83 = (x9 + x82); - x84 = (x7 + (uint64_t)x8); - x85 = (x6 + x84); - x86 = (x5 + x85); - x87 = (x4 + x86); - x88 = (x3 + x87); - x89 = (x2 + x88); - x90 = (x1 + x89); - out1[0] = x55; - out1[1] = x62; - out1[2] = x69; - out1[3] = x76; - out1[4] = x83; - out1[5] = x90; -} - -/* - * The function fiat_secp384r1_divstep computes a divstep. - * - * Preconditions: - * 0 ≤ eval arg4 < m - * 0 ≤ eval arg5 < m - * Postconditions: - * out1 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then 1 - arg1 else 1 + arg1) - * twos_complement_eval out2 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then twos_complement_eval arg3 else twos_complement_eval arg2) - * twos_complement_eval out3 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then ⌊(twos_complement_eval arg3 - twos_complement_eval arg2) / 2⌋ else ⌊(twos_complement_eval arg3 + (twos_complement_eval arg3 mod 2) * twos_complement_eval arg2) / 2⌋) - * eval (from_montgomery out4) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (2 * eval (from_montgomery arg5)) mod m else (2 * eval (from_montgomery arg4)) mod m) - * eval (from_montgomery out5) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (eval (from_montgomery arg4) - eval (from_montgomery arg4)) mod m else (eval (from_montgomery arg5) + (twos_complement_eval arg3 mod 2) * eval (from_montgomery arg4)) mod m) - * 0 ≤ eval out5 < m - * 0 ≤ eval out5 < m - * 0 ≤ eval out2 < m - * 0 ≤ eval out3 < m - * - * Input Bounds: - * arg1: [0x0 ~> 0xffffffffffffffff] - * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * arg4: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * arg5: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * Output Bounds: - * out1: [0x0 ~> 0xffffffffffffffff] - * out2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * out3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * out4: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * out5: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -static void -fiat_secp384r1_divstep( - uint64_t *out1, uint64_t out2[7], uint64_t out3[7], uint64_t out4[6], - uint64_t out5[6], uint64_t arg1, const uint64_t arg2[7], - const uint64_t arg3[7], const uint64_t arg4[6], const uint64_t arg5[6]) -{ - uint64_t x1; - fiat_secp384r1_uint1 x2; - fiat_secp384r1_uint1 x3; - uint64_t x4; - fiat_secp384r1_uint1 x5; - uint64_t x6; - uint64_t x7; - uint64_t x8; - uint64_t x9; - uint64_t x10; - uint64_t x11; - uint64_t x12; - uint64_t x13; - uint64_t x14; - fiat_secp384r1_uint1 x15; - uint64_t x16; - fiat_secp384r1_uint1 x17; - uint64_t x18; - fiat_secp384r1_uint1 x19; - uint64_t x20; - fiat_secp384r1_uint1 x21; - uint64_t x22; - fiat_secp384r1_uint1 x23; - uint64_t x24; - fiat_secp384r1_uint1 x25; - uint64_t x26; - fiat_secp384r1_uint1 x27; - uint64_t x28; - uint64_t x29; - uint64_t x30; - uint64_t x31; - uint64_t x32; - uint64_t x33; - uint64_t x34; - uint64_t x35; - uint64_t x36; - uint64_t x37; - uint64_t x38; - uint64_t x39; - uint64_t x40; - uint64_t x41; - fiat_secp384r1_uint1 x42; - uint64_t x43; - fiat_secp384r1_uint1 x44; - uint64_t x45; - fiat_secp384r1_uint1 x46; - uint64_t x47; - fiat_secp384r1_uint1 x48; - uint64_t x49; - fiat_secp384r1_uint1 x50; - uint64_t x51; - fiat_secp384r1_uint1 x52; - uint64_t x53; - fiat_secp384r1_uint1 x54; - uint64_t x55; - fiat_secp384r1_uint1 x56; - uint64_t x57; - fiat_secp384r1_uint1 x58; - uint64_t x59; - fiat_secp384r1_uint1 x60; - uint64_t x61; - fiat_secp384r1_uint1 x62; - uint64_t x63; - fiat_secp384r1_uint1 x64; - uint64_t x65; - fiat_secp384r1_uint1 x66; - uint64_t x67; - uint64_t x68; - uint64_t x69; - uint64_t x70; - uint64_t x71; - uint64_t x72; - uint64_t x73; - fiat_secp384r1_uint1 x74; - uint64_t x75; - fiat_secp384r1_uint1 x76; - uint64_t x77; - fiat_secp384r1_uint1 x78; - uint64_t x79; - fiat_secp384r1_uint1 x80; - uint64_t x81; - fiat_secp384r1_uint1 x82; - uint64_t x83; - fiat_secp384r1_uint1 x84; - uint64_t x85; - uint64_t x86; - fiat_secp384r1_uint1 x87; - uint64_t x88; - fiat_secp384r1_uint1 x89; - uint64_t x90; - fiat_secp384r1_uint1 x91; - uint64_t x92; - fiat_secp384r1_uint1 x93; - uint64_t x94; - fiat_secp384r1_uint1 x95; - uint64_t x96; - fiat_secp384r1_uint1 x97; - uint64_t x98; - uint64_t x99; - uint64_t x100; - uint64_t x101; - uint64_t x102; - uint64_t x103; - fiat_secp384r1_uint1 x104; - uint64_t x105; - uint64_t x106; - uint64_t x107; - uint64_t x108; - uint64_t x109; - uint64_t x110; - uint64_t x111; - uint64_t x112; - fiat_secp384r1_uint1 x113; - uint64_t x114; - fiat_secp384r1_uint1 x115; - uint64_t x116; - fiat_secp384r1_uint1 x117; - uint64_t x118; - fiat_secp384r1_uint1 x119; - uint64_t x120; - fiat_secp384r1_uint1 x121; - uint64_t x122; - fiat_secp384r1_uint1 x123; - uint64_t x124; - fiat_secp384r1_uint1 x125; - uint64_t x126; - uint64_t x127; - uint64_t x128; - uint64_t x129; - uint64_t x130; - uint64_t x131; - uint64_t x132; - fiat_secp384r1_uint1 x133; - uint64_t x134; - fiat_secp384r1_uint1 x135; - uint64_t x136; - fiat_secp384r1_uint1 x137; - uint64_t x138; - fiat_secp384r1_uint1 x139; - uint64_t x140; - fiat_secp384r1_uint1 x141; - uint64_t x142; - fiat_secp384r1_uint1 x143; - uint64_t x144; - fiat_secp384r1_uint1 x145; - uint64_t x146; - fiat_secp384r1_uint1 x147; - uint64_t x148; - fiat_secp384r1_uint1 x149; - uint64_t x150; - fiat_secp384r1_uint1 x151; - uint64_t x152; - fiat_secp384r1_uint1 x153; - uint64_t x154; - fiat_secp384r1_uint1 x155; - uint64_t x156; - fiat_secp384r1_uint1 x157; - uint64_t x158; - fiat_secp384r1_uint1 x159; - uint64_t x160; - uint64_t x161; - uint64_t x162; - uint64_t x163; - uint64_t x164; - uint64_t x165; - uint64_t x166; - uint64_t x167; - uint64_t x168; - uint64_t x169; - uint64_t x170; - uint64_t x171; - uint64_t x172; - uint64_t x173; - uint64_t x174; - uint64_t x175; - uint64_t x176; - uint64_t x177; - uint64_t x178; - fiat_secp384r1_addcarryx_u64(&x1, &x2, 0x0, (~arg1), 0x1); - x3 = (fiat_secp384r1_uint1)((fiat_secp384r1_uint1)(x1 >> 63) & - (fiat_secp384r1_uint1)((arg3[0]) & 0x1)); - fiat_secp384r1_addcarryx_u64(&x4, &x5, 0x0, (~arg1), 0x1); - fiat_secp384r1_cmovznz_u64(&x6, x3, arg1, x4); - fiat_secp384r1_cmovznz_u64(&x7, x3, (arg2[0]), (arg3[0])); - fiat_secp384r1_cmovznz_u64(&x8, x3, (arg2[1]), (arg3[1])); - fiat_secp384r1_cmovznz_u64(&x9, x3, (arg2[2]), (arg3[2])); - fiat_secp384r1_cmovznz_u64(&x10, x3, (arg2[3]), (arg3[3])); - fiat_secp384r1_cmovznz_u64(&x11, x3, (arg2[4]), (arg3[4])); - fiat_secp384r1_cmovznz_u64(&x12, x3, (arg2[5]), (arg3[5])); - fiat_secp384r1_cmovznz_u64(&x13, x3, (arg2[6]), (arg3[6])); - fiat_secp384r1_addcarryx_u64(&x14, &x15, 0x0, 0x1, (~(arg2[0]))); - fiat_secp384r1_addcarryx_u64(&x16, &x17, x15, 0x0, (~(arg2[1]))); - fiat_secp384r1_addcarryx_u64(&x18, &x19, x17, 0x0, (~(arg2[2]))); - fiat_secp384r1_addcarryx_u64(&x20, &x21, x19, 0x0, (~(arg2[3]))); - fiat_secp384r1_addcarryx_u64(&x22, &x23, x21, 0x0, (~(arg2[4]))); - fiat_secp384r1_addcarryx_u64(&x24, &x25, x23, 0x0, (~(arg2[5]))); - fiat_secp384r1_addcarryx_u64(&x26, &x27, x25, 0x0, (~(arg2[6]))); - fiat_secp384r1_cmovznz_u64(&x28, x3, (arg3[0]), x14); - fiat_secp384r1_cmovznz_u64(&x29, x3, (arg3[1]), x16); - fiat_secp384r1_cmovznz_u64(&x30, x3, (arg3[2]), x18); - fiat_secp384r1_cmovznz_u64(&x31, x3, (arg3[3]), x20); - fiat_secp384r1_cmovznz_u64(&x32, x3, (arg3[4]), x22); - fiat_secp384r1_cmovznz_u64(&x33, x3, (arg3[5]), x24); - fiat_secp384r1_cmovznz_u64(&x34, x3, (arg3[6]), x26); - fiat_secp384r1_cmovznz_u64(&x35, x3, (arg4[0]), (arg5[0])); - fiat_secp384r1_cmovznz_u64(&x36, x3, (arg4[1]), (arg5[1])); - fiat_secp384r1_cmovznz_u64(&x37, x3, (arg4[2]), (arg5[2])); - fiat_secp384r1_cmovznz_u64(&x38, x3, (arg4[3]), (arg5[3])); - fiat_secp384r1_cmovznz_u64(&x39, x3, (arg4[4]), (arg5[4])); - fiat_secp384r1_cmovznz_u64(&x40, x3, (arg4[5]), (arg5[5])); - fiat_secp384r1_addcarryx_u64(&x41, &x42, 0x0, x35, x35); - fiat_secp384r1_addcarryx_u64(&x43, &x44, x42, x36, x36); - fiat_secp384r1_addcarryx_u64(&x45, &x46, x44, x37, x37); - fiat_secp384r1_addcarryx_u64(&x47, &x48, x46, x38, x38); - fiat_secp384r1_addcarryx_u64(&x49, &x50, x48, x39, x39); - fiat_secp384r1_addcarryx_u64(&x51, &x52, x50, x40, x40); - fiat_secp384r1_subborrowx_u64(&x53, &x54, 0x0, x41, UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u64(&x55, &x56, x54, x43, - UINT64_C(0xffffffff00000000)); - fiat_secp384r1_subborrowx_u64(&x57, &x58, x56, x45, - UINT64_C(0xfffffffffffffffe)); - fiat_secp384r1_subborrowx_u64(&x59, &x60, x58, x47, - UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_subborrowx_u64(&x61, &x62, x60, x49, - UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_subborrowx_u64(&x63, &x64, x62, x51, - UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_subborrowx_u64(&x65, &x66, x64, x52, 0x0); - x67 = (arg4[5]); - x68 = (arg4[4]); - x69 = (arg4[3]); - x70 = (arg4[2]); - x71 = (arg4[1]); - x72 = (arg4[0]); - fiat_secp384r1_subborrowx_u64(&x73, &x74, 0x0, 0x0, x72); - fiat_secp384r1_subborrowx_u64(&x75, &x76, x74, 0x0, x71); - fiat_secp384r1_subborrowx_u64(&x77, &x78, x76, 0x0, x70); - fiat_secp384r1_subborrowx_u64(&x79, &x80, x78, 0x0, x69); - fiat_secp384r1_subborrowx_u64(&x81, &x82, x80, 0x0, x68); - fiat_secp384r1_subborrowx_u64(&x83, &x84, x82, 0x0, x67); - fiat_secp384r1_cmovznz_u64(&x85, x84, 0x0, UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_addcarryx_u64(&x86, &x87, 0x0, x73, - (x85 & UINT32_C(0xffffffff))); - fiat_secp384r1_addcarryx_u64(&x88, &x89, x87, x75, - (x85 & UINT64_C(0xffffffff00000000))); - fiat_secp384r1_addcarryx_u64(&x90, &x91, x89, x77, - (x85 & UINT64_C(0xfffffffffffffffe))); - fiat_secp384r1_addcarryx_u64(&x92, &x93, x91, x79, x85); - fiat_secp384r1_addcarryx_u64(&x94, &x95, x93, x81, x85); - fiat_secp384r1_addcarryx_u64(&x96, &x97, x95, x83, x85); - fiat_secp384r1_cmovznz_u64(&x98, x3, (arg5[0]), x86); - fiat_secp384r1_cmovznz_u64(&x99, x3, (arg5[1]), x88); - fiat_secp384r1_cmovznz_u64(&x100, x3, (arg5[2]), x90); - fiat_secp384r1_cmovznz_u64(&x101, x3, (arg5[3]), x92); - fiat_secp384r1_cmovznz_u64(&x102, x3, (arg5[4]), x94); - fiat_secp384r1_cmovznz_u64(&x103, x3, (arg5[5]), x96); - x104 = (fiat_secp384r1_uint1)(x28 & 0x1); - fiat_secp384r1_cmovznz_u64(&x105, x104, 0x0, x7); - fiat_secp384r1_cmovznz_u64(&x106, x104, 0x0, x8); - fiat_secp384r1_cmovznz_u64(&x107, x104, 0x0, x9); - fiat_secp384r1_cmovznz_u64(&x108, x104, 0x0, x10); - fiat_secp384r1_cmovznz_u64(&x109, x104, 0x0, x11); - fiat_secp384r1_cmovznz_u64(&x110, x104, 0x0, x12); - fiat_secp384r1_cmovznz_u64(&x111, x104, 0x0, x13); - fiat_secp384r1_addcarryx_u64(&x112, &x113, 0x0, x28, x105); - fiat_secp384r1_addcarryx_u64(&x114, &x115, x113, x29, x106); - fiat_secp384r1_addcarryx_u64(&x116, &x117, x115, x30, x107); - fiat_secp384r1_addcarryx_u64(&x118, &x119, x117, x31, x108); - fiat_secp384r1_addcarryx_u64(&x120, &x121, x119, x32, x109); - fiat_secp384r1_addcarryx_u64(&x122, &x123, x121, x33, x110); - fiat_secp384r1_addcarryx_u64(&x124, &x125, x123, x34, x111); - fiat_secp384r1_cmovznz_u64(&x126, x104, 0x0, x35); - fiat_secp384r1_cmovznz_u64(&x127, x104, 0x0, x36); - fiat_secp384r1_cmovznz_u64(&x128, x104, 0x0, x37); - fiat_secp384r1_cmovznz_u64(&x129, x104, 0x0, x38); - fiat_secp384r1_cmovznz_u64(&x130, x104, 0x0, x39); - fiat_secp384r1_cmovznz_u64(&x131, x104, 0x0, x40); - fiat_secp384r1_addcarryx_u64(&x132, &x133, 0x0, x98, x126); - fiat_secp384r1_addcarryx_u64(&x134, &x135, x133, x99, x127); - fiat_secp384r1_addcarryx_u64(&x136, &x137, x135, x100, x128); - fiat_secp384r1_addcarryx_u64(&x138, &x139, x137, x101, x129); - fiat_secp384r1_addcarryx_u64(&x140, &x141, x139, x102, x130); - fiat_secp384r1_addcarryx_u64(&x142, &x143, x141, x103, x131); - fiat_secp384r1_subborrowx_u64(&x144, &x145, 0x0, x132, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u64(&x146, &x147, x145, x134, - UINT64_C(0xffffffff00000000)); - fiat_secp384r1_subborrowx_u64(&x148, &x149, x147, x136, - UINT64_C(0xfffffffffffffffe)); - fiat_secp384r1_subborrowx_u64(&x150, &x151, x149, x138, - UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_subborrowx_u64(&x152, &x153, x151, x140, - UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_subborrowx_u64(&x154, &x155, x153, x142, - UINT64_C(0xffffffffffffffff)); - fiat_secp384r1_subborrowx_u64(&x156, &x157, x155, x143, 0x0); - fiat_secp384r1_addcarryx_u64(&x158, &x159, 0x0, x6, 0x1); - x160 = ((x112 >> 1) | ((x114 << 63) & UINT64_C(0xffffffffffffffff))); - x161 = ((x114 >> 1) | ((x116 << 63) & UINT64_C(0xffffffffffffffff))); - x162 = ((x116 >> 1) | ((x118 << 63) & UINT64_C(0xffffffffffffffff))); - x163 = ((x118 >> 1) | ((x120 << 63) & UINT64_C(0xffffffffffffffff))); - x164 = ((x120 >> 1) | ((x122 << 63) & UINT64_C(0xffffffffffffffff))); - x165 = ((x122 >> 1) | ((x124 << 63) & UINT64_C(0xffffffffffffffff))); - x166 = ((x124 & UINT64_C(0x8000000000000000)) | (x124 >> 1)); - fiat_secp384r1_cmovznz_u64(&x167, x66, x53, x41); - fiat_secp384r1_cmovznz_u64(&x168, x66, x55, x43); - fiat_secp384r1_cmovznz_u64(&x169, x66, x57, x45); - fiat_secp384r1_cmovznz_u64(&x170, x66, x59, x47); - fiat_secp384r1_cmovznz_u64(&x171, x66, x61, x49); - fiat_secp384r1_cmovznz_u64(&x172, x66, x63, x51); - fiat_secp384r1_cmovznz_u64(&x173, x157, x144, x132); - fiat_secp384r1_cmovznz_u64(&x174, x157, x146, x134); - fiat_secp384r1_cmovznz_u64(&x175, x157, x148, x136); - fiat_secp384r1_cmovznz_u64(&x176, x157, x150, x138); - fiat_secp384r1_cmovznz_u64(&x177, x157, x152, x140); - fiat_secp384r1_cmovznz_u64(&x178, x157, x154, x142); - *out1 = x158; - out2[0] = x7; - out2[1] = x8; - out2[2] = x9; - out2[3] = x10; - out2[4] = x11; - out2[5] = x12; - out2[6] = x13; - out3[0] = x160; - out3[1] = x161; - out3[2] = x162; - out3[3] = x163; - out3[4] = x164; - out3[5] = x165; - out3[6] = x166; - out4[0] = x167; - out4[1] = x168; - out4[2] = x169; - out4[3] = x170; - out4[4] = x171; - out4[5] = x172; - out5[0] = x173; - out5[1] = x174; - out5[2] = x175; - out5[3] = x176; - out5[4] = x177; - out5[5] = x178; -} - -/* END verbatim fiat code */ - -/* curve-related constants */ - -static const limb_t const_one[6] = { - UINT64_C(0xFFFFFFFF00000001), UINT64_C(0x00000000FFFFFFFF), - UINT64_C(0x0000000000000001), UINT64_C(0x0000000000000000), - UINT64_C(0x0000000000000000), UINT64_C(0x0000000000000000) -}; - -static const limb_t const_b[6] = { - UINT64_C(0x081188719D412DCC), UINT64_C(0xF729ADD87A4C32EC), - UINT64_C(0x77F2209B1920022E), UINT64_C(0xE3374BEE94938AE2), - UINT64_C(0xB62B21F41F022094), UINT64_C(0xCD08114B604FBFF9) -}; - -static const limb_t const_divstep[6] = { - UINT64_C(0xFFFFC80000005000), UINT64_C(0xFFFFB3FFFFFF83FF), - UINT64_C(0xFFFFF7FFFFFFFFFF), UINT64_C(0xFFFFEBFFFFFFEFFF), - UINT64_C(0x00000BFFFFFFF3FF), UINT64_C(0x0000500000003000) -}; - -static const limb_t const_psat[6] = { - UINT64_C(0x00000000FFFFFFFF), UINT64_C(0xFFFFFFFF00000000), - UINT64_C(0xFFFFFFFFFFFFFFFE), UINT64_C(0xFFFFFFFFFFFFFFFF), - UINT64_C(0xFFFFFFFFFFFFFFFF), UINT64_C(0xFFFFFFFFFFFFFFFF) -}; - -/* LUT for scalar multiplication by comb interleaving */ -static const pt_aff_t lut_cmb[21][16] = { - { - { { UINT64_C(0x3DD0756649C0B528), UINT64_C(0x20E378E2A0D6CE38), - UINT64_C(0x879C3AFC541B4D6E), UINT64_C(0x6454868459A30EFF), - UINT64_C(0x812FF723614EDE2B), UINT64_C(0x4D3AADC2299E1513) }, - { UINT64_C(0x23043DAD4B03A4FE), UINT64_C(0xA1BFA8BF7BB4A9AC), - UINT64_C(0x8BADE7562E83B050), UINT64_C(0xC6C3521968F4FFD9), - UINT64_C(0xDD8002263969A840), UINT64_C(0x2B78ABC25A15C5E9) } }, - { { UINT64_C(0x05E4DBE6C1DC4073), UINT64_C(0xC54EA9FFF04F779C), - UINT64_C(0x6B2034E9A170CCF0), UINT64_C(0x3A48D732D51C6C3E), - UINT64_C(0xE36F7E2D263AA470), UINT64_C(0xD283FE68E7C1C3AC) }, - { UINT64_C(0x7E284821C04EE157), UINT64_C(0x92D789A77AE0E36D), - UINT64_C(0x132663C04EF67446), UINT64_C(0x68012D5AD2E1D0B4), - UINT64_C(0xF6DB68B15102B339), UINT64_C(0x465465FC983292AF) } }, - { { UINT64_C(0xBB595EBA68F1F0DF), UINT64_C(0xC185C0CBCC873466), - UINT64_C(0x7F1EB1B5293C703B), UINT64_C(0x60DB2CF5AACC05E6), - UINT64_C(0xC676B987E2E8E4C6), UINT64_C(0xE1BB26B11D178FFB) }, - { UINT64_C(0x2B694BA07073FA21), UINT64_C(0x22C16E2E72F34566), - UINT64_C(0x80B61B3101C35B99), UINT64_C(0x4B237FAF982C0411), - UINT64_C(0xE6C5944024DE236D), UINT64_C(0x4DB1C9D6E209E4A3) } }, - { { UINT64_C(0xDF13B9D17D69222B), UINT64_C(0x4CE6415F874774B1), - UINT64_C(0x731EDCF8211FAA95), UINT64_C(0x5F4215D1659753ED), - UINT64_C(0xF893DB589DB2DF55), UINT64_C(0x932C9F811C89025B) }, - { UINT64_C(0x0996B2207706A61E), UINT64_C(0x135349D5A8641C79), - UINT64_C(0x65AAD76F50130844), UINT64_C(0x0FF37C0401FFF780), - UINT64_C(0xF57F238E693B0706), UINT64_C(0xD90A16B6AF6C9B3E) } }, - { { UINT64_C(0x2F5D200E2353B92F), UINT64_C(0xE35D87293FD7E4F9), - UINT64_C(0x26094833A96D745D), UINT64_C(0xDC351DC13CBFFF3F), - UINT64_C(0x26D464C6DAD54D6A), UINT64_C(0x5CAB1D1D53636C6A) }, - { UINT64_C(0xF2813072B18EC0B0), UINT64_C(0x3777E270D742AA2F), - UINT64_C(0x27F061C7033CA7C2), UINT64_C(0xA6ECACCC68EAD0D8), - UINT64_C(0x7D9429F4EE69A754), UINT64_C(0xE770633431E8F5C6) } }, - { { UINT64_C(0xC7708B19B68B8C7D), UINT64_C(0x4532077C44377ABA), - UINT64_C(0x0DCC67706CDAD64F), UINT64_C(0x01B8BF56147B6602), - UINT64_C(0xF8D89885F0561D79), UINT64_C(0x9C19E9FC7BA9C437) }, - { UINT64_C(0x764EB146BDC4BA25), UINT64_C(0x604FE46BAC144B83), - UINT64_C(0x3CE813298A77E780), UINT64_C(0x2E070F36FE9E682E), - UINT64_C(0x41821D0C3A53287A), UINT64_C(0x9AA62F9F3533F918) } }, - { { UINT64_C(0x9B7AEB7E75CCBDFB), UINT64_C(0xB25E28C5F6749A95), - UINT64_C(0x8A7A8E4633B7D4AE), UINT64_C(0xDB5203A8D9C1BD56), - UINT64_C(0xD2657265ED22DF97), UINT64_C(0xB51C56E18CF23C94) }, - { UINT64_C(0xF4D394596C3D812D), UINT64_C(0xD8E88F1A87CAE0C2), - UINT64_C(0x789A2A48CF4D0FE3), UINT64_C(0xB7FEAC2DFEC38D60), - UINT64_C(0x81FDBD1C3B490EC3), UINT64_C(0x4617ADB7CC6979E1) } }, - { { UINT64_C(0x446AD8884709F4A9), UINT64_C(0x2B7210E2EC3DABD8), - UINT64_C(0x83CCF19550E07B34), UINT64_C(0x59500917789B3075), - UINT64_C(0x0FC01FD4EB085993), UINT64_C(0xFB62D26F4903026B) }, - { UINT64_C(0x2309CC9D6FE989BB), UINT64_C(0x61609CBD144BD586), - UINT64_C(0x4B23D3A0DE06610C), UINT64_C(0xDDDC2866D898F470), - UINT64_C(0x8733FC41400C5797), UINT64_C(0x5A68C6FED0BC2716) } }, - { { UINT64_C(0x8903E1304B4A3CD0), UINT64_C(0x3EA4EA4C8FF1F43E), - UINT64_C(0xE6FC3F2AF655A10D), UINT64_C(0x7BE3737D524FFEFC), - UINT64_C(0x9F6928555330455E), UINT64_C(0x524F166EE475CE70) }, - { UINT64_C(0x3FCC69CD6C12F055), UINT64_C(0x4E23B6FFD5B9C0DA), - UINT64_C(0x49CE6993336BF183), UINT64_C(0xF87D6D854A54504A), - UINT64_C(0x25EB5DF1B3C2677A), UINT64_C(0xAC37986F55B164C9) } }, - { { UINT64_C(0x82A2ED4ABAA84C08), UINT64_C(0x22C4CC5F41A8C912), - UINT64_C(0xCA109C3B154AAD5E), UINT64_C(0x23891298FC38538E), - UINT64_C(0xB3B6639C539802AE), UINT64_C(0xFA0F1F450390D706) }, - { UINT64_C(0x46B78E5DB0DC21D0), UINT64_C(0xA8C72D3CC3DA2EAC), - UINT64_C(0x9170B3786FF2F643), UINT64_C(0x3F5A799BB67F30C3), - UINT64_C(0x15D1DC778264B672), UINT64_C(0xA1D47B23E9577764) } }, - { { UINT64_C(0x08265E510422CE2F), UINT64_C(0x88E0D496DD2F9E21), - UINT64_C(0x30128AA06177F75D), UINT64_C(0x2E59AB62BD9EBE69), - UINT64_C(0x1B1A0F6C5DF0E537), UINT64_C(0xAB16C626DAC012B5) }, - { UINT64_C(0x8014214B008C5DE7), UINT64_C(0xAA740A9E38F17BEA), - UINT64_C(0x262EBB498A149098), UINT64_C(0xB454111E8527CD59), - UINT64_C(0x266AD15AACEA5817), UINT64_C(0x21824F411353CCBA) } }, - { { UINT64_C(0xD1B4E74D12E3683B), UINT64_C(0x990ED20B569B8EF6), - UINT64_C(0xB9D3DD25429C0A18), UINT64_C(0x1C75B8AB2A351783), - UINT64_C(0x61E4CA2B905432F0), UINT64_C(0x80826A69EEA8F224) }, - { UINT64_C(0x7FC33A6BEC52ABAD), UINT64_C(0x0BCCA3F0A65E4813), - UINT64_C(0x7AD8A132A527CEBE), UINT64_C(0xF0138950EAF22C7E), - UINT64_C(0x282D2437566718C1), UINT64_C(0x9DFCCB0DE2212559) } }, - { { UINT64_C(0x1E93722758CE3B83), UINT64_C(0xBB280DFA3CB3FB36), - UINT64_C(0x57D0F3D2E2BE174A), UINT64_C(0x9BD51B99208ABE1E), - UINT64_C(0x3809AB50DE248024), UINT64_C(0xC29C6E2CA5BB7331) }, - { UINT64_C(0x9944FD2E61124F05), UINT64_C(0x83CCBC4E9009E391), - UINT64_C(0x01628F059424A3CC), UINT64_C(0xD6A2F51DEA8E4344), - UINT64_C(0xDA3E1A3D4CEBC96E), UINT64_C(0x1FE6FB42E97809DC) } }, - { { UINT64_C(0xA04482D2467D66E4), UINT64_C(0xCF1912934D78291D), - UINT64_C(0x8E0D4168482396F9), UINT64_C(0x7228E2D5D18F14D0), - UINT64_C(0x2F7E8D509C6A58FE), UINT64_C(0xE8CA780E373E5AEC) }, - { UINT64_C(0x42AAD1D61B68E9F8), UINT64_C(0x58A6D7F569E2F8F4), - UINT64_C(0xD779ADFE31DA1BEA), UINT64_C(0x7D26540638C85A85), - UINT64_C(0x67E67195D44D3CDF), UINT64_C(0x17820A0BC5134ED7) } }, - { { UINT64_C(0x019D6AC5D3021470), UINT64_C(0x25846B66780443D6), - UINT64_C(0xCE3C15ED55C97647), UINT64_C(0x3DC22D490E3FEB0F), - UINT64_C(0x2065B7CBA7DF26E4), UINT64_C(0xC8B00AE8187CEA1F) }, - { UINT64_C(0x1A5284A0865DDED3), UINT64_C(0x293C164920C83DE2), - UINT64_C(0xAB178D26CCE851B3), UINT64_C(0x8E6DB10B404505FB), - UINT64_C(0xF6F57E7190C82033), UINT64_C(0x1D2A1C015977F16C) } }, - { { UINT64_C(0xA39C89317C8906A4), UINT64_C(0xB6E7ECDD9E821EE6), - UINT64_C(0x2ECF8340F0DF4FE6), UINT64_C(0xD42F7DC953C14965), - UINT64_C(0x1AFB51A3E3BA8285), UINT64_C(0x6C07C4040A3305D1) }, - { UINT64_C(0xDAB83288127FC1DA), UINT64_C(0xBC0A699B374C4B08), - UINT64_C(0x402A9BAB42EB20DD), UINT64_C(0xD7DD464F045A7A1C), - UINT64_C(0x5B3D0D6D36BEECC4), UINT64_C(0x475A3E756398A19D) } }, - }, - { - { { UINT64_C(0x31BDB48372876AE8), UINT64_C(0xE3325D98961ED1BF), - UINT64_C(0x18C042469B6FC64D), UINT64_C(0x0DCC15FA15786B8C), - UINT64_C(0x81ACDB068E63DA4A), UINT64_C(0xD3A4B643DADA70FB) }, - { UINT64_C(0x46361AFEDEA424EB), UINT64_C(0xDC2D2CAE89B92970), - UINT64_C(0xF389B61B615694E6), UINT64_C(0x7036DEF1872951D2), - UINT64_C(0x40FD3BDAD93BADC7), UINT64_C(0x45AB6321380A68D3) } }, - { { UINT64_C(0x23C1F74481A2703A), UINT64_C(0x1A5D075CB9859136), - UINT64_C(0xA4F82C9D5AFD1BFD), UINT64_C(0xA3D1E9A4F89D76FE), - UINT64_C(0x964F705075702F80), UINT64_C(0x182BF349F56C089D) }, - { UINT64_C(0xE205FA8FBE0DA6E1), UINT64_C(0x32905EB90A40F8F3), - UINT64_C(0x331A1004356D4395), UINT64_C(0x58B78901FDBBDFDE), - UINT64_C(0xA52A15979BA00E71), UINT64_C(0xE0092E1F55497A30) } }, - { { UINT64_C(0x5562A85670EE8F39), UINT64_C(0x86B0C11764E52A9C), - UINT64_C(0xC19F317409C75B8C), UINT64_C(0x21C7CC3124923F80), - UINT64_C(0xE63FE47F8F5B291E), UINT64_C(0x3D6D3C050DC08B05) }, - { UINT64_C(0x58AE455EEE0C39A1), UINT64_C(0x78BEA4310AD97942), - UINT64_C(0x42C7C97F3EE3989C), UINT64_C(0xC1B03AF5F38759AE), - UINT64_C(0x1A673C75BCF46899), UINT64_C(0x4831B7D38D508C7D) } }, - { { UINT64_C(0x76512D1BC552E354), UINT64_C(0x2B7EB6DF273020FD), - UINT64_C(0xD1C73AA8025A5F25), UINT64_C(0x2ABA19295CBD2A40), - UINT64_C(0xB53CADC3C88D61C6), UINT64_C(0x7E66A95E098290F3) }, - { UINT64_C(0x72800ECBAF4C5073), UINT64_C(0x81F2725E9DC63FAF), - UINT64_C(0x14BF92A7282BA9D1), UINT64_C(0x90629672BD5F1BB2), - UINT64_C(0x362F68EBA97C6C96), UINT64_C(0xB1D3BB8B7EA9D601) } }, - { { UINT64_C(0x73878F7FA9C94429), UINT64_C(0xB35C3BC8456CA6D8), - UINT64_C(0xD96F0B3CF721923A), UINT64_C(0x28D8F06CE6D44FA1), - UINT64_C(0x94EFDCDCD5CD671A), UINT64_C(0x0299AB933F97D481) }, - { UINT64_C(0xB7CED6EA2FD1D324), UINT64_C(0xBD6832087E932EC2), - UINT64_C(0x24ED31FBCB755A6E), UINT64_C(0xA636098EE48781D2), - UINT64_C(0x8687C63CF0A4F297), UINT64_C(0xBB52344007478526) } }, - { { UINT64_C(0x2E5F741934124B56), UINT64_C(0x1F223AE14B3F02CA), - UINT64_C(0x6345B427E8336C7E), UINT64_C(0x92123E16F5D0E3D0), - UINT64_C(0xDAF0D14D45E79F3A), UINT64_C(0x6ACA67656F3BD0C6) }, - { UINT64_C(0xF6169FAB403813F4), UINT64_C(0x31DC39C0334A4C59), - UINT64_C(0x74C46753D589866D), UINT64_C(0x5741511D984C6A5D), - UINT64_C(0xF263128797FED2D3), UINT64_C(0x5687CA1B11614886) } }, - { { UINT64_C(0x076D902A33836D4B), UINT64_C(0xEC6C5C4324AFB557), - UINT64_C(0xA0FE2D1CA0516A0F), UINT64_C(0x6FB8D73700D22ECC), - UINT64_C(0xF1DE9077DAF1D7B3), UINT64_C(0xE4695F77D4C0C1EB) }, - { UINT64_C(0x5F0FD8A8B4375573), UINT64_C(0x762383595E50944F), - UINT64_C(0x65EA2F28635CD76F), UINT64_C(0x0854776925FDE7B0), - UINT64_C(0xB2345A2E51944304), UINT64_C(0x86EFA2F7A16C980D) } }, - { { UINT64_C(0x4CCBE2D0BF4D1D63), UINT64_C(0x32E33401397366D5), - UINT64_C(0xC83AFDDE71BDA2CE), UINT64_C(0x8DACE2AC478ED9E6), - UINT64_C(0x3AC6A559763FDD9E), UINT64_C(0x0FFDB04CB398558F) }, - { UINT64_C(0x6C1B99B2AFB9D6B8), UINT64_C(0x572BA39C27F815DD), - UINT64_C(0x9DE73EE70DBCF842), UINT64_C(0x2A3ED58929267B88), - UINT64_C(0xD46A7FD315EBBBB3), UINT64_C(0xD1D01863E29400C7) } }, - { { UINT64_C(0x8FB101D1E1F89EC5), UINT64_C(0xB87A1F53F8508042), - UINT64_C(0x28C8DB240ED7BEEF), UINT64_C(0x3940F845ACE8660A), - UINT64_C(0x4EACB619C6D453FD), UINT64_C(0x2E044C982BAD6160) }, - { UINT64_C(0x8792854880B16C02), UINT64_C(0xF0D4BEB3C0A9EB64), - UINT64_C(0xD785B4AFC183C195), UINT64_C(0x23AAB0E65E6C46EA), - UINT64_C(0x30F7E104A930FECA), UINT64_C(0x6A1A7B8BD55C10FB) } }, - { { UINT64_C(0xDA74EAEBDBFED1AA), UINT64_C(0xC8A59223DF0B025C), - UINT64_C(0x7EF7DC85D5B627F7), UINT64_C(0x02A13AE1197D7624), - UINT64_C(0x119E9BE12F785A9B), UINT64_C(0xC0B7572F00D6B219) }, - { UINT64_C(0x9B1E51266D4CAF30), UINT64_C(0xA16A51170A840BD1), - UINT64_C(0x5BE17B910E9CCF43), UINT64_C(0x5BDBEDDD69CF2C9C), - UINT64_C(0x9FFBFBCF4CF4F289), UINT64_C(0xE1A621836C355CE9) } }, - { { UINT64_C(0x056199D9A7B2FCCF), UINT64_C(0x51F2E7B6CE1D784E), - UINT64_C(0xA1D09C47339E2FF0), UINT64_C(0xC8E64890B836D0A9), - UINT64_C(0x2F781DCBC0D07EBE), UINT64_C(0x5CF3C2AD3ACF934C) }, - { UINT64_C(0xE55DB190A17E26AE), UINT64_C(0xC9C61E1F91245513), - UINT64_C(0x83D7E6CF61998C15), UINT64_C(0x4DB33C85E41D38E3), - UINT64_C(0x74D5F91DC2FEE43D), UINT64_C(0x7EBBDB4536BBC826) } }, - { { UINT64_C(0xE20EC7E9CB655A9D), UINT64_C(0x4977EB925C47D421), - UINT64_C(0xA237E12C3B9D72FA), UINT64_C(0xCAAEDBC1CBF7B145), - UINT64_C(0x5200F5B23B77AAA3), UINT64_C(0x32EDED55BDBE5380) }, - { UINT64_C(0x74E38A40E7C9B80A), UINT64_C(0x3A3F0CF8AB6DE911), - UINT64_C(0x56DCDD7AAD16AAF0), UINT64_C(0x3D2924498E861D5E), - UINT64_C(0xD6C61878985733E2), UINT64_C(0x2401FE7D6AA6CD5B) } }, - { { UINT64_C(0xABB3DC75B42E3686), UINT64_C(0xAE712419B4C57E61), - UINT64_C(0x2C565F72B21B009B), UINT64_C(0xA5F1DA2E710C3699), - UINT64_C(0x771099A0A5EBA59A), UINT64_C(0x4DA88F4AC10017A0) }, - { UINT64_C(0x987FFFD31927B56D), UINT64_C(0xB98CB8ECC4E33478), - UINT64_C(0xB224A971C2248166), UINT64_C(0x5470F554DE1DC794), - UINT64_C(0xD747CC24E31FF983), UINT64_C(0xB91745E9B5B22DAE) } }, - { { UINT64_C(0x6CCBFED072F34420), UINT64_C(0x95045E4DA53039D2), - UINT64_C(0x3B6C11545A793944), UINT64_C(0xAA114145DDB6B799), - UINT64_C(0xABC15CA4252B7637), UINT64_C(0x5745A35BA5744634) }, - { UINT64_C(0x05DC6BDEDA596FC0), UINT64_C(0xCD52C18CA8020881), - UINT64_C(0x03FA9F47D296BAD0), UINT64_C(0xD8E2C1297268E139), - UINT64_C(0x58C1A98D9EC450B0), UINT64_C(0x909638DADE48B20D) } }, - { { UINT64_C(0x7AFC30D49B7F8311), UINT64_C(0x82A0042242368EA3), - UINT64_C(0xBFF951986F5F9865), UINT64_C(0x9B24F612FC0A070F), - UINT64_C(0x22C06CF2620F489D), UINT64_C(0x3C7ED052780F7DBB) }, - { UINT64_C(0xDB87AB1834DAFE9B), UINT64_C(0x20C03B409C4BBCA1), - UINT64_C(0x5D718CF059A42341), UINT64_C(0x9863170669E84538), - UINT64_C(0x5557192BD27D64E1), UINT64_C(0x08B4EC52DA822766) } }, - { { UINT64_C(0xB2D986F6D66C1A59), UINT64_C(0x927DEB1678E0E423), - UINT64_C(0x9E673CDE49C3DEDC), UINT64_C(0xFA362D84F7ECB6CF), - UINT64_C(0x078E5F401BA17340), UINT64_C(0x934CA5D11F4E489C) }, - { UINT64_C(0xC03C073164EEF493), UINT64_C(0x631A353BD7931A7E), - UINT64_C(0x8E7CC3BB65DD74F1), UINT64_C(0xD55864C5702676A5), - UINT64_C(0x6D306AC4439F04BD), UINT64_C(0x58544F672BAFED57) } }, - }, - { - { { UINT64_C(0xB083BA6AEC074AEA), UINT64_C(0x46FAC5EF7F0B505B), - UINT64_C(0x95367A21FC82DC03), UINT64_C(0x227BE26A9D3679D8), - UINT64_C(0xC70F6D6C7E9724C0), UINT64_C(0xCD68C757F9EBEC0F) }, - { UINT64_C(0x29DDE03E8FF321B2), UINT64_C(0xF84AD7BB031939DC), - UINT64_C(0xDAF590C90F602F4B), UINT64_C(0x17C5288849722BC4), - UINT64_C(0xA8DF99F0089B22B6), UINT64_C(0xC21BC5D4E59B9B90) } }, - { { UINT64_C(0x4936C6A08A31973F), UINT64_C(0x54D442FA83B8C205), - UINT64_C(0x03AEE8B45714F2C6), UINT64_C(0x139BD6923F5AC25A), - UINT64_C(0x6A2E42BAB5B33794), UINT64_C(0x50FA11643FF7BBA9) }, - { UINT64_C(0xB61D8643F7E2C099), UINT64_C(0x2366C993BD5C6637), - UINT64_C(0x62110E1472EB77FA), UINT64_C(0x3D5B96F13B99C635), - UINT64_C(0x956ECF64F674C9F2), UINT64_C(0xC56F7E51EF2BA250) } }, - { { UINT64_C(0x246FFCB6FF602C1B), UINT64_C(0x1E1A1D746E1258E0), - UINT64_C(0xB4B43AE2250E6676), UINT64_C(0x95C1B5F0924CE5FA), - UINT64_C(0x2555795BEBD8C776), UINT64_C(0x4C1E03DCACD9D9D0) }, - { UINT64_C(0xE1D74AA69CE90C61), UINT64_C(0xA88C0769A9C4B9F9), - UINT64_C(0xDF74DF2795AF56DE), UINT64_C(0x24B10C5FB331B6F4), - UINT64_C(0xB0A6DF9A6559E137), UINT64_C(0x6ACC1B8FC06637F2) } }, - { { UINT64_C(0xBD8C086834B4E381), UINT64_C(0x278CACC730DFF271), - UINT64_C(0x87ED12DE02459389), UINT64_C(0x3F7D98FFDEF840B6), - UINT64_C(0x71EEE0CB5F0B56E1), UINT64_C(0x462B5C9BD8D9BE87) }, - { UINT64_C(0xE6B50B5A98094C0F), UINT64_C(0x26F3B274508C67CE), - UINT64_C(0x418B1BD17CB1F992), UINT64_C(0x607818ED4FF11827), - UINT64_C(0xE630D93A9B042C63), UINT64_C(0x38B9EFF38C779AE3) } }, - { { UINT64_C(0xE8767D36729C5431), UINT64_C(0xA8BD07C0BB94642C), - UINT64_C(0x0C11FC8E58F2E5B2), UINT64_C(0xD8912D48547533FE), - UINT64_C(0xAAE14F5E230D91FB), UINT64_C(0xC122051A676DFBA0) }, - { UINT64_C(0x9ED4501F5EA93078), UINT64_C(0x2758515CBD4BEE0A), - UINT64_C(0x97733C6C94D21F52), UINT64_C(0x139BCD6D4AD306A2), - UINT64_C(0x0AAECBDC298123CC), UINT64_C(0x102B8A311CB7C7C9) } }, - { { UINT64_C(0x22A28E59FAF46675), UINT64_C(0x1075730810A31E7D), - UINT64_C(0xC7EEAC842B4C2F4F), UINT64_C(0xBA370148B5EF5184), - UINT64_C(0x4A5A28668732E055), UINT64_C(0x14B8DCDCB887C36F) }, - { UINT64_C(0xDBA8C85C433F093D), UINT64_C(0x73DF549D1C9A201C), - UINT64_C(0x69AA0D7B70F927D8), UINT64_C(0xFA3A8685D7D2493A), - UINT64_C(0x6F48A2550A7F4013), UINT64_C(0xD20C8BF9DD393067) } }, - { { UINT64_C(0x4EC874EA81625E78), UINT64_C(0x8B8D8B5A3FBE9267), - UINT64_C(0xA3D9D1649421EC2F), UINT64_C(0x490E92D9880EA295), - UINT64_C(0x745D1EDCD8F3B6DA), UINT64_C(0x0116628B8F18BA03) }, - { UINT64_C(0x0FF6BCE0834EADCE), UINT64_C(0x464697F2000827F7), - UINT64_C(0x08DCCF84498D724E), UINT64_C(0x7896D3651E88304C), - UINT64_C(0xE63EBCCE135E3622), UINT64_C(0xFB942E8EDC007521) } }, - { { UINT64_C(0xBB155A66A3688621), UINT64_C(0xED2FD7CDF91B52A3), - UINT64_C(0x52798F5DEA20CB88), UINT64_C(0x069CE105373F7DD8), - UINT64_C(0xF9392EC78CA78F6B), UINT64_C(0xB3013E256B335169) }, - { UINT64_C(0x1D92F8006B11715C), UINT64_C(0xADD4050EFF9DC464), - UINT64_C(0x2AC226598465B84A), UINT64_C(0x2729D646465B2BD6), - UINT64_C(0x6202344AE4EFF9DD), UINT64_C(0x51F3198FCD9B90B9) } }, - { { UINT64_C(0x17CE54EFE5F0AE1D), UINT64_C(0x984E8204B09852AF), - UINT64_C(0x3365B37AC4B27A71), UINT64_C(0x720E3152A00E0A9C), - UINT64_C(0x3692F70D925BD606), UINT64_C(0xBE6E699D7BC7E9AB) }, - { UINT64_C(0xD75C041F4C89A3C0), UINT64_C(0x8B9F592D8DC100C0), - UINT64_C(0x30750F3AAD228F71), UINT64_C(0x1B9ECF84E8B17A11), - UINT64_C(0xDF2025620FBFA8A2), UINT64_C(0x45C811FCAA1B6D67) } }, - { { UINT64_C(0xEC5B84B71A5151F8), UINT64_C(0x118E59E8550AB2D2), - UINT64_C(0x2CCDEDA4049BD735), UINT64_C(0xC99CBA719CD62F0F), - UINT64_C(0x69B8040A62C9E4F8), UINT64_C(0x16F1A31A110B8283) }, - { UINT64_C(0x53F6380298E908A3), UINT64_C(0x308CB6EFD862F9DE), - UINT64_C(0xE185DAD8A521A95A), UINT64_C(0x4D8FE9A4097F75CA), - UINT64_C(0xD1ECCEC71CA07D53), UINT64_C(0x13DFA1DC0DB07E83) } }, - { { UINT64_C(0xDDAF9DC60F591A76), UINT64_C(0xE1A6D7CC1685F412), - UINT64_C(0x153DE557002B6E8D), UINT64_C(0x730C38BCC6DA37D9), - UINT64_C(0xAE1806220914B597), UINT64_C(0x84F98103DD8C3A0A) }, - { UINT64_C(0x369C53988DA205B0), UINT64_C(0xA3D95B813888A720), - UINT64_C(0x1F3F8BBFE10E2806), UINT64_C(0x48663DF54530D1F3), - UINT64_C(0x320523B43E377713), UINT64_C(0xE8B1A575C7894814) } }, - { { UINT64_C(0x330668712EE8EA07), UINT64_C(0xC6FB4EC560DA199D), - UINT64_C(0x33231860F4370A05), UINT64_C(0x7ABECE72C6DE4E26), - UINT64_C(0xDE8D4BD8EBDECE7A), UINT64_C(0xC90EE6571CBE93C7) }, - { UINT64_C(0x0246751B85AC2509), UINT64_C(0xD0EF142C30380245), - UINT64_C(0x086DF9C47C76E39C), UINT64_C(0x68F1304FB789FB56), - UINT64_C(0x23E4CB98A5E4BD56), UINT64_C(0x69A4C63C64663DCA) } }, - { { UINT64_C(0x6C72B6AF7CB34E63), UINT64_C(0x073C40CD6DFC23FE), - UINT64_C(0xBDEEE7A1C936693A), UINT64_C(0xBC858E806EFAD378), - UINT64_C(0xEAD719FFF5BE55D4), UINT64_C(0xC8C3238F04552F5F) }, - { UINT64_C(0x0952C068928D5784), UINT64_C(0x89DFDF2294C58F2B), - UINT64_C(0x332DEDF367502C50), UINT64_C(0x3ED2FA3AAC0BE258), - UINT64_C(0xAEDC9B8A7C5C8244), UINT64_C(0x43A761B9DC0EA34F) } }, - { { UINT64_C(0x8FD683A2CC5E21A5), UINT64_C(0x5F444C6EFBA2BB68), - UINT64_C(0x709ACD0EAF05586D), UINT64_C(0x8EFA54D2DE8FB348), - UINT64_C(0x35276B7134CFE29E), UINT64_C(0x77A06FCD941EAC8C) }, - { UINT64_C(0x5815792D928322DD), UINT64_C(0x82FF356B67F7CB59), - UINT64_C(0x71E40A78304980F4), UINT64_C(0xC8645C273667D021), - UINT64_C(0xE785741CAEBAE28F), UINT64_C(0xB2C1BC7553ECAC37) } }, - { { UINT64_C(0x633EB24F1D0A74DB), UINT64_C(0xF1F55E56FA752512), - UINT64_C(0x75FECA688EFE11DE), UINT64_C(0xC80FD91CE6BF19EC), - UINT64_C(0xAD0BAFEC2A14C908), UINT64_C(0x4E1C4ACAADE4031F) }, - { UINT64_C(0x463A815B1EB1549A), UINT64_C(0x5AD4253C668F1298), - UINT64_C(0x5CB3866238A37151), UINT64_C(0x34BB1CCFAFF16B96), - UINT64_C(0xDCA93B13EE731AB0), UINT64_C(0x9F3CE5CC9BE01A0B) } }, - { { UINT64_C(0x75DB5723A110D331), UINT64_C(0x67C66F6A7123D89F), - UINT64_C(0x27ABBD4B4009D570), UINT64_C(0xACDA6F84C73451BC), - UINT64_C(0xE4B9A23905575ACF), UINT64_C(0x3C2DB7EFAB2D3D6C) }, - { UINT64_C(0x01CCDD0829115145), UINT64_C(0x9E0602FE57B5814A), - UINT64_C(0x679B35C287862838), UINT64_C(0x0277DC4C38AD598D), - UINT64_C(0xEF80A2136D896DD4), UINT64_C(0xC8812213E7B9047B) } }, - }, - { - { { UINT64_C(0xAC6DBDF6EDC9CE62), UINT64_C(0xA58F5B440F9C006E), - UINT64_C(0x16694DE3DC28E1B0), UINT64_C(0x2D039CF2A6647711), - UINT64_C(0xA13BBE6FC5B08B4B), UINT64_C(0xE44DA93010EBD8CE) }, - { UINT64_C(0xCD47208719649A16), UINT64_C(0xE18F4E44683E5DF1), - UINT64_C(0xB3F66303929BFA28), UINT64_C(0x7C378E43818249BF), - UINT64_C(0x76068C80847F7CD9), UINT64_C(0xEE3DB6D1987EBA16) } }, - { { UINT64_C(0xCBBD8576C42A2F52), UINT64_C(0x9ACC6F709D2B06BB), - UINT64_C(0xE5CB56202E6B72A4), UINT64_C(0x5738EA0E7C024443), - UINT64_C(0x8ED06170B55368F3), UINT64_C(0xE54C99BB1AEED44F) }, - { UINT64_C(0x3D90A6B2E2E0D8B2), UINT64_C(0x21718977CF7B2856), - UINT64_C(0x089093DCC5612AEC), UINT64_C(0xC272EF6F99C1BACC), - UINT64_C(0x47DB3B43DC43EAAD), UINT64_C(0x730F30E40832D891) } }, - { { UINT64_C(0x9FFE55630C7FECDB), UINT64_C(0x55CC67B6F88101E5), - UINT64_C(0x3039F981CBEFA3C7), UINT64_C(0x2AB06883667BFD64), - UINT64_C(0x9007A2574340E3DF), UINT64_C(0x1AC3F3FA5A3A49CA) }, - { UINT64_C(0x9C7BE629C97E20FD), UINT64_C(0xF61823D3A3DAE003), - UINT64_C(0xFFE7FF39E7380DBA), UINT64_C(0x620BB9B59FACC3B8), - UINT64_C(0x2DDCB8CD31AE422C), UINT64_C(0x1DE3BCFAD12C3C43) } }, - { { UINT64_C(0x8C074946D6E0F9A9), UINT64_C(0x662FA99551C3B05B), - UINT64_C(0x6CDAE96904BB2048), UINT64_C(0x6DEC9594D6DC8B60), - UINT64_C(0x8D26586954438BBC), UINT64_C(0x88E983E31B0E95A5) }, - { UINT64_C(0x8189F11460CBF838), UINT64_C(0x77190697771DC46B), - UINT64_C(0x775775A227F8EC1A), UINT64_C(0x7A125240607E3739), - UINT64_C(0xAFAE84E74F793E4E), UINT64_C(0x44FA17F35BF5BAF4) } }, - { { UINT64_C(0xA21E69A5D03AC439), UINT64_C(0x2069C5FC88AA8094), - UINT64_C(0xB041EEA78C08F206), UINT64_C(0x55B9D4613D65B8ED), - UINT64_C(0x951EA25CD392C7C4), UINT64_C(0x4B9A1CEC9D166232) }, - { UINT64_C(0xC184FCD8FCF931A4), UINT64_C(0xBA59AD44063AD374), - UINT64_C(0x1868AD2A1AA9796F), UINT64_C(0x38A34018DFF29832), - UINT64_C(0x01FC880103DF8070), UINT64_C(0x1282CCE048DD334A) } }, - { { UINT64_C(0x76AA955726D8503C), UINT64_C(0xBE962B636BC3E3D0), - UINT64_C(0xF5CA93E597DE8841), UINT64_C(0x1561B05EAF3F2C16), - UINT64_C(0x34BE00AAD34BFF98), UINT64_C(0xEA21E6E9D23D2925) }, - { UINT64_C(0x55713230394C3AFB), UINT64_C(0xEAF0529BD6C8BECA), - UINT64_C(0xFF38A743202B9A11), UINT64_C(0xA13E39FC6D3A398B), - UINT64_C(0x8CBD644B86E2615A), UINT64_C(0x92063988191057EC) } }, - { { UINT64_C(0x787835CE13F89146), UINT64_C(0x7FCD42CC69446C3F), - UINT64_C(0x0DA2AA98840E679D), UINT64_C(0x44F2052318779A1B), - UINT64_C(0xE3A3B34FEFBF5935), UINT64_C(0xA5D2CFD0B9947B70) }, - { UINT64_C(0xAE2AF4EF27F4E16F), UINT64_C(0xA7FA70D2B9D21322), - UINT64_C(0x68084919B3FD566B), UINT64_C(0xF04D71C8D7AAD6AB), - UINT64_C(0xDBEA21E410BC4260), UINT64_C(0xAA7DC6658D949B42) } }, - { { UINT64_C(0xD8E958A06CCB8213), UINT64_C(0x118D9DB991900B54), - UINT64_C(0x09BB9D4985E8CED6), UINT64_C(0x410E9FB524019281), - UINT64_C(0x3B31B4E16D74C86E), UINT64_C(0x52BC0252020BB77D) }, - { UINT64_C(0x5616A26F27092CE4), UINT64_C(0x67774DBCA08F65CD), - UINT64_C(0x560AD494C08BD569), UINT64_C(0xBE26DA36AD498783), - UINT64_C(0x0276C8AB7F019C91), UINT64_C(0x09843ADA5248266E) } }, - { { UINT64_C(0xA0AE88A77D963CF2), UINT64_C(0x91EF8986D0E84920), - UINT64_C(0xC7EFE344F8C58104), UINT64_C(0x0A25D9FDECA20773), - UINT64_C(0x9D989FAA00D8F1D5), UINT64_C(0x4204C8CEC8B06264) }, - { UINT64_C(0x717C12E0BE1A2796), UINT64_C(0x1FA4BA8CC190C728), - UINT64_C(0xA245CA8D8C8A59BA), UINT64_C(0xE3C374757672B935), - UINT64_C(0x083D5E402E4D6375), UINT64_C(0x0B8D5AB35455E16E) } }, - { { UINT64_C(0x1DB17DBFEED765D4), UINT64_C(0xBBC9B1BEA5DDB965), - UINT64_C(0x1948F76DDFC12ABC), UINT64_C(0x2C2714E5134EF489), - UINT64_C(0x60CE2EE8741C600F), UINT64_C(0x32396F22F80E6E63) }, - { UINT64_C(0x421DAC7522537F59), UINT64_C(0x58FB73C649475DF5), - UINT64_C(0x0ABF28856F18F1C7), UINT64_C(0x364744689A398D16), - UINT64_C(0x87A661A7BF673B87), UINT64_C(0x3E80698F73819E17) } }, - { { UINT64_C(0xDFE4979353784CC4), UINT64_C(0x4280EAB0486D508F), - UINT64_C(0x119593FFE534F5A4), UINT64_C(0x98AEFADD9F63242F), - UINT64_C(0x9AE6A24AC4829CAE), UINT64_C(0xF2373CA558E8BA80) }, - { UINT64_C(0x4017AF7E51765FB3), UINT64_C(0xD1E40F7CAF4AEC4B), - UINT64_C(0x87372C7A0898E3BC), UINT64_C(0x688982B285452CA9), - UINT64_C(0x71E0B4BFB1E50BCA), UINT64_C(0x21FD2DBFF70E714A) } }, - { { UINT64_C(0xEE6E8820FB78DDAC), UINT64_C(0x0BAED29C063892CD), - UINT64_C(0x5F33049C28C0588D), UINT64_C(0x90C2515E18DBC432), - UINT64_C(0xB8A1B1433B4CB0BD), UINT64_C(0x0AB5C0C968103043) }, - { UINT64_C(0xF3788FA04005EC40), UINT64_C(0x82571C99039EE115), - UINT64_C(0xEE8FCED593260BED), UINT64_C(0x5A9BAF7910836D18), - UINT64_C(0x7C258B09C46AA4F6), UINT64_C(0x46ECC5E837F53D31) } }, - { { UINT64_C(0xFA32C0DCBFE0DD98), UINT64_C(0x66EFAFC4962B1066), - UINT64_C(0xBA81D33E64BDF5EB), UINT64_C(0x36C28536FC7FC512), - UINT64_C(0x0C95176BE0B4FA97), UINT64_C(0x47DDE29B3B9BC64A) }, - { UINT64_C(0x08D986FD5C173B36), UINT64_C(0x46D84B526CF3F28C), - UINT64_C(0x6F6ED6C3F026BDB9), UINT64_C(0xAC90668B68206DC5), - UINT64_C(0xE8ED5D98ECBE4E70), UINT64_C(0xCFFF61DDDC1A6974) } }, - { { UINT64_C(0xFF5C3A2977B1A5C1), UINT64_C(0x10C27E4A0DDF995D), - UINT64_C(0xCB745F77E23363E3), UINT64_C(0xD765DF6F32F399A3), - UINT64_C(0xF0CA0C2F8A99E109), UINT64_C(0xC3A6BFB71E025CA0) }, - { UINT64_C(0x830B2C0A4F9D9FA5), UINT64_C(0xAE914CACBD1A84E5), - UINT64_C(0x30B35ED8A4FEBCC1), UINT64_C(0xCB902B4684CFBF2E), - UINT64_C(0x0BD4762825FC6375), UINT64_C(0xA858A53C85509D04) } }, - { { UINT64_C(0x8B995D0C552E0A3F), UINT64_C(0xEDBD4E9417BE9FF7), - UINT64_C(0x3432E83995085178), UINT64_C(0x0FE5C18180C256F5), - UINT64_C(0x05A64EA8EBF9597C), UINT64_C(0x6ED44BB13F80371F) }, - { UINT64_C(0x6A29A05EFE4C12EE), UINT64_C(0x3E436A43E0BB83B3), - UINT64_C(0x38365D9A74D72921), UINT64_C(0x3F5EE823C38E1ED7), - UINT64_C(0x09A53213E8FA063F), UINT64_C(0x1E7FE47AB435E713) } }, - { { UINT64_C(0xE4D9BC94FDDD17F3), UINT64_C(0xC74B8FEDC1016C20), - UINT64_C(0x095DE39BB49C060E), UINT64_C(0xDBCC67958AC0DF00), - UINT64_C(0x4CF6BAEB1C34F4DF), UINT64_C(0x72C55C21E8390170) }, - { UINT64_C(0x4F17BFD2F6C48E79), UINT64_C(0x18BF4DA0017A80BA), - UINT64_C(0xCF51D829BCF4B138), UINT64_C(0x598AEE5FF48F8B0D), - UINT64_C(0x83FAEE5620F10809), UINT64_C(0x4615D4DC779F0850) } }, - }, - { - { { UINT64_C(0x22313DEE5852B59B), UINT64_C(0x6F56C8E8B6A0B37F), - UINT64_C(0x43D6EEAEA76EC380), UINT64_C(0xA16551360275AD36), - UINT64_C(0xE5C1B65ADF095BDA), UINT64_C(0xBD1FFA8D367C44B0) }, - { UINT64_C(0xE2B419C26B48AF2B), UINT64_C(0x57BBBD973DA194C8), - UINT64_C(0xB5FBE51FA2BAFF05), UINT64_C(0xA0594D706269B5D0), - UINT64_C(0x0B07B70523E8D667), UINT64_C(0xAE1976B563E016E7) } }, - { { UINT64_C(0x2FDE4893FBECAAAE), UINT64_C(0x444346DE30332229), - UINT64_C(0x157B8A5B09456ED5), UINT64_C(0x73606A7925797C6C), - UINT64_C(0xA9D0F47C33C14C06), UINT64_C(0x7BC8962CFAF971CA) }, - { UINT64_C(0x6E763C5165909DFD), UINT64_C(0x1BBBE41B14A9BF42), - UINT64_C(0xD95B7ECBC49E9EFC), UINT64_C(0x0C317927B38F2B59), - UINT64_C(0x97912B53B3C397DB), UINT64_C(0xCB3879AA45C7ABC7) } }, - { { UINT64_C(0xCD81BDCF24359B81), UINT64_C(0x6FD326E2DB4C321C), - UINT64_C(0x4CB0228BF8EBE39C), UINT64_C(0x496A9DCEB2CDD852), - UINT64_C(0x0F115A1AD0E9B3AF), UINT64_C(0xAA08BF36D8EEEF8A) }, - { UINT64_C(0x5232A51506E5E739), UINT64_C(0x21FAE9D58407A551), - UINT64_C(0x289D18B08994B4E8), UINT64_C(0xB4E346A809097A52), - UINT64_C(0xC641510F324621D0), UINT64_C(0xC567FD4A95A41AB8) } }, - { { UINT64_C(0x261578C7D57C8DE9), UINT64_C(0xB9BC491F3836C5C8), - UINT64_C(0x993266B414C8038F), UINT64_C(0xBACAD755FAA7CC39), - UINT64_C(0x418C4DEFD69B7E27), UINT64_C(0x53FDC5CDAE751533) }, - { UINT64_C(0x6F3BD329C3EEA63A), UINT64_C(0xA7A22091E53DD29E), - UINT64_C(0xB7164F73DC4C54EC), UINT64_C(0xCA66290D44D3D74E), - UINT64_C(0xF77C62424C9EA511), UINT64_C(0x34337F551F714C49) } }, - { { UINT64_C(0x5ED2B216A64B6C4B), UINT64_C(0x1C38794F3AAE640D), - UINT64_C(0x30BBAEE08905794F), UINT64_C(0x0D9EE41EC8699CFB), - UINT64_C(0xAF38DAF2CF7B7C29), UINT64_C(0x0D6A05CA43E53513) }, - { UINT64_C(0xBE96C6442606AB56), UINT64_C(0x13E7A072E9EB9734), - UINT64_C(0xF96694455FF50CD7), UINT64_C(0x68EF26B547DA6F1D), - UINT64_C(0xF002873823687CB7), UINT64_C(0x5ED9C8766217C1CE) } }, - { { UINT64_C(0x423BA5130A3A9691), UINT64_C(0xF421B1E7B3179296), - UINT64_C(0x6B51BCDB1A871E1B), UINT64_C(0x6E3BB5B5464E4300), - UINT64_C(0x24171E2EFC6C54CC), UINT64_C(0xA9DFA947D3E58DC2) }, - { UINT64_C(0x175B33099DE9CFA7), UINT64_C(0x707B25292D1015DA), - UINT64_C(0xCBB95F17993EA65A), UINT64_C(0x935150630447450D), - UINT64_C(0x0F47B2051B2753C9), UINT64_C(0x4A0BAB14E7D427CF) } }, - { { UINT64_C(0xA39DEF39B5AA7CA1), UINT64_C(0x591CB173C47C33DF), - UINT64_C(0xA09DAC796BBAB872), UINT64_C(0x3EF9D7CF7208BA2F), - UINT64_C(0x3CC189317A0A34FC), UINT64_C(0xAE31C62BBCC3380F) }, - { UINT64_C(0xD72A67940287C0B4), UINT64_C(0x3373382C68E334F1), - UINT64_C(0xD0310CA8BD20C6A6), UINT64_C(0xA2734B8742C033FD), - UINT64_C(0xA5D390F18DCE4509), UINT64_C(0xFC84E74B3E1AFCB5) } }, - { { UINT64_C(0xB028334DF2CD8A9C), UINT64_C(0xB8719291570F76F6), - UINT64_C(0x662A386E01065A2D), UINT64_C(0xDF1634CB53D940AE), - UINT64_C(0x625A7B838F5B41F9), UINT64_C(0xA033E4FEEE6AA1B4) }, - { UINT64_C(0x51E9D4631E42BABB), UINT64_C(0x660BC2E40D388468), - UINT64_C(0x3F702189FCBB114A), UINT64_C(0x6B46FE35B414CA78), - UINT64_C(0x328F6CF24A57316B), UINT64_C(0x917423B5381AD156) } }, - { { UINT64_C(0xAC19306E5373A607), UINT64_C(0x471DF8E3191D0969), - UINT64_C(0x380ADE35B9720D83), UINT64_C(0x7423FDF548F1FD5C), - UINT64_C(0x8B090C9F49CABC95), UINT64_C(0xB768E8CDC9842F2F) }, - { UINT64_C(0x399F456DE56162D6), UINT64_C(0xBB6BA2404F326791), - UINT64_C(0x8F4FBA3B342590BE), UINT64_C(0x053986B93DFB6B3E), - UINT64_C(0xBB6739F1190C7425), UINT64_C(0x32D4A55332F7E95F) } }, - { { UINT64_C(0x0205A0EC0DDBFB21), UINT64_C(0x3010327D33AC3407), - UINT64_C(0xCF2F4DB33348999B), UINT64_C(0x660DB9F41551604A), - UINT64_C(0xC346C69A5D38D335), UINT64_C(0x64AAB3D338882479) }, - { UINT64_C(0xA096B5E76AE44403), UINT64_C(0x6B4C9571645F76CD), - UINT64_C(0x72E1CD5F4711120F), UINT64_C(0x93EC42ACF27CC3E1), - UINT64_C(0x2D18D004A72ABB12), UINT64_C(0x232E9568C9841A04) } }, - { { UINT64_C(0xFF01DB223CC7F908), UINT64_C(0x9F214F8FD13CDD3B), - UINT64_C(0x38DADBB7E0B014B5), UINT64_C(0x2C548CCC94245C95), - UINT64_C(0x714BE331809AFCE3), UINT64_C(0xBCC644109BFE957E) }, - { UINT64_C(0xC21C2D215B957F80), UINT64_C(0xBA2D4FDCBB8A4C42), - UINT64_C(0xFA6CD4AF74817CEC), UINT64_C(0x9E7FB523C528EAD6), - UINT64_C(0xAED781FF7714B10E), UINT64_C(0xB52BB59294F04455) } }, - { { UINT64_C(0xA578BD69868CC68B), UINT64_C(0xA40FDC8D603F2C08), - UINT64_C(0x53D79BD12D81B042), UINT64_C(0x1B136AF3A7587EAB), - UINT64_C(0x1ED4F939868A16DB), UINT64_C(0x775A61FBD0B98273) }, - { UINT64_C(0xBA5C12A6E56BEF8C), UINT64_C(0xF926CE52DDDC8595), - UINT64_C(0xA13F5C8F586FE1F8), UINT64_C(0xEAC9F7F2060DBB54), - UINT64_C(0x70C0AC3A51AF4342), UINT64_C(0xC16E303C79CDA450) } }, - { { UINT64_C(0xD0DADD6C8113F4EA), UINT64_C(0xF14E392207BDF09F), - UINT64_C(0x3FE5E9C2AA7D877C), UINT64_C(0x9EA95C1948779264), - UINT64_C(0xE93F65A74FCB8344), UINT64_C(0x9F40837E76D925A4) }, - { UINT64_C(0x0EA6DA3F8271FFC7), UINT64_C(0x557FA529CC8F9B19), - UINT64_C(0x2613DBF178E6DDFD), UINT64_C(0x7A7523B836B1E954), - UINT64_C(0x20EB3168406A87FB), UINT64_C(0x64C21C1403ABA56A) } }, - { { UINT64_C(0xE86C9C2DC032DD5F), UINT64_C(0x158CEB8E86F16A21), - UINT64_C(0x0279FF5368326AF1), UINT64_C(0x1FFE2E2B59F12BA5), - UINT64_C(0xD75A46DB86826D45), UINT64_C(0xE19B48411E33E6AC) }, - { UINT64_C(0x5F0CC5240E52991C), UINT64_C(0x645871F98B116286), - UINT64_C(0xAB3B4B1EFCAEC5D3), UINT64_C(0x994C8DF051D0F698), - UINT64_C(0x06F890AFE5D13040), UINT64_C(0x72D9DC235F96C7C2) } }, - { { UINT64_C(0x7C018DEEE7886A80), UINT64_C(0xFA2093308786E4A3), - UINT64_C(0xCEC8E2A3A4415CA1), UINT64_C(0x5C736FC1CC83CC60), - UINT64_C(0xFEF9788CF00C259F), UINT64_C(0xED5C01CBDD29A6AD) }, - { UINT64_C(0x87834A033E20825B), UINT64_C(0x13B1239D123F9358), - UINT64_C(0x7E8869D0FBC286C1), UINT64_C(0xC4AB5AA324CE8609), - UINT64_C(0x38716BEEB6349208), UINT64_C(0x0BDF4F99B322AE21) } }, - { { UINT64_C(0x6B97A2BF53E3494B), UINT64_C(0xA8AA05C570F7A13E), - UINT64_C(0x209709C2F1305B51), UINT64_C(0x57B31888DAB76F2C), - UINT64_C(0x75B2ECD7AA2A406A), UINT64_C(0x88801A00A35374A4) }, - { UINT64_C(0xE1458D1C45C0471B), UINT64_C(0x5760E306322C1AB0), - UINT64_C(0x789A0AF1AD6AB0A6), UINT64_C(0x74398DE1F458B9CE), - UINT64_C(0x1652FF9F32E0C65F), UINT64_C(0xFAF1F9D5FFFB3A52) } }, - }, - { - { { UINT64_C(0xA05C751CD1D1B007), UINT64_C(0x016C213B0213E478), - UINT64_C(0x9C56E26CF4C98FEE), UINT64_C(0x6084F8B9E7B3A7C7), - UINT64_C(0xA0B042F6DECC1646), UINT64_C(0x4A6F3C1AFBF3A0BC) }, - { UINT64_C(0x94524C2C51C9F909), UINT64_C(0xF3B3AD403A6D3748), - UINT64_C(0x18792D6E7CE1F9F5), UINT64_C(0x8EBC2FD7FC0C34FA), - UINT64_C(0x032A9F41780A1693), UINT64_C(0x34F9801E56A60019) } }, - { { UINT64_C(0xB398290CF0DB3751), UINT64_C(0x01170580BA42C976), - UINT64_C(0x3E71AA2956560B89), UINT64_C(0x80817AAC50E6647B), - UINT64_C(0x35C833ADA0BE42DA), UINT64_C(0xFA3C6148F1BABA4E) }, - { UINT64_C(0xC57BE645CD8F6253), UINT64_C(0x77CEE46BC657AD0D), - UINT64_C(0x830077310DEFD908), UINT64_C(0x92FE9BCE899CBA56), - UINT64_C(0x48450EC4BCEFFB5A), UINT64_C(0xE615148DF2F5F4BF) } }, - { { UINT64_C(0xF55EDABB90B86166), UINT64_C(0x27F7D784075430A2), - UINT64_C(0xF53E822B9BF17161), UINT64_C(0x4A5B3B93AFE808DC), - UINT64_C(0x590BBBDED7272F55), UINT64_C(0x233D63FAEAEA79A1) }, - { UINT64_C(0xD7042BEAFE1EBA07), UINT64_C(0xD2B9AEA010750D7E), - UINT64_C(0xD8D1E69031078AA5), UINT64_C(0x9E837F187E37BC8B), - UINT64_C(0x9558FF4F85008975), UINT64_C(0x93EDB837421FE867) } }, - { { UINT64_C(0xAA6489DF83D55B5A), UINT64_C(0xEA092E4986BF27F7), - UINT64_C(0x4D8943A95FA2EFEC), UINT64_C(0xC9BAAE53720E1A8C), - UINT64_C(0xC055444B95A4F8A3), UINT64_C(0x93BD01E8A7C1206B) }, - { UINT64_C(0xD97765B6714A27DF), UINT64_C(0xD622D954193F1B16), - UINT64_C(0x115CC35AF1503B15), UINT64_C(0x1DD5359FA9FA21F8), - UINT64_C(0x197C32996DFED1F1), UINT64_C(0xDEE8B7C9F77F2679) } }, - { { UINT64_C(0x5405179F394FD855), UINT64_C(0xC9D6E24449FDFB33), - UINT64_C(0x70EBCAB4BD903393), UINT64_C(0x0D3A3899A2C56780), - UINT64_C(0x012C7256683D1A0A), UINT64_C(0xC688FC8880A48F3B) }, - { UINT64_C(0x180957546F7DF527), UINT64_C(0x9E339B4B71315D16), - UINT64_C(0x90560C28A956BB12), UINT64_C(0x2BECEA60D42EEE8D), - UINT64_C(0x82AEB9A750632653), UINT64_C(0xED34353EDFA5CD6A) } }, - { { UINT64_C(0x82154D2C91AECCE4), UINT64_C(0x312C60705041887F), - UINT64_C(0xECF589F3FB9FBD71), UINT64_C(0x67660A7DB524BDE4), - UINT64_C(0xE99B029D724ACF23), UINT64_C(0xDF06E4AF6D1CD891) }, - { UINT64_C(0x07806CB580EE304D), UINT64_C(0x0C70BB9F7443A8F8), - UINT64_C(0x01EC341408B0830A), UINT64_C(0xFD7B63C35A81510B), - UINT64_C(0xE90A0A39453B5F93), UINT64_C(0xAB700F8F9BC71725) } }, - { { UINT64_C(0x9401AEC2B9F00793), UINT64_C(0x064EC4F4B997F0BF), - UINT64_C(0xDC0CC1FD849240C8), UINT64_C(0x39A75F37B6E92D72), - UINT64_C(0xAA43CA5D0224A4AB), UINT64_C(0x9C4D632554614C47) }, - { UINT64_C(0x1767366FC6709DA3), UINT64_C(0xA6B482D123479232), - UINT64_C(0x54DC6DDC84D63E85), UINT64_C(0x0ACCB5ADC99D3B9E), - UINT64_C(0x211716BBE8AA3ABF), UINT64_C(0xD0FE25AD69EC6406) } }, - { { UINT64_C(0x0D5C1769DF85C705), UINT64_C(0x7086C93DA409DCD1), - UINT64_C(0x9710839D0E8D75D8), UINT64_C(0x17B7DB75EBDD4177), - UINT64_C(0xAF69EB58F649A809), UINT64_C(0x6EF19EA28A84E220) }, - { UINT64_C(0x36EB5C6665C278B2), UINT64_C(0xD2A1512881EA9D65), - UINT64_C(0x4FCBA840769300AD), UINT64_C(0xC2052CCDC8E536E5), - UINT64_C(0x9CAEE014AC263B8F), UINT64_C(0x56F7ED7AF9239663) } }, - { { UINT64_C(0xF6FA251FAC9E09E1), UINT64_C(0xA3775605955A2853), - UINT64_C(0x977B8D21F2A4BD78), UINT64_C(0xF68AA7FF3E096410), - UINT64_C(0x01AB055265F88419), UINT64_C(0xC4C8D77EBB93F64E) }, - { UINT64_C(0x718251113451FE64), UINT64_C(0xFA0F905B46F9BAF0), - UINT64_C(0x79BE3BF3CA49EF1A), UINT64_C(0x831109B26CB02071), - UINT64_C(0x765F935FC4DDBFE5), UINT64_C(0x6F99CD1480E5A3BA) } }, - { { UINT64_C(0xD2E8DA04234F91FF), UINT64_C(0x4DED4D6D813867AA), - UINT64_C(0x3B50175DE0A0D945), UINT64_C(0x55AC74064EB78137), - UINT64_C(0xE9FA7F6EE1D47730), UINT64_C(0x2C1715315CBF2176) }, - { UINT64_C(0xA521788F2BE7A47D), UINT64_C(0x95B15A273FCF1AB3), - UINT64_C(0xAADA6401F28A946A), UINT64_C(0x628B2EF48B4E898B), - UINT64_C(0x0E6F46296D6592CC), UINT64_C(0x997C7094A723CADD) } }, - { { UINT64_C(0x878BCE116AFE80C6), UINT64_C(0xA89ABC9D007BBA38), - UINT64_C(0xB0C1F87BA7CC267F), UINT64_C(0x86D33B9D5104FF04), - UINT64_C(0xB0504B1B2EF1BA42), UINT64_C(0x21693048B2827E88) }, - { UINT64_C(0x11F1CCD579CFCD14), UINT64_C(0x59C09FFA94AD227E), - UINT64_C(0x95A4ADCB3EA91ACF), UINT64_C(0x1346238BB4370BAA), - UINT64_C(0xB099D2023E1367B0), UINT64_C(0xCF5BBDE690F23CEA) } }, - { { UINT64_C(0x453299BBBCB3BE5E), UINT64_C(0x123C588E38E9FF97), - UINT64_C(0x8C115DD9F6A2E521), UINT64_C(0x6E333C11FF7D4B98), - UINT64_C(0x9DD061E5DA73E736), UINT64_C(0xC6AB7B3A5CA53056) }, - { UINT64_C(0xF1EF3EE35B30A76B), UINT64_C(0xADD6B44A961BA11F), - UINT64_C(0x7BB00B752CA6E030), UINT64_C(0x270272E82FE270AD), - UINT64_C(0x23BC6F4F241A9239), UINT64_C(0x88581E130BB94A94) } }, - { { UINT64_C(0xBD225A6924EEF67F), UINT64_C(0x7CFD96140412CEB7), - UINT64_C(0xF6DE167999AC298E), UINT64_C(0xB20FD895ED6C3571), - UINT64_C(0x03C73B7861836C56), UINT64_C(0xEE3C3A16ABA6CB34) }, - { UINT64_C(0x9E8C56674138408A), UINT64_C(0xEC25FCB12DD6EBDF), - UINT64_C(0xC54C33FDDBBDF6E3), UINT64_C(0x93E0913B4A3C9DD4), - UINT64_C(0x66D7D13535EDEED4), UINT64_C(0xD29A36C4453FB66E) } }, - { { UINT64_C(0x7F192F039F1943AF), UINT64_C(0x6488163F4E0B5FB0), - UINT64_C(0x66A45C6953599226), UINT64_C(0x924E2E439AD15A73), - UINT64_C(0x8B553DB742A99D76), UINT64_C(0x4BC6B53B0451F521) }, - { UINT64_C(0xC029B5EF101F8AD6), UINT64_C(0x6A4DA71CC507EED9), - UINT64_C(0x3ADFAEC030BB22F3), UINT64_C(0x81BCAF7AB514F85B), - UINT64_C(0x2E1E6EFF5A7E60D3), UINT64_C(0x5270ABC0AE39D42F) } }, - { { UINT64_C(0x86D56DEB3901F0F8), UINT64_C(0x1D0BC792EED5F650), - UINT64_C(0x1A2DDFD8CA1114A3), UINT64_C(0x94ABF4B1F1DD316D), - UINT64_C(0xF72179E43D9F18EF), UINT64_C(0x52A0921E9AA2CABF) }, - { UINT64_C(0xECDA9E27A7452883), UINT64_C(0x7E90850AAFD771B4), - UINT64_C(0xD40F87EA9CC0465C), UINT64_C(0x8CFCB60A865CDA36), - UINT64_C(0x3DBEC2CC7C650942), UINT64_C(0x071A4EE7E718CA9D) } }, - { { UINT64_C(0x73C0E4FF276AC5F3), UINT64_C(0xE7BA5A6ABDB97EA1), - UINT64_C(0x638CA54EC5808398), UINT64_C(0x8258DC82413855E5), - UINT64_C(0x35DDD2E957F07614), UINT64_C(0xF98DD6921DC13BF9) }, - { UINT64_C(0x3A4C0088F16DCD84), UINT64_C(0xF192EADD833D83F9), - UINT64_C(0x3C26C931A6D61D29), UINT64_C(0x589FDD52DE0AD7A1), - UINT64_C(0x7CD83DD20442D37F), UINT64_C(0x1E47E777403ECBFC) } }, - }, - { - { { UINT64_C(0x2AF8ED8170D4D7BC), UINT64_C(0xABC3E15FB632435C), - UINT64_C(0x4C0E726F78219356), UINT64_C(0x8C1962A1B87254C4), - UINT64_C(0x30796A71C9E7691A), UINT64_C(0xD453EF19A75A12EE) }, - { UINT64_C(0x535F42C213AE4964), UINT64_C(0x86831C3C0DA9586A), - UINT64_C(0xB7F1EF35E39A7A58), UINT64_C(0xA2789AE2D459B91A), - UINT64_C(0xEADBCA7F02FD429D), UINT64_C(0x94F215D465290F57) } }, - { { UINT64_C(0x37ED2BE51CFB79AC), UINT64_C(0x801946F3E7AF84C3), - UINT64_C(0xB061AD8AE77C2F00), UINT64_C(0xE87E1A9A44DE16A8), - UINT64_C(0xDF4F57C87EE490FF), UINT64_C(0x4E793B49005993ED) }, - { UINT64_C(0xE1036387BCCB593F), UINT64_C(0xF174941195E09B80), - UINT64_C(0x59CB20D15AB42F91), UINT64_C(0xA738A18DAC0FF033), - UINT64_C(0xDA501A2E2AC1E7F4), UINT64_C(0x1B67EDA084D8A6E0) } }, - { { UINT64_C(0x1D27EFCE1080E90B), UINT64_C(0xA28152463FD01DC6), - UINT64_C(0x99A3FB83CAA26D18), UINT64_C(0xD27E6133B82BABBE), - UINT64_C(0x61030DFDD783DD60), UINT64_C(0x295A291373C78CB8) }, - { UINT64_C(0x8707A2CF68BE6A92), UINT64_C(0xC9C2FB98EEB3474A), - UINT64_C(0x7C3FD412A2B176B8), UINT64_C(0xD5B52E2FC7202101), - UINT64_C(0x24A63030F0A6D536), UINT64_C(0x05842DE304648EC0) } }, - { { UINT64_C(0x67477CDC30577AC9), UINT64_C(0x51DD9775244F92A8), - UINT64_C(0x31FD60B9917EEC66), UINT64_C(0xACD95BD4D66C5C1D), - UINT64_C(0x2E0551F3BF9508BA), UINT64_C(0x121168E1688CB243) }, - { UINT64_C(0x8C0397404540D230), UINT64_C(0xC4ED3CF6009ECDF9), - UINT64_C(0x191825E144DB62AF), UINT64_C(0x3EE8ACABC4A030DA), - UINT64_C(0x8AB154A894081504), UINT64_C(0x1FE09E4B486C9CD0) } }, - { { UINT64_C(0x512F82F9D113450B), UINT64_C(0x5878C9012DBC9197), - UINT64_C(0xDB87412BE13F355B), UINT64_C(0x0A0A4A9B935B8A5E), - UINT64_C(0x818587BDF25A5351), UINT64_C(0xE807931031E3D9C7) }, - { UINT64_C(0x8B1D47C7611BC1B1), UINT64_C(0x51722B5872A823F2), - UINT64_C(0x6F97EE8A53B36B3E), UINT64_C(0x6E085AAC946DD453), - UINT64_C(0x2EC5057DE65E6533), UINT64_C(0xF82D9D714BB18801) } }, - { { UINT64_C(0xAD81FA938BA5AA8E), UINT64_C(0x723E628E8F7AA69E), - UINT64_C(0x0BA7C2DEEF35937C), UINT64_C(0x83A43EC56DECFB40), - UINT64_C(0xF520F849E60C4F2D), UINT64_C(0x8260E8AE457E3B5E) }, - { UINT64_C(0x7CE874F0BF1D9ED7), UINT64_C(0x5FDE35537F1A5466), - UINT64_C(0x5A63777C0C162DBB), UINT64_C(0x0FD04F8CDAD87289), - UINT64_C(0xCA2D9E0E640761D5), UINT64_C(0x4615CFF838501ADB) } }, - { { UINT64_C(0x9422789B110B4A25), UINT64_C(0x5C26779F70AD8CC1), - UINT64_C(0x4EE6A748EC4F1E14), UINT64_C(0xFB584A0D5C7AB5E0), - UINT64_C(0xED1DCB0BFB21EE66), UINT64_C(0xDBED1F0011C6863C) }, - { UINT64_C(0xD2969269B1B1D187), UINT64_C(0xF7D0C3F2AFE964E6), - UINT64_C(0xE05EE93F12BB865E), UINT64_C(0x1AFB7BEEED79118E), - UINT64_C(0x220AF1380F0FE453), UINT64_C(0x1463AA1A52782AB9) } }, - { { UINT64_C(0x7C139D56D7DBE5F9), UINT64_C(0xFC16E6110B83685B), - UINT64_C(0xFA723C029018463C), UINT64_C(0xC472458C840BF5D7), - UINT64_C(0x4D8093590AF07591), UINT64_C(0x418D88303308DFD9) }, - { UINT64_C(0x9B381E040C365AE3), UINT64_C(0x3780BF33F8190FD1), - UINT64_C(0x45397418DD03E854), UINT64_C(0xA95D030F4E51E491), - UINT64_C(0x87C8C686E3286CEA), UINT64_C(0x01C773BF900B5F83) } }, - { { UINT64_C(0xDABE347578673B02), UINT64_C(0x4F0F25CEF6E7395E), - UINT64_C(0x3117ABB9D181AD45), UINT64_C(0x4B559F88AA13DE0B), - UINT64_C(0xFD8EFE78EA7C9745), UINT64_C(0x080600475DD21682) }, - { UINT64_C(0xC0F5DE4BD4C86FFC), UINT64_C(0x4BB14B1EF21AB6A2), - UINT64_C(0xACB53A6CF50C1D12), UINT64_C(0x46AAC4505CC9162E), - UINT64_C(0x049C51E02DE240B6), UINT64_C(0xBB2DC016E383C3B0) } }, - { { UINT64_C(0xA3C56AD28E438C92), UINT64_C(0x7C43F98FB2CEAF1A), - UINT64_C(0x397C44F7E2150778), UINT64_C(0x48D17AB771A24131), - UINT64_C(0xCC5138631E2ACDA9), UINT64_C(0x2C76A55EF0C9BAC9) }, - { UINT64_C(0x4D74CDCE7EA4BB7B), UINT64_C(0x834BD5BFB1B3C2BA), - UINT64_C(0x46E2911ECCC310A4), UINT64_C(0xD3DE84AA0FC1BF13), - UINT64_C(0x27F2892F80A03AD3), UINT64_C(0x85B476203BD2F08B) } }, - { { UINT64_C(0xAB1CB818567AF533), UINT64_C(0x273B4537BAC2705A), - UINT64_C(0x133066C422C84AB6), UINT64_C(0xC3590DE64830BFC1), - UINT64_C(0xEA2978695E4742D0), UINT64_C(0xF6D8C6944F3164C0) }, - { UINT64_C(0x09E85F3DC1249588), UINT64_C(0x6C2BB05D4EC64DF7), - UINT64_C(0xD267115E8B78000F), UINT64_C(0x07C5D7AEC7E4A316), - UINT64_C(0xCB1187BA4619E5BD), UINT64_C(0x57B1D4EFA43F7EEE) } }, - { { UINT64_C(0x3618891FC8176A96), UINT64_C(0x62C4B084E5808B97), - UINT64_C(0xDE5585464DD95D6E), UINT64_C(0x27A8133E730B2EA4), - UINT64_C(0xE07CEEC36AF318A0), UINT64_C(0x0ACC1286CE24FD2C) }, - { UINT64_C(0x8A48FE4ADD4D307C), UINT64_C(0x71A9BA9C18CDE0DA), - UINT64_C(0x655E2B66D5D79747), UINT64_C(0x409FE856A79AEDC7), - UINT64_C(0xC5A9F244D287E5CF), UINT64_C(0xCCE103844E82EC39) } }, - { { UINT64_C(0x00675BA7F25D364C), UINT64_C(0x7A7F162968D36BDF), - UINT64_C(0x35EC468AA9E23F29), UINT64_C(0xF797AC502D926E6C), - UINT64_C(0x639BA4534B4F4376), UINT64_C(0xD71B430F51FF9519) }, - { UINT64_C(0xB8C439EC2CF5635C), UINT64_C(0x0CE4C8D181980393), - UINT64_C(0x4C5362A964123B15), UINT64_C(0x6E0421E0FFDCF096), - UINT64_C(0x624A855F10D1F914), UINT64_C(0x7D8F3AB7614DCD29) } }, - { { UINT64_C(0xD9219ADAB3493CE0), UINT64_C(0x971B243A52F09AE5), - UINT64_C(0xC16C9BF8E24E3674), UINT64_C(0x026D408DCE68C7CD), - UINT64_C(0xF9B33DD9358209E3), UINT64_C(0x02D0595DF3B2A206) }, - { UINT64_C(0xBF99427160D15640), UINT64_C(0x6DA7A04E15B5466A), - UINT64_C(0x03AA4ED81CADB50D), UINT64_C(0x1548F029129A4253), - UINT64_C(0x41741F7EB842865A), UINT64_C(0x859FE0A4A3F88C98) } }, - { { UINT64_C(0x80DE085A05FD7553), UINT64_C(0x4A4AB91EB897566B), - UINT64_C(0x33BCD4752F1C173F), UINT64_C(0x4E238896C100C013), - UINT64_C(0x1C88500DD614B34B), UINT64_C(0x0401C5F6C3BA9E23) }, - { UINT64_C(0x8E8003C4D0AF0DE5), UINT64_C(0x19B1DFB59D0DCBB9), - UINT64_C(0x4A3640A9EBEF7AB6), UINT64_C(0xEDAFD65B959B15F6), - UINT64_C(0x8092EF7F7FB95821), UINT64_C(0xAB8DD52ECE2E45D1) } }, - { { UINT64_C(0xD1F2D6B8B9CFE6BF), UINT64_C(0x6358810B00073F6F), - UINT64_C(0x5FCE5993D712106E), UINT64_C(0x5EE6B2711C024C91), - UINT64_C(0xD0248FF5453DB663), UINT64_C(0xD6D81CB2ADB835E8) }, - { UINT64_C(0x8696CFECFDFCB4C7), UINT64_C(0x696B7FCB53BC9045), - UINT64_C(0xAB4D3807DDA56981), UINT64_C(0x2F9980521E4B943B), - UINT64_C(0x8AA76ADB166B7F18), UINT64_C(0x6393430152A2D7ED) } }, - }, - { - { { UINT64_C(0xBBCCCE39A368EFF6), UINT64_C(0xD8CAABDF8CEB5C43), - UINT64_C(0x9EAE35A5D2252FDA), UINT64_C(0xA8F4F20954E7DD49), - UINT64_C(0xA56D72A6295100FD), UINT64_C(0x20FC1FE856767727) }, - { UINT64_C(0xBF60B2480BBAA5AB), UINT64_C(0xA4F3CE5A313911F2), - UINT64_C(0xC2A67AD4B93DAB9C), UINT64_C(0x18CD0ED022D71F39), - UINT64_C(0x04380C425F304DB2), UINT64_C(0x26420CBB6729C821) } }, - { { UINT64_C(0x26BD07D6BDFBCAE8), UINT64_C(0x10B5173FDF01A80A), - UINT64_C(0xD831C5466798B96C), UINT64_C(0x1D6B41081D3F3859), - UINT64_C(0x501D38EC991B9EC7), UINT64_C(0x26319283D78431A9) }, - { UINT64_C(0x8B85BAF7118B343C), UINT64_C(0x4696CDDD58DEF7D0), - UINT64_C(0xEFC7C1107ACDCF58), UINT64_C(0xD9AF415C848D5842), - UINT64_C(0x6B5A06BC0AC7FDAC), UINT64_C(0x7D623E0DA344319B) } }, - { { UINT64_C(0x4C0D78060C9D3547), UINT64_C(0x993F048DCF2AED47), - UINT64_C(0x5217C453E4B57E22), UINT64_C(0xB4669E35F4172B28), - UINT64_C(0x509A3CD049F999F8), UINT64_C(0xD19F863287C69D41) }, - { UINT64_C(0xE14D01E84C8FDED0), UINT64_C(0x342880FDEAFD9E1C), - UINT64_C(0x0E17BFF270DC2BF0), UINT64_C(0x46560B7BC0186400), - UINT64_C(0xE28C7B9C49A4DD34), UINT64_C(0x182119160F325D06) } }, - { { UINT64_C(0x46D70888D7E02E18), UINT64_C(0x7C806954D9F11FD9), - UINT64_C(0xE4948FCA4FBEA271), UINT64_C(0x7D6C7765BD80A9DF), - UINT64_C(0x1B470EA6F3871C71), UINT64_C(0xD62DE2448330A570) }, - { UINT64_C(0xDAECDDC1C659C3A7), UINT64_C(0x8621E513077F7AFC), - UINT64_C(0x56C7CD84CAEEEF13), UINT64_C(0xC60C910FC685A356), - UINT64_C(0xE68BC5C59DD93DDC), UINT64_C(0xD904E89FFEB64895) } }, - { { UINT64_C(0x75D874FB8BA7917A), UINT64_C(0x18FA7F53FD043BD4), - UINT64_C(0x212A0AD71FC3979E), UINT64_C(0x5703A7D95D6EAC0E), - UINT64_C(0x222F7188017DEAD5), UINT64_C(0x1EC687B70F6C1817) }, - { UINT64_C(0x23412FC3238BACB6), UINT64_C(0xB85D70E954CED154), - UINT64_C(0xD4E06722BDA674D0), UINT64_C(0x3EA5F17836F5A0C2), - UINT64_C(0x7E7D79CFF5C6D2CA), UINT64_C(0x1FFF94643DBB3C73) } }, - { { UINT64_C(0x916E19D0F163E4A8), UINT64_C(0x1E6740E71489DF17), - UINT64_C(0x1EAF9723339F3A47), UINT64_C(0x22F0ED1A124B8DAD), - UINT64_C(0x39C9166C49C3DD04), UINT64_C(0x628E7FD4CE1E9ACC) }, - { UINT64_C(0x124DDF2740031676), UINT64_C(0x002569391EDDB9BE), - UINT64_C(0xD39E25E7D360B0DA), UINT64_C(0x6E3015A84AA6C4C9), - UINT64_C(0xC6A2F643623EDA09), UINT64_C(0xBEFF2D1250AA99FB) } }, - { { UINT64_C(0x1FEEF7CE93EE8089), UINT64_C(0xC6B180BC252DD7BD), - UINT64_C(0xA16FB20B1788F051), UINT64_C(0xD86FD392E046ED39), - UINT64_C(0xDA0A36119378CE1D), UINT64_C(0x121EF3E7A5F7A61D) }, - { UINT64_C(0x94D2206192D13CAE), UINT64_C(0x5076046A77C72E08), - UINT64_C(0xF18BC2337D2308B9), UINT64_C(0x004DB3C517F977B1), - UINT64_C(0xD05AE3990471C11D), UINT64_C(0x86A2A55785CD1726) } }, - { { UINT64_C(0xB8D9B28672107804), UINT64_C(0xB5A7C4133303B79B), - UINT64_C(0x927EEF785FA37DED), UINT64_C(0xA1C5CF1EAD67DABA), - UINT64_C(0xAA5E3FB27360E7C7), UINT64_C(0x8354E61A0A0C0993) }, - { UINT64_C(0x2EC73AF97F5458CC), UINT64_C(0xDE4CB48848474325), - UINT64_C(0x2DD134C77209BC69), UINT64_C(0xB70C5567451A2ABE), - UINT64_C(0x2CD1B2008E293018), UINT64_C(0x15F8DA7AD33C0D72) } }, - { { UINT64_C(0x5DC386D0A8790657), UINT64_C(0xA4FDF676BC4D88BB), - UINT64_C(0x1B21F38F48BC6C49), UINT64_C(0xCDCC7FAA543A7003), - UINT64_C(0xEA97E7AA8C9CF72C), UINT64_C(0xA6B883F450D938A8) }, - { UINT64_C(0x51936F3AA3A10F27), UINT64_C(0x0170785FDECC76BF), - UINT64_C(0x7539ECE1908C578A), UINT64_C(0x5D9C8A8E0F3E8C25), - UINT64_C(0x8681B43B9E4717A7), UINT64_C(0x94F42507A9D83E39) } }, - { { UINT64_C(0xBBE11CA8A55ADDE7), UINT64_C(0x39E6F5CF3BC0896B), - UINT64_C(0x1447314E1D2D8D94), UINT64_C(0x45B481255B012F8A), - UINT64_C(0x41AD23FA08AD5283), UINT64_C(0x837243E241D13774) }, - { UINT64_C(0x1FC0BD9DBADCAA46), UINT64_C(0x8DF164ED26E84CAE), - UINT64_C(0x8FF70EC041017176), UINT64_C(0x23AD4BCE5C848BA7), - UINT64_C(0x89246FDE97A19CBB), UINT64_C(0xA5EF987B78397991) } }, - { { UINT64_C(0x111AF1B74757964D), UINT64_C(0x1D25D351DDBBF258), - UINT64_C(0x4161E7767D2B06D6), UINT64_C(0x6EFD26911CAC0C5B), - UINT64_C(0x633B95DB211BFAEB), UINT64_C(0x9BEDFA5AE2BDF701) }, - { UINT64_C(0xADAC2B0B73E099C8), UINT64_C(0x436F0023BFB16BFF), - UINT64_C(0xB91B100230F55854), UINT64_C(0xAF6A2097F4C6C8B7), - UINT64_C(0x3FF65CED3AD7B3D9), UINT64_C(0x6FA2626F330E56DF) } }, - { { UINT64_C(0x3D28BF2DFFCCFD07), UINT64_C(0x0514F6FFD989603B), - UINT64_C(0xB95196295514787A), UINT64_C(0xA1848121C3DB4E9C), - UINT64_C(0x47FE2E392A3D4595), UINT64_C(0x506F5D8211B73ED4) }, - { UINT64_C(0xA2257AE7A600D8BB), UINT64_C(0xD659DBD10F9F122C), - UINT64_C(0xDB0FDC6764DF160F), UINT64_C(0xFF3793397CB19690), - UINT64_C(0xDF4366B898E72EC1), UINT64_C(0x97E72BECDF437EB8) } }, - { { UINT64_C(0x81DCEA271C81E5D9), UINT64_C(0x7E1B6CDA6717FC49), - UINT64_C(0xAA36B3B511EAE80D), UINT64_C(0x1306687C3CD7CBB3), - UINT64_C(0xED670235C4E89064), UINT64_C(0x9D3B000958A94760) }, - { UINT64_C(0x5A64E158E6A6333C), UINT64_C(0x1A8B4A3649453203), - UINT64_C(0xF1CAD7241F77CC21), UINT64_C(0x693EBB4B70518EF7), - UINT64_C(0xFB47BD810F39C91A), UINT64_C(0xCFE63DA2FA4BC64B) } }, - { { UINT64_C(0x82C1C684EAA66108), UINT64_C(0xE32262184CFE79FC), - UINT64_C(0x3F28B72B849C720E), UINT64_C(0x137FB3558FEE1CA8), - UINT64_C(0x4D18A9CDE4F90C4E), UINT64_C(0xC0344227CC3E46FA) }, - { UINT64_C(0x4FD5C08E79CDA392), UINT64_C(0x65DB20DB8ADC87B5), - UINT64_C(0x86F95D5B916C1B84), UINT64_C(0x7EDA387117BB2B7C), - UINT64_C(0x18CCF7E7669A533B), UINT64_C(0x5E92421CECAD0E06) } }, - { { UINT64_C(0x26063E124174B08B), UINT64_C(0xE621D9BE70DE8E4D), - UINT64_C(0xAEA0FD0F5ECDF350), UINT64_C(0x0D9F69E49C20E5C9), - UINT64_C(0xD3DADEB90BBE2918), UINT64_C(0xD7B9B5DB58AA2F71) }, - { UINT64_C(0x7A971DD73364CAF8), UINT64_C(0x702616A3C25D4BE4), - UINT64_C(0xA30F0FA1A9E30071), UINT64_C(0x98AB24385573BC69), - UINT64_C(0xCBC63CDF6FEC2E22), UINT64_C(0x965F90EDCC901B9B) } }, - { { UINT64_C(0xD53B592D71E15BB3), UINT64_C(0x1F03C0E98820E0D0), - UINT64_C(0xCE93947D3CCCB726), UINT64_C(0x2790FEE01D547590), - UINT64_C(0x4401D847C59CDD7A), UINT64_C(0x72D69120A926DD9D) }, - { UINT64_C(0x38B8F21D4229F289), UINT64_C(0x9F412E407FE978AF), - UINT64_C(0xAE07901BCDB59AF1), UINT64_C(0x1E6BE5EBD1D4715E), - UINT64_C(0x3715BD8B18C96BEF), UINT64_C(0x4B71F6E6E11B3798) } }, - }, - { - { { UINT64_C(0x11A8FDE5F0CE2DF4), UINT64_C(0xBC70CA3EFA8D26DF), - UINT64_C(0x6818C275C74DFE82), UINT64_C(0x2B0294AC38373A50), - UINT64_C(0x584C4061E8E5F88F), UINT64_C(0x1C05C1CA7342383A) }, - { UINT64_C(0x263895B3911430EC), UINT64_C(0xEF9B0032A5171453), - UINT64_C(0x144359DA84DA7F0C), UINT64_C(0x76E3095A924A09F2), - UINT64_C(0x612986E3D69AD835), UINT64_C(0x70E03ADA392122AF) } }, - { { UINT64_C(0xFEB707EE67AAD17B), UINT64_C(0xBB21B28783042995), - UINT64_C(0x26DE16459A0D32BA), UINT64_C(0x9A2FF38A1FFB9266), - UINT64_C(0x4E5AD96D8F578B4A), UINT64_C(0x26CC0655883E7443) }, - { UINT64_C(0x1D8EECAB2EE9367A), UINT64_C(0x42B84337881DE2F8), - UINT64_C(0xE49B2FAED758AE41), UINT64_C(0x6A9A22904A85D867), - UINT64_C(0x2FB89DCEE68CBA86), UINT64_C(0xBC2526357F09A982) } }, - { { UINT64_C(0xADC794368C61AAAC), UINT64_C(0x24C7FD135E926563), - UINT64_C(0xEF9FAAA40406C129), UINT64_C(0xF4E6388C8B658D3C), - UINT64_C(0x7262BEB41E435BAF), UINT64_C(0x3BF622CCFDAEAC99) }, - { UINT64_C(0xD359F7D84E1AEDDC), UINT64_C(0x05DC4F8CD78C17B7), - UINT64_C(0xB18CF03229498BA5), UINT64_C(0xC67388CA85BF35AD), - UINT64_C(0x8A7A6AA262AA4BC8), UINT64_C(0x0B8F458E72F4627A) } }, - { { UINT64_C(0x3FB812EEC68E4488), UINT64_C(0x53C5EAA460EF7281), - UINT64_C(0xE57241838FBEFBE4), UINT64_C(0x2B7D49F4A4B24A05), - UINT64_C(0x23B138D0710C0A43), UINT64_C(0x16A5B4C1A85EC1DB) }, - { UINT64_C(0x7CC1F3D7305FEB02), UINT64_C(0x52F7947D5B6C1B54), - UINT64_C(0x1BDA23128F56981C), UINT64_C(0x68663EAEB4080A01), - UINT64_C(0x8DD7BA7E9F999B7F), UINT64_C(0xD8768D19B686580C) } }, - { { UINT64_C(0xBCD0E0AD7AFDDA94), UINT64_C(0x95A0DBBE34A30687), - UINT64_C(0xBBE3C3DF8C5E2665), UINT64_C(0x742BECD8EBF2BC16), - UINT64_C(0x300CEB483FA163A6), UINT64_C(0x0C5D02EE4663354B) }, - { UINT64_C(0xE4FB9AD6B5E606A4), UINT64_C(0x93F507B8CF49FF95), - UINT64_C(0x9406A90C585C193B), UINT64_C(0xAD1440C14ECF9517), - UINT64_C(0x184CB4759CEA53F1), UINT64_C(0x6855C4748EF11302) } }, - { { UINT64_C(0x00ECB523EDCAFA52), UINT64_C(0x0DA0AE0E086F69D3), - UINT64_C(0xC384DE15C242F347), UINT64_C(0xFB050E6E848C12B7), - UINT64_C(0x22F6765464E015CE), UINT64_C(0xCBDC2A487CA122F2) }, - { UINT64_C(0xA940D973445FB02C), UINT64_C(0x00F31E783767D89D), - UINT64_C(0x2B65A237613DABDD), UINT64_C(0x2BE0AB05C875AE09), - UINT64_C(0xB22E54FDBA204F8E), UINT64_C(0x65E2029D0F7687B9) } }, - { { UINT64_C(0xFFD825381855A71C), UINT64_C(0x26A330B3438BD8D8), - UINT64_C(0x89628311F9D8C5F9), UINT64_C(0x8D5FB9CF953738A0), - UINT64_C(0xCB7159C9EDFCD4E5), UINT64_C(0xD64E52302064C7C2) }, - { UINT64_C(0xF858ED80689F3CFE), UINT64_C(0x4830E30956128B67), - UINT64_C(0x2E1692DAE0E90688), UINT64_C(0xAB818913CA9CC232), - UINT64_C(0xE2E30C23A5D229A6), UINT64_C(0xA544E8B10E740E23) } }, - { { UINT64_C(0x1C15E569DC61E6CC), UINT64_C(0x8FD7296758FC7800), - UINT64_C(0xE61E7DB737A9DFC5), UINT64_C(0x3F34A9C65AFD7822), - UINT64_C(0x0A11274219E80773), UINT64_C(0xA353460C4760FC58) }, - { UINT64_C(0x2FB7DEEBB3124C71), UINT64_C(0x484636272D4009CC), - UINT64_C(0x399D1933C3A10370), UINT64_C(0x7EB1945054388DBD), - UINT64_C(0x8ECCE6397C2A006A), UINT64_C(0x3D565DAF55C932A0) } }, - { { UINT64_C(0xCEF57A9FD9ADAE53), UINT64_C(0xE2EB27D7F83FD8CD), - UINT64_C(0x4AC8F7199BBD2DDE), UINT64_C(0x604283AAE91ABFB7), - UINT64_C(0xB6A4E11534799F87), UINT64_C(0x2B253224E4C2A8F3) }, - { UINT64_C(0xC34F8B92C8782294), UINT64_C(0xC74D697DFCC2CB6B), - UINT64_C(0xD990411BC2C84C46), UINT64_C(0x2807B5C631EA4955), - UINT64_C(0x14AE2B93B9EB27F5), UINT64_C(0xF0AE96A76163EDFA) } }, - { { UINT64_C(0xA7BDCBB442DB7180), UINT64_C(0xC9FAA41FEDCA752F), - UINT64_C(0x147F91B4E820F401), UINT64_C(0x1E6CEF86F5F2645F), - UINT64_C(0xB4AB4D7F31FE711D), UINT64_C(0xCE68FB3C743EF882) }, - { UINT64_C(0xB9D7D6823EF2FCFF), UINT64_C(0xF6893811020DCAFD), - UINT64_C(0x30D9A50CBF81E760), UINT64_C(0x7F247D06B9B87228), - UINT64_C(0x143D4FEC5F40CFC0), UINT64_C(0x21D78D73329B2A88) } }, - { { UINT64_C(0x06B3FF8AED3F2055), UINT64_C(0x50482C77522BE214), - UINT64_C(0x8DF69CD8DDF54620), UINT64_C(0x6D1DB204F78A1165), - UINT64_C(0x459AE4A29AFE6BF2), UINT64_C(0xC23A9FFD24AC871E) }, - { UINT64_C(0xB7FD22E389E85D81), UINT64_C(0x297F1F6B122E9978), - UINT64_C(0xAB283D66144BE1CE), UINT64_C(0xC1F90AC2C00C614E), - UINT64_C(0x5465576E3224CD09), UINT64_C(0x8E8D910D441B6059) } }, - { { UINT64_C(0xF73A060AAAA228BC), UINT64_C(0xCF1B078356EFF87D), - UINT64_C(0x11EF17C0A54C9133), UINT64_C(0x9E476B1576A4DAA5), - UINT64_C(0x5624FEAC8018FB92), UINT64_C(0x9826A0FCCFEEC1B9) }, - { UINT64_C(0xB732F7FE2DFE2046), UINT64_C(0x9260BD9F3B40DA6A), - UINT64_C(0xCC9F908F4F231773), UINT64_C(0x4827FEB9DAFC0D55), - UINT64_C(0x07D32E85538ACE95), UINT64_C(0xAD9F897CB8EDAF37) } }, - { { UINT64_C(0x2F75B82FE3415498), UINT64_C(0xF99CAC5FF1015F30), - UINT64_C(0x766408247D7F25DE), UINT64_C(0x714BC9CDEE74C047), - UINT64_C(0x70F847BF07448879), UINT64_C(0xA14481DE072165C0) }, - { UINT64_C(0x9BFA59E3DB1140A8), UINT64_C(0x7B9C7FF0FCD13502), - UINT64_C(0xF4D7538E68459ABF), UINT64_C(0xED93A791C8FC6AD2), - UINT64_C(0xA8BBE2A8B51BD9B2), UINT64_C(0x084B5A279FB34008) } }, - { { UINT64_C(0xB3BB9545EB138C84), UINT64_C(0x59C3489C3FC88BFD), - UINT64_C(0x3A97FF6385F53EC7), UINT64_C(0x40FDF5A60AA69C3D), - UINT64_C(0x0E8CCEC753D19668), UINT64_C(0x0AA72EF933FAA661) }, - { UINT64_C(0xF5C5A6CF9B1E684B), UINT64_C(0x630F937131A22EA1), - UINT64_C(0x06B2AAC2AC60F7EA), UINT64_C(0xB181CAE25BC37D80), - UINT64_C(0x4601A929247B13EA), UINT64_C(0x8A71C3865F739797) } }, - { { UINT64_C(0x545387B3AB134786), UINT64_C(0x3179BB061599B64A), - UINT64_C(0xB0A6198607593574), UINT64_C(0xC7E39B2163FA7C3B), - UINT64_C(0xA1173F8691585D13), UINT64_C(0x09D5CC8ECB9525CD) }, - { UINT64_C(0xAAD44FFD8F3A3451), UINT64_C(0x702B04F225820CC5), - UINT64_C(0xE90CAC491CB66C17), UINT64_C(0x40F6B547EE161DC4), - UINT64_C(0xC08BB8B41BA4AC4E), UINT64_C(0x7DC064FBAE5A6BC1) } }, - { { UINT64_C(0x90A5E8719D76DDC7), UINT64_C(0x39DC8FAEEDFC8E2E), - UINT64_C(0x98467A235B079C62), UINT64_C(0xE25E378505450C98), - UINT64_C(0x2FE23A4D96140083), UINT64_C(0x65CE3B9AE9900312) }, - { UINT64_C(0x1D87D0886B72B5D9), UINT64_C(0x72F53220FD9AFC82), - UINT64_C(0xC63C7C159E1F71FA), UINT64_C(0x90DF26EA8D449637), - UINT64_C(0x97089F40C1C2B215), UINT64_C(0x83AF266442317FAA) } }, - }, - { - { { UINT64_C(0xFA2DB51A8D688E31), UINT64_C(0x225B696CA09C88D4), - UINT64_C(0x9F88AF1D6059171F), UINT64_C(0x1C5FEA5E782A0993), - UINT64_C(0xE0FB15884EC710D3), UINT64_C(0xFAF372E5D32CE365) }, - { UINT64_C(0xD9F896AB26506F45), UINT64_C(0x8D3503388373C724), - UINT64_C(0x1B76992DCA6E7342), UINT64_C(0x76338FCA6FD0C08B), - UINT64_C(0xC3EA4C65A00F5C23), UINT64_C(0xDFAB29B3B316B35B) } }, - { { UINT64_C(0x84E5541F483AEBF9), UINT64_C(0x8ADFF7DC49165772), - UINT64_C(0xE0A43AD69BEAAD3C), UINT64_C(0x97DD1820F51C2714), - UINT64_C(0xAC2B4CB457EA5B0C), UINT64_C(0x87DBD011D11767CA) }, - { UINT64_C(0x18CCF36CBFC7957A), UINT64_C(0xD4A088411BC79227), - UINT64_C(0x9811CE43D8D292A8), UINT64_C(0x72C5FC68D58C4EE7), - UINT64_C(0x5BC0F0BED35C65A7), UINT64_C(0x0B446DBCCBBF9669) } }, - { { UINT64_C(0x7EBA3DA69CEE9BCE), UINT64_C(0x3E2C1248D5377750), - UINT64_C(0x8C917D982B93D8B2), UINT64_C(0xCA8FC6AC7CAD1F75), - UINT64_C(0x5F581F19A0FF150A), UINT64_C(0x872CC14AE08327FA) }, - { UINT64_C(0xC774F187E9333188), UINT64_C(0x528ED4AC497AF7E8), - UINT64_C(0xCE036E9B8AD72B10), UINT64_C(0x463F9EBB917986CF), - UINT64_C(0xBE5163281325CF9B), UINT64_C(0xD28D5C50DD7E5FEA) } }, - { { UINT64_C(0x714C1D1BDD58BBE3), UINT64_C(0x85BA01AE039AFD0F), - UINT64_C(0x7F23EA3A6951AC80), UINT64_C(0x5C599290AC00C837), - UINT64_C(0xF6EFA2B3BF24CC1B), UINT64_C(0x393D8E421E84462B) }, - { UINT64_C(0x9BDA627DF8B89453), UINT64_C(0xE66FFF2EB23E0D1B), - UINT64_C(0xD1EE7089C3B94EC2), UINT64_C(0xF75DBA6E3031699A), - UINT64_C(0x8FF75F79242B2453), UINT64_C(0xE721EDEB289BFED4) } }, - { { UINT64_C(0x083215A1C1390FA8), UINT64_C(0x901D686A6DCE8CE0), - UINT64_C(0x4AB1BA62837073FF), UINT64_C(0x10C287AA34BEABA5), - UINT64_C(0xB4931AF446985239), UINT64_C(0x07639899B053C4DC) }, - { UINT64_C(0x29E7F44DE721EECD), UINT64_C(0x6581718257B3FF48), - UINT64_C(0x198542E25054E2E0), UINT64_C(0x923C9E1584616DE8), - UINT64_C(0x2A9C15E1AD465BB9), UINT64_C(0xD8D4EFC716319245) } }, - { { UINT64_C(0x72DC79439961A674), UINT64_C(0x839A0A52A0E13668), - UINT64_C(0xD7A53FA9334945EA), UINT64_C(0xDB21DB77E7AA25DB), - UINT64_C(0xB6675A7D66E96DA3), UINT64_C(0x2C31C406E66F33C0) }, - { UINT64_C(0x45020B626EC7B9CB), UINT64_C(0xFF46E9CD0391F267), - UINT64_C(0x7DABD7440FA2F221), UINT64_C(0x9A32364B9D4A2A3E), - UINT64_C(0xF0F84AE852D2E47A), UINT64_C(0xD0B872BB888F488A) } }, - { { UINT64_C(0x531E4CEFC9790EEF), UINT64_C(0xF7B5735E2B8D1A58), - UINT64_C(0xB8882F1EEF568511), UINT64_C(0xAFB08D1C86A86DB3), - UINT64_C(0x88CB9DF2F54DE8C7), UINT64_C(0xA44234F19A683282) }, - { UINT64_C(0xBC1B3D3AA6E9AB2E), UINT64_C(0xEFA071FB87FC99EE), - UINT64_C(0xFA3C737DA102DC0F), UINT64_C(0xDF3248A6D6A0CBD2), - UINT64_C(0x6E62A4FF1ECC1BF4), UINT64_C(0xF718F940C8F1BC17) } }, - { { UINT64_C(0x2C8B0AAD4F63F026), UINT64_C(0x2AFF623850B253CC), - UINT64_C(0xCAB3E94210C4D122), UINT64_C(0x52B59F0407CD2816), - UINT64_C(0x22322803982C41FC), UINT64_C(0x38844E668CF50B19) }, - { UINT64_C(0x42A959F7BE3264CD), UINT64_C(0xBDDC24BD6C983524), - UINT64_C(0xA489EB0C462B8640), UINT64_C(0xB7C0509298029BE7), - UINT64_C(0xD5546B5FA1ADDC64), UINT64_C(0xE7CAC1FCA0C655AF) } }, - { { UINT64_C(0x1454719847636F97), UINT64_C(0x6FA67481EBCDCCFF), - UINT64_C(0xC164872F395D3258), UINT64_C(0xB8CECAFEEE6ACDBC), - UINT64_C(0x3FBFE5F3A933F180), UINT64_C(0xEC20CAC2898C3B1E) }, - { UINT64_C(0x6A031BEE87DA73F9), UINT64_C(0xD1E667D15C5AF46E), - UINT64_C(0xCB3DC1681DC6EEF9), UINT64_C(0x2DD1BD9433D310C0), - UINT64_C(0x0F78D4939207E438), UINT64_C(0xC233D544A99C0E75) } }, - { { UINT64_C(0x228F19F19E2A0113), UINT64_C(0x58495BE50E1A5D37), - UINT64_C(0x97E08F6938D7F364), UINT64_C(0x1EC3BA3E510759B0), - UINT64_C(0x3682F19AE03CD40D), UINT64_C(0xC87745D8F9E16D68) }, - { UINT64_C(0xFD527AB509A642EA), UINT64_C(0x6308EEBDF9C81F27), - UINT64_C(0xFA9F666C550C5D68), UINT64_C(0xDEBA436F584AB153), - UINT64_C(0x1D4861D35B63E939), UINT64_C(0x073BED9BC9850221) } }, - { { UINT64_C(0x802BCCF08B171246), UINT64_C(0xFFF7D15A733B072F), - UINT64_C(0xEA3862664CBFA4EF), UINT64_C(0x9E5B5073D635946B), - UINT64_C(0x16E9A979FA81BE95), UINT64_C(0x41E8716EB14F701F) }, - { UINT64_C(0x25782E0F101A6719), UINT64_C(0x442C4875C9D66959), - UINT64_C(0x52D845D92B85D153), UINT64_C(0xFF9251382E831117), - UINT64_C(0x01B700CC8E02434B), UINT64_C(0xD2DB7F8EEC0BAE3E) } }, - { { UINT64_C(0x1B225300966A4872), UINT64_C(0x40C149BE566F537B), - UINT64_C(0x3335F4D2CB680021), UINT64_C(0x773D0263778E5F5F), - UINT64_C(0x1D9B7602666FA9ED), UINT64_C(0x52490A102E6200CF) }, - { UINT64_C(0x8434C7DD961F290B), UINT64_C(0x773AC15664456446), - UINT64_C(0x5E2BB78947B712BB), UINT64_C(0xFD3BCBFDBE0974AD), - UINT64_C(0x71AE9351791AD5D8), UINT64_C(0x1EE738BA6F4E1400) } }, - { { UINT64_C(0x2FA428AB0BE8E26E), UINT64_C(0xFEFF0600BB4CF9FC), - UINT64_C(0x76F25CA9B2EA5FB0), UINT64_C(0xAB7FECF06835C5F4), - UINT64_C(0x649D077219D5F328), UINT64_C(0xABE7B895ACBCB12E) }, - { UINT64_C(0xF2D1031AD69B1EA8), UINT64_C(0x46065D5DC60B0BBB), - UINT64_C(0xB0908DC185D798FF), UINT64_C(0x4E2420F0D2C9B18A), - UINT64_C(0x6B3A9BDDD30432A2), UINT64_C(0x501C3383C9B134AD) } }, - { { UINT64_C(0x608F096798A21284), UINT64_C(0x5361BE86059CCEDE), - UINT64_C(0x3A40655CAFD87EF7), UINT64_C(0x03CF311759083AA2), - UINT64_C(0x57DB5F61B6C366D9), UINT64_C(0x29DC275B6DD0D232) }, - { UINT64_C(0xBDAB24DD8FA67501), UINT64_C(0x5928F77565D08C37), - UINT64_C(0x9448A856645D466A), UINT64_C(0x6E6B5E2EC0E927A5), - UINT64_C(0xE884D546E80C6871), UINT64_C(0x10C881C953A9A851) } }, - { { UINT64_C(0x355053749B627AA5), UINT64_C(0xE7CA1B577976677B), - UINT64_C(0x812397124976CE17), UINT64_C(0x96E9080B96DA31B9), - UINT64_C(0x458254ABCC64AA1F), UINT64_C(0xFEFF682148E674C9) }, - { UINT64_C(0x8772F37A021F1488), UINT64_C(0x2E274E18AB56345C), - UINT64_C(0x7C7BE61C29823B76), UINT64_C(0x275DB7B29EEFB39E), - UINT64_C(0x83B10ED4BF5CBCEF), UINT64_C(0x40D7F5B4518E5183) } }, - { { UINT64_C(0x315CCC01F960B41B), UINT64_C(0x90B417C91D99E722), - UINT64_C(0x84AFAA0D013463E0), UINT64_C(0xF133C5D813E6D9E1), - UINT64_C(0xD95C6ADC525B7430), UINT64_C(0x082C61AD7A25106A) }, - { UINT64_C(0xABC1966DBA1CE179), UINT64_C(0xE0578B77A5DB529A), - UINT64_C(0x10988C05EC84107D), UINT64_C(0xFCADE5D71B207F83), - UINT64_C(0x0BEB6FDBC5BA83DB), UINT64_C(0x1C39B86D57537E34) } }, - }, - { - { { UINT64_C(0x5B0B5D692A7AECED), UINT64_C(0x4C03450C01DC545F), - UINT64_C(0x72AD0A4A404A3458), UINT64_C(0x1DE8E2559F467B60), - UINT64_C(0xA4B3570590634809), UINT64_C(0x76F30205706F0178) }, - { UINT64_C(0x588D21AB4454F0E5), UINT64_C(0xD22DF54964134928), - UINT64_C(0xF4E7E73D241BCD90), UINT64_C(0xB8D8A1D22FACC7CC), - UINT64_C(0x483C35A71D25D2A0), UINT64_C(0x7F8D25451EF9F608) } }, - { { UINT64_C(0xCB51F03954EBC926), UINT64_C(0xE235D356B8D4A7BB), - UINT64_C(0x93C8FAFAB41FE1A6), UINT64_C(0x6297701DA719F254), - UINT64_C(0x6E9165BC644F5CDE), UINT64_C(0x6506329D0C11C542) }, - { UINT64_C(0xA2564809A92B4250), UINT64_C(0x0E9AC173889C2E3E), - UINT64_C(0x286A592622B1D1BE), UINT64_C(0x86A3D7526ECDD041), - UINT64_C(0x4B867E0A649F9524), UINT64_C(0x1FE7D95A0629CB0F) } }, - { { UINT64_C(0xF4F66843CA5BAF54), UINT64_C(0x298DB357EFE7DB78), - UINT64_C(0xF607E86E7365712F), UINT64_C(0xD58822988A822BC0), - UINT64_C(0x2CFBD63AC61299B3), UINT64_C(0x6F713D9B67167B1A) }, - { UINT64_C(0x750F673FDE0B077A), UINT64_C(0x07482708EE2178DA), - UINT64_C(0x5E6D5BD169123C75), UINT64_C(0x6A93D1B6EAB99B37), - UINT64_C(0x6EF4F7E68CAEC6A3), UINT64_C(0x7BE411D6CF3ED818) } }, - { { UINT64_C(0xF92B307363A0A7D2), UINT64_C(0x32DA431C881DC8CF), - UINT64_C(0xE51BD5EDC578E3A3), UINT64_C(0xEFDA70D29587FA22), - UINT64_C(0xCFEC17089B2EBA85), UINT64_C(0x6AB51A4BAF7BA530) }, - { UINT64_C(0x5AC155AE98174812), UINT64_C(0xCAF07A71CCB076E3), - UINT64_C(0x280E86C2C38718A7), UINT64_C(0x9D12DE73D63745B7), - UINT64_C(0x0E8EA855BF8A79AA), UINT64_C(0x5EB2BED8BD705BF7) } }, - { { UINT64_C(0x33FE9578AE16DE53), UINT64_C(0x3AE85EB510BEC902), - UINT64_C(0xC4F4965844AF850E), UINT64_C(0x6EA222B3087DD658), - UINT64_C(0xB255E6FDA51F1447), UINT64_C(0xB35E4997117E3F48) }, - { UINT64_C(0x562E813B05616CA1), UINT64_C(0xDF5925D68A61E156), - UINT64_C(0xB2FA8125571C728B), UINT64_C(0x00864805A2F2D1CF), - UINT64_C(0x2DC26F411BCCB6FF), UINT64_C(0xEBD5E09363AE37DD) } }, - { { UINT64_C(0xD2D68BB30A285611), UINT64_C(0x3EAE7596DC8378F2), - UINT64_C(0x2DC6CCC66CC688A3), UINT64_C(0xC45E5713011F5DFB), - UINT64_C(0x6B9C4F6C62D34487), UINT64_C(0xFAD6F0771FC65551) }, - { UINT64_C(0x5E3266E062B23B52), UINT64_C(0xF1DAF319E98F4715), - UINT64_C(0x064D12EA3ED0AE83), UINT64_C(0x5CCF9326564125CB), - UINT64_C(0x09057022C63C1E9F), UINT64_C(0x7171972CDC9B5D2E) } }, - { { UINT64_C(0x2364FD9AEABD21B2), UINT64_C(0x3CE5F4BB9174AD6D), - UINT64_C(0xA4D6D5D0B38688C0), UINT64_C(0x2292A2D26D87FD7D), - UINT64_C(0x2A7D1B534CA02E54), UINT64_C(0x7BEE6E7EB4185715) }, - { UINT64_C(0x73E546098FC63ACD), UINT64_C(0xF4D93A124064E09D), - UINT64_C(0xD20E157A2B92DAA5), UINT64_C(0x90D125DBC4B81A00), - UINT64_C(0xCB951C9E7682DE13), UINT64_C(0x1ABE58F427987545) } }, - { { UINT64_C(0x6D35164030C70C8D), UINT64_C(0x8047D811CE2361B8), - UINT64_C(0x3F8B3D4FDF8E2C81), UINT64_C(0x5D59547733FA1F6C), - UINT64_C(0xF769FE5AE29B8A91), UINT64_C(0x26F0E606D737B2A2) }, - { UINT64_C(0x70CBFA5DB8B31C6A), UINT64_C(0x0F883B4A863D3AEA), - UINT64_C(0x156A4479E386AE2F), UINT64_C(0xA17A2FCDADE8A684), - UINT64_C(0x78BDF958E2A7E335), UINT64_C(0xD1B4E6733B9E3041) } }, - { { UINT64_C(0x1EAF48EC449A6D11), UINT64_C(0x6B94B8E46D2FA7B9), - UINT64_C(0x1D75D269728E4C1B), UINT64_C(0x91123819DD304E2C), - UINT64_C(0x0B34CAE388804F4B), UINT64_C(0x2BA192FBC5495E9A) }, - { UINT64_C(0xC93FF6EFFF4D24BF), UINT64_C(0xF8C2C0B00342BA78), - UINT64_C(0x8041F769831EB94C), UINT64_C(0x353100747782985E), - UINT64_C(0xC755320B3AF84E83), UINT64_C(0x384B6D266F497E7F) } }, - { { UINT64_C(0xEF92CD5917E6BD17), UINT64_C(0xA087305BA426965C), - UINT64_C(0x13895CE7AC47F773), UINT64_C(0xB85F2A9FE0BB2867), - UINT64_C(0x2926E6AA7CD7C58E), UINT64_C(0xE544EDA6450459C5) }, - { UINT64_C(0x73DBC351B90A9849), UINT64_C(0x961183F6848EBE86), - UINT64_C(0xC45BB21080534712), UINT64_C(0x379D08D7A654D9A3), - UINT64_C(0x5B97CEF2BD3FFA9C), UINT64_C(0x0F469F34DDC2FCE5) } }, - { { UINT64_C(0x6D1461080642F38D), UINT64_C(0x055171A0D21EB887), - UINT64_C(0x28DFFAB4D0DCEB28), UINT64_C(0x0D0E631298DE9CCD), - UINT64_C(0x750A9156118C3C3F), UINT64_C(0x8C1F1390B049D799) }, - { UINT64_C(0xE4823858439607C5), UINT64_C(0x947E9BA05C111EAB), - UINT64_C(0x39C95616A355DF2E), UINT64_C(0xF5F6B98E10E54BDA), - UINT64_C(0xB0E0B33D142B876A), UINT64_C(0x71197D73EA18C90C) } }, - { { UINT64_C(0x36A5139DF52BE819), UINT64_C(0xF60DDF3429A45D2B), - UINT64_C(0x0727EFECE9220E34), UINT64_C(0x431D33864EF7F446), - UINT64_C(0xC3165A64FCC4962C), UINT64_C(0xB7D926E1D64362BB) }, - { UINT64_C(0x216BC61FD45F9350), UINT64_C(0xA974CB2FBBAED815), - UINT64_C(0x31DF342D86FB2F76), UINT64_C(0x3AB67E0501D78314), - UINT64_C(0x7AA951E0DEE33ED2), UINT64_C(0x318FBBBDCEC78D94) } }, - { { UINT64_C(0xAD7EFB65B8FE0204), UINT64_C(0x0432E1C5230AB7F7), - UINT64_C(0x7563A62D9C967400), UINT64_C(0xD88B9C743524D4FF), - UINT64_C(0x16A1991CF1A823E3), UINT64_C(0xCF2F9BFEFA6F0FFB) }, - { UINT64_C(0x55AAA946A50CA61F), UINT64_C(0x8CBBD3C8FED4CAB3), - UINT64_C(0x03A0FAB87651365A), UINT64_C(0x46B5234B62DC3913), - UINT64_C(0xFD875B28B558CBBD), UINT64_C(0xA48EC3AE11CEB361) } }, - { { UINT64_C(0x5DD131A1B3ADBD8B), UINT64_C(0xF9FBCA3A29B45EF8), - UINT64_C(0x022048669341EE18), UINT64_C(0x8D13B89583BF9618), - UINT64_C(0x0E395BAEE807459C), UINT64_C(0xB9C110CCB190E7DB) }, - { UINT64_C(0xA0DC345225D25063), UINT64_C(0x2FB78EC802371462), - UINT64_C(0xC3A9E7BB8975C2D5), UINT64_C(0x9466687285A78264), - UINT64_C(0x480D2CC28029AA92), UINT64_C(0x237086C75655726D) } }, - { { UINT64_C(0x197F14BB65EB9EEE), UINT64_C(0xFC93125C9F12E5FD), - UINT64_C(0x9C20BC538BFBAE5E), UINT64_C(0xB35E21544BC053BA), - UINT64_C(0xE5FA9CC721C3898E), UINT64_C(0x502D72FFD42F950F) }, - { UINT64_C(0x6812D38AD1EB8C31), UINT64_C(0x1F77F3F1080D30BB), - UINT64_C(0x18D128335A8B1E98), UINT64_C(0x7FD39FA9299196CE), - UINT64_C(0xFB8C9F11CF4ED6D6), UINT64_C(0x4C00F604D6363194) } }, - { { UINT64_C(0x5C8AFCF9FA2A21C2), UINT64_C(0x71CBF2821928D133), - UINT64_C(0x56BEF28E42B29506), UINT64_C(0xAFBA250C70323DE2), - UINT64_C(0x3FE208D17DED2C30), UINT64_C(0xBD2CD213CE9AA598) }, - { UINT64_C(0x52C5EC52CFEED070), UINT64_C(0x0A7223E7D3DA336B), - UINT64_C(0x7156A4EDCE156B46), UINT64_C(0x9AF6C499ED7E6159), - UINT64_C(0x9D7A679713C029AD), UINT64_C(0xE5B5C9249018DC77) } }, - }, - { - { { UINT64_C(0x3F2EFF53DE1E4E55), UINT64_C(0x6B749943E4D3ECC4), - UINT64_C(0xAF10B18A0DDE190D), UINT64_C(0xF491B98DA26B0409), - UINT64_C(0x66080782A2B1D944), UINT64_C(0x59277DC697E8C541) }, - { UINT64_C(0xFDBFC5F6006F18AA), UINT64_C(0x435D165BFADD8BE1), - UINT64_C(0x8E5D263857645EF4), UINT64_C(0x31BCFDA6A0258363), - UINT64_C(0xF5330AB8D35D2503), UINT64_C(0xB71369F0C7CAB285) } }, - { { UINT64_C(0xE6A19DCC40ACC5A8), UINT64_C(0x1C3A1FF1DBC6DBF8), - UINT64_C(0xB4D89B9FC6455613), UINT64_C(0x6CB0FE44A7390D0E), - UINT64_C(0xADE197A459EA135A), UINT64_C(0xDA6AA86520680982) }, - { UINT64_C(0x03DB9BE95A442C1B), UINT64_C(0x221A2D732BFB93F2), - UINT64_C(0x44DEE8D4753C196C), UINT64_C(0x59ADCC700B7C6FF5), - UINT64_C(0xC6260EC24CA1B142), UINT64_C(0x4C3CB5C646CBD4F2) } }, - { { UINT64_C(0x8A15D6FEA417111F), UINT64_C(0xFE4A16BD71D93FCC), - UINT64_C(0x7A7EE38C55BBE732), UINT64_C(0xEFF146A51FF94A9D), - UINT64_C(0xE572D13EDD585AB5), UINT64_C(0xD879790E06491A5D) }, - { UINT64_C(0x9C84E1C52A58CB2E), UINT64_C(0xD79D13746C938630), - UINT64_C(0xDB12CD9B385F06C7), UINT64_C(0x0C93EB977A7759C3), - UINT64_C(0xF1F5B0FE683BD706), UINT64_C(0x541E4F7285EC3D50) } }, - { { UINT64_C(0x9A0E153581833608), UINT64_C(0x5CCE871E6E2833AC), - UINT64_C(0xC17059EAFB29777C), UINT64_C(0x7E40E5FAE354CAFD), - UINT64_C(0x9CF594054D07C371), UINT64_C(0x64CE36B2A71C3945) }, - { UINT64_C(0x69309E9656CAF487), UINT64_C(0x3D719E9F1AE3454B), - UINT64_C(0xF2164070E25823B6), UINT64_C(0xEAD851BD0BC27359), - UINT64_C(0x3D21BFE8B0925094), UINT64_C(0xA783B1E934A97F4E) } }, - { { UINT64_C(0x406B0C269546491A), UINT64_C(0x9E5E15E2F293C4E5), - UINT64_C(0xC60D641315B164DB), UINT64_C(0x0DA46F530C75A78E), - UINT64_C(0x7C599BB7EA0C656B), UINT64_C(0x0F07A5121B1A8122) }, - { UINT64_C(0x14C7204A15172686), UINT64_C(0x8FAEDFF85165625D), - UINT64_C(0x20F260CE37AEDE40), UINT64_C(0xC81F771E8F357FFE), - UINT64_C(0x25499197B0912557), UINT64_C(0x736197DC4C739C74) } }, - { { UINT64_C(0x6151BAB1381B3462), UINT64_C(0x27E5A07843DBD344), - UINT64_C(0x2CB05BD6A1C3E9FB), UINT64_C(0x2A75976027CF2A11), - UINT64_C(0x0ADCF9DBFF43E702), UINT64_C(0x4BBF03E21F484146) }, - { UINT64_C(0x0E74997F55B6521A), UINT64_C(0x15629231ADE17086), - UINT64_C(0x7F143E867493FC58), UINT64_C(0x60869095AF8B9670), - UINT64_C(0x482CFCD77E524869), UINT64_C(0x9E8060C31D454756) } }, - { { UINT64_C(0xE495747AC88B4D3B), UINT64_C(0xB7559835AE8A948F), - UINT64_C(0x67EEF3A9DEB56853), UINT64_C(0x0E20E2699DEE5ADF), - UINT64_C(0x9031AF6761F0A1AA), UINT64_C(0x76669D32683402BC) }, - { UINT64_C(0x90BD231306718B16), UINT64_C(0xE1B22A21864EFDAC), - UINT64_C(0xE4FFE9096620089F), UINT64_C(0xB84C842E3428E2D9), - UINT64_C(0x0E28C880FE3871FC), UINT64_C(0x8932F6983F21C200) } }, - { { UINT64_C(0x603F00CE6C90EA5D), UINT64_C(0x6473930740A2F693), - UINT64_C(0xAF65148B2174E517), UINT64_C(0x162FC2CAF784AE74), - UINT64_C(0x0D9A88254D5F6458), UINT64_C(0x0C2D586143AACE93) }, - { UINT64_C(0xBF1EADDE9F73CBFC), UINT64_C(0xDE9C34C09C68BBCA), - UINT64_C(0x6D95602D67EF8A1A), UINT64_C(0x0AF2581BA791B241), - UINT64_C(0x14F7736112CAD604), UINT64_C(0x19F2354DE2ACD1AD) } }, - { { UINT64_C(0x272F78F60D60F263), UINT64_C(0xE7A8F4AF208FD785), - UINT64_C(0x10E191C636554F2C), UINT64_C(0x06D88551FD5CD0B3), - UINT64_C(0x29BF856857069C27), UINT64_C(0x3CE7ECD828AA6FAD) }, - { UINT64_C(0x7D8A92D0E9F1A1D8), UINT64_C(0xD40C7FF8D30B5725), - UINT64_C(0x16BE6CB2F54CAEB8), UINT64_C(0x14CA471A14CB0A91), - UINT64_C(0xD5FF15B802733CAE), UINT64_C(0xCAF88D87DAA76580) } }, - { { UINT64_C(0x39430E222C046592), UINT64_C(0x6CDAE81F1AD26706), - UINT64_C(0x8C102159A25D9106), UINT64_C(0x9A44057227CA9F30), - UINT64_C(0x8D34C43070287FBC), UINT64_C(0x9003A45529DB8AFA) }, - { UINT64_C(0x91364CC37FD971AD), UINT64_C(0x7B3AA0489C60EDB7), - UINT64_C(0x58B0E008526F4DD8), UINT64_C(0xB7674454D86D98AE), - UINT64_C(0xC25F4051B2B45747), UINT64_C(0x8243BF9CCC043E8F) } }, - { { UINT64_C(0xA89641C643A0C387), UINT64_C(0x6D92205C87B9AB17), - UINT64_C(0x37D691F4DAA0E102), UINT64_C(0xEB3E52D7CDE5312E), - UINT64_C(0x60D3C09916F518A2), UINT64_C(0x7854C0518A378EEB) }, - { UINT64_C(0x7359DB514BBCAAC5), UINT64_C(0xF5B1B68C1713F102), - UINT64_C(0xDAEAE645E4398DE5), UINT64_C(0x8C8ACB6CD1ABFB82), - UINT64_C(0x2E8B76C3136423E2), UINT64_C(0x509DCB2DA8BA015E) } }, - { { UINT64_C(0x2FF368159AD9C59C), UINT64_C(0xB189A4E8658E65B9), - UINT64_C(0x7D33DDBBEA786AD2), UINT64_C(0x96D0D648C0D2DC05), - UINT64_C(0x05E49256BFA03BE9), UINT64_C(0x0EA4E7A68BAF5A1C) }, - { UINT64_C(0x3DDCE0B09F9AD5A8), UINT64_C(0xF78091959E49C2CB), - UINT64_C(0xBFCEF29D21782C2F), UINT64_C(0xE57AD39FC41BFD97), - UINT64_C(0xC04B93E81355AD19), UINT64_C(0xAABC9E6E59440F9F) } }, - { { UINT64_C(0x7AA481035B6459DA), UINT64_C(0x83EF74770166E880), - UINT64_C(0x536182B1511CCE80), UINT64_C(0xAFDD2EEE73CA55AA), - UINT64_C(0xAB910D0DA8716143), UINT64_C(0x8BEAA42B83707250) }, - { UINT64_C(0x4BCCFD898DA2AB3D), UINT64_C(0x1DBF68A9EC6AA105), - UINT64_C(0x32CE610868EB42DA), UINT64_C(0x5C2C2C858EA62E37), - UINT64_C(0x1ED2791FCD3088A7), UINT64_C(0x496B4FEBFF05070C) } }, - { { UINT64_C(0x9FA9121A0AA629C5), UINT64_C(0xE286CFF157558BEC), - UINT64_C(0x4D9D657E59813A4D), UINT64_C(0xC4676A1626103519), - UINT64_C(0x616160B32BD4DF80), UINT64_C(0x26FB78CC30FBAE87) }, - { UINT64_C(0x096070138F0F66BD), UINT64_C(0xDD4E2D0C03D9B90D), - UINT64_C(0x5D3A8912600D1B12), UINT64_C(0xF76DD52F4308E126), - UINT64_C(0x97CC04099E4FCCA6), UINT64_C(0x0CFBE31104C4DF7B) } }, - { { UINT64_C(0x6CA62C1228437A23), UINT64_C(0x0DAF335340E7A003), - UINT64_C(0x1FD07DF0D20F8079), UINT64_C(0xEAE7969C3BBC9749), - UINT64_C(0x55861AFA9ECAD022), UINT64_C(0xEC41DAD91FBC3D4C) }, - { UINT64_C(0x1FE4CB40DA8B261B), UINT64_C(0xC2671AB6427C5C9D), - UINT64_C(0xDFCDA7B8261D4939), UINT64_C(0x9E7B802B2072C0B9), - UINT64_C(0x3AFEE900C7828CC2), UINT64_C(0x3488BF28F6DE987F) } }, - { { UINT64_C(0x33B9F2DE7BE1F89E), UINT64_C(0xD4E80821299B15C9), - UINT64_C(0x87A3067A0E13F37F), UINT64_C(0x6D4C09ED55FD239F), - UINT64_C(0x48B1042D92EF014F), UINT64_C(0xA382B2E0B385A759) }, - { UINT64_C(0xBF571BB07F6F84F8), UINT64_C(0x25AFFA370CE87F50), - UINT64_C(0x826906D3FE54F1BC), UINT64_C(0x6B0421F4C53AE76A), - UINT64_C(0x44F85A3A4855EB3C), UINT64_C(0xF49E21518D1F2B27) } }, - }, - { - { { UINT64_C(0xC0426B775E3C647B), UINT64_C(0xBFCBD9398CF05348), - UINT64_C(0x31D312E3172C0D3D), UINT64_C(0x5F49FDE6EE754737), - UINT64_C(0x895530F06DA7EE61), UINT64_C(0xCF281B0AE8B3A5FB) }, - { UINT64_C(0xFD14973541B8A543), UINT64_C(0x41A625A73080DD30), - UINT64_C(0xE2BAAE07653908CF), UINT64_C(0xC3D01436BA02A278), - UINT64_C(0xA0D0222E7B21B8F8), UINT64_C(0xFDC270E9D7EC1297) } }, - { { UINT64_C(0x06A67BD29F101E64), UINT64_C(0xCB6E0AC7E1733A4A), - UINT64_C(0xEE0B5D5197BC62D2), UINT64_C(0x52B1703924C51874), - UINT64_C(0xFED1F42382A1A0D5), UINT64_C(0x55D90569DB6270AC) }, - { UINT64_C(0x36BE4A9C5D73D533), UINT64_C(0xBE9266D6976ED4D5), - UINT64_C(0xC17436D3B8F8074B), UINT64_C(0x3BB4D399718545C6), - UINT64_C(0x8E1EA3555C757D21), UINT64_C(0xF7EDBC978C474366) } }, - { { UINT64_C(0xEC72C6506EA83242), UINT64_C(0xF7DE7BE51B2D237F), - UINT64_C(0x3C5E22001819EFB0), UINT64_C(0xDF5AB6D68CDDE870), - UINT64_C(0x75A44E9D92A87AEE), UINT64_C(0xBDDC46F4BCF77F19) }, - { UINT64_C(0x8191EFBD669B674D), UINT64_C(0x52884DF9ED71768F), - UINT64_C(0xE62BE58265CF242C), UINT64_C(0xAE99A3B180B1D17B), - UINT64_C(0x48CBB44692DE59A9), UINT64_C(0xD3C226CF2DCB3CE2) } }, - { { UINT64_C(0x9580CDFB9FD94EC4), UINT64_C(0xED273A6C28631AD9), - UINT64_C(0x5D3D5F77C327F3E7), UINT64_C(0x05D5339C35353C5F), - UINT64_C(0xC56FB5FE5C258EB1), UINT64_C(0xEFF8425EEDCE1F79) }, - { UINT64_C(0xAB7AA141CF83CF9C), UINT64_C(0xBD2A690A207D6D4F), - UINT64_C(0xE1241491458D9E52), UINT64_C(0xDD2448CCAA7F0F31), - UINT64_C(0xEC58D3C7F0FDA7AB), UINT64_C(0x7B6E122DC91BBA4D) } }, - { { UINT64_C(0x2A2DEDAFB1B48156), UINT64_C(0xA0A2C63ABB93DB87), - UINT64_C(0xC655907808ACD99E), UINT64_C(0x03EA42AFFE4AC331), - UINT64_C(0x43D2C14AEB180ED6), UINT64_C(0xC2F293DDB1156A1A) }, - { UINT64_C(0x1FAFABF5A9D81249), UINT64_C(0x39ADDEAD9A8EEE87), - UINT64_C(0x21E206F2119E2E92), UINT64_C(0xBC5DCC2ED74DCEB6), - UINT64_C(0x86647FA30A73A358), UINT64_C(0xEAD8BEA42F53F642) } }, - { { UINT64_C(0x636225F591C09091), UINT64_C(0xCCF5070A71BDCFDF), - UINT64_C(0x0EF8D625B9668EE2), UINT64_C(0x57BDF6CDB5E04E4F), - UINT64_C(0xFC6AB0A67C75EA43), UINT64_C(0xEB6B8AFBF7FD6EF3) }, - { UINT64_C(0x5B2AEEF02A3DF404), UINT64_C(0x31FD3B48B9823197), - UINT64_C(0x56226DB683A7EB23), UINT64_C(0x3772C21E5BB1ED2F), - UINT64_C(0x3E833624CD1ABA6A), UINT64_C(0xBAE58FFAAC672DAD) } }, - { { UINT64_C(0xCE92224D31BA1705), UINT64_C(0x022C6ED2F0197F63), - UINT64_C(0x21F18D99A4DC1113), UINT64_C(0x5CD04DE803616BF1), - UINT64_C(0x6F9006799FF12E08), UINT64_C(0xF59A331548E61DDF) }, - { UINT64_C(0x9474D42CB51BD024), UINT64_C(0x11A0A4139051E49D), - UINT64_C(0x79C92705DCE70EDB), UINT64_C(0x113CE27834198426), - UINT64_C(0x8978396FEA8616D2), UINT64_C(0x9A2A14D0EA894C36) } }, - { { UINT64_C(0x4F1E1254604F6E4A), UINT64_C(0x4513B0880187D585), - UINT64_C(0x9022F25719E0F482), UINT64_C(0x51FB2A80E2239DBF), - UINT64_C(0x49940D9E998ED9D5), UINT64_C(0x0583D2416C932C5D) }, - { UINT64_C(0x1188CEC8F25B73F7), UINT64_C(0xA28788CB3B3D06CD), - UINT64_C(0xDEA194ECA083DB5A), UINT64_C(0xD93A4F7E22DF4272), - UINT64_C(0x8D84E4BF6A009C49), UINT64_C(0x893D8DD93E3E4A9E) } }, - { { UINT64_C(0x35E909EA33D31160), UINT64_C(0x5020316857172F1E), - UINT64_C(0x2707FC4451F3D866), UINT64_C(0xEB9D2018D2442A5D), - UINT64_C(0x904D72095DBFE378), UINT64_C(0x6DB132A35F13CF77) }, - { UINT64_C(0x9D842BA67A3AF54B), UINT64_C(0x4E16EA195AA5B4F9), - UINT64_C(0x2BBA457CAF24228E), UINT64_C(0xCC04B3BB16F3C5FE), - UINT64_C(0xBAFAC51677E64944), UINT64_C(0x31580A34F08BCEE0) } }, - { { UINT64_C(0xC6808DEE20C30ACA), UINT64_C(0xDADD216FA3EA2056), - UINT64_C(0xD331394E7A4A9F9D), UINT64_C(0x9E0441AD424C4026), - UINT64_C(0xAEED102F0AEB5350), UINT64_C(0xC6697FBBD45B09DA) }, - { UINT64_C(0x52A2590EDEAC1496), UINT64_C(0x7142B831250B87AF), - UINT64_C(0xBEF2E68B6D0784A8), UINT64_C(0x5F62593AA5F71CEF), - UINT64_C(0x3B8F7616B5DA51A3), UINT64_C(0xC7A6FA0DB680F5FE) } }, - { { UINT64_C(0x36C21DE699C8227C), UINT64_C(0xBEE3E867C26813B1), - UINT64_C(0x9B05F2E6BDD91549), UINT64_C(0x34FF2B1FA7D1110F), - UINT64_C(0x8E6953B937F67FD0), UINT64_C(0x56C7F18BC3183E20) }, - { UINT64_C(0x48AF46DE9E2019ED), UINT64_C(0xDEAF972EF551BBBF), - UINT64_C(0x88EE38F8CC5E3EEF), UINT64_C(0xFB8D7A44392D6BAF), - UINT64_C(0x32293BFC0127187D), UINT64_C(0x7689E767E58647CC) } }, - { { UINT64_C(0x00CE901B52168013), UINT64_C(0xC6BF8E38837AAE71), - UINT64_C(0xD6F11EFA167677D8), UINT64_C(0xE53BB48586C8E5CF), - UINT64_C(0x671167CEC48E74AB), UINT64_C(0x8A40218C8AD720A7) }, - { UINT64_C(0x81E827A6E7C1191A), UINT64_C(0x54058F8DADDB153D), - UINT64_C(0x0BAF29250D950FA2), UINT64_C(0xC244674D576DDA13), - UINT64_C(0x8C4630AE41BCD13B), UINT64_C(0x6C2127BF5A077419) } }, - { { UINT64_C(0xCF977FD5A83C501F), UINT64_C(0xD7C6DF36B6AB176F), - UINT64_C(0x117F6331397BC6B5), UINT64_C(0x72A6078BF7A2D491), - UINT64_C(0xE5A2AAED5242FE2E), UINT64_C(0x88ECFFDCFEBDC212) }, - { UINT64_C(0xF2DBBF50CE33BA21), UINT64_C(0xE1343B76CEB19F07), - UINT64_C(0x1F32D4C9D2C28F71), UINT64_C(0x93FC64B418587685), - UINT64_C(0x39CEEF9BBA1F8BD1), UINT64_C(0x99C36A788D6D6BB0) } }, - { { UINT64_C(0x0D0638173E9561CF), UINT64_C(0x1D8646AA3D33704D), - UINT64_C(0x8C4513847A08BA33), UINT64_C(0x96446BD3E02D6624), - UINT64_C(0x749849F02D6F4166), UINT64_C(0xE364DA0114268BF0) }, - { UINT64_C(0x7CE4587E9AEBFCFD), UINT64_C(0xD468606456234393), - UINT64_C(0x00231D5116DF73B2), UINT64_C(0xF6A969B77279C78C), - UINT64_C(0x1FF1F6B66CB4117C), UINT64_C(0x30AEBC39D3EAB680) } }, - { { UINT64_C(0x5CC97E6493EF00B9), UINT64_C(0xDAE13841972345AE), - UINT64_C(0x858391844788F43C), UINT64_C(0xD0FF521EE2E6CF3E), - UINT64_C(0xAED14A5B4B707C86), UINT64_C(0x7EAAE4A6D2523CF7) }, - { UINT64_C(0x266472C5024C8AC6), UINT64_C(0xE47E1522C0170051), - UINT64_C(0x7B83DA6173826BAE), UINT64_C(0xE97E19F5CF543F0D), - UINT64_C(0x5D5248FA20BF38E2), UINT64_C(0x8A7C2F7DDF56A037) } }, - { { UINT64_C(0xB04659DD87B0526C), UINT64_C(0x593C604A2307565E), - UINT64_C(0x49E522257C630AB8), UINT64_C(0x24C1D0C6DCE9CD23), - UINT64_C(0x6FDB241C85177079), UINT64_C(0x5F521D19F250C351) }, - { UINT64_C(0xFB56134BA6FB61DF), UINT64_C(0xA4E70D69D75C07ED), - UINT64_C(0xB7A824487D8825A8), UINT64_C(0xA3AEA7D4DD64BBCC), - UINT64_C(0xD53E6E6C8692F539), UINT64_C(0x8DDDA83BF7AA4BC0) } }, - }, - { - { { UINT64_C(0x140A0F9FDD93D50A), UINT64_C(0x4799FFDE83B7ABAC), - UINT64_C(0x78FF7C2304A1F742), UINT64_C(0xC0568F51195BA34E), - UINT64_C(0xE97183603B7F78B4), UINT64_C(0x9CFD1FF1F9EFAA53) }, - { UINT64_C(0xE924D2C5BB06022E), UINT64_C(0x9987FA86FAA2AF6D), - UINT64_C(0x4B12E73F6EE37E0F), UINT64_C(0x1836FDFA5E5A1DDE), - UINT64_C(0x7F1B92259DCD6416), UINT64_C(0xCB2C1B4D677544D8) } }, - { { UINT64_C(0x0254486D9C213D95), UINT64_C(0x68A9DB56CB2F6E94), - UINT64_C(0xFB5858BA000F5491), UINT64_C(0x1315BDD934009FB6), - UINT64_C(0xB18A8E0AC42BDE30), UINT64_C(0xFDCF93D1F1070358) }, - { UINT64_C(0xBEB1DB753022937E), UINT64_C(0x9B9ECA7ACAC20DB4), - UINT64_C(0x152214D4E4122B20), UINT64_C(0xD3E673F2AABCCC7B), - UINT64_C(0x94C50F64AED07571), UINT64_C(0xD767059AE66B4F17) } }, - { { UINT64_C(0x40336B12DCD6D14B), UINT64_C(0xF6BCFF5DE3B4919C), - UINT64_C(0xC337048D9C841F0C), UINT64_C(0x4CE6D0251D617F50), - UINT64_C(0x00FEF2198117D379), UINT64_C(0x18B7C4E9F95BE243) }, - { UINT64_C(0x98DE119E38DF08FF), UINT64_C(0xDFD803BD8D772D20), - UINT64_C(0x94125B720F9678BD), UINT64_C(0xFC5B57CD334ACE30), - UINT64_C(0x09486527B7E86E04), UINT64_C(0xFE9F8BCC6E552039) } }, - { { UINT64_C(0x3B75C45BD6F5A10E), UINT64_C(0xFD4680F4C1C35F38), - UINT64_C(0x5450227DF8E0A113), UINT64_C(0x5E69F1AE73DDBA24), - UINT64_C(0x2007B80E57F24645), UINT64_C(0xC63695DC3D159741) }, - { UINT64_C(0xCBE54D294530F623), UINT64_C(0x986AD5732869586B), - UINT64_C(0xE19F70594CC39F73), UINT64_C(0x80F00AB32B1B8DA9), - UINT64_C(0xB765AAF973F68D26), UINT64_C(0xBC79A394E993F829) } }, - { { UINT64_C(0x9C441043F310D2A0), UINT64_C(0x2865EE58DC5EB106), - UINT64_C(0x71A959229CB8065C), UINT64_C(0x8EB3A733A052AF0F), - UINT64_C(0x56009F42B09D716E), UINT64_C(0xA7F923C5ABCBE6AD) }, - { UINT64_C(0x263B7669FA375C01), UINT64_C(0x641C47E521EF27A2), - UINT64_C(0xA89B474EB08FFD25), UINT64_C(0x5BE8EC3FF0A239F3), - UINT64_C(0x0E79957A242A6C5A), UINT64_C(0x1DFB26D00C6C75F5) } }, - { { UINT64_C(0x2FD97B9B9DFBF22A), UINT64_C(0xDEC16CC85643532D), - UINT64_C(0xDF0E6E3960FEE7C3), UINT64_C(0xD09AD7B6545860C8), - UINT64_C(0xCC16E98473FC3B7C), UINT64_C(0x6CE734C10D4E1555) }, - { UINT64_C(0xC6EFE68B4B5F6032), UINT64_C(0x3A64F34C14F54073), - UINT64_C(0x25DA689CAC44DC95), UINT64_C(0x990C477E5358AD8A), - UINT64_C(0x00E958A5F36DA7DE), UINT64_C(0x902B7360C9B6F161) } }, - { { UINT64_C(0x454AB42C9347B90A), UINT64_C(0xCAEBE64AA698B02B), - UINT64_C(0x119CDC69FB86FA40), UINT64_C(0x2E5CB7ADC3109281), - UINT64_C(0x67BB1EC5CD0C3D00), UINT64_C(0x5D430BC783F25BBF) }, - { UINT64_C(0x69FD84A85CDE0ABB), UINT64_C(0x69DA263E9816B688), - UINT64_C(0xE52D93DF0E53CBB8), UINT64_C(0x42CF6F25ADD2D5A7), - UINT64_C(0x227BA59DC87CA88F), UINT64_C(0x7A1CA876DA738554) } }, - { { UINT64_C(0x3FA5C1051CAC82C4), UINT64_C(0x23C760878A78C9BE), - UINT64_C(0xE98CDAD61C5CFA42), UINT64_C(0x09C302520A6C0421), - UINT64_C(0x149BAC7C42FC61B9), UINT64_C(0x3A1C22AC3004A3E2) }, - { UINT64_C(0xDE6B0D6E202C7FED), UINT64_C(0xB2457377E7E63052), - UINT64_C(0x31725FD43706B3EF), UINT64_C(0xE16A347D2B1AFDBF), - UINT64_C(0xBE4850C48C29CF66), UINT64_C(0x8F51CC4D2939F23C) } }, - { { UINT64_C(0x169E025B219AE6C1), UINT64_C(0x55FF526F116E1CA1), - UINT64_C(0x01B810A3B191F55D), UINT64_C(0x2D98127229588A69), - UINT64_C(0x53C9377048B92199), UINT64_C(0x8C7DD84E8A85236F) }, - { UINT64_C(0x293D48B6CAACF958), UINT64_C(0x1F084ACB43572B30), - UINT64_C(0x628BFA2DFAD91F28), UINT64_C(0x8D627B11829386AF), - UINT64_C(0x3EC1DD00D44A77BE), UINT64_C(0x8D3B0D08649AC7F0) } }, - { { UINT64_C(0x00A93DAA177513BF), UINT64_C(0x2EF0B96F42AD79E1), - UINT64_C(0x81F5AAF1A07129D9), UINT64_C(0xFC04B7EF923F2449), - UINT64_C(0x855DA79560CDB1B7), UINT64_C(0xB1EB5DABAD5D61D4) }, - { UINT64_C(0xD2CEF1AE353FD028), UINT64_C(0xC21D54399EE94847), - UINT64_C(0x9ED552BB0380C1A8), UINT64_C(0xB156FE7A2BAC328F), - UINT64_C(0xBB7E01967213C6A4), UINT64_C(0x36002A331701ED5B) } }, - { { UINT64_C(0x20B1632ADDC9EF4D), UINT64_C(0x2A35FF4C272D082B), - UINT64_C(0x30D39923F6CC9BD3), UINT64_C(0x6D879BC2E65C9D08), - UINT64_C(0xCE8274E16FA9983C), UINT64_C(0x652371E80EB7424F) }, - { UINT64_C(0x32B77503C5C35282), UINT64_C(0xD7306333C885A931), - UINT64_C(0x8A16D71972955AA8), UINT64_C(0x5548F1637D51F882), - UINT64_C(0xB311DC66BABA59EF), UINT64_C(0x773D54480DB8F627) } }, - { { UINT64_C(0x59B1B1347A62EB3B), UINT64_C(0x0F8CE157CCEEFB34), - UINT64_C(0x3FE842A8A798CB2B), UINT64_C(0xD01BC6260BF4161D), - UINT64_C(0x55EF6E554D016FDB), UINT64_C(0xCB561503B242B201) }, - { UINT64_C(0x076EBC73AF4199C1), UINT64_C(0x39DEDCBB697244F7), - UINT64_C(0x9D184733040162BC), UINT64_C(0x902992C17F6B5FA6), - UINT64_C(0xAD1DE754BB4952B5), UINT64_C(0x7ACF1B93A121F6C8) } }, - { { UINT64_C(0x7A56867C325C9B9A), UINT64_C(0x1A143999F3DC3D6A), - UINT64_C(0xCE10959003F5BCB8), UINT64_C(0x034E9035D6EEE5B7), - UINT64_C(0x2AFA81C8495DF1BC), UINT64_C(0x5EAB52DC08924D02) }, - { UINT64_C(0xEE6AA014AA181904), UINT64_C(0xE62DEF09310AD621), - UINT64_C(0x6C9792FCC7538A03), UINT64_C(0xA89D3E883E41D789), - UINT64_C(0xD60FA11C9F94AE83), UINT64_C(0x5E16A8C2E0D6234A) } }, - { { UINT64_C(0x87EC053DA9242F3B), UINT64_C(0x99544637F0E03545), - UINT64_C(0xEA0633FF6B7019E9), UINT64_C(0x8CB8AE0768DDDB5B), - UINT64_C(0x892E7C841A811AC7), UINT64_C(0xC7EF19EB73664249) }, - { UINT64_C(0xD1B5819ACD1489E3), UINT64_C(0xF9C80FB0DE45D24A), - UINT64_C(0x045C21A683BB7491), UINT64_C(0xA65325BE73F7A47D), - UINT64_C(0x08D09F0E9C394F0C), UINT64_C(0xE7FB21C6268D4F08) } }, - { { UINT64_C(0xC4CCAB956CA95C18), UINT64_C(0x563FFD56BC42E040), - UINT64_C(0xFA3C64D8E701C604), UINT64_C(0xC88D4426B0ABAFEE), - UINT64_C(0x1A353E5E8542E4C3), UINT64_C(0x9A2D8B7CED726186) }, - { UINT64_C(0xD61CE19042D097FA), UINT64_C(0x6A63E280799A748B), - UINT64_C(0x0F48D0633225486B), UINT64_C(0x848F8FE142A3C443), - UINT64_C(0x2CCDE2508493CEF4), UINT64_C(0x5450A50845E77E7C) } }, - { { UINT64_C(0xD0F4E24803112816), UINT64_C(0xFCAD9DDBCCBE9E16), - UINT64_C(0x177999BF5AE01EA0), UINT64_C(0xD20C78B9CE832DCE), - UINT64_C(0x3CC694FB50C8C646), UINT64_C(0x24D75968C93D4887) }, - { UINT64_C(0x9F06366A87BC08AF), UINT64_C(0x59FAB50E7FD0DF2A), - UINT64_C(0x5FFCC7F76C4CC234), UINT64_C(0x87198DD765F52D86), - UINT64_C(0x5B9C94B0A855DF04), UINT64_C(0xD8BA6C738A067AD7) } }, - }, - { - { { UINT64_C(0x9E9AF3151C4C9D90), UINT64_C(0x8665C5A9D12E0A89), - UINT64_C(0x204ABD9258286493), UINT64_C(0x79959889B2E09205), - UINT64_C(0x0C727A3DFE56B101), UINT64_C(0xF366244C8B657F26) }, - { UINT64_C(0xDE35D954CCA65BE2), UINT64_C(0x52EE1230B0FD41CE), - UINT64_C(0xFA03261F36019FEE), UINT64_C(0xAFDA42D966511D8F), - UINT64_C(0xF63211DD821148B9), UINT64_C(0x7B56AF7E6F13A3E1) } }, - { { UINT64_C(0x47FE47995913E184), UINT64_C(0x5BBE584C82145900), - UINT64_C(0xB76CFA8B9A867173), UINT64_C(0x9BC87BF0514BF471), - UINT64_C(0x37392DCE71DCF1FC), UINT64_C(0xEC3EFAE03AD1EFA8) }, - { UINT64_C(0xBBEA5A3414876451), UINT64_C(0x96E5F5436217090F), - UINT64_C(0x5B3D4ECD9B1665A9), UINT64_C(0xE7B0DF26E329DF22), - UINT64_C(0x18FB438E0BAA808D), UINT64_C(0x90757EBFDD516FAF) } }, - { { UINT64_C(0x1E6F9A95D5A98D68), UINT64_C(0x759EA7DF849DA828), - UINT64_C(0x365D56256E8B4198), UINT64_C(0xE1B9C53B7A4A53F9), - UINT64_C(0x55DC1D50E32B9B16), UINT64_C(0xA4657EBBBB6D5701) }, - { UINT64_C(0x4C270249EACC76E2), UINT64_C(0xBE49EC75162B1CC7), - UINT64_C(0x19A95B610689902B), UINT64_C(0xDD5706BFA4CFC5A8), - UINT64_C(0xD33BDB7314E5B424), UINT64_C(0x21311BD1E69EBA87) } }, - { { UINT64_C(0x75BA2F9B72A21ACC), UINT64_C(0x356688D4A28EDB4C), - UINT64_C(0x3C339E0B610D080F), UINT64_C(0x614AC29333A99C2F), - UINT64_C(0xA5E23AF2AA580AFF), UINT64_C(0xA6BCB860E1FDBA3A) }, - { UINT64_C(0xAA603365B43F9425), UINT64_C(0xAE8D7126F7EE4635), - UINT64_C(0xA2B2524456330A32), UINT64_C(0xC396B5BB9E025AA3), - UINT64_C(0xABBF77FAF8A0D5CF), UINT64_C(0xB322EE30EA31C83B) } }, - { { UINT64_C(0x048813847890E234), UINT64_C(0x387F1159672E70C6), - UINT64_C(0x1468A6147B307F75), UINT64_C(0x56335B52ED85EC96), - UINT64_C(0xDA1BB60FD45BCAE9), UINT64_C(0x4D94F3F0F9FAEADD) }, - { UINT64_C(0x6C6A7183FC78D86B), UINT64_C(0xA425B5C73018DEC6), - UINT64_C(0xB1549C332D877399), UINT64_C(0x6C41C50C92B2BC37), - UINT64_C(0x3A9F380C83EE0DDB), UINT64_C(0xDED5FEB6C4599E73) } }, - { { UINT64_C(0x14D34C210B7F8354), UINT64_C(0x1475A1CD9177CE45), - UINT64_C(0x9F5F764A9B926E4B), UINT64_C(0x77260D1E05DD21FE), - UINT64_C(0x3C882480C4B937F7), UINT64_C(0xC92DCD39722372F2) }, - { UINT64_C(0xF636A1BEEC6F657E), UINT64_C(0xB0E6C3121D30DD35), - UINT64_C(0xFE4B0528E4654EFE), UINT64_C(0x1C4A682021D230D2), - UINT64_C(0x615D2E4898FA45AB), UINT64_C(0x1F35D6D801FDBABF) } }, - { { UINT64_C(0xA636EEB83A7B10D1), UINT64_C(0x4E1AE352F4A29E73), - UINT64_C(0x01704F5FE6BB1EC7), UINT64_C(0x75C04F720EF020AE), - UINT64_C(0x448D8CEE5A31E6A6), UINT64_C(0xE40A9C29208F994B) }, - { UINT64_C(0x69E09A30FD8F9D5D), UINT64_C(0xE6A5F7EB449BAB7E), - UINT64_C(0xF25BC18A2AA1768B), UINT64_C(0x9449E4043C841234), - UINT64_C(0x7A3BF43E016A7BEF), UINT64_C(0xF25803E82A150B60) } }, - { { UINT64_C(0xE44A2A57B215F9E0), UINT64_C(0x38B34DCE19066F0A), - UINT64_C(0x8BB91DAD40BB1BFB), UINT64_C(0x64C9F775E67735FC), - UINT64_C(0xDE14241788D613CD), UINT64_C(0xC5014FF51901D88D) }, - { UINT64_C(0xA250341DF38116B0), UINT64_C(0xF96B9DD49D6CBCB2), - UINT64_C(0x15EC6C7276B3FAC2), UINT64_C(0x88F1952F8124C1E9), - UINT64_C(0x6B72F8EA975BE4F5), UINT64_C(0x23D288FF061F7530) } }, - { { UINT64_C(0xEBFE3E5FAFB96CE3), UINT64_C(0x2275EDFBB1979537), - UINT64_C(0xC37AB9E8C97BA741), UINT64_C(0x446E4B1063D7C626), - UINT64_C(0xB73E2DCED025EB02), UINT64_C(0x1F952B517669EEA7) }, - { UINT64_C(0xABDD00F66069A424), UINT64_C(0x1C0F9D9BDC298BFB), - UINT64_C(0x831B1FD3EB757B33), UINT64_C(0xD7DBE18359D60B32), - UINT64_C(0x663D1F369EF094B3), UINT64_C(0x1BD5732E67F7F11A) } }, - { { UINT64_C(0x3C7FB3F5C75D8892), UINT64_C(0x2CFF9A0CBA68DA69), - UINT64_C(0x76455E8B60EC740B), UINT64_C(0x4B8D67FF167B88F0), - UINT64_C(0xEDEC0C025A4186B1), UINT64_C(0x127C462DBEBF35AB) }, - { UINT64_C(0x9159C67E049430FC), UINT64_C(0x86B21DD2E7747320), - UINT64_C(0x0E0E01520CF27B89), UINT64_C(0x705F28F5CD1316B6), - UINT64_C(0x76751691BEAEA8A8), UINT64_C(0x4C73E282360C5B69) } }, - { { UINT64_C(0x46BCC0D5FD7B3D74), UINT64_C(0x6F13C20E0DC4F410), - UINT64_C(0x98A1AF7D72F11CDF), UINT64_C(0x6099FD837928881C), - UINT64_C(0x66976356371BB94B), UINT64_C(0x673FBA7219B945AB) }, - { UINT64_C(0xE4D8FA6EAED00700), UINT64_C(0xEA2313EC5C71A9F7), - UINT64_C(0xF9ED8268F99D4AEA), UINT64_C(0xADD8916442AB59C7), - UINT64_C(0xB37EB26F3F3A2D45), UINT64_C(0x0B39BD7AA924841E) } }, - { { UINT64_C(0xD811EB32E03CDBBB), UINT64_C(0x12055F1D7CC3610E), - UINT64_C(0x6B23A1A0A9046E3F), UINT64_C(0x4D7121229DD4A749), - UINT64_C(0xB0C2ACA1B1BF0AC3), UINT64_C(0x71EFF575C1B0432F) }, - { UINT64_C(0x6CD814922B44E285), UINT64_C(0x3088BD9CD87E8D20), - UINT64_C(0xACE218E5F567E8FA), UINT64_C(0xB3FA0424CF90CBBB), - UINT64_C(0xADBDA751770734D3), UINT64_C(0xBCD78BAD5AD6569A) } }, - { { UINT64_C(0xCADB31FA7F39641F), UINT64_C(0x3EF3E295825E5562), - UINT64_C(0x4893C633F4094C64), UINT64_C(0x52F685F18ADDF432), - UINT64_C(0x9FD887AB7FDC9373), UINT64_C(0x47A9ADA0E8680E8B) }, - { UINT64_C(0x579313B7F0CD44F6), UINT64_C(0xAC4B8668E188AE2E), - UINT64_C(0x648F43698FB145BD), UINT64_C(0xE0460AB374629E31), - UINT64_C(0xC25F28758FF2B05F), UINT64_C(0x4720C2B62D31EAEA) } }, - { { UINT64_C(0x4603CDF413D48F80), UINT64_C(0x9ADB50E2A49725DA), - UINT64_C(0x8CD3305065DF63F0), UINT64_C(0x58D8B3BBCD643003), - UINT64_C(0x170A4F4AB739826B), UINT64_C(0x857772B51EAD0E17) }, - { UINT64_C(0x01B78152E65320F1), UINT64_C(0xA6B4D845B7503FC0), - UINT64_C(0x0F5089B93DD50798), UINT64_C(0x488F200F5690B6BE), - UINT64_C(0x220B4ADF9E096F36), UINT64_C(0x474D7C9F8CE5BC7C) } }, - { { UINT64_C(0xFED8C058C745F8C9), UINT64_C(0xB683179E291262D1), - UINT64_C(0x26ABD367D15EE88C), UINT64_C(0x29E8EED3F60A6249), - UINT64_C(0xED6008BB1E02D6E1), UINT64_C(0xD82ECF4CA6B12B8D) }, - { UINT64_C(0x9929D021AAE4FA22), UINT64_C(0xBE4DEF14336A1AB3), - UINT64_C(0x529B7E098C80A312), UINT64_C(0xB059188DEE0EB0CE), - UINT64_C(0x1E42979A16DEAB7F), UINT64_C(0x2411034984EE9477) } }, - { { UINT64_C(0xD65246852BE579CC), UINT64_C(0x849316F1C456FDED), - UINT64_C(0xC51B7DA42D1B67DA), UINT64_C(0xC25B539E41BC6D6A), - UINT64_C(0xE3B7CCA3A9BF8BED), UINT64_C(0x813EF18C045C15E4) }, - { UINT64_C(0x5F3789A1697982C4), UINT64_C(0x4C1253698C435566), - UINT64_C(0x00A7AE6EDC0A92C6), UINT64_C(0x1ABC929B2F64A053), - UINT64_C(0xF4925C4C38666B44), UINT64_C(0xA81044B00F3DE7F6) } }, - }, - { - { { UINT64_C(0xBCC88422C2EC3731), UINT64_C(0x78A3E4D410DC4EC2), - UINT64_C(0x745DA1EF2571D6B1), UINT64_C(0xF01C2921739A956E), - UINT64_C(0xEFFD8065E4BFFC16), UINT64_C(0x6EFE62A1F36FE72C) }, - { UINT64_C(0xF49E90D20F4629A4), UINT64_C(0xADD1DCC78CE646F4), - UINT64_C(0xCB78B583B7240D91), UINT64_C(0x2E1A7C3C03F8387F), - UINT64_C(0x16566C223200F2D9), UINT64_C(0x2361B14BAAF80A84) } }, - { { UINT64_C(0xDB1CFFD2B5733309), UINT64_C(0x24BC250B0F9DD939), - UINT64_C(0xA4181E5AA3C1DB85), UINT64_C(0xE5183E51AC55D391), - UINT64_C(0x2793D5EFEFD270D0), UINT64_C(0x7D56F63DC0631546) }, - { UINT64_C(0xECB40A590C1EE59D), UINT64_C(0xE613A9E4BB5BFA2C), - UINT64_C(0xA89B14AB6C5830F9), UINT64_C(0x4DC477DCA03F201E), - UINT64_C(0x5604F5DAC88C54F6), UINT64_C(0xD49264DC2ACFC66E) } }, - { { UINT64_C(0x283DD7F01C4DFA95), UINT64_C(0xB898CC2C62C0B160), - UINT64_C(0xBA08C095870282AA), UINT64_C(0xB02B00D8F4E36324), - UINT64_C(0x53AADDC0604CECF2), UINT64_C(0xF1F927D384DDD24E) }, - { UINT64_C(0x34BC00A0E2ABC9E1), UINT64_C(0x2DA1227D60289F88), - UINT64_C(0x5228EAAACEF68F74), UINT64_C(0x40A790D23C029351), - UINT64_C(0xE0E9AF5C8442E3B7), UINT64_C(0xA3214142A9F141E0) } }, - { { UINT64_C(0x72F4949EF9A58E3D), UINT64_C(0x738C700BA48660A6), - UINT64_C(0x71B04726092A5805), UINT64_C(0xAD5C3C110F5CDB72), - UINT64_C(0xD4951F9E554BFC49), UINT64_C(0xEE594EE56131EBE7) }, - { UINT64_C(0x37DA59F33C1AF0A9), UINT64_C(0xD7AFC73BCB040A63), - UINT64_C(0xD020962A4D89FA65), UINT64_C(0x2610C61E71D824F5), - UINT64_C(0x9C917DA73C050E31), UINT64_C(0x3840F92FE6E7EBFB) } }, - { { UINT64_C(0x50FBD7FE8D8B8CED), UINT64_C(0xC7282F7547D240AE), - UINT64_C(0x79646A471930FF73), UINT64_C(0x2E0BAC4E2F7F5A77), - UINT64_C(0x0EE44FA526127E0B), UINT64_C(0x678881B782BC2AA7) }, - { UINT64_C(0xB9E5D38467F5F497), UINT64_C(0x8F94A7D4A9B7106B), - UINT64_C(0xBF7E0B079D329F68), UINT64_C(0x169B93EA45D192FB), - UINT64_C(0xCCAA946720DBE8C0), UINT64_C(0xD4513A50938F9574) } }, - { { UINT64_C(0x841C96B4054CB874), UINT64_C(0xD75B1AF1A3C26834), - UINT64_C(0x7237169DEE6575F0), UINT64_C(0xD71FC7E50322AADC), - UINT64_C(0xD7A23F1E949E3A8E), UINT64_C(0x77E2D102DD31D8C7) }, - { UINT64_C(0x5AD69D09D10F5A1F), UINT64_C(0x526C9CB4B99D9A0B), - UINT64_C(0x521BB10B972B237D), UINT64_C(0x1E4CD42FA326F342), - UINT64_C(0x5BB6DB27F0F126CA), UINT64_C(0x587AF22CA4A515AD) } }, - { { UINT64_C(0x1123A531B12E542F), UINT64_C(0x1D01A64DB9EB2811), - UINT64_C(0xA4A3515BF2D70F87), UINT64_C(0xFA205234B4BD0270), - UINT64_C(0x74B818305EDA26B9), UINT64_C(0x9305D6E656578E75) }, - { UINT64_C(0xF38E69DE9F11BE19), UINT64_C(0x1E2A5C2344DBE89F), - UINT64_C(0x1077E7BCFD286654), UINT64_C(0xD36698940FCA4741), - UINT64_C(0x893BF904278F8497), UINT64_C(0xD6AC5F83EB3E14F4) } }, - { { UINT64_C(0x327B9DAB488F5F74), UINT64_C(0x2B44F4B8CAB7364F), - UINT64_C(0xB4A6D22D19B6C6BD), UINT64_C(0xA087E613FC77CD3E), - UINT64_C(0x4558E327B0B49BC7), UINT64_C(0x188805BECD835D35) }, - { UINT64_C(0x592F293CC1DC1007), UINT64_C(0xFAEE660F6AF02B44), - UINT64_C(0x5BFBB3BF904035F2), UINT64_C(0xD7C9AE6079C07E70), - UINT64_C(0xC5287DD4234896C2), UINT64_C(0xC4CE4523CB0E4121) } }, - { { UINT64_C(0x3626B40658344831), UINT64_C(0xABCCE3568E55C984), - UINT64_C(0x495CC81C77241602), UINT64_C(0x4FB796766D70DF8F), - UINT64_C(0x6354B37C5B071DCA), UINT64_C(0x2CAD80A48C0FC0AD) }, - { UINT64_C(0x18AADD51F68739B4), UINT64_C(0x1BFBB17747F09C6C), - UINT64_C(0x9355EA19A8FD51C4), UINT64_C(0x3D512A84EE58DB7B), - UINT64_C(0x70842AFDE9237640), UINT64_C(0x36F515CAACAF858D) } }, - { { UINT64_C(0x3DDEC7C47E768B23), UINT64_C(0x97E13C53036D43ED), - UINT64_C(0x871E59253A39AB5F), UINT64_C(0x9AF292DE07E68E2B), - UINT64_C(0x411583494A40112E), UINT64_C(0xCDBB46AF3D4D97E6) }, - { UINT64_C(0x2F8912933C0EBE40), UINT64_C(0x696C7EEE3EBAD1E5), - UINT64_C(0x8A5F3B6933B50D99), UINT64_C(0xB7BC48407ED47DDE), - UINT64_C(0x3A6F8E6C1E6706D8), UINT64_C(0x6A1479433D84BB8F) } }, - { { UINT64_C(0xEC3A9C78603AE8D1), UINT64_C(0xBFE07E37228C29E5), - UINT64_C(0xB0385C5B396DBC2B), UINT64_C(0x7C14FE83DF85F41F), - UINT64_C(0xE2E64676ADFD463E), UINT64_C(0x5BEF10AA8BF9F23D) }, - { UINT64_C(0xFA83EA0DF6BAB6DA), UINT64_C(0xCD0C8BA5966BF7E3), - UINT64_C(0xD62216B498501C2E), UINT64_C(0xB7F298A4C3E69F2D), - UINT64_C(0x42CEF13B9C8740F4), UINT64_C(0xBB317E520DD64307) } }, - { { UINT64_C(0x22B6245C3FFEE775), UINT64_C(0x5C3F60BEB37CE7AA), - UINT64_C(0xDE195D40E1FEC0DF), UINT64_C(0x3BFAFBC5A0A82074), - UINT64_C(0xC36EC86AC72CA86A), UINT64_C(0x5606285113FD43EA) }, - { UINT64_C(0x8686BE808E0B03A4), UINT64_C(0xC3BD1F93D540D440), - UINT64_C(0x13E4EBC0BF96CEC5), UINT64_C(0xE8E239849190C844), - UINT64_C(0x183593A600844802), UINT64_C(0x467168794D206878) } }, - { { UINT64_C(0x358F394DB6F63D19), UINT64_C(0xA75D48496B052194), - UINT64_C(0x584035905C8D7975), UINT64_C(0x86DC9B6B6CBFBD77), - UINT64_C(0x2DB04D77647A51E5), UINT64_C(0x5E9A5B02F8950D88) }, - { UINT64_C(0xCE69A7E5017168B0), UINT64_C(0x94630FACC4843AD3), - UINT64_C(0xB3B9D7361EFC44FF), UINT64_C(0xE729E9B6B14D7F93), - UINT64_C(0xA071FC60E0ED0ABC), UINT64_C(0xFC1A99718C8D9B83) } }, - { { UINT64_C(0x49686031D138E975), UINT64_C(0x648640385A8EF0D1), - UINT64_C(0x32679713E7F7DE49), UINT64_C(0x5913234929D1CD1D), - UINT64_C(0x849AA23A20BE9ED2), UINT64_C(0x15D303E1284B3F33) }, - { UINT64_C(0x37309475B63F9FE9), UINT64_C(0x327BAC8B45B7256A), - UINT64_C(0x291CD227D17FC5D3), UINT64_C(0x8291D8CDA973EDF1), - UINT64_C(0xF3843562437ABA09), UINT64_C(0x33FFB704271D0785) } }, - { { UINT64_C(0x5248D6E447E11E5E), UINT64_C(0x0F66FC3C269C7ED3), - UINT64_C(0x18C0D2B9903E346E), UINT64_C(0xD81D9D974BEAE1B8), - UINT64_C(0x610326B0FC30FDF3), UINT64_C(0x2B13687019A7DFCD) }, - { UINT64_C(0xEC75F70AB9527676), UINT64_C(0x90829F5129A3D897), - UINT64_C(0x92FE180997980302), UINT64_C(0xA3F2498E68474991), - UINT64_C(0x6A66307B0F22BBAD), UINT64_C(0x32014B9120378557) } }, - { { UINT64_C(0x72CD7D553CD98610), UINT64_C(0xC3D560B074504ADF), - UINT64_C(0x23F0A982CEBB5D5D), UINT64_C(0x1431C15BB839DDB8), - UINT64_C(0x7E207CD8CEB72207), UINT64_C(0x28E0A848E7EFB28D) }, - { UINT64_C(0xD22561FE1BD96F6E), UINT64_C(0x04812C1862A8236B), - UINT64_C(0xA0BF2334975491FA), UINT64_C(0x294F42A6435DF87F), - UINT64_C(0x2772B783A5D6F4F6), UINT64_C(0x348F92ED2724F853) } }, - }, - { - { { UINT64_C(0xC20FB9111A42E5E7), UINT64_C(0x075A678B81D12863), - UINT64_C(0x12BCBC6A5CC0AA89), UINT64_C(0x5279C6AB4FB9F01E), - UINT64_C(0xBC8E178911AE1B89), UINT64_C(0xAE74A706C290003C) }, - { UINT64_C(0x9949D6EC79DF3F45), UINT64_C(0xBA18E26296C8D37F), - UINT64_C(0x68DE6EE2DD2275BF), UINT64_C(0xA9E4FFF8C419F1D5), - UINT64_C(0xBC759CA4A52B5A40), UINT64_C(0xFF18CBD863B0996D) } }, - { { UINT64_C(0x73C57FDED7DD47E5), UINT64_C(0xB0FE5479D49A7F5D), - UINT64_C(0xD25C71F1CFB9821E), UINT64_C(0x9427E209CF6A1D68), - UINT64_C(0xBF3C3916ACD24E64), UINT64_C(0x7E9F5583BDA7B8B5) }, - { UINT64_C(0xE7C5F7C8CF971E11), UINT64_C(0xEC16D5D73C7F035E), - UINT64_C(0x818DC472E66B277C), UINT64_C(0x4413FD47B2816F1E), - UINT64_C(0x40F262AF48383C6D), UINT64_C(0xFB0575844F190537) } }, - { { UINT64_C(0x487EDC0708962F6B), UINT64_C(0x6002F1E7190A7E55), - UINT64_C(0x7FC62BEA10FDBA0C), UINT64_C(0xC836BBC52C3DBF33), - UINT64_C(0x4FDFB5C34F7D2A46), UINT64_C(0x824654DEDCA0DF71) }, - { UINT64_C(0x30A076760C23902B), UINT64_C(0x7F1EBB9377FBBF37), - UINT64_C(0xD307D49DFACC13DB), UINT64_C(0x148D673AAE1A261A), - UINT64_C(0xE008F95B52D98650), UINT64_C(0xC76144409F558FDE) } }, - { { UINT64_C(0x17CD6AF69CB16650), UINT64_C(0x86CC27C169F4EEBE), - UINT64_C(0x7E495B1D78822432), UINT64_C(0xFED338E31B974525), - UINT64_C(0x527743D386F3CE21), UINT64_C(0x87948AD3B515C896) }, - { UINT64_C(0x9FDE7039B17F2FB8), UINT64_C(0xA2FA9A5FD9B89D96), - UINT64_C(0x5D46600B36FF74DC), UINT64_C(0x8EA74B048302C3C9), - UINT64_C(0xD560F570F744B5EB), UINT64_C(0xC921023BFE762402) } }, - { { UINT64_C(0xA35AB657FFF4C8ED), UINT64_C(0x017C61248A5FABD7), - UINT64_C(0x5646302509ACDA28), UINT64_C(0x6038D36114CF238A), - UINT64_C(0x1428B1B6AF1B9F07), UINT64_C(0x5827FF447482E95C) }, - { UINT64_C(0xCB997E18780FF362), UINT64_C(0x2B89D702E0BCAC1E), - UINT64_C(0xC632A0B5A837DDC8), UINT64_C(0xF3EFCF1F59762647), - UINT64_C(0xE9BA309A38B0D60A), UINT64_C(0x05DEABDD20B5FB37) } }, - { { UINT64_C(0xD44E5DBACB8AF047), UINT64_C(0x15400CB4943CFE82), - UINT64_C(0xDBD695759DF88B67), UINT64_C(0x8299DB2BB2405A7D), - UINT64_C(0x46E3BF770B1D80CD), UINT64_C(0xC50CF66CE82BA3D9) }, - { UINT64_C(0xB2910A07F2F747A9), UINT64_C(0xF6B669DB5ADC89C1), - UINT64_C(0x3B5EF1A09052B081), UINT64_C(0x0F5D5ED3B594ACE2), - UINT64_C(0xDA30B8D5D5F01320), UINT64_C(0x0D688C5EAAFCD58F) } }, - { { UINT64_C(0x5EEE3A312A161074), UINT64_C(0x6BAAAE56EFE2BE37), - UINT64_C(0xF9787F61E3D78698), UINT64_C(0xC6836B2650630A30), - UINT64_C(0x7445B85D1445DEF1), UINT64_C(0xD72016A2D568A6A5) }, - { UINT64_C(0x9DD6F533E355614F), UINT64_C(0x637E7E5F91E04588), - UINT64_C(0x42E142F3B9FB1391), UINT64_C(0x0D07C05C41AFE5DA), - UINT64_C(0xD7CD25C81394EDF1), UINT64_C(0xEBE6A0FCB99288EE) } }, - { { UINT64_C(0xB8E63B7BBABBAD86), UINT64_C(0x63226A9F90D66766), - UINT64_C(0x263818365CF26666), UINT64_C(0xCCBD142D4CADD0BF), - UINT64_C(0xA070965E9AC29470), UINT64_C(0x6BDCA26025FF23ED) }, - { UINT64_C(0xD4E00FD487DCA7B3), UINT64_C(0xA50978339E0E8734), - UINT64_C(0xF73F162E048173A4), UINT64_C(0xD23F91969C3C2FA2), - UINT64_C(0x9AB98B45E4AC397A), UINT64_C(0x2BAA0300543F2D4B) } }, - { { UINT64_C(0xBBBE15E7C658C445), UINT64_C(0xB8CBCB20C28941D1), - UINT64_C(0x65549BE2027D6540), UINT64_C(0xEBBCA8021E8EF4F4), - UINT64_C(0x18214B4BD2ACA397), UINT64_C(0xCBEC7DE2E31784A3) }, - { UINT64_C(0x96F0533F0116FDF3), UINT64_C(0x68911C905C8F5EE1), - UINT64_C(0x7DE9A3AED568603A), UINT64_C(0x3F56C52C6A3AD7B7), - UINT64_C(0x5BE9AFCA670B4D0E), UINT64_C(0x628BFEEE375DFE2F) } }, - { { UINT64_C(0x97DAE81BDD4ADDB3), UINT64_C(0x12D2CF4E8704761B), - UINT64_C(0x5E820B403247788D), UINT64_C(0x82234B620051CA80), - UINT64_C(0x0C62704D6CB5EA74), UINT64_C(0xDE56042023941593) }, - { UINT64_C(0xB3912A3CF1B04145), UINT64_C(0xE3967CD7AF93688D), - UINT64_C(0x2E2DCD2F58DABB4B), UINT64_C(0x6564836F0E303911), - UINT64_C(0x1F10F19BECE07C5C), UINT64_C(0xB47F07EED8919126) } }, - { { UINT64_C(0xE3545085E9A2EEC9), UINT64_C(0x81866A972C8E51FE), - UINT64_C(0xD2BA7DB550027243), UINT64_C(0x29DAEAB54AE87DE4), - UINT64_C(0x5EF3D4B8684F9497), UINT64_C(0xE2DACE3B9D5D6873) }, - { UINT64_C(0xF012C951FFD29C9C), UINT64_C(0x48289445ADBADA14), - UINT64_C(0x8751F50D89558C49), UINT64_C(0x75511A4F99E35BEE), - UINT64_C(0xEF802D6E7D59AA5F), UINT64_C(0x14FCAD65A2A795E2) } }, - { { UINT64_C(0xC8EB00E808CB8F2C), UINT64_C(0x686075322B45BD86), - UINT64_C(0x7A29B45959969713), UINT64_C(0x5FA15B9BD684201B), - UINT64_C(0x1A853190B9E538EE), UINT64_C(0x4150605CD573D043) }, - { UINT64_C(0xEF011D3BEB9FBB68), UINT64_C(0x6727998266AE32B6), - UINT64_C(0x861B86EA445DE5EC), UINT64_C(0x62837D18A34A50E1), - UINT64_C(0x228C006ABF5F0663), UINT64_C(0xE007FDE7396DB36A) } }, - { { UINT64_C(0xDEE4F8815A916A55), UINT64_C(0x20DC0370F39C82CB), - UINT64_C(0xD9A7161540F09821), UINT64_C(0xD50AD8BFF7273492), - UINT64_C(0xA06F7D1232E7C4BF), UINT64_C(0xFA0F61544C5CEA36) }, - { UINT64_C(0xF4FD9BED5FC49CFE), UINT64_C(0xD8CB45D1C9291678), - UINT64_C(0x94DB86CC7B92C9F2), UINT64_C(0x09CA5F3873C81169), - UINT64_C(0x109F40B0AEED06F0), UINT64_C(0x9F0360B214DCAA0A) } }, - { { UINT64_C(0x4189B70DE12AD3E7), UINT64_C(0x5208ADB210B06607), - UINT64_C(0xEBD8E2A2EE8497FA), UINT64_C(0x61B1BD67E04F2ECB), - UINT64_C(0x0E2DDA724F3F5F99), UINT64_C(0xD5D96740F747B16D) }, - { UINT64_C(0x308A48F6A6BF397F), UINT64_C(0x7021C3E523A93595), - UINT64_C(0xF10B022936470AA0), UINT64_C(0x7761E8EC4E03295B), - UINT64_C(0x16EFEF5807339770), UINT64_C(0x0D55D2DD5DA5DAA2) } }, - { { UINT64_C(0x915EA6A38A22F87A), UINT64_C(0x191151C12E5A088E), - UINT64_C(0x190252F17F1D5CBE), UINT64_C(0xE43F59C33B0EC99B), - UINT64_C(0xBE8588D4FF2A6135), UINT64_C(0x103877CC2ECB4B9F) }, - { UINT64_C(0x8F4147E5023CF92B), UINT64_C(0xC24384CC0CC2085B), - UINT64_C(0x6A2DB4A2D082D311), UINT64_C(0x06283811ED7BA9AE), - UINT64_C(0xE9A3F5322A8E1592), UINT64_C(0xAC20F0F45A59E894) } }, - { { UINT64_C(0x788CAA5274AAB4B1), UINT64_C(0xEB84ABA12FEAFC7E), - UINT64_C(0x31DA71DAAC04FF77), UINT64_C(0x39D12EB924E4D0BF), - UINT64_C(0x4F2F292F87A34EF8), UINT64_C(0x9B324372A237A8ED) }, - { UINT64_C(0xBB2D04B12EE3A82D), UINT64_C(0xED4FF367D18D36B2), - UINT64_C(0x99D231EEA6EA0138), UINT64_C(0x7C2D4F064F92E04A), - UINT64_C(0x78A82AB2CA272FD0), UINT64_C(0x7EC41340AB8CDC32) } }, - }, - { - { { UINT64_C(0xD23658C8D2E15A8C), UINT64_C(0x23F93DF716BA28CA), - UINT64_C(0x6DAB10EC082210F1), UINT64_C(0xFB1ADD91BFC36490), - UINT64_C(0xEDA8B02F9A4F2D14), UINT64_C(0x9060318C56560443) }, - { UINT64_C(0x6C01479E64711AB2), UINT64_C(0x41446FC7E337EB85), - UINT64_C(0x4DCF3C1D71888397), UINT64_C(0x87A9C04E13C34FD2), - UINT64_C(0xFE0E08EC510C15AC), UINT64_C(0xFC0D0413C0F495D2) } }, - { { UINT64_C(0xEB05C516156636C2), UINT64_C(0x2F613ABA090E93FC), - UINT64_C(0xCFD573CD489576F5), UINT64_C(0xE6535380535A8D57), - UINT64_C(0x13947314671436C4), UINT64_C(0x1172FB0C5F0A122D) }, - { UINT64_C(0xAECC7EC1C12F58F6), UINT64_C(0xFE42F9578E41AFD2), - UINT64_C(0xDF96F6523D4221AA), UINT64_C(0xFEF5649F2851996B), - UINT64_C(0x46FB9F26D5CFB67E), UINT64_C(0xB047BFC7EF5C4052) } }, - { { UINT64_C(0x5CBDC442F4484374), UINT64_C(0x6B156957F92452EF), - UINT64_C(0x58A26886C118D02A), UINT64_C(0x87FF74E675AAF276), - UINT64_C(0xB133BE95F65F6EC1), UINT64_C(0xA89B62844B1B8D32) }, - { UINT64_C(0xDD8A8EF309C81004), UINT64_C(0x7F8225DB0CF21991), - UINT64_C(0xD525A6DB26623FAF), UINT64_C(0xF2368D40BAE15453), - UINT64_C(0x55D6A84D84F89FC9), UINT64_C(0xAF38358A86021A3E) } }, - { { UINT64_C(0xBD048BDCFF52E280), UINT64_C(0x8A51D0B2526A1795), - UINT64_C(0x40AAA758A985AC0F), UINT64_C(0x6039BCDCF2C7ACE9), - UINT64_C(0x712092CC6AEC347D), UINT64_C(0x7976D0906B5ACAB7) }, - { UINT64_C(0x1EBCF80D6EED9617), UINT64_C(0xB3A63149B0F404A4), - UINT64_C(0x3FDD3D1AD0B610EF), UINT64_C(0xDD3F6F9498C28AC7), - UINT64_C(0x650B77943A59750F), UINT64_C(0xEC59BAB12D3991AC) } }, - { { UINT64_C(0x01F40E882E552766), UINT64_C(0x1FE3D50966F5354F), - UINT64_C(0x0E46D006B3A8EA7F), UINT64_C(0xF75AB629F831CD6A), - UINT64_C(0xDAD808D791465119), UINT64_C(0x442405AF17EF9B10) }, - { UINT64_C(0xD5FE0A96672BDFCB), UINT64_C(0xA9DFA422355DBDEC), - UINT64_C(0xFDB79AA179B25636), UINT64_C(0xE7F26FFDEECE8AEC), - UINT64_C(0xB59255507EDD5AA2), UINT64_C(0x2C8F6FF08EB3A6C2) } }, - { { UINT64_C(0x88887756757D6136), UINT64_C(0xAD9AC18388B92E72), - UINT64_C(0x92CB2FC48785D3EB), UINT64_C(0xD1A542FE9319764B), - UINT64_C(0xAF4CC78F626A62F8), UINT64_C(0x7F3F5FC926BFFAAE) }, - { UINT64_C(0x0A203D4340AE2231), UINT64_C(0xA8BFD9E0387898E8), - UINT64_C(0x1A0C379C474B7DDD), UINT64_C(0x03855E0A34FD49EA), - UINT64_C(0x02B26223B3EF4AE1), UINT64_C(0x804BD8CFE399E0A3) } }, - { { UINT64_C(0x11A9F3D0DE865713), UINT64_C(0x81E36B6BBDE98821), - UINT64_C(0x324996C86AA891D0), UINT64_C(0x7B95BDC1395682B5), - UINT64_C(0x47BF2219C1600563), UINT64_C(0x7A473F50643E38B4) }, - { UINT64_C(0x0911F50AF5738288), UINT64_C(0xDF947A706F9C415B), - UINT64_C(0xBDB994F267A067F6), UINT64_C(0x3F4BEC1B88BE96CD), - UINT64_C(0x9820E931E56DD6D9), UINT64_C(0xB138F14F0A80F419) } }, - { { UINT64_C(0xA11A1A8F0429077A), UINT64_C(0x2BB1E33D10351C68), - UINT64_C(0x3C25ABFE89459A27), UINT64_C(0x2D0091B86B8AC774), - UINT64_C(0xDAFC78533B2415D9), UINT64_C(0xDE713CF19201680D) }, - { UINT64_C(0x8E5F445D68889D57), UINT64_C(0x608B209C60EABF5B), - UINT64_C(0x10EC0ACCF9CFA408), UINT64_C(0xD5256B9D4D1EE754), - UINT64_C(0xFF866BAB0AA6C18D), UINT64_C(0x9D196DB8ACB90A45) } }, - { { UINT64_C(0xA46D76A9B9B081B2), UINT64_C(0xFC743A1062163C25), - UINT64_C(0xCD2A5C8D7761C392), UINT64_C(0x39BDDE0BBE808583), - UINT64_C(0x7C416021B98E4DFE), UINT64_C(0xF930E56365913A44) }, - { UINT64_C(0xC3555F7E7585CF3C), UINT64_C(0xC737E3833D6333D5), - UINT64_C(0x5B60DBA4B430B03D), UINT64_C(0x42B715EBE7555404), - UINT64_C(0x571BDF5B7C7796E3), UINT64_C(0x33DC62C66DB6331F) } }, - { { UINT64_C(0x3FB9CCB0E61DEE59), UINT64_C(0xC5185F2318B14DB9), - UINT64_C(0x1B2ADC4F845EF36C), UINT64_C(0x195D5B505C1A33AB), - UINT64_C(0x8CEA528E421F59D2), UINT64_C(0x7DFCCECFD2931CEA) }, - { UINT64_C(0x51FFA1D58CF7E3F7), UINT64_C(0xF01B7886BDC9FB43), - UINT64_C(0xD65AB610261A0D35), UINT64_C(0x84BCBAFD7574A554), - UINT64_C(0x4B119956FAD70208), UINT64_C(0xDDC329C24FAB5243) } }, - { { UINT64_C(0x1A08AA579CE92177), UINT64_C(0x3395E557DC2B5C36), - UINT64_C(0xFDFE7041394ED04E), UINT64_C(0xB797EB24C6DFCDDE), - UINT64_C(0x284A6B2ACB9DE5D6), UINT64_C(0xE0BD95C807222765) }, - { UINT64_C(0x114A951B9FE678A7), UINT64_C(0xE7ECD0BD9E4954EC), - UINT64_C(0x7D4096FE79F0B8A9), UINT64_C(0xBDB26E9A09724FE2), - UINT64_C(0x08741AD8F787AF95), UINT64_C(0x2BF9727224045AD8) } }, - { { UINT64_C(0xAB1FEDD9A9451D57), UINT64_C(0xDF4D91DF483E38C9), - UINT64_C(0x2D54D31124E9CF8E), UINT64_C(0x9C2A5AF87A22EEB6), - UINT64_C(0xBD9861EF0A43F123), UINT64_C(0x581EA6A238A18B7B) }, - { UINT64_C(0xAF339C85296470A3), UINT64_C(0xF9603FCDAFD8203E), - UINT64_C(0x95D0535096763C28), UINT64_C(0x15445C16860EC831), - UINT64_C(0x2AFB87286867A323), UINT64_C(0x4B152D6D0C4838BF) } }, - { { UINT64_C(0x45BA0E4F837CACBA), UINT64_C(0x7ADB38AEC0725275), - UINT64_C(0x19C82831942D3C28), UINT64_C(0x94F4731D6D0FE7DD), - UINT64_C(0xC3C07E134898F1E6), UINT64_C(0x76350EACED410B51) }, - { UINT64_C(0x0FA8BECAF99AACFC), UINT64_C(0x2834D86F65FAF9CF), - UINT64_C(0x8E62846A6F3866AF), UINT64_C(0xDAA9BD4F3DFD6A2B), - UINT64_C(0xC27115BBA6132655), UINT64_C(0x83972DF7BD5A32C2) } }, - { { UINT64_C(0xA330CB5BD513B825), UINT64_C(0xAE18B2D3EE37BEC3), - UINT64_C(0xFC3AB80AF780A902), UINT64_C(0xD7835BE2D607DDF1), - UINT64_C(0x8120F7675B6E4C2B), UINT64_C(0xAA8C385967E78CCB) }, - { UINT64_C(0xA8DA8CE2AA0ED321), UINT64_C(0xCB8846FDD766341A), - UINT64_C(0xF2A342EE33DC9D9A), UINT64_C(0xA519E0BED0A18A80), - UINT64_C(0x9CDAA39CAF48DF4C), UINT64_C(0xA4B500CA7E0C19EE) } }, - { { UINT64_C(0x83A7FD2F8217001B), UINT64_C(0x4F6FCF064296A8BA), - UINT64_C(0x7D74864391619927), UINT64_C(0x174C1075941E4D41), - UINT64_C(0x037EDEBDA64F5A6C), UINT64_C(0xCF64DB3A6E29DC56) }, - { UINT64_C(0x150B3ACE37C0B9F4), UINT64_C(0x1323234A7168178B), - UINT64_C(0x1CE47014EF4D1879), UINT64_C(0xA22E374217FB4D5C), - UINT64_C(0x69B81822D985F794), UINT64_C(0x199C21C4081D7214) } }, - { { UINT64_C(0x160BC7A18F04B4D2), UINT64_C(0x79CA81DDB10DE174), - UINT64_C(0xE2A280B02DA1E9C7), UINT64_C(0xB4F6BD991D6A0A29), - UINT64_C(0x57CF3EDD1C5B8F27), UINT64_C(0x7E34FC57158C2FD4) }, - { UINT64_C(0x828CFD89CAC93459), UINT64_C(0x9E631B6FB7AF499F), - UINT64_C(0xF4DC8BC0DA26C135), UINT64_C(0x6128ED3937186735), - UINT64_C(0xBB45538B67BF0BA5), UINT64_C(0x1ADDD4C10064A3AB) } }, - }, - { - { { UINT64_C(0xC32730E8DD14D47E), UINT64_C(0xCDC1FD42C0F01E0F), - UINT64_C(0x2BACFDBF3F5CD846), UINT64_C(0x45F364167272D4DD), - UINT64_C(0xDD813A795EB75776), UINT64_C(0xB57885E450997BE2) }, - { UINT64_C(0xDA054E2BDB8C9829), UINT64_C(0x4161D820AAB5A594), - UINT64_C(0x4C428F31026116A3), UINT64_C(0x372AF9A0DCD85E91), - UINT64_C(0xFDA6E903673ADC2D), UINT64_C(0x4526B8ACA8DB59E6) } }, - { { UINT64_C(0x68FE359DE23A8472), UINT64_C(0x43EB12BD4CE3C101), - UINT64_C(0x0EC652C3FC704935), UINT64_C(0x1EEFF1F952E4E22D), - UINT64_C(0xBA6777CB083E3ADA), UINT64_C(0xAB52D7DC8BEFC871) }, - { UINT64_C(0x4EDE689F497CBD59), UINT64_C(0xC8AE42B927577DD9), - UINT64_C(0xE0F080517AB83C27), UINT64_C(0x1F3D5F252C8C1F48), - UINT64_C(0x57991607AF241AAC), UINT64_C(0xC4458B0AB8A337E0) } }, - { { UINT64_C(0x3DBB3FA651DD1BA9), UINT64_C(0xE53C1C4D545E960B), - UINT64_C(0x35AC6574793CE803), UINT64_C(0xB2697DC783DBCE4F), - UINT64_C(0xE35C5BF2E13CF6B0), UINT64_C(0x35034280B0C4A164) }, - { UINT64_C(0xAA490908D9C0D3C1), UINT64_C(0x2CCE614DCB4D2E90), - UINT64_C(0xF646E96C54D504E4), UINT64_C(0xD74E7541B73310A3), - UINT64_C(0xEAD7159618BDE5DA), UINT64_C(0x96E7F4A8AA09AEF7) } }, - { { UINT64_C(0xA8393A245D6E5F48), UINT64_C(0x2C8D7EA2F9175CE8), - UINT64_C(0xD8824E0255A20268), UINT64_C(0x9DD9A272A446BCC6), - UINT64_C(0xC929CDED5351499B), UINT64_C(0xEA5AD9ECCFE76535) }, - { UINT64_C(0x26F3D7D9DC32D001), UINT64_C(0x51C3BE8343EB9689), - UINT64_C(0x91FDCC06759E6DDB), UINT64_C(0xAC2E1904E302B891), - UINT64_C(0xAD25C645C207E1F7), UINT64_C(0x28A70F0DAB3DEB4A) } }, - { { UINT64_C(0x922D7F9703BEA8F1), UINT64_C(0x3AD820D4584570BE), - UINT64_C(0x0CE0A8503CD46B43), UINT64_C(0x4C07911FAE66743D), - UINT64_C(0x66519EB9FDA60023), UINT64_C(0x7F83004BEC2ACD9C) }, - { UINT64_C(0x001E0B80C3117EAD), UINT64_C(0xBB72D5410722BA25), - UINT64_C(0x3AF7DB966E9A5078), UINT64_C(0x86C5774E701B6B4C), - UINT64_C(0xBD2C0E8E37824DB5), UINT64_C(0x3AE3028CBFAC286D) } }, - { { UINT64_C(0x83D4D4A8A33E071B), UINT64_C(0x881C0A9261444BB5), - UINT64_C(0xEEA1E292520E3BC3), UINT64_C(0x5A5F4C3C2AAAB729), - UINT64_C(0x0B766C5EE63C7C94), UINT64_C(0x62BB8A9FBB2CC79C) }, - { UINT64_C(0x97ADC7D2AA5DC49D), UINT64_C(0x30CC26B331718681), - UINT64_C(0xAC86E6FF56E86EDE), UINT64_C(0x37BCA7A2CD52F7F2), - UINT64_C(0x734D2C949CE6D87F), UINT64_C(0x06A71D71C2F7E0CA) } }, - { { UINT64_C(0x559DCF75C6357D33), UINT64_C(0x4616D940652517DE), - UINT64_C(0x3D576B981CCF207B), UINT64_C(0x51E2D1EF1979F631), - UINT64_C(0x57517DDD06AE8296), UINT64_C(0x309A3D7FD6E7151F) }, - { UINT64_C(0xBA2A23E60E3A6FE5), UINT64_C(0x76CF674AD28B22C3), - UINT64_C(0xD235AD07F8B808C3), UINT64_C(0x7BBF4C586B71213A), - UINT64_C(0x0676792E93271EBB), UINT64_C(0x2CFD2C7605B1FC31) } }, - { { UINT64_C(0x4258E5C037A450F5), UINT64_C(0xC3245F1B52D2B118), - UINT64_C(0x6DF7B48482BC5963), UINT64_C(0xE520DA4D9C273D1E), - UINT64_C(0xED78E0122C3010E5), UINT64_C(0x112229483C1D4C05) }, - { UINT64_C(0xE3DAE5AFC692B490), UINT64_C(0x3272BD10C197F793), - UINT64_C(0xF7EAE411E709ACAA), UINT64_C(0x00B0C95F778270A6), - UINT64_C(0x4DA76EE1220D4350), UINT64_C(0x521E1461AB71E308) } }, - { { UINT64_C(0x7B654323343196A3), UINT64_C(0x35D442ADB0C95250), - UINT64_C(0x38AF50E6E264FF17), UINT64_C(0x28397A412030D2EA), - UINT64_C(0x8F1D84E9F74EEDA1), UINT64_C(0xD521F92DE6FB3C52) }, - { UINT64_C(0xAF358D7795733811), UINT64_C(0xEBFDDD0193ABFE94), - UINT64_C(0x05D8A028D18D99DE), UINT64_C(0x5A664019B5D5BDD9), - UINT64_C(0x3DF172822AA12FE8), UINT64_C(0xB42E006FB889A28E) } }, - { { UINT64_C(0xCF10E97DBC35CB1A), UINT64_C(0xC70A7BBD994DEDC5), - UINT64_C(0x76A5327C37D04FB9), UINT64_C(0x87539F76A76E0CDA), - UINT64_C(0xE9FE493FCD60A6B1), UINT64_C(0xA4574796132F01C0) }, - { UINT64_C(0xC43B85EBDB70B167), UINT64_C(0x81D5039A98551DFA), - UINT64_C(0x6B56FBE91D979FA4), UINT64_C(0x49714FD78615098F), - UINT64_C(0xB10E1CEA94DECAB5), UINT64_C(0x8342EBA3480EF6E3) } }, - { { UINT64_C(0xE1E030B0B3677288), UINT64_C(0x2978174C8D5CE3AF), - UINT64_C(0xAFC0271CF7B2DE98), UINT64_C(0x745BC6F3B99C20B5), - UINT64_C(0x9F6EDCED1E3BB4E5), UINT64_C(0x58D3EE4E73C8C1FC) }, - { UINT64_C(0x1F3535F47FD30124), UINT64_C(0xF366AC705FA62502), - UINT64_C(0x4C4C1FDD965363FE), UINT64_C(0x8B2C77771DE2CA2B), - UINT64_C(0x0CB54743882F1173), UINT64_C(0x94B6B8C071343331) } }, - { { UINT64_C(0x75AF014165B8B35B), UINT64_C(0x6D7B84854670A1F5), - UINT64_C(0x6EAA3A47A3B6D376), UINT64_C(0xD7E673D2CB3E5B66), - UINT64_C(0xC0338E6C9589AB38), UINT64_C(0x4BE26CB309440FAA) }, - { UINT64_C(0x82CB05E7394F9AA3), UINT64_C(0xC45C8A8A7F7792EA), - UINT64_C(0x37E5E33BB687DC70), UINT64_C(0x63853219DFE48E49), - UINT64_C(0x087951C16D0E5C8C), UINT64_C(0x7696A8C72BC27310) } }, - { { UINT64_C(0xA05736D5B67E834A), UINT64_C(0xDD2AA0F29098D42A), - UINT64_C(0x09F0C1D849C69DDC), UINT64_C(0x81F8BC1C8FF0F0F3), - UINT64_C(0x36FD3A4F03037775), UINT64_C(0x8286717D4B06DF5C) }, - { UINT64_C(0xB878F496A9079EA2), UINT64_C(0xA5642426D7DC796D), - UINT64_C(0x29B9351A67FDAC2B), UINT64_C(0x93774C0E1D543CDE), - UINT64_C(0x4F8793BA1A8E31C4), UINT64_C(0x7C9F3F3A6C94798A) } }, - { { UINT64_C(0x23C5AD11CB8ECDB8), UINT64_C(0x1E88D25E485A6A02), - UINT64_C(0xB27CBE84F1E268AE), UINT64_C(0xDDA80238F4CD0475), - UINT64_C(0x4F88857B49F8EB1B), UINT64_C(0x91B1221F52FB07F9) }, - { UINT64_C(0x7CE974608637FA67), UINT64_C(0x528B3CF4632198D8), - UINT64_C(0x33365AB3F6623769), UINT64_C(0x6FEBCFFF3A83A30F), - UINT64_C(0x398F4C999BD341EB), UINT64_C(0x180712BBB33A333C) } }, - { { UINT64_C(0x2B8655A2D93429E7), UINT64_C(0x99D600BB75C8B9EE), - UINT64_C(0x9FC1AF8B88FCA6CD), UINT64_C(0x2FB533867C311F80), - UINT64_C(0x20743ECBE8A71EEE), UINT64_C(0xEC3713C4E848B49E) }, - { UINT64_C(0x5B2037B5BB886817), UINT64_C(0x40EF5AC2307DBAF4), - UINT64_C(0xC2888AF21B3F643D), UINT64_C(0x0D8252E19D5A4190), - UINT64_C(0x06CC0BEC2DB52A8A), UINT64_C(0xB84B98EAAB94E969) } }, - { { UINT64_C(0x2E7AC078A0321E0E), UINT64_C(0x5C5A1168EF3DAAB6), - UINT64_C(0xD2D573CBADDD454A), UINT64_C(0x27E149E236259CC7), - UINT64_C(0x1EDFD469A63F47F1), UINT64_C(0x039AD674F1BD2CFD) }, - { UINT64_C(0xBFA633FC3077D3CC), UINT64_C(0x14A7C82F2FD64E9F), - UINT64_C(0xAAA650149D824999), UINT64_C(0x41AB113B21760F2E), - UINT64_C(0x23E646C51CAE260A), UINT64_C(0x08062C8F68DC5159) } }, - }, - { - { { UINT64_C(0x2E7D0A16204BE028), UINT64_C(0x4F1D082ED0E41851), - UINT64_C(0x15F1DDC63EB317F9), UINT64_C(0xF02750715ADF71D7), - UINT64_C(0x2CE33C2EEE858BC3), UINT64_C(0xA24C76D1DA73B71A) }, - { UINT64_C(0x9EF6A70A6C70C483), UINT64_C(0xEFCF170505CF9612), - UINT64_C(0x9F5BF5A67502DE64), UINT64_C(0xD11122A1A4701973), - UINT64_C(0x82CFAAC2A2EA7B24), UINT64_C(0x6CAD67CC0A4582E1) } }, - { { UINT64_C(0x597A26FFB4DC8600), UINT64_C(0x264A09F3F9288555), - UINT64_C(0x0B06AFF65C27F5F6), UINT64_C(0xCE5AB665D8D544E6), - UINT64_C(0x92F031BE99275C32), UINT64_C(0xAF51C5BBF42E0E7C) }, - { UINT64_C(0x5BB28B061E37B36D), UINT64_C(0x583FBA6A8473543A), - UINT64_C(0xE73FD299F93FB7DC), UINT64_C(0xFCD999A86E2CCAD9), - UINT64_C(0xB8C8A6DF334D4F57), UINT64_C(0x5ADB28DD9A2ACC9B) } }, - { { UINT64_C(0x5ADF3D9A111792B9), UINT64_C(0x1C77A3054F1E0D09), - UINT64_C(0xF9FBCE33A82D3736), UINT64_C(0xF307823E718C8AA3), - UINT64_C(0x860578CF416CCF69), UINT64_C(0xB942ADD81EF8465B) }, - { UINT64_C(0x9EE0CF97CD9472E1), UINT64_C(0xE6792EEFB01528A8), - UINT64_C(0xF99B9A8DC09DA90B), UINT64_C(0x1F521C2DCBF3CCB8), - UINT64_C(0x6BF6694891A62632), UINT64_C(0xCC7A9CEB854FE9DA) } }, - { { UINT64_C(0x46303171491CCB92), UINT64_C(0xA80A8C0D2771235B), - UINT64_C(0xD8E497FFF172C7CF), UINT64_C(0x7F7009D735B193CF), - UINT64_C(0x6B9FD3F7F19DF4BC), UINT64_C(0xADA548C3B46F1E37) }, - { UINT64_C(0x87C6EAA9C7A20270), UINT64_C(0xEF2245D6AE78EF99), - UINT64_C(0x2A121042539EAB95), UINT64_C(0x29A6D5D779B8F5CC), - UINT64_C(0x33803A10B77840DC), UINT64_C(0xFEDD3A7011A6A30F) } }, - { { UINT64_C(0xFA070E22142403D1), UINT64_C(0x68FF316015C6F7F5), - UINT64_C(0xE09F04E6223A0CE8), UINT64_C(0x22BBD01853E14183), - UINT64_C(0x35D9FAFCCF45B75B), UINT64_C(0x3A34819D7ECEEC88) }, - { UINT64_C(0xD9CF7568D33262D2), UINT64_C(0x431036D5841D1505), - UINT64_C(0x0C8005659EB2A79A), UINT64_C(0x8E77D9F05F7EDC6A), - UINT64_C(0x19E12D0565E800AA), UINT64_C(0x335C8D36B7784E7C) } }, - { { UINT64_C(0x8B2FC4E96484FD40), UINT64_C(0xEE702764A35D24EA), - UINT64_C(0x15B28AC7B871C3F3), UINT64_C(0x805B4048E097047F), - UINT64_C(0xD6F1B8DF647CAD2F), UINT64_C(0xF1D5B458DC7DD67F) }, - { UINT64_C(0x324C529C25148803), UINT64_C(0xF6185EBE21274FAF), - UINT64_C(0xAF14751E95148B55), UINT64_C(0x283ED89D28F284F4), - UINT64_C(0x93AD20E74CBEBF1A), UINT64_C(0x5F6EC65D882935E1) } }, - { { UINT64_C(0xE222EBA4A4DCEFE9), UINT64_C(0x63AD235FEC1CEB74), - UINT64_C(0x2E0BF749E05B18E7), UINT64_C(0x547BD050B48BDD87), - UINT64_C(0x0490C970F5AA2FC4), UINT64_C(0xCED5E4CF2B431390) }, - { UINT64_C(0x07D8270451D2898E), UINT64_C(0x44B72442083B57D4), - UINT64_C(0xA4ADA2305037FCE8), UINT64_C(0x55F7905E50510DA6), - UINT64_C(0xD8EE724F8D890A98), UINT64_C(0x925A8E7C11B85640) } }, - { { UINT64_C(0x5BFA10CD1CA459ED), UINT64_C(0x593F085A6DCF56BF), - UINT64_C(0xE6F0AD9BC0579C3E), UINT64_C(0xC11C95A22527C1AD), - UINT64_C(0x7CFA71E1CF1CB8B3), UINT64_C(0xEDCFF8331D6DC79D) }, - { UINT64_C(0x581C4BBE432521C9), UINT64_C(0xBF620096144E11A0), - UINT64_C(0x54C38B71BE3A107B), UINT64_C(0xED555E37E2606EC0), - UINT64_C(0x3FB148B8D721D034), UINT64_C(0x79D53DAD0091BC90) } }, - { { UINT64_C(0xE32068C5B7082C80), UINT64_C(0x4140FFD27A144E22), - UINT64_C(0x5811D2F09EDD9E86), UINT64_C(0xCDD79B5FC572C465), - UINT64_C(0x3563FED1C97BF450), UINT64_C(0x985C1444F2CE5C9C) }, - { UINT64_C(0x260AE79799950F1C), UINT64_C(0x659F4F40765E9DED), - UINT64_C(0x2A412D662E3BC286), UINT64_C(0xE865E62CF87E0C82), - UINT64_C(0xD63D3A9A6C05E7D7), UINT64_C(0x96725D678686F89A) } }, - { { UINT64_C(0xC99A5E4CAB7EA0F5), UINT64_C(0xC9860A1AC5393FA9), - UINT64_C(0x9ED83CEE8FDEEFC0), UINT64_C(0xE3EA8B4C5ED6869A), - UINT64_C(0x89A85463D2EED3A9), UINT64_C(0x2CD91B6DE421A622) }, - { UINT64_C(0x6FEC1EF32C91C41D), UINT64_C(0xB1540D1F8171037D), - UINT64_C(0x4FE4991A1C010E5B), UINT64_C(0x28A3469FFC1C7368), - UINT64_C(0xE1EEECD1AF118781), UINT64_C(0x1BCCB97799EF3531) } }, - { { UINT64_C(0x63D3B638C4DAB7B8), UINT64_C(0xD92133B63F7F5BAB), - UINT64_C(0x2573EE2009FB6069), UINT64_C(0x771FABDF890A1686), - UINT64_C(0x1D0BA21FA77AFFF5), UINT64_C(0x83145FCCBA3DD2C0) }, - { UINT64_C(0xFA073A812D115C20), UINT64_C(0x6AB7A9D319176F27), - UINT64_C(0xAF62CF939AC639EE), UINT64_C(0xF73848B92CCD1319), - UINT64_C(0x3B6132343C71659D), UINT64_C(0xF8E0011C10AB3826) } }, - { { UINT64_C(0x0501F0360282FFA5), UINT64_C(0xC39A5CF4D9E0F15A), - UINT64_C(0x48D8C7299A3D1F3C), UINT64_C(0xB5FC136B64E18EDA), - UINT64_C(0xE81B53D97E58FEF0), UINT64_C(0x0D534055F7B0F28D) }, - { UINT64_C(0x47B8DE127A80619B), UINT64_C(0x60E2A2B381F9E55D), - UINT64_C(0x6E9624D7CF564CC5), UINT64_C(0xFDF18A216BDEDFFF), - UINT64_C(0x3787DE38C0D5FC82), UINT64_C(0xCBCAA347497A6B11) } }, - { { UINT64_C(0x6E7EF35EB226465A), UINT64_C(0x4B4699195F8A2BAF), - UINT64_C(0x44B3A3CF1120D93F), UINT64_C(0xB052C8B668F34AD1), - UINT64_C(0x27EC574BEF7632DD), UINT64_C(0xAEBEA108685DE26F) }, - { UINT64_C(0xDA33236BE39424B6), UINT64_C(0xB1BD94A9EBCC22AD), - UINT64_C(0x6DDEE6CC2CDFB5D5), UINT64_C(0xBDAED9276F14069A), - UINT64_C(0x2ADE427C2A247CB7), UINT64_C(0xCE96B436ED156A40) } }, - { { UINT64_C(0xDDDCA36081F3F819), UINT64_C(0x4AF4A49FD419B96A), - UINT64_C(0x746C65257CB966B9), UINT64_C(0x01E390886F610023), - UINT64_C(0x05ECB38D98DD33FC), UINT64_C(0x962B971B8F84EDF4) }, - { UINT64_C(0xEB32C0A56A6F2602), UINT64_C(0xF026AF71562D60F2), - UINT64_C(0xA9E246BF84615FAB), UINT64_C(0xAD96709275DBAE01), - UINT64_C(0xBF97C79B3ECE5D07), UINT64_C(0xE06266C774EAA3D3) } }, - { { UINT64_C(0x161A01572E6DBB6E), UINT64_C(0xB8AF490460FA8F47), - UINT64_C(0xE4336C4400197F22), UINT64_C(0xF811AFFA9CEDCE0E), - UINT64_C(0xB1DD7685F94C2EF1), UINT64_C(0xEEDC0F4BCA957BB0) }, - { UINT64_C(0xD319FD574AA76BB1), UINT64_C(0xB3525D7C16CD7CCB), - UINT64_C(0x7B22DA9CA97DD072), UINT64_C(0x99DB84BD38A83E71), - UINT64_C(0x4939BC8DC0EDD8BE), UINT64_C(0x06D524EA903A932C) } }, - { { UINT64_C(0x4BC950EC0E31F639), UINT64_C(0xB7ABD3DC6016BE30), - UINT64_C(0x3B0F44736703DAD0), UINT64_C(0xCC405F8B0AC1C4EA), - UINT64_C(0x9BED5E57176C3FEE), UINT64_C(0xF452481036AE36C2) }, - { UINT64_C(0xC1EDBB8315D7B503), UINT64_C(0x943B1156E30F3657), - UINT64_C(0x984E9EEF98377805), UINT64_C(0x291AE7AC36CF1DEB), - UINT64_C(0xFED8748CA9F66DF3), UINT64_C(0xECA758BBFEA8FA5D) } }, - }, - { - { { UINT64_C(0xACC787EF2DD1B249), UINT64_C(0x736E1030D82976F1), - UINT64_C(0x0A6940FAA01B3649), UINT64_C(0xE00B926BC42341E7), - UINT64_C(0x911508D0DE8FFD6C), UINT64_C(0x4DCF8D465276B0CB) }, - { UINT64_C(0x23AD0A90CC3CAD8D), UINT64_C(0x2A92E54CADED962A), - UINT64_C(0x93FBEC4DF231BFAF), UINT64_C(0x9544BC774798987A), - UINT64_C(0x48084E2508E29F60), UINT64_C(0x0C0D2F4332DE5869) } }, - { { UINT64_C(0x6778F9703A9ABC13), UINT64_C(0xFD014FAC3D2B166B), - UINT64_C(0x1FE4FC783C6FED60), UINT64_C(0x04295FA8AA7C69C5), - UINT64_C(0xA01DE56D7C123175), UINT64_C(0x0FA0D3A83D9A713A) }, - { UINT64_C(0xA7A6E5E3E3E08ADD), UINT64_C(0xBD77E94B1AC58F85), - UINT64_C(0x078F6FD2B7321A9C), UINT64_C(0x9564601E911EF6D9), - UINT64_C(0x31C5C1B2415C6BEF), UINT64_C(0xE6C0C91ED3212C62) } }, - { { UINT64_C(0xBA7BD23C0D16022F), UINT64_C(0xE9CF4750198BE288), - UINT64_C(0x304E316947DEEC65), UINT64_C(0xCF65B41F96EEB288), - UINT64_C(0x17E99C17927E9E3B), UINT64_C(0x82225546F6630A80) }, - { UINT64_C(0x15122B8ACA067BD9), UINT64_C(0xE2673205B77B4E98), - UINT64_C(0x130375659407CA63), UINT64_C(0x53624F548B621602), - UINT64_C(0x96AF2CB1EAE4BD06), UINT64_C(0x576ECD1C8FA20829) } }, - { { UINT64_C(0xA551CE107E02D2D0), UINT64_C(0x1584ED249D13DBC7), - UINT64_C(0x082017AD4DA7B6D8), UINT64_C(0x81918A8FE054BC48), - UINT64_C(0x677DB48E572DC384), UINT64_C(0x2EF822966155484C) }, - { UINT64_C(0xC3DB14C641B9C231), UINT64_C(0x910A87D14A766192), - UINT64_C(0x93D5CC8610AB8E0F), UINT64_C(0x4194D548AE57CA1B), - UINT64_C(0xFAF3A1D6267FC37A), UINT64_C(0x70EC236413B87C97) } }, - { { UINT64_C(0x064B565B5E12756A), UINT64_C(0x953B7BD1AE49C98E), - UINT64_C(0xE0CE8284F7001D91), UINT64_C(0x1546060BF31108D0), - UINT64_C(0xDBC2C3F46779B6E2), UINT64_C(0x157AA47DE0DD07CF) }, - { UINT64_C(0xBF4A1C6FF23B261E), UINT64_C(0x5B8EED30654F4BE5), - UINT64_C(0xDF5896D36B20CCD8), UINT64_C(0x56920E2C559ED23D), - UINT64_C(0x901F342EFA6E3E27), UINT64_C(0x745C747C896CA082) } }, - { { UINT64_C(0xDBCCD5752944EC84), UINT64_C(0x54A2A935A5FF65FE), - UINT64_C(0x88C92A5E1A1319B6), UINT64_C(0x9537C28F82DA96C1), - UINT64_C(0xB683647435F93C46), UINT64_C(0xEC526A1D65B0846C) }, - { UINT64_C(0x6F12AFBDF382C412), UINT64_C(0x5EBC81D89E99FA06), - UINT64_C(0x97B5D672869B93BD), UINT64_C(0x2983C310377E12AA), - UINT64_C(0x4875968124D681EA), UINT64_C(0x1E0BD106287FD767) } }, - { { UINT64_C(0x0AC75A3E7231247F), UINT64_C(0x65C20DE6EF27AD3A), - UINT64_C(0x87EB6CF1BD02EEE5), UINT64_C(0x264ACA7A00147E03), - UINT64_C(0xEBC78581AE2A9437), UINT64_C(0x9929964E6316BFA5) }, - { UINT64_C(0xDC09E0409AF207EF), UINT64_C(0x3ECFFE2D0C9D8658), - UINT64_C(0x547EA735DFB43D38), UINT64_C(0x5485247BD04B1B20), - UINT64_C(0xB18D3F02BFD8B609), UINT64_C(0xEEB3E805CCE73705) } }, - { { UINT64_C(0xDAB1A525DB93850F), UINT64_C(0x18ADAA238365B7D5), - UINT64_C(0x58485C90113FC8C7), UINT64_C(0x80C3DBB9348AD323), - UINT64_C(0xAF892FB5E16ADCA1), UINT64_C(0x2183C879979F005A) }, - { UINT64_C(0x20FA1A940643A99E), UINT64_C(0x2741221C1A1609CB), - UINT64_C(0x1C1687E53C2FBDDC), UINT64_C(0xDCCF329ED420D6CF), - UINT64_C(0x75D5577D2B7197D1), UINT64_C(0x4C3C3875C8729D9C) } }, - { { UINT64_C(0x5E79F995E5CBDCB9), UINT64_C(0x03139824A742FCC7), - UINT64_C(0x6D0C214A239EF4A1), UINT64_C(0x53A27952401A2944), - UINT64_C(0xF42A1B34C10BCDF0), UINT64_C(0x426BAA437CF38061) }, - { UINT64_C(0x16A53139A96AD0C8), UINT64_C(0x627F1D316BAD5301), - UINT64_C(0x5AF748774ACCD627), UINT64_C(0x3C58A1C5B55B0FB8), - UINT64_C(0xFAA57B91F4399A6A), UINT64_C(0xBAD283FBC28094B8) } }, - { { UINT64_C(0xBA32AC6183E10A93), UINT64_C(0x1C91F6B4EC06BDB0), - UINT64_C(0x42E6CFBC65F60C93), UINT64_C(0xEFE33BC82C0CDCBE), - UINT64_C(0xE0FE1D094D6414F2), UINT64_C(0x4C11231676FA5C5B) }, - { UINT64_C(0x812C1DC62E26200A), UINT64_C(0xD6C413C5EE879D25), - UINT64_C(0xBEADE255BCA8BAFE), UINT64_C(0x0EAF4AE2CE2BA0E7), - UINT64_C(0x66E9FFB0C4F4408A), UINT64_C(0xB36A86D79782C7AD) } }, - { { UINT64_C(0x10FCD1F4BAD8D1C7), UINT64_C(0xC903816A4502F645), - UINT64_C(0x7FAC1CC1A503B895), UINT64_C(0x8BCD60410778900C), - UINT64_C(0x5A5F22025BCF2784), UINT64_C(0x9B157E8710EDB896) }, - { UINT64_C(0x4C58DA69F602A8B1), UINT64_C(0xD55132F859EC9D7E), - UINT64_C(0x155B719AA26D4870), UINT64_C(0x25AAFCA336441746), - UINT64_C(0x01F83338DD3B6B30), UINT64_C(0xD52BB5C1551917CC) } }, - { { UINT64_C(0xA0B6207B6135066A), UINT64_C(0xB3409F842AEC8CBD), - UINT64_C(0x5EBFD43619D87DF0), UINT64_C(0xCB4C209BE8526DE2), - UINT64_C(0xD764085B21E1A230), UINT64_C(0x96F915540899964A) }, - { UINT64_C(0xB0BEC8EFA57D122A), UINT64_C(0xC572EC565D9D0B33), - UINT64_C(0xEBE2A780CFA7C72C), UINT64_C(0x52D40CDB9EF3295C), - UINT64_C(0x640045840DE74DFE), UINT64_C(0xA6846432C0809716) } }, - { { UINT64_C(0x0D09E8CD02C979BC), UINT64_C(0xEC4B21F6409F4F2A), - UINT64_C(0x68125C7013FB07CA), UINT64_C(0x1C4CFC176FDFA72A), - UINT64_C(0xC9E71B9E04539FCD), UINT64_C(0x94B7103D8BA70797) }, - { UINT64_C(0x6B81E82FB33FDE83), UINT64_C(0x7CA9A8CAEABAFD4B), - UINT64_C(0xADD85A67EAB819CE), UINT64_C(0xAEC2548398E99FFC), - UINT64_C(0x938D6440274A07B6), UINT64_C(0x0A5C7097564A6AA0) } }, - { { UINT64_C(0x7284FF502F4FCEB6), UINT64_C(0x0A28715A78D0D5CB), - UINT64_C(0xE70B7014BFCE187C), UINT64_C(0xA6B538F57A17148D), - UINT64_C(0x1DAB07C9DD427166), UINT64_C(0x5C5578B0149D23CA) }, - { UINT64_C(0x875E2056875B5EDE), UINT64_C(0xCBF44B6D02C893B9), - UINT64_C(0x5715A77E5C2993FB), UINT64_C(0xAF3281463410597E), - UINT64_C(0x65DF418F42DC49DF), UINT64_C(0x7AC9C720A9EE52F6) } }, - { { UINT64_C(0xB1C9AA0762955486), UINT64_C(0xCBF35BE3245061D7), - UINT64_C(0x811E1BD38CF4DDC0), UINT64_C(0xD9D4589C948F7C84), - UINT64_C(0x30D09A0FCB0F996D), UINT64_C(0x1A1B3B7A590E7704) }, - { UINT64_C(0xA848E3492082768D), UINT64_C(0x9FEBD4929A249DF4), - UINT64_C(0x503420AF5F20439A), UINT64_C(0x0CBE52B68E2BFCD4), - UINT64_C(0xB1D5E261118C91B2), UINT64_C(0x93CFF6DA71D8F2BC) } }, - { { UINT64_C(0x5F5BC06B8AB58944), UINT64_C(0xE4BED5384979882D), - UINT64_C(0x57C30362D79B0EB1), UINT64_C(0x391AE2C1EF7C56D8), - UINT64_C(0x28BC2E97ADD98625), UINT64_C(0xFA8E86B81B257107) }, - { UINT64_C(0x5E4859F86118C715), UINT64_C(0x91C83324524C71DD), - UINT64_C(0xFB2092436D2F5E6D), UINT64_C(0x6B4FE21F2A900A43), - UINT64_C(0x241F75D632A73C1F), UINT64_C(0xF5BC46295AE89613) } }, + SECStatus res = SECSuccess; + if (!pt || !pt->data) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + res = SECFailure; + return res; } -}; - -/*- - * Finite field inversion. - * Computed with Bernstein-Yang algorithm. - * https://tches.iacr.org/index.php/TCHES/article/view/8298 - * Based on https://github.com/mit-plv/fiat-crypto/tree/master/inversion/c - * NB: this is not a real fiat-crypto function, just named that way for consistency. - */ -static void -fiat_secp384r1_inv(fe_t output, const fe_t t1) -{ - int i; - fe_t v1, r1, v2; - limb_t *r2 = output; - limb_t f1[LIMB_CNT + 1], g1[LIMB_CNT + 1], f2[LIMB_CNT + 1], - g2[LIMB_CNT + 1]; - limb_t d2, d1 = 1; - - fe_copy(g1, t1); - g1[LIMB_CNT] = 0; - fe_copy(f1, const_psat); - f1[LIMB_CNT] = 0; - fe_copy(r1, const_one); - fe_set_zero(v1); - /* 1110 divstep iterations */ - for (i = 0; i < 555; i++) { - fiat_secp384r1_divstep(&d2, f2, g2, v2, r2, d1, f1, g1, v1, r1); - fiat_secp384r1_divstep(&d1, f1, g1, v1, r1, d2, f2, g2, v2, r2); + if (pt->len != 97) { + PORT_SetError(SEC_ERROR_BAD_KEY); + res = SECFailure; + return res; } - fiat_secp384r1_opp(output, v1); - fiat_secp384r1_selectznz(output, f1[LIMB_CNT] >> (LIMB_BITS - 1), v1, - output); - fiat_secp384r1_mul(output, output, const_divstep); -} - -/*- - * Q := 2P, both projective, Q and P same pointers OK - * Autogenerated: op3/dbl_proj.op3 - * https://eprint.iacr.org/2015/1060 Alg 6 - * ASSERT: a = -3 - */ -static void -point_double(pt_prj_t *Q, const pt_prj_t *P) -{ - /* temporary variables */ - fe_t t0, t1, t2, t3, t4; - /* constants */ - const limb_t *b = const_b; - /* set pointers for legacy curve arith */ - const limb_t *X = P->X; - const limb_t *Y = P->Y; - const limb_t *Z = P->Z; - limb_t *X3 = Q->X; - limb_t *Y3 = Q->Y; - limb_t *Z3 = Q->Z; - - /* the curve arith formula */ - fiat_secp384r1_square(t0, X); - fiat_secp384r1_square(t1, Y); - fiat_secp384r1_square(t2, Z); - fiat_secp384r1_mul(t3, X, Y); - fiat_secp384r1_add(t3, t3, t3); - fiat_secp384r1_mul(t4, Y, Z); - fiat_secp384r1_mul(Z3, X, Z); - fiat_secp384r1_add(Z3, Z3, Z3); - fiat_secp384r1_mul(Y3, b, t2); - fiat_secp384r1_sub(Y3, Y3, Z3); - fiat_secp384r1_add(X3, Y3, Y3); - fiat_secp384r1_add(Y3, X3, Y3); - fiat_secp384r1_sub(X3, t1, Y3); - fiat_secp384r1_add(Y3, t1, Y3); - fiat_secp384r1_mul(Y3, X3, Y3); - fiat_secp384r1_mul(X3, X3, t3); - fiat_secp384r1_add(t3, t2, t2); - fiat_secp384r1_add(t2, t2, t3); - fiat_secp384r1_mul(Z3, b, Z3); - fiat_secp384r1_sub(Z3, Z3, t2); - fiat_secp384r1_sub(Z3, Z3, t0); - fiat_secp384r1_add(t3, Z3, Z3); - fiat_secp384r1_add(Z3, Z3, t3); - fiat_secp384r1_add(t3, t0, t0); - fiat_secp384r1_add(t0, t3, t0); - fiat_secp384r1_sub(t0, t0, t2); - fiat_secp384r1_mul(t0, t0, Z3); - fiat_secp384r1_add(Y3, Y3, t0); - fiat_secp384r1_add(t0, t4, t4); - fiat_secp384r1_mul(Z3, t0, Z3); - fiat_secp384r1_sub(X3, X3, Z3); - fiat_secp384r1_mul(Z3, t0, t1); - fiat_secp384r1_add(Z3, Z3, Z3); - fiat_secp384r1_add(Z3, Z3, Z3); -} - -/*- - * R := Q + P where R and Q are projective, P affine. - * R and Q same pointers OK - * R and P same pointers not OK - * Autogenerated: op3/add_mixed.op3 - * https://eprint.iacr.org/2015/1060 Alg 5 - * ASSERT: a = -3 - */ -static void -point_add_mixed(pt_prj_t *R, const pt_prj_t *Q, const pt_aff_t *P) -{ - /* temporary variables */ - fe_t t0, t1, t2, t3, t4; - /* constants */ - const limb_t *b = const_b; - /* set pointers for legacy curve arith */ - const limb_t *X1 = Q->X; - const limb_t *Y1 = Q->Y; - const limb_t *Z1 = Q->Z; - const limb_t *X2 = P->X; - const limb_t *Y2 = P->Y; - fe_t X3; - fe_t Y3; - fe_t Z3; - limb_t nz; - - /* check P for affine inf */ - fiat_secp384r1_nonzero(&nz, P->Y); - - /* the curve arith formula */ - fiat_secp384r1_mul(t0, X1, X2); - fiat_secp384r1_mul(t1, Y1, Y2); - fiat_secp384r1_add(t3, X2, Y2); - fiat_secp384r1_add(t4, X1, Y1); - fiat_secp384r1_mul(t3, t3, t4); - fiat_secp384r1_add(t4, t0, t1); - fiat_secp384r1_sub(t3, t3, t4); - fiat_secp384r1_mul(t4, Y2, Z1); - fiat_secp384r1_add(t4, t4, Y1); - fiat_secp384r1_mul(Y3, X2, Z1); - fiat_secp384r1_add(Y3, Y3, X1); - fiat_secp384r1_mul(Z3, b, Z1); - fiat_secp384r1_sub(X3, Y3, Z3); - fiat_secp384r1_add(Z3, X3, X3); - fiat_secp384r1_add(X3, X3, Z3); - fiat_secp384r1_sub(Z3, t1, X3); - fiat_secp384r1_add(X3, t1, X3); - fiat_secp384r1_mul(Y3, b, Y3); - fiat_secp384r1_add(t1, Z1, Z1); - fiat_secp384r1_add(t2, t1, Z1); - fiat_secp384r1_sub(Y3, Y3, t2); - fiat_secp384r1_sub(Y3, Y3, t0); - fiat_secp384r1_add(t1, Y3, Y3); - fiat_secp384r1_add(Y3, t1, Y3); - fiat_secp384r1_add(t1, t0, t0); - fiat_secp384r1_add(t0, t1, t0); - fiat_secp384r1_sub(t0, t0, t2); - fiat_secp384r1_mul(t1, t4, Y3); - fiat_secp384r1_mul(t2, t0, Y3); - fiat_secp384r1_mul(Y3, X3, Z3); - fiat_secp384r1_add(Y3, Y3, t2); - fiat_secp384r1_mul(X3, t3, X3); - fiat_secp384r1_sub(X3, X3, t1); - fiat_secp384r1_mul(Z3, t4, Z3); - fiat_secp384r1_mul(t1, t3, t0); - fiat_secp384r1_add(Z3, Z3, t1); - - /* if P is inf, throw all that away and take Q */ - fiat_secp384r1_selectznz(R->X, nz, Q->X, X3); - fiat_secp384r1_selectznz(R->Y, nz, Q->Y, Y3); - fiat_secp384r1_selectznz(R->Z, nz, Q->Z, Z3); -} - -/*- - * R := Q + P all projective. - * R and Q same pointers OK - * R and P same pointers not OK - * Autogenerated: op3/add_proj.op3 - * https://eprint.iacr.org/2015/1060 Alg 4 - * ASSERT: a = -3 - */ -static void -point_add_proj(pt_prj_t *R, const pt_prj_t *Q, const pt_prj_t *P) -{ - /* temporary variables */ - fe_t t0, t1, t2, t3, t4, t5; - /* constants */ - const limb_t *b = const_b; - /* set pointers for legacy curve arith */ - const limb_t *X1 = Q->X; - const limb_t *Y1 = Q->Y; - const limb_t *Z1 = Q->Z; - const limb_t *X2 = P->X; - const limb_t *Y2 = P->Y; - const limb_t *Z2 = P->Z; - limb_t *X3 = R->X; - limb_t *Y3 = R->Y; - limb_t *Z3 = R->Z; - - /* the curve arith formula */ - fiat_secp384r1_mul(t0, X1, X2); - fiat_secp384r1_mul(t1, Y1, Y2); - fiat_secp384r1_mul(t2, Z1, Z2); - fiat_secp384r1_add(t3, X1, Y1); - fiat_secp384r1_add(t4, X2, Y2); - fiat_secp384r1_mul(t3, t3, t4); - fiat_secp384r1_add(t4, t0, t1); - fiat_secp384r1_sub(t3, t3, t4); - fiat_secp384r1_add(t4, Y1, Z1); - fiat_secp384r1_add(t5, Y2, Z2); - fiat_secp384r1_mul(t4, t4, t5); - fiat_secp384r1_add(t5, t1, t2); - fiat_secp384r1_sub(t4, t4, t5); - fiat_secp384r1_add(X3, X1, Z1); - fiat_secp384r1_add(Y3, X2, Z2); - fiat_secp384r1_mul(X3, X3, Y3); - fiat_secp384r1_add(Y3, t0, t2); - fiat_secp384r1_sub(Y3, X3, Y3); - fiat_secp384r1_mul(Z3, b, t2); - fiat_secp384r1_sub(X3, Y3, Z3); - fiat_secp384r1_add(Z3, X3, X3); - fiat_secp384r1_add(X3, X3, Z3); - fiat_secp384r1_sub(Z3, t1, X3); - fiat_secp384r1_add(X3, t1, X3); - fiat_secp384r1_mul(Y3, b, Y3); - fiat_secp384r1_add(t1, t2, t2); - fiat_secp384r1_add(t2, t1, t2); - fiat_secp384r1_sub(Y3, Y3, t2); - fiat_secp384r1_sub(Y3, Y3, t0); - fiat_secp384r1_add(t1, Y3, Y3); - fiat_secp384r1_add(Y3, t1, Y3); - fiat_secp384r1_add(t1, t0, t0); - fiat_secp384r1_add(t0, t1, t0); - fiat_secp384r1_sub(t0, t0, t2); - fiat_secp384r1_mul(t1, t4, Y3); - fiat_secp384r1_mul(t2, t0, Y3); - fiat_secp384r1_mul(Y3, X3, Z3); - fiat_secp384r1_add(Y3, Y3, t2); - fiat_secp384r1_mul(X3, t3, X3); - fiat_secp384r1_sub(X3, X3, t1); - fiat_secp384r1_mul(Z3, t4, Z3); - fiat_secp384r1_mul(t1, t3, t0); - fiat_secp384r1_add(Z3, Z3, t1); -} - -/* constants */ -#define RADIX 5 -#define DRADIX (1 << RADIX) -#define DRADIX_WNAF ((DRADIX) << 1) - -/*- - * precomp for wnaf scalar multiplication: - * precomp[0] = 1P - * precomp[1] = 3P - * precomp[2] = 5P - * precomp[3] = 7P - * precomp[4] = 9P - * ... - */ -static void -precomp_wnaf(pt_prj_t precomp[DRADIX / 2], const pt_aff_t *P) -{ - int i; - - fe_copy(precomp[0].X, P->X); - fe_copy(precomp[0].Y, P->Y); - fe_copy(precomp[0].Z, const_one); - point_double(&precomp[DRADIX / 2 - 1], &precomp[0]); - - for (i = 1; i < DRADIX / 2; i++) - point_add_proj(&precomp[i], &precomp[DRADIX / 2 - 1], &precomp[i - 1]); -} - -/* fetch a scalar bit */ -static int -scalar_get_bit(const unsigned char in[48], int idx) -{ - int widx, rshift; - - widx = idx >> 3; - rshift = idx & 0x7; - - if (idx < 0 || widx >= 48) - return 0; - - return (in[widx] >> rshift) & 0x1; -} - -/*- - * Compute "regular" wnaf representation of a scalar. - * See "Exponent Recoding and Regular Exponentiation Algorithms", - * Tunstall et al., AfricaCrypt 2009, Alg 6. - * It forces an odd scalar and outputs digits in - * {\pm 1, \pm 3, \pm 5, \pm 7, \pm 9, ...} - * i.e. signed odd digits with _no zeroes_ -- that makes it "regular". - */ -static void -scalar_rwnaf(int8_t out[77], const unsigned char in[48]) -{ - int i; - int8_t window, d; - - window = (in[0] & (DRADIX_WNAF - 1)) | 1; - for (i = 0; i < 76; i++) { - d = (window & (DRADIX_WNAF - 1)) - DRADIX; - out[i] = d; - window = (window - d) >> RADIX; - window += scalar_get_bit(in, (i + 1) * RADIX + 1) << 1; - window += scalar_get_bit(in, (i + 1) * RADIX + 2) << 2; - window += scalar_get_bit(in, (i + 1) * RADIX + 3) << 3; - window += scalar_get_bit(in, (i + 1) * RADIX + 4) << 4; - window += scalar_get_bit(in, (i + 1) * RADIX + 5) << 5; + if (pt->data[0] != EC_POINT_FORM_UNCOMPRESSED) { + PORT_SetError(SEC_ERROR_UNSUPPORTED_EC_POINT_FORM); + res = SECFailure; + return res; } - out[i] = window; -} -/*- - * Compute "textbook" wnaf representation of a scalar. - * NB: not constant time - */ -static void -scalar_wnaf(int8_t out[385], const unsigned char in[48]) -{ - int i; - int8_t window, d; + bool b = Hacl_P384_validate_public_key(pt->data + 1); - window = in[0] & (DRADIX_WNAF - 1); - for (i = 0; i < 385; i++) { - d = 0; - if ((window & 1) && ((d = window & (DRADIX_WNAF - 1)) & DRADIX)) - d -= DRADIX_WNAF; - out[i] = d; - window = (window - d) >> 1; - window += scalar_get_bit(in, i + 1 + RADIX) << RADIX; + if (!b) { + PORT_SetError(SEC_ERROR_BAD_KEY); + res = SECFailure; } + return res; } -/*- - * Simultaneous scalar multiplication: interleaved "textbook" wnaf. - * NB: not constant time +/* + * Scalar Validation for P-384. */ -static void -var_smul_wnaf_two(pt_aff_t *out, const unsigned char a[48], - const unsigned char b[48], const pt_aff_t *P) -{ - int i, d, is_neg, is_inf = 1, flipped = 0; - int8_t anaf[385] = { 0 }; - int8_t bnaf[385] = { 0 }; - pt_prj_t Q = { { 0 }, { 0 }, { 0 } }; - pt_prj_t precomp[DRADIX / 2]; - - precomp_wnaf(precomp, P); - scalar_wnaf(anaf, a); - scalar_wnaf(bnaf, b); - - for (i = 384; i >= 0; i--) { - if (!is_inf) - point_double(&Q, &Q); - if ((d = bnaf[i])) { - if ((is_neg = d < 0) != flipped) { - fiat_secp384r1_opp(Q.Y, Q.Y); - flipped ^= 1; - } - d = (is_neg) ? (-d - 1) >> 1 : (d - 1) >> 1; - if (is_inf) { - /* initialize accumulator */ - fe_copy(Q.X, &precomp[d].X); - fe_copy(Q.Y, &precomp[d].Y); - fe_copy(Q.Z, &precomp[d].Z); - is_inf = 0; - } else - point_add_proj(&Q, &Q, &precomp[d]); - } - if ((d = anaf[i])) { - if ((is_neg = d < 0) != flipped) { - fiat_secp384r1_opp(Q.Y, Q.Y); - flipped ^= 1; - } - d = (is_neg) ? (-d - 1) >> 1 : (d - 1) >> 1; - if (is_inf) { - /* initialize accumulator */ - fe_copy(Q.X, &lut_cmb[0][d].X); - fe_copy(Q.Y, &lut_cmb[0][d].Y); - fe_copy(Q.Z, const_one); - is_inf = 0; - } else - point_add_mixed(&Q, &Q, &lut_cmb[0][d]); - } - } - - if (is_inf) { - /* initialize accumulator to inf: all-zero scalars */ - fe_set_zero(Q.X); - fe_copy(Q.Y, const_one); - fe_set_zero(Q.Z); - } - - if (flipped) { - /* correct sign */ - fiat_secp384r1_opp(Q.Y, Q.Y); - } - /* convert to affine -- NB depends on coordinate system */ - fiat_secp384r1_inv(Q.Z, Q.Z); - fiat_secp384r1_mul(out->X, Q.X, Q.Z); - fiat_secp384r1_mul(out->Y, Q.Y, Q.Z); -} - -/*- - * Variable point scalar multiplication with "regular" wnaf. - * Here "regular" means _no zeroes_, so the sequence of - * EC arithmetic ops is fixed. - */ -static void -var_smul_rwnaf(pt_aff_t *out, const unsigned char scalar[48], - const pt_aff_t *P) +SECStatus +ec_secp384r1_scalar_validate(const SECItem *scalar) { - int i, j, d, diff, is_neg; - int8_t rnaf[77] = { 0 }; - pt_prj_t Q = { { 0 }, { 0 }, { 0 } }, lut = { { 0 }, { 0 }, { 0 } }; - pt_prj_t precomp[DRADIX / 2]; - - precomp_wnaf(precomp, P); - scalar_rwnaf(rnaf, scalar); - -#if defined(_MSC_VER) - /* result still unsigned: yes we know */ -#pragma warning(push) -#pragma warning(disable : 4146) -#endif - - /* initialize accumulator to high digit */ - d = (rnaf[76] - 1) >> 1; - for (j = 0; j < DRADIX / 2; j++) { - diff = (1 - (-(d ^ j) >> (8 * sizeof(int) - 1))) & 1; - fiat_secp384r1_selectznz(Q.X, diff, Q.X, precomp[j].X); - fiat_secp384r1_selectznz(Q.Y, diff, Q.Y, precomp[j].Y); - fiat_secp384r1_selectznz(Q.Z, diff, Q.Z, precomp[j].Z); + SECStatus res = SECSuccess; + if (!scalar || !scalar->data) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + res = SECFailure; + return res; } - for (i = 75; i >= 0; i--) { - for (j = 0; j < RADIX; j++) - point_double(&Q, &Q); - d = rnaf[i]; - /* is_neg = (d < 0) ? 1 : 0 */ - is_neg = (d >> (8 * sizeof(int) - 1)) & 1; - /* d = abs(d) */ - d = (d ^ -is_neg) + is_neg; - d = (d - 1) >> 1; - for (j = 0; j < DRADIX / 2; j++) { - diff = (1 - (-(d ^ j) >> (8 * sizeof(int) - 1))) & 1; - fiat_secp384r1_selectznz(lut.X, diff, lut.X, precomp[j].X); - fiat_secp384r1_selectznz(lut.Y, diff, lut.Y, precomp[j].Y); - fiat_secp384r1_selectznz(lut.Z, diff, lut.Z, precomp[j].Z); - } - /* negate lut point if digit is negative */ - fiat_secp384r1_opp(out->Y, lut.Y); - fiat_secp384r1_selectznz(lut.Y, is_neg, lut.Y, out->Y); - point_add_proj(&Q, &Q, &lut); + if (scalar->len != 48) { + PORT_SetError(SEC_ERROR_BAD_KEY); + res = SECFailure; + return res; } -#if defined(_MSC_VER) -#pragma warning(pop) -#endif - - /* conditionally subtract P if the scalar was even */ - fe_copy(lut.X, precomp[0].X); - fiat_secp384r1_opp(lut.Y, precomp[0].Y); - fe_copy(lut.Z, precomp[0].Z); - point_add_proj(&lut, &lut, &Q); - fiat_secp384r1_selectznz(Q.X, scalar[0] & 1, lut.X, Q.X); - fiat_secp384r1_selectznz(Q.Y, scalar[0] & 1, lut.Y, Q.Y); - fiat_secp384r1_selectznz(Q.Z, scalar[0] & 1, lut.Z, Q.Z); - - /* convert to affine -- NB depends on coordinate system */ - fiat_secp384r1_inv(Q.Z, Q.Z); - fiat_secp384r1_mul(out->X, Q.X, Q.Z); - fiat_secp384r1_mul(out->Y, Q.Y, Q.Z); -} - -/*- - * Fixed scalar multiplication: comb with interleaving. - */ -static void -fixed_smul_cmb(pt_aff_t *out, const unsigned char scalar[48]) -{ - int i, j, k, d, diff, is_neg = 0; - int8_t rnaf[77] = { 0 }; - pt_prj_t Q = { { 0 }, { 0 }, { 0 } }, R = { { 0 }, { 0 }, { 0 } }; - pt_aff_t lut = { { 0 }, { 0 } }; - - scalar_rwnaf(rnaf, scalar); - - /* initalize accumulator to inf */ - fe_set_zero(Q.X); - fe_copy(Q.Y, const_one); - fe_set_zero(Q.Z); + bool b = Hacl_P384_validate_private_key(scalar->data); -#if defined(_MSC_VER) - /* result still unsigned: yes we know */ -#pragma warning(push) -#pragma warning(disable : 4146) -#endif - - for (i = 3; i >= 0; i--) { - for (j = 0; i != 3 && j < RADIX; j++) - point_double(&Q, &Q); - for (j = 0; j < 21; j++) { - if (j * 4 + i > 76) - continue; - d = rnaf[j * 4 + i]; - /* is_neg = (d < 0) ? 1 : 0 */ - is_neg = (d >> (8 * sizeof(int) - 1)) & 1; - /* d = abs(d) */ - d = (d ^ -is_neg) + is_neg; - d = (d - 1) >> 1; - for (k = 0; k < DRADIX / 2; k++) { - diff = (1 - (-(d ^ k) >> (8 * sizeof(int) - 1))) & 1; - fiat_secp384r1_selectznz(lut.X, diff, lut.X, lut_cmb[j][k].X); - fiat_secp384r1_selectznz(lut.Y, diff, lut.Y, lut_cmb[j][k].Y); - } - /* negate lut point if digit is negative */ - fiat_secp384r1_opp(out->Y, lut.Y); - fiat_secp384r1_selectznz(lut.Y, is_neg, lut.Y, out->Y); - point_add_mixed(&Q, &Q, &lut); - } + if (!b) { + PORT_SetError(SEC_ERROR_BAD_KEY); + res = SECFailure; } - -#if defined(_MSC_VER) -#pragma warning(pop) -#endif - - /* conditionally subtract P if the scalar was even */ - fe_copy(lut.X, lut_cmb[0][0].X); - fiat_secp384r1_opp(lut.Y, lut_cmb[0][0].Y); - point_add_mixed(&R, &Q, &lut); - fiat_secp384r1_selectznz(Q.X, scalar[0] & 1, R.X, Q.X); - fiat_secp384r1_selectznz(Q.Y, scalar[0] & 1, R.Y, Q.Y); - fiat_secp384r1_selectznz(Q.Z, scalar[0] & 1, R.Z, Q.Z); - - /* convert to affine -- NB depends on coordinate system */ - fiat_secp384r1_inv(Q.Z, Q.Z); - fiat_secp384r1_mul(out->X, Q.X, Q.Z); - fiat_secp384r1_mul(out->Y, Q.Y, Q.Z); -} - -/*- - * Wrapper: simultaneous scalar mutiplication. - * outx, outy := a * G + b * P - * where P = (inx, iny). - * Everything is LE byte ordering. - */ -void -point_mul_two_secp384r1(unsigned char outx[48], unsigned char outy[48], - const unsigned char a[48], - const unsigned char b[48], - const unsigned char inx[48], - const unsigned char iny[48]) -{ - pt_aff_t P; - - fiat_secp384r1_from_bytes(P.X, inx); - fiat_secp384r1_from_bytes(P.Y, iny); - fiat_secp384r1_to_montgomery(P.X, P.X); - fiat_secp384r1_to_montgomery(P.Y, P.Y); - /* simultaneous scalar multiplication */ - var_smul_wnaf_two(&P, a, b, &P); - - fiat_secp384r1_from_montgomery(P.X, P.X); - fiat_secp384r1_from_montgomery(P.Y, P.Y); - fiat_secp384r1_to_bytes(outx, P.X); - fiat_secp384r1_to_bytes(outy, P.Y); -} - -/*- - * Wrapper: fixed scalar mutiplication. - * outx, outy := scalar * G - * Everything is LE byte ordering. - */ -void -point_mul_g_secp384r1(unsigned char outx[48], unsigned char outy[48], - const unsigned char scalar[48]) -{ - pt_aff_t P; - - /* fixed scmul function */ - fixed_smul_cmb(&P, scalar); - fiat_secp384r1_from_montgomery(P.X, P.X); - fiat_secp384r1_from_montgomery(P.Y, P.Y); - fiat_secp384r1_to_bytes(outx, P.X); - fiat_secp384r1_to_bytes(outy, P.Y); -} - -/*- - * Wrapper: variable point scalar mutiplication. - * outx, outy := scalar * P - * where P = (inx, iny). - * Everything is LE byte ordering. - */ -void -point_mul_secp384r1(unsigned char outx[48], unsigned char outy[48], - const unsigned char scalar[48], - const unsigned char inx[48], - const unsigned char iny[48]) -{ - pt_aff_t P; - - fiat_secp384r1_from_bytes(P.X, inx); - fiat_secp384r1_from_bytes(P.Y, iny); - fiat_secp384r1_to_montgomery(P.X, P.X); - fiat_secp384r1_to_montgomery(P.Y, P.Y); - /* var scmul function */ - var_smul_rwnaf(&P, scalar, &P); - fiat_secp384r1_from_montgomery(P.X, P.X); - fiat_secp384r1_from_montgomery(P.Y, P.Y); - fiat_secp384r1_to_bytes(outx, P.X); - fiat_secp384r1_to_bytes(outy, P.Y); -} - -#else /* __SIZEOF_INT128__ */ - -#include "ecp_secp384r1.h" -#include <stdint.h> -#include <string.h> -#define LIMB_BITS 32 -#define LIMB_CNT 12 -/* Field elements */ -typedef uint32_t fe_t[LIMB_CNT]; -typedef uint32_t limb_t; - -#define fe_copy(d, s) memcpy(d, s, sizeof(fe_t)) -#define fe_set_zero(d) memset(d, 0, sizeof(fe_t)) - -/* Projective points */ -typedef struct { - fe_t X; - fe_t Y; - fe_t Z; -} pt_prj_t; - -/* Affine points */ -typedef struct { - fe_t X; - fe_t Y; -} pt_aff_t; - -/* BEGIN verbatim fiat code https://github.com/mit-plv/fiat-crypto */ -/*- - * MIT License - * - * Copyright (c) 2015-2021 the fiat-crypto authors (see the AUTHORS file). - * https://github.com/mit-plv/fiat-crypto/blob/master/AUTHORS - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE - * SOFTWARE. - */ - -/* Autogenerated: word_by_word_montgomery --static --use-value-barrier secp384r1 32 '2^384 - 2^128 - 2^96 + 2^32 - 1' */ -/* curve description: secp384r1 */ -/* machine_wordsize = 32 (from "32") */ -/* requested operations: (all) */ -/* m = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff (from "2^384 - 2^128 - 2^96 + 2^32 - 1") */ -/* */ -/* NOTE: In addition to the bounds specified above each function, all */ -/* functions synthesized for this Montgomery arithmetic require the */ -/* input to be strictly less than the prime modulus (m), and also */ -/* require the input to be in the unique saturated representation. */ -/* All functions also ensure that these two properties are true of */ -/* return values. */ -/* */ -/* Computed values: */ -/* eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) + (z[8] << 256) + (z[9] << 0x120) + (z[10] << 0x140) + (z[11] << 0x160) */ -/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) */ -/* twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) + (z[8] << 256) + (z[9] << 0x120) + (z[10] << 0x140) + (z[11] << 0x160) in */ -/* if x1 & (2^384-1) < 2^383 then x1 & (2^384-1) else (x1 & (2^384-1)) - 2^384 */ - -#include <stdint.h> -typedef unsigned char fiat_secp384r1_uint1; -typedef signed char fiat_secp384r1_int1; -#ifdef __GNUC__ -#define FIAT_SECP384R1_FIAT_INLINE __inline__ -#else -#define FIAT_SECP384R1_FIAT_INLINE -#endif - -/* The type fiat_secp384r1_montgomery_domain_field_element is a field element in the Montgomery domain. */ -/* Bounds: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] */ -typedef uint32_t fiat_secp384r1_montgomery_domain_field_element[12]; - -/* The type fiat_secp384r1_non_montgomery_domain_field_element is a field element NOT in the Montgomery domain. */ -/* Bounds: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] */ -typedef uint32_t fiat_secp384r1_non_montgomery_domain_field_element[12]; - -#if (-1 & 3) != 3 -#error "This code only works on a two's complement system" -#endif - -#if !defined(FIAT_SECP384R1_NO_ASM) && (defined(__GNUC__) || defined(__clang__)) -static __inline__ uint32_t -fiat_secp384r1_value_barrier_u32(uint32_t a) -{ - __asm__("" - : "+r"(a) - : /* no inputs */); - return a; + return res; } -#else -#define fiat_secp384r1_value_barrier_u32(x) (x) -#endif /* - * The function fiat_secp384r1_addcarryx_u32 is an addition with carry. - * - * Postconditions: - * out1 = (arg1 + arg2 + arg3) mod 2^32 - * out2 = ⌊(arg1 + arg2 + arg3) / 2^32⌋ - * - * Input Bounds: - * arg1: [0x0 ~> 0x1] - * arg2: [0x0 ~> 0xffffffff] - * arg3: [0x0 ~> 0xffffffff] - * Output Bounds: - * out1: [0x0 ~> 0xffffffff] - * out2: [0x0 ~> 0x1] + * Scalar multiplication for P-384. + * If P == NULL, the base point is used. + * Returns X = k*P */ -static void -fiat_secp384r1_addcarryx_u32(uint32_t *out1, - fiat_secp384r1_uint1 *out2, - fiat_secp384r1_uint1 arg1, - uint32_t arg2, uint32_t arg3) -{ - uint64_t x1; - uint32_t x2; - fiat_secp384r1_uint1 x3; - x1 = ((arg1 + (uint64_t)arg2) + arg3); - x2 = (uint32_t)(x1 & UINT32_C(0xffffffff)); - x3 = (fiat_secp384r1_uint1)(x1 >> 32); - *out1 = x2; - *out2 = x3; -} - -/* - * The function fiat_secp384r1_subborrowx_u32 is a subtraction with borrow. - * - * Postconditions: - * out1 = (-arg1 + arg2 + -arg3) mod 2^32 - * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^32⌋ - * - * Input Bounds: - * arg1: [0x0 ~> 0x1] - * arg2: [0x0 ~> 0xffffffff] - * arg3: [0x0 ~> 0xffffffff] - * Output Bounds: - * out1: [0x0 ~> 0xffffffff] - * out2: [0x0 ~> 0x1] - */ -static void -fiat_secp384r1_subborrowx_u32(uint32_t *out1, - fiat_secp384r1_uint1 *out2, - fiat_secp384r1_uint1 arg1, - uint32_t arg2, uint32_t arg3) -{ - int64_t x1; - fiat_secp384r1_int1 x2; - uint32_t x3; - x1 = ((arg2 - (int64_t)arg1) - arg3); - x2 = (fiat_secp384r1_int1)(x1 >> 32); - x3 = (uint32_t)(x1 & UINT32_C(0xffffffff)); - *out1 = x3; - *out2 = (fiat_secp384r1_uint1)(0x0 - x2); -} -/* - * The function fiat_secp384r1_mulx_u32 is a multiplication, returning the full double-width result. - * - * Postconditions: - * out1 = (arg1 * arg2) mod 2^32 - * out2 = ⌊arg1 * arg2 / 2^32⌋ - * - * Input Bounds: - * arg1: [0x0 ~> 0xffffffff] - * arg2: [0x0 ~> 0xffffffff] - * Output Bounds: - * out1: [0x0 ~> 0xffffffff] - * out2: [0x0 ~> 0xffffffff] - */ -static void -fiat_secp384r1_mulx_u32(uint32_t *out1, uint32_t *out2, - uint32_t arg1, uint32_t arg2) +SECStatus +ec_secp384r1_pt_mul(SECItem *X, SECItem *k, SECItem *P) { - uint64_t x1; - uint32_t x2; - uint32_t x3; - x1 = ((uint64_t)arg1 * arg2); - x2 = (uint32_t)(x1 & UINT32_C(0xffffffff)); - x3 = (uint32_t)(x1 >> 32); - *out1 = x2; - *out2 = x3; -} + SECStatus res = SECSuccess; + if (!P) { + uint8_t derived[96] = { 0 }; -/* - * The function fiat_secp384r1_cmovznz_u32 is a single-word conditional move. - * - * Postconditions: - * out1 = (if arg1 = 0 then arg2 else arg3) - * - * Input Bounds: - * arg1: [0x0 ~> 0x1] - * arg2: [0x0 ~> 0xffffffff] - * arg3: [0x0 ~> 0xffffffff] - * Output Bounds: - * out1: [0x0 ~> 0xffffffff] - */ -static void -fiat_secp384r1_cmovznz_u32(uint32_t *out1, - fiat_secp384r1_uint1 arg1, uint32_t arg2, - uint32_t arg3) -{ - fiat_secp384r1_uint1 x1; - uint32_t x2; - uint32_t x3; - x1 = (!(!arg1)); - x2 = ((fiat_secp384r1_int1)(0x0 - x1) & UINT32_C(0xffffffff)); - x3 = ((fiat_secp384r1_value_barrier_u32(x2) & arg3) | - (fiat_secp384r1_value_barrier_u32((~x2)) & arg2)); - *out1 = x3; -} - -/* - * The function fiat_secp384r1_mul multiplies two field elements in the Montgomery domain. - * - * Preconditions: - * 0 ≤ eval arg1 < m - * 0 ≤ eval arg2 < m - * Postconditions: - * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m - * 0 ≤ eval out1 < m - * - */ -static void -fiat_secp384r1_mul( - fiat_secp384r1_montgomery_domain_field_element out1, - const fiat_secp384r1_montgomery_domain_field_element arg1, - const fiat_secp384r1_montgomery_domain_field_element arg2) -{ - uint32_t x1; - uint32_t x2; - uint32_t x3; - uint32_t x4; - uint32_t x5; - uint32_t x6; - uint32_t x7; - uint32_t x8; - uint32_t x9; - uint32_t x10; - uint32_t x11; - uint32_t x12; - uint32_t x13; - uint32_t x14; - uint32_t x15; - uint32_t x16; - uint32_t x17; - uint32_t x18; - uint32_t x19; - uint32_t x20; - uint32_t x21; - uint32_t x22; - uint32_t x23; - uint32_t x24; - uint32_t x25; - uint32_t x26; - uint32_t x27; - uint32_t x28; - uint32_t x29; - uint32_t x30; - uint32_t x31; - uint32_t x32; - uint32_t x33; - uint32_t x34; - uint32_t x35; - uint32_t x36; - uint32_t x37; - fiat_secp384r1_uint1 x38; - uint32_t x39; - fiat_secp384r1_uint1 x40; - uint32_t x41; - fiat_secp384r1_uint1 x42; - uint32_t x43; - fiat_secp384r1_uint1 x44; - uint32_t x45; - fiat_secp384r1_uint1 x46; - uint32_t x47; - fiat_secp384r1_uint1 x48; - uint32_t x49; - fiat_secp384r1_uint1 x50; - uint32_t x51; - fiat_secp384r1_uint1 x52; - uint32_t x53; - fiat_secp384r1_uint1 x54; - uint32_t x55; - fiat_secp384r1_uint1 x56; - uint32_t x57; - fiat_secp384r1_uint1 x58; - uint32_t x59; - uint32_t x60; - uint32_t x61; - uint32_t x62; - uint32_t x63; - uint32_t x64; - uint32_t x65; - uint32_t x66; - uint32_t x67; - uint32_t x68; - uint32_t x69; - uint32_t x70; - uint32_t x71; - uint32_t x72; - uint32_t x73; - uint32_t x74; - uint32_t x75; - uint32_t x76; - uint32_t x77; - uint32_t x78; - uint32_t x79; - uint32_t x80; - fiat_secp384r1_uint1 x81; - uint32_t x82; - fiat_secp384r1_uint1 x83; - uint32_t x84; - fiat_secp384r1_uint1 x85; - uint32_t x86; - fiat_secp384r1_uint1 x87; - uint32_t x88; - fiat_secp384r1_uint1 x89; - uint32_t x90; - fiat_secp384r1_uint1 x91; - uint32_t x92; - fiat_secp384r1_uint1 x93; - uint32_t x94; - fiat_secp384r1_uint1 x95; - uint32_t x96; - uint32_t x97; - fiat_secp384r1_uint1 x98; - uint32_t x99; - fiat_secp384r1_uint1 x100; - uint32_t x101; - fiat_secp384r1_uint1 x102; - uint32_t x103; - fiat_secp384r1_uint1 x104; - uint32_t x105; - fiat_secp384r1_uint1 x106; - uint32_t x107; - fiat_secp384r1_uint1 x108; - uint32_t x109; - fiat_secp384r1_uint1 x110; - uint32_t x111; - fiat_secp384r1_uint1 x112; - uint32_t x113; - fiat_secp384r1_uint1 x114; - uint32_t x115; - fiat_secp384r1_uint1 x116; - uint32_t x117; - fiat_secp384r1_uint1 x118; - uint32_t x119; - fiat_secp384r1_uint1 x120; - uint32_t x121; - fiat_secp384r1_uint1 x122; - uint32_t x123; - uint32_t x124; - uint32_t x125; - uint32_t x126; - uint32_t x127; - uint32_t x128; - uint32_t x129; - uint32_t x130; - uint32_t x131; - uint32_t x132; - uint32_t x133; - uint32_t x134; - uint32_t x135; - uint32_t x136; - uint32_t x137; - uint32_t x138; - uint32_t x139; - uint32_t x140; - uint32_t x141; - uint32_t x142; - uint32_t x143; - uint32_t x144; - uint32_t x145; - uint32_t x146; - uint32_t x147; - fiat_secp384r1_uint1 x148; - uint32_t x149; - fiat_secp384r1_uint1 x150; - uint32_t x151; - fiat_secp384r1_uint1 x152; - uint32_t x153; - fiat_secp384r1_uint1 x154; - uint32_t x155; - fiat_secp384r1_uint1 x156; - uint32_t x157; - fiat_secp384r1_uint1 x158; - uint32_t x159; - fiat_secp384r1_uint1 x160; - uint32_t x161; - fiat_secp384r1_uint1 x162; - uint32_t x163; - fiat_secp384r1_uint1 x164; - uint32_t x165; - fiat_secp384r1_uint1 x166; - uint32_t x167; - fiat_secp384r1_uint1 x168; - uint32_t x169; - uint32_t x170; - fiat_secp384r1_uint1 x171; - uint32_t x172; - fiat_secp384r1_uint1 x173; - uint32_t x174; - fiat_secp384r1_uint1 x175; - uint32_t x176; - fiat_secp384r1_uint1 x177; - uint32_t x178; - fiat_secp384r1_uint1 x179; - uint32_t x180; - fiat_secp384r1_uint1 x181; - uint32_t x182; - fiat_secp384r1_uint1 x183; - uint32_t x184; - fiat_secp384r1_uint1 x185; - uint32_t x186; - fiat_secp384r1_uint1 x187; - uint32_t x188; - fiat_secp384r1_uint1 x189; - uint32_t x190; - fiat_secp384r1_uint1 x191; - uint32_t x192; - fiat_secp384r1_uint1 x193; - uint32_t x194; - fiat_secp384r1_uint1 x195; - uint32_t x196; - uint32_t x197; - uint32_t x198; - uint32_t x199; - uint32_t x200; - uint32_t x201; - uint32_t x202; - uint32_t x203; - uint32_t x204; - uint32_t x205; - uint32_t x206; - uint32_t x207; - uint32_t x208; - uint32_t x209; - uint32_t x210; - uint32_t x211; - uint32_t x212; - uint32_t x213; - uint32_t x214; - uint32_t x215; - uint32_t x216; - fiat_secp384r1_uint1 x217; - uint32_t x218; - fiat_secp384r1_uint1 x219; - uint32_t x220; - fiat_secp384r1_uint1 x221; - uint32_t x222; - fiat_secp384r1_uint1 x223; - uint32_t x224; - fiat_secp384r1_uint1 x225; - uint32_t x226; - fiat_secp384r1_uint1 x227; - uint32_t x228; - fiat_secp384r1_uint1 x229; - uint32_t x230; - fiat_secp384r1_uint1 x231; - uint32_t x232; - uint32_t x233; - fiat_secp384r1_uint1 x234; - uint32_t x235; - fiat_secp384r1_uint1 x236; - uint32_t x237; - fiat_secp384r1_uint1 x238; - uint32_t x239; - fiat_secp384r1_uint1 x240; - uint32_t x241; - fiat_secp384r1_uint1 x242; - uint32_t x243; - fiat_secp384r1_uint1 x244; - uint32_t x245; - fiat_secp384r1_uint1 x246; - uint32_t x247; - fiat_secp384r1_uint1 x248; - uint32_t x249; - fiat_secp384r1_uint1 x250; - uint32_t x251; - fiat_secp384r1_uint1 x252; - uint32_t x253; - fiat_secp384r1_uint1 x254; - uint32_t x255; - fiat_secp384r1_uint1 x256; - uint32_t x257; - fiat_secp384r1_uint1 x258; - uint32_t x259; - uint32_t x260; - uint32_t x261; - uint32_t x262; - uint32_t x263; - uint32_t x264; - uint32_t x265; - uint32_t x266; - uint32_t x267; - uint32_t x268; - uint32_t x269; - uint32_t x270; - uint32_t x271; - uint32_t x272; - uint32_t x273; - uint32_t x274; - uint32_t x275; - uint32_t x276; - uint32_t x277; - uint32_t x278; - uint32_t x279; - uint32_t x280; - uint32_t x281; - uint32_t x282; - uint32_t x283; - uint32_t x284; - fiat_secp384r1_uint1 x285; - uint32_t x286; - fiat_secp384r1_uint1 x287; - uint32_t x288; - fiat_secp384r1_uint1 x289; - uint32_t x290; - fiat_secp384r1_uint1 x291; - uint32_t x292; - fiat_secp384r1_uint1 x293; - uint32_t x294; - fiat_secp384r1_uint1 x295; - uint32_t x296; - fiat_secp384r1_uint1 x297; - uint32_t x298; - fiat_secp384r1_uint1 x299; - uint32_t x300; - fiat_secp384r1_uint1 x301; - uint32_t x302; - fiat_secp384r1_uint1 x303; - uint32_t x304; - fiat_secp384r1_uint1 x305; - uint32_t x306; - uint32_t x307; - fiat_secp384r1_uint1 x308; - uint32_t x309; - fiat_secp384r1_uint1 x310; - uint32_t x311; - fiat_secp384r1_uint1 x312; - uint32_t x313; - fiat_secp384r1_uint1 x314; - uint32_t x315; - fiat_secp384r1_uint1 x316; - uint32_t x317; - fiat_secp384r1_uint1 x318; - uint32_t x319; - fiat_secp384r1_uint1 x320; - uint32_t x321; - fiat_secp384r1_uint1 x322; - uint32_t x323; - fiat_secp384r1_uint1 x324; - uint32_t x325; - fiat_secp384r1_uint1 x326; - uint32_t x327; - fiat_secp384r1_uint1 x328; - uint32_t x329; - fiat_secp384r1_uint1 x330; - uint32_t x331; - fiat_secp384r1_uint1 x332; - uint32_t x333; - uint32_t x334; - uint32_t x335; - uint32_t x336; - uint32_t x337; - uint32_t x338; - uint32_t x339; - uint32_t x340; - uint32_t x341; - uint32_t x342; - uint32_t x343; - uint32_t x344; - uint32_t x345; - uint32_t x346; - uint32_t x347; - uint32_t x348; - uint32_t x349; - uint32_t x350; - uint32_t x351; - uint32_t x352; - uint32_t x353; - fiat_secp384r1_uint1 x354; - uint32_t x355; - fiat_secp384r1_uint1 x356; - uint32_t x357; - fiat_secp384r1_uint1 x358; - uint32_t x359; - fiat_secp384r1_uint1 x360; - uint32_t x361; - fiat_secp384r1_uint1 x362; - uint32_t x363; - fiat_secp384r1_uint1 x364; - uint32_t x365; - fiat_secp384r1_uint1 x366; - uint32_t x367; - fiat_secp384r1_uint1 x368; - uint32_t x369; - uint32_t x370; - fiat_secp384r1_uint1 x371; - uint32_t x372; - fiat_secp384r1_uint1 x373; - uint32_t x374; - fiat_secp384r1_uint1 x375; - uint32_t x376; - fiat_secp384r1_uint1 x377; - uint32_t x378; - fiat_secp384r1_uint1 x379; - uint32_t x380; - fiat_secp384r1_uint1 x381; - uint32_t x382; - fiat_secp384r1_uint1 x383; - uint32_t x384; - fiat_secp384r1_uint1 x385; - uint32_t x386; - fiat_secp384r1_uint1 x387; - uint32_t x388; - fiat_secp384r1_uint1 x389; - uint32_t x390; - fiat_secp384r1_uint1 x391; - uint32_t x392; - fiat_secp384r1_uint1 x393; - uint32_t x394; - fiat_secp384r1_uint1 x395; - uint32_t x396; - uint32_t x397; - uint32_t x398; - uint32_t x399; - uint32_t x400; - uint32_t x401; - uint32_t x402; - uint32_t x403; - uint32_t x404; - uint32_t x405; - uint32_t x406; - uint32_t x407; - uint32_t x408; - uint32_t x409; - uint32_t x410; - uint32_t x411; - uint32_t x412; - uint32_t x413; - uint32_t x414; - uint32_t x415; - uint32_t x416; - uint32_t x417; - uint32_t x418; - uint32_t x419; - uint32_t x420; - uint32_t x421; - fiat_secp384r1_uint1 x422; - uint32_t x423; - fiat_secp384r1_uint1 x424; - uint32_t x425; - fiat_secp384r1_uint1 x426; - uint32_t x427; - fiat_secp384r1_uint1 x428; - uint32_t x429; - fiat_secp384r1_uint1 x430; - uint32_t x431; - fiat_secp384r1_uint1 x432; - uint32_t x433; - fiat_secp384r1_uint1 x434; - uint32_t x435; - fiat_secp384r1_uint1 x436; - uint32_t x437; - fiat_secp384r1_uint1 x438; - uint32_t x439; - fiat_secp384r1_uint1 x440; - uint32_t x441; - fiat_secp384r1_uint1 x442; - uint32_t x443; - uint32_t x444; - fiat_secp384r1_uint1 x445; - uint32_t x446; - fiat_secp384r1_uint1 x447; - uint32_t x448; - fiat_secp384r1_uint1 x449; - uint32_t x450; - fiat_secp384r1_uint1 x451; - uint32_t x452; - fiat_secp384r1_uint1 x453; - uint32_t x454; - fiat_secp384r1_uint1 x455; - uint32_t x456; - fiat_secp384r1_uint1 x457; - uint32_t x458; - fiat_secp384r1_uint1 x459; - uint32_t x460; - fiat_secp384r1_uint1 x461; - uint32_t x462; - fiat_secp384r1_uint1 x463; - uint32_t x464; - fiat_secp384r1_uint1 x465; - uint32_t x466; - fiat_secp384r1_uint1 x467; - uint32_t x468; - fiat_secp384r1_uint1 x469; - uint32_t x470; - uint32_t x471; - uint32_t x472; - uint32_t x473; - uint32_t x474; - uint32_t x475; - uint32_t x476; - uint32_t x477; - uint32_t x478; - uint32_t x479; - uint32_t x480; - uint32_t x481; - uint32_t x482; - uint32_t x483; - uint32_t x484; - uint32_t x485; - uint32_t x486; - uint32_t x487; - uint32_t x488; - uint32_t x489; - uint32_t x490; - fiat_secp384r1_uint1 x491; - uint32_t x492; - fiat_secp384r1_uint1 x493; - uint32_t x494; - fiat_secp384r1_uint1 x495; - uint32_t x496; - fiat_secp384r1_uint1 x497; - uint32_t x498; - fiat_secp384r1_uint1 x499; - uint32_t x500; - fiat_secp384r1_uint1 x501; - uint32_t x502; - fiat_secp384r1_uint1 x503; - uint32_t x504; - fiat_secp384r1_uint1 x505; - uint32_t x506; - uint32_t x507; - fiat_secp384r1_uint1 x508; - uint32_t x509; - fiat_secp384r1_uint1 x510; - uint32_t x511; - fiat_secp384r1_uint1 x512; - uint32_t x513; - fiat_secp384r1_uint1 x514; - uint32_t x515; - fiat_secp384r1_uint1 x516; - uint32_t x517; - fiat_secp384r1_uint1 x518; - uint32_t x519; - fiat_secp384r1_uint1 x520; - uint32_t x521; - fiat_secp384r1_uint1 x522; - uint32_t x523; - fiat_secp384r1_uint1 x524; - uint32_t x525; - fiat_secp384r1_uint1 x526; - uint32_t x527; - fiat_secp384r1_uint1 x528; - uint32_t x529; - fiat_secp384r1_uint1 x530; - uint32_t x531; - fiat_secp384r1_uint1 x532; - uint32_t x533; - uint32_t x534; - uint32_t x535; - uint32_t x536; - uint32_t x537; - uint32_t x538; - uint32_t x539; - uint32_t x540; - uint32_t x541; - uint32_t x542; - uint32_t x543; - uint32_t x544; - uint32_t x545; - uint32_t x546; - uint32_t x547; - uint32_t x548; - uint32_t x549; - uint32_t x550; - uint32_t x551; - uint32_t x552; - uint32_t x553; - uint32_t x554; - uint32_t x555; - uint32_t x556; - uint32_t x557; - uint32_t x558; - fiat_secp384r1_uint1 x559; - uint32_t x560; - fiat_secp384r1_uint1 x561; - uint32_t x562; - fiat_secp384r1_uint1 x563; - uint32_t x564; - fiat_secp384r1_uint1 x565; - uint32_t x566; - fiat_secp384r1_uint1 x567; - uint32_t x568; - fiat_secp384r1_uint1 x569; - uint32_t x570; - fiat_secp384r1_uint1 x571; - uint32_t x572; - fiat_secp384r1_uint1 x573; - uint32_t x574; - fiat_secp384r1_uint1 x575; - uint32_t x576; - fiat_secp384r1_uint1 x577; - uint32_t x578; - fiat_secp384r1_uint1 x579; - uint32_t x580; - uint32_t x581; - fiat_secp384r1_uint1 x582; - uint32_t x583; - fiat_secp384r1_uint1 x584; - uint32_t x585; - fiat_secp384r1_uint1 x586; - uint32_t x587; - fiat_secp384r1_uint1 x588; - uint32_t x589; - fiat_secp384r1_uint1 x590; - uint32_t x591; - fiat_secp384r1_uint1 x592; - uint32_t x593; - fiat_secp384r1_uint1 x594; - uint32_t x595; - fiat_secp384r1_uint1 x596; - uint32_t x597; - fiat_secp384r1_uint1 x598; - uint32_t x599; - fiat_secp384r1_uint1 x600; - uint32_t x601; - fiat_secp384r1_uint1 x602; - uint32_t x603; - fiat_secp384r1_uint1 x604; - uint32_t x605; - fiat_secp384r1_uint1 x606; - uint32_t x607; - uint32_t x608; - uint32_t x609; - uint32_t x610; - uint32_t x611; - uint32_t x612; - uint32_t x613; - uint32_t x614; - uint32_t x615; - uint32_t x616; - uint32_t x617; - uint32_t x618; - uint32_t x619; - uint32_t x620; - uint32_t x621; - uint32_t x622; - uint32_t x623; - uint32_t x624; - uint32_t x625; - uint32_t x626; - uint32_t x627; - fiat_secp384r1_uint1 x628; - uint32_t x629; - fiat_secp384r1_uint1 x630; - uint32_t x631; - fiat_secp384r1_uint1 x632; - uint32_t x633; - fiat_secp384r1_uint1 x634; - uint32_t x635; - fiat_secp384r1_uint1 x636; - uint32_t x637; - fiat_secp384r1_uint1 x638; - uint32_t x639; - fiat_secp384r1_uint1 x640; - uint32_t x641; - fiat_secp384r1_uint1 x642; - uint32_t x643; - uint32_t x644; - fiat_secp384r1_uint1 x645; - uint32_t x646; - fiat_secp384r1_uint1 x647; - uint32_t x648; - fiat_secp384r1_uint1 x649; - uint32_t x650; - fiat_secp384r1_uint1 x651; - uint32_t x652; - fiat_secp384r1_uint1 x653; - uint32_t x654; - fiat_secp384r1_uint1 x655; - uint32_t x656; - fiat_secp384r1_uint1 x657; - uint32_t x658; - fiat_secp384r1_uint1 x659; - uint32_t x660; - fiat_secp384r1_uint1 x661; - uint32_t x662; - fiat_secp384r1_uint1 x663; - uint32_t x664; - fiat_secp384r1_uint1 x665; - uint32_t x666; - fiat_secp384r1_uint1 x667; - uint32_t x668; - fiat_secp384r1_uint1 x669; - uint32_t x670; - uint32_t x671; - uint32_t x672; - uint32_t x673; - uint32_t x674; - uint32_t x675; - uint32_t x676; - uint32_t x677; - uint32_t x678; - uint32_t x679; - uint32_t x680; - uint32_t x681; - uint32_t x682; - uint32_t x683; - uint32_t x684; - uint32_t x685; - uint32_t x686; - uint32_t x687; - uint32_t x688; - uint32_t x689; - uint32_t x690; - uint32_t x691; - uint32_t x692; - uint32_t x693; - uint32_t x694; - uint32_t x695; - fiat_secp384r1_uint1 x696; - uint32_t x697; - fiat_secp384r1_uint1 x698; - uint32_t x699; - fiat_secp384r1_uint1 x700; - uint32_t x701; - fiat_secp384r1_uint1 x702; - uint32_t x703; - fiat_secp384r1_uint1 x704; - uint32_t x705; - fiat_secp384r1_uint1 x706; - uint32_t x707; - fiat_secp384r1_uint1 x708; - uint32_t x709; - fiat_secp384r1_uint1 x710; - uint32_t x711; - fiat_secp384r1_uint1 x712; - uint32_t x713; - fiat_secp384r1_uint1 x714; - uint32_t x715; - fiat_secp384r1_uint1 x716; - uint32_t x717; - uint32_t x718; - fiat_secp384r1_uint1 x719; - uint32_t x720; - fiat_secp384r1_uint1 x721; - uint32_t x722; - fiat_secp384r1_uint1 x723; - uint32_t x724; - fiat_secp384r1_uint1 x725; - uint32_t x726; - fiat_secp384r1_uint1 x727; - uint32_t x728; - fiat_secp384r1_uint1 x729; - uint32_t x730; - fiat_secp384r1_uint1 x731; - uint32_t x732; - fiat_secp384r1_uint1 x733; - uint32_t x734; - fiat_secp384r1_uint1 x735; - uint32_t x736; - fiat_secp384r1_uint1 x737; - uint32_t x738; - fiat_secp384r1_uint1 x739; - uint32_t x740; - fiat_secp384r1_uint1 x741; - uint32_t x742; - fiat_secp384r1_uint1 x743; - uint32_t x744; - uint32_t x745; - uint32_t x746; - uint32_t x747; - uint32_t x748; - uint32_t x749; - uint32_t x750; - uint32_t x751; - uint32_t x752; - uint32_t x753; - uint32_t x754; - uint32_t x755; - uint32_t x756; - uint32_t x757; - uint32_t x758; - uint32_t x759; - uint32_t x760; - uint32_t x761; - uint32_t x762; - uint32_t x763; - uint32_t x764; - fiat_secp384r1_uint1 x765; - uint32_t x766; - fiat_secp384r1_uint1 x767; - uint32_t x768; - fiat_secp384r1_uint1 x769; - uint32_t x770; - fiat_secp384r1_uint1 x771; - uint32_t x772; - fiat_secp384r1_uint1 x773; - uint32_t x774; - fiat_secp384r1_uint1 x775; - uint32_t x776; - fiat_secp384r1_uint1 x777; - uint32_t x778; - fiat_secp384r1_uint1 x779; - uint32_t x780; - uint32_t x781; - fiat_secp384r1_uint1 x782; - uint32_t x783; - fiat_secp384r1_uint1 x784; - uint32_t x785; - fiat_secp384r1_uint1 x786; - uint32_t x787; - fiat_secp384r1_uint1 x788; - uint32_t x789; - fiat_secp384r1_uint1 x790; - uint32_t x791; - fiat_secp384r1_uint1 x792; - uint32_t x793; - fiat_secp384r1_uint1 x794; - uint32_t x795; - fiat_secp384r1_uint1 x796; - uint32_t x797; - fiat_secp384r1_uint1 x798; - uint32_t x799; - fiat_secp384r1_uint1 x800; - uint32_t x801; - fiat_secp384r1_uint1 x802; - uint32_t x803; - fiat_secp384r1_uint1 x804; - uint32_t x805; - fiat_secp384r1_uint1 x806; - uint32_t x807; - uint32_t x808; - uint32_t x809; - uint32_t x810; - uint32_t x811; - uint32_t x812; - uint32_t x813; - uint32_t x814; - uint32_t x815; - uint32_t x816; - uint32_t x817; - uint32_t x818; - uint32_t x819; - uint32_t x820; - uint32_t x821; - uint32_t x822; - uint32_t x823; - uint32_t x824; - uint32_t x825; - uint32_t x826; - uint32_t x827; - uint32_t x828; - uint32_t x829; - uint32_t x830; - uint32_t x831; - uint32_t x832; - fiat_secp384r1_uint1 x833; - uint32_t x834; - fiat_secp384r1_uint1 x835; - uint32_t x836; - fiat_secp384r1_uint1 x837; - uint32_t x838; - fiat_secp384r1_uint1 x839; - uint32_t x840; - fiat_secp384r1_uint1 x841; - uint32_t x842; - fiat_secp384r1_uint1 x843; - uint32_t x844; - fiat_secp384r1_uint1 x845; - uint32_t x846; - fiat_secp384r1_uint1 x847; - uint32_t x848; - fiat_secp384r1_uint1 x849; - uint32_t x850; - fiat_secp384r1_uint1 x851; - uint32_t x852; - fiat_secp384r1_uint1 x853; - uint32_t x854; - uint32_t x855; - fiat_secp384r1_uint1 x856; - uint32_t x857; - fiat_secp384r1_uint1 x858; - uint32_t x859; - fiat_secp384r1_uint1 x860; - uint32_t x861; - fiat_secp384r1_uint1 x862; - uint32_t x863; - fiat_secp384r1_uint1 x864; - uint32_t x865; - fiat_secp384r1_uint1 x866; - uint32_t x867; - fiat_secp384r1_uint1 x868; - uint32_t x869; - fiat_secp384r1_uint1 x870; - uint32_t x871; - fiat_secp384r1_uint1 x872; - uint32_t x873; - fiat_secp384r1_uint1 x874; - uint32_t x875; - fiat_secp384r1_uint1 x876; - uint32_t x877; - fiat_secp384r1_uint1 x878; - uint32_t x879; - fiat_secp384r1_uint1 x880; - uint32_t x881; - uint32_t x882; - uint32_t x883; - uint32_t x884; - uint32_t x885; - uint32_t x886; - uint32_t x887; - uint32_t x888; - uint32_t x889; - uint32_t x890; - uint32_t x891; - uint32_t x892; - uint32_t x893; - uint32_t x894; - uint32_t x895; - uint32_t x896; - uint32_t x897; - uint32_t x898; - uint32_t x899; - uint32_t x900; - uint32_t x901; - fiat_secp384r1_uint1 x902; - uint32_t x903; - fiat_secp384r1_uint1 x904; - uint32_t x905; - fiat_secp384r1_uint1 x906; - uint32_t x907; - fiat_secp384r1_uint1 x908; - uint32_t x909; - fiat_secp384r1_uint1 x910; - uint32_t x911; - fiat_secp384r1_uint1 x912; - uint32_t x913; - fiat_secp384r1_uint1 x914; - uint32_t x915; - fiat_secp384r1_uint1 x916; - uint32_t x917; - uint32_t x918; - fiat_secp384r1_uint1 x919; - uint32_t x920; - fiat_secp384r1_uint1 x921; - uint32_t x922; - fiat_secp384r1_uint1 x923; - uint32_t x924; - fiat_secp384r1_uint1 x925; - uint32_t x926; - fiat_secp384r1_uint1 x927; - uint32_t x928; - fiat_secp384r1_uint1 x929; - uint32_t x930; - fiat_secp384r1_uint1 x931; - uint32_t x932; - fiat_secp384r1_uint1 x933; - uint32_t x934; - fiat_secp384r1_uint1 x935; - uint32_t x936; - fiat_secp384r1_uint1 x937; - uint32_t x938; - fiat_secp384r1_uint1 x939; - uint32_t x940; - fiat_secp384r1_uint1 x941; - uint32_t x942; - fiat_secp384r1_uint1 x943; - uint32_t x944; - uint32_t x945; - uint32_t x946; - uint32_t x947; - uint32_t x948; - uint32_t x949; - uint32_t x950; - uint32_t x951; - uint32_t x952; - uint32_t x953; - uint32_t x954; - uint32_t x955; - uint32_t x956; - uint32_t x957; - uint32_t x958; - uint32_t x959; - uint32_t x960; - uint32_t x961; - uint32_t x962; - uint32_t x963; - uint32_t x964; - uint32_t x965; - uint32_t x966; - uint32_t x967; - uint32_t x968; - uint32_t x969; - fiat_secp384r1_uint1 x970; - uint32_t x971; - fiat_secp384r1_uint1 x972; - uint32_t x973; - fiat_secp384r1_uint1 x974; - uint32_t x975; - fiat_secp384r1_uint1 x976; - uint32_t x977; - fiat_secp384r1_uint1 x978; - uint32_t x979; - fiat_secp384r1_uint1 x980; - uint32_t x981; - fiat_secp384r1_uint1 x982; - uint32_t x983; - fiat_secp384r1_uint1 x984; - uint32_t x985; - fiat_secp384r1_uint1 x986; - uint32_t x987; - fiat_secp384r1_uint1 x988; - uint32_t x989; - fiat_secp384r1_uint1 x990; - uint32_t x991; - uint32_t x992; - fiat_secp384r1_uint1 x993; - uint32_t x994; - fiat_secp384r1_uint1 x995; - uint32_t x996; - fiat_secp384r1_uint1 x997; - uint32_t x998; - fiat_secp384r1_uint1 x999; - uint32_t x1000; - fiat_secp384r1_uint1 x1001; - uint32_t x1002; - fiat_secp384r1_uint1 x1003; - uint32_t x1004; - fiat_secp384r1_uint1 x1005; - uint32_t x1006; - fiat_secp384r1_uint1 x1007; - uint32_t x1008; - fiat_secp384r1_uint1 x1009; - uint32_t x1010; - fiat_secp384r1_uint1 x1011; - uint32_t x1012; - fiat_secp384r1_uint1 x1013; - uint32_t x1014; - fiat_secp384r1_uint1 x1015; - uint32_t x1016; - fiat_secp384r1_uint1 x1017; - uint32_t x1018; - uint32_t x1019; - uint32_t x1020; - uint32_t x1021; - uint32_t x1022; - uint32_t x1023; - uint32_t x1024; - uint32_t x1025; - uint32_t x1026; - uint32_t x1027; - uint32_t x1028; - uint32_t x1029; - uint32_t x1030; - uint32_t x1031; - uint32_t x1032; - uint32_t x1033; - uint32_t x1034; - uint32_t x1035; - uint32_t x1036; - uint32_t x1037; - uint32_t x1038; - fiat_secp384r1_uint1 x1039; - uint32_t x1040; - fiat_secp384r1_uint1 x1041; - uint32_t x1042; - fiat_secp384r1_uint1 x1043; - uint32_t x1044; - fiat_secp384r1_uint1 x1045; - uint32_t x1046; - fiat_secp384r1_uint1 x1047; - uint32_t x1048; - fiat_secp384r1_uint1 x1049; - uint32_t x1050; - fiat_secp384r1_uint1 x1051; - uint32_t x1052; - fiat_secp384r1_uint1 x1053; - uint32_t x1054; - uint32_t x1055; - fiat_secp384r1_uint1 x1056; - uint32_t x1057; - fiat_secp384r1_uint1 x1058; - uint32_t x1059; - fiat_secp384r1_uint1 x1060; - uint32_t x1061; - fiat_secp384r1_uint1 x1062; - uint32_t x1063; - fiat_secp384r1_uint1 x1064; - uint32_t x1065; - fiat_secp384r1_uint1 x1066; - uint32_t x1067; - fiat_secp384r1_uint1 x1068; - uint32_t x1069; - fiat_secp384r1_uint1 x1070; - uint32_t x1071; - fiat_secp384r1_uint1 x1072; - uint32_t x1073; - fiat_secp384r1_uint1 x1074; - uint32_t x1075; - fiat_secp384r1_uint1 x1076; - uint32_t x1077; - fiat_secp384r1_uint1 x1078; - uint32_t x1079; - fiat_secp384r1_uint1 x1080; - uint32_t x1081; - uint32_t x1082; - uint32_t x1083; - uint32_t x1084; - uint32_t x1085; - uint32_t x1086; - uint32_t x1087; - uint32_t x1088; - uint32_t x1089; - uint32_t x1090; - uint32_t x1091; - uint32_t x1092; - uint32_t x1093; - uint32_t x1094; - uint32_t x1095; - uint32_t x1096; - uint32_t x1097; - uint32_t x1098; - uint32_t x1099; - uint32_t x1100; - uint32_t x1101; - uint32_t x1102; - uint32_t x1103; - uint32_t x1104; - uint32_t x1105; - uint32_t x1106; - fiat_secp384r1_uint1 x1107; - uint32_t x1108; - fiat_secp384r1_uint1 x1109; - uint32_t x1110; - fiat_secp384r1_uint1 x1111; - uint32_t x1112; - fiat_secp384r1_uint1 x1113; - uint32_t x1114; - fiat_secp384r1_uint1 x1115; - uint32_t x1116; - fiat_secp384r1_uint1 x1117; - uint32_t x1118; - fiat_secp384r1_uint1 x1119; - uint32_t x1120; - fiat_secp384r1_uint1 x1121; - uint32_t x1122; - fiat_secp384r1_uint1 x1123; - uint32_t x1124; - fiat_secp384r1_uint1 x1125; - uint32_t x1126; - fiat_secp384r1_uint1 x1127; - uint32_t x1128; - uint32_t x1129; - fiat_secp384r1_uint1 x1130; - uint32_t x1131; - fiat_secp384r1_uint1 x1132; - uint32_t x1133; - fiat_secp384r1_uint1 x1134; - uint32_t x1135; - fiat_secp384r1_uint1 x1136; - uint32_t x1137; - fiat_secp384r1_uint1 x1138; - uint32_t x1139; - fiat_secp384r1_uint1 x1140; - uint32_t x1141; - fiat_secp384r1_uint1 x1142; - uint32_t x1143; - fiat_secp384r1_uint1 x1144; - uint32_t x1145; - fiat_secp384r1_uint1 x1146; - uint32_t x1147; - fiat_secp384r1_uint1 x1148; - uint32_t x1149; - fiat_secp384r1_uint1 x1150; - uint32_t x1151; - fiat_secp384r1_uint1 x1152; - uint32_t x1153; - fiat_secp384r1_uint1 x1154; - uint32_t x1155; - uint32_t x1156; - uint32_t x1157; - uint32_t x1158; - uint32_t x1159; - uint32_t x1160; - uint32_t x1161; - uint32_t x1162; - uint32_t x1163; - uint32_t x1164; - uint32_t x1165; - uint32_t x1166; - uint32_t x1167; - uint32_t x1168; - uint32_t x1169; - uint32_t x1170; - uint32_t x1171; - uint32_t x1172; - uint32_t x1173; - uint32_t x1174; - uint32_t x1175; - fiat_secp384r1_uint1 x1176; - uint32_t x1177; - fiat_secp384r1_uint1 x1178; - uint32_t x1179; - fiat_secp384r1_uint1 x1180; - uint32_t x1181; - fiat_secp384r1_uint1 x1182; - uint32_t x1183; - fiat_secp384r1_uint1 x1184; - uint32_t x1185; - fiat_secp384r1_uint1 x1186; - uint32_t x1187; - fiat_secp384r1_uint1 x1188; - uint32_t x1189; - fiat_secp384r1_uint1 x1190; - uint32_t x1191; - uint32_t x1192; - fiat_secp384r1_uint1 x1193; - uint32_t x1194; - fiat_secp384r1_uint1 x1195; - uint32_t x1196; - fiat_secp384r1_uint1 x1197; - uint32_t x1198; - fiat_secp384r1_uint1 x1199; - uint32_t x1200; - fiat_secp384r1_uint1 x1201; - uint32_t x1202; - fiat_secp384r1_uint1 x1203; - uint32_t x1204; - fiat_secp384r1_uint1 x1205; - uint32_t x1206; - fiat_secp384r1_uint1 x1207; - uint32_t x1208; - fiat_secp384r1_uint1 x1209; - uint32_t x1210; - fiat_secp384r1_uint1 x1211; - uint32_t x1212; - fiat_secp384r1_uint1 x1213; - uint32_t x1214; - fiat_secp384r1_uint1 x1215; - uint32_t x1216; - fiat_secp384r1_uint1 x1217; - uint32_t x1218; - uint32_t x1219; - uint32_t x1220; - uint32_t x1221; - uint32_t x1222; - uint32_t x1223; - uint32_t x1224; - uint32_t x1225; - uint32_t x1226; - uint32_t x1227; - uint32_t x1228; - uint32_t x1229; - uint32_t x1230; - uint32_t x1231; - uint32_t x1232; - uint32_t x1233; - uint32_t x1234; - uint32_t x1235; - uint32_t x1236; - uint32_t x1237; - uint32_t x1238; - uint32_t x1239; - uint32_t x1240; - uint32_t x1241; - uint32_t x1242; - uint32_t x1243; - fiat_secp384r1_uint1 x1244; - uint32_t x1245; - fiat_secp384r1_uint1 x1246; - uint32_t x1247; - fiat_secp384r1_uint1 x1248; - uint32_t x1249; - fiat_secp384r1_uint1 x1250; - uint32_t x1251; - fiat_secp384r1_uint1 x1252; - uint32_t x1253; - fiat_secp384r1_uint1 x1254; - uint32_t x1255; - fiat_secp384r1_uint1 x1256; - uint32_t x1257; - fiat_secp384r1_uint1 x1258; - uint32_t x1259; - fiat_secp384r1_uint1 x1260; - uint32_t x1261; - fiat_secp384r1_uint1 x1262; - uint32_t x1263; - fiat_secp384r1_uint1 x1264; - uint32_t x1265; - uint32_t x1266; - fiat_secp384r1_uint1 x1267; - uint32_t x1268; - fiat_secp384r1_uint1 x1269; - uint32_t x1270; - fiat_secp384r1_uint1 x1271; - uint32_t x1272; - fiat_secp384r1_uint1 x1273; - uint32_t x1274; - fiat_secp384r1_uint1 x1275; - uint32_t x1276; - fiat_secp384r1_uint1 x1277; - uint32_t x1278; - fiat_secp384r1_uint1 x1279; - uint32_t x1280; - fiat_secp384r1_uint1 x1281; - uint32_t x1282; - fiat_secp384r1_uint1 x1283; - uint32_t x1284; - fiat_secp384r1_uint1 x1285; - uint32_t x1286; - fiat_secp384r1_uint1 x1287; - uint32_t x1288; - fiat_secp384r1_uint1 x1289; - uint32_t x1290; - fiat_secp384r1_uint1 x1291; - uint32_t x1292; - uint32_t x1293; - uint32_t x1294; - uint32_t x1295; - uint32_t x1296; - uint32_t x1297; - uint32_t x1298; - uint32_t x1299; - uint32_t x1300; - uint32_t x1301; - uint32_t x1302; - uint32_t x1303; - uint32_t x1304; - uint32_t x1305; - uint32_t x1306; - uint32_t x1307; - uint32_t x1308; - uint32_t x1309; - uint32_t x1310; - uint32_t x1311; - uint32_t x1312; - fiat_secp384r1_uint1 x1313; - uint32_t x1314; - fiat_secp384r1_uint1 x1315; - uint32_t x1316; - fiat_secp384r1_uint1 x1317; - uint32_t x1318; - fiat_secp384r1_uint1 x1319; - uint32_t x1320; - fiat_secp384r1_uint1 x1321; - uint32_t x1322; - fiat_secp384r1_uint1 x1323; - uint32_t x1324; - fiat_secp384r1_uint1 x1325; - uint32_t x1326; - fiat_secp384r1_uint1 x1327; - uint32_t x1328; - uint32_t x1329; - fiat_secp384r1_uint1 x1330; - uint32_t x1331; - fiat_secp384r1_uint1 x1332; - uint32_t x1333; - fiat_secp384r1_uint1 x1334; - uint32_t x1335; - fiat_secp384r1_uint1 x1336; - uint32_t x1337; - fiat_secp384r1_uint1 x1338; - uint32_t x1339; - fiat_secp384r1_uint1 x1340; - uint32_t x1341; - fiat_secp384r1_uint1 x1342; - uint32_t x1343; - fiat_secp384r1_uint1 x1344; - uint32_t x1345; - fiat_secp384r1_uint1 x1346; - uint32_t x1347; - fiat_secp384r1_uint1 x1348; - uint32_t x1349; - fiat_secp384r1_uint1 x1350; - uint32_t x1351; - fiat_secp384r1_uint1 x1352; - uint32_t x1353; - fiat_secp384r1_uint1 x1354; - uint32_t x1355; - uint32_t x1356; - uint32_t x1357; - uint32_t x1358; - uint32_t x1359; - uint32_t x1360; - uint32_t x1361; - uint32_t x1362; - uint32_t x1363; - uint32_t x1364; - uint32_t x1365; - uint32_t x1366; - uint32_t x1367; - uint32_t x1368; - uint32_t x1369; - uint32_t x1370; - uint32_t x1371; - uint32_t x1372; - uint32_t x1373; - uint32_t x1374; - uint32_t x1375; - uint32_t x1376; - uint32_t x1377; - uint32_t x1378; - uint32_t x1379; - uint32_t x1380; - fiat_secp384r1_uint1 x1381; - uint32_t x1382; - fiat_secp384r1_uint1 x1383; - uint32_t x1384; - fiat_secp384r1_uint1 x1385; - uint32_t x1386; - fiat_secp384r1_uint1 x1387; - uint32_t x1388; - fiat_secp384r1_uint1 x1389; - uint32_t x1390; - fiat_secp384r1_uint1 x1391; - uint32_t x1392; - fiat_secp384r1_uint1 x1393; - uint32_t x1394; - fiat_secp384r1_uint1 x1395; - uint32_t x1396; - fiat_secp384r1_uint1 x1397; - uint32_t x1398; - fiat_secp384r1_uint1 x1399; - uint32_t x1400; - fiat_secp384r1_uint1 x1401; - uint32_t x1402; - uint32_t x1403; - fiat_secp384r1_uint1 x1404; - uint32_t x1405; - fiat_secp384r1_uint1 x1406; - uint32_t x1407; - fiat_secp384r1_uint1 x1408; - uint32_t x1409; - fiat_secp384r1_uint1 x1410; - uint32_t x1411; - fiat_secp384r1_uint1 x1412; - uint32_t x1413; - fiat_secp384r1_uint1 x1414; - uint32_t x1415; - fiat_secp384r1_uint1 x1416; - uint32_t x1417; - fiat_secp384r1_uint1 x1418; - uint32_t x1419; - fiat_secp384r1_uint1 x1420; - uint32_t x1421; - fiat_secp384r1_uint1 x1422; - uint32_t x1423; - fiat_secp384r1_uint1 x1424; - uint32_t x1425; - fiat_secp384r1_uint1 x1426; - uint32_t x1427; - fiat_secp384r1_uint1 x1428; - uint32_t x1429; - uint32_t x1430; - uint32_t x1431; - uint32_t x1432; - uint32_t x1433; - uint32_t x1434; - uint32_t x1435; - uint32_t x1436; - uint32_t x1437; - uint32_t x1438; - uint32_t x1439; - uint32_t x1440; - uint32_t x1441; - uint32_t x1442; - uint32_t x1443; - uint32_t x1444; - uint32_t x1445; - uint32_t x1446; - uint32_t x1447; - uint32_t x1448; - uint32_t x1449; - fiat_secp384r1_uint1 x1450; - uint32_t x1451; - fiat_secp384r1_uint1 x1452; - uint32_t x1453; - fiat_secp384r1_uint1 x1454; - uint32_t x1455; - fiat_secp384r1_uint1 x1456; - uint32_t x1457; - fiat_secp384r1_uint1 x1458; - uint32_t x1459; - fiat_secp384r1_uint1 x1460; - uint32_t x1461; - fiat_secp384r1_uint1 x1462; - uint32_t x1463; - fiat_secp384r1_uint1 x1464; - uint32_t x1465; - uint32_t x1466; - fiat_secp384r1_uint1 x1467; - uint32_t x1468; - fiat_secp384r1_uint1 x1469; - uint32_t x1470; - fiat_secp384r1_uint1 x1471; - uint32_t x1472; - fiat_secp384r1_uint1 x1473; - uint32_t x1474; - fiat_secp384r1_uint1 x1475; - uint32_t x1476; - fiat_secp384r1_uint1 x1477; - uint32_t x1478; - fiat_secp384r1_uint1 x1479; - uint32_t x1480; - fiat_secp384r1_uint1 x1481; - uint32_t x1482; - fiat_secp384r1_uint1 x1483; - uint32_t x1484; - fiat_secp384r1_uint1 x1485; - uint32_t x1486; - fiat_secp384r1_uint1 x1487; - uint32_t x1488; - fiat_secp384r1_uint1 x1489; - uint32_t x1490; - fiat_secp384r1_uint1 x1491; - uint32_t x1492; - uint32_t x1493; - uint32_t x1494; - uint32_t x1495; - uint32_t x1496; - uint32_t x1497; - uint32_t x1498; - uint32_t x1499; - uint32_t x1500; - uint32_t x1501; - uint32_t x1502; - uint32_t x1503; - uint32_t x1504; - uint32_t x1505; - uint32_t x1506; - uint32_t x1507; - uint32_t x1508; - uint32_t x1509; - uint32_t x1510; - uint32_t x1511; - uint32_t x1512; - uint32_t x1513; - uint32_t x1514; - uint32_t x1515; - uint32_t x1516; - uint32_t x1517; - fiat_secp384r1_uint1 x1518; - uint32_t x1519; - fiat_secp384r1_uint1 x1520; - uint32_t x1521; - fiat_secp384r1_uint1 x1522; - uint32_t x1523; - fiat_secp384r1_uint1 x1524; - uint32_t x1525; - fiat_secp384r1_uint1 x1526; - uint32_t x1527; - fiat_secp384r1_uint1 x1528; - uint32_t x1529; - fiat_secp384r1_uint1 x1530; - uint32_t x1531; - fiat_secp384r1_uint1 x1532; - uint32_t x1533; - fiat_secp384r1_uint1 x1534; - uint32_t x1535; - fiat_secp384r1_uint1 x1536; - uint32_t x1537; - fiat_secp384r1_uint1 x1538; - uint32_t x1539; - uint32_t x1540; - fiat_secp384r1_uint1 x1541; - uint32_t x1542; - fiat_secp384r1_uint1 x1543; - uint32_t x1544; - fiat_secp384r1_uint1 x1545; - uint32_t x1546; - fiat_secp384r1_uint1 x1547; - uint32_t x1548; - fiat_secp384r1_uint1 x1549; - uint32_t x1550; - fiat_secp384r1_uint1 x1551; - uint32_t x1552; - fiat_secp384r1_uint1 x1553; - uint32_t x1554; - fiat_secp384r1_uint1 x1555; - uint32_t x1556; - fiat_secp384r1_uint1 x1557; - uint32_t x1558; - fiat_secp384r1_uint1 x1559; - uint32_t x1560; - fiat_secp384r1_uint1 x1561; - uint32_t x1562; - fiat_secp384r1_uint1 x1563; - uint32_t x1564; - fiat_secp384r1_uint1 x1565; - uint32_t x1566; - uint32_t x1567; - uint32_t x1568; - uint32_t x1569; - uint32_t x1570; - uint32_t x1571; - uint32_t x1572; - uint32_t x1573; - uint32_t x1574; - uint32_t x1575; - uint32_t x1576; - uint32_t x1577; - uint32_t x1578; - uint32_t x1579; - uint32_t x1580; - uint32_t x1581; - uint32_t x1582; - uint32_t x1583; - uint32_t x1584; - uint32_t x1585; - uint32_t x1586; - fiat_secp384r1_uint1 x1587; - uint32_t x1588; - fiat_secp384r1_uint1 x1589; - uint32_t x1590; - fiat_secp384r1_uint1 x1591; - uint32_t x1592; - fiat_secp384r1_uint1 x1593; - uint32_t x1594; - fiat_secp384r1_uint1 x1595; - uint32_t x1596; - fiat_secp384r1_uint1 x1597; - uint32_t x1598; - fiat_secp384r1_uint1 x1599; - uint32_t x1600; - fiat_secp384r1_uint1 x1601; - uint32_t x1602; - uint32_t x1603; - fiat_secp384r1_uint1 x1604; - uint32_t x1605; - fiat_secp384r1_uint1 x1606; - uint32_t x1607; - fiat_secp384r1_uint1 x1608; - uint32_t x1609; - fiat_secp384r1_uint1 x1610; - uint32_t x1611; - fiat_secp384r1_uint1 x1612; - uint32_t x1613; - fiat_secp384r1_uint1 x1614; - uint32_t x1615; - fiat_secp384r1_uint1 x1616; - uint32_t x1617; - fiat_secp384r1_uint1 x1618; - uint32_t x1619; - fiat_secp384r1_uint1 x1620; - uint32_t x1621; - fiat_secp384r1_uint1 x1622; - uint32_t x1623; - fiat_secp384r1_uint1 x1624; - uint32_t x1625; - fiat_secp384r1_uint1 x1626; - uint32_t x1627; - fiat_secp384r1_uint1 x1628; - uint32_t x1629; - uint32_t x1630; - fiat_secp384r1_uint1 x1631; - uint32_t x1632; - fiat_secp384r1_uint1 x1633; - uint32_t x1634; - fiat_secp384r1_uint1 x1635; - uint32_t x1636; - fiat_secp384r1_uint1 x1637; - uint32_t x1638; - fiat_secp384r1_uint1 x1639; - uint32_t x1640; - fiat_secp384r1_uint1 x1641; - uint32_t x1642; - fiat_secp384r1_uint1 x1643; - uint32_t x1644; - fiat_secp384r1_uint1 x1645; - uint32_t x1646; - fiat_secp384r1_uint1 x1647; - uint32_t x1648; - fiat_secp384r1_uint1 x1649; - uint32_t x1650; - fiat_secp384r1_uint1 x1651; - uint32_t x1652; - fiat_secp384r1_uint1 x1653; - uint32_t x1654; - fiat_secp384r1_uint1 x1655; - uint32_t x1656; - uint32_t x1657; - uint32_t x1658; - uint32_t x1659; - uint32_t x1660; - uint32_t x1661; - uint32_t x1662; - uint32_t x1663; - uint32_t x1664; - uint32_t x1665; - uint32_t x1666; - uint32_t x1667; - x1 = (arg1[1]); - x2 = (arg1[2]); - x3 = (arg1[3]); - x4 = (arg1[4]); - x5 = (arg1[5]); - x6 = (arg1[6]); - x7 = (arg1[7]); - x8 = (arg1[8]); - x9 = (arg1[9]); - x10 = (arg1[10]); - x11 = (arg1[11]); - x12 = (arg1[0]); - fiat_secp384r1_mulx_u32(&x13, &x14, x12, (arg2[11])); - fiat_secp384r1_mulx_u32(&x15, &x16, x12, (arg2[10])); - fiat_secp384r1_mulx_u32(&x17, &x18, x12, (arg2[9])); - fiat_secp384r1_mulx_u32(&x19, &x20, x12, (arg2[8])); - fiat_secp384r1_mulx_u32(&x21, &x22, x12, (arg2[7])); - fiat_secp384r1_mulx_u32(&x23, &x24, x12, (arg2[6])); - fiat_secp384r1_mulx_u32(&x25, &x26, x12, (arg2[5])); - fiat_secp384r1_mulx_u32(&x27, &x28, x12, (arg2[4])); - fiat_secp384r1_mulx_u32(&x29, &x30, x12, (arg2[3])); - fiat_secp384r1_mulx_u32(&x31, &x32, x12, (arg2[2])); - fiat_secp384r1_mulx_u32(&x33, &x34, x12, (arg2[1])); - fiat_secp384r1_mulx_u32(&x35, &x36, x12, (arg2[0])); - fiat_secp384r1_addcarryx_u32(&x37, &x38, 0x0, x36, x33); - fiat_secp384r1_addcarryx_u32(&x39, &x40, x38, x34, x31); - fiat_secp384r1_addcarryx_u32(&x41, &x42, x40, x32, x29); - fiat_secp384r1_addcarryx_u32(&x43, &x44, x42, x30, x27); - fiat_secp384r1_addcarryx_u32(&x45, &x46, x44, x28, x25); - fiat_secp384r1_addcarryx_u32(&x47, &x48, x46, x26, x23); - fiat_secp384r1_addcarryx_u32(&x49, &x50, x48, x24, x21); - fiat_secp384r1_addcarryx_u32(&x51, &x52, x50, x22, x19); - fiat_secp384r1_addcarryx_u32(&x53, &x54, x52, x20, x17); - fiat_secp384r1_addcarryx_u32(&x55, &x56, x54, x18, x15); - fiat_secp384r1_addcarryx_u32(&x57, &x58, x56, x16, x13); - x59 = (x58 + x14); - fiat_secp384r1_mulx_u32(&x60, &x61, x35, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x62, &x63, x35, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x64, &x65, x35, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x66, &x67, x35, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x68, &x69, x35, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x70, &x71, x35, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x72, &x73, x35, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x74, &x75, x35, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x76, &x77, x35, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x78, &x79, x35, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u32(&x80, &x81, 0x0, x77, x74); - fiat_secp384r1_addcarryx_u32(&x82, &x83, x81, x75, x72); - fiat_secp384r1_addcarryx_u32(&x84, &x85, x83, x73, x70); - fiat_secp384r1_addcarryx_u32(&x86, &x87, x85, x71, x68); - fiat_secp384r1_addcarryx_u32(&x88, &x89, x87, x69, x66); - fiat_secp384r1_addcarryx_u32(&x90, &x91, x89, x67, x64); - fiat_secp384r1_addcarryx_u32(&x92, &x93, x91, x65, x62); - fiat_secp384r1_addcarryx_u32(&x94, &x95, x93, x63, x60); - x96 = (x95 + x61); - fiat_secp384r1_addcarryx_u32(&x97, &x98, 0x0, x35, x78); - fiat_secp384r1_addcarryx_u32(&x99, &x100, x98, x37, x79); - fiat_secp384r1_addcarryx_u32(&x101, &x102, x100, x39, 0x0); - fiat_secp384r1_addcarryx_u32(&x103, &x104, x102, x41, x76); - fiat_secp384r1_addcarryx_u32(&x105, &x106, x104, x43, x80); - fiat_secp384r1_addcarryx_u32(&x107, &x108, x106, x45, x82); - fiat_secp384r1_addcarryx_u32(&x109, &x110, x108, x47, x84); - fiat_secp384r1_addcarryx_u32(&x111, &x112, x110, x49, x86); - fiat_secp384r1_addcarryx_u32(&x113, &x114, x112, x51, x88); - fiat_secp384r1_addcarryx_u32(&x115, &x116, x114, x53, x90); - fiat_secp384r1_addcarryx_u32(&x117, &x118, x116, x55, x92); - fiat_secp384r1_addcarryx_u32(&x119, &x120, x118, x57, x94); - fiat_secp384r1_addcarryx_u32(&x121, &x122, x120, x59, x96); - fiat_secp384r1_mulx_u32(&x123, &x124, x1, (arg2[11])); - fiat_secp384r1_mulx_u32(&x125, &x126, x1, (arg2[10])); - fiat_secp384r1_mulx_u32(&x127, &x128, x1, (arg2[9])); - fiat_secp384r1_mulx_u32(&x129, &x130, x1, (arg2[8])); - fiat_secp384r1_mulx_u32(&x131, &x132, x1, (arg2[7])); - fiat_secp384r1_mulx_u32(&x133, &x134, x1, (arg2[6])); - fiat_secp384r1_mulx_u32(&x135, &x136, x1, (arg2[5])); - fiat_secp384r1_mulx_u32(&x137, &x138, x1, (arg2[4])); - fiat_secp384r1_mulx_u32(&x139, &x140, x1, (arg2[3])); - fiat_secp384r1_mulx_u32(&x141, &x142, x1, (arg2[2])); - fiat_secp384r1_mulx_u32(&x143, &x144, x1, (arg2[1])); - fiat_secp384r1_mulx_u32(&x145, &x146, x1, (arg2[0])); - fiat_secp384r1_addcarryx_u32(&x147, &x148, 0x0, x146, x143); - fiat_secp384r1_addcarryx_u32(&x149, &x150, x148, x144, x141); - fiat_secp384r1_addcarryx_u32(&x151, &x152, x150, x142, x139); - fiat_secp384r1_addcarryx_u32(&x153, &x154, x152, x140, x137); - fiat_secp384r1_addcarryx_u32(&x155, &x156, x154, x138, x135); - fiat_secp384r1_addcarryx_u32(&x157, &x158, x156, x136, x133); - fiat_secp384r1_addcarryx_u32(&x159, &x160, x158, x134, x131); - fiat_secp384r1_addcarryx_u32(&x161, &x162, x160, x132, x129); - fiat_secp384r1_addcarryx_u32(&x163, &x164, x162, x130, x127); - fiat_secp384r1_addcarryx_u32(&x165, &x166, x164, x128, x125); - fiat_secp384r1_addcarryx_u32(&x167, &x168, x166, x126, x123); - x169 = (x168 + x124); - fiat_secp384r1_addcarryx_u32(&x170, &x171, 0x0, x99, x145); - fiat_secp384r1_addcarryx_u32(&x172, &x173, x171, x101, x147); - fiat_secp384r1_addcarryx_u32(&x174, &x175, x173, x103, x149); - fiat_secp384r1_addcarryx_u32(&x176, &x177, x175, x105, x151); - fiat_secp384r1_addcarryx_u32(&x178, &x179, x177, x107, x153); - fiat_secp384r1_addcarryx_u32(&x180, &x181, x179, x109, x155); - fiat_secp384r1_addcarryx_u32(&x182, &x183, x181, x111, x157); - fiat_secp384r1_addcarryx_u32(&x184, &x185, x183, x113, x159); - fiat_secp384r1_addcarryx_u32(&x186, &x187, x185, x115, x161); - fiat_secp384r1_addcarryx_u32(&x188, &x189, x187, x117, x163); - fiat_secp384r1_addcarryx_u32(&x190, &x191, x189, x119, x165); - fiat_secp384r1_addcarryx_u32(&x192, &x193, x191, x121, x167); - fiat_secp384r1_addcarryx_u32(&x194, &x195, x193, x122, x169); - fiat_secp384r1_mulx_u32(&x196, &x197, x170, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x198, &x199, x170, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x200, &x201, x170, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x202, &x203, x170, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x204, &x205, x170, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x206, &x207, x170, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x208, &x209, x170, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x210, &x211, x170, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x212, &x213, x170, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x214, &x215, x170, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u32(&x216, &x217, 0x0, x213, x210); - fiat_secp384r1_addcarryx_u32(&x218, &x219, x217, x211, x208); - fiat_secp384r1_addcarryx_u32(&x220, &x221, x219, x209, x206); - fiat_secp384r1_addcarryx_u32(&x222, &x223, x221, x207, x204); - fiat_secp384r1_addcarryx_u32(&x224, &x225, x223, x205, x202); - fiat_secp384r1_addcarryx_u32(&x226, &x227, x225, x203, x200); - fiat_secp384r1_addcarryx_u32(&x228, &x229, x227, x201, x198); - fiat_secp384r1_addcarryx_u32(&x230, &x231, x229, x199, x196); - x232 = (x231 + x197); - fiat_secp384r1_addcarryx_u32(&x233, &x234, 0x0, x170, x214); - fiat_secp384r1_addcarryx_u32(&x235, &x236, x234, x172, x215); - fiat_secp384r1_addcarryx_u32(&x237, &x238, x236, x174, 0x0); - fiat_secp384r1_addcarryx_u32(&x239, &x240, x238, x176, x212); - fiat_secp384r1_addcarryx_u32(&x241, &x242, x240, x178, x216); - fiat_secp384r1_addcarryx_u32(&x243, &x244, x242, x180, x218); - fiat_secp384r1_addcarryx_u32(&x245, &x246, x244, x182, x220); - fiat_secp384r1_addcarryx_u32(&x247, &x248, x246, x184, x222); - fiat_secp384r1_addcarryx_u32(&x249, &x250, x248, x186, x224); - fiat_secp384r1_addcarryx_u32(&x251, &x252, x250, x188, x226); - fiat_secp384r1_addcarryx_u32(&x253, &x254, x252, x190, x228); - fiat_secp384r1_addcarryx_u32(&x255, &x256, x254, x192, x230); - fiat_secp384r1_addcarryx_u32(&x257, &x258, x256, x194, x232); - x259 = ((uint32_t)x258 + x195); - fiat_secp384r1_mulx_u32(&x260, &x261, x2, (arg2[11])); - fiat_secp384r1_mulx_u32(&x262, &x263, x2, (arg2[10])); - fiat_secp384r1_mulx_u32(&x264, &x265, x2, (arg2[9])); - fiat_secp384r1_mulx_u32(&x266, &x267, x2, (arg2[8])); - fiat_secp384r1_mulx_u32(&x268, &x269, x2, (arg2[7])); - fiat_secp384r1_mulx_u32(&x270, &x271, x2, (arg2[6])); - fiat_secp384r1_mulx_u32(&x272, &x273, x2, (arg2[5])); - fiat_secp384r1_mulx_u32(&x274, &x275, x2, (arg2[4])); - fiat_secp384r1_mulx_u32(&x276, &x277, x2, (arg2[3])); - fiat_secp384r1_mulx_u32(&x278, &x279, x2, (arg2[2])); - fiat_secp384r1_mulx_u32(&x280, &x281, x2, (arg2[1])); - fiat_secp384r1_mulx_u32(&x282, &x283, x2, (arg2[0])); - fiat_secp384r1_addcarryx_u32(&x284, &x285, 0x0, x283, x280); - fiat_secp384r1_addcarryx_u32(&x286, &x287, x285, x281, x278); - fiat_secp384r1_addcarryx_u32(&x288, &x289, x287, x279, x276); - fiat_secp384r1_addcarryx_u32(&x290, &x291, x289, x277, x274); - fiat_secp384r1_addcarryx_u32(&x292, &x293, x291, x275, x272); - fiat_secp384r1_addcarryx_u32(&x294, &x295, x293, x273, x270); - fiat_secp384r1_addcarryx_u32(&x296, &x297, x295, x271, x268); - fiat_secp384r1_addcarryx_u32(&x298, &x299, x297, x269, x266); - fiat_secp384r1_addcarryx_u32(&x300, &x301, x299, x267, x264); - fiat_secp384r1_addcarryx_u32(&x302, &x303, x301, x265, x262); - fiat_secp384r1_addcarryx_u32(&x304, &x305, x303, x263, x260); - x306 = (x305 + x261); - fiat_secp384r1_addcarryx_u32(&x307, &x308, 0x0, x235, x282); - fiat_secp384r1_addcarryx_u32(&x309, &x310, x308, x237, x284); - fiat_secp384r1_addcarryx_u32(&x311, &x312, x310, x239, x286); - fiat_secp384r1_addcarryx_u32(&x313, &x314, x312, x241, x288); - fiat_secp384r1_addcarryx_u32(&x315, &x316, x314, x243, x290); - fiat_secp384r1_addcarryx_u32(&x317, &x318, x316, x245, x292); - fiat_secp384r1_addcarryx_u32(&x319, &x320, x318, x247, x294); - fiat_secp384r1_addcarryx_u32(&x321, &x322, x320, x249, x296); - fiat_secp384r1_addcarryx_u32(&x323, &x324, x322, x251, x298); - fiat_secp384r1_addcarryx_u32(&x325, &x326, x324, x253, x300); - fiat_secp384r1_addcarryx_u32(&x327, &x328, x326, x255, x302); - fiat_secp384r1_addcarryx_u32(&x329, &x330, x328, x257, x304); - fiat_secp384r1_addcarryx_u32(&x331, &x332, x330, x259, x306); - fiat_secp384r1_mulx_u32(&x333, &x334, x307, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x335, &x336, x307, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x337, &x338, x307, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x339, &x340, x307, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x341, &x342, x307, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x343, &x344, x307, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x345, &x346, x307, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x347, &x348, x307, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x349, &x350, x307, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x351, &x352, x307, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u32(&x353, &x354, 0x0, x350, x347); - fiat_secp384r1_addcarryx_u32(&x355, &x356, x354, x348, x345); - fiat_secp384r1_addcarryx_u32(&x357, &x358, x356, x346, x343); - fiat_secp384r1_addcarryx_u32(&x359, &x360, x358, x344, x341); - fiat_secp384r1_addcarryx_u32(&x361, &x362, x360, x342, x339); - fiat_secp384r1_addcarryx_u32(&x363, &x364, x362, x340, x337); - fiat_secp384r1_addcarryx_u32(&x365, &x366, x364, x338, x335); - fiat_secp384r1_addcarryx_u32(&x367, &x368, x366, x336, x333); - x369 = (x368 + x334); - fiat_secp384r1_addcarryx_u32(&x370, &x371, 0x0, x307, x351); - fiat_secp384r1_addcarryx_u32(&x372, &x373, x371, x309, x352); - fiat_secp384r1_addcarryx_u32(&x374, &x375, x373, x311, 0x0); - fiat_secp384r1_addcarryx_u32(&x376, &x377, x375, x313, x349); - fiat_secp384r1_addcarryx_u32(&x378, &x379, x377, x315, x353); - fiat_secp384r1_addcarryx_u32(&x380, &x381, x379, x317, x355); - fiat_secp384r1_addcarryx_u32(&x382, &x383, x381, x319, x357); - fiat_secp384r1_addcarryx_u32(&x384, &x385, x383, x321, x359); - fiat_secp384r1_addcarryx_u32(&x386, &x387, x385, x323, x361); - fiat_secp384r1_addcarryx_u32(&x388, &x389, x387, x325, x363); - fiat_secp384r1_addcarryx_u32(&x390, &x391, x389, x327, x365); - fiat_secp384r1_addcarryx_u32(&x392, &x393, x391, x329, x367); - fiat_secp384r1_addcarryx_u32(&x394, &x395, x393, x331, x369); - x396 = ((uint32_t)x395 + x332); - fiat_secp384r1_mulx_u32(&x397, &x398, x3, (arg2[11])); - fiat_secp384r1_mulx_u32(&x399, &x400, x3, (arg2[10])); - fiat_secp384r1_mulx_u32(&x401, &x402, x3, (arg2[9])); - fiat_secp384r1_mulx_u32(&x403, &x404, x3, (arg2[8])); - fiat_secp384r1_mulx_u32(&x405, &x406, x3, (arg2[7])); - fiat_secp384r1_mulx_u32(&x407, &x408, x3, (arg2[6])); - fiat_secp384r1_mulx_u32(&x409, &x410, x3, (arg2[5])); - fiat_secp384r1_mulx_u32(&x411, &x412, x3, (arg2[4])); - fiat_secp384r1_mulx_u32(&x413, &x414, x3, (arg2[3])); - fiat_secp384r1_mulx_u32(&x415, &x416, x3, (arg2[2])); - fiat_secp384r1_mulx_u32(&x417, &x418, x3, (arg2[1])); - fiat_secp384r1_mulx_u32(&x419, &x420, x3, (arg2[0])); - fiat_secp384r1_addcarryx_u32(&x421, &x422, 0x0, x420, x417); - fiat_secp384r1_addcarryx_u32(&x423, &x424, x422, x418, x415); - fiat_secp384r1_addcarryx_u32(&x425, &x426, x424, x416, x413); - fiat_secp384r1_addcarryx_u32(&x427, &x428, x426, x414, x411); - fiat_secp384r1_addcarryx_u32(&x429, &x430, x428, x412, x409); - fiat_secp384r1_addcarryx_u32(&x431, &x432, x430, x410, x407); - fiat_secp384r1_addcarryx_u32(&x433, &x434, x432, x408, x405); - fiat_secp384r1_addcarryx_u32(&x435, &x436, x434, x406, x403); - fiat_secp384r1_addcarryx_u32(&x437, &x438, x436, x404, x401); - fiat_secp384r1_addcarryx_u32(&x439, &x440, x438, x402, x399); - fiat_secp384r1_addcarryx_u32(&x441, &x442, x440, x400, x397); - x443 = (x442 + x398); - fiat_secp384r1_addcarryx_u32(&x444, &x445, 0x0, x372, x419); - fiat_secp384r1_addcarryx_u32(&x446, &x447, x445, x374, x421); - fiat_secp384r1_addcarryx_u32(&x448, &x449, x447, x376, x423); - fiat_secp384r1_addcarryx_u32(&x450, &x451, x449, x378, x425); - fiat_secp384r1_addcarryx_u32(&x452, &x453, x451, x380, x427); - fiat_secp384r1_addcarryx_u32(&x454, &x455, x453, x382, x429); - fiat_secp384r1_addcarryx_u32(&x456, &x457, x455, x384, x431); - fiat_secp384r1_addcarryx_u32(&x458, &x459, x457, x386, x433); - fiat_secp384r1_addcarryx_u32(&x460, &x461, x459, x388, x435); - fiat_secp384r1_addcarryx_u32(&x462, &x463, x461, x390, x437); - fiat_secp384r1_addcarryx_u32(&x464, &x465, x463, x392, x439); - fiat_secp384r1_addcarryx_u32(&x466, &x467, x465, x394, x441); - fiat_secp384r1_addcarryx_u32(&x468, &x469, x467, x396, x443); - fiat_secp384r1_mulx_u32(&x470, &x471, x444, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x472, &x473, x444, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x474, &x475, x444, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x476, &x477, x444, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x478, &x479, x444, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x480, &x481, x444, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x482, &x483, x444, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x484, &x485, x444, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x486, &x487, x444, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x488, &x489, x444, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u32(&x490, &x491, 0x0, x487, x484); - fiat_secp384r1_addcarryx_u32(&x492, &x493, x491, x485, x482); - fiat_secp384r1_addcarryx_u32(&x494, &x495, x493, x483, x480); - fiat_secp384r1_addcarryx_u32(&x496, &x497, x495, x481, x478); - fiat_secp384r1_addcarryx_u32(&x498, &x499, x497, x479, x476); - fiat_secp384r1_addcarryx_u32(&x500, &x501, x499, x477, x474); - fiat_secp384r1_addcarryx_u32(&x502, &x503, x501, x475, x472); - fiat_secp384r1_addcarryx_u32(&x504, &x505, x503, x473, x470); - x506 = (x505 + x471); - fiat_secp384r1_addcarryx_u32(&x507, &x508, 0x0, x444, x488); - fiat_secp384r1_addcarryx_u32(&x509, &x510, x508, x446, x489); - fiat_secp384r1_addcarryx_u32(&x511, &x512, x510, x448, 0x0); - fiat_secp384r1_addcarryx_u32(&x513, &x514, x512, x450, x486); - fiat_secp384r1_addcarryx_u32(&x515, &x516, x514, x452, x490); - fiat_secp384r1_addcarryx_u32(&x517, &x518, x516, x454, x492); - fiat_secp384r1_addcarryx_u32(&x519, &x520, x518, x456, x494); - fiat_secp384r1_addcarryx_u32(&x521, &x522, x520, x458, x496); - fiat_secp384r1_addcarryx_u32(&x523, &x524, x522, x460, x498); - fiat_secp384r1_addcarryx_u32(&x525, &x526, x524, x462, x500); - fiat_secp384r1_addcarryx_u32(&x527, &x528, x526, x464, x502); - fiat_secp384r1_addcarryx_u32(&x529, &x530, x528, x466, x504); - fiat_secp384r1_addcarryx_u32(&x531, &x532, x530, x468, x506); - x533 = ((uint32_t)x532 + x469); - fiat_secp384r1_mulx_u32(&x534, &x535, x4, (arg2[11])); - fiat_secp384r1_mulx_u32(&x536, &x537, x4, (arg2[10])); - fiat_secp384r1_mulx_u32(&x538, &x539, x4, (arg2[9])); - fiat_secp384r1_mulx_u32(&x540, &x541, x4, (arg2[8])); - fiat_secp384r1_mulx_u32(&x542, &x543, x4, (arg2[7])); - fiat_secp384r1_mulx_u32(&x544, &x545, x4, (arg2[6])); - fiat_secp384r1_mulx_u32(&x546, &x547, x4, (arg2[5])); - fiat_secp384r1_mulx_u32(&x548, &x549, x4, (arg2[4])); - fiat_secp384r1_mulx_u32(&x550, &x551, x4, (arg2[3])); - fiat_secp384r1_mulx_u32(&x552, &x553, x4, (arg2[2])); - fiat_secp384r1_mulx_u32(&x554, &x555, x4, (arg2[1])); - fiat_secp384r1_mulx_u32(&x556, &x557, x4, (arg2[0])); - fiat_secp384r1_addcarryx_u32(&x558, &x559, 0x0, x557, x554); - fiat_secp384r1_addcarryx_u32(&x560, &x561, x559, x555, x552); - fiat_secp384r1_addcarryx_u32(&x562, &x563, x561, x553, x550); - fiat_secp384r1_addcarryx_u32(&x564, &x565, x563, x551, x548); - fiat_secp384r1_addcarryx_u32(&x566, &x567, x565, x549, x546); - fiat_secp384r1_addcarryx_u32(&x568, &x569, x567, x547, x544); - fiat_secp384r1_addcarryx_u32(&x570, &x571, x569, x545, x542); - fiat_secp384r1_addcarryx_u32(&x572, &x573, x571, x543, x540); - fiat_secp384r1_addcarryx_u32(&x574, &x575, x573, x541, x538); - fiat_secp384r1_addcarryx_u32(&x576, &x577, x575, x539, x536); - fiat_secp384r1_addcarryx_u32(&x578, &x579, x577, x537, x534); - x580 = (x579 + x535); - fiat_secp384r1_addcarryx_u32(&x581, &x582, 0x0, x509, x556); - fiat_secp384r1_addcarryx_u32(&x583, &x584, x582, x511, x558); - fiat_secp384r1_addcarryx_u32(&x585, &x586, x584, x513, x560); - fiat_secp384r1_addcarryx_u32(&x587, &x588, x586, x515, x562); - fiat_secp384r1_addcarryx_u32(&x589, &x590, x588, x517, x564); - fiat_secp384r1_addcarryx_u32(&x591, &x592, x590, x519, x566); - fiat_secp384r1_addcarryx_u32(&x593, &x594, x592, x521, x568); - fiat_secp384r1_addcarryx_u32(&x595, &x596, x594, x523, x570); - fiat_secp384r1_addcarryx_u32(&x597, &x598, x596, x525, x572); - fiat_secp384r1_addcarryx_u32(&x599, &x600, x598, x527, x574); - fiat_secp384r1_addcarryx_u32(&x601, &x602, x600, x529, x576); - fiat_secp384r1_addcarryx_u32(&x603, &x604, x602, x531, x578); - fiat_secp384r1_addcarryx_u32(&x605, &x606, x604, x533, x580); - fiat_secp384r1_mulx_u32(&x607, &x608, x581, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x609, &x610, x581, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x611, &x612, x581, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x613, &x614, x581, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x615, &x616, x581, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x617, &x618, x581, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x619, &x620, x581, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x621, &x622, x581, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x623, &x624, x581, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x625, &x626, x581, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u32(&x627, &x628, 0x0, x624, x621); - fiat_secp384r1_addcarryx_u32(&x629, &x630, x628, x622, x619); - fiat_secp384r1_addcarryx_u32(&x631, &x632, x630, x620, x617); - fiat_secp384r1_addcarryx_u32(&x633, &x634, x632, x618, x615); - fiat_secp384r1_addcarryx_u32(&x635, &x636, x634, x616, x613); - fiat_secp384r1_addcarryx_u32(&x637, &x638, x636, x614, x611); - fiat_secp384r1_addcarryx_u32(&x639, &x640, x638, x612, x609); - fiat_secp384r1_addcarryx_u32(&x641, &x642, x640, x610, x607); - x643 = (x642 + x608); - fiat_secp384r1_addcarryx_u32(&x644, &x645, 0x0, x581, x625); - fiat_secp384r1_addcarryx_u32(&x646, &x647, x645, x583, x626); - fiat_secp384r1_addcarryx_u32(&x648, &x649, x647, x585, 0x0); - fiat_secp384r1_addcarryx_u32(&x650, &x651, x649, x587, x623); - fiat_secp384r1_addcarryx_u32(&x652, &x653, x651, x589, x627); - fiat_secp384r1_addcarryx_u32(&x654, &x655, x653, x591, x629); - fiat_secp384r1_addcarryx_u32(&x656, &x657, x655, x593, x631); - fiat_secp384r1_addcarryx_u32(&x658, &x659, x657, x595, x633); - fiat_secp384r1_addcarryx_u32(&x660, &x661, x659, x597, x635); - fiat_secp384r1_addcarryx_u32(&x662, &x663, x661, x599, x637); - fiat_secp384r1_addcarryx_u32(&x664, &x665, x663, x601, x639); - fiat_secp384r1_addcarryx_u32(&x666, &x667, x665, x603, x641); - fiat_secp384r1_addcarryx_u32(&x668, &x669, x667, x605, x643); - x670 = ((uint32_t)x669 + x606); - fiat_secp384r1_mulx_u32(&x671, &x672, x5, (arg2[11])); - fiat_secp384r1_mulx_u32(&x673, &x674, x5, (arg2[10])); - fiat_secp384r1_mulx_u32(&x675, &x676, x5, (arg2[9])); - fiat_secp384r1_mulx_u32(&x677, &x678, x5, (arg2[8])); - fiat_secp384r1_mulx_u32(&x679, &x680, x5, (arg2[7])); - fiat_secp384r1_mulx_u32(&x681, &x682, x5, (arg2[6])); - fiat_secp384r1_mulx_u32(&x683, &x684, x5, (arg2[5])); - fiat_secp384r1_mulx_u32(&x685, &x686, x5, (arg2[4])); - fiat_secp384r1_mulx_u32(&x687, &x688, x5, (arg2[3])); - fiat_secp384r1_mulx_u32(&x689, &x690, x5, (arg2[2])); - fiat_secp384r1_mulx_u32(&x691, &x692, x5, (arg2[1])); - fiat_secp384r1_mulx_u32(&x693, &x694, x5, (arg2[0])); - fiat_secp384r1_addcarryx_u32(&x695, &x696, 0x0, x694, x691); - fiat_secp384r1_addcarryx_u32(&x697, &x698, x696, x692, x689); - fiat_secp384r1_addcarryx_u32(&x699, &x700, x698, x690, x687); - fiat_secp384r1_addcarryx_u32(&x701, &x702, x700, x688, x685); - fiat_secp384r1_addcarryx_u32(&x703, &x704, x702, x686, x683); - fiat_secp384r1_addcarryx_u32(&x705, &x706, x704, x684, x681); - fiat_secp384r1_addcarryx_u32(&x707, &x708, x706, x682, x679); - fiat_secp384r1_addcarryx_u32(&x709, &x710, x708, x680, x677); - fiat_secp384r1_addcarryx_u32(&x711, &x712, x710, x678, x675); - fiat_secp384r1_addcarryx_u32(&x713, &x714, x712, x676, x673); - fiat_secp384r1_addcarryx_u32(&x715, &x716, x714, x674, x671); - x717 = (x716 + x672); - fiat_secp384r1_addcarryx_u32(&x718, &x719, 0x0, x646, x693); - fiat_secp384r1_addcarryx_u32(&x720, &x721, x719, x648, x695); - fiat_secp384r1_addcarryx_u32(&x722, &x723, x721, x650, x697); - fiat_secp384r1_addcarryx_u32(&x724, &x725, x723, x652, x699); - fiat_secp384r1_addcarryx_u32(&x726, &x727, x725, x654, x701); - fiat_secp384r1_addcarryx_u32(&x728, &x729, x727, x656, x703); - fiat_secp384r1_addcarryx_u32(&x730, &x731, x729, x658, x705); - fiat_secp384r1_addcarryx_u32(&x732, &x733, x731, x660, x707); - fiat_secp384r1_addcarryx_u32(&x734, &x735, x733, x662, x709); - fiat_secp384r1_addcarryx_u32(&x736, &x737, x735, x664, x711); - fiat_secp384r1_addcarryx_u32(&x738, &x739, x737, x666, x713); - fiat_secp384r1_addcarryx_u32(&x740, &x741, x739, x668, x715); - fiat_secp384r1_addcarryx_u32(&x742, &x743, x741, x670, x717); - fiat_secp384r1_mulx_u32(&x744, &x745, x718, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x746, &x747, x718, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x748, &x749, x718, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x750, &x751, x718, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x752, &x753, x718, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x754, &x755, x718, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x756, &x757, x718, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x758, &x759, x718, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x760, &x761, x718, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x762, &x763, x718, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u32(&x764, &x765, 0x0, x761, x758); - fiat_secp384r1_addcarryx_u32(&x766, &x767, x765, x759, x756); - fiat_secp384r1_addcarryx_u32(&x768, &x769, x767, x757, x754); - fiat_secp384r1_addcarryx_u32(&x770, &x771, x769, x755, x752); - fiat_secp384r1_addcarryx_u32(&x772, &x773, x771, x753, x750); - fiat_secp384r1_addcarryx_u32(&x774, &x775, x773, x751, x748); - fiat_secp384r1_addcarryx_u32(&x776, &x777, x775, x749, x746); - fiat_secp384r1_addcarryx_u32(&x778, &x779, x777, x747, x744); - x780 = (x779 + x745); - fiat_secp384r1_addcarryx_u32(&x781, &x782, 0x0, x718, x762); - fiat_secp384r1_addcarryx_u32(&x783, &x784, x782, x720, x763); - fiat_secp384r1_addcarryx_u32(&x785, &x786, x784, x722, 0x0); - fiat_secp384r1_addcarryx_u32(&x787, &x788, x786, x724, x760); - fiat_secp384r1_addcarryx_u32(&x789, &x790, x788, x726, x764); - fiat_secp384r1_addcarryx_u32(&x791, &x792, x790, x728, x766); - fiat_secp384r1_addcarryx_u32(&x793, &x794, x792, x730, x768); - fiat_secp384r1_addcarryx_u32(&x795, &x796, x794, x732, x770); - fiat_secp384r1_addcarryx_u32(&x797, &x798, x796, x734, x772); - fiat_secp384r1_addcarryx_u32(&x799, &x800, x798, x736, x774); - fiat_secp384r1_addcarryx_u32(&x801, &x802, x800, x738, x776); - fiat_secp384r1_addcarryx_u32(&x803, &x804, x802, x740, x778); - fiat_secp384r1_addcarryx_u32(&x805, &x806, x804, x742, x780); - x807 = ((uint32_t)x806 + x743); - fiat_secp384r1_mulx_u32(&x808, &x809, x6, (arg2[11])); - fiat_secp384r1_mulx_u32(&x810, &x811, x6, (arg2[10])); - fiat_secp384r1_mulx_u32(&x812, &x813, x6, (arg2[9])); - fiat_secp384r1_mulx_u32(&x814, &x815, x6, (arg2[8])); - fiat_secp384r1_mulx_u32(&x816, &x817, x6, (arg2[7])); - fiat_secp384r1_mulx_u32(&x818, &x819, x6, (arg2[6])); - fiat_secp384r1_mulx_u32(&x820, &x821, x6, (arg2[5])); - fiat_secp384r1_mulx_u32(&x822, &x823, x6, (arg2[4])); - fiat_secp384r1_mulx_u32(&x824, &x825, x6, (arg2[3])); - fiat_secp384r1_mulx_u32(&x826, &x827, x6, (arg2[2])); - fiat_secp384r1_mulx_u32(&x828, &x829, x6, (arg2[1])); - fiat_secp384r1_mulx_u32(&x830, &x831, x6, (arg2[0])); - fiat_secp384r1_addcarryx_u32(&x832, &x833, 0x0, x831, x828); - fiat_secp384r1_addcarryx_u32(&x834, &x835, x833, x829, x826); - fiat_secp384r1_addcarryx_u32(&x836, &x837, x835, x827, x824); - fiat_secp384r1_addcarryx_u32(&x838, &x839, x837, x825, x822); - fiat_secp384r1_addcarryx_u32(&x840, &x841, x839, x823, x820); - fiat_secp384r1_addcarryx_u32(&x842, &x843, x841, x821, x818); - fiat_secp384r1_addcarryx_u32(&x844, &x845, x843, x819, x816); - fiat_secp384r1_addcarryx_u32(&x846, &x847, x845, x817, x814); - fiat_secp384r1_addcarryx_u32(&x848, &x849, x847, x815, x812); - fiat_secp384r1_addcarryx_u32(&x850, &x851, x849, x813, x810); - fiat_secp384r1_addcarryx_u32(&x852, &x853, x851, x811, x808); - x854 = (x853 + x809); - fiat_secp384r1_addcarryx_u32(&x855, &x856, 0x0, x783, x830); - fiat_secp384r1_addcarryx_u32(&x857, &x858, x856, x785, x832); - fiat_secp384r1_addcarryx_u32(&x859, &x860, x858, x787, x834); - fiat_secp384r1_addcarryx_u32(&x861, &x862, x860, x789, x836); - fiat_secp384r1_addcarryx_u32(&x863, &x864, x862, x791, x838); - fiat_secp384r1_addcarryx_u32(&x865, &x866, x864, x793, x840); - fiat_secp384r1_addcarryx_u32(&x867, &x868, x866, x795, x842); - fiat_secp384r1_addcarryx_u32(&x869, &x870, x868, x797, x844); - fiat_secp384r1_addcarryx_u32(&x871, &x872, x870, x799, x846); - fiat_secp384r1_addcarryx_u32(&x873, &x874, x872, x801, x848); - fiat_secp384r1_addcarryx_u32(&x875, &x876, x874, x803, x850); - fiat_secp384r1_addcarryx_u32(&x877, &x878, x876, x805, x852); - fiat_secp384r1_addcarryx_u32(&x879, &x880, x878, x807, x854); - fiat_secp384r1_mulx_u32(&x881, &x882, x855, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x883, &x884, x855, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x885, &x886, x855, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x887, &x888, x855, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x889, &x890, x855, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x891, &x892, x855, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x893, &x894, x855, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x895, &x896, x855, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x897, &x898, x855, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x899, &x900, x855, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u32(&x901, &x902, 0x0, x898, x895); - fiat_secp384r1_addcarryx_u32(&x903, &x904, x902, x896, x893); - fiat_secp384r1_addcarryx_u32(&x905, &x906, x904, x894, x891); - fiat_secp384r1_addcarryx_u32(&x907, &x908, x906, x892, x889); - fiat_secp384r1_addcarryx_u32(&x909, &x910, x908, x890, x887); - fiat_secp384r1_addcarryx_u32(&x911, &x912, x910, x888, x885); - fiat_secp384r1_addcarryx_u32(&x913, &x914, x912, x886, x883); - fiat_secp384r1_addcarryx_u32(&x915, &x916, x914, x884, x881); - x917 = (x916 + x882); - fiat_secp384r1_addcarryx_u32(&x918, &x919, 0x0, x855, x899); - fiat_secp384r1_addcarryx_u32(&x920, &x921, x919, x857, x900); - fiat_secp384r1_addcarryx_u32(&x922, &x923, x921, x859, 0x0); - fiat_secp384r1_addcarryx_u32(&x924, &x925, x923, x861, x897); - fiat_secp384r1_addcarryx_u32(&x926, &x927, x925, x863, x901); - fiat_secp384r1_addcarryx_u32(&x928, &x929, x927, x865, x903); - fiat_secp384r1_addcarryx_u32(&x930, &x931, x929, x867, x905); - fiat_secp384r1_addcarryx_u32(&x932, &x933, x931, x869, x907); - fiat_secp384r1_addcarryx_u32(&x934, &x935, x933, x871, x909); - fiat_secp384r1_addcarryx_u32(&x936, &x937, x935, x873, x911); - fiat_secp384r1_addcarryx_u32(&x938, &x939, x937, x875, x913); - fiat_secp384r1_addcarryx_u32(&x940, &x941, x939, x877, x915); - fiat_secp384r1_addcarryx_u32(&x942, &x943, x941, x879, x917); - x944 = ((uint32_t)x943 + x880); - fiat_secp384r1_mulx_u32(&x945, &x946, x7, (arg2[11])); - fiat_secp384r1_mulx_u32(&x947, &x948, x7, (arg2[10])); - fiat_secp384r1_mulx_u32(&x949, &x950, x7, (arg2[9])); - fiat_secp384r1_mulx_u32(&x951, &x952, x7, (arg2[8])); - fiat_secp384r1_mulx_u32(&x953, &x954, x7, (arg2[7])); - fiat_secp384r1_mulx_u32(&x955, &x956, x7, (arg2[6])); - fiat_secp384r1_mulx_u32(&x957, &x958, x7, (arg2[5])); - fiat_secp384r1_mulx_u32(&x959, &x960, x7, (arg2[4])); - fiat_secp384r1_mulx_u32(&x961, &x962, x7, (arg2[3])); - fiat_secp384r1_mulx_u32(&x963, &x964, x7, (arg2[2])); - fiat_secp384r1_mulx_u32(&x965, &x966, x7, (arg2[1])); - fiat_secp384r1_mulx_u32(&x967, &x968, x7, (arg2[0])); - fiat_secp384r1_addcarryx_u32(&x969, &x970, 0x0, x968, x965); - fiat_secp384r1_addcarryx_u32(&x971, &x972, x970, x966, x963); - fiat_secp384r1_addcarryx_u32(&x973, &x974, x972, x964, x961); - fiat_secp384r1_addcarryx_u32(&x975, &x976, x974, x962, x959); - fiat_secp384r1_addcarryx_u32(&x977, &x978, x976, x960, x957); - fiat_secp384r1_addcarryx_u32(&x979, &x980, x978, x958, x955); - fiat_secp384r1_addcarryx_u32(&x981, &x982, x980, x956, x953); - fiat_secp384r1_addcarryx_u32(&x983, &x984, x982, x954, x951); - fiat_secp384r1_addcarryx_u32(&x985, &x986, x984, x952, x949); - fiat_secp384r1_addcarryx_u32(&x987, &x988, x986, x950, x947); - fiat_secp384r1_addcarryx_u32(&x989, &x990, x988, x948, x945); - x991 = (x990 + x946); - fiat_secp384r1_addcarryx_u32(&x992, &x993, 0x0, x920, x967); - fiat_secp384r1_addcarryx_u32(&x994, &x995, x993, x922, x969); - fiat_secp384r1_addcarryx_u32(&x996, &x997, x995, x924, x971); - fiat_secp384r1_addcarryx_u32(&x998, &x999, x997, x926, x973); - fiat_secp384r1_addcarryx_u32(&x1000, &x1001, x999, x928, x975); - fiat_secp384r1_addcarryx_u32(&x1002, &x1003, x1001, x930, x977); - fiat_secp384r1_addcarryx_u32(&x1004, &x1005, x1003, x932, x979); - fiat_secp384r1_addcarryx_u32(&x1006, &x1007, x1005, x934, x981); - fiat_secp384r1_addcarryx_u32(&x1008, &x1009, x1007, x936, x983); - fiat_secp384r1_addcarryx_u32(&x1010, &x1011, x1009, x938, x985); - fiat_secp384r1_addcarryx_u32(&x1012, &x1013, x1011, x940, x987); - fiat_secp384r1_addcarryx_u32(&x1014, &x1015, x1013, x942, x989); - fiat_secp384r1_addcarryx_u32(&x1016, &x1017, x1015, x944, x991); - fiat_secp384r1_mulx_u32(&x1018, &x1019, x992, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1020, &x1021, x992, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1022, &x1023, x992, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1024, &x1025, x992, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1026, &x1027, x992, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1028, &x1029, x992, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1030, &x1031, x992, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1032, &x1033, x992, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x1034, &x1035, x992, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1036, &x1037, x992, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u32(&x1038, &x1039, 0x0, x1035, x1032); - fiat_secp384r1_addcarryx_u32(&x1040, &x1041, x1039, x1033, x1030); - fiat_secp384r1_addcarryx_u32(&x1042, &x1043, x1041, x1031, x1028); - fiat_secp384r1_addcarryx_u32(&x1044, &x1045, x1043, x1029, x1026); - fiat_secp384r1_addcarryx_u32(&x1046, &x1047, x1045, x1027, x1024); - fiat_secp384r1_addcarryx_u32(&x1048, &x1049, x1047, x1025, x1022); - fiat_secp384r1_addcarryx_u32(&x1050, &x1051, x1049, x1023, x1020); - fiat_secp384r1_addcarryx_u32(&x1052, &x1053, x1051, x1021, x1018); - x1054 = (x1053 + x1019); - fiat_secp384r1_addcarryx_u32(&x1055, &x1056, 0x0, x992, x1036); - fiat_secp384r1_addcarryx_u32(&x1057, &x1058, x1056, x994, x1037); - fiat_secp384r1_addcarryx_u32(&x1059, &x1060, x1058, x996, 0x0); - fiat_secp384r1_addcarryx_u32(&x1061, &x1062, x1060, x998, x1034); - fiat_secp384r1_addcarryx_u32(&x1063, &x1064, x1062, x1000, x1038); - fiat_secp384r1_addcarryx_u32(&x1065, &x1066, x1064, x1002, x1040); - fiat_secp384r1_addcarryx_u32(&x1067, &x1068, x1066, x1004, x1042); - fiat_secp384r1_addcarryx_u32(&x1069, &x1070, x1068, x1006, x1044); - fiat_secp384r1_addcarryx_u32(&x1071, &x1072, x1070, x1008, x1046); - fiat_secp384r1_addcarryx_u32(&x1073, &x1074, x1072, x1010, x1048); - fiat_secp384r1_addcarryx_u32(&x1075, &x1076, x1074, x1012, x1050); - fiat_secp384r1_addcarryx_u32(&x1077, &x1078, x1076, x1014, x1052); - fiat_secp384r1_addcarryx_u32(&x1079, &x1080, x1078, x1016, x1054); - x1081 = ((uint32_t)x1080 + x1017); - fiat_secp384r1_mulx_u32(&x1082, &x1083, x8, (arg2[11])); - fiat_secp384r1_mulx_u32(&x1084, &x1085, x8, (arg2[10])); - fiat_secp384r1_mulx_u32(&x1086, &x1087, x8, (arg2[9])); - fiat_secp384r1_mulx_u32(&x1088, &x1089, x8, (arg2[8])); - fiat_secp384r1_mulx_u32(&x1090, &x1091, x8, (arg2[7])); - fiat_secp384r1_mulx_u32(&x1092, &x1093, x8, (arg2[6])); - fiat_secp384r1_mulx_u32(&x1094, &x1095, x8, (arg2[5])); - fiat_secp384r1_mulx_u32(&x1096, &x1097, x8, (arg2[4])); - fiat_secp384r1_mulx_u32(&x1098, &x1099, x8, (arg2[3])); - fiat_secp384r1_mulx_u32(&x1100, &x1101, x8, (arg2[2])); - fiat_secp384r1_mulx_u32(&x1102, &x1103, x8, (arg2[1])); - fiat_secp384r1_mulx_u32(&x1104, &x1105, x8, (arg2[0])); - fiat_secp384r1_addcarryx_u32(&x1106, &x1107, 0x0, x1105, x1102); - fiat_secp384r1_addcarryx_u32(&x1108, &x1109, x1107, x1103, x1100); - fiat_secp384r1_addcarryx_u32(&x1110, &x1111, x1109, x1101, x1098); - fiat_secp384r1_addcarryx_u32(&x1112, &x1113, x1111, x1099, x1096); - fiat_secp384r1_addcarryx_u32(&x1114, &x1115, x1113, x1097, x1094); - fiat_secp384r1_addcarryx_u32(&x1116, &x1117, x1115, x1095, x1092); - fiat_secp384r1_addcarryx_u32(&x1118, &x1119, x1117, x1093, x1090); - fiat_secp384r1_addcarryx_u32(&x1120, &x1121, x1119, x1091, x1088); - fiat_secp384r1_addcarryx_u32(&x1122, &x1123, x1121, x1089, x1086); - fiat_secp384r1_addcarryx_u32(&x1124, &x1125, x1123, x1087, x1084); - fiat_secp384r1_addcarryx_u32(&x1126, &x1127, x1125, x1085, x1082); - x1128 = (x1127 + x1083); - fiat_secp384r1_addcarryx_u32(&x1129, &x1130, 0x0, x1057, x1104); - fiat_secp384r1_addcarryx_u32(&x1131, &x1132, x1130, x1059, x1106); - fiat_secp384r1_addcarryx_u32(&x1133, &x1134, x1132, x1061, x1108); - fiat_secp384r1_addcarryx_u32(&x1135, &x1136, x1134, x1063, x1110); - fiat_secp384r1_addcarryx_u32(&x1137, &x1138, x1136, x1065, x1112); - fiat_secp384r1_addcarryx_u32(&x1139, &x1140, x1138, x1067, x1114); - fiat_secp384r1_addcarryx_u32(&x1141, &x1142, x1140, x1069, x1116); - fiat_secp384r1_addcarryx_u32(&x1143, &x1144, x1142, x1071, x1118); - fiat_secp384r1_addcarryx_u32(&x1145, &x1146, x1144, x1073, x1120); - fiat_secp384r1_addcarryx_u32(&x1147, &x1148, x1146, x1075, x1122); - fiat_secp384r1_addcarryx_u32(&x1149, &x1150, x1148, x1077, x1124); - fiat_secp384r1_addcarryx_u32(&x1151, &x1152, x1150, x1079, x1126); - fiat_secp384r1_addcarryx_u32(&x1153, &x1154, x1152, x1081, x1128); - fiat_secp384r1_mulx_u32(&x1155, &x1156, x1129, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1157, &x1158, x1129, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1159, &x1160, x1129, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1161, &x1162, x1129, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1163, &x1164, x1129, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1165, &x1166, x1129, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1167, &x1168, x1129, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1169, &x1170, x1129, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x1171, &x1172, x1129, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1173, &x1174, x1129, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u32(&x1175, &x1176, 0x0, x1172, x1169); - fiat_secp384r1_addcarryx_u32(&x1177, &x1178, x1176, x1170, x1167); - fiat_secp384r1_addcarryx_u32(&x1179, &x1180, x1178, x1168, x1165); - fiat_secp384r1_addcarryx_u32(&x1181, &x1182, x1180, x1166, x1163); - fiat_secp384r1_addcarryx_u32(&x1183, &x1184, x1182, x1164, x1161); - fiat_secp384r1_addcarryx_u32(&x1185, &x1186, x1184, x1162, x1159); - fiat_secp384r1_addcarryx_u32(&x1187, &x1188, x1186, x1160, x1157); - fiat_secp384r1_addcarryx_u32(&x1189, &x1190, x1188, x1158, x1155); - x1191 = (x1190 + x1156); - fiat_secp384r1_addcarryx_u32(&x1192, &x1193, 0x0, x1129, x1173); - fiat_secp384r1_addcarryx_u32(&x1194, &x1195, x1193, x1131, x1174); - fiat_secp384r1_addcarryx_u32(&x1196, &x1197, x1195, x1133, 0x0); - fiat_secp384r1_addcarryx_u32(&x1198, &x1199, x1197, x1135, x1171); - fiat_secp384r1_addcarryx_u32(&x1200, &x1201, x1199, x1137, x1175); - fiat_secp384r1_addcarryx_u32(&x1202, &x1203, x1201, x1139, x1177); - fiat_secp384r1_addcarryx_u32(&x1204, &x1205, x1203, x1141, x1179); - fiat_secp384r1_addcarryx_u32(&x1206, &x1207, x1205, x1143, x1181); - fiat_secp384r1_addcarryx_u32(&x1208, &x1209, x1207, x1145, x1183); - fiat_secp384r1_addcarryx_u32(&x1210, &x1211, x1209, x1147, x1185); - fiat_secp384r1_addcarryx_u32(&x1212, &x1213, x1211, x1149, x1187); - fiat_secp384r1_addcarryx_u32(&x1214, &x1215, x1213, x1151, x1189); - fiat_secp384r1_addcarryx_u32(&x1216, &x1217, x1215, x1153, x1191); - x1218 = ((uint32_t)x1217 + x1154); - fiat_secp384r1_mulx_u32(&x1219, &x1220, x9, (arg2[11])); - fiat_secp384r1_mulx_u32(&x1221, &x1222, x9, (arg2[10])); - fiat_secp384r1_mulx_u32(&x1223, &x1224, x9, (arg2[9])); - fiat_secp384r1_mulx_u32(&x1225, &x1226, x9, (arg2[8])); - fiat_secp384r1_mulx_u32(&x1227, &x1228, x9, (arg2[7])); - fiat_secp384r1_mulx_u32(&x1229, &x1230, x9, (arg2[6])); - fiat_secp384r1_mulx_u32(&x1231, &x1232, x9, (arg2[5])); - fiat_secp384r1_mulx_u32(&x1233, &x1234, x9, (arg2[4])); - fiat_secp384r1_mulx_u32(&x1235, &x1236, x9, (arg2[3])); - fiat_secp384r1_mulx_u32(&x1237, &x1238, x9, (arg2[2])); - fiat_secp384r1_mulx_u32(&x1239, &x1240, x9, (arg2[1])); - fiat_secp384r1_mulx_u32(&x1241, &x1242, x9, (arg2[0])); - fiat_secp384r1_addcarryx_u32(&x1243, &x1244, 0x0, x1242, x1239); - fiat_secp384r1_addcarryx_u32(&x1245, &x1246, x1244, x1240, x1237); - fiat_secp384r1_addcarryx_u32(&x1247, &x1248, x1246, x1238, x1235); - fiat_secp384r1_addcarryx_u32(&x1249, &x1250, x1248, x1236, x1233); - fiat_secp384r1_addcarryx_u32(&x1251, &x1252, x1250, x1234, x1231); - fiat_secp384r1_addcarryx_u32(&x1253, &x1254, x1252, x1232, x1229); - fiat_secp384r1_addcarryx_u32(&x1255, &x1256, x1254, x1230, x1227); - fiat_secp384r1_addcarryx_u32(&x1257, &x1258, x1256, x1228, x1225); - fiat_secp384r1_addcarryx_u32(&x1259, &x1260, x1258, x1226, x1223); - fiat_secp384r1_addcarryx_u32(&x1261, &x1262, x1260, x1224, x1221); - fiat_secp384r1_addcarryx_u32(&x1263, &x1264, x1262, x1222, x1219); - x1265 = (x1264 + x1220); - fiat_secp384r1_addcarryx_u32(&x1266, &x1267, 0x0, x1194, x1241); - fiat_secp384r1_addcarryx_u32(&x1268, &x1269, x1267, x1196, x1243); - fiat_secp384r1_addcarryx_u32(&x1270, &x1271, x1269, x1198, x1245); - fiat_secp384r1_addcarryx_u32(&x1272, &x1273, x1271, x1200, x1247); - fiat_secp384r1_addcarryx_u32(&x1274, &x1275, x1273, x1202, x1249); - fiat_secp384r1_addcarryx_u32(&x1276, &x1277, x1275, x1204, x1251); - fiat_secp384r1_addcarryx_u32(&x1278, &x1279, x1277, x1206, x1253); - fiat_secp384r1_addcarryx_u32(&x1280, &x1281, x1279, x1208, x1255); - fiat_secp384r1_addcarryx_u32(&x1282, &x1283, x1281, x1210, x1257); - fiat_secp384r1_addcarryx_u32(&x1284, &x1285, x1283, x1212, x1259); - fiat_secp384r1_addcarryx_u32(&x1286, &x1287, x1285, x1214, x1261); - fiat_secp384r1_addcarryx_u32(&x1288, &x1289, x1287, x1216, x1263); - fiat_secp384r1_addcarryx_u32(&x1290, &x1291, x1289, x1218, x1265); - fiat_secp384r1_mulx_u32(&x1292, &x1293, x1266, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1294, &x1295, x1266, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1296, &x1297, x1266, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1298, &x1299, x1266, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1300, &x1301, x1266, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1302, &x1303, x1266, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1304, &x1305, x1266, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1306, &x1307, x1266, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x1308, &x1309, x1266, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1310, &x1311, x1266, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u32(&x1312, &x1313, 0x0, x1309, x1306); - fiat_secp384r1_addcarryx_u32(&x1314, &x1315, x1313, x1307, x1304); - fiat_secp384r1_addcarryx_u32(&x1316, &x1317, x1315, x1305, x1302); - fiat_secp384r1_addcarryx_u32(&x1318, &x1319, x1317, x1303, x1300); - fiat_secp384r1_addcarryx_u32(&x1320, &x1321, x1319, x1301, x1298); - fiat_secp384r1_addcarryx_u32(&x1322, &x1323, x1321, x1299, x1296); - fiat_secp384r1_addcarryx_u32(&x1324, &x1325, x1323, x1297, x1294); - fiat_secp384r1_addcarryx_u32(&x1326, &x1327, x1325, x1295, x1292); - x1328 = (x1327 + x1293); - fiat_secp384r1_addcarryx_u32(&x1329, &x1330, 0x0, x1266, x1310); - fiat_secp384r1_addcarryx_u32(&x1331, &x1332, x1330, x1268, x1311); - fiat_secp384r1_addcarryx_u32(&x1333, &x1334, x1332, x1270, 0x0); - fiat_secp384r1_addcarryx_u32(&x1335, &x1336, x1334, x1272, x1308); - fiat_secp384r1_addcarryx_u32(&x1337, &x1338, x1336, x1274, x1312); - fiat_secp384r1_addcarryx_u32(&x1339, &x1340, x1338, x1276, x1314); - fiat_secp384r1_addcarryx_u32(&x1341, &x1342, x1340, x1278, x1316); - fiat_secp384r1_addcarryx_u32(&x1343, &x1344, x1342, x1280, x1318); - fiat_secp384r1_addcarryx_u32(&x1345, &x1346, x1344, x1282, x1320); - fiat_secp384r1_addcarryx_u32(&x1347, &x1348, x1346, x1284, x1322); - fiat_secp384r1_addcarryx_u32(&x1349, &x1350, x1348, x1286, x1324); - fiat_secp384r1_addcarryx_u32(&x1351, &x1352, x1350, x1288, x1326); - fiat_secp384r1_addcarryx_u32(&x1353, &x1354, x1352, x1290, x1328); - x1355 = ((uint32_t)x1354 + x1291); - fiat_secp384r1_mulx_u32(&x1356, &x1357, x10, (arg2[11])); - fiat_secp384r1_mulx_u32(&x1358, &x1359, x10, (arg2[10])); - fiat_secp384r1_mulx_u32(&x1360, &x1361, x10, (arg2[9])); - fiat_secp384r1_mulx_u32(&x1362, &x1363, x10, (arg2[8])); - fiat_secp384r1_mulx_u32(&x1364, &x1365, x10, (arg2[7])); - fiat_secp384r1_mulx_u32(&x1366, &x1367, x10, (arg2[6])); - fiat_secp384r1_mulx_u32(&x1368, &x1369, x10, (arg2[5])); - fiat_secp384r1_mulx_u32(&x1370, &x1371, x10, (arg2[4])); - fiat_secp384r1_mulx_u32(&x1372, &x1373, x10, (arg2[3])); - fiat_secp384r1_mulx_u32(&x1374, &x1375, x10, (arg2[2])); - fiat_secp384r1_mulx_u32(&x1376, &x1377, x10, (arg2[1])); - fiat_secp384r1_mulx_u32(&x1378, &x1379, x10, (arg2[0])); - fiat_secp384r1_addcarryx_u32(&x1380, &x1381, 0x0, x1379, x1376); - fiat_secp384r1_addcarryx_u32(&x1382, &x1383, x1381, x1377, x1374); - fiat_secp384r1_addcarryx_u32(&x1384, &x1385, x1383, x1375, x1372); - fiat_secp384r1_addcarryx_u32(&x1386, &x1387, x1385, x1373, x1370); - fiat_secp384r1_addcarryx_u32(&x1388, &x1389, x1387, x1371, x1368); - fiat_secp384r1_addcarryx_u32(&x1390, &x1391, x1389, x1369, x1366); - fiat_secp384r1_addcarryx_u32(&x1392, &x1393, x1391, x1367, x1364); - fiat_secp384r1_addcarryx_u32(&x1394, &x1395, x1393, x1365, x1362); - fiat_secp384r1_addcarryx_u32(&x1396, &x1397, x1395, x1363, x1360); - fiat_secp384r1_addcarryx_u32(&x1398, &x1399, x1397, x1361, x1358); - fiat_secp384r1_addcarryx_u32(&x1400, &x1401, x1399, x1359, x1356); - x1402 = (x1401 + x1357); - fiat_secp384r1_addcarryx_u32(&x1403, &x1404, 0x0, x1331, x1378); - fiat_secp384r1_addcarryx_u32(&x1405, &x1406, x1404, x1333, x1380); - fiat_secp384r1_addcarryx_u32(&x1407, &x1408, x1406, x1335, x1382); - fiat_secp384r1_addcarryx_u32(&x1409, &x1410, x1408, x1337, x1384); - fiat_secp384r1_addcarryx_u32(&x1411, &x1412, x1410, x1339, x1386); - fiat_secp384r1_addcarryx_u32(&x1413, &x1414, x1412, x1341, x1388); - fiat_secp384r1_addcarryx_u32(&x1415, &x1416, x1414, x1343, x1390); - fiat_secp384r1_addcarryx_u32(&x1417, &x1418, x1416, x1345, x1392); - fiat_secp384r1_addcarryx_u32(&x1419, &x1420, x1418, x1347, x1394); - fiat_secp384r1_addcarryx_u32(&x1421, &x1422, x1420, x1349, x1396); - fiat_secp384r1_addcarryx_u32(&x1423, &x1424, x1422, x1351, x1398); - fiat_secp384r1_addcarryx_u32(&x1425, &x1426, x1424, x1353, x1400); - fiat_secp384r1_addcarryx_u32(&x1427, &x1428, x1426, x1355, x1402); - fiat_secp384r1_mulx_u32(&x1429, &x1430, x1403, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1431, &x1432, x1403, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1433, &x1434, x1403, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1435, &x1436, x1403, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1437, &x1438, x1403, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1439, &x1440, x1403, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1441, &x1442, x1403, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1443, &x1444, x1403, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x1445, &x1446, x1403, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1447, &x1448, x1403, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u32(&x1449, &x1450, 0x0, x1446, x1443); - fiat_secp384r1_addcarryx_u32(&x1451, &x1452, x1450, x1444, x1441); - fiat_secp384r1_addcarryx_u32(&x1453, &x1454, x1452, x1442, x1439); - fiat_secp384r1_addcarryx_u32(&x1455, &x1456, x1454, x1440, x1437); - fiat_secp384r1_addcarryx_u32(&x1457, &x1458, x1456, x1438, x1435); - fiat_secp384r1_addcarryx_u32(&x1459, &x1460, x1458, x1436, x1433); - fiat_secp384r1_addcarryx_u32(&x1461, &x1462, x1460, x1434, x1431); - fiat_secp384r1_addcarryx_u32(&x1463, &x1464, x1462, x1432, x1429); - x1465 = (x1464 + x1430); - fiat_secp384r1_addcarryx_u32(&x1466, &x1467, 0x0, x1403, x1447); - fiat_secp384r1_addcarryx_u32(&x1468, &x1469, x1467, x1405, x1448); - fiat_secp384r1_addcarryx_u32(&x1470, &x1471, x1469, x1407, 0x0); - fiat_secp384r1_addcarryx_u32(&x1472, &x1473, x1471, x1409, x1445); - fiat_secp384r1_addcarryx_u32(&x1474, &x1475, x1473, x1411, x1449); - fiat_secp384r1_addcarryx_u32(&x1476, &x1477, x1475, x1413, x1451); - fiat_secp384r1_addcarryx_u32(&x1478, &x1479, x1477, x1415, x1453); - fiat_secp384r1_addcarryx_u32(&x1480, &x1481, x1479, x1417, x1455); - fiat_secp384r1_addcarryx_u32(&x1482, &x1483, x1481, x1419, x1457); - fiat_secp384r1_addcarryx_u32(&x1484, &x1485, x1483, x1421, x1459); - fiat_secp384r1_addcarryx_u32(&x1486, &x1487, x1485, x1423, x1461); - fiat_secp384r1_addcarryx_u32(&x1488, &x1489, x1487, x1425, x1463); - fiat_secp384r1_addcarryx_u32(&x1490, &x1491, x1489, x1427, x1465); - x1492 = ((uint32_t)x1491 + x1428); - fiat_secp384r1_mulx_u32(&x1493, &x1494, x11, (arg2[11])); - fiat_secp384r1_mulx_u32(&x1495, &x1496, x11, (arg2[10])); - fiat_secp384r1_mulx_u32(&x1497, &x1498, x11, (arg2[9])); - fiat_secp384r1_mulx_u32(&x1499, &x1500, x11, (arg2[8])); - fiat_secp384r1_mulx_u32(&x1501, &x1502, x11, (arg2[7])); - fiat_secp384r1_mulx_u32(&x1503, &x1504, x11, (arg2[6])); - fiat_secp384r1_mulx_u32(&x1505, &x1506, x11, (arg2[5])); - fiat_secp384r1_mulx_u32(&x1507, &x1508, x11, (arg2[4])); - fiat_secp384r1_mulx_u32(&x1509, &x1510, x11, (arg2[3])); - fiat_secp384r1_mulx_u32(&x1511, &x1512, x11, (arg2[2])); - fiat_secp384r1_mulx_u32(&x1513, &x1514, x11, (arg2[1])); - fiat_secp384r1_mulx_u32(&x1515, &x1516, x11, (arg2[0])); - fiat_secp384r1_addcarryx_u32(&x1517, &x1518, 0x0, x1516, x1513); - fiat_secp384r1_addcarryx_u32(&x1519, &x1520, x1518, x1514, x1511); - fiat_secp384r1_addcarryx_u32(&x1521, &x1522, x1520, x1512, x1509); - fiat_secp384r1_addcarryx_u32(&x1523, &x1524, x1522, x1510, x1507); - fiat_secp384r1_addcarryx_u32(&x1525, &x1526, x1524, x1508, x1505); - fiat_secp384r1_addcarryx_u32(&x1527, &x1528, x1526, x1506, x1503); - fiat_secp384r1_addcarryx_u32(&x1529, &x1530, x1528, x1504, x1501); - fiat_secp384r1_addcarryx_u32(&x1531, &x1532, x1530, x1502, x1499); - fiat_secp384r1_addcarryx_u32(&x1533, &x1534, x1532, x1500, x1497); - fiat_secp384r1_addcarryx_u32(&x1535, &x1536, x1534, x1498, x1495); - fiat_secp384r1_addcarryx_u32(&x1537, &x1538, x1536, x1496, x1493); - x1539 = (x1538 + x1494); - fiat_secp384r1_addcarryx_u32(&x1540, &x1541, 0x0, x1468, x1515); - fiat_secp384r1_addcarryx_u32(&x1542, &x1543, x1541, x1470, x1517); - fiat_secp384r1_addcarryx_u32(&x1544, &x1545, x1543, x1472, x1519); - fiat_secp384r1_addcarryx_u32(&x1546, &x1547, x1545, x1474, x1521); - fiat_secp384r1_addcarryx_u32(&x1548, &x1549, x1547, x1476, x1523); - fiat_secp384r1_addcarryx_u32(&x1550, &x1551, x1549, x1478, x1525); - fiat_secp384r1_addcarryx_u32(&x1552, &x1553, x1551, x1480, x1527); - fiat_secp384r1_addcarryx_u32(&x1554, &x1555, x1553, x1482, x1529); - fiat_secp384r1_addcarryx_u32(&x1556, &x1557, x1555, x1484, x1531); - fiat_secp384r1_addcarryx_u32(&x1558, &x1559, x1557, x1486, x1533); - fiat_secp384r1_addcarryx_u32(&x1560, &x1561, x1559, x1488, x1535); - fiat_secp384r1_addcarryx_u32(&x1562, &x1563, x1561, x1490, x1537); - fiat_secp384r1_addcarryx_u32(&x1564, &x1565, x1563, x1492, x1539); - fiat_secp384r1_mulx_u32(&x1566, &x1567, x1540, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1568, &x1569, x1540, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1570, &x1571, x1540, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1572, &x1573, x1540, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1574, &x1575, x1540, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1576, &x1577, x1540, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1578, &x1579, x1540, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1580, &x1581, x1540, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x1582, &x1583, x1540, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1584, &x1585, x1540, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u32(&x1586, &x1587, 0x0, x1583, x1580); - fiat_secp384r1_addcarryx_u32(&x1588, &x1589, x1587, x1581, x1578); - fiat_secp384r1_addcarryx_u32(&x1590, &x1591, x1589, x1579, x1576); - fiat_secp384r1_addcarryx_u32(&x1592, &x1593, x1591, x1577, x1574); - fiat_secp384r1_addcarryx_u32(&x1594, &x1595, x1593, x1575, x1572); - fiat_secp384r1_addcarryx_u32(&x1596, &x1597, x1595, x1573, x1570); - fiat_secp384r1_addcarryx_u32(&x1598, &x1599, x1597, x1571, x1568); - fiat_secp384r1_addcarryx_u32(&x1600, &x1601, x1599, x1569, x1566); - x1602 = (x1601 + x1567); - fiat_secp384r1_addcarryx_u32(&x1603, &x1604, 0x0, x1540, x1584); - fiat_secp384r1_addcarryx_u32(&x1605, &x1606, x1604, x1542, x1585); - fiat_secp384r1_addcarryx_u32(&x1607, &x1608, x1606, x1544, 0x0); - fiat_secp384r1_addcarryx_u32(&x1609, &x1610, x1608, x1546, x1582); - fiat_secp384r1_addcarryx_u32(&x1611, &x1612, x1610, x1548, x1586); - fiat_secp384r1_addcarryx_u32(&x1613, &x1614, x1612, x1550, x1588); - fiat_secp384r1_addcarryx_u32(&x1615, &x1616, x1614, x1552, x1590); - fiat_secp384r1_addcarryx_u32(&x1617, &x1618, x1616, x1554, x1592); - fiat_secp384r1_addcarryx_u32(&x1619, &x1620, x1618, x1556, x1594); - fiat_secp384r1_addcarryx_u32(&x1621, &x1622, x1620, x1558, x1596); - fiat_secp384r1_addcarryx_u32(&x1623, &x1624, x1622, x1560, x1598); - fiat_secp384r1_addcarryx_u32(&x1625, &x1626, x1624, x1562, x1600); - fiat_secp384r1_addcarryx_u32(&x1627, &x1628, x1626, x1564, x1602); - x1629 = ((uint32_t)x1628 + x1565); - fiat_secp384r1_subborrowx_u32(&x1630, &x1631, 0x0, x1605, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x1632, &x1633, x1631, x1607, 0x0); - fiat_secp384r1_subborrowx_u32(&x1634, &x1635, x1633, x1609, 0x0); - fiat_secp384r1_subborrowx_u32(&x1636, &x1637, x1635, x1611, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x1638, &x1639, x1637, x1613, - UINT32_C(0xfffffffe)); - fiat_secp384r1_subborrowx_u32(&x1640, &x1641, x1639, x1615, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x1642, &x1643, x1641, x1617, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x1644, &x1645, x1643, x1619, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x1646, &x1647, x1645, x1621, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x1648, &x1649, x1647, x1623, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x1650, &x1651, x1649, x1625, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x1652, &x1653, x1651, x1627, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x1654, &x1655, x1653, x1629, 0x0); - fiat_secp384r1_cmovznz_u32(&x1656, x1655, x1630, x1605); - fiat_secp384r1_cmovznz_u32(&x1657, x1655, x1632, x1607); - fiat_secp384r1_cmovznz_u32(&x1658, x1655, x1634, x1609); - fiat_secp384r1_cmovznz_u32(&x1659, x1655, x1636, x1611); - fiat_secp384r1_cmovznz_u32(&x1660, x1655, x1638, x1613); - fiat_secp384r1_cmovznz_u32(&x1661, x1655, x1640, x1615); - fiat_secp384r1_cmovznz_u32(&x1662, x1655, x1642, x1617); - fiat_secp384r1_cmovznz_u32(&x1663, x1655, x1644, x1619); - fiat_secp384r1_cmovznz_u32(&x1664, x1655, x1646, x1621); - fiat_secp384r1_cmovznz_u32(&x1665, x1655, x1648, x1623); - fiat_secp384r1_cmovznz_u32(&x1666, x1655, x1650, x1625); - fiat_secp384r1_cmovznz_u32(&x1667, x1655, x1652, x1627); - out1[0] = x1656; - out1[1] = x1657; - out1[2] = x1658; - out1[3] = x1659; - out1[4] = x1660; - out1[5] = x1661; - out1[6] = x1662; - out1[7] = x1663; - out1[8] = x1664; - out1[9] = x1665; - out1[10] = x1666; - out1[11] = x1667; -} - -/* - * The function fiat_secp384r1_square squares a field element in the Montgomery domain. - * - * Preconditions: - * 0 ≤ eval arg1 < m - * Postconditions: - * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg1)) mod m - * 0 ≤ eval out1 < m - * - */ -static void -fiat_secp384r1_square( - fiat_secp384r1_montgomery_domain_field_element out1, - const fiat_secp384r1_montgomery_domain_field_element arg1) -{ - uint32_t x1; - uint32_t x2; - uint32_t x3; - uint32_t x4; - uint32_t x5; - uint32_t x6; - uint32_t x7; - uint32_t x8; - uint32_t x9; - uint32_t x10; - uint32_t x11; - uint32_t x12; - uint32_t x13; - uint32_t x14; - uint32_t x15; - uint32_t x16; - uint32_t x17; - uint32_t x18; - uint32_t x19; - uint32_t x20; - uint32_t x21; - uint32_t x22; - uint32_t x23; - uint32_t x24; - uint32_t x25; - uint32_t x26; - uint32_t x27; - uint32_t x28; - uint32_t x29; - uint32_t x30; - uint32_t x31; - uint32_t x32; - uint32_t x33; - uint32_t x34; - uint32_t x35; - uint32_t x36; - uint32_t x37; - fiat_secp384r1_uint1 x38; - uint32_t x39; - fiat_secp384r1_uint1 x40; - uint32_t x41; - fiat_secp384r1_uint1 x42; - uint32_t x43; - fiat_secp384r1_uint1 x44; - uint32_t x45; - fiat_secp384r1_uint1 x46; - uint32_t x47; - fiat_secp384r1_uint1 x48; - uint32_t x49; - fiat_secp384r1_uint1 x50; - uint32_t x51; - fiat_secp384r1_uint1 x52; - uint32_t x53; - fiat_secp384r1_uint1 x54; - uint32_t x55; - fiat_secp384r1_uint1 x56; - uint32_t x57; - fiat_secp384r1_uint1 x58; - uint32_t x59; - uint32_t x60; - uint32_t x61; - uint32_t x62; - uint32_t x63; - uint32_t x64; - uint32_t x65; - uint32_t x66; - uint32_t x67; - uint32_t x68; - uint32_t x69; - uint32_t x70; - uint32_t x71; - uint32_t x72; - uint32_t x73; - uint32_t x74; - uint32_t x75; - uint32_t x76; - uint32_t x77; - uint32_t x78; - uint32_t x79; - uint32_t x80; - fiat_secp384r1_uint1 x81; - uint32_t x82; - fiat_secp384r1_uint1 x83; - uint32_t x84; - fiat_secp384r1_uint1 x85; - uint32_t x86; - fiat_secp384r1_uint1 x87; - uint32_t x88; - fiat_secp384r1_uint1 x89; - uint32_t x90; - fiat_secp384r1_uint1 x91; - uint32_t x92; - fiat_secp384r1_uint1 x93; - uint32_t x94; - fiat_secp384r1_uint1 x95; - uint32_t x96; - uint32_t x97; - fiat_secp384r1_uint1 x98; - uint32_t x99; - fiat_secp384r1_uint1 x100; - uint32_t x101; - fiat_secp384r1_uint1 x102; - uint32_t x103; - fiat_secp384r1_uint1 x104; - uint32_t x105; - fiat_secp384r1_uint1 x106; - uint32_t x107; - fiat_secp384r1_uint1 x108; - uint32_t x109; - fiat_secp384r1_uint1 x110; - uint32_t x111; - fiat_secp384r1_uint1 x112; - uint32_t x113; - fiat_secp384r1_uint1 x114; - uint32_t x115; - fiat_secp384r1_uint1 x116; - uint32_t x117; - fiat_secp384r1_uint1 x118; - uint32_t x119; - fiat_secp384r1_uint1 x120; - uint32_t x121; - fiat_secp384r1_uint1 x122; - uint32_t x123; - uint32_t x124; - uint32_t x125; - uint32_t x126; - uint32_t x127; - uint32_t x128; - uint32_t x129; - uint32_t x130; - uint32_t x131; - uint32_t x132; - uint32_t x133; - uint32_t x134; - uint32_t x135; - uint32_t x136; - uint32_t x137; - uint32_t x138; - uint32_t x139; - uint32_t x140; - uint32_t x141; - uint32_t x142; - uint32_t x143; - uint32_t x144; - uint32_t x145; - uint32_t x146; - uint32_t x147; - fiat_secp384r1_uint1 x148; - uint32_t x149; - fiat_secp384r1_uint1 x150; - uint32_t x151; - fiat_secp384r1_uint1 x152; - uint32_t x153; - fiat_secp384r1_uint1 x154; - uint32_t x155; - fiat_secp384r1_uint1 x156; - uint32_t x157; - fiat_secp384r1_uint1 x158; - uint32_t x159; - fiat_secp384r1_uint1 x160; - uint32_t x161; - fiat_secp384r1_uint1 x162; - uint32_t x163; - fiat_secp384r1_uint1 x164; - uint32_t x165; - fiat_secp384r1_uint1 x166; - uint32_t x167; - fiat_secp384r1_uint1 x168; - uint32_t x169; - uint32_t x170; - fiat_secp384r1_uint1 x171; - uint32_t x172; - fiat_secp384r1_uint1 x173; - uint32_t x174; - fiat_secp384r1_uint1 x175; - uint32_t x176; - fiat_secp384r1_uint1 x177; - uint32_t x178; - fiat_secp384r1_uint1 x179; - uint32_t x180; - fiat_secp384r1_uint1 x181; - uint32_t x182; - fiat_secp384r1_uint1 x183; - uint32_t x184; - fiat_secp384r1_uint1 x185; - uint32_t x186; - fiat_secp384r1_uint1 x187; - uint32_t x188; - fiat_secp384r1_uint1 x189; - uint32_t x190; - fiat_secp384r1_uint1 x191; - uint32_t x192; - fiat_secp384r1_uint1 x193; - uint32_t x194; - fiat_secp384r1_uint1 x195; - uint32_t x196; - uint32_t x197; - uint32_t x198; - uint32_t x199; - uint32_t x200; - uint32_t x201; - uint32_t x202; - uint32_t x203; - uint32_t x204; - uint32_t x205; - uint32_t x206; - uint32_t x207; - uint32_t x208; - uint32_t x209; - uint32_t x210; - uint32_t x211; - uint32_t x212; - uint32_t x213; - uint32_t x214; - uint32_t x215; - uint32_t x216; - fiat_secp384r1_uint1 x217; - uint32_t x218; - fiat_secp384r1_uint1 x219; - uint32_t x220; - fiat_secp384r1_uint1 x221; - uint32_t x222; - fiat_secp384r1_uint1 x223; - uint32_t x224; - fiat_secp384r1_uint1 x225; - uint32_t x226; - fiat_secp384r1_uint1 x227; - uint32_t x228; - fiat_secp384r1_uint1 x229; - uint32_t x230; - fiat_secp384r1_uint1 x231; - uint32_t x232; - uint32_t x233; - fiat_secp384r1_uint1 x234; - uint32_t x235; - fiat_secp384r1_uint1 x236; - uint32_t x237; - fiat_secp384r1_uint1 x238; - uint32_t x239; - fiat_secp384r1_uint1 x240; - uint32_t x241; - fiat_secp384r1_uint1 x242; - uint32_t x243; - fiat_secp384r1_uint1 x244; - uint32_t x245; - fiat_secp384r1_uint1 x246; - uint32_t x247; - fiat_secp384r1_uint1 x248; - uint32_t x249; - fiat_secp384r1_uint1 x250; - uint32_t x251; - fiat_secp384r1_uint1 x252; - uint32_t x253; - fiat_secp384r1_uint1 x254; - uint32_t x255; - fiat_secp384r1_uint1 x256; - uint32_t x257; - fiat_secp384r1_uint1 x258; - uint32_t x259; - uint32_t x260; - uint32_t x261; - uint32_t x262; - uint32_t x263; - uint32_t x264; - uint32_t x265; - uint32_t x266; - uint32_t x267; - uint32_t x268; - uint32_t x269; - uint32_t x270; - uint32_t x271; - uint32_t x272; - uint32_t x273; - uint32_t x274; - uint32_t x275; - uint32_t x276; - uint32_t x277; - uint32_t x278; - uint32_t x279; - uint32_t x280; - uint32_t x281; - uint32_t x282; - uint32_t x283; - uint32_t x284; - fiat_secp384r1_uint1 x285; - uint32_t x286; - fiat_secp384r1_uint1 x287; - uint32_t x288; - fiat_secp384r1_uint1 x289; - uint32_t x290; - fiat_secp384r1_uint1 x291; - uint32_t x292; - fiat_secp384r1_uint1 x293; - uint32_t x294; - fiat_secp384r1_uint1 x295; - uint32_t x296; - fiat_secp384r1_uint1 x297; - uint32_t x298; - fiat_secp384r1_uint1 x299; - uint32_t x300; - fiat_secp384r1_uint1 x301; - uint32_t x302; - fiat_secp384r1_uint1 x303; - uint32_t x304; - fiat_secp384r1_uint1 x305; - uint32_t x306; - uint32_t x307; - fiat_secp384r1_uint1 x308; - uint32_t x309; - fiat_secp384r1_uint1 x310; - uint32_t x311; - fiat_secp384r1_uint1 x312; - uint32_t x313; - fiat_secp384r1_uint1 x314; - uint32_t x315; - fiat_secp384r1_uint1 x316; - uint32_t x317; - fiat_secp384r1_uint1 x318; - uint32_t x319; - fiat_secp384r1_uint1 x320; - uint32_t x321; - fiat_secp384r1_uint1 x322; - uint32_t x323; - fiat_secp384r1_uint1 x324; - uint32_t x325; - fiat_secp384r1_uint1 x326; - uint32_t x327; - fiat_secp384r1_uint1 x328; - uint32_t x329; - fiat_secp384r1_uint1 x330; - uint32_t x331; - fiat_secp384r1_uint1 x332; - uint32_t x333; - uint32_t x334; - uint32_t x335; - uint32_t x336; - uint32_t x337; - uint32_t x338; - uint32_t x339; - uint32_t x340; - uint32_t x341; - uint32_t x342; - uint32_t x343; - uint32_t x344; - uint32_t x345; - uint32_t x346; - uint32_t x347; - uint32_t x348; - uint32_t x349; - uint32_t x350; - uint32_t x351; - uint32_t x352; - uint32_t x353; - fiat_secp384r1_uint1 x354; - uint32_t x355; - fiat_secp384r1_uint1 x356; - uint32_t x357; - fiat_secp384r1_uint1 x358; - uint32_t x359; - fiat_secp384r1_uint1 x360; - uint32_t x361; - fiat_secp384r1_uint1 x362; - uint32_t x363; - fiat_secp384r1_uint1 x364; - uint32_t x365; - fiat_secp384r1_uint1 x366; - uint32_t x367; - fiat_secp384r1_uint1 x368; - uint32_t x369; - uint32_t x370; - fiat_secp384r1_uint1 x371; - uint32_t x372; - fiat_secp384r1_uint1 x373; - uint32_t x374; - fiat_secp384r1_uint1 x375; - uint32_t x376; - fiat_secp384r1_uint1 x377; - uint32_t x378; - fiat_secp384r1_uint1 x379; - uint32_t x380; - fiat_secp384r1_uint1 x381; - uint32_t x382; - fiat_secp384r1_uint1 x383; - uint32_t x384; - fiat_secp384r1_uint1 x385; - uint32_t x386; - fiat_secp384r1_uint1 x387; - uint32_t x388; - fiat_secp384r1_uint1 x389; - uint32_t x390; - fiat_secp384r1_uint1 x391; - uint32_t x392; - fiat_secp384r1_uint1 x393; - uint32_t x394; - fiat_secp384r1_uint1 x395; - uint32_t x396; - uint32_t x397; - uint32_t x398; - uint32_t x399; - uint32_t x400; - uint32_t x401; - uint32_t x402; - uint32_t x403; - uint32_t x404; - uint32_t x405; - uint32_t x406; - uint32_t x407; - uint32_t x408; - uint32_t x409; - uint32_t x410; - uint32_t x411; - uint32_t x412; - uint32_t x413; - uint32_t x414; - uint32_t x415; - uint32_t x416; - uint32_t x417; - uint32_t x418; - uint32_t x419; - uint32_t x420; - uint32_t x421; - fiat_secp384r1_uint1 x422; - uint32_t x423; - fiat_secp384r1_uint1 x424; - uint32_t x425; - fiat_secp384r1_uint1 x426; - uint32_t x427; - fiat_secp384r1_uint1 x428; - uint32_t x429; - fiat_secp384r1_uint1 x430; - uint32_t x431; - fiat_secp384r1_uint1 x432; - uint32_t x433; - fiat_secp384r1_uint1 x434; - uint32_t x435; - fiat_secp384r1_uint1 x436; - uint32_t x437; - fiat_secp384r1_uint1 x438; - uint32_t x439; - fiat_secp384r1_uint1 x440; - uint32_t x441; - fiat_secp384r1_uint1 x442; - uint32_t x443; - uint32_t x444; - fiat_secp384r1_uint1 x445; - uint32_t x446; - fiat_secp384r1_uint1 x447; - uint32_t x448; - fiat_secp384r1_uint1 x449; - uint32_t x450; - fiat_secp384r1_uint1 x451; - uint32_t x452; - fiat_secp384r1_uint1 x453; - uint32_t x454; - fiat_secp384r1_uint1 x455; - uint32_t x456; - fiat_secp384r1_uint1 x457; - uint32_t x458; - fiat_secp384r1_uint1 x459; - uint32_t x460; - fiat_secp384r1_uint1 x461; - uint32_t x462; - fiat_secp384r1_uint1 x463; - uint32_t x464; - fiat_secp384r1_uint1 x465; - uint32_t x466; - fiat_secp384r1_uint1 x467; - uint32_t x468; - fiat_secp384r1_uint1 x469; - uint32_t x470; - uint32_t x471; - uint32_t x472; - uint32_t x473; - uint32_t x474; - uint32_t x475; - uint32_t x476; - uint32_t x477; - uint32_t x478; - uint32_t x479; - uint32_t x480; - uint32_t x481; - uint32_t x482; - uint32_t x483; - uint32_t x484; - uint32_t x485; - uint32_t x486; - uint32_t x487; - uint32_t x488; - uint32_t x489; - uint32_t x490; - fiat_secp384r1_uint1 x491; - uint32_t x492; - fiat_secp384r1_uint1 x493; - uint32_t x494; - fiat_secp384r1_uint1 x495; - uint32_t x496; - fiat_secp384r1_uint1 x497; - uint32_t x498; - fiat_secp384r1_uint1 x499; - uint32_t x500; - fiat_secp384r1_uint1 x501; - uint32_t x502; - fiat_secp384r1_uint1 x503; - uint32_t x504; - fiat_secp384r1_uint1 x505; - uint32_t x506; - uint32_t x507; - fiat_secp384r1_uint1 x508; - uint32_t x509; - fiat_secp384r1_uint1 x510; - uint32_t x511; - fiat_secp384r1_uint1 x512; - uint32_t x513; - fiat_secp384r1_uint1 x514; - uint32_t x515; - fiat_secp384r1_uint1 x516; - uint32_t x517; - fiat_secp384r1_uint1 x518; - uint32_t x519; - fiat_secp384r1_uint1 x520; - uint32_t x521; - fiat_secp384r1_uint1 x522; - uint32_t x523; - fiat_secp384r1_uint1 x524; - uint32_t x525; - fiat_secp384r1_uint1 x526; - uint32_t x527; - fiat_secp384r1_uint1 x528; - uint32_t x529; - fiat_secp384r1_uint1 x530; - uint32_t x531; - fiat_secp384r1_uint1 x532; - uint32_t x533; - uint32_t x534; - uint32_t x535; - uint32_t x536; - uint32_t x537; - uint32_t x538; - uint32_t x539; - uint32_t x540; - uint32_t x541; - uint32_t x542; - uint32_t x543; - uint32_t x544; - uint32_t x545; - uint32_t x546; - uint32_t x547; - uint32_t x548; - uint32_t x549; - uint32_t x550; - uint32_t x551; - uint32_t x552; - uint32_t x553; - uint32_t x554; - uint32_t x555; - uint32_t x556; - uint32_t x557; - uint32_t x558; - fiat_secp384r1_uint1 x559; - uint32_t x560; - fiat_secp384r1_uint1 x561; - uint32_t x562; - fiat_secp384r1_uint1 x563; - uint32_t x564; - fiat_secp384r1_uint1 x565; - uint32_t x566; - fiat_secp384r1_uint1 x567; - uint32_t x568; - fiat_secp384r1_uint1 x569; - uint32_t x570; - fiat_secp384r1_uint1 x571; - uint32_t x572; - fiat_secp384r1_uint1 x573; - uint32_t x574; - fiat_secp384r1_uint1 x575; - uint32_t x576; - fiat_secp384r1_uint1 x577; - uint32_t x578; - fiat_secp384r1_uint1 x579; - uint32_t x580; - uint32_t x581; - fiat_secp384r1_uint1 x582; - uint32_t x583; - fiat_secp384r1_uint1 x584; - uint32_t x585; - fiat_secp384r1_uint1 x586; - uint32_t x587; - fiat_secp384r1_uint1 x588; - uint32_t x589; - fiat_secp384r1_uint1 x590; - uint32_t x591; - fiat_secp384r1_uint1 x592; - uint32_t x593; - fiat_secp384r1_uint1 x594; - uint32_t x595; - fiat_secp384r1_uint1 x596; - uint32_t x597; - fiat_secp384r1_uint1 x598; - uint32_t x599; - fiat_secp384r1_uint1 x600; - uint32_t x601; - fiat_secp384r1_uint1 x602; - uint32_t x603; - fiat_secp384r1_uint1 x604; - uint32_t x605; - fiat_secp384r1_uint1 x606; - uint32_t x607; - uint32_t x608; - uint32_t x609; - uint32_t x610; - uint32_t x611; - uint32_t x612; - uint32_t x613; - uint32_t x614; - uint32_t x615; - uint32_t x616; - uint32_t x617; - uint32_t x618; - uint32_t x619; - uint32_t x620; - uint32_t x621; - uint32_t x622; - uint32_t x623; - uint32_t x624; - uint32_t x625; - uint32_t x626; - uint32_t x627; - fiat_secp384r1_uint1 x628; - uint32_t x629; - fiat_secp384r1_uint1 x630; - uint32_t x631; - fiat_secp384r1_uint1 x632; - uint32_t x633; - fiat_secp384r1_uint1 x634; - uint32_t x635; - fiat_secp384r1_uint1 x636; - uint32_t x637; - fiat_secp384r1_uint1 x638; - uint32_t x639; - fiat_secp384r1_uint1 x640; - uint32_t x641; - fiat_secp384r1_uint1 x642; - uint32_t x643; - uint32_t x644; - fiat_secp384r1_uint1 x645; - uint32_t x646; - fiat_secp384r1_uint1 x647; - uint32_t x648; - fiat_secp384r1_uint1 x649; - uint32_t x650; - fiat_secp384r1_uint1 x651; - uint32_t x652; - fiat_secp384r1_uint1 x653; - uint32_t x654; - fiat_secp384r1_uint1 x655; - uint32_t x656; - fiat_secp384r1_uint1 x657; - uint32_t x658; - fiat_secp384r1_uint1 x659; - uint32_t x660; - fiat_secp384r1_uint1 x661; - uint32_t x662; - fiat_secp384r1_uint1 x663; - uint32_t x664; - fiat_secp384r1_uint1 x665; - uint32_t x666; - fiat_secp384r1_uint1 x667; - uint32_t x668; - fiat_secp384r1_uint1 x669; - uint32_t x670; - uint32_t x671; - uint32_t x672; - uint32_t x673; - uint32_t x674; - uint32_t x675; - uint32_t x676; - uint32_t x677; - uint32_t x678; - uint32_t x679; - uint32_t x680; - uint32_t x681; - uint32_t x682; - uint32_t x683; - uint32_t x684; - uint32_t x685; - uint32_t x686; - uint32_t x687; - uint32_t x688; - uint32_t x689; - uint32_t x690; - uint32_t x691; - uint32_t x692; - uint32_t x693; - uint32_t x694; - uint32_t x695; - fiat_secp384r1_uint1 x696; - uint32_t x697; - fiat_secp384r1_uint1 x698; - uint32_t x699; - fiat_secp384r1_uint1 x700; - uint32_t x701; - fiat_secp384r1_uint1 x702; - uint32_t x703; - fiat_secp384r1_uint1 x704; - uint32_t x705; - fiat_secp384r1_uint1 x706; - uint32_t x707; - fiat_secp384r1_uint1 x708; - uint32_t x709; - fiat_secp384r1_uint1 x710; - uint32_t x711; - fiat_secp384r1_uint1 x712; - uint32_t x713; - fiat_secp384r1_uint1 x714; - uint32_t x715; - fiat_secp384r1_uint1 x716; - uint32_t x717; - uint32_t x718; - fiat_secp384r1_uint1 x719; - uint32_t x720; - fiat_secp384r1_uint1 x721; - uint32_t x722; - fiat_secp384r1_uint1 x723; - uint32_t x724; - fiat_secp384r1_uint1 x725; - uint32_t x726; - fiat_secp384r1_uint1 x727; - uint32_t x728; - fiat_secp384r1_uint1 x729; - uint32_t x730; - fiat_secp384r1_uint1 x731; - uint32_t x732; - fiat_secp384r1_uint1 x733; - uint32_t x734; - fiat_secp384r1_uint1 x735; - uint32_t x736; - fiat_secp384r1_uint1 x737; - uint32_t x738; - fiat_secp384r1_uint1 x739; - uint32_t x740; - fiat_secp384r1_uint1 x741; - uint32_t x742; - fiat_secp384r1_uint1 x743; - uint32_t x744; - uint32_t x745; - uint32_t x746; - uint32_t x747; - uint32_t x748; - uint32_t x749; - uint32_t x750; - uint32_t x751; - uint32_t x752; - uint32_t x753; - uint32_t x754; - uint32_t x755; - uint32_t x756; - uint32_t x757; - uint32_t x758; - uint32_t x759; - uint32_t x760; - uint32_t x761; - uint32_t x762; - uint32_t x763; - uint32_t x764; - fiat_secp384r1_uint1 x765; - uint32_t x766; - fiat_secp384r1_uint1 x767; - uint32_t x768; - fiat_secp384r1_uint1 x769; - uint32_t x770; - fiat_secp384r1_uint1 x771; - uint32_t x772; - fiat_secp384r1_uint1 x773; - uint32_t x774; - fiat_secp384r1_uint1 x775; - uint32_t x776; - fiat_secp384r1_uint1 x777; - uint32_t x778; - fiat_secp384r1_uint1 x779; - uint32_t x780; - uint32_t x781; - fiat_secp384r1_uint1 x782; - uint32_t x783; - fiat_secp384r1_uint1 x784; - uint32_t x785; - fiat_secp384r1_uint1 x786; - uint32_t x787; - fiat_secp384r1_uint1 x788; - uint32_t x789; - fiat_secp384r1_uint1 x790; - uint32_t x791; - fiat_secp384r1_uint1 x792; - uint32_t x793; - fiat_secp384r1_uint1 x794; - uint32_t x795; - fiat_secp384r1_uint1 x796; - uint32_t x797; - fiat_secp384r1_uint1 x798; - uint32_t x799; - fiat_secp384r1_uint1 x800; - uint32_t x801; - fiat_secp384r1_uint1 x802; - uint32_t x803; - fiat_secp384r1_uint1 x804; - uint32_t x805; - fiat_secp384r1_uint1 x806; - uint32_t x807; - uint32_t x808; - uint32_t x809; - uint32_t x810; - uint32_t x811; - uint32_t x812; - uint32_t x813; - uint32_t x814; - uint32_t x815; - uint32_t x816; - uint32_t x817; - uint32_t x818; - uint32_t x819; - uint32_t x820; - uint32_t x821; - uint32_t x822; - uint32_t x823; - uint32_t x824; - uint32_t x825; - uint32_t x826; - uint32_t x827; - uint32_t x828; - uint32_t x829; - uint32_t x830; - uint32_t x831; - uint32_t x832; - fiat_secp384r1_uint1 x833; - uint32_t x834; - fiat_secp384r1_uint1 x835; - uint32_t x836; - fiat_secp384r1_uint1 x837; - uint32_t x838; - fiat_secp384r1_uint1 x839; - uint32_t x840; - fiat_secp384r1_uint1 x841; - uint32_t x842; - fiat_secp384r1_uint1 x843; - uint32_t x844; - fiat_secp384r1_uint1 x845; - uint32_t x846; - fiat_secp384r1_uint1 x847; - uint32_t x848; - fiat_secp384r1_uint1 x849; - uint32_t x850; - fiat_secp384r1_uint1 x851; - uint32_t x852; - fiat_secp384r1_uint1 x853; - uint32_t x854; - uint32_t x855; - fiat_secp384r1_uint1 x856; - uint32_t x857; - fiat_secp384r1_uint1 x858; - uint32_t x859; - fiat_secp384r1_uint1 x860; - uint32_t x861; - fiat_secp384r1_uint1 x862; - uint32_t x863; - fiat_secp384r1_uint1 x864; - uint32_t x865; - fiat_secp384r1_uint1 x866; - uint32_t x867; - fiat_secp384r1_uint1 x868; - uint32_t x869; - fiat_secp384r1_uint1 x870; - uint32_t x871; - fiat_secp384r1_uint1 x872; - uint32_t x873; - fiat_secp384r1_uint1 x874; - uint32_t x875; - fiat_secp384r1_uint1 x876; - uint32_t x877; - fiat_secp384r1_uint1 x878; - uint32_t x879; - fiat_secp384r1_uint1 x880; - uint32_t x881; - uint32_t x882; - uint32_t x883; - uint32_t x884; - uint32_t x885; - uint32_t x886; - uint32_t x887; - uint32_t x888; - uint32_t x889; - uint32_t x890; - uint32_t x891; - uint32_t x892; - uint32_t x893; - uint32_t x894; - uint32_t x895; - uint32_t x896; - uint32_t x897; - uint32_t x898; - uint32_t x899; - uint32_t x900; - uint32_t x901; - fiat_secp384r1_uint1 x902; - uint32_t x903; - fiat_secp384r1_uint1 x904; - uint32_t x905; - fiat_secp384r1_uint1 x906; - uint32_t x907; - fiat_secp384r1_uint1 x908; - uint32_t x909; - fiat_secp384r1_uint1 x910; - uint32_t x911; - fiat_secp384r1_uint1 x912; - uint32_t x913; - fiat_secp384r1_uint1 x914; - uint32_t x915; - fiat_secp384r1_uint1 x916; - uint32_t x917; - uint32_t x918; - fiat_secp384r1_uint1 x919; - uint32_t x920; - fiat_secp384r1_uint1 x921; - uint32_t x922; - fiat_secp384r1_uint1 x923; - uint32_t x924; - fiat_secp384r1_uint1 x925; - uint32_t x926; - fiat_secp384r1_uint1 x927; - uint32_t x928; - fiat_secp384r1_uint1 x929; - uint32_t x930; - fiat_secp384r1_uint1 x931; - uint32_t x932; - fiat_secp384r1_uint1 x933; - uint32_t x934; - fiat_secp384r1_uint1 x935; - uint32_t x936; - fiat_secp384r1_uint1 x937; - uint32_t x938; - fiat_secp384r1_uint1 x939; - uint32_t x940; - fiat_secp384r1_uint1 x941; - uint32_t x942; - fiat_secp384r1_uint1 x943; - uint32_t x944; - uint32_t x945; - uint32_t x946; - uint32_t x947; - uint32_t x948; - uint32_t x949; - uint32_t x950; - uint32_t x951; - uint32_t x952; - uint32_t x953; - uint32_t x954; - uint32_t x955; - uint32_t x956; - uint32_t x957; - uint32_t x958; - uint32_t x959; - uint32_t x960; - uint32_t x961; - uint32_t x962; - uint32_t x963; - uint32_t x964; - uint32_t x965; - uint32_t x966; - uint32_t x967; - uint32_t x968; - uint32_t x969; - fiat_secp384r1_uint1 x970; - uint32_t x971; - fiat_secp384r1_uint1 x972; - uint32_t x973; - fiat_secp384r1_uint1 x974; - uint32_t x975; - fiat_secp384r1_uint1 x976; - uint32_t x977; - fiat_secp384r1_uint1 x978; - uint32_t x979; - fiat_secp384r1_uint1 x980; - uint32_t x981; - fiat_secp384r1_uint1 x982; - uint32_t x983; - fiat_secp384r1_uint1 x984; - uint32_t x985; - fiat_secp384r1_uint1 x986; - uint32_t x987; - fiat_secp384r1_uint1 x988; - uint32_t x989; - fiat_secp384r1_uint1 x990; - uint32_t x991; - uint32_t x992; - fiat_secp384r1_uint1 x993; - uint32_t x994; - fiat_secp384r1_uint1 x995; - uint32_t x996; - fiat_secp384r1_uint1 x997; - uint32_t x998; - fiat_secp384r1_uint1 x999; - uint32_t x1000; - fiat_secp384r1_uint1 x1001; - uint32_t x1002; - fiat_secp384r1_uint1 x1003; - uint32_t x1004; - fiat_secp384r1_uint1 x1005; - uint32_t x1006; - fiat_secp384r1_uint1 x1007; - uint32_t x1008; - fiat_secp384r1_uint1 x1009; - uint32_t x1010; - fiat_secp384r1_uint1 x1011; - uint32_t x1012; - fiat_secp384r1_uint1 x1013; - uint32_t x1014; - fiat_secp384r1_uint1 x1015; - uint32_t x1016; - fiat_secp384r1_uint1 x1017; - uint32_t x1018; - uint32_t x1019; - uint32_t x1020; - uint32_t x1021; - uint32_t x1022; - uint32_t x1023; - uint32_t x1024; - uint32_t x1025; - uint32_t x1026; - uint32_t x1027; - uint32_t x1028; - uint32_t x1029; - uint32_t x1030; - uint32_t x1031; - uint32_t x1032; - uint32_t x1033; - uint32_t x1034; - uint32_t x1035; - uint32_t x1036; - uint32_t x1037; - uint32_t x1038; - fiat_secp384r1_uint1 x1039; - uint32_t x1040; - fiat_secp384r1_uint1 x1041; - uint32_t x1042; - fiat_secp384r1_uint1 x1043; - uint32_t x1044; - fiat_secp384r1_uint1 x1045; - uint32_t x1046; - fiat_secp384r1_uint1 x1047; - uint32_t x1048; - fiat_secp384r1_uint1 x1049; - uint32_t x1050; - fiat_secp384r1_uint1 x1051; - uint32_t x1052; - fiat_secp384r1_uint1 x1053; - uint32_t x1054; - uint32_t x1055; - fiat_secp384r1_uint1 x1056; - uint32_t x1057; - fiat_secp384r1_uint1 x1058; - uint32_t x1059; - fiat_secp384r1_uint1 x1060; - uint32_t x1061; - fiat_secp384r1_uint1 x1062; - uint32_t x1063; - fiat_secp384r1_uint1 x1064; - uint32_t x1065; - fiat_secp384r1_uint1 x1066; - uint32_t x1067; - fiat_secp384r1_uint1 x1068; - uint32_t x1069; - fiat_secp384r1_uint1 x1070; - uint32_t x1071; - fiat_secp384r1_uint1 x1072; - uint32_t x1073; - fiat_secp384r1_uint1 x1074; - uint32_t x1075; - fiat_secp384r1_uint1 x1076; - uint32_t x1077; - fiat_secp384r1_uint1 x1078; - uint32_t x1079; - fiat_secp384r1_uint1 x1080; - uint32_t x1081; - uint32_t x1082; - uint32_t x1083; - uint32_t x1084; - uint32_t x1085; - uint32_t x1086; - uint32_t x1087; - uint32_t x1088; - uint32_t x1089; - uint32_t x1090; - uint32_t x1091; - uint32_t x1092; - uint32_t x1093; - uint32_t x1094; - uint32_t x1095; - uint32_t x1096; - uint32_t x1097; - uint32_t x1098; - uint32_t x1099; - uint32_t x1100; - uint32_t x1101; - uint32_t x1102; - uint32_t x1103; - uint32_t x1104; - uint32_t x1105; - uint32_t x1106; - fiat_secp384r1_uint1 x1107; - uint32_t x1108; - fiat_secp384r1_uint1 x1109; - uint32_t x1110; - fiat_secp384r1_uint1 x1111; - uint32_t x1112; - fiat_secp384r1_uint1 x1113; - uint32_t x1114; - fiat_secp384r1_uint1 x1115; - uint32_t x1116; - fiat_secp384r1_uint1 x1117; - uint32_t x1118; - fiat_secp384r1_uint1 x1119; - uint32_t x1120; - fiat_secp384r1_uint1 x1121; - uint32_t x1122; - fiat_secp384r1_uint1 x1123; - uint32_t x1124; - fiat_secp384r1_uint1 x1125; - uint32_t x1126; - fiat_secp384r1_uint1 x1127; - uint32_t x1128; - uint32_t x1129; - fiat_secp384r1_uint1 x1130; - uint32_t x1131; - fiat_secp384r1_uint1 x1132; - uint32_t x1133; - fiat_secp384r1_uint1 x1134; - uint32_t x1135; - fiat_secp384r1_uint1 x1136; - uint32_t x1137; - fiat_secp384r1_uint1 x1138; - uint32_t x1139; - fiat_secp384r1_uint1 x1140; - uint32_t x1141; - fiat_secp384r1_uint1 x1142; - uint32_t x1143; - fiat_secp384r1_uint1 x1144; - uint32_t x1145; - fiat_secp384r1_uint1 x1146; - uint32_t x1147; - fiat_secp384r1_uint1 x1148; - uint32_t x1149; - fiat_secp384r1_uint1 x1150; - uint32_t x1151; - fiat_secp384r1_uint1 x1152; - uint32_t x1153; - fiat_secp384r1_uint1 x1154; - uint32_t x1155; - uint32_t x1156; - uint32_t x1157; - uint32_t x1158; - uint32_t x1159; - uint32_t x1160; - uint32_t x1161; - uint32_t x1162; - uint32_t x1163; - uint32_t x1164; - uint32_t x1165; - uint32_t x1166; - uint32_t x1167; - uint32_t x1168; - uint32_t x1169; - uint32_t x1170; - uint32_t x1171; - uint32_t x1172; - uint32_t x1173; - uint32_t x1174; - uint32_t x1175; - fiat_secp384r1_uint1 x1176; - uint32_t x1177; - fiat_secp384r1_uint1 x1178; - uint32_t x1179; - fiat_secp384r1_uint1 x1180; - uint32_t x1181; - fiat_secp384r1_uint1 x1182; - uint32_t x1183; - fiat_secp384r1_uint1 x1184; - uint32_t x1185; - fiat_secp384r1_uint1 x1186; - uint32_t x1187; - fiat_secp384r1_uint1 x1188; - uint32_t x1189; - fiat_secp384r1_uint1 x1190; - uint32_t x1191; - uint32_t x1192; - fiat_secp384r1_uint1 x1193; - uint32_t x1194; - fiat_secp384r1_uint1 x1195; - uint32_t x1196; - fiat_secp384r1_uint1 x1197; - uint32_t x1198; - fiat_secp384r1_uint1 x1199; - uint32_t x1200; - fiat_secp384r1_uint1 x1201; - uint32_t x1202; - fiat_secp384r1_uint1 x1203; - uint32_t x1204; - fiat_secp384r1_uint1 x1205; - uint32_t x1206; - fiat_secp384r1_uint1 x1207; - uint32_t x1208; - fiat_secp384r1_uint1 x1209; - uint32_t x1210; - fiat_secp384r1_uint1 x1211; - uint32_t x1212; - fiat_secp384r1_uint1 x1213; - uint32_t x1214; - fiat_secp384r1_uint1 x1215; - uint32_t x1216; - fiat_secp384r1_uint1 x1217; - uint32_t x1218; - uint32_t x1219; - uint32_t x1220; - uint32_t x1221; - uint32_t x1222; - uint32_t x1223; - uint32_t x1224; - uint32_t x1225; - uint32_t x1226; - uint32_t x1227; - uint32_t x1228; - uint32_t x1229; - uint32_t x1230; - uint32_t x1231; - uint32_t x1232; - uint32_t x1233; - uint32_t x1234; - uint32_t x1235; - uint32_t x1236; - uint32_t x1237; - uint32_t x1238; - uint32_t x1239; - uint32_t x1240; - uint32_t x1241; - uint32_t x1242; - uint32_t x1243; - fiat_secp384r1_uint1 x1244; - uint32_t x1245; - fiat_secp384r1_uint1 x1246; - uint32_t x1247; - fiat_secp384r1_uint1 x1248; - uint32_t x1249; - fiat_secp384r1_uint1 x1250; - uint32_t x1251; - fiat_secp384r1_uint1 x1252; - uint32_t x1253; - fiat_secp384r1_uint1 x1254; - uint32_t x1255; - fiat_secp384r1_uint1 x1256; - uint32_t x1257; - fiat_secp384r1_uint1 x1258; - uint32_t x1259; - fiat_secp384r1_uint1 x1260; - uint32_t x1261; - fiat_secp384r1_uint1 x1262; - uint32_t x1263; - fiat_secp384r1_uint1 x1264; - uint32_t x1265; - uint32_t x1266; - fiat_secp384r1_uint1 x1267; - uint32_t x1268; - fiat_secp384r1_uint1 x1269; - uint32_t x1270; - fiat_secp384r1_uint1 x1271; - uint32_t x1272; - fiat_secp384r1_uint1 x1273; - uint32_t x1274; - fiat_secp384r1_uint1 x1275; - uint32_t x1276; - fiat_secp384r1_uint1 x1277; - uint32_t x1278; - fiat_secp384r1_uint1 x1279; - uint32_t x1280; - fiat_secp384r1_uint1 x1281; - uint32_t x1282; - fiat_secp384r1_uint1 x1283; - uint32_t x1284; - fiat_secp384r1_uint1 x1285; - uint32_t x1286; - fiat_secp384r1_uint1 x1287; - uint32_t x1288; - fiat_secp384r1_uint1 x1289; - uint32_t x1290; - fiat_secp384r1_uint1 x1291; - uint32_t x1292; - uint32_t x1293; - uint32_t x1294; - uint32_t x1295; - uint32_t x1296; - uint32_t x1297; - uint32_t x1298; - uint32_t x1299; - uint32_t x1300; - uint32_t x1301; - uint32_t x1302; - uint32_t x1303; - uint32_t x1304; - uint32_t x1305; - uint32_t x1306; - uint32_t x1307; - uint32_t x1308; - uint32_t x1309; - uint32_t x1310; - uint32_t x1311; - uint32_t x1312; - fiat_secp384r1_uint1 x1313; - uint32_t x1314; - fiat_secp384r1_uint1 x1315; - uint32_t x1316; - fiat_secp384r1_uint1 x1317; - uint32_t x1318; - fiat_secp384r1_uint1 x1319; - uint32_t x1320; - fiat_secp384r1_uint1 x1321; - uint32_t x1322; - fiat_secp384r1_uint1 x1323; - uint32_t x1324; - fiat_secp384r1_uint1 x1325; - uint32_t x1326; - fiat_secp384r1_uint1 x1327; - uint32_t x1328; - uint32_t x1329; - fiat_secp384r1_uint1 x1330; - uint32_t x1331; - fiat_secp384r1_uint1 x1332; - uint32_t x1333; - fiat_secp384r1_uint1 x1334; - uint32_t x1335; - fiat_secp384r1_uint1 x1336; - uint32_t x1337; - fiat_secp384r1_uint1 x1338; - uint32_t x1339; - fiat_secp384r1_uint1 x1340; - uint32_t x1341; - fiat_secp384r1_uint1 x1342; - uint32_t x1343; - fiat_secp384r1_uint1 x1344; - uint32_t x1345; - fiat_secp384r1_uint1 x1346; - uint32_t x1347; - fiat_secp384r1_uint1 x1348; - uint32_t x1349; - fiat_secp384r1_uint1 x1350; - uint32_t x1351; - fiat_secp384r1_uint1 x1352; - uint32_t x1353; - fiat_secp384r1_uint1 x1354; - uint32_t x1355; - uint32_t x1356; - uint32_t x1357; - uint32_t x1358; - uint32_t x1359; - uint32_t x1360; - uint32_t x1361; - uint32_t x1362; - uint32_t x1363; - uint32_t x1364; - uint32_t x1365; - uint32_t x1366; - uint32_t x1367; - uint32_t x1368; - uint32_t x1369; - uint32_t x1370; - uint32_t x1371; - uint32_t x1372; - uint32_t x1373; - uint32_t x1374; - uint32_t x1375; - uint32_t x1376; - uint32_t x1377; - uint32_t x1378; - uint32_t x1379; - uint32_t x1380; - fiat_secp384r1_uint1 x1381; - uint32_t x1382; - fiat_secp384r1_uint1 x1383; - uint32_t x1384; - fiat_secp384r1_uint1 x1385; - uint32_t x1386; - fiat_secp384r1_uint1 x1387; - uint32_t x1388; - fiat_secp384r1_uint1 x1389; - uint32_t x1390; - fiat_secp384r1_uint1 x1391; - uint32_t x1392; - fiat_secp384r1_uint1 x1393; - uint32_t x1394; - fiat_secp384r1_uint1 x1395; - uint32_t x1396; - fiat_secp384r1_uint1 x1397; - uint32_t x1398; - fiat_secp384r1_uint1 x1399; - uint32_t x1400; - fiat_secp384r1_uint1 x1401; - uint32_t x1402; - uint32_t x1403; - fiat_secp384r1_uint1 x1404; - uint32_t x1405; - fiat_secp384r1_uint1 x1406; - uint32_t x1407; - fiat_secp384r1_uint1 x1408; - uint32_t x1409; - fiat_secp384r1_uint1 x1410; - uint32_t x1411; - fiat_secp384r1_uint1 x1412; - uint32_t x1413; - fiat_secp384r1_uint1 x1414; - uint32_t x1415; - fiat_secp384r1_uint1 x1416; - uint32_t x1417; - fiat_secp384r1_uint1 x1418; - uint32_t x1419; - fiat_secp384r1_uint1 x1420; - uint32_t x1421; - fiat_secp384r1_uint1 x1422; - uint32_t x1423; - fiat_secp384r1_uint1 x1424; - uint32_t x1425; - fiat_secp384r1_uint1 x1426; - uint32_t x1427; - fiat_secp384r1_uint1 x1428; - uint32_t x1429; - uint32_t x1430; - uint32_t x1431; - uint32_t x1432; - uint32_t x1433; - uint32_t x1434; - uint32_t x1435; - uint32_t x1436; - uint32_t x1437; - uint32_t x1438; - uint32_t x1439; - uint32_t x1440; - uint32_t x1441; - uint32_t x1442; - uint32_t x1443; - uint32_t x1444; - uint32_t x1445; - uint32_t x1446; - uint32_t x1447; - uint32_t x1448; - uint32_t x1449; - fiat_secp384r1_uint1 x1450; - uint32_t x1451; - fiat_secp384r1_uint1 x1452; - uint32_t x1453; - fiat_secp384r1_uint1 x1454; - uint32_t x1455; - fiat_secp384r1_uint1 x1456; - uint32_t x1457; - fiat_secp384r1_uint1 x1458; - uint32_t x1459; - fiat_secp384r1_uint1 x1460; - uint32_t x1461; - fiat_secp384r1_uint1 x1462; - uint32_t x1463; - fiat_secp384r1_uint1 x1464; - uint32_t x1465; - uint32_t x1466; - fiat_secp384r1_uint1 x1467; - uint32_t x1468; - fiat_secp384r1_uint1 x1469; - uint32_t x1470; - fiat_secp384r1_uint1 x1471; - uint32_t x1472; - fiat_secp384r1_uint1 x1473; - uint32_t x1474; - fiat_secp384r1_uint1 x1475; - uint32_t x1476; - fiat_secp384r1_uint1 x1477; - uint32_t x1478; - fiat_secp384r1_uint1 x1479; - uint32_t x1480; - fiat_secp384r1_uint1 x1481; - uint32_t x1482; - fiat_secp384r1_uint1 x1483; - uint32_t x1484; - fiat_secp384r1_uint1 x1485; - uint32_t x1486; - fiat_secp384r1_uint1 x1487; - uint32_t x1488; - fiat_secp384r1_uint1 x1489; - uint32_t x1490; - fiat_secp384r1_uint1 x1491; - uint32_t x1492; - uint32_t x1493; - uint32_t x1494; - uint32_t x1495; - uint32_t x1496; - uint32_t x1497; - uint32_t x1498; - uint32_t x1499; - uint32_t x1500; - uint32_t x1501; - uint32_t x1502; - uint32_t x1503; - uint32_t x1504; - uint32_t x1505; - uint32_t x1506; - uint32_t x1507; - uint32_t x1508; - uint32_t x1509; - uint32_t x1510; - uint32_t x1511; - uint32_t x1512; - uint32_t x1513; - uint32_t x1514; - uint32_t x1515; - uint32_t x1516; - uint32_t x1517; - fiat_secp384r1_uint1 x1518; - uint32_t x1519; - fiat_secp384r1_uint1 x1520; - uint32_t x1521; - fiat_secp384r1_uint1 x1522; - uint32_t x1523; - fiat_secp384r1_uint1 x1524; - uint32_t x1525; - fiat_secp384r1_uint1 x1526; - uint32_t x1527; - fiat_secp384r1_uint1 x1528; - uint32_t x1529; - fiat_secp384r1_uint1 x1530; - uint32_t x1531; - fiat_secp384r1_uint1 x1532; - uint32_t x1533; - fiat_secp384r1_uint1 x1534; - uint32_t x1535; - fiat_secp384r1_uint1 x1536; - uint32_t x1537; - fiat_secp384r1_uint1 x1538; - uint32_t x1539; - uint32_t x1540; - fiat_secp384r1_uint1 x1541; - uint32_t x1542; - fiat_secp384r1_uint1 x1543; - uint32_t x1544; - fiat_secp384r1_uint1 x1545; - uint32_t x1546; - fiat_secp384r1_uint1 x1547; - uint32_t x1548; - fiat_secp384r1_uint1 x1549; - uint32_t x1550; - fiat_secp384r1_uint1 x1551; - uint32_t x1552; - fiat_secp384r1_uint1 x1553; - uint32_t x1554; - fiat_secp384r1_uint1 x1555; - uint32_t x1556; - fiat_secp384r1_uint1 x1557; - uint32_t x1558; - fiat_secp384r1_uint1 x1559; - uint32_t x1560; - fiat_secp384r1_uint1 x1561; - uint32_t x1562; - fiat_secp384r1_uint1 x1563; - uint32_t x1564; - fiat_secp384r1_uint1 x1565; - uint32_t x1566; - uint32_t x1567; - uint32_t x1568; - uint32_t x1569; - uint32_t x1570; - uint32_t x1571; - uint32_t x1572; - uint32_t x1573; - uint32_t x1574; - uint32_t x1575; - uint32_t x1576; - uint32_t x1577; - uint32_t x1578; - uint32_t x1579; - uint32_t x1580; - uint32_t x1581; - uint32_t x1582; - uint32_t x1583; - uint32_t x1584; - uint32_t x1585; - uint32_t x1586; - fiat_secp384r1_uint1 x1587; - uint32_t x1588; - fiat_secp384r1_uint1 x1589; - uint32_t x1590; - fiat_secp384r1_uint1 x1591; - uint32_t x1592; - fiat_secp384r1_uint1 x1593; - uint32_t x1594; - fiat_secp384r1_uint1 x1595; - uint32_t x1596; - fiat_secp384r1_uint1 x1597; - uint32_t x1598; - fiat_secp384r1_uint1 x1599; - uint32_t x1600; - fiat_secp384r1_uint1 x1601; - uint32_t x1602; - uint32_t x1603; - fiat_secp384r1_uint1 x1604; - uint32_t x1605; - fiat_secp384r1_uint1 x1606; - uint32_t x1607; - fiat_secp384r1_uint1 x1608; - uint32_t x1609; - fiat_secp384r1_uint1 x1610; - uint32_t x1611; - fiat_secp384r1_uint1 x1612; - uint32_t x1613; - fiat_secp384r1_uint1 x1614; - uint32_t x1615; - fiat_secp384r1_uint1 x1616; - uint32_t x1617; - fiat_secp384r1_uint1 x1618; - uint32_t x1619; - fiat_secp384r1_uint1 x1620; - uint32_t x1621; - fiat_secp384r1_uint1 x1622; - uint32_t x1623; - fiat_secp384r1_uint1 x1624; - uint32_t x1625; - fiat_secp384r1_uint1 x1626; - uint32_t x1627; - fiat_secp384r1_uint1 x1628; - uint32_t x1629; - uint32_t x1630; - fiat_secp384r1_uint1 x1631; - uint32_t x1632; - fiat_secp384r1_uint1 x1633; - uint32_t x1634; - fiat_secp384r1_uint1 x1635; - uint32_t x1636; - fiat_secp384r1_uint1 x1637; - uint32_t x1638; - fiat_secp384r1_uint1 x1639; - uint32_t x1640; - fiat_secp384r1_uint1 x1641; - uint32_t x1642; - fiat_secp384r1_uint1 x1643; - uint32_t x1644; - fiat_secp384r1_uint1 x1645; - uint32_t x1646; - fiat_secp384r1_uint1 x1647; - uint32_t x1648; - fiat_secp384r1_uint1 x1649; - uint32_t x1650; - fiat_secp384r1_uint1 x1651; - uint32_t x1652; - fiat_secp384r1_uint1 x1653; - uint32_t x1654; - fiat_secp384r1_uint1 x1655; - uint32_t x1656; - uint32_t x1657; - uint32_t x1658; - uint32_t x1659; - uint32_t x1660; - uint32_t x1661; - uint32_t x1662; - uint32_t x1663; - uint32_t x1664; - uint32_t x1665; - uint32_t x1666; - uint32_t x1667; - x1 = (arg1[1]); - x2 = (arg1[2]); - x3 = (arg1[3]); - x4 = (arg1[4]); - x5 = (arg1[5]); - x6 = (arg1[6]); - x7 = (arg1[7]); - x8 = (arg1[8]); - x9 = (arg1[9]); - x10 = (arg1[10]); - x11 = (arg1[11]); - x12 = (arg1[0]); - fiat_secp384r1_mulx_u32(&x13, &x14, x12, (arg1[11])); - fiat_secp384r1_mulx_u32(&x15, &x16, x12, (arg1[10])); - fiat_secp384r1_mulx_u32(&x17, &x18, x12, (arg1[9])); - fiat_secp384r1_mulx_u32(&x19, &x20, x12, (arg1[8])); - fiat_secp384r1_mulx_u32(&x21, &x22, x12, (arg1[7])); - fiat_secp384r1_mulx_u32(&x23, &x24, x12, (arg1[6])); - fiat_secp384r1_mulx_u32(&x25, &x26, x12, (arg1[5])); - fiat_secp384r1_mulx_u32(&x27, &x28, x12, (arg1[4])); - fiat_secp384r1_mulx_u32(&x29, &x30, x12, (arg1[3])); - fiat_secp384r1_mulx_u32(&x31, &x32, x12, (arg1[2])); - fiat_secp384r1_mulx_u32(&x33, &x34, x12, (arg1[1])); - fiat_secp384r1_mulx_u32(&x35, &x36, x12, (arg1[0])); - fiat_secp384r1_addcarryx_u32(&x37, &x38, 0x0, x36, x33); - fiat_secp384r1_addcarryx_u32(&x39, &x40, x38, x34, x31); - fiat_secp384r1_addcarryx_u32(&x41, &x42, x40, x32, x29); - fiat_secp384r1_addcarryx_u32(&x43, &x44, x42, x30, x27); - fiat_secp384r1_addcarryx_u32(&x45, &x46, x44, x28, x25); - fiat_secp384r1_addcarryx_u32(&x47, &x48, x46, x26, x23); - fiat_secp384r1_addcarryx_u32(&x49, &x50, x48, x24, x21); - fiat_secp384r1_addcarryx_u32(&x51, &x52, x50, x22, x19); - fiat_secp384r1_addcarryx_u32(&x53, &x54, x52, x20, x17); - fiat_secp384r1_addcarryx_u32(&x55, &x56, x54, x18, x15); - fiat_secp384r1_addcarryx_u32(&x57, &x58, x56, x16, x13); - x59 = (x58 + x14); - fiat_secp384r1_mulx_u32(&x60, &x61, x35, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x62, &x63, x35, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x64, &x65, x35, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x66, &x67, x35, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x68, &x69, x35, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x70, &x71, x35, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x72, &x73, x35, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x74, &x75, x35, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x76, &x77, x35, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x78, &x79, x35, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u32(&x80, &x81, 0x0, x77, x74); - fiat_secp384r1_addcarryx_u32(&x82, &x83, x81, x75, x72); - fiat_secp384r1_addcarryx_u32(&x84, &x85, x83, x73, x70); - fiat_secp384r1_addcarryx_u32(&x86, &x87, x85, x71, x68); - fiat_secp384r1_addcarryx_u32(&x88, &x89, x87, x69, x66); - fiat_secp384r1_addcarryx_u32(&x90, &x91, x89, x67, x64); - fiat_secp384r1_addcarryx_u32(&x92, &x93, x91, x65, x62); - fiat_secp384r1_addcarryx_u32(&x94, &x95, x93, x63, x60); - x96 = (x95 + x61); - fiat_secp384r1_addcarryx_u32(&x97, &x98, 0x0, x35, x78); - fiat_secp384r1_addcarryx_u32(&x99, &x100, x98, x37, x79); - fiat_secp384r1_addcarryx_u32(&x101, &x102, x100, x39, 0x0); - fiat_secp384r1_addcarryx_u32(&x103, &x104, x102, x41, x76); - fiat_secp384r1_addcarryx_u32(&x105, &x106, x104, x43, x80); - fiat_secp384r1_addcarryx_u32(&x107, &x108, x106, x45, x82); - fiat_secp384r1_addcarryx_u32(&x109, &x110, x108, x47, x84); - fiat_secp384r1_addcarryx_u32(&x111, &x112, x110, x49, x86); - fiat_secp384r1_addcarryx_u32(&x113, &x114, x112, x51, x88); - fiat_secp384r1_addcarryx_u32(&x115, &x116, x114, x53, x90); - fiat_secp384r1_addcarryx_u32(&x117, &x118, x116, x55, x92); - fiat_secp384r1_addcarryx_u32(&x119, &x120, x118, x57, x94); - fiat_secp384r1_addcarryx_u32(&x121, &x122, x120, x59, x96); - fiat_secp384r1_mulx_u32(&x123, &x124, x1, (arg1[11])); - fiat_secp384r1_mulx_u32(&x125, &x126, x1, (arg1[10])); - fiat_secp384r1_mulx_u32(&x127, &x128, x1, (arg1[9])); - fiat_secp384r1_mulx_u32(&x129, &x130, x1, (arg1[8])); - fiat_secp384r1_mulx_u32(&x131, &x132, x1, (arg1[7])); - fiat_secp384r1_mulx_u32(&x133, &x134, x1, (arg1[6])); - fiat_secp384r1_mulx_u32(&x135, &x136, x1, (arg1[5])); - fiat_secp384r1_mulx_u32(&x137, &x138, x1, (arg1[4])); - fiat_secp384r1_mulx_u32(&x139, &x140, x1, (arg1[3])); - fiat_secp384r1_mulx_u32(&x141, &x142, x1, (arg1[2])); - fiat_secp384r1_mulx_u32(&x143, &x144, x1, (arg1[1])); - fiat_secp384r1_mulx_u32(&x145, &x146, x1, (arg1[0])); - fiat_secp384r1_addcarryx_u32(&x147, &x148, 0x0, x146, x143); - fiat_secp384r1_addcarryx_u32(&x149, &x150, x148, x144, x141); - fiat_secp384r1_addcarryx_u32(&x151, &x152, x150, x142, x139); - fiat_secp384r1_addcarryx_u32(&x153, &x154, x152, x140, x137); - fiat_secp384r1_addcarryx_u32(&x155, &x156, x154, x138, x135); - fiat_secp384r1_addcarryx_u32(&x157, &x158, x156, x136, x133); - fiat_secp384r1_addcarryx_u32(&x159, &x160, x158, x134, x131); - fiat_secp384r1_addcarryx_u32(&x161, &x162, x160, x132, x129); - fiat_secp384r1_addcarryx_u32(&x163, &x164, x162, x130, x127); - fiat_secp384r1_addcarryx_u32(&x165, &x166, x164, x128, x125); - fiat_secp384r1_addcarryx_u32(&x167, &x168, x166, x126, x123); - x169 = (x168 + x124); - fiat_secp384r1_addcarryx_u32(&x170, &x171, 0x0, x99, x145); - fiat_secp384r1_addcarryx_u32(&x172, &x173, x171, x101, x147); - fiat_secp384r1_addcarryx_u32(&x174, &x175, x173, x103, x149); - fiat_secp384r1_addcarryx_u32(&x176, &x177, x175, x105, x151); - fiat_secp384r1_addcarryx_u32(&x178, &x179, x177, x107, x153); - fiat_secp384r1_addcarryx_u32(&x180, &x181, x179, x109, x155); - fiat_secp384r1_addcarryx_u32(&x182, &x183, x181, x111, x157); - fiat_secp384r1_addcarryx_u32(&x184, &x185, x183, x113, x159); - fiat_secp384r1_addcarryx_u32(&x186, &x187, x185, x115, x161); - fiat_secp384r1_addcarryx_u32(&x188, &x189, x187, x117, x163); - fiat_secp384r1_addcarryx_u32(&x190, &x191, x189, x119, x165); - fiat_secp384r1_addcarryx_u32(&x192, &x193, x191, x121, x167); - fiat_secp384r1_addcarryx_u32(&x194, &x195, x193, x122, x169); - fiat_secp384r1_mulx_u32(&x196, &x197, x170, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x198, &x199, x170, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x200, &x201, x170, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x202, &x203, x170, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x204, &x205, x170, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x206, &x207, x170, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x208, &x209, x170, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x210, &x211, x170, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x212, &x213, x170, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x214, &x215, x170, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u32(&x216, &x217, 0x0, x213, x210); - fiat_secp384r1_addcarryx_u32(&x218, &x219, x217, x211, x208); - fiat_secp384r1_addcarryx_u32(&x220, &x221, x219, x209, x206); - fiat_secp384r1_addcarryx_u32(&x222, &x223, x221, x207, x204); - fiat_secp384r1_addcarryx_u32(&x224, &x225, x223, x205, x202); - fiat_secp384r1_addcarryx_u32(&x226, &x227, x225, x203, x200); - fiat_secp384r1_addcarryx_u32(&x228, &x229, x227, x201, x198); - fiat_secp384r1_addcarryx_u32(&x230, &x231, x229, x199, x196); - x232 = (x231 + x197); - fiat_secp384r1_addcarryx_u32(&x233, &x234, 0x0, x170, x214); - fiat_secp384r1_addcarryx_u32(&x235, &x236, x234, x172, x215); - fiat_secp384r1_addcarryx_u32(&x237, &x238, x236, x174, 0x0); - fiat_secp384r1_addcarryx_u32(&x239, &x240, x238, x176, x212); - fiat_secp384r1_addcarryx_u32(&x241, &x242, x240, x178, x216); - fiat_secp384r1_addcarryx_u32(&x243, &x244, x242, x180, x218); - fiat_secp384r1_addcarryx_u32(&x245, &x246, x244, x182, x220); - fiat_secp384r1_addcarryx_u32(&x247, &x248, x246, x184, x222); - fiat_secp384r1_addcarryx_u32(&x249, &x250, x248, x186, x224); - fiat_secp384r1_addcarryx_u32(&x251, &x252, x250, x188, x226); - fiat_secp384r1_addcarryx_u32(&x253, &x254, x252, x190, x228); - fiat_secp384r1_addcarryx_u32(&x255, &x256, x254, x192, x230); - fiat_secp384r1_addcarryx_u32(&x257, &x258, x256, x194, x232); - x259 = ((uint32_t)x258 + x195); - fiat_secp384r1_mulx_u32(&x260, &x261, x2, (arg1[11])); - fiat_secp384r1_mulx_u32(&x262, &x263, x2, (arg1[10])); - fiat_secp384r1_mulx_u32(&x264, &x265, x2, (arg1[9])); - fiat_secp384r1_mulx_u32(&x266, &x267, x2, (arg1[8])); - fiat_secp384r1_mulx_u32(&x268, &x269, x2, (arg1[7])); - fiat_secp384r1_mulx_u32(&x270, &x271, x2, (arg1[6])); - fiat_secp384r1_mulx_u32(&x272, &x273, x2, (arg1[5])); - fiat_secp384r1_mulx_u32(&x274, &x275, x2, (arg1[4])); - fiat_secp384r1_mulx_u32(&x276, &x277, x2, (arg1[3])); - fiat_secp384r1_mulx_u32(&x278, &x279, x2, (arg1[2])); - fiat_secp384r1_mulx_u32(&x280, &x281, x2, (arg1[1])); - fiat_secp384r1_mulx_u32(&x282, &x283, x2, (arg1[0])); - fiat_secp384r1_addcarryx_u32(&x284, &x285, 0x0, x283, x280); - fiat_secp384r1_addcarryx_u32(&x286, &x287, x285, x281, x278); - fiat_secp384r1_addcarryx_u32(&x288, &x289, x287, x279, x276); - fiat_secp384r1_addcarryx_u32(&x290, &x291, x289, x277, x274); - fiat_secp384r1_addcarryx_u32(&x292, &x293, x291, x275, x272); - fiat_secp384r1_addcarryx_u32(&x294, &x295, x293, x273, x270); - fiat_secp384r1_addcarryx_u32(&x296, &x297, x295, x271, x268); - fiat_secp384r1_addcarryx_u32(&x298, &x299, x297, x269, x266); - fiat_secp384r1_addcarryx_u32(&x300, &x301, x299, x267, x264); - fiat_secp384r1_addcarryx_u32(&x302, &x303, x301, x265, x262); - fiat_secp384r1_addcarryx_u32(&x304, &x305, x303, x263, x260); - x306 = (x305 + x261); - fiat_secp384r1_addcarryx_u32(&x307, &x308, 0x0, x235, x282); - fiat_secp384r1_addcarryx_u32(&x309, &x310, x308, x237, x284); - fiat_secp384r1_addcarryx_u32(&x311, &x312, x310, x239, x286); - fiat_secp384r1_addcarryx_u32(&x313, &x314, x312, x241, x288); - fiat_secp384r1_addcarryx_u32(&x315, &x316, x314, x243, x290); - fiat_secp384r1_addcarryx_u32(&x317, &x318, x316, x245, x292); - fiat_secp384r1_addcarryx_u32(&x319, &x320, x318, x247, x294); - fiat_secp384r1_addcarryx_u32(&x321, &x322, x320, x249, x296); - fiat_secp384r1_addcarryx_u32(&x323, &x324, x322, x251, x298); - fiat_secp384r1_addcarryx_u32(&x325, &x326, x324, x253, x300); - fiat_secp384r1_addcarryx_u32(&x327, &x328, x326, x255, x302); - fiat_secp384r1_addcarryx_u32(&x329, &x330, x328, x257, x304); - fiat_secp384r1_addcarryx_u32(&x331, &x332, x330, x259, x306); - fiat_secp384r1_mulx_u32(&x333, &x334, x307, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x335, &x336, x307, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x337, &x338, x307, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x339, &x340, x307, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x341, &x342, x307, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x343, &x344, x307, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x345, &x346, x307, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x347, &x348, x307, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x349, &x350, x307, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x351, &x352, x307, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u32(&x353, &x354, 0x0, x350, x347); - fiat_secp384r1_addcarryx_u32(&x355, &x356, x354, x348, x345); - fiat_secp384r1_addcarryx_u32(&x357, &x358, x356, x346, x343); - fiat_secp384r1_addcarryx_u32(&x359, &x360, x358, x344, x341); - fiat_secp384r1_addcarryx_u32(&x361, &x362, x360, x342, x339); - fiat_secp384r1_addcarryx_u32(&x363, &x364, x362, x340, x337); - fiat_secp384r1_addcarryx_u32(&x365, &x366, x364, x338, x335); - fiat_secp384r1_addcarryx_u32(&x367, &x368, x366, x336, x333); - x369 = (x368 + x334); - fiat_secp384r1_addcarryx_u32(&x370, &x371, 0x0, x307, x351); - fiat_secp384r1_addcarryx_u32(&x372, &x373, x371, x309, x352); - fiat_secp384r1_addcarryx_u32(&x374, &x375, x373, x311, 0x0); - fiat_secp384r1_addcarryx_u32(&x376, &x377, x375, x313, x349); - fiat_secp384r1_addcarryx_u32(&x378, &x379, x377, x315, x353); - fiat_secp384r1_addcarryx_u32(&x380, &x381, x379, x317, x355); - fiat_secp384r1_addcarryx_u32(&x382, &x383, x381, x319, x357); - fiat_secp384r1_addcarryx_u32(&x384, &x385, x383, x321, x359); - fiat_secp384r1_addcarryx_u32(&x386, &x387, x385, x323, x361); - fiat_secp384r1_addcarryx_u32(&x388, &x389, x387, x325, x363); - fiat_secp384r1_addcarryx_u32(&x390, &x391, x389, x327, x365); - fiat_secp384r1_addcarryx_u32(&x392, &x393, x391, x329, x367); - fiat_secp384r1_addcarryx_u32(&x394, &x395, x393, x331, x369); - x396 = ((uint32_t)x395 + x332); - fiat_secp384r1_mulx_u32(&x397, &x398, x3, (arg1[11])); - fiat_secp384r1_mulx_u32(&x399, &x400, x3, (arg1[10])); - fiat_secp384r1_mulx_u32(&x401, &x402, x3, (arg1[9])); - fiat_secp384r1_mulx_u32(&x403, &x404, x3, (arg1[8])); - fiat_secp384r1_mulx_u32(&x405, &x406, x3, (arg1[7])); - fiat_secp384r1_mulx_u32(&x407, &x408, x3, (arg1[6])); - fiat_secp384r1_mulx_u32(&x409, &x410, x3, (arg1[5])); - fiat_secp384r1_mulx_u32(&x411, &x412, x3, (arg1[4])); - fiat_secp384r1_mulx_u32(&x413, &x414, x3, (arg1[3])); - fiat_secp384r1_mulx_u32(&x415, &x416, x3, (arg1[2])); - fiat_secp384r1_mulx_u32(&x417, &x418, x3, (arg1[1])); - fiat_secp384r1_mulx_u32(&x419, &x420, x3, (arg1[0])); - fiat_secp384r1_addcarryx_u32(&x421, &x422, 0x0, x420, x417); - fiat_secp384r1_addcarryx_u32(&x423, &x424, x422, x418, x415); - fiat_secp384r1_addcarryx_u32(&x425, &x426, x424, x416, x413); - fiat_secp384r1_addcarryx_u32(&x427, &x428, x426, x414, x411); - fiat_secp384r1_addcarryx_u32(&x429, &x430, x428, x412, x409); - fiat_secp384r1_addcarryx_u32(&x431, &x432, x430, x410, x407); - fiat_secp384r1_addcarryx_u32(&x433, &x434, x432, x408, x405); - fiat_secp384r1_addcarryx_u32(&x435, &x436, x434, x406, x403); - fiat_secp384r1_addcarryx_u32(&x437, &x438, x436, x404, x401); - fiat_secp384r1_addcarryx_u32(&x439, &x440, x438, x402, x399); - fiat_secp384r1_addcarryx_u32(&x441, &x442, x440, x400, x397); - x443 = (x442 + x398); - fiat_secp384r1_addcarryx_u32(&x444, &x445, 0x0, x372, x419); - fiat_secp384r1_addcarryx_u32(&x446, &x447, x445, x374, x421); - fiat_secp384r1_addcarryx_u32(&x448, &x449, x447, x376, x423); - fiat_secp384r1_addcarryx_u32(&x450, &x451, x449, x378, x425); - fiat_secp384r1_addcarryx_u32(&x452, &x453, x451, x380, x427); - fiat_secp384r1_addcarryx_u32(&x454, &x455, x453, x382, x429); - fiat_secp384r1_addcarryx_u32(&x456, &x457, x455, x384, x431); - fiat_secp384r1_addcarryx_u32(&x458, &x459, x457, x386, x433); - fiat_secp384r1_addcarryx_u32(&x460, &x461, x459, x388, x435); - fiat_secp384r1_addcarryx_u32(&x462, &x463, x461, x390, x437); - fiat_secp384r1_addcarryx_u32(&x464, &x465, x463, x392, x439); - fiat_secp384r1_addcarryx_u32(&x466, &x467, x465, x394, x441); - fiat_secp384r1_addcarryx_u32(&x468, &x469, x467, x396, x443); - fiat_secp384r1_mulx_u32(&x470, &x471, x444, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x472, &x473, x444, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x474, &x475, x444, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x476, &x477, x444, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x478, &x479, x444, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x480, &x481, x444, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x482, &x483, x444, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x484, &x485, x444, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x486, &x487, x444, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x488, &x489, x444, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u32(&x490, &x491, 0x0, x487, x484); - fiat_secp384r1_addcarryx_u32(&x492, &x493, x491, x485, x482); - fiat_secp384r1_addcarryx_u32(&x494, &x495, x493, x483, x480); - fiat_secp384r1_addcarryx_u32(&x496, &x497, x495, x481, x478); - fiat_secp384r1_addcarryx_u32(&x498, &x499, x497, x479, x476); - fiat_secp384r1_addcarryx_u32(&x500, &x501, x499, x477, x474); - fiat_secp384r1_addcarryx_u32(&x502, &x503, x501, x475, x472); - fiat_secp384r1_addcarryx_u32(&x504, &x505, x503, x473, x470); - x506 = (x505 + x471); - fiat_secp384r1_addcarryx_u32(&x507, &x508, 0x0, x444, x488); - fiat_secp384r1_addcarryx_u32(&x509, &x510, x508, x446, x489); - fiat_secp384r1_addcarryx_u32(&x511, &x512, x510, x448, 0x0); - fiat_secp384r1_addcarryx_u32(&x513, &x514, x512, x450, x486); - fiat_secp384r1_addcarryx_u32(&x515, &x516, x514, x452, x490); - fiat_secp384r1_addcarryx_u32(&x517, &x518, x516, x454, x492); - fiat_secp384r1_addcarryx_u32(&x519, &x520, x518, x456, x494); - fiat_secp384r1_addcarryx_u32(&x521, &x522, x520, x458, x496); - fiat_secp384r1_addcarryx_u32(&x523, &x524, x522, x460, x498); - fiat_secp384r1_addcarryx_u32(&x525, &x526, x524, x462, x500); - fiat_secp384r1_addcarryx_u32(&x527, &x528, x526, x464, x502); - fiat_secp384r1_addcarryx_u32(&x529, &x530, x528, x466, x504); - fiat_secp384r1_addcarryx_u32(&x531, &x532, x530, x468, x506); - x533 = ((uint32_t)x532 + x469); - fiat_secp384r1_mulx_u32(&x534, &x535, x4, (arg1[11])); - fiat_secp384r1_mulx_u32(&x536, &x537, x4, (arg1[10])); - fiat_secp384r1_mulx_u32(&x538, &x539, x4, (arg1[9])); - fiat_secp384r1_mulx_u32(&x540, &x541, x4, (arg1[8])); - fiat_secp384r1_mulx_u32(&x542, &x543, x4, (arg1[7])); - fiat_secp384r1_mulx_u32(&x544, &x545, x4, (arg1[6])); - fiat_secp384r1_mulx_u32(&x546, &x547, x4, (arg1[5])); - fiat_secp384r1_mulx_u32(&x548, &x549, x4, (arg1[4])); - fiat_secp384r1_mulx_u32(&x550, &x551, x4, (arg1[3])); - fiat_secp384r1_mulx_u32(&x552, &x553, x4, (arg1[2])); - fiat_secp384r1_mulx_u32(&x554, &x555, x4, (arg1[1])); - fiat_secp384r1_mulx_u32(&x556, &x557, x4, (arg1[0])); - fiat_secp384r1_addcarryx_u32(&x558, &x559, 0x0, x557, x554); - fiat_secp384r1_addcarryx_u32(&x560, &x561, x559, x555, x552); - fiat_secp384r1_addcarryx_u32(&x562, &x563, x561, x553, x550); - fiat_secp384r1_addcarryx_u32(&x564, &x565, x563, x551, x548); - fiat_secp384r1_addcarryx_u32(&x566, &x567, x565, x549, x546); - fiat_secp384r1_addcarryx_u32(&x568, &x569, x567, x547, x544); - fiat_secp384r1_addcarryx_u32(&x570, &x571, x569, x545, x542); - fiat_secp384r1_addcarryx_u32(&x572, &x573, x571, x543, x540); - fiat_secp384r1_addcarryx_u32(&x574, &x575, x573, x541, x538); - fiat_secp384r1_addcarryx_u32(&x576, &x577, x575, x539, x536); - fiat_secp384r1_addcarryx_u32(&x578, &x579, x577, x537, x534); - x580 = (x579 + x535); - fiat_secp384r1_addcarryx_u32(&x581, &x582, 0x0, x509, x556); - fiat_secp384r1_addcarryx_u32(&x583, &x584, x582, x511, x558); - fiat_secp384r1_addcarryx_u32(&x585, &x586, x584, x513, x560); - fiat_secp384r1_addcarryx_u32(&x587, &x588, x586, x515, x562); - fiat_secp384r1_addcarryx_u32(&x589, &x590, x588, x517, x564); - fiat_secp384r1_addcarryx_u32(&x591, &x592, x590, x519, x566); - fiat_secp384r1_addcarryx_u32(&x593, &x594, x592, x521, x568); - fiat_secp384r1_addcarryx_u32(&x595, &x596, x594, x523, x570); - fiat_secp384r1_addcarryx_u32(&x597, &x598, x596, x525, x572); - fiat_secp384r1_addcarryx_u32(&x599, &x600, x598, x527, x574); - fiat_secp384r1_addcarryx_u32(&x601, &x602, x600, x529, x576); - fiat_secp384r1_addcarryx_u32(&x603, &x604, x602, x531, x578); - fiat_secp384r1_addcarryx_u32(&x605, &x606, x604, x533, x580); - fiat_secp384r1_mulx_u32(&x607, &x608, x581, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x609, &x610, x581, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x611, &x612, x581, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x613, &x614, x581, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x615, &x616, x581, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x617, &x618, x581, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x619, &x620, x581, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x621, &x622, x581, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x623, &x624, x581, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x625, &x626, x581, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u32(&x627, &x628, 0x0, x624, x621); - fiat_secp384r1_addcarryx_u32(&x629, &x630, x628, x622, x619); - fiat_secp384r1_addcarryx_u32(&x631, &x632, x630, x620, x617); - fiat_secp384r1_addcarryx_u32(&x633, &x634, x632, x618, x615); - fiat_secp384r1_addcarryx_u32(&x635, &x636, x634, x616, x613); - fiat_secp384r1_addcarryx_u32(&x637, &x638, x636, x614, x611); - fiat_secp384r1_addcarryx_u32(&x639, &x640, x638, x612, x609); - fiat_secp384r1_addcarryx_u32(&x641, &x642, x640, x610, x607); - x643 = (x642 + x608); - fiat_secp384r1_addcarryx_u32(&x644, &x645, 0x0, x581, x625); - fiat_secp384r1_addcarryx_u32(&x646, &x647, x645, x583, x626); - fiat_secp384r1_addcarryx_u32(&x648, &x649, x647, x585, 0x0); - fiat_secp384r1_addcarryx_u32(&x650, &x651, x649, x587, x623); - fiat_secp384r1_addcarryx_u32(&x652, &x653, x651, x589, x627); - fiat_secp384r1_addcarryx_u32(&x654, &x655, x653, x591, x629); - fiat_secp384r1_addcarryx_u32(&x656, &x657, x655, x593, x631); - fiat_secp384r1_addcarryx_u32(&x658, &x659, x657, x595, x633); - fiat_secp384r1_addcarryx_u32(&x660, &x661, x659, x597, x635); - fiat_secp384r1_addcarryx_u32(&x662, &x663, x661, x599, x637); - fiat_secp384r1_addcarryx_u32(&x664, &x665, x663, x601, x639); - fiat_secp384r1_addcarryx_u32(&x666, &x667, x665, x603, x641); - fiat_secp384r1_addcarryx_u32(&x668, &x669, x667, x605, x643); - x670 = ((uint32_t)x669 + x606); - fiat_secp384r1_mulx_u32(&x671, &x672, x5, (arg1[11])); - fiat_secp384r1_mulx_u32(&x673, &x674, x5, (arg1[10])); - fiat_secp384r1_mulx_u32(&x675, &x676, x5, (arg1[9])); - fiat_secp384r1_mulx_u32(&x677, &x678, x5, (arg1[8])); - fiat_secp384r1_mulx_u32(&x679, &x680, x5, (arg1[7])); - fiat_secp384r1_mulx_u32(&x681, &x682, x5, (arg1[6])); - fiat_secp384r1_mulx_u32(&x683, &x684, x5, (arg1[5])); - fiat_secp384r1_mulx_u32(&x685, &x686, x5, (arg1[4])); - fiat_secp384r1_mulx_u32(&x687, &x688, x5, (arg1[3])); - fiat_secp384r1_mulx_u32(&x689, &x690, x5, (arg1[2])); - fiat_secp384r1_mulx_u32(&x691, &x692, x5, (arg1[1])); - fiat_secp384r1_mulx_u32(&x693, &x694, x5, (arg1[0])); - fiat_secp384r1_addcarryx_u32(&x695, &x696, 0x0, x694, x691); - fiat_secp384r1_addcarryx_u32(&x697, &x698, x696, x692, x689); - fiat_secp384r1_addcarryx_u32(&x699, &x700, x698, x690, x687); - fiat_secp384r1_addcarryx_u32(&x701, &x702, x700, x688, x685); - fiat_secp384r1_addcarryx_u32(&x703, &x704, x702, x686, x683); - fiat_secp384r1_addcarryx_u32(&x705, &x706, x704, x684, x681); - fiat_secp384r1_addcarryx_u32(&x707, &x708, x706, x682, x679); - fiat_secp384r1_addcarryx_u32(&x709, &x710, x708, x680, x677); - fiat_secp384r1_addcarryx_u32(&x711, &x712, x710, x678, x675); - fiat_secp384r1_addcarryx_u32(&x713, &x714, x712, x676, x673); - fiat_secp384r1_addcarryx_u32(&x715, &x716, x714, x674, x671); - x717 = (x716 + x672); - fiat_secp384r1_addcarryx_u32(&x718, &x719, 0x0, x646, x693); - fiat_secp384r1_addcarryx_u32(&x720, &x721, x719, x648, x695); - fiat_secp384r1_addcarryx_u32(&x722, &x723, x721, x650, x697); - fiat_secp384r1_addcarryx_u32(&x724, &x725, x723, x652, x699); - fiat_secp384r1_addcarryx_u32(&x726, &x727, x725, x654, x701); - fiat_secp384r1_addcarryx_u32(&x728, &x729, x727, x656, x703); - fiat_secp384r1_addcarryx_u32(&x730, &x731, x729, x658, x705); - fiat_secp384r1_addcarryx_u32(&x732, &x733, x731, x660, x707); - fiat_secp384r1_addcarryx_u32(&x734, &x735, x733, x662, x709); - fiat_secp384r1_addcarryx_u32(&x736, &x737, x735, x664, x711); - fiat_secp384r1_addcarryx_u32(&x738, &x739, x737, x666, x713); - fiat_secp384r1_addcarryx_u32(&x740, &x741, x739, x668, x715); - fiat_secp384r1_addcarryx_u32(&x742, &x743, x741, x670, x717); - fiat_secp384r1_mulx_u32(&x744, &x745, x718, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x746, &x747, x718, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x748, &x749, x718, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x750, &x751, x718, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x752, &x753, x718, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x754, &x755, x718, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x756, &x757, x718, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x758, &x759, x718, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x760, &x761, x718, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x762, &x763, x718, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u32(&x764, &x765, 0x0, x761, x758); - fiat_secp384r1_addcarryx_u32(&x766, &x767, x765, x759, x756); - fiat_secp384r1_addcarryx_u32(&x768, &x769, x767, x757, x754); - fiat_secp384r1_addcarryx_u32(&x770, &x771, x769, x755, x752); - fiat_secp384r1_addcarryx_u32(&x772, &x773, x771, x753, x750); - fiat_secp384r1_addcarryx_u32(&x774, &x775, x773, x751, x748); - fiat_secp384r1_addcarryx_u32(&x776, &x777, x775, x749, x746); - fiat_secp384r1_addcarryx_u32(&x778, &x779, x777, x747, x744); - x780 = (x779 + x745); - fiat_secp384r1_addcarryx_u32(&x781, &x782, 0x0, x718, x762); - fiat_secp384r1_addcarryx_u32(&x783, &x784, x782, x720, x763); - fiat_secp384r1_addcarryx_u32(&x785, &x786, x784, x722, 0x0); - fiat_secp384r1_addcarryx_u32(&x787, &x788, x786, x724, x760); - fiat_secp384r1_addcarryx_u32(&x789, &x790, x788, x726, x764); - fiat_secp384r1_addcarryx_u32(&x791, &x792, x790, x728, x766); - fiat_secp384r1_addcarryx_u32(&x793, &x794, x792, x730, x768); - fiat_secp384r1_addcarryx_u32(&x795, &x796, x794, x732, x770); - fiat_secp384r1_addcarryx_u32(&x797, &x798, x796, x734, x772); - fiat_secp384r1_addcarryx_u32(&x799, &x800, x798, x736, x774); - fiat_secp384r1_addcarryx_u32(&x801, &x802, x800, x738, x776); - fiat_secp384r1_addcarryx_u32(&x803, &x804, x802, x740, x778); - fiat_secp384r1_addcarryx_u32(&x805, &x806, x804, x742, x780); - x807 = ((uint32_t)x806 + x743); - fiat_secp384r1_mulx_u32(&x808, &x809, x6, (arg1[11])); - fiat_secp384r1_mulx_u32(&x810, &x811, x6, (arg1[10])); - fiat_secp384r1_mulx_u32(&x812, &x813, x6, (arg1[9])); - fiat_secp384r1_mulx_u32(&x814, &x815, x6, (arg1[8])); - fiat_secp384r1_mulx_u32(&x816, &x817, x6, (arg1[7])); - fiat_secp384r1_mulx_u32(&x818, &x819, x6, (arg1[6])); - fiat_secp384r1_mulx_u32(&x820, &x821, x6, (arg1[5])); - fiat_secp384r1_mulx_u32(&x822, &x823, x6, (arg1[4])); - fiat_secp384r1_mulx_u32(&x824, &x825, x6, (arg1[3])); - fiat_secp384r1_mulx_u32(&x826, &x827, x6, (arg1[2])); - fiat_secp384r1_mulx_u32(&x828, &x829, x6, (arg1[1])); - fiat_secp384r1_mulx_u32(&x830, &x831, x6, (arg1[0])); - fiat_secp384r1_addcarryx_u32(&x832, &x833, 0x0, x831, x828); - fiat_secp384r1_addcarryx_u32(&x834, &x835, x833, x829, x826); - fiat_secp384r1_addcarryx_u32(&x836, &x837, x835, x827, x824); - fiat_secp384r1_addcarryx_u32(&x838, &x839, x837, x825, x822); - fiat_secp384r1_addcarryx_u32(&x840, &x841, x839, x823, x820); - fiat_secp384r1_addcarryx_u32(&x842, &x843, x841, x821, x818); - fiat_secp384r1_addcarryx_u32(&x844, &x845, x843, x819, x816); - fiat_secp384r1_addcarryx_u32(&x846, &x847, x845, x817, x814); - fiat_secp384r1_addcarryx_u32(&x848, &x849, x847, x815, x812); - fiat_secp384r1_addcarryx_u32(&x850, &x851, x849, x813, x810); - fiat_secp384r1_addcarryx_u32(&x852, &x853, x851, x811, x808); - x854 = (x853 + x809); - fiat_secp384r1_addcarryx_u32(&x855, &x856, 0x0, x783, x830); - fiat_secp384r1_addcarryx_u32(&x857, &x858, x856, x785, x832); - fiat_secp384r1_addcarryx_u32(&x859, &x860, x858, x787, x834); - fiat_secp384r1_addcarryx_u32(&x861, &x862, x860, x789, x836); - fiat_secp384r1_addcarryx_u32(&x863, &x864, x862, x791, x838); - fiat_secp384r1_addcarryx_u32(&x865, &x866, x864, x793, x840); - fiat_secp384r1_addcarryx_u32(&x867, &x868, x866, x795, x842); - fiat_secp384r1_addcarryx_u32(&x869, &x870, x868, x797, x844); - fiat_secp384r1_addcarryx_u32(&x871, &x872, x870, x799, x846); - fiat_secp384r1_addcarryx_u32(&x873, &x874, x872, x801, x848); - fiat_secp384r1_addcarryx_u32(&x875, &x876, x874, x803, x850); - fiat_secp384r1_addcarryx_u32(&x877, &x878, x876, x805, x852); - fiat_secp384r1_addcarryx_u32(&x879, &x880, x878, x807, x854); - fiat_secp384r1_mulx_u32(&x881, &x882, x855, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x883, &x884, x855, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x885, &x886, x855, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x887, &x888, x855, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x889, &x890, x855, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x891, &x892, x855, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x893, &x894, x855, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x895, &x896, x855, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x897, &x898, x855, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x899, &x900, x855, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u32(&x901, &x902, 0x0, x898, x895); - fiat_secp384r1_addcarryx_u32(&x903, &x904, x902, x896, x893); - fiat_secp384r1_addcarryx_u32(&x905, &x906, x904, x894, x891); - fiat_secp384r1_addcarryx_u32(&x907, &x908, x906, x892, x889); - fiat_secp384r1_addcarryx_u32(&x909, &x910, x908, x890, x887); - fiat_secp384r1_addcarryx_u32(&x911, &x912, x910, x888, x885); - fiat_secp384r1_addcarryx_u32(&x913, &x914, x912, x886, x883); - fiat_secp384r1_addcarryx_u32(&x915, &x916, x914, x884, x881); - x917 = (x916 + x882); - fiat_secp384r1_addcarryx_u32(&x918, &x919, 0x0, x855, x899); - fiat_secp384r1_addcarryx_u32(&x920, &x921, x919, x857, x900); - fiat_secp384r1_addcarryx_u32(&x922, &x923, x921, x859, 0x0); - fiat_secp384r1_addcarryx_u32(&x924, &x925, x923, x861, x897); - fiat_secp384r1_addcarryx_u32(&x926, &x927, x925, x863, x901); - fiat_secp384r1_addcarryx_u32(&x928, &x929, x927, x865, x903); - fiat_secp384r1_addcarryx_u32(&x930, &x931, x929, x867, x905); - fiat_secp384r1_addcarryx_u32(&x932, &x933, x931, x869, x907); - fiat_secp384r1_addcarryx_u32(&x934, &x935, x933, x871, x909); - fiat_secp384r1_addcarryx_u32(&x936, &x937, x935, x873, x911); - fiat_secp384r1_addcarryx_u32(&x938, &x939, x937, x875, x913); - fiat_secp384r1_addcarryx_u32(&x940, &x941, x939, x877, x915); - fiat_secp384r1_addcarryx_u32(&x942, &x943, x941, x879, x917); - x944 = ((uint32_t)x943 + x880); - fiat_secp384r1_mulx_u32(&x945, &x946, x7, (arg1[11])); - fiat_secp384r1_mulx_u32(&x947, &x948, x7, (arg1[10])); - fiat_secp384r1_mulx_u32(&x949, &x950, x7, (arg1[9])); - fiat_secp384r1_mulx_u32(&x951, &x952, x7, (arg1[8])); - fiat_secp384r1_mulx_u32(&x953, &x954, x7, (arg1[7])); - fiat_secp384r1_mulx_u32(&x955, &x956, x7, (arg1[6])); - fiat_secp384r1_mulx_u32(&x957, &x958, x7, (arg1[5])); - fiat_secp384r1_mulx_u32(&x959, &x960, x7, (arg1[4])); - fiat_secp384r1_mulx_u32(&x961, &x962, x7, (arg1[3])); - fiat_secp384r1_mulx_u32(&x963, &x964, x7, (arg1[2])); - fiat_secp384r1_mulx_u32(&x965, &x966, x7, (arg1[1])); - fiat_secp384r1_mulx_u32(&x967, &x968, x7, (arg1[0])); - fiat_secp384r1_addcarryx_u32(&x969, &x970, 0x0, x968, x965); - fiat_secp384r1_addcarryx_u32(&x971, &x972, x970, x966, x963); - fiat_secp384r1_addcarryx_u32(&x973, &x974, x972, x964, x961); - fiat_secp384r1_addcarryx_u32(&x975, &x976, x974, x962, x959); - fiat_secp384r1_addcarryx_u32(&x977, &x978, x976, x960, x957); - fiat_secp384r1_addcarryx_u32(&x979, &x980, x978, x958, x955); - fiat_secp384r1_addcarryx_u32(&x981, &x982, x980, x956, x953); - fiat_secp384r1_addcarryx_u32(&x983, &x984, x982, x954, x951); - fiat_secp384r1_addcarryx_u32(&x985, &x986, x984, x952, x949); - fiat_secp384r1_addcarryx_u32(&x987, &x988, x986, x950, x947); - fiat_secp384r1_addcarryx_u32(&x989, &x990, x988, x948, x945); - x991 = (x990 + x946); - fiat_secp384r1_addcarryx_u32(&x992, &x993, 0x0, x920, x967); - fiat_secp384r1_addcarryx_u32(&x994, &x995, x993, x922, x969); - fiat_secp384r1_addcarryx_u32(&x996, &x997, x995, x924, x971); - fiat_secp384r1_addcarryx_u32(&x998, &x999, x997, x926, x973); - fiat_secp384r1_addcarryx_u32(&x1000, &x1001, x999, x928, x975); - fiat_secp384r1_addcarryx_u32(&x1002, &x1003, x1001, x930, x977); - fiat_secp384r1_addcarryx_u32(&x1004, &x1005, x1003, x932, x979); - fiat_secp384r1_addcarryx_u32(&x1006, &x1007, x1005, x934, x981); - fiat_secp384r1_addcarryx_u32(&x1008, &x1009, x1007, x936, x983); - fiat_secp384r1_addcarryx_u32(&x1010, &x1011, x1009, x938, x985); - fiat_secp384r1_addcarryx_u32(&x1012, &x1013, x1011, x940, x987); - fiat_secp384r1_addcarryx_u32(&x1014, &x1015, x1013, x942, x989); - fiat_secp384r1_addcarryx_u32(&x1016, &x1017, x1015, x944, x991); - fiat_secp384r1_mulx_u32(&x1018, &x1019, x992, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1020, &x1021, x992, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1022, &x1023, x992, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1024, &x1025, x992, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1026, &x1027, x992, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1028, &x1029, x992, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1030, &x1031, x992, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1032, &x1033, x992, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x1034, &x1035, x992, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1036, &x1037, x992, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u32(&x1038, &x1039, 0x0, x1035, x1032); - fiat_secp384r1_addcarryx_u32(&x1040, &x1041, x1039, x1033, x1030); - fiat_secp384r1_addcarryx_u32(&x1042, &x1043, x1041, x1031, x1028); - fiat_secp384r1_addcarryx_u32(&x1044, &x1045, x1043, x1029, x1026); - fiat_secp384r1_addcarryx_u32(&x1046, &x1047, x1045, x1027, x1024); - fiat_secp384r1_addcarryx_u32(&x1048, &x1049, x1047, x1025, x1022); - fiat_secp384r1_addcarryx_u32(&x1050, &x1051, x1049, x1023, x1020); - fiat_secp384r1_addcarryx_u32(&x1052, &x1053, x1051, x1021, x1018); - x1054 = (x1053 + x1019); - fiat_secp384r1_addcarryx_u32(&x1055, &x1056, 0x0, x992, x1036); - fiat_secp384r1_addcarryx_u32(&x1057, &x1058, x1056, x994, x1037); - fiat_secp384r1_addcarryx_u32(&x1059, &x1060, x1058, x996, 0x0); - fiat_secp384r1_addcarryx_u32(&x1061, &x1062, x1060, x998, x1034); - fiat_secp384r1_addcarryx_u32(&x1063, &x1064, x1062, x1000, x1038); - fiat_secp384r1_addcarryx_u32(&x1065, &x1066, x1064, x1002, x1040); - fiat_secp384r1_addcarryx_u32(&x1067, &x1068, x1066, x1004, x1042); - fiat_secp384r1_addcarryx_u32(&x1069, &x1070, x1068, x1006, x1044); - fiat_secp384r1_addcarryx_u32(&x1071, &x1072, x1070, x1008, x1046); - fiat_secp384r1_addcarryx_u32(&x1073, &x1074, x1072, x1010, x1048); - fiat_secp384r1_addcarryx_u32(&x1075, &x1076, x1074, x1012, x1050); - fiat_secp384r1_addcarryx_u32(&x1077, &x1078, x1076, x1014, x1052); - fiat_secp384r1_addcarryx_u32(&x1079, &x1080, x1078, x1016, x1054); - x1081 = ((uint32_t)x1080 + x1017); - fiat_secp384r1_mulx_u32(&x1082, &x1083, x8, (arg1[11])); - fiat_secp384r1_mulx_u32(&x1084, &x1085, x8, (arg1[10])); - fiat_secp384r1_mulx_u32(&x1086, &x1087, x8, (arg1[9])); - fiat_secp384r1_mulx_u32(&x1088, &x1089, x8, (arg1[8])); - fiat_secp384r1_mulx_u32(&x1090, &x1091, x8, (arg1[7])); - fiat_secp384r1_mulx_u32(&x1092, &x1093, x8, (arg1[6])); - fiat_secp384r1_mulx_u32(&x1094, &x1095, x8, (arg1[5])); - fiat_secp384r1_mulx_u32(&x1096, &x1097, x8, (arg1[4])); - fiat_secp384r1_mulx_u32(&x1098, &x1099, x8, (arg1[3])); - fiat_secp384r1_mulx_u32(&x1100, &x1101, x8, (arg1[2])); - fiat_secp384r1_mulx_u32(&x1102, &x1103, x8, (arg1[1])); - fiat_secp384r1_mulx_u32(&x1104, &x1105, x8, (arg1[0])); - fiat_secp384r1_addcarryx_u32(&x1106, &x1107, 0x0, x1105, x1102); - fiat_secp384r1_addcarryx_u32(&x1108, &x1109, x1107, x1103, x1100); - fiat_secp384r1_addcarryx_u32(&x1110, &x1111, x1109, x1101, x1098); - fiat_secp384r1_addcarryx_u32(&x1112, &x1113, x1111, x1099, x1096); - fiat_secp384r1_addcarryx_u32(&x1114, &x1115, x1113, x1097, x1094); - fiat_secp384r1_addcarryx_u32(&x1116, &x1117, x1115, x1095, x1092); - fiat_secp384r1_addcarryx_u32(&x1118, &x1119, x1117, x1093, x1090); - fiat_secp384r1_addcarryx_u32(&x1120, &x1121, x1119, x1091, x1088); - fiat_secp384r1_addcarryx_u32(&x1122, &x1123, x1121, x1089, x1086); - fiat_secp384r1_addcarryx_u32(&x1124, &x1125, x1123, x1087, x1084); - fiat_secp384r1_addcarryx_u32(&x1126, &x1127, x1125, x1085, x1082); - x1128 = (x1127 + x1083); - fiat_secp384r1_addcarryx_u32(&x1129, &x1130, 0x0, x1057, x1104); - fiat_secp384r1_addcarryx_u32(&x1131, &x1132, x1130, x1059, x1106); - fiat_secp384r1_addcarryx_u32(&x1133, &x1134, x1132, x1061, x1108); - fiat_secp384r1_addcarryx_u32(&x1135, &x1136, x1134, x1063, x1110); - fiat_secp384r1_addcarryx_u32(&x1137, &x1138, x1136, x1065, x1112); - fiat_secp384r1_addcarryx_u32(&x1139, &x1140, x1138, x1067, x1114); - fiat_secp384r1_addcarryx_u32(&x1141, &x1142, x1140, x1069, x1116); - fiat_secp384r1_addcarryx_u32(&x1143, &x1144, x1142, x1071, x1118); - fiat_secp384r1_addcarryx_u32(&x1145, &x1146, x1144, x1073, x1120); - fiat_secp384r1_addcarryx_u32(&x1147, &x1148, x1146, x1075, x1122); - fiat_secp384r1_addcarryx_u32(&x1149, &x1150, x1148, x1077, x1124); - fiat_secp384r1_addcarryx_u32(&x1151, &x1152, x1150, x1079, x1126); - fiat_secp384r1_addcarryx_u32(&x1153, &x1154, x1152, x1081, x1128); - fiat_secp384r1_mulx_u32(&x1155, &x1156, x1129, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1157, &x1158, x1129, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1159, &x1160, x1129, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1161, &x1162, x1129, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1163, &x1164, x1129, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1165, &x1166, x1129, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1167, &x1168, x1129, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1169, &x1170, x1129, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x1171, &x1172, x1129, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1173, &x1174, x1129, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u32(&x1175, &x1176, 0x0, x1172, x1169); - fiat_secp384r1_addcarryx_u32(&x1177, &x1178, x1176, x1170, x1167); - fiat_secp384r1_addcarryx_u32(&x1179, &x1180, x1178, x1168, x1165); - fiat_secp384r1_addcarryx_u32(&x1181, &x1182, x1180, x1166, x1163); - fiat_secp384r1_addcarryx_u32(&x1183, &x1184, x1182, x1164, x1161); - fiat_secp384r1_addcarryx_u32(&x1185, &x1186, x1184, x1162, x1159); - fiat_secp384r1_addcarryx_u32(&x1187, &x1188, x1186, x1160, x1157); - fiat_secp384r1_addcarryx_u32(&x1189, &x1190, x1188, x1158, x1155); - x1191 = (x1190 + x1156); - fiat_secp384r1_addcarryx_u32(&x1192, &x1193, 0x0, x1129, x1173); - fiat_secp384r1_addcarryx_u32(&x1194, &x1195, x1193, x1131, x1174); - fiat_secp384r1_addcarryx_u32(&x1196, &x1197, x1195, x1133, 0x0); - fiat_secp384r1_addcarryx_u32(&x1198, &x1199, x1197, x1135, x1171); - fiat_secp384r1_addcarryx_u32(&x1200, &x1201, x1199, x1137, x1175); - fiat_secp384r1_addcarryx_u32(&x1202, &x1203, x1201, x1139, x1177); - fiat_secp384r1_addcarryx_u32(&x1204, &x1205, x1203, x1141, x1179); - fiat_secp384r1_addcarryx_u32(&x1206, &x1207, x1205, x1143, x1181); - fiat_secp384r1_addcarryx_u32(&x1208, &x1209, x1207, x1145, x1183); - fiat_secp384r1_addcarryx_u32(&x1210, &x1211, x1209, x1147, x1185); - fiat_secp384r1_addcarryx_u32(&x1212, &x1213, x1211, x1149, x1187); - fiat_secp384r1_addcarryx_u32(&x1214, &x1215, x1213, x1151, x1189); - fiat_secp384r1_addcarryx_u32(&x1216, &x1217, x1215, x1153, x1191); - x1218 = ((uint32_t)x1217 + x1154); - fiat_secp384r1_mulx_u32(&x1219, &x1220, x9, (arg1[11])); - fiat_secp384r1_mulx_u32(&x1221, &x1222, x9, (arg1[10])); - fiat_secp384r1_mulx_u32(&x1223, &x1224, x9, (arg1[9])); - fiat_secp384r1_mulx_u32(&x1225, &x1226, x9, (arg1[8])); - fiat_secp384r1_mulx_u32(&x1227, &x1228, x9, (arg1[7])); - fiat_secp384r1_mulx_u32(&x1229, &x1230, x9, (arg1[6])); - fiat_secp384r1_mulx_u32(&x1231, &x1232, x9, (arg1[5])); - fiat_secp384r1_mulx_u32(&x1233, &x1234, x9, (arg1[4])); - fiat_secp384r1_mulx_u32(&x1235, &x1236, x9, (arg1[3])); - fiat_secp384r1_mulx_u32(&x1237, &x1238, x9, (arg1[2])); - fiat_secp384r1_mulx_u32(&x1239, &x1240, x9, (arg1[1])); - fiat_secp384r1_mulx_u32(&x1241, &x1242, x9, (arg1[0])); - fiat_secp384r1_addcarryx_u32(&x1243, &x1244, 0x0, x1242, x1239); - fiat_secp384r1_addcarryx_u32(&x1245, &x1246, x1244, x1240, x1237); - fiat_secp384r1_addcarryx_u32(&x1247, &x1248, x1246, x1238, x1235); - fiat_secp384r1_addcarryx_u32(&x1249, &x1250, x1248, x1236, x1233); - fiat_secp384r1_addcarryx_u32(&x1251, &x1252, x1250, x1234, x1231); - fiat_secp384r1_addcarryx_u32(&x1253, &x1254, x1252, x1232, x1229); - fiat_secp384r1_addcarryx_u32(&x1255, &x1256, x1254, x1230, x1227); - fiat_secp384r1_addcarryx_u32(&x1257, &x1258, x1256, x1228, x1225); - fiat_secp384r1_addcarryx_u32(&x1259, &x1260, x1258, x1226, x1223); - fiat_secp384r1_addcarryx_u32(&x1261, &x1262, x1260, x1224, x1221); - fiat_secp384r1_addcarryx_u32(&x1263, &x1264, x1262, x1222, x1219); - x1265 = (x1264 + x1220); - fiat_secp384r1_addcarryx_u32(&x1266, &x1267, 0x0, x1194, x1241); - fiat_secp384r1_addcarryx_u32(&x1268, &x1269, x1267, x1196, x1243); - fiat_secp384r1_addcarryx_u32(&x1270, &x1271, x1269, x1198, x1245); - fiat_secp384r1_addcarryx_u32(&x1272, &x1273, x1271, x1200, x1247); - fiat_secp384r1_addcarryx_u32(&x1274, &x1275, x1273, x1202, x1249); - fiat_secp384r1_addcarryx_u32(&x1276, &x1277, x1275, x1204, x1251); - fiat_secp384r1_addcarryx_u32(&x1278, &x1279, x1277, x1206, x1253); - fiat_secp384r1_addcarryx_u32(&x1280, &x1281, x1279, x1208, x1255); - fiat_secp384r1_addcarryx_u32(&x1282, &x1283, x1281, x1210, x1257); - fiat_secp384r1_addcarryx_u32(&x1284, &x1285, x1283, x1212, x1259); - fiat_secp384r1_addcarryx_u32(&x1286, &x1287, x1285, x1214, x1261); - fiat_secp384r1_addcarryx_u32(&x1288, &x1289, x1287, x1216, x1263); - fiat_secp384r1_addcarryx_u32(&x1290, &x1291, x1289, x1218, x1265); - fiat_secp384r1_mulx_u32(&x1292, &x1293, x1266, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1294, &x1295, x1266, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1296, &x1297, x1266, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1298, &x1299, x1266, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1300, &x1301, x1266, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1302, &x1303, x1266, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1304, &x1305, x1266, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1306, &x1307, x1266, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x1308, &x1309, x1266, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1310, &x1311, x1266, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u32(&x1312, &x1313, 0x0, x1309, x1306); - fiat_secp384r1_addcarryx_u32(&x1314, &x1315, x1313, x1307, x1304); - fiat_secp384r1_addcarryx_u32(&x1316, &x1317, x1315, x1305, x1302); - fiat_secp384r1_addcarryx_u32(&x1318, &x1319, x1317, x1303, x1300); - fiat_secp384r1_addcarryx_u32(&x1320, &x1321, x1319, x1301, x1298); - fiat_secp384r1_addcarryx_u32(&x1322, &x1323, x1321, x1299, x1296); - fiat_secp384r1_addcarryx_u32(&x1324, &x1325, x1323, x1297, x1294); - fiat_secp384r1_addcarryx_u32(&x1326, &x1327, x1325, x1295, x1292); - x1328 = (x1327 + x1293); - fiat_secp384r1_addcarryx_u32(&x1329, &x1330, 0x0, x1266, x1310); - fiat_secp384r1_addcarryx_u32(&x1331, &x1332, x1330, x1268, x1311); - fiat_secp384r1_addcarryx_u32(&x1333, &x1334, x1332, x1270, 0x0); - fiat_secp384r1_addcarryx_u32(&x1335, &x1336, x1334, x1272, x1308); - fiat_secp384r1_addcarryx_u32(&x1337, &x1338, x1336, x1274, x1312); - fiat_secp384r1_addcarryx_u32(&x1339, &x1340, x1338, x1276, x1314); - fiat_secp384r1_addcarryx_u32(&x1341, &x1342, x1340, x1278, x1316); - fiat_secp384r1_addcarryx_u32(&x1343, &x1344, x1342, x1280, x1318); - fiat_secp384r1_addcarryx_u32(&x1345, &x1346, x1344, x1282, x1320); - fiat_secp384r1_addcarryx_u32(&x1347, &x1348, x1346, x1284, x1322); - fiat_secp384r1_addcarryx_u32(&x1349, &x1350, x1348, x1286, x1324); - fiat_secp384r1_addcarryx_u32(&x1351, &x1352, x1350, x1288, x1326); - fiat_secp384r1_addcarryx_u32(&x1353, &x1354, x1352, x1290, x1328); - x1355 = ((uint32_t)x1354 + x1291); - fiat_secp384r1_mulx_u32(&x1356, &x1357, x10, (arg1[11])); - fiat_secp384r1_mulx_u32(&x1358, &x1359, x10, (arg1[10])); - fiat_secp384r1_mulx_u32(&x1360, &x1361, x10, (arg1[9])); - fiat_secp384r1_mulx_u32(&x1362, &x1363, x10, (arg1[8])); - fiat_secp384r1_mulx_u32(&x1364, &x1365, x10, (arg1[7])); - fiat_secp384r1_mulx_u32(&x1366, &x1367, x10, (arg1[6])); - fiat_secp384r1_mulx_u32(&x1368, &x1369, x10, (arg1[5])); - fiat_secp384r1_mulx_u32(&x1370, &x1371, x10, (arg1[4])); - fiat_secp384r1_mulx_u32(&x1372, &x1373, x10, (arg1[3])); - fiat_secp384r1_mulx_u32(&x1374, &x1375, x10, (arg1[2])); - fiat_secp384r1_mulx_u32(&x1376, &x1377, x10, (arg1[1])); - fiat_secp384r1_mulx_u32(&x1378, &x1379, x10, (arg1[0])); - fiat_secp384r1_addcarryx_u32(&x1380, &x1381, 0x0, x1379, x1376); - fiat_secp384r1_addcarryx_u32(&x1382, &x1383, x1381, x1377, x1374); - fiat_secp384r1_addcarryx_u32(&x1384, &x1385, x1383, x1375, x1372); - fiat_secp384r1_addcarryx_u32(&x1386, &x1387, x1385, x1373, x1370); - fiat_secp384r1_addcarryx_u32(&x1388, &x1389, x1387, x1371, x1368); - fiat_secp384r1_addcarryx_u32(&x1390, &x1391, x1389, x1369, x1366); - fiat_secp384r1_addcarryx_u32(&x1392, &x1393, x1391, x1367, x1364); - fiat_secp384r1_addcarryx_u32(&x1394, &x1395, x1393, x1365, x1362); - fiat_secp384r1_addcarryx_u32(&x1396, &x1397, x1395, x1363, x1360); - fiat_secp384r1_addcarryx_u32(&x1398, &x1399, x1397, x1361, x1358); - fiat_secp384r1_addcarryx_u32(&x1400, &x1401, x1399, x1359, x1356); - x1402 = (x1401 + x1357); - fiat_secp384r1_addcarryx_u32(&x1403, &x1404, 0x0, x1331, x1378); - fiat_secp384r1_addcarryx_u32(&x1405, &x1406, x1404, x1333, x1380); - fiat_secp384r1_addcarryx_u32(&x1407, &x1408, x1406, x1335, x1382); - fiat_secp384r1_addcarryx_u32(&x1409, &x1410, x1408, x1337, x1384); - fiat_secp384r1_addcarryx_u32(&x1411, &x1412, x1410, x1339, x1386); - fiat_secp384r1_addcarryx_u32(&x1413, &x1414, x1412, x1341, x1388); - fiat_secp384r1_addcarryx_u32(&x1415, &x1416, x1414, x1343, x1390); - fiat_secp384r1_addcarryx_u32(&x1417, &x1418, x1416, x1345, x1392); - fiat_secp384r1_addcarryx_u32(&x1419, &x1420, x1418, x1347, x1394); - fiat_secp384r1_addcarryx_u32(&x1421, &x1422, x1420, x1349, x1396); - fiat_secp384r1_addcarryx_u32(&x1423, &x1424, x1422, x1351, x1398); - fiat_secp384r1_addcarryx_u32(&x1425, &x1426, x1424, x1353, x1400); - fiat_secp384r1_addcarryx_u32(&x1427, &x1428, x1426, x1355, x1402); - fiat_secp384r1_mulx_u32(&x1429, &x1430, x1403, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1431, &x1432, x1403, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1433, &x1434, x1403, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1435, &x1436, x1403, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1437, &x1438, x1403, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1439, &x1440, x1403, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1441, &x1442, x1403, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1443, &x1444, x1403, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x1445, &x1446, x1403, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1447, &x1448, x1403, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u32(&x1449, &x1450, 0x0, x1446, x1443); - fiat_secp384r1_addcarryx_u32(&x1451, &x1452, x1450, x1444, x1441); - fiat_secp384r1_addcarryx_u32(&x1453, &x1454, x1452, x1442, x1439); - fiat_secp384r1_addcarryx_u32(&x1455, &x1456, x1454, x1440, x1437); - fiat_secp384r1_addcarryx_u32(&x1457, &x1458, x1456, x1438, x1435); - fiat_secp384r1_addcarryx_u32(&x1459, &x1460, x1458, x1436, x1433); - fiat_secp384r1_addcarryx_u32(&x1461, &x1462, x1460, x1434, x1431); - fiat_secp384r1_addcarryx_u32(&x1463, &x1464, x1462, x1432, x1429); - x1465 = (x1464 + x1430); - fiat_secp384r1_addcarryx_u32(&x1466, &x1467, 0x0, x1403, x1447); - fiat_secp384r1_addcarryx_u32(&x1468, &x1469, x1467, x1405, x1448); - fiat_secp384r1_addcarryx_u32(&x1470, &x1471, x1469, x1407, 0x0); - fiat_secp384r1_addcarryx_u32(&x1472, &x1473, x1471, x1409, x1445); - fiat_secp384r1_addcarryx_u32(&x1474, &x1475, x1473, x1411, x1449); - fiat_secp384r1_addcarryx_u32(&x1476, &x1477, x1475, x1413, x1451); - fiat_secp384r1_addcarryx_u32(&x1478, &x1479, x1477, x1415, x1453); - fiat_secp384r1_addcarryx_u32(&x1480, &x1481, x1479, x1417, x1455); - fiat_secp384r1_addcarryx_u32(&x1482, &x1483, x1481, x1419, x1457); - fiat_secp384r1_addcarryx_u32(&x1484, &x1485, x1483, x1421, x1459); - fiat_secp384r1_addcarryx_u32(&x1486, &x1487, x1485, x1423, x1461); - fiat_secp384r1_addcarryx_u32(&x1488, &x1489, x1487, x1425, x1463); - fiat_secp384r1_addcarryx_u32(&x1490, &x1491, x1489, x1427, x1465); - x1492 = ((uint32_t)x1491 + x1428); - fiat_secp384r1_mulx_u32(&x1493, &x1494, x11, (arg1[11])); - fiat_secp384r1_mulx_u32(&x1495, &x1496, x11, (arg1[10])); - fiat_secp384r1_mulx_u32(&x1497, &x1498, x11, (arg1[9])); - fiat_secp384r1_mulx_u32(&x1499, &x1500, x11, (arg1[8])); - fiat_secp384r1_mulx_u32(&x1501, &x1502, x11, (arg1[7])); - fiat_secp384r1_mulx_u32(&x1503, &x1504, x11, (arg1[6])); - fiat_secp384r1_mulx_u32(&x1505, &x1506, x11, (arg1[5])); - fiat_secp384r1_mulx_u32(&x1507, &x1508, x11, (arg1[4])); - fiat_secp384r1_mulx_u32(&x1509, &x1510, x11, (arg1[3])); - fiat_secp384r1_mulx_u32(&x1511, &x1512, x11, (arg1[2])); - fiat_secp384r1_mulx_u32(&x1513, &x1514, x11, (arg1[1])); - fiat_secp384r1_mulx_u32(&x1515, &x1516, x11, (arg1[0])); - fiat_secp384r1_addcarryx_u32(&x1517, &x1518, 0x0, x1516, x1513); - fiat_secp384r1_addcarryx_u32(&x1519, &x1520, x1518, x1514, x1511); - fiat_secp384r1_addcarryx_u32(&x1521, &x1522, x1520, x1512, x1509); - fiat_secp384r1_addcarryx_u32(&x1523, &x1524, x1522, x1510, x1507); - fiat_secp384r1_addcarryx_u32(&x1525, &x1526, x1524, x1508, x1505); - fiat_secp384r1_addcarryx_u32(&x1527, &x1528, x1526, x1506, x1503); - fiat_secp384r1_addcarryx_u32(&x1529, &x1530, x1528, x1504, x1501); - fiat_secp384r1_addcarryx_u32(&x1531, &x1532, x1530, x1502, x1499); - fiat_secp384r1_addcarryx_u32(&x1533, &x1534, x1532, x1500, x1497); - fiat_secp384r1_addcarryx_u32(&x1535, &x1536, x1534, x1498, x1495); - fiat_secp384r1_addcarryx_u32(&x1537, &x1538, x1536, x1496, x1493); - x1539 = (x1538 + x1494); - fiat_secp384r1_addcarryx_u32(&x1540, &x1541, 0x0, x1468, x1515); - fiat_secp384r1_addcarryx_u32(&x1542, &x1543, x1541, x1470, x1517); - fiat_secp384r1_addcarryx_u32(&x1544, &x1545, x1543, x1472, x1519); - fiat_secp384r1_addcarryx_u32(&x1546, &x1547, x1545, x1474, x1521); - fiat_secp384r1_addcarryx_u32(&x1548, &x1549, x1547, x1476, x1523); - fiat_secp384r1_addcarryx_u32(&x1550, &x1551, x1549, x1478, x1525); - fiat_secp384r1_addcarryx_u32(&x1552, &x1553, x1551, x1480, x1527); - fiat_secp384r1_addcarryx_u32(&x1554, &x1555, x1553, x1482, x1529); - fiat_secp384r1_addcarryx_u32(&x1556, &x1557, x1555, x1484, x1531); - fiat_secp384r1_addcarryx_u32(&x1558, &x1559, x1557, x1486, x1533); - fiat_secp384r1_addcarryx_u32(&x1560, &x1561, x1559, x1488, x1535); - fiat_secp384r1_addcarryx_u32(&x1562, &x1563, x1561, x1490, x1537); - fiat_secp384r1_addcarryx_u32(&x1564, &x1565, x1563, x1492, x1539); - fiat_secp384r1_mulx_u32(&x1566, &x1567, x1540, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1568, &x1569, x1540, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1570, &x1571, x1540, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1572, &x1573, x1540, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1574, &x1575, x1540, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1576, &x1577, x1540, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1578, &x1579, x1540, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1580, &x1581, x1540, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x1582, &x1583, x1540, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1584, &x1585, x1540, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u32(&x1586, &x1587, 0x0, x1583, x1580); - fiat_secp384r1_addcarryx_u32(&x1588, &x1589, x1587, x1581, x1578); - fiat_secp384r1_addcarryx_u32(&x1590, &x1591, x1589, x1579, x1576); - fiat_secp384r1_addcarryx_u32(&x1592, &x1593, x1591, x1577, x1574); - fiat_secp384r1_addcarryx_u32(&x1594, &x1595, x1593, x1575, x1572); - fiat_secp384r1_addcarryx_u32(&x1596, &x1597, x1595, x1573, x1570); - fiat_secp384r1_addcarryx_u32(&x1598, &x1599, x1597, x1571, x1568); - fiat_secp384r1_addcarryx_u32(&x1600, &x1601, x1599, x1569, x1566); - x1602 = (x1601 + x1567); - fiat_secp384r1_addcarryx_u32(&x1603, &x1604, 0x0, x1540, x1584); - fiat_secp384r1_addcarryx_u32(&x1605, &x1606, x1604, x1542, x1585); - fiat_secp384r1_addcarryx_u32(&x1607, &x1608, x1606, x1544, 0x0); - fiat_secp384r1_addcarryx_u32(&x1609, &x1610, x1608, x1546, x1582); - fiat_secp384r1_addcarryx_u32(&x1611, &x1612, x1610, x1548, x1586); - fiat_secp384r1_addcarryx_u32(&x1613, &x1614, x1612, x1550, x1588); - fiat_secp384r1_addcarryx_u32(&x1615, &x1616, x1614, x1552, x1590); - fiat_secp384r1_addcarryx_u32(&x1617, &x1618, x1616, x1554, x1592); - fiat_secp384r1_addcarryx_u32(&x1619, &x1620, x1618, x1556, x1594); - fiat_secp384r1_addcarryx_u32(&x1621, &x1622, x1620, x1558, x1596); - fiat_secp384r1_addcarryx_u32(&x1623, &x1624, x1622, x1560, x1598); - fiat_secp384r1_addcarryx_u32(&x1625, &x1626, x1624, x1562, x1600); - fiat_secp384r1_addcarryx_u32(&x1627, &x1628, x1626, x1564, x1602); - x1629 = ((uint32_t)x1628 + x1565); - fiat_secp384r1_subborrowx_u32(&x1630, &x1631, 0x0, x1605, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x1632, &x1633, x1631, x1607, 0x0); - fiat_secp384r1_subborrowx_u32(&x1634, &x1635, x1633, x1609, 0x0); - fiat_secp384r1_subborrowx_u32(&x1636, &x1637, x1635, x1611, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x1638, &x1639, x1637, x1613, - UINT32_C(0xfffffffe)); - fiat_secp384r1_subborrowx_u32(&x1640, &x1641, x1639, x1615, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x1642, &x1643, x1641, x1617, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x1644, &x1645, x1643, x1619, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x1646, &x1647, x1645, x1621, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x1648, &x1649, x1647, x1623, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x1650, &x1651, x1649, x1625, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x1652, &x1653, x1651, x1627, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x1654, &x1655, x1653, x1629, 0x0); - fiat_secp384r1_cmovznz_u32(&x1656, x1655, x1630, x1605); - fiat_secp384r1_cmovznz_u32(&x1657, x1655, x1632, x1607); - fiat_secp384r1_cmovznz_u32(&x1658, x1655, x1634, x1609); - fiat_secp384r1_cmovznz_u32(&x1659, x1655, x1636, x1611); - fiat_secp384r1_cmovznz_u32(&x1660, x1655, x1638, x1613); - fiat_secp384r1_cmovznz_u32(&x1661, x1655, x1640, x1615); - fiat_secp384r1_cmovznz_u32(&x1662, x1655, x1642, x1617); - fiat_secp384r1_cmovznz_u32(&x1663, x1655, x1644, x1619); - fiat_secp384r1_cmovznz_u32(&x1664, x1655, x1646, x1621); - fiat_secp384r1_cmovznz_u32(&x1665, x1655, x1648, x1623); - fiat_secp384r1_cmovznz_u32(&x1666, x1655, x1650, x1625); - fiat_secp384r1_cmovznz_u32(&x1667, x1655, x1652, x1627); - out1[0] = x1656; - out1[1] = x1657; - out1[2] = x1658; - out1[3] = x1659; - out1[4] = x1660; - out1[5] = x1661; - out1[6] = x1662; - out1[7] = x1663; - out1[8] = x1664; - out1[9] = x1665; - out1[10] = x1666; - out1[11] = x1667; -} + if (!X || !k || !X->data || !k->data || + X->len < 97 || k->len != 48) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + res = SECFailure; + return res; + } -/* - * The function fiat_secp384r1_add adds two field elements in the Montgomery domain. - * - * Preconditions: - * 0 ≤ eval arg1 < m - * 0 ≤ eval arg2 < m - * Postconditions: - * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m - * 0 ≤ eval out1 < m - * - */ -static void -fiat_secp384r1_add( - fiat_secp384r1_montgomery_domain_field_element out1, - const fiat_secp384r1_montgomery_domain_field_element arg1, - const fiat_secp384r1_montgomery_domain_field_element arg2) -{ - uint32_t x1; - fiat_secp384r1_uint1 x2; - uint32_t x3; - fiat_secp384r1_uint1 x4; - uint32_t x5; - fiat_secp384r1_uint1 x6; - uint32_t x7; - fiat_secp384r1_uint1 x8; - uint32_t x9; - fiat_secp384r1_uint1 x10; - uint32_t x11; - fiat_secp384r1_uint1 x12; - uint32_t x13; - fiat_secp384r1_uint1 x14; - uint32_t x15; - fiat_secp384r1_uint1 x16; - uint32_t x17; - fiat_secp384r1_uint1 x18; - uint32_t x19; - fiat_secp384r1_uint1 x20; - uint32_t x21; - fiat_secp384r1_uint1 x22; - uint32_t x23; - fiat_secp384r1_uint1 x24; - uint32_t x25; - fiat_secp384r1_uint1 x26; - uint32_t x27; - fiat_secp384r1_uint1 x28; - uint32_t x29; - fiat_secp384r1_uint1 x30; - uint32_t x31; - fiat_secp384r1_uint1 x32; - uint32_t x33; - fiat_secp384r1_uint1 x34; - uint32_t x35; - fiat_secp384r1_uint1 x36; - uint32_t x37; - fiat_secp384r1_uint1 x38; - uint32_t x39; - fiat_secp384r1_uint1 x40; - uint32_t x41; - fiat_secp384r1_uint1 x42; - uint32_t x43; - fiat_secp384r1_uint1 x44; - uint32_t x45; - fiat_secp384r1_uint1 x46; - uint32_t x47; - fiat_secp384r1_uint1 x48; - uint32_t x49; - fiat_secp384r1_uint1 x50; - uint32_t x51; - uint32_t x52; - uint32_t x53; - uint32_t x54; - uint32_t x55; - uint32_t x56; - uint32_t x57; - uint32_t x58; - uint32_t x59; - uint32_t x60; - uint32_t x61; - uint32_t x62; - fiat_secp384r1_addcarryx_u32(&x1, &x2, 0x0, (arg1[0]), (arg2[0])); - fiat_secp384r1_addcarryx_u32(&x3, &x4, x2, (arg1[1]), (arg2[1])); - fiat_secp384r1_addcarryx_u32(&x5, &x6, x4, (arg1[2]), (arg2[2])); - fiat_secp384r1_addcarryx_u32(&x7, &x8, x6, (arg1[3]), (arg2[3])); - fiat_secp384r1_addcarryx_u32(&x9, &x10, x8, (arg1[4]), (arg2[4])); - fiat_secp384r1_addcarryx_u32(&x11, &x12, x10, (arg1[5]), (arg2[5])); - fiat_secp384r1_addcarryx_u32(&x13, &x14, x12, (arg1[6]), (arg2[6])); - fiat_secp384r1_addcarryx_u32(&x15, &x16, x14, (arg1[7]), (arg2[7])); - fiat_secp384r1_addcarryx_u32(&x17, &x18, x16, (arg1[8]), (arg2[8])); - fiat_secp384r1_addcarryx_u32(&x19, &x20, x18, (arg1[9]), (arg2[9])); - fiat_secp384r1_addcarryx_u32(&x21, &x22, x20, (arg1[10]), (arg2[10])); - fiat_secp384r1_addcarryx_u32(&x23, &x24, x22, (arg1[11]), (arg2[11])); - fiat_secp384r1_subborrowx_u32(&x25, &x26, 0x0, x1, UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x27, &x28, x26, x3, 0x0); - fiat_secp384r1_subborrowx_u32(&x29, &x30, x28, x5, 0x0); - fiat_secp384r1_subborrowx_u32(&x31, &x32, x30, x7, UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x33, &x34, x32, x9, UINT32_C(0xfffffffe)); - fiat_secp384r1_subborrowx_u32(&x35, &x36, x34, x11, UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x37, &x38, x36, x13, UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x39, &x40, x38, x15, UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x41, &x42, x40, x17, UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x43, &x44, x42, x19, UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x45, &x46, x44, x21, UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x47, &x48, x46, x23, UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x49, &x50, x48, x24, 0x0); - fiat_secp384r1_cmovznz_u32(&x51, x50, x25, x1); - fiat_secp384r1_cmovznz_u32(&x52, x50, x27, x3); - fiat_secp384r1_cmovznz_u32(&x53, x50, x29, x5); - fiat_secp384r1_cmovznz_u32(&x54, x50, x31, x7); - fiat_secp384r1_cmovznz_u32(&x55, x50, x33, x9); - fiat_secp384r1_cmovznz_u32(&x56, x50, x35, x11); - fiat_secp384r1_cmovznz_u32(&x57, x50, x37, x13); - fiat_secp384r1_cmovznz_u32(&x58, x50, x39, x15); - fiat_secp384r1_cmovznz_u32(&x59, x50, x41, x17); - fiat_secp384r1_cmovznz_u32(&x60, x50, x43, x19); - fiat_secp384r1_cmovznz_u32(&x61, x50, x45, x21); - fiat_secp384r1_cmovznz_u32(&x62, x50, x47, x23); - out1[0] = x51; - out1[1] = x52; - out1[2] = x53; - out1[3] = x54; - out1[4] = x55; - out1[5] = x56; - out1[6] = x57; - out1[7] = x58; - out1[8] = x59; - out1[9] = x60; - out1[10] = x61; - out1[11] = x62; -} + bool b = Hacl_P384_dh_initiator(derived, k->data); -/* - * The function fiat_secp384r1_sub subtracts two field elements in the Montgomery domain. - * - * Preconditions: - * 0 ≤ eval arg1 < m - * 0 ≤ eval arg2 < m - * Postconditions: - * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m - * 0 ≤ eval out1 < m - * - */ -static void -fiat_secp384r1_sub( - fiat_secp384r1_montgomery_domain_field_element out1, - const fiat_secp384r1_montgomery_domain_field_element arg1, - const fiat_secp384r1_montgomery_domain_field_element arg2) -{ - uint32_t x1; - fiat_secp384r1_uint1 x2; - uint32_t x3; - fiat_secp384r1_uint1 x4; - uint32_t x5; - fiat_secp384r1_uint1 x6; - uint32_t x7; - fiat_secp384r1_uint1 x8; - uint32_t x9; - fiat_secp384r1_uint1 x10; - uint32_t x11; - fiat_secp384r1_uint1 x12; - uint32_t x13; - fiat_secp384r1_uint1 x14; - uint32_t x15; - fiat_secp384r1_uint1 x16; - uint32_t x17; - fiat_secp384r1_uint1 x18; - uint32_t x19; - fiat_secp384r1_uint1 x20; - uint32_t x21; - fiat_secp384r1_uint1 x22; - uint32_t x23; - fiat_secp384r1_uint1 x24; - uint32_t x25; - uint32_t x26; - fiat_secp384r1_uint1 x27; - uint32_t x28; - fiat_secp384r1_uint1 x29; - uint32_t x30; - fiat_secp384r1_uint1 x31; - uint32_t x32; - fiat_secp384r1_uint1 x33; - uint32_t x34; - fiat_secp384r1_uint1 x35; - uint32_t x36; - fiat_secp384r1_uint1 x37; - uint32_t x38; - fiat_secp384r1_uint1 x39; - uint32_t x40; - fiat_secp384r1_uint1 x41; - uint32_t x42; - fiat_secp384r1_uint1 x43; - uint32_t x44; - fiat_secp384r1_uint1 x45; - uint32_t x46; - fiat_secp384r1_uint1 x47; - uint32_t x48; - fiat_secp384r1_uint1 x49; - fiat_secp384r1_subborrowx_u32(&x1, &x2, 0x0, (arg1[0]), (arg2[0])); - fiat_secp384r1_subborrowx_u32(&x3, &x4, x2, (arg1[1]), (arg2[1])); - fiat_secp384r1_subborrowx_u32(&x5, &x6, x4, (arg1[2]), (arg2[2])); - fiat_secp384r1_subborrowx_u32(&x7, &x8, x6, (arg1[3]), (arg2[3])); - fiat_secp384r1_subborrowx_u32(&x9, &x10, x8, (arg1[4]), (arg2[4])); - fiat_secp384r1_subborrowx_u32(&x11, &x12, x10, (arg1[5]), (arg2[5])); - fiat_secp384r1_subborrowx_u32(&x13, &x14, x12, (arg1[6]), (arg2[6])); - fiat_secp384r1_subborrowx_u32(&x15, &x16, x14, (arg1[7]), (arg2[7])); - fiat_secp384r1_subborrowx_u32(&x17, &x18, x16, (arg1[8]), (arg2[8])); - fiat_secp384r1_subborrowx_u32(&x19, &x20, x18, (arg1[9]), (arg2[9])); - fiat_secp384r1_subborrowx_u32(&x21, &x22, x20, (arg1[10]), (arg2[10])); - fiat_secp384r1_subborrowx_u32(&x23, &x24, x22, (arg1[11]), (arg2[11])); - fiat_secp384r1_cmovznz_u32(&x25, x24, 0x0, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u32(&x26, &x27, 0x0, x1, x25); - fiat_secp384r1_addcarryx_u32(&x28, &x29, x27, x3, 0x0); - fiat_secp384r1_addcarryx_u32(&x30, &x31, x29, x5, 0x0); - fiat_secp384r1_addcarryx_u32(&x32, &x33, x31, x7, x25); - fiat_secp384r1_addcarryx_u32(&x34, &x35, x33, x9, - (x25 & UINT32_C(0xfffffffe))); - fiat_secp384r1_addcarryx_u32(&x36, &x37, x35, x11, x25); - fiat_secp384r1_addcarryx_u32(&x38, &x39, x37, x13, x25); - fiat_secp384r1_addcarryx_u32(&x40, &x41, x39, x15, x25); - fiat_secp384r1_addcarryx_u32(&x42, &x43, x41, x17, x25); - fiat_secp384r1_addcarryx_u32(&x44, &x45, x43, x19, x25); - fiat_secp384r1_addcarryx_u32(&x46, &x47, x45, x21, x25); - fiat_secp384r1_addcarryx_u32(&x48, &x49, x47, x23, x25); - out1[0] = x26; - out1[1] = x28; - out1[2] = x30; - out1[3] = x32; - out1[4] = x34; - out1[5] = x36; - out1[6] = x38; - out1[7] = x40; - out1[8] = x42; - out1[9] = x44; - out1[10] = x46; - out1[11] = x48; -} + if (!b) { + PORT_SetError(SEC_ERROR_BAD_KEY); + res = SECFailure; + return res; + } -/* - * The function fiat_secp384r1_opp negates a field element in the Montgomery domain. - * - * Preconditions: - * 0 ≤ eval arg1 < m - * Postconditions: - * eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m - * 0 ≤ eval out1 < m - * - */ -static void -fiat_secp384r1_opp( - fiat_secp384r1_montgomery_domain_field_element out1, - const fiat_secp384r1_montgomery_domain_field_element arg1) -{ - uint32_t x1; - fiat_secp384r1_uint1 x2; - uint32_t x3; - fiat_secp384r1_uint1 x4; - uint32_t x5; - fiat_secp384r1_uint1 x6; - uint32_t x7; - fiat_secp384r1_uint1 x8; - uint32_t x9; - fiat_secp384r1_uint1 x10; - uint32_t x11; - fiat_secp384r1_uint1 x12; - uint32_t x13; - fiat_secp384r1_uint1 x14; - uint32_t x15; - fiat_secp384r1_uint1 x16; - uint32_t x17; - fiat_secp384r1_uint1 x18; - uint32_t x19; - fiat_secp384r1_uint1 x20; - uint32_t x21; - fiat_secp384r1_uint1 x22; - uint32_t x23; - fiat_secp384r1_uint1 x24; - uint32_t x25; - uint32_t x26; - fiat_secp384r1_uint1 x27; - uint32_t x28; - fiat_secp384r1_uint1 x29; - uint32_t x30; - fiat_secp384r1_uint1 x31; - uint32_t x32; - fiat_secp384r1_uint1 x33; - uint32_t x34; - fiat_secp384r1_uint1 x35; - uint32_t x36; - fiat_secp384r1_uint1 x37; - uint32_t x38; - fiat_secp384r1_uint1 x39; - uint32_t x40; - fiat_secp384r1_uint1 x41; - uint32_t x42; - fiat_secp384r1_uint1 x43; - uint32_t x44; - fiat_secp384r1_uint1 x45; - uint32_t x46; - fiat_secp384r1_uint1 x47; - uint32_t x48; - fiat_secp384r1_uint1 x49; - fiat_secp384r1_subborrowx_u32(&x1, &x2, 0x0, 0x0, (arg1[0])); - fiat_secp384r1_subborrowx_u32(&x3, &x4, x2, 0x0, (arg1[1])); - fiat_secp384r1_subborrowx_u32(&x5, &x6, x4, 0x0, (arg1[2])); - fiat_secp384r1_subborrowx_u32(&x7, &x8, x6, 0x0, (arg1[3])); - fiat_secp384r1_subborrowx_u32(&x9, &x10, x8, 0x0, (arg1[4])); - fiat_secp384r1_subborrowx_u32(&x11, &x12, x10, 0x0, (arg1[5])); - fiat_secp384r1_subborrowx_u32(&x13, &x14, x12, 0x0, (arg1[6])); - fiat_secp384r1_subborrowx_u32(&x15, &x16, x14, 0x0, (arg1[7])); - fiat_secp384r1_subborrowx_u32(&x17, &x18, x16, 0x0, (arg1[8])); - fiat_secp384r1_subborrowx_u32(&x19, &x20, x18, 0x0, (arg1[9])); - fiat_secp384r1_subborrowx_u32(&x21, &x22, x20, 0x0, (arg1[10])); - fiat_secp384r1_subborrowx_u32(&x23, &x24, x22, 0x0, (arg1[11])); - fiat_secp384r1_cmovznz_u32(&x25, x24, 0x0, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u32(&x26, &x27, 0x0, x1, x25); - fiat_secp384r1_addcarryx_u32(&x28, &x29, x27, x3, 0x0); - fiat_secp384r1_addcarryx_u32(&x30, &x31, x29, x5, 0x0); - fiat_secp384r1_addcarryx_u32(&x32, &x33, x31, x7, x25); - fiat_secp384r1_addcarryx_u32(&x34, &x35, x33, x9, - (x25 & UINT32_C(0xfffffffe))); - fiat_secp384r1_addcarryx_u32(&x36, &x37, x35, x11, x25); - fiat_secp384r1_addcarryx_u32(&x38, &x39, x37, x13, x25); - fiat_secp384r1_addcarryx_u32(&x40, &x41, x39, x15, x25); - fiat_secp384r1_addcarryx_u32(&x42, &x43, x41, x17, x25); - fiat_secp384r1_addcarryx_u32(&x44, &x45, x43, x19, x25); - fiat_secp384r1_addcarryx_u32(&x46, &x47, x45, x21, x25); - fiat_secp384r1_addcarryx_u32(&x48, &x49, x47, x23, x25); - out1[0] = x26; - out1[1] = x28; - out1[2] = x30; - out1[3] = x32; - out1[4] = x34; - out1[5] = x36; - out1[6] = x38; - out1[7] = x40; - out1[8] = x42; - out1[9] = x44; - out1[10] = x46; - out1[11] = x48; -} + X->len = 97; + X->data[0] = EC_POINT_FORM_UNCOMPRESSED; + memcpy(X->data + 1, derived, 96); + + } else { + uint8_t full_key[48] = { 0 }; + uint8_t *key; + uint8_t derived[96] = { 0 }; + + if (!X || !k || !P || !X->data || !k->data || !P->data || + X->len < 48 || P->len != 97 || + P->data[0] != EC_POINT_FORM_UNCOMPRESSED) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + res = SECFailure; + return res; + } -/* - * The function fiat_secp384r1_from_montgomery translates a field element out of the Montgomery domain. - * - * Preconditions: - * 0 ≤ eval arg1 < m - * Postconditions: - * eval out1 mod m = (eval arg1 * ((2^32)⁻¹ mod m)^12) mod m - * 0 ≤ eval out1 < m - * - */ -static void -fiat_secp384r1_from_montgomery( - fiat_secp384r1_non_montgomery_domain_field_element out1, - const fiat_secp384r1_montgomery_domain_field_element arg1) -{ - uint32_t x1; - uint32_t x2; - uint32_t x3; - uint32_t x4; - uint32_t x5; - uint32_t x6; - uint32_t x7; - uint32_t x8; - uint32_t x9; - uint32_t x10; - uint32_t x11; - uint32_t x12; - uint32_t x13; - uint32_t x14; - uint32_t x15; - uint32_t x16; - uint32_t x17; - uint32_t x18; - uint32_t x19; - uint32_t x20; - uint32_t x21; - uint32_t x22; - fiat_secp384r1_uint1 x23; - uint32_t x24; - fiat_secp384r1_uint1 x25; - uint32_t x26; - fiat_secp384r1_uint1 x27; - uint32_t x28; - fiat_secp384r1_uint1 x29; - uint32_t x30; - fiat_secp384r1_uint1 x31; - uint32_t x32; - fiat_secp384r1_uint1 x33; - uint32_t x34; - fiat_secp384r1_uint1 x35; - uint32_t x36; - fiat_secp384r1_uint1 x37; - uint32_t x38; - fiat_secp384r1_uint1 x39; - uint32_t x40; - fiat_secp384r1_uint1 x41; - uint32_t x42; - uint32_t x43; - uint32_t x44; - uint32_t x45; - uint32_t x46; - uint32_t x47; - uint32_t x48; - uint32_t x49; - uint32_t x50; - uint32_t x51; - uint32_t x52; - uint32_t x53; - uint32_t x54; - uint32_t x55; - uint32_t x56; - uint32_t x57; - uint32_t x58; - uint32_t x59; - uint32_t x60; - uint32_t x61; - uint32_t x62; - fiat_secp384r1_uint1 x63; - uint32_t x64; - fiat_secp384r1_uint1 x65; - uint32_t x66; - fiat_secp384r1_uint1 x67; - uint32_t x68; - fiat_secp384r1_uint1 x69; - uint32_t x70; - fiat_secp384r1_uint1 x71; - uint32_t x72; - fiat_secp384r1_uint1 x73; - uint32_t x74; - fiat_secp384r1_uint1 x75; - uint32_t x76; - fiat_secp384r1_uint1 x77; - uint32_t x78; - fiat_secp384r1_uint1 x79; - uint32_t x80; - fiat_secp384r1_uint1 x81; - uint32_t x82; - fiat_secp384r1_uint1 x83; - uint32_t x84; - fiat_secp384r1_uint1 x85; - uint32_t x86; - fiat_secp384r1_uint1 x87; - uint32_t x88; - fiat_secp384r1_uint1 x89; - uint32_t x90; - fiat_secp384r1_uint1 x91; - uint32_t x92; - fiat_secp384r1_uint1 x93; - uint32_t x94; - fiat_secp384r1_uint1 x95; - uint32_t x96; - fiat_secp384r1_uint1 x97; - uint32_t x98; - fiat_secp384r1_uint1 x99; - uint32_t x100; - fiat_secp384r1_uint1 x101; - uint32_t x102; - fiat_secp384r1_uint1 x103; - uint32_t x104; - fiat_secp384r1_uint1 x105; - uint32_t x106; - fiat_secp384r1_uint1 x107; - uint32_t x108; - fiat_secp384r1_uint1 x109; - uint32_t x110; - fiat_secp384r1_uint1 x111; - uint32_t x112; - fiat_secp384r1_uint1 x113; - uint32_t x114; - fiat_secp384r1_uint1 x115; - uint32_t x116; - fiat_secp384r1_uint1 x117; - uint32_t x118; - fiat_secp384r1_uint1 x119; - uint32_t x120; - fiat_secp384r1_uint1 x121; - uint32_t x122; - fiat_secp384r1_uint1 x123; - uint32_t x124; - fiat_secp384r1_uint1 x125; - uint32_t x126; - fiat_secp384r1_uint1 x127; - uint32_t x128; - uint32_t x129; - uint32_t x130; - uint32_t x131; - uint32_t x132; - uint32_t x133; - uint32_t x134; - uint32_t x135; - uint32_t x136; - uint32_t x137; - uint32_t x138; - uint32_t x139; - uint32_t x140; - uint32_t x141; - uint32_t x142; - uint32_t x143; - uint32_t x144; - uint32_t x145; - uint32_t x146; - uint32_t x147; - uint32_t x148; - fiat_secp384r1_uint1 x149; - uint32_t x150; - fiat_secp384r1_uint1 x151; - uint32_t x152; - fiat_secp384r1_uint1 x153; - uint32_t x154; - fiat_secp384r1_uint1 x155; - uint32_t x156; - fiat_secp384r1_uint1 x157; - uint32_t x158; - fiat_secp384r1_uint1 x159; - uint32_t x160; - fiat_secp384r1_uint1 x161; - uint32_t x162; - fiat_secp384r1_uint1 x163; - uint32_t x164; - fiat_secp384r1_uint1 x165; - uint32_t x166; - fiat_secp384r1_uint1 x167; - uint32_t x168; - fiat_secp384r1_uint1 x169; - uint32_t x170; - fiat_secp384r1_uint1 x171; - uint32_t x172; - fiat_secp384r1_uint1 x173; - uint32_t x174; - fiat_secp384r1_uint1 x175; - uint32_t x176; - fiat_secp384r1_uint1 x177; - uint32_t x178; - fiat_secp384r1_uint1 x179; - uint32_t x180; - fiat_secp384r1_uint1 x181; - uint32_t x182; - fiat_secp384r1_uint1 x183; - uint32_t x184; - fiat_secp384r1_uint1 x185; - uint32_t x186; - fiat_secp384r1_uint1 x187; - uint32_t x188; - fiat_secp384r1_uint1 x189; - uint32_t x190; - fiat_secp384r1_uint1 x191; - uint32_t x192; - fiat_secp384r1_uint1 x193; - uint32_t x194; - fiat_secp384r1_uint1 x195; - uint32_t x196; - fiat_secp384r1_uint1 x197; - uint32_t x198; - fiat_secp384r1_uint1 x199; - uint32_t x200; - fiat_secp384r1_uint1 x201; - uint32_t x202; - fiat_secp384r1_uint1 x203; - uint32_t x204; - fiat_secp384r1_uint1 x205; - uint32_t x206; - fiat_secp384r1_uint1 x207; - uint32_t x208; - fiat_secp384r1_uint1 x209; - uint32_t x210; - fiat_secp384r1_uint1 x211; - uint32_t x212; - fiat_secp384r1_uint1 x213; - uint32_t x214; - uint32_t x215; - uint32_t x216; - uint32_t x217; - uint32_t x218; - uint32_t x219; - uint32_t x220; - uint32_t x221; - uint32_t x222; - uint32_t x223; - uint32_t x224; - uint32_t x225; - uint32_t x226; - uint32_t x227; - uint32_t x228; - uint32_t x229; - uint32_t x230; - uint32_t x231; - uint32_t x232; - uint32_t x233; - uint32_t x234; - fiat_secp384r1_uint1 x235; - uint32_t x236; - fiat_secp384r1_uint1 x237; - uint32_t x238; - fiat_secp384r1_uint1 x239; - uint32_t x240; - fiat_secp384r1_uint1 x241; - uint32_t x242; - fiat_secp384r1_uint1 x243; - uint32_t x244; - fiat_secp384r1_uint1 x245; - uint32_t x246; - fiat_secp384r1_uint1 x247; - uint32_t x248; - fiat_secp384r1_uint1 x249; - uint32_t x250; - fiat_secp384r1_uint1 x251; - uint32_t x252; - fiat_secp384r1_uint1 x253; - uint32_t x254; - fiat_secp384r1_uint1 x255; - uint32_t x256; - fiat_secp384r1_uint1 x257; - uint32_t x258; - fiat_secp384r1_uint1 x259; - uint32_t x260; - fiat_secp384r1_uint1 x261; - uint32_t x262; - fiat_secp384r1_uint1 x263; - uint32_t x264; - fiat_secp384r1_uint1 x265; - uint32_t x266; - fiat_secp384r1_uint1 x267; - uint32_t x268; - fiat_secp384r1_uint1 x269; - uint32_t x270; - fiat_secp384r1_uint1 x271; - uint32_t x272; - fiat_secp384r1_uint1 x273; - uint32_t x274; - fiat_secp384r1_uint1 x275; - uint32_t x276; - fiat_secp384r1_uint1 x277; - uint32_t x278; - fiat_secp384r1_uint1 x279; - uint32_t x280; - fiat_secp384r1_uint1 x281; - uint32_t x282; - fiat_secp384r1_uint1 x283; - uint32_t x284; - fiat_secp384r1_uint1 x285; - uint32_t x286; - fiat_secp384r1_uint1 x287; - uint32_t x288; - fiat_secp384r1_uint1 x289; - uint32_t x290; - fiat_secp384r1_uint1 x291; - uint32_t x292; - fiat_secp384r1_uint1 x293; - uint32_t x294; - fiat_secp384r1_uint1 x295; - uint32_t x296; - fiat_secp384r1_uint1 x297; - uint32_t x298; - fiat_secp384r1_uint1 x299; - uint32_t x300; - uint32_t x301; - uint32_t x302; - uint32_t x303; - uint32_t x304; - uint32_t x305; - uint32_t x306; - uint32_t x307; - uint32_t x308; - uint32_t x309; - uint32_t x310; - uint32_t x311; - uint32_t x312; - uint32_t x313; - uint32_t x314; - uint32_t x315; - uint32_t x316; - uint32_t x317; - uint32_t x318; - uint32_t x319; - uint32_t x320; - fiat_secp384r1_uint1 x321; - uint32_t x322; - fiat_secp384r1_uint1 x323; - uint32_t x324; - fiat_secp384r1_uint1 x325; - uint32_t x326; - fiat_secp384r1_uint1 x327; - uint32_t x328; - fiat_secp384r1_uint1 x329; - uint32_t x330; - fiat_secp384r1_uint1 x331; - uint32_t x332; - fiat_secp384r1_uint1 x333; - uint32_t x334; - fiat_secp384r1_uint1 x335; - uint32_t x336; - fiat_secp384r1_uint1 x337; - uint32_t x338; - fiat_secp384r1_uint1 x339; - uint32_t x340; - fiat_secp384r1_uint1 x341; - uint32_t x342; - fiat_secp384r1_uint1 x343; - uint32_t x344; - fiat_secp384r1_uint1 x345; - uint32_t x346; - fiat_secp384r1_uint1 x347; - uint32_t x348; - fiat_secp384r1_uint1 x349; - uint32_t x350; - fiat_secp384r1_uint1 x351; - uint32_t x352; - fiat_secp384r1_uint1 x353; - uint32_t x354; - fiat_secp384r1_uint1 x355; - uint32_t x356; - fiat_secp384r1_uint1 x357; - uint32_t x358; - fiat_secp384r1_uint1 x359; - uint32_t x360; - fiat_secp384r1_uint1 x361; - uint32_t x362; - fiat_secp384r1_uint1 x363; - uint32_t x364; - fiat_secp384r1_uint1 x365; - uint32_t x366; - fiat_secp384r1_uint1 x367; - uint32_t x368; - fiat_secp384r1_uint1 x369; - uint32_t x370; - fiat_secp384r1_uint1 x371; - uint32_t x372; - fiat_secp384r1_uint1 x373; - uint32_t x374; - fiat_secp384r1_uint1 x375; - uint32_t x376; - fiat_secp384r1_uint1 x377; - uint32_t x378; - fiat_secp384r1_uint1 x379; - uint32_t x380; - fiat_secp384r1_uint1 x381; - uint32_t x382; - fiat_secp384r1_uint1 x383; - uint32_t x384; - fiat_secp384r1_uint1 x385; - uint32_t x386; - uint32_t x387; - uint32_t x388; - uint32_t x389; - uint32_t x390; - uint32_t x391; - uint32_t x392; - uint32_t x393; - uint32_t x394; - uint32_t x395; - uint32_t x396; - uint32_t x397; - uint32_t x398; - uint32_t x399; - uint32_t x400; - uint32_t x401; - uint32_t x402; - uint32_t x403; - uint32_t x404; - uint32_t x405; - uint32_t x406; - fiat_secp384r1_uint1 x407; - uint32_t x408; - fiat_secp384r1_uint1 x409; - uint32_t x410; - fiat_secp384r1_uint1 x411; - uint32_t x412; - fiat_secp384r1_uint1 x413; - uint32_t x414; - fiat_secp384r1_uint1 x415; - uint32_t x416; - fiat_secp384r1_uint1 x417; - uint32_t x418; - fiat_secp384r1_uint1 x419; - uint32_t x420; - fiat_secp384r1_uint1 x421; - uint32_t x422; - fiat_secp384r1_uint1 x423; - uint32_t x424; - fiat_secp384r1_uint1 x425; - uint32_t x426; - fiat_secp384r1_uint1 x427; - uint32_t x428; - fiat_secp384r1_uint1 x429; - uint32_t x430; - fiat_secp384r1_uint1 x431; - uint32_t x432; - fiat_secp384r1_uint1 x433; - uint32_t x434; - fiat_secp384r1_uint1 x435; - uint32_t x436; - fiat_secp384r1_uint1 x437; - uint32_t x438; - fiat_secp384r1_uint1 x439; - uint32_t x440; - fiat_secp384r1_uint1 x441; - uint32_t x442; - fiat_secp384r1_uint1 x443; - uint32_t x444; - fiat_secp384r1_uint1 x445; - uint32_t x446; - fiat_secp384r1_uint1 x447; - uint32_t x448; - fiat_secp384r1_uint1 x449; - uint32_t x450; - fiat_secp384r1_uint1 x451; - uint32_t x452; - fiat_secp384r1_uint1 x453; - uint32_t x454; - fiat_secp384r1_uint1 x455; - uint32_t x456; - fiat_secp384r1_uint1 x457; - uint32_t x458; - fiat_secp384r1_uint1 x459; - uint32_t x460; - fiat_secp384r1_uint1 x461; - uint32_t x462; - fiat_secp384r1_uint1 x463; - uint32_t x464; - fiat_secp384r1_uint1 x465; - uint32_t x466; - fiat_secp384r1_uint1 x467; - uint32_t x468; - fiat_secp384r1_uint1 x469; - uint32_t x470; - fiat_secp384r1_uint1 x471; - uint32_t x472; - uint32_t x473; - uint32_t x474; - uint32_t x475; - uint32_t x476; - uint32_t x477; - uint32_t x478; - uint32_t x479; - uint32_t x480; - uint32_t x481; - uint32_t x482; - uint32_t x483; - uint32_t x484; - uint32_t x485; - uint32_t x486; - uint32_t x487; - uint32_t x488; - uint32_t x489; - uint32_t x490; - uint32_t x491; - uint32_t x492; - fiat_secp384r1_uint1 x493; - uint32_t x494; - fiat_secp384r1_uint1 x495; - uint32_t x496; - fiat_secp384r1_uint1 x497; - uint32_t x498; - fiat_secp384r1_uint1 x499; - uint32_t x500; - fiat_secp384r1_uint1 x501; - uint32_t x502; - fiat_secp384r1_uint1 x503; - uint32_t x504; - fiat_secp384r1_uint1 x505; - uint32_t x506; - fiat_secp384r1_uint1 x507; - uint32_t x508; - fiat_secp384r1_uint1 x509; - uint32_t x510; - fiat_secp384r1_uint1 x511; - uint32_t x512; - fiat_secp384r1_uint1 x513; - uint32_t x514; - fiat_secp384r1_uint1 x515; - uint32_t x516; - fiat_secp384r1_uint1 x517; - uint32_t x518; - fiat_secp384r1_uint1 x519; - uint32_t x520; - fiat_secp384r1_uint1 x521; - uint32_t x522; - fiat_secp384r1_uint1 x523; - uint32_t x524; - fiat_secp384r1_uint1 x525; - uint32_t x526; - fiat_secp384r1_uint1 x527; - uint32_t x528; - fiat_secp384r1_uint1 x529; - uint32_t x530; - fiat_secp384r1_uint1 x531; - uint32_t x532; - fiat_secp384r1_uint1 x533; - uint32_t x534; - fiat_secp384r1_uint1 x535; - uint32_t x536; - fiat_secp384r1_uint1 x537; - uint32_t x538; - fiat_secp384r1_uint1 x539; - uint32_t x540; - fiat_secp384r1_uint1 x541; - uint32_t x542; - fiat_secp384r1_uint1 x543; - uint32_t x544; - fiat_secp384r1_uint1 x545; - uint32_t x546; - fiat_secp384r1_uint1 x547; - uint32_t x548; - fiat_secp384r1_uint1 x549; - uint32_t x550; - fiat_secp384r1_uint1 x551; - uint32_t x552; - fiat_secp384r1_uint1 x553; - uint32_t x554; - fiat_secp384r1_uint1 x555; - uint32_t x556; - fiat_secp384r1_uint1 x557; - uint32_t x558; - uint32_t x559; - uint32_t x560; - uint32_t x561; - uint32_t x562; - uint32_t x563; - uint32_t x564; - uint32_t x565; - uint32_t x566; - uint32_t x567; - uint32_t x568; - uint32_t x569; - uint32_t x570; - uint32_t x571; - uint32_t x572; - uint32_t x573; - uint32_t x574; - uint32_t x575; - uint32_t x576; - uint32_t x577; - uint32_t x578; - fiat_secp384r1_uint1 x579; - uint32_t x580; - fiat_secp384r1_uint1 x581; - uint32_t x582; - fiat_secp384r1_uint1 x583; - uint32_t x584; - fiat_secp384r1_uint1 x585; - uint32_t x586; - fiat_secp384r1_uint1 x587; - uint32_t x588; - fiat_secp384r1_uint1 x589; - uint32_t x590; - fiat_secp384r1_uint1 x591; - uint32_t x592; - fiat_secp384r1_uint1 x593; - uint32_t x594; - fiat_secp384r1_uint1 x595; - uint32_t x596; - fiat_secp384r1_uint1 x597; - uint32_t x598; - fiat_secp384r1_uint1 x599; - uint32_t x600; - fiat_secp384r1_uint1 x601; - uint32_t x602; - fiat_secp384r1_uint1 x603; - uint32_t x604; - fiat_secp384r1_uint1 x605; - uint32_t x606; - fiat_secp384r1_uint1 x607; - uint32_t x608; - fiat_secp384r1_uint1 x609; - uint32_t x610; - fiat_secp384r1_uint1 x611; - uint32_t x612; - fiat_secp384r1_uint1 x613; - uint32_t x614; - fiat_secp384r1_uint1 x615; - uint32_t x616; - fiat_secp384r1_uint1 x617; - uint32_t x618; - fiat_secp384r1_uint1 x619; - uint32_t x620; - fiat_secp384r1_uint1 x621; - uint32_t x622; - fiat_secp384r1_uint1 x623; - uint32_t x624; - fiat_secp384r1_uint1 x625; - uint32_t x626; - fiat_secp384r1_uint1 x627; - uint32_t x628; - fiat_secp384r1_uint1 x629; - uint32_t x630; - fiat_secp384r1_uint1 x631; - uint32_t x632; - fiat_secp384r1_uint1 x633; - uint32_t x634; - fiat_secp384r1_uint1 x635; - uint32_t x636; - fiat_secp384r1_uint1 x637; - uint32_t x638; - fiat_secp384r1_uint1 x639; - uint32_t x640; - fiat_secp384r1_uint1 x641; - uint32_t x642; - fiat_secp384r1_uint1 x643; - uint32_t x644; - uint32_t x645; - uint32_t x646; - uint32_t x647; - uint32_t x648; - uint32_t x649; - uint32_t x650; - uint32_t x651; - uint32_t x652; - uint32_t x653; - uint32_t x654; - uint32_t x655; - uint32_t x656; - uint32_t x657; - uint32_t x658; - uint32_t x659; - uint32_t x660; - uint32_t x661; - uint32_t x662; - uint32_t x663; - uint32_t x664; - fiat_secp384r1_uint1 x665; - uint32_t x666; - fiat_secp384r1_uint1 x667; - uint32_t x668; - fiat_secp384r1_uint1 x669; - uint32_t x670; - fiat_secp384r1_uint1 x671; - uint32_t x672; - fiat_secp384r1_uint1 x673; - uint32_t x674; - fiat_secp384r1_uint1 x675; - uint32_t x676; - fiat_secp384r1_uint1 x677; - uint32_t x678; - fiat_secp384r1_uint1 x679; - uint32_t x680; - fiat_secp384r1_uint1 x681; - uint32_t x682; - fiat_secp384r1_uint1 x683; - uint32_t x684; - fiat_secp384r1_uint1 x685; - uint32_t x686; - fiat_secp384r1_uint1 x687; - uint32_t x688; - fiat_secp384r1_uint1 x689; - uint32_t x690; - fiat_secp384r1_uint1 x691; - uint32_t x692; - fiat_secp384r1_uint1 x693; - uint32_t x694; - fiat_secp384r1_uint1 x695; - uint32_t x696; - fiat_secp384r1_uint1 x697; - uint32_t x698; - fiat_secp384r1_uint1 x699; - uint32_t x700; - fiat_secp384r1_uint1 x701; - uint32_t x702; - fiat_secp384r1_uint1 x703; - uint32_t x704; - fiat_secp384r1_uint1 x705; - uint32_t x706; - fiat_secp384r1_uint1 x707; - uint32_t x708; - fiat_secp384r1_uint1 x709; - uint32_t x710; - fiat_secp384r1_uint1 x711; - uint32_t x712; - fiat_secp384r1_uint1 x713; - uint32_t x714; - fiat_secp384r1_uint1 x715; - uint32_t x716; - fiat_secp384r1_uint1 x717; - uint32_t x718; - fiat_secp384r1_uint1 x719; - uint32_t x720; - fiat_secp384r1_uint1 x721; - uint32_t x722; - fiat_secp384r1_uint1 x723; - uint32_t x724; - fiat_secp384r1_uint1 x725; - uint32_t x726; - fiat_secp384r1_uint1 x727; - uint32_t x728; - fiat_secp384r1_uint1 x729; - uint32_t x730; - uint32_t x731; - uint32_t x732; - uint32_t x733; - uint32_t x734; - uint32_t x735; - uint32_t x736; - uint32_t x737; - uint32_t x738; - uint32_t x739; - uint32_t x740; - uint32_t x741; - uint32_t x742; - uint32_t x743; - uint32_t x744; - uint32_t x745; - uint32_t x746; - uint32_t x747; - uint32_t x748; - uint32_t x749; - uint32_t x750; - fiat_secp384r1_uint1 x751; - uint32_t x752; - fiat_secp384r1_uint1 x753; - uint32_t x754; - fiat_secp384r1_uint1 x755; - uint32_t x756; - fiat_secp384r1_uint1 x757; - uint32_t x758; - fiat_secp384r1_uint1 x759; - uint32_t x760; - fiat_secp384r1_uint1 x761; - uint32_t x762; - fiat_secp384r1_uint1 x763; - uint32_t x764; - fiat_secp384r1_uint1 x765; - uint32_t x766; - fiat_secp384r1_uint1 x767; - uint32_t x768; - fiat_secp384r1_uint1 x769; - uint32_t x770; - fiat_secp384r1_uint1 x771; - uint32_t x772; - fiat_secp384r1_uint1 x773; - uint32_t x774; - fiat_secp384r1_uint1 x775; - uint32_t x776; - fiat_secp384r1_uint1 x777; - uint32_t x778; - fiat_secp384r1_uint1 x779; - uint32_t x780; - fiat_secp384r1_uint1 x781; - uint32_t x782; - fiat_secp384r1_uint1 x783; - uint32_t x784; - fiat_secp384r1_uint1 x785; - uint32_t x786; - fiat_secp384r1_uint1 x787; - uint32_t x788; - fiat_secp384r1_uint1 x789; - uint32_t x790; - fiat_secp384r1_uint1 x791; - uint32_t x792; - fiat_secp384r1_uint1 x793; - uint32_t x794; - fiat_secp384r1_uint1 x795; - uint32_t x796; - fiat_secp384r1_uint1 x797; - uint32_t x798; - fiat_secp384r1_uint1 x799; - uint32_t x800; - fiat_secp384r1_uint1 x801; - uint32_t x802; - fiat_secp384r1_uint1 x803; - uint32_t x804; - fiat_secp384r1_uint1 x805; - uint32_t x806; - fiat_secp384r1_uint1 x807; - uint32_t x808; - fiat_secp384r1_uint1 x809; - uint32_t x810; - fiat_secp384r1_uint1 x811; - uint32_t x812; - fiat_secp384r1_uint1 x813; - uint32_t x814; - fiat_secp384r1_uint1 x815; - uint32_t x816; - uint32_t x817; - uint32_t x818; - uint32_t x819; - uint32_t x820; - uint32_t x821; - uint32_t x822; - uint32_t x823; - uint32_t x824; - uint32_t x825; - uint32_t x826; - uint32_t x827; - uint32_t x828; - uint32_t x829; - uint32_t x830; - uint32_t x831; - uint32_t x832; - uint32_t x833; - uint32_t x834; - uint32_t x835; - uint32_t x836; - fiat_secp384r1_uint1 x837; - uint32_t x838; - fiat_secp384r1_uint1 x839; - uint32_t x840; - fiat_secp384r1_uint1 x841; - uint32_t x842; - fiat_secp384r1_uint1 x843; - uint32_t x844; - fiat_secp384r1_uint1 x845; - uint32_t x846; - fiat_secp384r1_uint1 x847; - uint32_t x848; - fiat_secp384r1_uint1 x849; - uint32_t x850; - fiat_secp384r1_uint1 x851; - uint32_t x852; - fiat_secp384r1_uint1 x853; - uint32_t x854; - fiat_secp384r1_uint1 x855; - uint32_t x856; - fiat_secp384r1_uint1 x857; - uint32_t x858; - fiat_secp384r1_uint1 x859; - uint32_t x860; - fiat_secp384r1_uint1 x861; - uint32_t x862; - fiat_secp384r1_uint1 x863; - uint32_t x864; - fiat_secp384r1_uint1 x865; - uint32_t x866; - fiat_secp384r1_uint1 x867; - uint32_t x868; - fiat_secp384r1_uint1 x869; - uint32_t x870; - fiat_secp384r1_uint1 x871; - uint32_t x872; - fiat_secp384r1_uint1 x873; - uint32_t x874; - fiat_secp384r1_uint1 x875; - uint32_t x876; - fiat_secp384r1_uint1 x877; - uint32_t x878; - fiat_secp384r1_uint1 x879; - uint32_t x880; - fiat_secp384r1_uint1 x881; - uint32_t x882; - fiat_secp384r1_uint1 x883; - uint32_t x884; - fiat_secp384r1_uint1 x885; - uint32_t x886; - fiat_secp384r1_uint1 x887; - uint32_t x888; - fiat_secp384r1_uint1 x889; - uint32_t x890; - fiat_secp384r1_uint1 x891; - uint32_t x892; - fiat_secp384r1_uint1 x893; - uint32_t x894; - fiat_secp384r1_uint1 x895; - uint32_t x896; - fiat_secp384r1_uint1 x897; - uint32_t x898; - fiat_secp384r1_uint1 x899; - uint32_t x900; - fiat_secp384r1_uint1 x901; - uint32_t x902; - uint32_t x903; - uint32_t x904; - uint32_t x905; - uint32_t x906; - uint32_t x907; - uint32_t x908; - uint32_t x909; - uint32_t x910; - uint32_t x911; - uint32_t x912; - uint32_t x913; - uint32_t x914; - uint32_t x915; - uint32_t x916; - uint32_t x917; - uint32_t x918; - uint32_t x919; - uint32_t x920; - uint32_t x921; - uint32_t x922; - fiat_secp384r1_uint1 x923; - uint32_t x924; - fiat_secp384r1_uint1 x925; - uint32_t x926; - fiat_secp384r1_uint1 x927; - uint32_t x928; - fiat_secp384r1_uint1 x929; - uint32_t x930; - fiat_secp384r1_uint1 x931; - uint32_t x932; - fiat_secp384r1_uint1 x933; - uint32_t x934; - fiat_secp384r1_uint1 x935; - uint32_t x936; - fiat_secp384r1_uint1 x937; - uint32_t x938; - fiat_secp384r1_uint1 x939; - uint32_t x940; - fiat_secp384r1_uint1 x941; - uint32_t x942; - fiat_secp384r1_uint1 x943; - uint32_t x944; - fiat_secp384r1_uint1 x945; - uint32_t x946; - fiat_secp384r1_uint1 x947; - uint32_t x948; - fiat_secp384r1_uint1 x949; - uint32_t x950; - fiat_secp384r1_uint1 x951; - uint32_t x952; - fiat_secp384r1_uint1 x953; - uint32_t x954; - fiat_secp384r1_uint1 x955; - uint32_t x956; - fiat_secp384r1_uint1 x957; - uint32_t x958; - fiat_secp384r1_uint1 x959; - uint32_t x960; - fiat_secp384r1_uint1 x961; - uint32_t x962; - fiat_secp384r1_uint1 x963; - uint32_t x964; - fiat_secp384r1_uint1 x965; - uint32_t x966; - fiat_secp384r1_uint1 x967; - uint32_t x968; - fiat_secp384r1_uint1 x969; - uint32_t x970; - fiat_secp384r1_uint1 x971; - uint32_t x972; - fiat_secp384r1_uint1 x973; - uint32_t x974; - fiat_secp384r1_uint1 x975; - uint32_t x976; - fiat_secp384r1_uint1 x977; - uint32_t x978; - fiat_secp384r1_uint1 x979; - uint32_t x980; - fiat_secp384r1_uint1 x981; - uint32_t x982; - fiat_secp384r1_uint1 x983; - uint32_t x984; - fiat_secp384r1_uint1 x985; - uint32_t x986; - fiat_secp384r1_uint1 x987; - uint32_t x988; - fiat_secp384r1_uint1 x989; - uint32_t x990; - uint32_t x991; - uint32_t x992; - uint32_t x993; - uint32_t x994; - uint32_t x995; - uint32_t x996; - uint32_t x997; - uint32_t x998; - uint32_t x999; - uint32_t x1000; - uint32_t x1001; - x1 = (arg1[0]); - fiat_secp384r1_mulx_u32(&x2, &x3, x1, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x4, &x5, x1, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x6, &x7, x1, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x8, &x9, x1, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x10, &x11, x1, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x12, &x13, x1, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x14, &x15, x1, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x16, &x17, x1, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x18, &x19, x1, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x20, &x21, x1, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u32(&x22, &x23, 0x0, x19, x16); - fiat_secp384r1_addcarryx_u32(&x24, &x25, x23, x17, x14); - fiat_secp384r1_addcarryx_u32(&x26, &x27, x25, x15, x12); - fiat_secp384r1_addcarryx_u32(&x28, &x29, x27, x13, x10); - fiat_secp384r1_addcarryx_u32(&x30, &x31, x29, x11, x8); - fiat_secp384r1_addcarryx_u32(&x32, &x33, x31, x9, x6); - fiat_secp384r1_addcarryx_u32(&x34, &x35, x33, x7, x4); - fiat_secp384r1_addcarryx_u32(&x36, &x37, x35, x5, x2); - fiat_secp384r1_addcarryx_u32(&x38, &x39, 0x0, x1, x20); - fiat_secp384r1_addcarryx_u32(&x40, &x41, 0x0, (x39 + x21), (arg1[1])); - fiat_secp384r1_mulx_u32(&x42, &x43, x40, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x44, &x45, x40, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x46, &x47, x40, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x48, &x49, x40, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x50, &x51, x40, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x52, &x53, x40, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x54, &x55, x40, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x56, &x57, x40, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x58, &x59, x40, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x60, &x61, x40, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u32(&x62, &x63, 0x0, x59, x56); - fiat_secp384r1_addcarryx_u32(&x64, &x65, x63, x57, x54); - fiat_secp384r1_addcarryx_u32(&x66, &x67, x65, x55, x52); - fiat_secp384r1_addcarryx_u32(&x68, &x69, x67, x53, x50); - fiat_secp384r1_addcarryx_u32(&x70, &x71, x69, x51, x48); - fiat_secp384r1_addcarryx_u32(&x72, &x73, x71, x49, x46); - fiat_secp384r1_addcarryx_u32(&x74, &x75, x73, x47, x44); - fiat_secp384r1_addcarryx_u32(&x76, &x77, x75, x45, x42); - fiat_secp384r1_addcarryx_u32(&x78, &x79, 0x0, x40, x60); - fiat_secp384r1_addcarryx_u32(&x80, &x81, x79, x41, x61); - fiat_secp384r1_addcarryx_u32(&x82, &x83, x81, x18, 0x0); - fiat_secp384r1_addcarryx_u32(&x84, &x85, x83, x22, x58); - fiat_secp384r1_addcarryx_u32(&x86, &x87, x85, x24, x62); - fiat_secp384r1_addcarryx_u32(&x88, &x89, x87, x26, x64); - fiat_secp384r1_addcarryx_u32(&x90, &x91, x89, x28, x66); - fiat_secp384r1_addcarryx_u32(&x92, &x93, x91, x30, x68); - fiat_secp384r1_addcarryx_u32(&x94, &x95, x93, x32, x70); - fiat_secp384r1_addcarryx_u32(&x96, &x97, x95, x34, x72); - fiat_secp384r1_addcarryx_u32(&x98, &x99, x97, x36, x74); - fiat_secp384r1_addcarryx_u32(&x100, &x101, x99, (x37 + x3), x76); - fiat_secp384r1_addcarryx_u32(&x102, &x103, x101, 0x0, (x77 + x43)); - fiat_secp384r1_addcarryx_u32(&x104, &x105, 0x0, x80, (arg1[2])); - fiat_secp384r1_addcarryx_u32(&x106, &x107, x105, x82, 0x0); - fiat_secp384r1_addcarryx_u32(&x108, &x109, x107, x84, 0x0); - fiat_secp384r1_addcarryx_u32(&x110, &x111, x109, x86, 0x0); - fiat_secp384r1_addcarryx_u32(&x112, &x113, x111, x88, 0x0); - fiat_secp384r1_addcarryx_u32(&x114, &x115, x113, x90, 0x0); - fiat_secp384r1_addcarryx_u32(&x116, &x117, x115, x92, 0x0); - fiat_secp384r1_addcarryx_u32(&x118, &x119, x117, x94, 0x0); - fiat_secp384r1_addcarryx_u32(&x120, &x121, x119, x96, 0x0); - fiat_secp384r1_addcarryx_u32(&x122, &x123, x121, x98, 0x0); - fiat_secp384r1_addcarryx_u32(&x124, &x125, x123, x100, 0x0); - fiat_secp384r1_addcarryx_u32(&x126, &x127, x125, x102, 0x0); - fiat_secp384r1_mulx_u32(&x128, &x129, x104, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x130, &x131, x104, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x132, &x133, x104, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x134, &x135, x104, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x136, &x137, x104, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x138, &x139, x104, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x140, &x141, x104, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x142, &x143, x104, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x144, &x145, x104, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x146, &x147, x104, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u32(&x148, &x149, 0x0, x145, x142); - fiat_secp384r1_addcarryx_u32(&x150, &x151, x149, x143, x140); - fiat_secp384r1_addcarryx_u32(&x152, &x153, x151, x141, x138); - fiat_secp384r1_addcarryx_u32(&x154, &x155, x153, x139, x136); - fiat_secp384r1_addcarryx_u32(&x156, &x157, x155, x137, x134); - fiat_secp384r1_addcarryx_u32(&x158, &x159, x157, x135, x132); - fiat_secp384r1_addcarryx_u32(&x160, &x161, x159, x133, x130); - fiat_secp384r1_addcarryx_u32(&x162, &x163, x161, x131, x128); - fiat_secp384r1_addcarryx_u32(&x164, &x165, 0x0, x104, x146); - fiat_secp384r1_addcarryx_u32(&x166, &x167, x165, x106, x147); - fiat_secp384r1_addcarryx_u32(&x168, &x169, x167, x108, 0x0); - fiat_secp384r1_addcarryx_u32(&x170, &x171, x169, x110, x144); - fiat_secp384r1_addcarryx_u32(&x172, &x173, x171, x112, x148); - fiat_secp384r1_addcarryx_u32(&x174, &x175, x173, x114, x150); - fiat_secp384r1_addcarryx_u32(&x176, &x177, x175, x116, x152); - fiat_secp384r1_addcarryx_u32(&x178, &x179, x177, x118, x154); - fiat_secp384r1_addcarryx_u32(&x180, &x181, x179, x120, x156); - fiat_secp384r1_addcarryx_u32(&x182, &x183, x181, x122, x158); - fiat_secp384r1_addcarryx_u32(&x184, &x185, x183, x124, x160); - fiat_secp384r1_addcarryx_u32(&x186, &x187, x185, x126, x162); - fiat_secp384r1_addcarryx_u32(&x188, &x189, x187, ((uint32_t)x127 + x103), - (x163 + x129)); - fiat_secp384r1_addcarryx_u32(&x190, &x191, 0x0, x166, (arg1[3])); - fiat_secp384r1_addcarryx_u32(&x192, &x193, x191, x168, 0x0); - fiat_secp384r1_addcarryx_u32(&x194, &x195, x193, x170, 0x0); - fiat_secp384r1_addcarryx_u32(&x196, &x197, x195, x172, 0x0); - fiat_secp384r1_addcarryx_u32(&x198, &x199, x197, x174, 0x0); - fiat_secp384r1_addcarryx_u32(&x200, &x201, x199, x176, 0x0); - fiat_secp384r1_addcarryx_u32(&x202, &x203, x201, x178, 0x0); - fiat_secp384r1_addcarryx_u32(&x204, &x205, x203, x180, 0x0); - fiat_secp384r1_addcarryx_u32(&x206, &x207, x205, x182, 0x0); - fiat_secp384r1_addcarryx_u32(&x208, &x209, x207, x184, 0x0); - fiat_secp384r1_addcarryx_u32(&x210, &x211, x209, x186, 0x0); - fiat_secp384r1_addcarryx_u32(&x212, &x213, x211, x188, 0x0); - fiat_secp384r1_mulx_u32(&x214, &x215, x190, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x216, &x217, x190, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x218, &x219, x190, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x220, &x221, x190, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x222, &x223, x190, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x224, &x225, x190, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x226, &x227, x190, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x228, &x229, x190, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x230, &x231, x190, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x232, &x233, x190, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u32(&x234, &x235, 0x0, x231, x228); - fiat_secp384r1_addcarryx_u32(&x236, &x237, x235, x229, x226); - fiat_secp384r1_addcarryx_u32(&x238, &x239, x237, x227, x224); - fiat_secp384r1_addcarryx_u32(&x240, &x241, x239, x225, x222); - fiat_secp384r1_addcarryx_u32(&x242, &x243, x241, x223, x220); - fiat_secp384r1_addcarryx_u32(&x244, &x245, x243, x221, x218); - fiat_secp384r1_addcarryx_u32(&x246, &x247, x245, x219, x216); - fiat_secp384r1_addcarryx_u32(&x248, &x249, x247, x217, x214); - fiat_secp384r1_addcarryx_u32(&x250, &x251, 0x0, x190, x232); - fiat_secp384r1_addcarryx_u32(&x252, &x253, x251, x192, x233); - fiat_secp384r1_addcarryx_u32(&x254, &x255, x253, x194, 0x0); - fiat_secp384r1_addcarryx_u32(&x256, &x257, x255, x196, x230); - fiat_secp384r1_addcarryx_u32(&x258, &x259, x257, x198, x234); - fiat_secp384r1_addcarryx_u32(&x260, &x261, x259, x200, x236); - fiat_secp384r1_addcarryx_u32(&x262, &x263, x261, x202, x238); - fiat_secp384r1_addcarryx_u32(&x264, &x265, x263, x204, x240); - fiat_secp384r1_addcarryx_u32(&x266, &x267, x265, x206, x242); - fiat_secp384r1_addcarryx_u32(&x268, &x269, x267, x208, x244); - fiat_secp384r1_addcarryx_u32(&x270, &x271, x269, x210, x246); - fiat_secp384r1_addcarryx_u32(&x272, &x273, x271, x212, x248); - fiat_secp384r1_addcarryx_u32(&x274, &x275, x273, ((uint32_t)x213 + x189), - (x249 + x215)); - fiat_secp384r1_addcarryx_u32(&x276, &x277, 0x0, x252, (arg1[4])); - fiat_secp384r1_addcarryx_u32(&x278, &x279, x277, x254, 0x0); - fiat_secp384r1_addcarryx_u32(&x280, &x281, x279, x256, 0x0); - fiat_secp384r1_addcarryx_u32(&x282, &x283, x281, x258, 0x0); - fiat_secp384r1_addcarryx_u32(&x284, &x285, x283, x260, 0x0); - fiat_secp384r1_addcarryx_u32(&x286, &x287, x285, x262, 0x0); - fiat_secp384r1_addcarryx_u32(&x288, &x289, x287, x264, 0x0); - fiat_secp384r1_addcarryx_u32(&x290, &x291, x289, x266, 0x0); - fiat_secp384r1_addcarryx_u32(&x292, &x293, x291, x268, 0x0); - fiat_secp384r1_addcarryx_u32(&x294, &x295, x293, x270, 0x0); - fiat_secp384r1_addcarryx_u32(&x296, &x297, x295, x272, 0x0); - fiat_secp384r1_addcarryx_u32(&x298, &x299, x297, x274, 0x0); - fiat_secp384r1_mulx_u32(&x300, &x301, x276, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x302, &x303, x276, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x304, &x305, x276, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x306, &x307, x276, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x308, &x309, x276, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x310, &x311, x276, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x312, &x313, x276, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x314, &x315, x276, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x316, &x317, x276, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x318, &x319, x276, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u32(&x320, &x321, 0x0, x317, x314); - fiat_secp384r1_addcarryx_u32(&x322, &x323, x321, x315, x312); - fiat_secp384r1_addcarryx_u32(&x324, &x325, x323, x313, x310); - fiat_secp384r1_addcarryx_u32(&x326, &x327, x325, x311, x308); - fiat_secp384r1_addcarryx_u32(&x328, &x329, x327, x309, x306); - fiat_secp384r1_addcarryx_u32(&x330, &x331, x329, x307, x304); - fiat_secp384r1_addcarryx_u32(&x332, &x333, x331, x305, x302); - fiat_secp384r1_addcarryx_u32(&x334, &x335, x333, x303, x300); - fiat_secp384r1_addcarryx_u32(&x336, &x337, 0x0, x276, x318); - fiat_secp384r1_addcarryx_u32(&x338, &x339, x337, x278, x319); - fiat_secp384r1_addcarryx_u32(&x340, &x341, x339, x280, 0x0); - fiat_secp384r1_addcarryx_u32(&x342, &x343, x341, x282, x316); - fiat_secp384r1_addcarryx_u32(&x344, &x345, x343, x284, x320); - fiat_secp384r1_addcarryx_u32(&x346, &x347, x345, x286, x322); - fiat_secp384r1_addcarryx_u32(&x348, &x349, x347, x288, x324); - fiat_secp384r1_addcarryx_u32(&x350, &x351, x349, x290, x326); - fiat_secp384r1_addcarryx_u32(&x352, &x353, x351, x292, x328); - fiat_secp384r1_addcarryx_u32(&x354, &x355, x353, x294, x330); - fiat_secp384r1_addcarryx_u32(&x356, &x357, x355, x296, x332); - fiat_secp384r1_addcarryx_u32(&x358, &x359, x357, x298, x334); - fiat_secp384r1_addcarryx_u32(&x360, &x361, x359, ((uint32_t)x299 + x275), - (x335 + x301)); - fiat_secp384r1_addcarryx_u32(&x362, &x363, 0x0, x338, (arg1[5])); - fiat_secp384r1_addcarryx_u32(&x364, &x365, x363, x340, 0x0); - fiat_secp384r1_addcarryx_u32(&x366, &x367, x365, x342, 0x0); - fiat_secp384r1_addcarryx_u32(&x368, &x369, x367, x344, 0x0); - fiat_secp384r1_addcarryx_u32(&x370, &x371, x369, x346, 0x0); - fiat_secp384r1_addcarryx_u32(&x372, &x373, x371, x348, 0x0); - fiat_secp384r1_addcarryx_u32(&x374, &x375, x373, x350, 0x0); - fiat_secp384r1_addcarryx_u32(&x376, &x377, x375, x352, 0x0); - fiat_secp384r1_addcarryx_u32(&x378, &x379, x377, x354, 0x0); - fiat_secp384r1_addcarryx_u32(&x380, &x381, x379, x356, 0x0); - fiat_secp384r1_addcarryx_u32(&x382, &x383, x381, x358, 0x0); - fiat_secp384r1_addcarryx_u32(&x384, &x385, x383, x360, 0x0); - fiat_secp384r1_mulx_u32(&x386, &x387, x362, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x388, &x389, x362, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x390, &x391, x362, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x392, &x393, x362, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x394, &x395, x362, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x396, &x397, x362, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x398, &x399, x362, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x400, &x401, x362, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x402, &x403, x362, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x404, &x405, x362, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u32(&x406, &x407, 0x0, x403, x400); - fiat_secp384r1_addcarryx_u32(&x408, &x409, x407, x401, x398); - fiat_secp384r1_addcarryx_u32(&x410, &x411, x409, x399, x396); - fiat_secp384r1_addcarryx_u32(&x412, &x413, x411, x397, x394); - fiat_secp384r1_addcarryx_u32(&x414, &x415, x413, x395, x392); - fiat_secp384r1_addcarryx_u32(&x416, &x417, x415, x393, x390); - fiat_secp384r1_addcarryx_u32(&x418, &x419, x417, x391, x388); - fiat_secp384r1_addcarryx_u32(&x420, &x421, x419, x389, x386); - fiat_secp384r1_addcarryx_u32(&x422, &x423, 0x0, x362, x404); - fiat_secp384r1_addcarryx_u32(&x424, &x425, x423, x364, x405); - fiat_secp384r1_addcarryx_u32(&x426, &x427, x425, x366, 0x0); - fiat_secp384r1_addcarryx_u32(&x428, &x429, x427, x368, x402); - fiat_secp384r1_addcarryx_u32(&x430, &x431, x429, x370, x406); - fiat_secp384r1_addcarryx_u32(&x432, &x433, x431, x372, x408); - fiat_secp384r1_addcarryx_u32(&x434, &x435, x433, x374, x410); - fiat_secp384r1_addcarryx_u32(&x436, &x437, x435, x376, x412); - fiat_secp384r1_addcarryx_u32(&x438, &x439, x437, x378, x414); - fiat_secp384r1_addcarryx_u32(&x440, &x441, x439, x380, x416); - fiat_secp384r1_addcarryx_u32(&x442, &x443, x441, x382, x418); - fiat_secp384r1_addcarryx_u32(&x444, &x445, x443, x384, x420); - fiat_secp384r1_addcarryx_u32(&x446, &x447, x445, ((uint32_t)x385 + x361), - (x421 + x387)); - fiat_secp384r1_addcarryx_u32(&x448, &x449, 0x0, x424, (arg1[6])); - fiat_secp384r1_addcarryx_u32(&x450, &x451, x449, x426, 0x0); - fiat_secp384r1_addcarryx_u32(&x452, &x453, x451, x428, 0x0); - fiat_secp384r1_addcarryx_u32(&x454, &x455, x453, x430, 0x0); - fiat_secp384r1_addcarryx_u32(&x456, &x457, x455, x432, 0x0); - fiat_secp384r1_addcarryx_u32(&x458, &x459, x457, x434, 0x0); - fiat_secp384r1_addcarryx_u32(&x460, &x461, x459, x436, 0x0); - fiat_secp384r1_addcarryx_u32(&x462, &x463, x461, x438, 0x0); - fiat_secp384r1_addcarryx_u32(&x464, &x465, x463, x440, 0x0); - fiat_secp384r1_addcarryx_u32(&x466, &x467, x465, x442, 0x0); - fiat_secp384r1_addcarryx_u32(&x468, &x469, x467, x444, 0x0); - fiat_secp384r1_addcarryx_u32(&x470, &x471, x469, x446, 0x0); - fiat_secp384r1_mulx_u32(&x472, &x473, x448, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x474, &x475, x448, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x476, &x477, x448, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x478, &x479, x448, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x480, &x481, x448, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x482, &x483, x448, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x484, &x485, x448, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x486, &x487, x448, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x488, &x489, x448, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x490, &x491, x448, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u32(&x492, &x493, 0x0, x489, x486); - fiat_secp384r1_addcarryx_u32(&x494, &x495, x493, x487, x484); - fiat_secp384r1_addcarryx_u32(&x496, &x497, x495, x485, x482); - fiat_secp384r1_addcarryx_u32(&x498, &x499, x497, x483, x480); - fiat_secp384r1_addcarryx_u32(&x500, &x501, x499, x481, x478); - fiat_secp384r1_addcarryx_u32(&x502, &x503, x501, x479, x476); - fiat_secp384r1_addcarryx_u32(&x504, &x505, x503, x477, x474); - fiat_secp384r1_addcarryx_u32(&x506, &x507, x505, x475, x472); - fiat_secp384r1_addcarryx_u32(&x508, &x509, 0x0, x448, x490); - fiat_secp384r1_addcarryx_u32(&x510, &x511, x509, x450, x491); - fiat_secp384r1_addcarryx_u32(&x512, &x513, x511, x452, 0x0); - fiat_secp384r1_addcarryx_u32(&x514, &x515, x513, x454, x488); - fiat_secp384r1_addcarryx_u32(&x516, &x517, x515, x456, x492); - fiat_secp384r1_addcarryx_u32(&x518, &x519, x517, x458, x494); - fiat_secp384r1_addcarryx_u32(&x520, &x521, x519, x460, x496); - fiat_secp384r1_addcarryx_u32(&x522, &x523, x521, x462, x498); - fiat_secp384r1_addcarryx_u32(&x524, &x525, x523, x464, x500); - fiat_secp384r1_addcarryx_u32(&x526, &x527, x525, x466, x502); - fiat_secp384r1_addcarryx_u32(&x528, &x529, x527, x468, x504); - fiat_secp384r1_addcarryx_u32(&x530, &x531, x529, x470, x506); - fiat_secp384r1_addcarryx_u32(&x532, &x533, x531, ((uint32_t)x471 + x447), - (x507 + x473)); - fiat_secp384r1_addcarryx_u32(&x534, &x535, 0x0, x510, (arg1[7])); - fiat_secp384r1_addcarryx_u32(&x536, &x537, x535, x512, 0x0); - fiat_secp384r1_addcarryx_u32(&x538, &x539, x537, x514, 0x0); - fiat_secp384r1_addcarryx_u32(&x540, &x541, x539, x516, 0x0); - fiat_secp384r1_addcarryx_u32(&x542, &x543, x541, x518, 0x0); - fiat_secp384r1_addcarryx_u32(&x544, &x545, x543, x520, 0x0); - fiat_secp384r1_addcarryx_u32(&x546, &x547, x545, x522, 0x0); - fiat_secp384r1_addcarryx_u32(&x548, &x549, x547, x524, 0x0); - fiat_secp384r1_addcarryx_u32(&x550, &x551, x549, x526, 0x0); - fiat_secp384r1_addcarryx_u32(&x552, &x553, x551, x528, 0x0); - fiat_secp384r1_addcarryx_u32(&x554, &x555, x553, x530, 0x0); - fiat_secp384r1_addcarryx_u32(&x556, &x557, x555, x532, 0x0); - fiat_secp384r1_mulx_u32(&x558, &x559, x534, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x560, &x561, x534, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x562, &x563, x534, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x564, &x565, x534, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x566, &x567, x534, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x568, &x569, x534, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x570, &x571, x534, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x572, &x573, x534, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x574, &x575, x534, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x576, &x577, x534, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u32(&x578, &x579, 0x0, x575, x572); - fiat_secp384r1_addcarryx_u32(&x580, &x581, x579, x573, x570); - fiat_secp384r1_addcarryx_u32(&x582, &x583, x581, x571, x568); - fiat_secp384r1_addcarryx_u32(&x584, &x585, x583, x569, x566); - fiat_secp384r1_addcarryx_u32(&x586, &x587, x585, x567, x564); - fiat_secp384r1_addcarryx_u32(&x588, &x589, x587, x565, x562); - fiat_secp384r1_addcarryx_u32(&x590, &x591, x589, x563, x560); - fiat_secp384r1_addcarryx_u32(&x592, &x593, x591, x561, x558); - fiat_secp384r1_addcarryx_u32(&x594, &x595, 0x0, x534, x576); - fiat_secp384r1_addcarryx_u32(&x596, &x597, x595, x536, x577); - fiat_secp384r1_addcarryx_u32(&x598, &x599, x597, x538, 0x0); - fiat_secp384r1_addcarryx_u32(&x600, &x601, x599, x540, x574); - fiat_secp384r1_addcarryx_u32(&x602, &x603, x601, x542, x578); - fiat_secp384r1_addcarryx_u32(&x604, &x605, x603, x544, x580); - fiat_secp384r1_addcarryx_u32(&x606, &x607, x605, x546, x582); - fiat_secp384r1_addcarryx_u32(&x608, &x609, x607, x548, x584); - fiat_secp384r1_addcarryx_u32(&x610, &x611, x609, x550, x586); - fiat_secp384r1_addcarryx_u32(&x612, &x613, x611, x552, x588); - fiat_secp384r1_addcarryx_u32(&x614, &x615, x613, x554, x590); - fiat_secp384r1_addcarryx_u32(&x616, &x617, x615, x556, x592); - fiat_secp384r1_addcarryx_u32(&x618, &x619, x617, ((uint32_t)x557 + x533), - (x593 + x559)); - fiat_secp384r1_addcarryx_u32(&x620, &x621, 0x0, x596, (arg1[8])); - fiat_secp384r1_addcarryx_u32(&x622, &x623, x621, x598, 0x0); - fiat_secp384r1_addcarryx_u32(&x624, &x625, x623, x600, 0x0); - fiat_secp384r1_addcarryx_u32(&x626, &x627, x625, x602, 0x0); - fiat_secp384r1_addcarryx_u32(&x628, &x629, x627, x604, 0x0); - fiat_secp384r1_addcarryx_u32(&x630, &x631, x629, x606, 0x0); - fiat_secp384r1_addcarryx_u32(&x632, &x633, x631, x608, 0x0); - fiat_secp384r1_addcarryx_u32(&x634, &x635, x633, x610, 0x0); - fiat_secp384r1_addcarryx_u32(&x636, &x637, x635, x612, 0x0); - fiat_secp384r1_addcarryx_u32(&x638, &x639, x637, x614, 0x0); - fiat_secp384r1_addcarryx_u32(&x640, &x641, x639, x616, 0x0); - fiat_secp384r1_addcarryx_u32(&x642, &x643, x641, x618, 0x0); - fiat_secp384r1_mulx_u32(&x644, &x645, x620, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x646, &x647, x620, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x648, &x649, x620, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x650, &x651, x620, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x652, &x653, x620, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x654, &x655, x620, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x656, &x657, x620, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x658, &x659, x620, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x660, &x661, x620, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x662, &x663, x620, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u32(&x664, &x665, 0x0, x661, x658); - fiat_secp384r1_addcarryx_u32(&x666, &x667, x665, x659, x656); - fiat_secp384r1_addcarryx_u32(&x668, &x669, x667, x657, x654); - fiat_secp384r1_addcarryx_u32(&x670, &x671, x669, x655, x652); - fiat_secp384r1_addcarryx_u32(&x672, &x673, x671, x653, x650); - fiat_secp384r1_addcarryx_u32(&x674, &x675, x673, x651, x648); - fiat_secp384r1_addcarryx_u32(&x676, &x677, x675, x649, x646); - fiat_secp384r1_addcarryx_u32(&x678, &x679, x677, x647, x644); - fiat_secp384r1_addcarryx_u32(&x680, &x681, 0x0, x620, x662); - fiat_secp384r1_addcarryx_u32(&x682, &x683, x681, x622, x663); - fiat_secp384r1_addcarryx_u32(&x684, &x685, x683, x624, 0x0); - fiat_secp384r1_addcarryx_u32(&x686, &x687, x685, x626, x660); - fiat_secp384r1_addcarryx_u32(&x688, &x689, x687, x628, x664); - fiat_secp384r1_addcarryx_u32(&x690, &x691, x689, x630, x666); - fiat_secp384r1_addcarryx_u32(&x692, &x693, x691, x632, x668); - fiat_secp384r1_addcarryx_u32(&x694, &x695, x693, x634, x670); - fiat_secp384r1_addcarryx_u32(&x696, &x697, x695, x636, x672); - fiat_secp384r1_addcarryx_u32(&x698, &x699, x697, x638, x674); - fiat_secp384r1_addcarryx_u32(&x700, &x701, x699, x640, x676); - fiat_secp384r1_addcarryx_u32(&x702, &x703, x701, x642, x678); - fiat_secp384r1_addcarryx_u32(&x704, &x705, x703, ((uint32_t)x643 + x619), - (x679 + x645)); - fiat_secp384r1_addcarryx_u32(&x706, &x707, 0x0, x682, (arg1[9])); - fiat_secp384r1_addcarryx_u32(&x708, &x709, x707, x684, 0x0); - fiat_secp384r1_addcarryx_u32(&x710, &x711, x709, x686, 0x0); - fiat_secp384r1_addcarryx_u32(&x712, &x713, x711, x688, 0x0); - fiat_secp384r1_addcarryx_u32(&x714, &x715, x713, x690, 0x0); - fiat_secp384r1_addcarryx_u32(&x716, &x717, x715, x692, 0x0); - fiat_secp384r1_addcarryx_u32(&x718, &x719, x717, x694, 0x0); - fiat_secp384r1_addcarryx_u32(&x720, &x721, x719, x696, 0x0); - fiat_secp384r1_addcarryx_u32(&x722, &x723, x721, x698, 0x0); - fiat_secp384r1_addcarryx_u32(&x724, &x725, x723, x700, 0x0); - fiat_secp384r1_addcarryx_u32(&x726, &x727, x725, x702, 0x0); - fiat_secp384r1_addcarryx_u32(&x728, &x729, x727, x704, 0x0); - fiat_secp384r1_mulx_u32(&x730, &x731, x706, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x732, &x733, x706, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x734, &x735, x706, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x736, &x737, x706, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x738, &x739, x706, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x740, &x741, x706, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x742, &x743, x706, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x744, &x745, x706, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x746, &x747, x706, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x748, &x749, x706, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u32(&x750, &x751, 0x0, x747, x744); - fiat_secp384r1_addcarryx_u32(&x752, &x753, x751, x745, x742); - fiat_secp384r1_addcarryx_u32(&x754, &x755, x753, x743, x740); - fiat_secp384r1_addcarryx_u32(&x756, &x757, x755, x741, x738); - fiat_secp384r1_addcarryx_u32(&x758, &x759, x757, x739, x736); - fiat_secp384r1_addcarryx_u32(&x760, &x761, x759, x737, x734); - fiat_secp384r1_addcarryx_u32(&x762, &x763, x761, x735, x732); - fiat_secp384r1_addcarryx_u32(&x764, &x765, x763, x733, x730); - fiat_secp384r1_addcarryx_u32(&x766, &x767, 0x0, x706, x748); - fiat_secp384r1_addcarryx_u32(&x768, &x769, x767, x708, x749); - fiat_secp384r1_addcarryx_u32(&x770, &x771, x769, x710, 0x0); - fiat_secp384r1_addcarryx_u32(&x772, &x773, x771, x712, x746); - fiat_secp384r1_addcarryx_u32(&x774, &x775, x773, x714, x750); - fiat_secp384r1_addcarryx_u32(&x776, &x777, x775, x716, x752); - fiat_secp384r1_addcarryx_u32(&x778, &x779, x777, x718, x754); - fiat_secp384r1_addcarryx_u32(&x780, &x781, x779, x720, x756); - fiat_secp384r1_addcarryx_u32(&x782, &x783, x781, x722, x758); - fiat_secp384r1_addcarryx_u32(&x784, &x785, x783, x724, x760); - fiat_secp384r1_addcarryx_u32(&x786, &x787, x785, x726, x762); - fiat_secp384r1_addcarryx_u32(&x788, &x789, x787, x728, x764); - fiat_secp384r1_addcarryx_u32(&x790, &x791, x789, ((uint32_t)x729 + x705), - (x765 + x731)); - fiat_secp384r1_addcarryx_u32(&x792, &x793, 0x0, x768, (arg1[10])); - fiat_secp384r1_addcarryx_u32(&x794, &x795, x793, x770, 0x0); - fiat_secp384r1_addcarryx_u32(&x796, &x797, x795, x772, 0x0); - fiat_secp384r1_addcarryx_u32(&x798, &x799, x797, x774, 0x0); - fiat_secp384r1_addcarryx_u32(&x800, &x801, x799, x776, 0x0); - fiat_secp384r1_addcarryx_u32(&x802, &x803, x801, x778, 0x0); - fiat_secp384r1_addcarryx_u32(&x804, &x805, x803, x780, 0x0); - fiat_secp384r1_addcarryx_u32(&x806, &x807, x805, x782, 0x0); - fiat_secp384r1_addcarryx_u32(&x808, &x809, x807, x784, 0x0); - fiat_secp384r1_addcarryx_u32(&x810, &x811, x809, x786, 0x0); - fiat_secp384r1_addcarryx_u32(&x812, &x813, x811, x788, 0x0); - fiat_secp384r1_addcarryx_u32(&x814, &x815, x813, x790, 0x0); - fiat_secp384r1_mulx_u32(&x816, &x817, x792, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x818, &x819, x792, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x820, &x821, x792, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x822, &x823, x792, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x824, &x825, x792, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x826, &x827, x792, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x828, &x829, x792, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x830, &x831, x792, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x832, &x833, x792, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x834, &x835, x792, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u32(&x836, &x837, 0x0, x833, x830); - fiat_secp384r1_addcarryx_u32(&x838, &x839, x837, x831, x828); - fiat_secp384r1_addcarryx_u32(&x840, &x841, x839, x829, x826); - fiat_secp384r1_addcarryx_u32(&x842, &x843, x841, x827, x824); - fiat_secp384r1_addcarryx_u32(&x844, &x845, x843, x825, x822); - fiat_secp384r1_addcarryx_u32(&x846, &x847, x845, x823, x820); - fiat_secp384r1_addcarryx_u32(&x848, &x849, x847, x821, x818); - fiat_secp384r1_addcarryx_u32(&x850, &x851, x849, x819, x816); - fiat_secp384r1_addcarryx_u32(&x852, &x853, 0x0, x792, x834); - fiat_secp384r1_addcarryx_u32(&x854, &x855, x853, x794, x835); - fiat_secp384r1_addcarryx_u32(&x856, &x857, x855, x796, 0x0); - fiat_secp384r1_addcarryx_u32(&x858, &x859, x857, x798, x832); - fiat_secp384r1_addcarryx_u32(&x860, &x861, x859, x800, x836); - fiat_secp384r1_addcarryx_u32(&x862, &x863, x861, x802, x838); - fiat_secp384r1_addcarryx_u32(&x864, &x865, x863, x804, x840); - fiat_secp384r1_addcarryx_u32(&x866, &x867, x865, x806, x842); - fiat_secp384r1_addcarryx_u32(&x868, &x869, x867, x808, x844); - fiat_secp384r1_addcarryx_u32(&x870, &x871, x869, x810, x846); - fiat_secp384r1_addcarryx_u32(&x872, &x873, x871, x812, x848); - fiat_secp384r1_addcarryx_u32(&x874, &x875, x873, x814, x850); - fiat_secp384r1_addcarryx_u32(&x876, &x877, x875, ((uint32_t)x815 + x791), - (x851 + x817)); - fiat_secp384r1_addcarryx_u32(&x878, &x879, 0x0, x854, (arg1[11])); - fiat_secp384r1_addcarryx_u32(&x880, &x881, x879, x856, 0x0); - fiat_secp384r1_addcarryx_u32(&x882, &x883, x881, x858, 0x0); - fiat_secp384r1_addcarryx_u32(&x884, &x885, x883, x860, 0x0); - fiat_secp384r1_addcarryx_u32(&x886, &x887, x885, x862, 0x0); - fiat_secp384r1_addcarryx_u32(&x888, &x889, x887, x864, 0x0); - fiat_secp384r1_addcarryx_u32(&x890, &x891, x889, x866, 0x0); - fiat_secp384r1_addcarryx_u32(&x892, &x893, x891, x868, 0x0); - fiat_secp384r1_addcarryx_u32(&x894, &x895, x893, x870, 0x0); - fiat_secp384r1_addcarryx_u32(&x896, &x897, x895, x872, 0x0); - fiat_secp384r1_addcarryx_u32(&x898, &x899, x897, x874, 0x0); - fiat_secp384r1_addcarryx_u32(&x900, &x901, x899, x876, 0x0); - fiat_secp384r1_mulx_u32(&x902, &x903, x878, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x904, &x905, x878, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x906, &x907, x878, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x908, &x909, x878, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x910, &x911, x878, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x912, &x913, x878, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x914, &x915, x878, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x916, &x917, x878, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x918, &x919, x878, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x920, &x921, x878, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u32(&x922, &x923, 0x0, x919, x916); - fiat_secp384r1_addcarryx_u32(&x924, &x925, x923, x917, x914); - fiat_secp384r1_addcarryx_u32(&x926, &x927, x925, x915, x912); - fiat_secp384r1_addcarryx_u32(&x928, &x929, x927, x913, x910); - fiat_secp384r1_addcarryx_u32(&x930, &x931, x929, x911, x908); - fiat_secp384r1_addcarryx_u32(&x932, &x933, x931, x909, x906); - fiat_secp384r1_addcarryx_u32(&x934, &x935, x933, x907, x904); - fiat_secp384r1_addcarryx_u32(&x936, &x937, x935, x905, x902); - fiat_secp384r1_addcarryx_u32(&x938, &x939, 0x0, x878, x920); - fiat_secp384r1_addcarryx_u32(&x940, &x941, x939, x880, x921); - fiat_secp384r1_addcarryx_u32(&x942, &x943, x941, x882, 0x0); - fiat_secp384r1_addcarryx_u32(&x944, &x945, x943, x884, x918); - fiat_secp384r1_addcarryx_u32(&x946, &x947, x945, x886, x922); - fiat_secp384r1_addcarryx_u32(&x948, &x949, x947, x888, x924); - fiat_secp384r1_addcarryx_u32(&x950, &x951, x949, x890, x926); - fiat_secp384r1_addcarryx_u32(&x952, &x953, x951, x892, x928); - fiat_secp384r1_addcarryx_u32(&x954, &x955, x953, x894, x930); - fiat_secp384r1_addcarryx_u32(&x956, &x957, x955, x896, x932); - fiat_secp384r1_addcarryx_u32(&x958, &x959, x957, x898, x934); - fiat_secp384r1_addcarryx_u32(&x960, &x961, x959, x900, x936); - fiat_secp384r1_addcarryx_u32(&x962, &x963, x961, ((uint32_t)x901 + x877), - (x937 + x903)); - fiat_secp384r1_subborrowx_u32(&x964, &x965, 0x0, x940, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x966, &x967, x965, x942, 0x0); - fiat_secp384r1_subborrowx_u32(&x968, &x969, x967, x944, 0x0); - fiat_secp384r1_subborrowx_u32(&x970, &x971, x969, x946, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x972, &x973, x971, x948, - UINT32_C(0xfffffffe)); - fiat_secp384r1_subborrowx_u32(&x974, &x975, x973, x950, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x976, &x977, x975, x952, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x978, &x979, x977, x954, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x980, &x981, x979, x956, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x982, &x983, x981, x958, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x984, &x985, x983, x960, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x986, &x987, x985, x962, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x988, &x989, x987, x963, 0x0); - fiat_secp384r1_cmovznz_u32(&x990, x989, x964, x940); - fiat_secp384r1_cmovznz_u32(&x991, x989, x966, x942); - fiat_secp384r1_cmovznz_u32(&x992, x989, x968, x944); - fiat_secp384r1_cmovznz_u32(&x993, x989, x970, x946); - fiat_secp384r1_cmovznz_u32(&x994, x989, x972, x948); - fiat_secp384r1_cmovznz_u32(&x995, x989, x974, x950); - fiat_secp384r1_cmovznz_u32(&x996, x989, x976, x952); - fiat_secp384r1_cmovznz_u32(&x997, x989, x978, x954); - fiat_secp384r1_cmovznz_u32(&x998, x989, x980, x956); - fiat_secp384r1_cmovznz_u32(&x999, x989, x982, x958); - fiat_secp384r1_cmovznz_u32(&x1000, x989, x984, x960); - fiat_secp384r1_cmovznz_u32(&x1001, x989, x986, x962); - out1[0] = x990; - out1[1] = x991; - out1[2] = x992; - out1[3] = x993; - out1[4] = x994; - out1[5] = x995; - out1[6] = x996; - out1[7] = x997; - out1[8] = x998; - out1[9] = x999; - out1[10] = x1000; - out1[11] = x1001; -} + /* We consider keys of up to size 48, or of size 49 with a single leading 0 */ + if (k->len < 48) { + memcpy(full_key + 48 - k->len, k->data, k->len); + key = full_key; + } else if (k->len == 48) { + key = k->data; + } else if (k->len == 49 && k->data[0] == 0) { + key = k->data + 1; + } else { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + res = SECFailure; + return res; + } -/* - * The function fiat_secp384r1_to_montgomery translates a field element into the Montgomery domain. - * - * Preconditions: - * 0 ≤ eval arg1 < m - * Postconditions: - * eval (from_montgomery out1) mod m = eval arg1 mod m - * 0 ≤ eval out1 < m - * - */ -static void -fiat_secp384r1_to_montgomery( - fiat_secp384r1_montgomery_domain_field_element out1, - const fiat_secp384r1_non_montgomery_domain_field_element arg1) -{ - uint32_t x1; - uint32_t x2; - uint32_t x3; - uint32_t x4; - uint32_t x5; - uint32_t x6; - uint32_t x7; - uint32_t x8; - uint32_t x9; - uint32_t x10; - uint32_t x11; - uint32_t x12; - uint32_t x13; - uint32_t x14; - uint32_t x15; - uint32_t x16; - uint32_t x17; - uint32_t x18; - uint32_t x19; - uint32_t x20; - uint32_t x21; - fiat_secp384r1_uint1 x22; - uint32_t x23; - uint32_t x24; - uint32_t x25; - uint32_t x26; - uint32_t x27; - uint32_t x28; - uint32_t x29; - uint32_t x30; - uint32_t x31; - uint32_t x32; - uint32_t x33; - uint32_t x34; - uint32_t x35; - uint32_t x36; - uint32_t x37; - uint32_t x38; - uint32_t x39; - uint32_t x40; - uint32_t x41; - uint32_t x42; - uint32_t x43; - fiat_secp384r1_uint1 x44; - uint32_t x45; - fiat_secp384r1_uint1 x46; - uint32_t x47; - fiat_secp384r1_uint1 x48; - uint32_t x49; - fiat_secp384r1_uint1 x50; - uint32_t x51; - fiat_secp384r1_uint1 x52; - uint32_t x53; - fiat_secp384r1_uint1 x54; - uint32_t x55; - fiat_secp384r1_uint1 x56; - uint32_t x57; - fiat_secp384r1_uint1 x58; - uint32_t x59; - fiat_secp384r1_uint1 x60; - uint32_t x61; - fiat_secp384r1_uint1 x62; - uint32_t x63; - fiat_secp384r1_uint1 x64; - uint32_t x65; - fiat_secp384r1_uint1 x66; - uint32_t x67; - fiat_secp384r1_uint1 x68; - uint32_t x69; - fiat_secp384r1_uint1 x70; - uint32_t x71; - fiat_secp384r1_uint1 x72; - uint32_t x73; - fiat_secp384r1_uint1 x74; - uint32_t x75; - fiat_secp384r1_uint1 x76; - uint32_t x77; - fiat_secp384r1_uint1 x78; - uint32_t x79; - fiat_secp384r1_uint1 x80; - uint32_t x81; - fiat_secp384r1_uint1 x82; - uint32_t x83; - uint32_t x84; - uint32_t x85; - uint32_t x86; - uint32_t x87; - uint32_t x88; - uint32_t x89; - uint32_t x90; - uint32_t x91; - fiat_secp384r1_uint1 x92; - uint32_t x93; - fiat_secp384r1_uint1 x94; - uint32_t x95; - fiat_secp384r1_uint1 x96; - uint32_t x97; - fiat_secp384r1_uint1 x98; - uint32_t x99; - fiat_secp384r1_uint1 x100; - uint32_t x101; - fiat_secp384r1_uint1 x102; - uint32_t x103; - fiat_secp384r1_uint1 x104; - uint32_t x105; - fiat_secp384r1_uint1 x106; - uint32_t x107; - fiat_secp384r1_uint1 x108; - uint32_t x109; - fiat_secp384r1_uint1 x110; - uint32_t x111; - fiat_secp384r1_uint1 x112; - uint32_t x113; - fiat_secp384r1_uint1 x114; - uint32_t x115; - fiat_secp384r1_uint1 x116; - uint32_t x117; - uint32_t x118; - uint32_t x119; - uint32_t x120; - uint32_t x121; - uint32_t x122; - uint32_t x123; - uint32_t x124; - uint32_t x125; - uint32_t x126; - uint32_t x127; - uint32_t x128; - uint32_t x129; - uint32_t x130; - uint32_t x131; - uint32_t x132; - uint32_t x133; - uint32_t x134; - uint32_t x135; - uint32_t x136; - uint32_t x137; - fiat_secp384r1_uint1 x138; - uint32_t x139; - fiat_secp384r1_uint1 x140; - uint32_t x141; - fiat_secp384r1_uint1 x142; - uint32_t x143; - fiat_secp384r1_uint1 x144; - uint32_t x145; - fiat_secp384r1_uint1 x146; - uint32_t x147; - fiat_secp384r1_uint1 x148; - uint32_t x149; - fiat_secp384r1_uint1 x150; - uint32_t x151; - fiat_secp384r1_uint1 x152; - uint32_t x153; - fiat_secp384r1_uint1 x154; - uint32_t x155; - fiat_secp384r1_uint1 x156; - uint32_t x157; - fiat_secp384r1_uint1 x158; - uint32_t x159; - fiat_secp384r1_uint1 x160; - uint32_t x161; - fiat_secp384r1_uint1 x162; - uint32_t x163; - fiat_secp384r1_uint1 x164; - uint32_t x165; - fiat_secp384r1_uint1 x166; - uint32_t x167; - fiat_secp384r1_uint1 x168; - uint32_t x169; - fiat_secp384r1_uint1 x170; - uint32_t x171; - fiat_secp384r1_uint1 x172; - uint32_t x173; - fiat_secp384r1_uint1 x174; - uint32_t x175; - fiat_secp384r1_uint1 x176; - uint32_t x177; - fiat_secp384r1_uint1 x178; - uint32_t x179; - uint32_t x180; - uint32_t x181; - uint32_t x182; - uint32_t x183; - uint32_t x184; - uint32_t x185; - uint32_t x186; - uint32_t x187; - fiat_secp384r1_uint1 x188; - uint32_t x189; - fiat_secp384r1_uint1 x190; - uint32_t x191; - fiat_secp384r1_uint1 x192; - uint32_t x193; - fiat_secp384r1_uint1 x194; - uint32_t x195; - fiat_secp384r1_uint1 x196; - uint32_t x197; - fiat_secp384r1_uint1 x198; - uint32_t x199; - fiat_secp384r1_uint1 x200; - uint32_t x201; - fiat_secp384r1_uint1 x202; - uint32_t x203; - fiat_secp384r1_uint1 x204; - uint32_t x205; - fiat_secp384r1_uint1 x206; - uint32_t x207; - fiat_secp384r1_uint1 x208; - uint32_t x209; - fiat_secp384r1_uint1 x210; - uint32_t x211; - fiat_secp384r1_uint1 x212; - uint32_t x213; - uint32_t x214; - uint32_t x215; - uint32_t x216; - uint32_t x217; - uint32_t x218; - uint32_t x219; - uint32_t x220; - uint32_t x221; - uint32_t x222; - uint32_t x223; - uint32_t x224; - uint32_t x225; - uint32_t x226; - uint32_t x227; - uint32_t x228; - uint32_t x229; - uint32_t x230; - uint32_t x231; - uint32_t x232; - uint32_t x233; - fiat_secp384r1_uint1 x234; - uint32_t x235; - fiat_secp384r1_uint1 x236; - uint32_t x237; - fiat_secp384r1_uint1 x238; - uint32_t x239; - fiat_secp384r1_uint1 x240; - uint32_t x241; - fiat_secp384r1_uint1 x242; - uint32_t x243; - fiat_secp384r1_uint1 x244; - uint32_t x245; - fiat_secp384r1_uint1 x246; - uint32_t x247; - fiat_secp384r1_uint1 x248; - uint32_t x249; - fiat_secp384r1_uint1 x250; - uint32_t x251; - fiat_secp384r1_uint1 x252; - uint32_t x253; - fiat_secp384r1_uint1 x254; - uint32_t x255; - fiat_secp384r1_uint1 x256; - uint32_t x257; - fiat_secp384r1_uint1 x258; - uint32_t x259; - fiat_secp384r1_uint1 x260; - uint32_t x261; - fiat_secp384r1_uint1 x262; - uint32_t x263; - fiat_secp384r1_uint1 x264; - uint32_t x265; - fiat_secp384r1_uint1 x266; - uint32_t x267; - fiat_secp384r1_uint1 x268; - uint32_t x269; - fiat_secp384r1_uint1 x270; - uint32_t x271; - fiat_secp384r1_uint1 x272; - uint32_t x273; - fiat_secp384r1_uint1 x274; - uint32_t x275; - uint32_t x276; - uint32_t x277; - uint32_t x278; - uint32_t x279; - uint32_t x280; - uint32_t x281; - uint32_t x282; - uint32_t x283; - fiat_secp384r1_uint1 x284; - uint32_t x285; - fiat_secp384r1_uint1 x286; - uint32_t x287; - fiat_secp384r1_uint1 x288; - uint32_t x289; - fiat_secp384r1_uint1 x290; - uint32_t x291; - fiat_secp384r1_uint1 x292; - uint32_t x293; - fiat_secp384r1_uint1 x294; - uint32_t x295; - fiat_secp384r1_uint1 x296; - uint32_t x297; - fiat_secp384r1_uint1 x298; - uint32_t x299; - fiat_secp384r1_uint1 x300; - uint32_t x301; - fiat_secp384r1_uint1 x302; - uint32_t x303; - fiat_secp384r1_uint1 x304; - uint32_t x305; - fiat_secp384r1_uint1 x306; - uint32_t x307; - fiat_secp384r1_uint1 x308; - uint32_t x309; - uint32_t x310; - uint32_t x311; - uint32_t x312; - uint32_t x313; - uint32_t x314; - uint32_t x315; - uint32_t x316; - uint32_t x317; - uint32_t x318; - uint32_t x319; - uint32_t x320; - uint32_t x321; - uint32_t x322; - uint32_t x323; - uint32_t x324; - uint32_t x325; - uint32_t x326; - uint32_t x327; - uint32_t x328; - uint32_t x329; - fiat_secp384r1_uint1 x330; - uint32_t x331; - fiat_secp384r1_uint1 x332; - uint32_t x333; - fiat_secp384r1_uint1 x334; - uint32_t x335; - fiat_secp384r1_uint1 x336; - uint32_t x337; - fiat_secp384r1_uint1 x338; - uint32_t x339; - fiat_secp384r1_uint1 x340; - uint32_t x341; - fiat_secp384r1_uint1 x342; - uint32_t x343; - fiat_secp384r1_uint1 x344; - uint32_t x345; - fiat_secp384r1_uint1 x346; - uint32_t x347; - fiat_secp384r1_uint1 x348; - uint32_t x349; - fiat_secp384r1_uint1 x350; - uint32_t x351; - fiat_secp384r1_uint1 x352; - uint32_t x353; - fiat_secp384r1_uint1 x354; - uint32_t x355; - fiat_secp384r1_uint1 x356; - uint32_t x357; - fiat_secp384r1_uint1 x358; - uint32_t x359; - fiat_secp384r1_uint1 x360; - uint32_t x361; - fiat_secp384r1_uint1 x362; - uint32_t x363; - fiat_secp384r1_uint1 x364; - uint32_t x365; - fiat_secp384r1_uint1 x366; - uint32_t x367; - fiat_secp384r1_uint1 x368; - uint32_t x369; - fiat_secp384r1_uint1 x370; - uint32_t x371; - uint32_t x372; - uint32_t x373; - uint32_t x374; - uint32_t x375; - uint32_t x376; - uint32_t x377; - uint32_t x378; - uint32_t x379; - fiat_secp384r1_uint1 x380; - uint32_t x381; - fiat_secp384r1_uint1 x382; - uint32_t x383; - fiat_secp384r1_uint1 x384; - uint32_t x385; - fiat_secp384r1_uint1 x386; - uint32_t x387; - fiat_secp384r1_uint1 x388; - uint32_t x389; - fiat_secp384r1_uint1 x390; - uint32_t x391; - fiat_secp384r1_uint1 x392; - uint32_t x393; - fiat_secp384r1_uint1 x394; - uint32_t x395; - fiat_secp384r1_uint1 x396; - uint32_t x397; - fiat_secp384r1_uint1 x398; - uint32_t x399; - fiat_secp384r1_uint1 x400; - uint32_t x401; - fiat_secp384r1_uint1 x402; - uint32_t x403; - fiat_secp384r1_uint1 x404; - uint32_t x405; - uint32_t x406; - uint32_t x407; - uint32_t x408; - uint32_t x409; - uint32_t x410; - uint32_t x411; - uint32_t x412; - uint32_t x413; - uint32_t x414; - uint32_t x415; - uint32_t x416; - uint32_t x417; - uint32_t x418; - uint32_t x419; - uint32_t x420; - uint32_t x421; - uint32_t x422; - uint32_t x423; - uint32_t x424; - uint32_t x425; - fiat_secp384r1_uint1 x426; - uint32_t x427; - fiat_secp384r1_uint1 x428; - uint32_t x429; - fiat_secp384r1_uint1 x430; - uint32_t x431; - fiat_secp384r1_uint1 x432; - uint32_t x433; - fiat_secp384r1_uint1 x434; - uint32_t x435; - fiat_secp384r1_uint1 x436; - uint32_t x437; - fiat_secp384r1_uint1 x438; - uint32_t x439; - fiat_secp384r1_uint1 x440; - uint32_t x441; - fiat_secp384r1_uint1 x442; - uint32_t x443; - fiat_secp384r1_uint1 x444; - uint32_t x445; - fiat_secp384r1_uint1 x446; - uint32_t x447; - fiat_secp384r1_uint1 x448; - uint32_t x449; - fiat_secp384r1_uint1 x450; - uint32_t x451; - fiat_secp384r1_uint1 x452; - uint32_t x453; - fiat_secp384r1_uint1 x454; - uint32_t x455; - fiat_secp384r1_uint1 x456; - uint32_t x457; - fiat_secp384r1_uint1 x458; - uint32_t x459; - fiat_secp384r1_uint1 x460; - uint32_t x461; - fiat_secp384r1_uint1 x462; - uint32_t x463; - fiat_secp384r1_uint1 x464; - uint32_t x465; - fiat_secp384r1_uint1 x466; - uint32_t x467; - uint32_t x468; - uint32_t x469; - uint32_t x470; - uint32_t x471; - uint32_t x472; - uint32_t x473; - uint32_t x474; - uint32_t x475; - fiat_secp384r1_uint1 x476; - uint32_t x477; - fiat_secp384r1_uint1 x478; - uint32_t x479; - fiat_secp384r1_uint1 x480; - uint32_t x481; - fiat_secp384r1_uint1 x482; - uint32_t x483; - fiat_secp384r1_uint1 x484; - uint32_t x485; - fiat_secp384r1_uint1 x486; - uint32_t x487; - fiat_secp384r1_uint1 x488; - uint32_t x489; - fiat_secp384r1_uint1 x490; - uint32_t x491; - fiat_secp384r1_uint1 x492; - uint32_t x493; - fiat_secp384r1_uint1 x494; - uint32_t x495; - fiat_secp384r1_uint1 x496; - uint32_t x497; - fiat_secp384r1_uint1 x498; - uint32_t x499; - fiat_secp384r1_uint1 x500; - uint32_t x501; - uint32_t x502; - uint32_t x503; - uint32_t x504; - uint32_t x505; - uint32_t x506; - uint32_t x507; - uint32_t x508; - uint32_t x509; - uint32_t x510; - uint32_t x511; - uint32_t x512; - uint32_t x513; - uint32_t x514; - uint32_t x515; - uint32_t x516; - uint32_t x517; - uint32_t x518; - uint32_t x519; - uint32_t x520; - uint32_t x521; - fiat_secp384r1_uint1 x522; - uint32_t x523; - fiat_secp384r1_uint1 x524; - uint32_t x525; - fiat_secp384r1_uint1 x526; - uint32_t x527; - fiat_secp384r1_uint1 x528; - uint32_t x529; - fiat_secp384r1_uint1 x530; - uint32_t x531; - fiat_secp384r1_uint1 x532; - uint32_t x533; - fiat_secp384r1_uint1 x534; - uint32_t x535; - fiat_secp384r1_uint1 x536; - uint32_t x537; - fiat_secp384r1_uint1 x538; - uint32_t x539; - fiat_secp384r1_uint1 x540; - uint32_t x541; - fiat_secp384r1_uint1 x542; - uint32_t x543; - fiat_secp384r1_uint1 x544; - uint32_t x545; - fiat_secp384r1_uint1 x546; - uint32_t x547; - fiat_secp384r1_uint1 x548; - uint32_t x549; - fiat_secp384r1_uint1 x550; - uint32_t x551; - fiat_secp384r1_uint1 x552; - uint32_t x553; - fiat_secp384r1_uint1 x554; - uint32_t x555; - fiat_secp384r1_uint1 x556; - uint32_t x557; - fiat_secp384r1_uint1 x558; - uint32_t x559; - fiat_secp384r1_uint1 x560; - uint32_t x561; - fiat_secp384r1_uint1 x562; - uint32_t x563; - uint32_t x564; - uint32_t x565; - uint32_t x566; - uint32_t x567; - uint32_t x568; - uint32_t x569; - uint32_t x570; - uint32_t x571; - fiat_secp384r1_uint1 x572; - uint32_t x573; - fiat_secp384r1_uint1 x574; - uint32_t x575; - fiat_secp384r1_uint1 x576; - uint32_t x577; - fiat_secp384r1_uint1 x578; - uint32_t x579; - fiat_secp384r1_uint1 x580; - uint32_t x581; - fiat_secp384r1_uint1 x582; - uint32_t x583; - fiat_secp384r1_uint1 x584; - uint32_t x585; - fiat_secp384r1_uint1 x586; - uint32_t x587; - fiat_secp384r1_uint1 x588; - uint32_t x589; - fiat_secp384r1_uint1 x590; - uint32_t x591; - fiat_secp384r1_uint1 x592; - uint32_t x593; - fiat_secp384r1_uint1 x594; - uint32_t x595; - fiat_secp384r1_uint1 x596; - uint32_t x597; - uint32_t x598; - uint32_t x599; - uint32_t x600; - uint32_t x601; - uint32_t x602; - uint32_t x603; - uint32_t x604; - uint32_t x605; - uint32_t x606; - uint32_t x607; - uint32_t x608; - uint32_t x609; - uint32_t x610; - uint32_t x611; - uint32_t x612; - uint32_t x613; - uint32_t x614; - uint32_t x615; - uint32_t x616; - uint32_t x617; - fiat_secp384r1_uint1 x618; - uint32_t x619; - fiat_secp384r1_uint1 x620; - uint32_t x621; - fiat_secp384r1_uint1 x622; - uint32_t x623; - fiat_secp384r1_uint1 x624; - uint32_t x625; - fiat_secp384r1_uint1 x626; - uint32_t x627; - fiat_secp384r1_uint1 x628; - uint32_t x629; - fiat_secp384r1_uint1 x630; - uint32_t x631; - fiat_secp384r1_uint1 x632; - uint32_t x633; - fiat_secp384r1_uint1 x634; - uint32_t x635; - fiat_secp384r1_uint1 x636; - uint32_t x637; - fiat_secp384r1_uint1 x638; - uint32_t x639; - fiat_secp384r1_uint1 x640; - uint32_t x641; - fiat_secp384r1_uint1 x642; - uint32_t x643; - fiat_secp384r1_uint1 x644; - uint32_t x645; - fiat_secp384r1_uint1 x646; - uint32_t x647; - fiat_secp384r1_uint1 x648; - uint32_t x649; - fiat_secp384r1_uint1 x650; - uint32_t x651; - fiat_secp384r1_uint1 x652; - uint32_t x653; - fiat_secp384r1_uint1 x654; - uint32_t x655; - fiat_secp384r1_uint1 x656; - uint32_t x657; - fiat_secp384r1_uint1 x658; - uint32_t x659; - uint32_t x660; - uint32_t x661; - uint32_t x662; - uint32_t x663; - uint32_t x664; - uint32_t x665; - uint32_t x666; - uint32_t x667; - fiat_secp384r1_uint1 x668; - uint32_t x669; - fiat_secp384r1_uint1 x670; - uint32_t x671; - fiat_secp384r1_uint1 x672; - uint32_t x673; - fiat_secp384r1_uint1 x674; - uint32_t x675; - fiat_secp384r1_uint1 x676; - uint32_t x677; - fiat_secp384r1_uint1 x678; - uint32_t x679; - fiat_secp384r1_uint1 x680; - uint32_t x681; - fiat_secp384r1_uint1 x682; - uint32_t x683; - fiat_secp384r1_uint1 x684; - uint32_t x685; - fiat_secp384r1_uint1 x686; - uint32_t x687; - fiat_secp384r1_uint1 x688; - uint32_t x689; - fiat_secp384r1_uint1 x690; - uint32_t x691; - fiat_secp384r1_uint1 x692; - uint32_t x693; - uint32_t x694; - uint32_t x695; - uint32_t x696; - uint32_t x697; - uint32_t x698; - uint32_t x699; - uint32_t x700; - uint32_t x701; - uint32_t x702; - uint32_t x703; - uint32_t x704; - uint32_t x705; - uint32_t x706; - uint32_t x707; - uint32_t x708; - uint32_t x709; - uint32_t x710; - uint32_t x711; - uint32_t x712; - uint32_t x713; - fiat_secp384r1_uint1 x714; - uint32_t x715; - fiat_secp384r1_uint1 x716; - uint32_t x717; - fiat_secp384r1_uint1 x718; - uint32_t x719; - fiat_secp384r1_uint1 x720; - uint32_t x721; - fiat_secp384r1_uint1 x722; - uint32_t x723; - fiat_secp384r1_uint1 x724; - uint32_t x725; - fiat_secp384r1_uint1 x726; - uint32_t x727; - fiat_secp384r1_uint1 x728; - uint32_t x729; - fiat_secp384r1_uint1 x730; - uint32_t x731; - fiat_secp384r1_uint1 x732; - uint32_t x733; - fiat_secp384r1_uint1 x734; - uint32_t x735; - fiat_secp384r1_uint1 x736; - uint32_t x737; - fiat_secp384r1_uint1 x738; - uint32_t x739; - fiat_secp384r1_uint1 x740; - uint32_t x741; - fiat_secp384r1_uint1 x742; - uint32_t x743; - fiat_secp384r1_uint1 x744; - uint32_t x745; - fiat_secp384r1_uint1 x746; - uint32_t x747; - fiat_secp384r1_uint1 x748; - uint32_t x749; - fiat_secp384r1_uint1 x750; - uint32_t x751; - fiat_secp384r1_uint1 x752; - uint32_t x753; - fiat_secp384r1_uint1 x754; - uint32_t x755; - uint32_t x756; - uint32_t x757; - uint32_t x758; - uint32_t x759; - uint32_t x760; - uint32_t x761; - uint32_t x762; - uint32_t x763; - fiat_secp384r1_uint1 x764; - uint32_t x765; - fiat_secp384r1_uint1 x766; - uint32_t x767; - fiat_secp384r1_uint1 x768; - uint32_t x769; - fiat_secp384r1_uint1 x770; - uint32_t x771; - fiat_secp384r1_uint1 x772; - uint32_t x773; - fiat_secp384r1_uint1 x774; - uint32_t x775; - fiat_secp384r1_uint1 x776; - uint32_t x777; - fiat_secp384r1_uint1 x778; - uint32_t x779; - fiat_secp384r1_uint1 x780; - uint32_t x781; - fiat_secp384r1_uint1 x782; - uint32_t x783; - fiat_secp384r1_uint1 x784; - uint32_t x785; - fiat_secp384r1_uint1 x786; - uint32_t x787; - fiat_secp384r1_uint1 x788; - uint32_t x789; - uint32_t x790; - uint32_t x791; - uint32_t x792; - uint32_t x793; - uint32_t x794; - uint32_t x795; - uint32_t x796; - uint32_t x797; - uint32_t x798; - uint32_t x799; - uint32_t x800; - uint32_t x801; - uint32_t x802; - uint32_t x803; - uint32_t x804; - uint32_t x805; - uint32_t x806; - uint32_t x807; - uint32_t x808; - uint32_t x809; - fiat_secp384r1_uint1 x810; - uint32_t x811; - fiat_secp384r1_uint1 x812; - uint32_t x813; - fiat_secp384r1_uint1 x814; - uint32_t x815; - fiat_secp384r1_uint1 x816; - uint32_t x817; - fiat_secp384r1_uint1 x818; - uint32_t x819; - fiat_secp384r1_uint1 x820; - uint32_t x821; - fiat_secp384r1_uint1 x822; - uint32_t x823; - fiat_secp384r1_uint1 x824; - uint32_t x825; - fiat_secp384r1_uint1 x826; - uint32_t x827; - fiat_secp384r1_uint1 x828; - uint32_t x829; - fiat_secp384r1_uint1 x830; - uint32_t x831; - fiat_secp384r1_uint1 x832; - uint32_t x833; - fiat_secp384r1_uint1 x834; - uint32_t x835; - fiat_secp384r1_uint1 x836; - uint32_t x837; - fiat_secp384r1_uint1 x838; - uint32_t x839; - fiat_secp384r1_uint1 x840; - uint32_t x841; - fiat_secp384r1_uint1 x842; - uint32_t x843; - fiat_secp384r1_uint1 x844; - uint32_t x845; - fiat_secp384r1_uint1 x846; - uint32_t x847; - fiat_secp384r1_uint1 x848; - uint32_t x849; - fiat_secp384r1_uint1 x850; - uint32_t x851; - uint32_t x852; - uint32_t x853; - uint32_t x854; - uint32_t x855; - uint32_t x856; - uint32_t x857; - uint32_t x858; - uint32_t x859; - fiat_secp384r1_uint1 x860; - uint32_t x861; - fiat_secp384r1_uint1 x862; - uint32_t x863; - fiat_secp384r1_uint1 x864; - uint32_t x865; - fiat_secp384r1_uint1 x866; - uint32_t x867; - fiat_secp384r1_uint1 x868; - uint32_t x869; - fiat_secp384r1_uint1 x870; - uint32_t x871; - fiat_secp384r1_uint1 x872; - uint32_t x873; - fiat_secp384r1_uint1 x874; - uint32_t x875; - fiat_secp384r1_uint1 x876; - uint32_t x877; - fiat_secp384r1_uint1 x878; - uint32_t x879; - fiat_secp384r1_uint1 x880; - uint32_t x881; - fiat_secp384r1_uint1 x882; - uint32_t x883; - fiat_secp384r1_uint1 x884; - uint32_t x885; - uint32_t x886; - uint32_t x887; - uint32_t x888; - uint32_t x889; - uint32_t x890; - uint32_t x891; - uint32_t x892; - uint32_t x893; - uint32_t x894; - uint32_t x895; - uint32_t x896; - uint32_t x897; - uint32_t x898; - uint32_t x899; - uint32_t x900; - uint32_t x901; - uint32_t x902; - uint32_t x903; - uint32_t x904; - uint32_t x905; - fiat_secp384r1_uint1 x906; - uint32_t x907; - fiat_secp384r1_uint1 x908; - uint32_t x909; - fiat_secp384r1_uint1 x910; - uint32_t x911; - fiat_secp384r1_uint1 x912; - uint32_t x913; - fiat_secp384r1_uint1 x914; - uint32_t x915; - fiat_secp384r1_uint1 x916; - uint32_t x917; - fiat_secp384r1_uint1 x918; - uint32_t x919; - fiat_secp384r1_uint1 x920; - uint32_t x921; - fiat_secp384r1_uint1 x922; - uint32_t x923; - fiat_secp384r1_uint1 x924; - uint32_t x925; - fiat_secp384r1_uint1 x926; - uint32_t x927; - fiat_secp384r1_uint1 x928; - uint32_t x929; - fiat_secp384r1_uint1 x930; - uint32_t x931; - fiat_secp384r1_uint1 x932; - uint32_t x933; - fiat_secp384r1_uint1 x934; - uint32_t x935; - fiat_secp384r1_uint1 x936; - uint32_t x937; - fiat_secp384r1_uint1 x938; - uint32_t x939; - fiat_secp384r1_uint1 x940; - uint32_t x941; - fiat_secp384r1_uint1 x942; - uint32_t x943; - fiat_secp384r1_uint1 x944; - uint32_t x945; - fiat_secp384r1_uint1 x946; - uint32_t x947; - uint32_t x948; - uint32_t x949; - uint32_t x950; - uint32_t x951; - uint32_t x952; - uint32_t x953; - uint32_t x954; - uint32_t x955; - fiat_secp384r1_uint1 x956; - uint32_t x957; - fiat_secp384r1_uint1 x958; - uint32_t x959; - fiat_secp384r1_uint1 x960; - uint32_t x961; - fiat_secp384r1_uint1 x962; - uint32_t x963; - fiat_secp384r1_uint1 x964; - uint32_t x965; - fiat_secp384r1_uint1 x966; - uint32_t x967; - fiat_secp384r1_uint1 x968; - uint32_t x969; - fiat_secp384r1_uint1 x970; - uint32_t x971; - fiat_secp384r1_uint1 x972; - uint32_t x973; - fiat_secp384r1_uint1 x974; - uint32_t x975; - fiat_secp384r1_uint1 x976; - uint32_t x977; - fiat_secp384r1_uint1 x978; - uint32_t x979; - fiat_secp384r1_uint1 x980; - uint32_t x981; - uint32_t x982; - uint32_t x983; - uint32_t x984; - uint32_t x985; - uint32_t x986; - uint32_t x987; - uint32_t x988; - uint32_t x989; - uint32_t x990; - uint32_t x991; - uint32_t x992; - uint32_t x993; - uint32_t x994; - uint32_t x995; - uint32_t x996; - uint32_t x997; - uint32_t x998; - uint32_t x999; - uint32_t x1000; - uint32_t x1001; - fiat_secp384r1_uint1 x1002; - uint32_t x1003; - fiat_secp384r1_uint1 x1004; - uint32_t x1005; - fiat_secp384r1_uint1 x1006; - uint32_t x1007; - fiat_secp384r1_uint1 x1008; - uint32_t x1009; - fiat_secp384r1_uint1 x1010; - uint32_t x1011; - fiat_secp384r1_uint1 x1012; - uint32_t x1013; - fiat_secp384r1_uint1 x1014; - uint32_t x1015; - fiat_secp384r1_uint1 x1016; - uint32_t x1017; - fiat_secp384r1_uint1 x1018; - uint32_t x1019; - fiat_secp384r1_uint1 x1020; - uint32_t x1021; - fiat_secp384r1_uint1 x1022; - uint32_t x1023; - fiat_secp384r1_uint1 x1024; - uint32_t x1025; - fiat_secp384r1_uint1 x1026; - uint32_t x1027; - fiat_secp384r1_uint1 x1028; - uint32_t x1029; - fiat_secp384r1_uint1 x1030; - uint32_t x1031; - fiat_secp384r1_uint1 x1032; - uint32_t x1033; - fiat_secp384r1_uint1 x1034; - uint32_t x1035; - fiat_secp384r1_uint1 x1036; - uint32_t x1037; - fiat_secp384r1_uint1 x1038; - uint32_t x1039; - fiat_secp384r1_uint1 x1040; - uint32_t x1041; - fiat_secp384r1_uint1 x1042; - uint32_t x1043; - uint32_t x1044; - uint32_t x1045; - uint32_t x1046; - uint32_t x1047; - uint32_t x1048; - uint32_t x1049; - uint32_t x1050; - uint32_t x1051; - fiat_secp384r1_uint1 x1052; - uint32_t x1053; - fiat_secp384r1_uint1 x1054; - uint32_t x1055; - fiat_secp384r1_uint1 x1056; - uint32_t x1057; - fiat_secp384r1_uint1 x1058; - uint32_t x1059; - fiat_secp384r1_uint1 x1060; - uint32_t x1061; - fiat_secp384r1_uint1 x1062; - uint32_t x1063; - fiat_secp384r1_uint1 x1064; - uint32_t x1065; - fiat_secp384r1_uint1 x1066; - uint32_t x1067; - fiat_secp384r1_uint1 x1068; - uint32_t x1069; - fiat_secp384r1_uint1 x1070; - uint32_t x1071; - fiat_secp384r1_uint1 x1072; - uint32_t x1073; - fiat_secp384r1_uint1 x1074; - uint32_t x1075; - fiat_secp384r1_uint1 x1076; - uint32_t x1077; - uint32_t x1078; - uint32_t x1079; - uint32_t x1080; - uint32_t x1081; - uint32_t x1082; - uint32_t x1083; - uint32_t x1084; - uint32_t x1085; - uint32_t x1086; - uint32_t x1087; - uint32_t x1088; - uint32_t x1089; - uint32_t x1090; - uint32_t x1091; - uint32_t x1092; - uint32_t x1093; - uint32_t x1094; - uint32_t x1095; - uint32_t x1096; - uint32_t x1097; - fiat_secp384r1_uint1 x1098; - uint32_t x1099; - fiat_secp384r1_uint1 x1100; - uint32_t x1101; - fiat_secp384r1_uint1 x1102; - uint32_t x1103; - fiat_secp384r1_uint1 x1104; - uint32_t x1105; - fiat_secp384r1_uint1 x1106; - uint32_t x1107; - fiat_secp384r1_uint1 x1108; - uint32_t x1109; - fiat_secp384r1_uint1 x1110; - uint32_t x1111; - fiat_secp384r1_uint1 x1112; - uint32_t x1113; - fiat_secp384r1_uint1 x1114; - uint32_t x1115; - fiat_secp384r1_uint1 x1116; - uint32_t x1117; - fiat_secp384r1_uint1 x1118; - uint32_t x1119; - fiat_secp384r1_uint1 x1120; - uint32_t x1121; - fiat_secp384r1_uint1 x1122; - uint32_t x1123; - fiat_secp384r1_uint1 x1124; - uint32_t x1125; - fiat_secp384r1_uint1 x1126; - uint32_t x1127; - fiat_secp384r1_uint1 x1128; - uint32_t x1129; - fiat_secp384r1_uint1 x1130; - uint32_t x1131; - fiat_secp384r1_uint1 x1132; - uint32_t x1133; - fiat_secp384r1_uint1 x1134; - uint32_t x1135; - fiat_secp384r1_uint1 x1136; - uint32_t x1137; - fiat_secp384r1_uint1 x1138; - uint32_t x1139; - fiat_secp384r1_uint1 x1140; - uint32_t x1141; - fiat_secp384r1_uint1 x1142; - uint32_t x1143; - fiat_secp384r1_uint1 x1144; - uint32_t x1145; - fiat_secp384r1_uint1 x1146; - uint32_t x1147; - fiat_secp384r1_uint1 x1148; - uint32_t x1149; - fiat_secp384r1_uint1 x1150; - uint32_t x1151; - fiat_secp384r1_uint1 x1152; - uint32_t x1153; - fiat_secp384r1_uint1 x1154; - uint32_t x1155; - fiat_secp384r1_uint1 x1156; - uint32_t x1157; - fiat_secp384r1_uint1 x1158; - uint32_t x1159; - fiat_secp384r1_uint1 x1160; - uint32_t x1161; - fiat_secp384r1_uint1 x1162; - uint32_t x1163; - fiat_secp384r1_uint1 x1164; - uint32_t x1165; - uint32_t x1166; - uint32_t x1167; - uint32_t x1168; - uint32_t x1169; - uint32_t x1170; - uint32_t x1171; - uint32_t x1172; - uint32_t x1173; - uint32_t x1174; - uint32_t x1175; - uint32_t x1176; - x1 = (arg1[1]); - x2 = (arg1[2]); - x3 = (arg1[3]); - x4 = (arg1[4]); - x5 = (arg1[5]); - x6 = (arg1[6]); - x7 = (arg1[7]); - x8 = (arg1[8]); - x9 = (arg1[9]); - x10 = (arg1[10]); - x11 = (arg1[11]); - x12 = (arg1[0]); - fiat_secp384r1_mulx_u32(&x13, &x14, x12, 0x2); - fiat_secp384r1_mulx_u32(&x15, &x16, x12, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x17, &x18, x12, 0x2); - fiat_secp384r1_mulx_u32(&x19, &x20, x12, UINT32_C(0xfffffffe)); - fiat_secp384r1_addcarryx_u32(&x21, &x22, 0x0, (fiat_secp384r1_uint1)x14, - x12); - fiat_secp384r1_mulx_u32(&x23, &x24, x12, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x25, &x26, x12, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x27, &x28, x12, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x29, &x30, x12, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x31, &x32, x12, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x33, &x34, x12, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x35, &x36, x12, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x37, &x38, x12, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x39, &x40, x12, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x41, &x42, x12, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u32(&x43, &x44, 0x0, x40, x37); - fiat_secp384r1_addcarryx_u32(&x45, &x46, x44, x38, x35); - fiat_secp384r1_addcarryx_u32(&x47, &x48, x46, x36, x33); - fiat_secp384r1_addcarryx_u32(&x49, &x50, x48, x34, x31); - fiat_secp384r1_addcarryx_u32(&x51, &x52, x50, x32, x29); - fiat_secp384r1_addcarryx_u32(&x53, &x54, x52, x30, x27); - fiat_secp384r1_addcarryx_u32(&x55, &x56, x54, x28, x25); - fiat_secp384r1_addcarryx_u32(&x57, &x58, x56, x26, x23); - fiat_secp384r1_addcarryx_u32(&x59, &x60, 0x0, x12, x41); - fiat_secp384r1_addcarryx_u32(&x61, &x62, x60, x19, x42); - fiat_secp384r1_addcarryx_u32(&x63, &x64, 0x0, x17, x39); - fiat_secp384r1_addcarryx_u32(&x65, &x66, x64, (fiat_secp384r1_uint1)x18, - x43); - fiat_secp384r1_addcarryx_u32(&x67, &x68, x66, x15, x45); - fiat_secp384r1_addcarryx_u32(&x69, &x70, x68, x16, x47); - fiat_secp384r1_addcarryx_u32(&x71, &x72, x70, x13, x49); - fiat_secp384r1_addcarryx_u32(&x73, &x74, x72, x21, x51); - fiat_secp384r1_addcarryx_u32(&x75, &x76, x74, x22, x53); - fiat_secp384r1_addcarryx_u32(&x77, &x78, x76, 0x0, x55); - fiat_secp384r1_addcarryx_u32(&x79, &x80, x78, 0x0, x57); - fiat_secp384r1_addcarryx_u32(&x81, &x82, x80, 0x0, (x58 + x24)); - fiat_secp384r1_mulx_u32(&x83, &x84, x1, 0x2); - fiat_secp384r1_mulx_u32(&x85, &x86, x1, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x87, &x88, x1, 0x2); - fiat_secp384r1_mulx_u32(&x89, &x90, x1, UINT32_C(0xfffffffe)); - fiat_secp384r1_addcarryx_u32(&x91, &x92, 0x0, (fiat_secp384r1_uint1)x84, - x1); - fiat_secp384r1_addcarryx_u32(&x93, &x94, 0x0, x61, x1); - fiat_secp384r1_addcarryx_u32(&x95, &x96, x94, (x62 + x20), x89); - fiat_secp384r1_addcarryx_u32(&x97, &x98, x96, x63, x90); - fiat_secp384r1_addcarryx_u32(&x99, &x100, x98, x65, x87); - fiat_secp384r1_addcarryx_u32(&x101, &x102, x100, x67, - (fiat_secp384r1_uint1)x88); - fiat_secp384r1_addcarryx_u32(&x103, &x104, x102, x69, x85); - fiat_secp384r1_addcarryx_u32(&x105, &x106, x104, x71, x86); - fiat_secp384r1_addcarryx_u32(&x107, &x108, x106, x73, x83); - fiat_secp384r1_addcarryx_u32(&x109, &x110, x108, x75, x91); - fiat_secp384r1_addcarryx_u32(&x111, &x112, x110, x77, x92); - fiat_secp384r1_addcarryx_u32(&x113, &x114, x112, x79, 0x0); - fiat_secp384r1_addcarryx_u32(&x115, &x116, x114, x81, 0x0); - fiat_secp384r1_mulx_u32(&x117, &x118, x93, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x119, &x120, x93, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x121, &x122, x93, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x123, &x124, x93, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x125, &x126, x93, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x127, &x128, x93, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x129, &x130, x93, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x131, &x132, x93, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x133, &x134, x93, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x135, &x136, x93, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u32(&x137, &x138, 0x0, x134, x131); - fiat_secp384r1_addcarryx_u32(&x139, &x140, x138, x132, x129); - fiat_secp384r1_addcarryx_u32(&x141, &x142, x140, x130, x127); - fiat_secp384r1_addcarryx_u32(&x143, &x144, x142, x128, x125); - fiat_secp384r1_addcarryx_u32(&x145, &x146, x144, x126, x123); - fiat_secp384r1_addcarryx_u32(&x147, &x148, x146, x124, x121); - fiat_secp384r1_addcarryx_u32(&x149, &x150, x148, x122, x119); - fiat_secp384r1_addcarryx_u32(&x151, &x152, x150, x120, x117); - fiat_secp384r1_addcarryx_u32(&x153, &x154, 0x0, x93, x135); - fiat_secp384r1_addcarryx_u32(&x155, &x156, x154, x95, x136); - fiat_secp384r1_addcarryx_u32(&x157, &x158, x156, x97, 0x0); - fiat_secp384r1_addcarryx_u32(&x159, &x160, x158, x99, x133); - fiat_secp384r1_addcarryx_u32(&x161, &x162, x160, x101, x137); - fiat_secp384r1_addcarryx_u32(&x163, &x164, x162, x103, x139); - fiat_secp384r1_addcarryx_u32(&x165, &x166, x164, x105, x141); - fiat_secp384r1_addcarryx_u32(&x167, &x168, x166, x107, x143); - fiat_secp384r1_addcarryx_u32(&x169, &x170, x168, x109, x145); - fiat_secp384r1_addcarryx_u32(&x171, &x172, x170, x111, x147); - fiat_secp384r1_addcarryx_u32(&x173, &x174, x172, x113, x149); - fiat_secp384r1_addcarryx_u32(&x175, &x176, x174, x115, x151); - fiat_secp384r1_addcarryx_u32(&x177, &x178, x176, ((uint32_t)x116 + x82), - (x152 + x118)); - fiat_secp384r1_mulx_u32(&x179, &x180, x2, 0x2); - fiat_secp384r1_mulx_u32(&x181, &x182, x2, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x183, &x184, x2, 0x2); - fiat_secp384r1_mulx_u32(&x185, &x186, x2, UINT32_C(0xfffffffe)); - fiat_secp384r1_addcarryx_u32(&x187, &x188, 0x0, (fiat_secp384r1_uint1)x180, - x2); - fiat_secp384r1_addcarryx_u32(&x189, &x190, 0x0, x155, x2); - fiat_secp384r1_addcarryx_u32(&x191, &x192, x190, x157, x185); - fiat_secp384r1_addcarryx_u32(&x193, &x194, x192, x159, x186); - fiat_secp384r1_addcarryx_u32(&x195, &x196, x194, x161, x183); - fiat_secp384r1_addcarryx_u32(&x197, &x198, x196, x163, - (fiat_secp384r1_uint1)x184); - fiat_secp384r1_addcarryx_u32(&x199, &x200, x198, x165, x181); - fiat_secp384r1_addcarryx_u32(&x201, &x202, x200, x167, x182); - fiat_secp384r1_addcarryx_u32(&x203, &x204, x202, x169, x179); - fiat_secp384r1_addcarryx_u32(&x205, &x206, x204, x171, x187); - fiat_secp384r1_addcarryx_u32(&x207, &x208, x206, x173, x188); - fiat_secp384r1_addcarryx_u32(&x209, &x210, x208, x175, 0x0); - fiat_secp384r1_addcarryx_u32(&x211, &x212, x210, x177, 0x0); - fiat_secp384r1_mulx_u32(&x213, &x214, x189, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x215, &x216, x189, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x217, &x218, x189, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x219, &x220, x189, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x221, &x222, x189, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x223, &x224, x189, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x225, &x226, x189, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x227, &x228, x189, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x229, &x230, x189, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x231, &x232, x189, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u32(&x233, &x234, 0x0, x230, x227); - fiat_secp384r1_addcarryx_u32(&x235, &x236, x234, x228, x225); - fiat_secp384r1_addcarryx_u32(&x237, &x238, x236, x226, x223); - fiat_secp384r1_addcarryx_u32(&x239, &x240, x238, x224, x221); - fiat_secp384r1_addcarryx_u32(&x241, &x242, x240, x222, x219); - fiat_secp384r1_addcarryx_u32(&x243, &x244, x242, x220, x217); - fiat_secp384r1_addcarryx_u32(&x245, &x246, x244, x218, x215); - fiat_secp384r1_addcarryx_u32(&x247, &x248, x246, x216, x213); - fiat_secp384r1_addcarryx_u32(&x249, &x250, 0x0, x189, x231); - fiat_secp384r1_addcarryx_u32(&x251, &x252, x250, x191, x232); - fiat_secp384r1_addcarryx_u32(&x253, &x254, x252, x193, 0x0); - fiat_secp384r1_addcarryx_u32(&x255, &x256, x254, x195, x229); - fiat_secp384r1_addcarryx_u32(&x257, &x258, x256, x197, x233); - fiat_secp384r1_addcarryx_u32(&x259, &x260, x258, x199, x235); - fiat_secp384r1_addcarryx_u32(&x261, &x262, x260, x201, x237); - fiat_secp384r1_addcarryx_u32(&x263, &x264, x262, x203, x239); - fiat_secp384r1_addcarryx_u32(&x265, &x266, x264, x205, x241); - fiat_secp384r1_addcarryx_u32(&x267, &x268, x266, x207, x243); - fiat_secp384r1_addcarryx_u32(&x269, &x270, x268, x209, x245); - fiat_secp384r1_addcarryx_u32(&x271, &x272, x270, x211, x247); - fiat_secp384r1_addcarryx_u32(&x273, &x274, x272, ((uint32_t)x212 + x178), - (x248 + x214)); - fiat_secp384r1_mulx_u32(&x275, &x276, x3, 0x2); - fiat_secp384r1_mulx_u32(&x277, &x278, x3, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x279, &x280, x3, 0x2); - fiat_secp384r1_mulx_u32(&x281, &x282, x3, UINT32_C(0xfffffffe)); - fiat_secp384r1_addcarryx_u32(&x283, &x284, 0x0, (fiat_secp384r1_uint1)x276, - x3); - fiat_secp384r1_addcarryx_u32(&x285, &x286, 0x0, x251, x3); - fiat_secp384r1_addcarryx_u32(&x287, &x288, x286, x253, x281); - fiat_secp384r1_addcarryx_u32(&x289, &x290, x288, x255, x282); - fiat_secp384r1_addcarryx_u32(&x291, &x292, x290, x257, x279); - fiat_secp384r1_addcarryx_u32(&x293, &x294, x292, x259, - (fiat_secp384r1_uint1)x280); - fiat_secp384r1_addcarryx_u32(&x295, &x296, x294, x261, x277); - fiat_secp384r1_addcarryx_u32(&x297, &x298, x296, x263, x278); - fiat_secp384r1_addcarryx_u32(&x299, &x300, x298, x265, x275); - fiat_secp384r1_addcarryx_u32(&x301, &x302, x300, x267, x283); - fiat_secp384r1_addcarryx_u32(&x303, &x304, x302, x269, x284); - fiat_secp384r1_addcarryx_u32(&x305, &x306, x304, x271, 0x0); - fiat_secp384r1_addcarryx_u32(&x307, &x308, x306, x273, 0x0); - fiat_secp384r1_mulx_u32(&x309, &x310, x285, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x311, &x312, x285, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x313, &x314, x285, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x315, &x316, x285, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x317, &x318, x285, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x319, &x320, x285, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x321, &x322, x285, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x323, &x324, x285, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x325, &x326, x285, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x327, &x328, x285, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u32(&x329, &x330, 0x0, x326, x323); - fiat_secp384r1_addcarryx_u32(&x331, &x332, x330, x324, x321); - fiat_secp384r1_addcarryx_u32(&x333, &x334, x332, x322, x319); - fiat_secp384r1_addcarryx_u32(&x335, &x336, x334, x320, x317); - fiat_secp384r1_addcarryx_u32(&x337, &x338, x336, x318, x315); - fiat_secp384r1_addcarryx_u32(&x339, &x340, x338, x316, x313); - fiat_secp384r1_addcarryx_u32(&x341, &x342, x340, x314, x311); - fiat_secp384r1_addcarryx_u32(&x343, &x344, x342, x312, x309); - fiat_secp384r1_addcarryx_u32(&x345, &x346, 0x0, x285, x327); - fiat_secp384r1_addcarryx_u32(&x347, &x348, x346, x287, x328); - fiat_secp384r1_addcarryx_u32(&x349, &x350, x348, x289, 0x0); - fiat_secp384r1_addcarryx_u32(&x351, &x352, x350, x291, x325); - fiat_secp384r1_addcarryx_u32(&x353, &x354, x352, x293, x329); - fiat_secp384r1_addcarryx_u32(&x355, &x356, x354, x295, x331); - fiat_secp384r1_addcarryx_u32(&x357, &x358, x356, x297, x333); - fiat_secp384r1_addcarryx_u32(&x359, &x360, x358, x299, x335); - fiat_secp384r1_addcarryx_u32(&x361, &x362, x360, x301, x337); - fiat_secp384r1_addcarryx_u32(&x363, &x364, x362, x303, x339); - fiat_secp384r1_addcarryx_u32(&x365, &x366, x364, x305, x341); - fiat_secp384r1_addcarryx_u32(&x367, &x368, x366, x307, x343); - fiat_secp384r1_addcarryx_u32(&x369, &x370, x368, ((uint32_t)x308 + x274), - (x344 + x310)); - fiat_secp384r1_mulx_u32(&x371, &x372, x4, 0x2); - fiat_secp384r1_mulx_u32(&x373, &x374, x4, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x375, &x376, x4, 0x2); - fiat_secp384r1_mulx_u32(&x377, &x378, x4, UINT32_C(0xfffffffe)); - fiat_secp384r1_addcarryx_u32(&x379, &x380, 0x0, (fiat_secp384r1_uint1)x372, - x4); - fiat_secp384r1_addcarryx_u32(&x381, &x382, 0x0, x347, x4); - fiat_secp384r1_addcarryx_u32(&x383, &x384, x382, x349, x377); - fiat_secp384r1_addcarryx_u32(&x385, &x386, x384, x351, x378); - fiat_secp384r1_addcarryx_u32(&x387, &x388, x386, x353, x375); - fiat_secp384r1_addcarryx_u32(&x389, &x390, x388, x355, - (fiat_secp384r1_uint1)x376); - fiat_secp384r1_addcarryx_u32(&x391, &x392, x390, x357, x373); - fiat_secp384r1_addcarryx_u32(&x393, &x394, x392, x359, x374); - fiat_secp384r1_addcarryx_u32(&x395, &x396, x394, x361, x371); - fiat_secp384r1_addcarryx_u32(&x397, &x398, x396, x363, x379); - fiat_secp384r1_addcarryx_u32(&x399, &x400, x398, x365, x380); - fiat_secp384r1_addcarryx_u32(&x401, &x402, x400, x367, 0x0); - fiat_secp384r1_addcarryx_u32(&x403, &x404, x402, x369, 0x0); - fiat_secp384r1_mulx_u32(&x405, &x406, x381, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x407, &x408, x381, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x409, &x410, x381, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x411, &x412, x381, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x413, &x414, x381, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x415, &x416, x381, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x417, &x418, x381, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x419, &x420, x381, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x421, &x422, x381, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x423, &x424, x381, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u32(&x425, &x426, 0x0, x422, x419); - fiat_secp384r1_addcarryx_u32(&x427, &x428, x426, x420, x417); - fiat_secp384r1_addcarryx_u32(&x429, &x430, x428, x418, x415); - fiat_secp384r1_addcarryx_u32(&x431, &x432, x430, x416, x413); - fiat_secp384r1_addcarryx_u32(&x433, &x434, x432, x414, x411); - fiat_secp384r1_addcarryx_u32(&x435, &x436, x434, x412, x409); - fiat_secp384r1_addcarryx_u32(&x437, &x438, x436, x410, x407); - fiat_secp384r1_addcarryx_u32(&x439, &x440, x438, x408, x405); - fiat_secp384r1_addcarryx_u32(&x441, &x442, 0x0, x381, x423); - fiat_secp384r1_addcarryx_u32(&x443, &x444, x442, x383, x424); - fiat_secp384r1_addcarryx_u32(&x445, &x446, x444, x385, 0x0); - fiat_secp384r1_addcarryx_u32(&x447, &x448, x446, x387, x421); - fiat_secp384r1_addcarryx_u32(&x449, &x450, x448, x389, x425); - fiat_secp384r1_addcarryx_u32(&x451, &x452, x450, x391, x427); - fiat_secp384r1_addcarryx_u32(&x453, &x454, x452, x393, x429); - fiat_secp384r1_addcarryx_u32(&x455, &x456, x454, x395, x431); - fiat_secp384r1_addcarryx_u32(&x457, &x458, x456, x397, x433); - fiat_secp384r1_addcarryx_u32(&x459, &x460, x458, x399, x435); - fiat_secp384r1_addcarryx_u32(&x461, &x462, x460, x401, x437); - fiat_secp384r1_addcarryx_u32(&x463, &x464, x462, x403, x439); - fiat_secp384r1_addcarryx_u32(&x465, &x466, x464, ((uint32_t)x404 + x370), - (x440 + x406)); - fiat_secp384r1_mulx_u32(&x467, &x468, x5, 0x2); - fiat_secp384r1_mulx_u32(&x469, &x470, x5, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x471, &x472, x5, 0x2); - fiat_secp384r1_mulx_u32(&x473, &x474, x5, UINT32_C(0xfffffffe)); - fiat_secp384r1_addcarryx_u32(&x475, &x476, 0x0, (fiat_secp384r1_uint1)x468, - x5); - fiat_secp384r1_addcarryx_u32(&x477, &x478, 0x0, x443, x5); - fiat_secp384r1_addcarryx_u32(&x479, &x480, x478, x445, x473); - fiat_secp384r1_addcarryx_u32(&x481, &x482, x480, x447, x474); - fiat_secp384r1_addcarryx_u32(&x483, &x484, x482, x449, x471); - fiat_secp384r1_addcarryx_u32(&x485, &x486, x484, x451, - (fiat_secp384r1_uint1)x472); - fiat_secp384r1_addcarryx_u32(&x487, &x488, x486, x453, x469); - fiat_secp384r1_addcarryx_u32(&x489, &x490, x488, x455, x470); - fiat_secp384r1_addcarryx_u32(&x491, &x492, x490, x457, x467); - fiat_secp384r1_addcarryx_u32(&x493, &x494, x492, x459, x475); - fiat_secp384r1_addcarryx_u32(&x495, &x496, x494, x461, x476); - fiat_secp384r1_addcarryx_u32(&x497, &x498, x496, x463, 0x0); - fiat_secp384r1_addcarryx_u32(&x499, &x500, x498, x465, 0x0); - fiat_secp384r1_mulx_u32(&x501, &x502, x477, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x503, &x504, x477, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x505, &x506, x477, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x507, &x508, x477, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x509, &x510, x477, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x511, &x512, x477, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x513, &x514, x477, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x515, &x516, x477, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x517, &x518, x477, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x519, &x520, x477, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u32(&x521, &x522, 0x0, x518, x515); - fiat_secp384r1_addcarryx_u32(&x523, &x524, x522, x516, x513); - fiat_secp384r1_addcarryx_u32(&x525, &x526, x524, x514, x511); - fiat_secp384r1_addcarryx_u32(&x527, &x528, x526, x512, x509); - fiat_secp384r1_addcarryx_u32(&x529, &x530, x528, x510, x507); - fiat_secp384r1_addcarryx_u32(&x531, &x532, x530, x508, x505); - fiat_secp384r1_addcarryx_u32(&x533, &x534, x532, x506, x503); - fiat_secp384r1_addcarryx_u32(&x535, &x536, x534, x504, x501); - fiat_secp384r1_addcarryx_u32(&x537, &x538, 0x0, x477, x519); - fiat_secp384r1_addcarryx_u32(&x539, &x540, x538, x479, x520); - fiat_secp384r1_addcarryx_u32(&x541, &x542, x540, x481, 0x0); - fiat_secp384r1_addcarryx_u32(&x543, &x544, x542, x483, x517); - fiat_secp384r1_addcarryx_u32(&x545, &x546, x544, x485, x521); - fiat_secp384r1_addcarryx_u32(&x547, &x548, x546, x487, x523); - fiat_secp384r1_addcarryx_u32(&x549, &x550, x548, x489, x525); - fiat_secp384r1_addcarryx_u32(&x551, &x552, x550, x491, x527); - fiat_secp384r1_addcarryx_u32(&x553, &x554, x552, x493, x529); - fiat_secp384r1_addcarryx_u32(&x555, &x556, x554, x495, x531); - fiat_secp384r1_addcarryx_u32(&x557, &x558, x556, x497, x533); - fiat_secp384r1_addcarryx_u32(&x559, &x560, x558, x499, x535); - fiat_secp384r1_addcarryx_u32(&x561, &x562, x560, ((uint32_t)x500 + x466), - (x536 + x502)); - fiat_secp384r1_mulx_u32(&x563, &x564, x6, 0x2); - fiat_secp384r1_mulx_u32(&x565, &x566, x6, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x567, &x568, x6, 0x2); - fiat_secp384r1_mulx_u32(&x569, &x570, x6, UINT32_C(0xfffffffe)); - fiat_secp384r1_addcarryx_u32(&x571, &x572, 0x0, (fiat_secp384r1_uint1)x564, - x6); - fiat_secp384r1_addcarryx_u32(&x573, &x574, 0x0, x539, x6); - fiat_secp384r1_addcarryx_u32(&x575, &x576, x574, x541, x569); - fiat_secp384r1_addcarryx_u32(&x577, &x578, x576, x543, x570); - fiat_secp384r1_addcarryx_u32(&x579, &x580, x578, x545, x567); - fiat_secp384r1_addcarryx_u32(&x581, &x582, x580, x547, - (fiat_secp384r1_uint1)x568); - fiat_secp384r1_addcarryx_u32(&x583, &x584, x582, x549, x565); - fiat_secp384r1_addcarryx_u32(&x585, &x586, x584, x551, x566); - fiat_secp384r1_addcarryx_u32(&x587, &x588, x586, x553, x563); - fiat_secp384r1_addcarryx_u32(&x589, &x590, x588, x555, x571); - fiat_secp384r1_addcarryx_u32(&x591, &x592, x590, x557, x572); - fiat_secp384r1_addcarryx_u32(&x593, &x594, x592, x559, 0x0); - fiat_secp384r1_addcarryx_u32(&x595, &x596, x594, x561, 0x0); - fiat_secp384r1_mulx_u32(&x597, &x598, x573, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x599, &x600, x573, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x601, &x602, x573, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x603, &x604, x573, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x605, &x606, x573, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x607, &x608, x573, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x609, &x610, x573, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x611, &x612, x573, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x613, &x614, x573, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x615, &x616, x573, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u32(&x617, &x618, 0x0, x614, x611); - fiat_secp384r1_addcarryx_u32(&x619, &x620, x618, x612, x609); - fiat_secp384r1_addcarryx_u32(&x621, &x622, x620, x610, x607); - fiat_secp384r1_addcarryx_u32(&x623, &x624, x622, x608, x605); - fiat_secp384r1_addcarryx_u32(&x625, &x626, x624, x606, x603); - fiat_secp384r1_addcarryx_u32(&x627, &x628, x626, x604, x601); - fiat_secp384r1_addcarryx_u32(&x629, &x630, x628, x602, x599); - fiat_secp384r1_addcarryx_u32(&x631, &x632, x630, x600, x597); - fiat_secp384r1_addcarryx_u32(&x633, &x634, 0x0, x573, x615); - fiat_secp384r1_addcarryx_u32(&x635, &x636, x634, x575, x616); - fiat_secp384r1_addcarryx_u32(&x637, &x638, x636, x577, 0x0); - fiat_secp384r1_addcarryx_u32(&x639, &x640, x638, x579, x613); - fiat_secp384r1_addcarryx_u32(&x641, &x642, x640, x581, x617); - fiat_secp384r1_addcarryx_u32(&x643, &x644, x642, x583, x619); - fiat_secp384r1_addcarryx_u32(&x645, &x646, x644, x585, x621); - fiat_secp384r1_addcarryx_u32(&x647, &x648, x646, x587, x623); - fiat_secp384r1_addcarryx_u32(&x649, &x650, x648, x589, x625); - fiat_secp384r1_addcarryx_u32(&x651, &x652, x650, x591, x627); - fiat_secp384r1_addcarryx_u32(&x653, &x654, x652, x593, x629); - fiat_secp384r1_addcarryx_u32(&x655, &x656, x654, x595, x631); - fiat_secp384r1_addcarryx_u32(&x657, &x658, x656, ((uint32_t)x596 + x562), - (x632 + x598)); - fiat_secp384r1_mulx_u32(&x659, &x660, x7, 0x2); - fiat_secp384r1_mulx_u32(&x661, &x662, x7, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x663, &x664, x7, 0x2); - fiat_secp384r1_mulx_u32(&x665, &x666, x7, UINT32_C(0xfffffffe)); - fiat_secp384r1_addcarryx_u32(&x667, &x668, 0x0, (fiat_secp384r1_uint1)x660, - x7); - fiat_secp384r1_addcarryx_u32(&x669, &x670, 0x0, x635, x7); - fiat_secp384r1_addcarryx_u32(&x671, &x672, x670, x637, x665); - fiat_secp384r1_addcarryx_u32(&x673, &x674, x672, x639, x666); - fiat_secp384r1_addcarryx_u32(&x675, &x676, x674, x641, x663); - fiat_secp384r1_addcarryx_u32(&x677, &x678, x676, x643, - (fiat_secp384r1_uint1)x664); - fiat_secp384r1_addcarryx_u32(&x679, &x680, x678, x645, x661); - fiat_secp384r1_addcarryx_u32(&x681, &x682, x680, x647, x662); - fiat_secp384r1_addcarryx_u32(&x683, &x684, x682, x649, x659); - fiat_secp384r1_addcarryx_u32(&x685, &x686, x684, x651, x667); - fiat_secp384r1_addcarryx_u32(&x687, &x688, x686, x653, x668); - fiat_secp384r1_addcarryx_u32(&x689, &x690, x688, x655, 0x0); - fiat_secp384r1_addcarryx_u32(&x691, &x692, x690, x657, 0x0); - fiat_secp384r1_mulx_u32(&x693, &x694, x669, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x695, &x696, x669, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x697, &x698, x669, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x699, &x700, x669, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x701, &x702, x669, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x703, &x704, x669, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x705, &x706, x669, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x707, &x708, x669, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x709, &x710, x669, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x711, &x712, x669, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u32(&x713, &x714, 0x0, x710, x707); - fiat_secp384r1_addcarryx_u32(&x715, &x716, x714, x708, x705); - fiat_secp384r1_addcarryx_u32(&x717, &x718, x716, x706, x703); - fiat_secp384r1_addcarryx_u32(&x719, &x720, x718, x704, x701); - fiat_secp384r1_addcarryx_u32(&x721, &x722, x720, x702, x699); - fiat_secp384r1_addcarryx_u32(&x723, &x724, x722, x700, x697); - fiat_secp384r1_addcarryx_u32(&x725, &x726, x724, x698, x695); - fiat_secp384r1_addcarryx_u32(&x727, &x728, x726, x696, x693); - fiat_secp384r1_addcarryx_u32(&x729, &x730, 0x0, x669, x711); - fiat_secp384r1_addcarryx_u32(&x731, &x732, x730, x671, x712); - fiat_secp384r1_addcarryx_u32(&x733, &x734, x732, x673, 0x0); - fiat_secp384r1_addcarryx_u32(&x735, &x736, x734, x675, x709); - fiat_secp384r1_addcarryx_u32(&x737, &x738, x736, x677, x713); - fiat_secp384r1_addcarryx_u32(&x739, &x740, x738, x679, x715); - fiat_secp384r1_addcarryx_u32(&x741, &x742, x740, x681, x717); - fiat_secp384r1_addcarryx_u32(&x743, &x744, x742, x683, x719); - fiat_secp384r1_addcarryx_u32(&x745, &x746, x744, x685, x721); - fiat_secp384r1_addcarryx_u32(&x747, &x748, x746, x687, x723); - fiat_secp384r1_addcarryx_u32(&x749, &x750, x748, x689, x725); - fiat_secp384r1_addcarryx_u32(&x751, &x752, x750, x691, x727); - fiat_secp384r1_addcarryx_u32(&x753, &x754, x752, ((uint32_t)x692 + x658), - (x728 + x694)); - fiat_secp384r1_mulx_u32(&x755, &x756, x8, 0x2); - fiat_secp384r1_mulx_u32(&x757, &x758, x8, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x759, &x760, x8, 0x2); - fiat_secp384r1_mulx_u32(&x761, &x762, x8, UINT32_C(0xfffffffe)); - fiat_secp384r1_addcarryx_u32(&x763, &x764, 0x0, (fiat_secp384r1_uint1)x756, - x8); - fiat_secp384r1_addcarryx_u32(&x765, &x766, 0x0, x731, x8); - fiat_secp384r1_addcarryx_u32(&x767, &x768, x766, x733, x761); - fiat_secp384r1_addcarryx_u32(&x769, &x770, x768, x735, x762); - fiat_secp384r1_addcarryx_u32(&x771, &x772, x770, x737, x759); - fiat_secp384r1_addcarryx_u32(&x773, &x774, x772, x739, - (fiat_secp384r1_uint1)x760); - fiat_secp384r1_addcarryx_u32(&x775, &x776, x774, x741, x757); - fiat_secp384r1_addcarryx_u32(&x777, &x778, x776, x743, x758); - fiat_secp384r1_addcarryx_u32(&x779, &x780, x778, x745, x755); - fiat_secp384r1_addcarryx_u32(&x781, &x782, x780, x747, x763); - fiat_secp384r1_addcarryx_u32(&x783, &x784, x782, x749, x764); - fiat_secp384r1_addcarryx_u32(&x785, &x786, x784, x751, 0x0); - fiat_secp384r1_addcarryx_u32(&x787, &x788, x786, x753, 0x0); - fiat_secp384r1_mulx_u32(&x789, &x790, x765, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x791, &x792, x765, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x793, &x794, x765, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x795, &x796, x765, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x797, &x798, x765, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x799, &x800, x765, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x801, &x802, x765, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x803, &x804, x765, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x805, &x806, x765, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x807, &x808, x765, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u32(&x809, &x810, 0x0, x806, x803); - fiat_secp384r1_addcarryx_u32(&x811, &x812, x810, x804, x801); - fiat_secp384r1_addcarryx_u32(&x813, &x814, x812, x802, x799); - fiat_secp384r1_addcarryx_u32(&x815, &x816, x814, x800, x797); - fiat_secp384r1_addcarryx_u32(&x817, &x818, x816, x798, x795); - fiat_secp384r1_addcarryx_u32(&x819, &x820, x818, x796, x793); - fiat_secp384r1_addcarryx_u32(&x821, &x822, x820, x794, x791); - fiat_secp384r1_addcarryx_u32(&x823, &x824, x822, x792, x789); - fiat_secp384r1_addcarryx_u32(&x825, &x826, 0x0, x765, x807); - fiat_secp384r1_addcarryx_u32(&x827, &x828, x826, x767, x808); - fiat_secp384r1_addcarryx_u32(&x829, &x830, x828, x769, 0x0); - fiat_secp384r1_addcarryx_u32(&x831, &x832, x830, x771, x805); - fiat_secp384r1_addcarryx_u32(&x833, &x834, x832, x773, x809); - fiat_secp384r1_addcarryx_u32(&x835, &x836, x834, x775, x811); - fiat_secp384r1_addcarryx_u32(&x837, &x838, x836, x777, x813); - fiat_secp384r1_addcarryx_u32(&x839, &x840, x838, x779, x815); - fiat_secp384r1_addcarryx_u32(&x841, &x842, x840, x781, x817); - fiat_secp384r1_addcarryx_u32(&x843, &x844, x842, x783, x819); - fiat_secp384r1_addcarryx_u32(&x845, &x846, x844, x785, x821); - fiat_secp384r1_addcarryx_u32(&x847, &x848, x846, x787, x823); - fiat_secp384r1_addcarryx_u32(&x849, &x850, x848, ((uint32_t)x788 + x754), - (x824 + x790)); - fiat_secp384r1_mulx_u32(&x851, &x852, x9, 0x2); - fiat_secp384r1_mulx_u32(&x853, &x854, x9, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x855, &x856, x9, 0x2); - fiat_secp384r1_mulx_u32(&x857, &x858, x9, UINT32_C(0xfffffffe)); - fiat_secp384r1_addcarryx_u32(&x859, &x860, 0x0, (fiat_secp384r1_uint1)x852, - x9); - fiat_secp384r1_addcarryx_u32(&x861, &x862, 0x0, x827, x9); - fiat_secp384r1_addcarryx_u32(&x863, &x864, x862, x829, x857); - fiat_secp384r1_addcarryx_u32(&x865, &x866, x864, x831, x858); - fiat_secp384r1_addcarryx_u32(&x867, &x868, x866, x833, x855); - fiat_secp384r1_addcarryx_u32(&x869, &x870, x868, x835, - (fiat_secp384r1_uint1)x856); - fiat_secp384r1_addcarryx_u32(&x871, &x872, x870, x837, x853); - fiat_secp384r1_addcarryx_u32(&x873, &x874, x872, x839, x854); - fiat_secp384r1_addcarryx_u32(&x875, &x876, x874, x841, x851); - fiat_secp384r1_addcarryx_u32(&x877, &x878, x876, x843, x859); - fiat_secp384r1_addcarryx_u32(&x879, &x880, x878, x845, x860); - fiat_secp384r1_addcarryx_u32(&x881, &x882, x880, x847, 0x0); - fiat_secp384r1_addcarryx_u32(&x883, &x884, x882, x849, 0x0); - fiat_secp384r1_mulx_u32(&x885, &x886, x861, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x887, &x888, x861, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x889, &x890, x861, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x891, &x892, x861, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x893, &x894, x861, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x895, &x896, x861, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x897, &x898, x861, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x899, &x900, x861, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x901, &x902, x861, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x903, &x904, x861, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u32(&x905, &x906, 0x0, x902, x899); - fiat_secp384r1_addcarryx_u32(&x907, &x908, x906, x900, x897); - fiat_secp384r1_addcarryx_u32(&x909, &x910, x908, x898, x895); - fiat_secp384r1_addcarryx_u32(&x911, &x912, x910, x896, x893); - fiat_secp384r1_addcarryx_u32(&x913, &x914, x912, x894, x891); - fiat_secp384r1_addcarryx_u32(&x915, &x916, x914, x892, x889); - fiat_secp384r1_addcarryx_u32(&x917, &x918, x916, x890, x887); - fiat_secp384r1_addcarryx_u32(&x919, &x920, x918, x888, x885); - fiat_secp384r1_addcarryx_u32(&x921, &x922, 0x0, x861, x903); - fiat_secp384r1_addcarryx_u32(&x923, &x924, x922, x863, x904); - fiat_secp384r1_addcarryx_u32(&x925, &x926, x924, x865, 0x0); - fiat_secp384r1_addcarryx_u32(&x927, &x928, x926, x867, x901); - fiat_secp384r1_addcarryx_u32(&x929, &x930, x928, x869, x905); - fiat_secp384r1_addcarryx_u32(&x931, &x932, x930, x871, x907); - fiat_secp384r1_addcarryx_u32(&x933, &x934, x932, x873, x909); - fiat_secp384r1_addcarryx_u32(&x935, &x936, x934, x875, x911); - fiat_secp384r1_addcarryx_u32(&x937, &x938, x936, x877, x913); - fiat_secp384r1_addcarryx_u32(&x939, &x940, x938, x879, x915); - fiat_secp384r1_addcarryx_u32(&x941, &x942, x940, x881, x917); - fiat_secp384r1_addcarryx_u32(&x943, &x944, x942, x883, x919); - fiat_secp384r1_addcarryx_u32(&x945, &x946, x944, ((uint32_t)x884 + x850), - (x920 + x886)); - fiat_secp384r1_mulx_u32(&x947, &x948, x10, 0x2); - fiat_secp384r1_mulx_u32(&x949, &x950, x10, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x951, &x952, x10, 0x2); - fiat_secp384r1_mulx_u32(&x953, &x954, x10, UINT32_C(0xfffffffe)); - fiat_secp384r1_addcarryx_u32(&x955, &x956, 0x0, (fiat_secp384r1_uint1)x948, - x10); - fiat_secp384r1_addcarryx_u32(&x957, &x958, 0x0, x923, x10); - fiat_secp384r1_addcarryx_u32(&x959, &x960, x958, x925, x953); - fiat_secp384r1_addcarryx_u32(&x961, &x962, x960, x927, x954); - fiat_secp384r1_addcarryx_u32(&x963, &x964, x962, x929, x951); - fiat_secp384r1_addcarryx_u32(&x965, &x966, x964, x931, - (fiat_secp384r1_uint1)x952); - fiat_secp384r1_addcarryx_u32(&x967, &x968, x966, x933, x949); - fiat_secp384r1_addcarryx_u32(&x969, &x970, x968, x935, x950); - fiat_secp384r1_addcarryx_u32(&x971, &x972, x970, x937, x947); - fiat_secp384r1_addcarryx_u32(&x973, &x974, x972, x939, x955); - fiat_secp384r1_addcarryx_u32(&x975, &x976, x974, x941, x956); - fiat_secp384r1_addcarryx_u32(&x977, &x978, x976, x943, 0x0); - fiat_secp384r1_addcarryx_u32(&x979, &x980, x978, x945, 0x0); - fiat_secp384r1_mulx_u32(&x981, &x982, x957, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x983, &x984, x957, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x985, &x986, x957, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x987, &x988, x957, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x989, &x990, x957, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x991, &x992, x957, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x993, &x994, x957, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x995, &x996, x957, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x997, &x998, x957, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x999, &x1000, x957, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u32(&x1001, &x1002, 0x0, x998, x995); - fiat_secp384r1_addcarryx_u32(&x1003, &x1004, x1002, x996, x993); - fiat_secp384r1_addcarryx_u32(&x1005, &x1006, x1004, x994, x991); - fiat_secp384r1_addcarryx_u32(&x1007, &x1008, x1006, x992, x989); - fiat_secp384r1_addcarryx_u32(&x1009, &x1010, x1008, x990, x987); - fiat_secp384r1_addcarryx_u32(&x1011, &x1012, x1010, x988, x985); - fiat_secp384r1_addcarryx_u32(&x1013, &x1014, x1012, x986, x983); - fiat_secp384r1_addcarryx_u32(&x1015, &x1016, x1014, x984, x981); - fiat_secp384r1_addcarryx_u32(&x1017, &x1018, 0x0, x957, x999); - fiat_secp384r1_addcarryx_u32(&x1019, &x1020, x1018, x959, x1000); - fiat_secp384r1_addcarryx_u32(&x1021, &x1022, x1020, x961, 0x0); - fiat_secp384r1_addcarryx_u32(&x1023, &x1024, x1022, x963, x997); - fiat_secp384r1_addcarryx_u32(&x1025, &x1026, x1024, x965, x1001); - fiat_secp384r1_addcarryx_u32(&x1027, &x1028, x1026, x967, x1003); - fiat_secp384r1_addcarryx_u32(&x1029, &x1030, x1028, x969, x1005); - fiat_secp384r1_addcarryx_u32(&x1031, &x1032, x1030, x971, x1007); - fiat_secp384r1_addcarryx_u32(&x1033, &x1034, x1032, x973, x1009); - fiat_secp384r1_addcarryx_u32(&x1035, &x1036, x1034, x975, x1011); - fiat_secp384r1_addcarryx_u32(&x1037, &x1038, x1036, x977, x1013); - fiat_secp384r1_addcarryx_u32(&x1039, &x1040, x1038, x979, x1015); - fiat_secp384r1_addcarryx_u32(&x1041, &x1042, x1040, ((uint32_t)x980 + x946), - (x1016 + x982)); - fiat_secp384r1_mulx_u32(&x1043, &x1044, x11, 0x2); - fiat_secp384r1_mulx_u32(&x1045, &x1046, x11, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x1047, &x1048, x11, 0x2); - fiat_secp384r1_mulx_u32(&x1049, &x1050, x11, UINT32_C(0xfffffffe)); - fiat_secp384r1_addcarryx_u32(&x1051, &x1052, 0x0, - (fiat_secp384r1_uint1)x1044, x11); - fiat_secp384r1_addcarryx_u32(&x1053, &x1054, 0x0, x1019, x11); - fiat_secp384r1_addcarryx_u32(&x1055, &x1056, x1054, x1021, x1049); - fiat_secp384r1_addcarryx_u32(&x1057, &x1058, x1056, x1023, x1050); - fiat_secp384r1_addcarryx_u32(&x1059, &x1060, x1058, x1025, x1047); - fiat_secp384r1_addcarryx_u32(&x1061, &x1062, x1060, x1027, - (fiat_secp384r1_uint1)x1048); - fiat_secp384r1_addcarryx_u32(&x1063, &x1064, x1062, x1029, x1045); - fiat_secp384r1_addcarryx_u32(&x1065, &x1066, x1064, x1031, x1046); - fiat_secp384r1_addcarryx_u32(&x1067, &x1068, x1066, x1033, x1043); - fiat_secp384r1_addcarryx_u32(&x1069, &x1070, x1068, x1035, x1051); - fiat_secp384r1_addcarryx_u32(&x1071, &x1072, x1070, x1037, x1052); - fiat_secp384r1_addcarryx_u32(&x1073, &x1074, x1072, x1039, 0x0); - fiat_secp384r1_addcarryx_u32(&x1075, &x1076, x1074, x1041, 0x0); - fiat_secp384r1_mulx_u32(&x1077, &x1078, x1053, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1079, &x1080, x1053, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1081, &x1082, x1053, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1083, &x1084, x1053, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1085, &x1086, x1053, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1087, &x1088, x1053, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1089, &x1090, x1053, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1091, &x1092, x1053, UINT32_C(0xfffffffe)); - fiat_secp384r1_mulx_u32(&x1093, &x1094, x1053, UINT32_C(0xffffffff)); - fiat_secp384r1_mulx_u32(&x1095, &x1096, x1053, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u32(&x1097, &x1098, 0x0, x1094, x1091); - fiat_secp384r1_addcarryx_u32(&x1099, &x1100, x1098, x1092, x1089); - fiat_secp384r1_addcarryx_u32(&x1101, &x1102, x1100, x1090, x1087); - fiat_secp384r1_addcarryx_u32(&x1103, &x1104, x1102, x1088, x1085); - fiat_secp384r1_addcarryx_u32(&x1105, &x1106, x1104, x1086, x1083); - fiat_secp384r1_addcarryx_u32(&x1107, &x1108, x1106, x1084, x1081); - fiat_secp384r1_addcarryx_u32(&x1109, &x1110, x1108, x1082, x1079); - fiat_secp384r1_addcarryx_u32(&x1111, &x1112, x1110, x1080, x1077); - fiat_secp384r1_addcarryx_u32(&x1113, &x1114, 0x0, x1053, x1095); - fiat_secp384r1_addcarryx_u32(&x1115, &x1116, x1114, x1055, x1096); - fiat_secp384r1_addcarryx_u32(&x1117, &x1118, x1116, x1057, 0x0); - fiat_secp384r1_addcarryx_u32(&x1119, &x1120, x1118, x1059, x1093); - fiat_secp384r1_addcarryx_u32(&x1121, &x1122, x1120, x1061, x1097); - fiat_secp384r1_addcarryx_u32(&x1123, &x1124, x1122, x1063, x1099); - fiat_secp384r1_addcarryx_u32(&x1125, &x1126, x1124, x1065, x1101); - fiat_secp384r1_addcarryx_u32(&x1127, &x1128, x1126, x1067, x1103); - fiat_secp384r1_addcarryx_u32(&x1129, &x1130, x1128, x1069, x1105); - fiat_secp384r1_addcarryx_u32(&x1131, &x1132, x1130, x1071, x1107); - fiat_secp384r1_addcarryx_u32(&x1133, &x1134, x1132, x1073, x1109); - fiat_secp384r1_addcarryx_u32(&x1135, &x1136, x1134, x1075, x1111); - fiat_secp384r1_addcarryx_u32(&x1137, &x1138, x1136, - ((uint32_t)x1076 + x1042), (x1112 + x1078)); - fiat_secp384r1_subborrowx_u32(&x1139, &x1140, 0x0, x1115, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x1141, &x1142, x1140, x1117, 0x0); - fiat_secp384r1_subborrowx_u32(&x1143, &x1144, x1142, x1119, 0x0); - fiat_secp384r1_subborrowx_u32(&x1145, &x1146, x1144, x1121, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x1147, &x1148, x1146, x1123, - UINT32_C(0xfffffffe)); - fiat_secp384r1_subborrowx_u32(&x1149, &x1150, x1148, x1125, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x1151, &x1152, x1150, x1127, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x1153, &x1154, x1152, x1129, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x1155, &x1156, x1154, x1131, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x1157, &x1158, x1156, x1133, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x1159, &x1160, x1158, x1135, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x1161, &x1162, x1160, x1137, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x1163, &x1164, x1162, x1138, 0x0); - fiat_secp384r1_cmovznz_u32(&x1165, x1164, x1139, x1115); - fiat_secp384r1_cmovznz_u32(&x1166, x1164, x1141, x1117); - fiat_secp384r1_cmovznz_u32(&x1167, x1164, x1143, x1119); - fiat_secp384r1_cmovznz_u32(&x1168, x1164, x1145, x1121); - fiat_secp384r1_cmovznz_u32(&x1169, x1164, x1147, x1123); - fiat_secp384r1_cmovznz_u32(&x1170, x1164, x1149, x1125); - fiat_secp384r1_cmovznz_u32(&x1171, x1164, x1151, x1127); - fiat_secp384r1_cmovznz_u32(&x1172, x1164, x1153, x1129); - fiat_secp384r1_cmovznz_u32(&x1173, x1164, x1155, x1131); - fiat_secp384r1_cmovznz_u32(&x1174, x1164, x1157, x1133); - fiat_secp384r1_cmovznz_u32(&x1175, x1164, x1159, x1135); - fiat_secp384r1_cmovznz_u32(&x1176, x1164, x1161, x1137); - out1[0] = x1165; - out1[1] = x1166; - out1[2] = x1167; - out1[3] = x1168; - out1[4] = x1169; - out1[5] = x1170; - out1[6] = x1171; - out1[7] = x1172; - out1[8] = x1173; - out1[9] = x1174; - out1[10] = x1175; - out1[11] = x1176; -} + bool b = Hacl_P384_dh_responder(derived, P->data + 1, key); -/* - * The function fiat_secp384r1_nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. - * - * Preconditions: - * 0 ≤ eval arg1 < m - * Postconditions: - * out1 = 0 ↔ eval (from_montgomery arg1) mod m = 0 - * - * Input Bounds: - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - * Output Bounds: - * out1: [0x0 ~> 0xffffffff] - */ -static void -fiat_secp384r1_nonzero(uint32_t *out1, const uint32_t arg1[12]) -{ - uint32_t x1; - x1 = ((arg1[0]) | - ((arg1[1]) | - ((arg1[2]) | - ((arg1[3]) | - ((arg1[4]) | - ((arg1[5]) | - ((arg1[6]) | - ((arg1[7]) | - ((arg1[8]) | ((arg1[9]) | ((arg1[10]) | (arg1[11])))))))))))); - *out1 = x1; -} + if (!b) { + PORT_SetError(SEC_ERROR_BAD_KEY); + res = SECFailure; + return res; + } -/* - * The function fiat_secp384r1_selectznz is a multi-limb conditional select. - * - * Postconditions: - * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) - * - * Input Bounds: - * arg1: [0x0 ~> 0x1] - * arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - * arg3: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - * Output Bounds: - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -static void -fiat_secp384r1_selectznz(uint32_t out1[12], - fiat_secp384r1_uint1 arg1, - const uint32_t arg2[12], - const uint32_t arg3[12]) -{ - uint32_t x1; - uint32_t x2; - uint32_t x3; - uint32_t x4; - uint32_t x5; - uint32_t x6; - uint32_t x7; - uint32_t x8; - uint32_t x9; - uint32_t x10; - uint32_t x11; - uint32_t x12; - fiat_secp384r1_cmovznz_u32(&x1, arg1, (arg2[0]), (arg3[0])); - fiat_secp384r1_cmovznz_u32(&x2, arg1, (arg2[1]), (arg3[1])); - fiat_secp384r1_cmovznz_u32(&x3, arg1, (arg2[2]), (arg3[2])); - fiat_secp384r1_cmovznz_u32(&x4, arg1, (arg2[3]), (arg3[3])); - fiat_secp384r1_cmovznz_u32(&x5, arg1, (arg2[4]), (arg3[4])); - fiat_secp384r1_cmovznz_u32(&x6, arg1, (arg2[5]), (arg3[5])); - fiat_secp384r1_cmovznz_u32(&x7, arg1, (arg2[6]), (arg3[6])); - fiat_secp384r1_cmovznz_u32(&x8, arg1, (arg2[7]), (arg3[7])); - fiat_secp384r1_cmovznz_u32(&x9, arg1, (arg2[8]), (arg3[8])); - fiat_secp384r1_cmovznz_u32(&x10, arg1, (arg2[9]), (arg3[9])); - fiat_secp384r1_cmovznz_u32(&x11, arg1, (arg2[10]), (arg3[10])); - fiat_secp384r1_cmovznz_u32(&x12, arg1, (arg2[11]), (arg3[11])); - out1[0] = x1; - out1[1] = x2; - out1[2] = x3; - out1[3] = x4; - out1[4] = x5; - out1[5] = x6; - out1[6] = x7; - out1[7] = x8; - out1[8] = x9; - out1[9] = x10; - out1[10] = x11; - out1[11] = x12; -} + X->len = 48; + memcpy(X->data, derived, 48); + } -/* - * The function fiat_secp384r1_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. - * - * Preconditions: - * 0 ≤ eval arg1 < m - * Postconditions: - * out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..47] - * - * Input Bounds: - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - * Output Bounds: - * out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] - */ -static void -fiat_secp384r1_to_bytes(uint8_t out1[48], const uint32_t arg1[12]) -{ - uint32_t x1; - uint32_t x2; - uint32_t x3; - uint32_t x4; - uint32_t x5; - uint32_t x6; - uint32_t x7; - uint32_t x8; - uint32_t x9; - uint32_t x10; - uint32_t x11; - uint32_t x12; - uint8_t x13; - uint32_t x14; - uint8_t x15; - uint32_t x16; - uint8_t x17; - uint8_t x18; - uint8_t x19; - uint32_t x20; - uint8_t x21; - uint32_t x22; - uint8_t x23; - uint8_t x24; - uint8_t x25; - uint32_t x26; - uint8_t x27; - uint32_t x28; - uint8_t x29; - uint8_t x30; - uint8_t x31; - uint32_t x32; - uint8_t x33; - uint32_t x34; - uint8_t x35; - uint8_t x36; - uint8_t x37; - uint32_t x38; - uint8_t x39; - uint32_t x40; - uint8_t x41; - uint8_t x42; - uint8_t x43; - uint32_t x44; - uint8_t x45; - uint32_t x46; - uint8_t x47; - uint8_t x48; - uint8_t x49; - uint32_t x50; - uint8_t x51; - uint32_t x52; - uint8_t x53; - uint8_t x54; - uint8_t x55; - uint32_t x56; - uint8_t x57; - uint32_t x58; - uint8_t x59; - uint8_t x60; - uint8_t x61; - uint32_t x62; - uint8_t x63; - uint32_t x64; - uint8_t x65; - uint8_t x66; - uint8_t x67; - uint32_t x68; - uint8_t x69; - uint32_t x70; - uint8_t x71; - uint8_t x72; - uint8_t x73; - uint32_t x74; - uint8_t x75; - uint32_t x76; - uint8_t x77; - uint8_t x78; - uint8_t x79; - uint32_t x80; - uint8_t x81; - uint32_t x82; - uint8_t x83; - uint8_t x84; - x1 = (arg1[11]); - x2 = (arg1[10]); - x3 = (arg1[9]); - x4 = (arg1[8]); - x5 = (arg1[7]); - x6 = (arg1[6]); - x7 = (arg1[5]); - x8 = (arg1[4]); - x9 = (arg1[3]); - x10 = (arg1[2]); - x11 = (arg1[1]); - x12 = (arg1[0]); - x13 = (uint8_t)(x12 & UINT8_C(0xff)); - x14 = (x12 >> 8); - x15 = (uint8_t)(x14 & UINT8_C(0xff)); - x16 = (x14 >> 8); - x17 = (uint8_t)(x16 & UINT8_C(0xff)); - x18 = (uint8_t)(x16 >> 8); - x19 = (uint8_t)(x11 & UINT8_C(0xff)); - x20 = (x11 >> 8); - x21 = (uint8_t)(x20 & UINT8_C(0xff)); - x22 = (x20 >> 8); - x23 = (uint8_t)(x22 & UINT8_C(0xff)); - x24 = (uint8_t)(x22 >> 8); - x25 = (uint8_t)(x10 & UINT8_C(0xff)); - x26 = (x10 >> 8); - x27 = (uint8_t)(x26 & UINT8_C(0xff)); - x28 = (x26 >> 8); - x29 = (uint8_t)(x28 & UINT8_C(0xff)); - x30 = (uint8_t)(x28 >> 8); - x31 = (uint8_t)(x9 & UINT8_C(0xff)); - x32 = (x9 >> 8); - x33 = (uint8_t)(x32 & UINT8_C(0xff)); - x34 = (x32 >> 8); - x35 = (uint8_t)(x34 & UINT8_C(0xff)); - x36 = (uint8_t)(x34 >> 8); - x37 = (uint8_t)(x8 & UINT8_C(0xff)); - x38 = (x8 >> 8); - x39 = (uint8_t)(x38 & UINT8_C(0xff)); - x40 = (x38 >> 8); - x41 = (uint8_t)(x40 & UINT8_C(0xff)); - x42 = (uint8_t)(x40 >> 8); - x43 = (uint8_t)(x7 & UINT8_C(0xff)); - x44 = (x7 >> 8); - x45 = (uint8_t)(x44 & UINT8_C(0xff)); - x46 = (x44 >> 8); - x47 = (uint8_t)(x46 & UINT8_C(0xff)); - x48 = (uint8_t)(x46 >> 8); - x49 = (uint8_t)(x6 & UINT8_C(0xff)); - x50 = (x6 >> 8); - x51 = (uint8_t)(x50 & UINT8_C(0xff)); - x52 = (x50 >> 8); - x53 = (uint8_t)(x52 & UINT8_C(0xff)); - x54 = (uint8_t)(x52 >> 8); - x55 = (uint8_t)(x5 & UINT8_C(0xff)); - x56 = (x5 >> 8); - x57 = (uint8_t)(x56 & UINT8_C(0xff)); - x58 = (x56 >> 8); - x59 = (uint8_t)(x58 & UINT8_C(0xff)); - x60 = (uint8_t)(x58 >> 8); - x61 = (uint8_t)(x4 & UINT8_C(0xff)); - x62 = (x4 >> 8); - x63 = (uint8_t)(x62 & UINT8_C(0xff)); - x64 = (x62 >> 8); - x65 = (uint8_t)(x64 & UINT8_C(0xff)); - x66 = (uint8_t)(x64 >> 8); - x67 = (uint8_t)(x3 & UINT8_C(0xff)); - x68 = (x3 >> 8); - x69 = (uint8_t)(x68 & UINT8_C(0xff)); - x70 = (x68 >> 8); - x71 = (uint8_t)(x70 & UINT8_C(0xff)); - x72 = (uint8_t)(x70 >> 8); - x73 = (uint8_t)(x2 & UINT8_C(0xff)); - x74 = (x2 >> 8); - x75 = (uint8_t)(x74 & UINT8_C(0xff)); - x76 = (x74 >> 8); - x77 = (uint8_t)(x76 & UINT8_C(0xff)); - x78 = (uint8_t)(x76 >> 8); - x79 = (uint8_t)(x1 & UINT8_C(0xff)); - x80 = (x1 >> 8); - x81 = (uint8_t)(x80 & UINT8_C(0xff)); - x82 = (x80 >> 8); - x83 = (uint8_t)(x82 & UINT8_C(0xff)); - x84 = (uint8_t)(x82 >> 8); - out1[0] = x13; - out1[1] = x15; - out1[2] = x17; - out1[3] = x18; - out1[4] = x19; - out1[5] = x21; - out1[6] = x23; - out1[7] = x24; - out1[8] = x25; - out1[9] = x27; - out1[10] = x29; - out1[11] = x30; - out1[12] = x31; - out1[13] = x33; - out1[14] = x35; - out1[15] = x36; - out1[16] = x37; - out1[17] = x39; - out1[18] = x41; - out1[19] = x42; - out1[20] = x43; - out1[21] = x45; - out1[22] = x47; - out1[23] = x48; - out1[24] = x49; - out1[25] = x51; - out1[26] = x53; - out1[27] = x54; - out1[28] = x55; - out1[29] = x57; - out1[30] = x59; - out1[31] = x60; - out1[32] = x61; - out1[33] = x63; - out1[34] = x65; - out1[35] = x66; - out1[36] = x67; - out1[37] = x69; - out1[38] = x71; - out1[39] = x72; - out1[40] = x73; - out1[41] = x75; - out1[42] = x77; - out1[43] = x78; - out1[44] = x79; - out1[45] = x81; - out1[46] = x83; - out1[47] = x84; + return res; } /* - * The function fiat_secp384r1_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. - * - * Preconditions: - * 0 ≤ bytes_eval arg1 < m - * Postconditions: - * eval out1 mod m = bytes_eval arg1 mod m - * 0 ≤ eval out1 < m - * - * Input Bounds: - * arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] - * Output Bounds: - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] + * ECDSA Signature for P-384 */ -static void -fiat_secp384r1_from_bytes(uint32_t out1[12], - const uint8_t arg1[48]) -{ - uint32_t x1; - uint32_t x2; - uint32_t x3; - uint8_t x4; - uint32_t x5; - uint32_t x6; - uint32_t x7; - uint8_t x8; - uint32_t x9; - uint32_t x10; - uint32_t x11; - uint8_t x12; - uint32_t x13; - uint32_t x14; - uint32_t x15; - uint8_t x16; - uint32_t x17; - uint32_t x18; - uint32_t x19; - uint8_t x20; - uint32_t x21; - uint32_t x22; - uint32_t x23; - uint8_t x24; - uint32_t x25; - uint32_t x26; - uint32_t x27; - uint8_t x28; - uint32_t x29; - uint32_t x30; - uint32_t x31; - uint8_t x32; - uint32_t x33; - uint32_t x34; - uint32_t x35; - uint8_t x36; - uint32_t x37; - uint32_t x38; - uint32_t x39; - uint8_t x40; - uint32_t x41; - uint32_t x42; - uint32_t x43; - uint8_t x44; - uint32_t x45; - uint32_t x46; - uint32_t x47; - uint8_t x48; - uint32_t x49; - uint32_t x50; - uint32_t x51; - uint32_t x52; - uint32_t x53; - uint32_t x54; - uint32_t x55; - uint32_t x56; - uint32_t x57; - uint32_t x58; - uint32_t x59; - uint32_t x60; - uint32_t x61; - uint32_t x62; - uint32_t x63; - uint32_t x64; - uint32_t x65; - uint32_t x66; - uint32_t x67; - uint32_t x68; - uint32_t x69; - uint32_t x70; - uint32_t x71; - uint32_t x72; - uint32_t x73; - uint32_t x74; - uint32_t x75; - uint32_t x76; - uint32_t x77; - uint32_t x78; - uint32_t x79; - uint32_t x80; - uint32_t x81; - uint32_t x82; - uint32_t x83; - uint32_t x84; - x1 = ((uint32_t)(arg1[47]) << 24); - x2 = ((uint32_t)(arg1[46]) << 16); - x3 = ((uint32_t)(arg1[45]) << 8); - x4 = (arg1[44]); - x5 = ((uint32_t)(arg1[43]) << 24); - x6 = ((uint32_t)(arg1[42]) << 16); - x7 = ((uint32_t)(arg1[41]) << 8); - x8 = (arg1[40]); - x9 = ((uint32_t)(arg1[39]) << 24); - x10 = ((uint32_t)(arg1[38]) << 16); - x11 = ((uint32_t)(arg1[37]) << 8); - x12 = (arg1[36]); - x13 = ((uint32_t)(arg1[35]) << 24); - x14 = ((uint32_t)(arg1[34]) << 16); - x15 = ((uint32_t)(arg1[33]) << 8); - x16 = (arg1[32]); - x17 = ((uint32_t)(arg1[31]) << 24); - x18 = ((uint32_t)(arg1[30]) << 16); - x19 = ((uint32_t)(arg1[29]) << 8); - x20 = (arg1[28]); - x21 = ((uint32_t)(arg1[27]) << 24); - x22 = ((uint32_t)(arg1[26]) << 16); - x23 = ((uint32_t)(arg1[25]) << 8); - x24 = (arg1[24]); - x25 = ((uint32_t)(arg1[23]) << 24); - x26 = ((uint32_t)(arg1[22]) << 16); - x27 = ((uint32_t)(arg1[21]) << 8); - x28 = (arg1[20]); - x29 = ((uint32_t)(arg1[19]) << 24); - x30 = ((uint32_t)(arg1[18]) << 16); - x31 = ((uint32_t)(arg1[17]) << 8); - x32 = (arg1[16]); - x33 = ((uint32_t)(arg1[15]) << 24); - x34 = ((uint32_t)(arg1[14]) << 16); - x35 = ((uint32_t)(arg1[13]) << 8); - x36 = (arg1[12]); - x37 = ((uint32_t)(arg1[11]) << 24); - x38 = ((uint32_t)(arg1[10]) << 16); - x39 = ((uint32_t)(arg1[9]) << 8); - x40 = (arg1[8]); - x41 = ((uint32_t)(arg1[7]) << 24); - x42 = ((uint32_t)(arg1[6]) << 16); - x43 = ((uint32_t)(arg1[5]) << 8); - x44 = (arg1[4]); - x45 = ((uint32_t)(arg1[3]) << 24); - x46 = ((uint32_t)(arg1[2]) << 16); - x47 = ((uint32_t)(arg1[1]) << 8); - x48 = (arg1[0]); - x49 = (x47 + (uint32_t)x48); - x50 = (x46 + x49); - x51 = (x45 + x50); - x52 = (x43 + (uint32_t)x44); - x53 = (x42 + x52); - x54 = (x41 + x53); - x55 = (x39 + (uint32_t)x40); - x56 = (x38 + x55); - x57 = (x37 + x56); - x58 = (x35 + (uint32_t)x36); - x59 = (x34 + x58); - x60 = (x33 + x59); - x61 = (x31 + (uint32_t)x32); - x62 = (x30 + x61); - x63 = (x29 + x62); - x64 = (x27 + (uint32_t)x28); - x65 = (x26 + x64); - x66 = (x25 + x65); - x67 = (x23 + (uint32_t)x24); - x68 = (x22 + x67); - x69 = (x21 + x68); - x70 = (x19 + (uint32_t)x20); - x71 = (x18 + x70); - x72 = (x17 + x71); - x73 = (x15 + (uint32_t)x16); - x74 = (x14 + x73); - x75 = (x13 + x74); - x76 = (x11 + (uint32_t)x12); - x77 = (x10 + x76); - x78 = (x9 + x77); - x79 = (x7 + (uint32_t)x8); - x80 = (x6 + x79); - x81 = (x5 + x80); - x82 = (x3 + (uint32_t)x4); - x83 = (x2 + x82); - x84 = (x1 + x83); - out1[0] = x51; - out1[1] = x54; - out1[2] = x57; - out1[3] = x60; - out1[4] = x63; - out1[5] = x66; - out1[6] = x69; - out1[7] = x72; - out1[8] = x75; - out1[9] = x78; - out1[10] = x81; - out1[11] = x84; -} -/* - * The function fiat_secp384r1_divstep computes a divstep. - * - * Preconditions: - * 0 ≤ eval arg4 < m - * 0 ≤ eval arg5 < m - * Postconditions: - * out1 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then 1 - arg1 else 1 + arg1) - * twos_complement_eval out2 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then twos_complement_eval arg3 else twos_complement_eval arg2) - * twos_complement_eval out3 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then ⌊(twos_complement_eval arg3 - twos_complement_eval arg2) / 2⌋ else ⌊(twos_complement_eval arg3 + (twos_complement_eval arg3 mod 2) * twos_complement_eval arg2) / 2⌋) - * eval (from_montgomery out4) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (2 * eval (from_montgomery arg5)) mod m else (2 * eval (from_montgomery arg4)) mod m) - * eval (from_montgomery out5) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (eval (from_montgomery arg4) - eval (from_montgomery arg4)) mod m else (eval (from_montgomery arg5) + (twos_complement_eval arg3 mod 2) * eval (from_montgomery arg4)) mod m) - * 0 ≤ eval out5 < m - * 0 ≤ eval out5 < m - * 0 ≤ eval out2 < m - * 0 ≤ eval out3 < m - * - * Input Bounds: - * arg1: [0x0 ~> 0xffffffff] - * arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - * arg3: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - * arg4: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - * arg5: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - * Output Bounds: - * out1: [0x0 ~> 0xffffffff] - * out2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - * out3: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - * out4: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - * out5: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -static void -fiat_secp384r1_divstep( - uint32_t *out1, uint32_t out2[13], uint32_t out3[13], uint32_t out4[12], - uint32_t out5[12], uint32_t arg1, const uint32_t arg2[13], - const uint32_t arg3[13], const uint32_t arg4[12], const uint32_t arg5[12]) +SECStatus +ec_secp384r1_sign_digest(ECPrivateKey *ecPrivKey, SECItem *signature, + const SECItem *digest, const unsigned char *kb, + const unsigned int kblen) { - uint32_t x1; - fiat_secp384r1_uint1 x2; - fiat_secp384r1_uint1 x3; - uint32_t x4; - fiat_secp384r1_uint1 x5; - uint32_t x6; - uint32_t x7; - uint32_t x8; - uint32_t x9; - uint32_t x10; - uint32_t x11; - uint32_t x12; - uint32_t x13; - uint32_t x14; - uint32_t x15; - uint32_t x16; - uint32_t x17; - uint32_t x18; - uint32_t x19; - uint32_t x20; - fiat_secp384r1_uint1 x21; - uint32_t x22; - fiat_secp384r1_uint1 x23; - uint32_t x24; - fiat_secp384r1_uint1 x25; - uint32_t x26; - fiat_secp384r1_uint1 x27; - uint32_t x28; - fiat_secp384r1_uint1 x29; - uint32_t x30; - fiat_secp384r1_uint1 x31; - uint32_t x32; - fiat_secp384r1_uint1 x33; - uint32_t x34; - fiat_secp384r1_uint1 x35; - uint32_t x36; - fiat_secp384r1_uint1 x37; - uint32_t x38; - fiat_secp384r1_uint1 x39; - uint32_t x40; - fiat_secp384r1_uint1 x41; - uint32_t x42; - fiat_secp384r1_uint1 x43; - uint32_t x44; - fiat_secp384r1_uint1 x45; - uint32_t x46; - uint32_t x47; - uint32_t x48; - uint32_t x49; - uint32_t x50; - uint32_t x51; - uint32_t x52; - uint32_t x53; - uint32_t x54; - uint32_t x55; - uint32_t x56; - uint32_t x57; - uint32_t x58; - uint32_t x59; - uint32_t x60; - uint32_t x61; - uint32_t x62; - uint32_t x63; - uint32_t x64; - uint32_t x65; - uint32_t x66; - uint32_t x67; - uint32_t x68; - uint32_t x69; - uint32_t x70; - uint32_t x71; - fiat_secp384r1_uint1 x72; - uint32_t x73; - fiat_secp384r1_uint1 x74; - uint32_t x75; - fiat_secp384r1_uint1 x76; - uint32_t x77; - fiat_secp384r1_uint1 x78; - uint32_t x79; - fiat_secp384r1_uint1 x80; - uint32_t x81; - fiat_secp384r1_uint1 x82; - uint32_t x83; - fiat_secp384r1_uint1 x84; - uint32_t x85; - fiat_secp384r1_uint1 x86; - uint32_t x87; - fiat_secp384r1_uint1 x88; - uint32_t x89; - fiat_secp384r1_uint1 x90; - uint32_t x91; - fiat_secp384r1_uint1 x92; - uint32_t x93; - fiat_secp384r1_uint1 x94; - uint32_t x95; - fiat_secp384r1_uint1 x96; - uint32_t x97; - fiat_secp384r1_uint1 x98; - uint32_t x99; - fiat_secp384r1_uint1 x100; - uint32_t x101; - fiat_secp384r1_uint1 x102; - uint32_t x103; - fiat_secp384r1_uint1 x104; - uint32_t x105; - fiat_secp384r1_uint1 x106; - uint32_t x107; - fiat_secp384r1_uint1 x108; - uint32_t x109; - fiat_secp384r1_uint1 x110; - uint32_t x111; - fiat_secp384r1_uint1 x112; - uint32_t x113; - fiat_secp384r1_uint1 x114; - uint32_t x115; - fiat_secp384r1_uint1 x116; - uint32_t x117; - fiat_secp384r1_uint1 x118; - uint32_t x119; - fiat_secp384r1_uint1 x120; - uint32_t x121; - uint32_t x122; - uint32_t x123; - uint32_t x124; - uint32_t x125; - uint32_t x126; - uint32_t x127; - uint32_t x128; - uint32_t x129; - uint32_t x130; - uint32_t x131; - uint32_t x132; - uint32_t x133; - fiat_secp384r1_uint1 x134; - uint32_t x135; - fiat_secp384r1_uint1 x136; - uint32_t x137; - fiat_secp384r1_uint1 x138; - uint32_t x139; - fiat_secp384r1_uint1 x140; - uint32_t x141; - fiat_secp384r1_uint1 x142; - uint32_t x143; - fiat_secp384r1_uint1 x144; - uint32_t x145; - fiat_secp384r1_uint1 x146; - uint32_t x147; - fiat_secp384r1_uint1 x148; - uint32_t x149; - fiat_secp384r1_uint1 x150; - uint32_t x151; - fiat_secp384r1_uint1 x152; - uint32_t x153; - fiat_secp384r1_uint1 x154; - uint32_t x155; - fiat_secp384r1_uint1 x156; - uint32_t x157; - uint32_t x158; - fiat_secp384r1_uint1 x159; - uint32_t x160; - fiat_secp384r1_uint1 x161; - uint32_t x162; - fiat_secp384r1_uint1 x163; - uint32_t x164; - fiat_secp384r1_uint1 x165; - uint32_t x166; - fiat_secp384r1_uint1 x167; - uint32_t x168; - fiat_secp384r1_uint1 x169; - uint32_t x170; - fiat_secp384r1_uint1 x171; - uint32_t x172; - fiat_secp384r1_uint1 x173; - uint32_t x174; - fiat_secp384r1_uint1 x175; - uint32_t x176; - fiat_secp384r1_uint1 x177; - uint32_t x178; - fiat_secp384r1_uint1 x179; - uint32_t x180; - fiat_secp384r1_uint1 x181; - uint32_t x182; - uint32_t x183; - uint32_t x184; - uint32_t x185; - uint32_t x186; - uint32_t x187; - uint32_t x188; - uint32_t x189; - uint32_t x190; - uint32_t x191; - uint32_t x192; - uint32_t x193; - fiat_secp384r1_uint1 x194; - uint32_t x195; - uint32_t x196; - uint32_t x197; - uint32_t x198; - uint32_t x199; - uint32_t x200; - uint32_t x201; - uint32_t x202; - uint32_t x203; - uint32_t x204; - uint32_t x205; - uint32_t x206; - uint32_t x207; - uint32_t x208; - fiat_secp384r1_uint1 x209; - uint32_t x210; - fiat_secp384r1_uint1 x211; - uint32_t x212; - fiat_secp384r1_uint1 x213; - uint32_t x214; - fiat_secp384r1_uint1 x215; - uint32_t x216; - fiat_secp384r1_uint1 x217; - uint32_t x218; - fiat_secp384r1_uint1 x219; - uint32_t x220; - fiat_secp384r1_uint1 x221; - uint32_t x222; - fiat_secp384r1_uint1 x223; - uint32_t x224; - fiat_secp384r1_uint1 x225; - uint32_t x226; - fiat_secp384r1_uint1 x227; - uint32_t x228; - fiat_secp384r1_uint1 x229; - uint32_t x230; - fiat_secp384r1_uint1 x231; - uint32_t x232; - fiat_secp384r1_uint1 x233; - uint32_t x234; - uint32_t x235; - uint32_t x236; - uint32_t x237; - uint32_t x238; - uint32_t x239; - uint32_t x240; - uint32_t x241; - uint32_t x242; - uint32_t x243; - uint32_t x244; - uint32_t x245; - uint32_t x246; - fiat_secp384r1_uint1 x247; - uint32_t x248; - fiat_secp384r1_uint1 x249; - uint32_t x250; - fiat_secp384r1_uint1 x251; - uint32_t x252; - fiat_secp384r1_uint1 x253; - uint32_t x254; - fiat_secp384r1_uint1 x255; - uint32_t x256; - fiat_secp384r1_uint1 x257; - uint32_t x258; - fiat_secp384r1_uint1 x259; - uint32_t x260; - fiat_secp384r1_uint1 x261; - uint32_t x262; - fiat_secp384r1_uint1 x263; - uint32_t x264; - fiat_secp384r1_uint1 x265; - uint32_t x266; - fiat_secp384r1_uint1 x267; - uint32_t x268; - fiat_secp384r1_uint1 x269; - uint32_t x270; - fiat_secp384r1_uint1 x271; - uint32_t x272; - fiat_secp384r1_uint1 x273; - uint32_t x274; - fiat_secp384r1_uint1 x275; - uint32_t x276; - fiat_secp384r1_uint1 x277; - uint32_t x278; - fiat_secp384r1_uint1 x279; - uint32_t x280; - fiat_secp384r1_uint1 x281; - uint32_t x282; - fiat_secp384r1_uint1 x283; - uint32_t x284; - fiat_secp384r1_uint1 x285; - uint32_t x286; - fiat_secp384r1_uint1 x287; - uint32_t x288; - fiat_secp384r1_uint1 x289; - uint32_t x290; - fiat_secp384r1_uint1 x291; - uint32_t x292; - fiat_secp384r1_uint1 x293; - uint32_t x294; - fiat_secp384r1_uint1 x295; - uint32_t x296; - fiat_secp384r1_uint1 x297; - uint32_t x298; - uint32_t x299; - uint32_t x300; - uint32_t x301; - uint32_t x302; - uint32_t x303; - uint32_t x304; - uint32_t x305; - uint32_t x306; - uint32_t x307; - uint32_t x308; - uint32_t x309; - uint32_t x310; - uint32_t x311; - uint32_t x312; - uint32_t x313; - uint32_t x314; - uint32_t x315; - uint32_t x316; - uint32_t x317; - uint32_t x318; - uint32_t x319; - uint32_t x320; - uint32_t x321; - uint32_t x322; - uint32_t x323; - uint32_t x324; - uint32_t x325; - uint32_t x326; - uint32_t x327; - uint32_t x328; - uint32_t x329; - uint32_t x330; - uint32_t x331; - uint32_t x332; - uint32_t x333; - uint32_t x334; - fiat_secp384r1_addcarryx_u32(&x1, &x2, 0x0, (~arg1), 0x1); - x3 = (fiat_secp384r1_uint1)((fiat_secp384r1_uint1)(x1 >> 31) & - (fiat_secp384r1_uint1)((arg3[0]) & 0x1)); - fiat_secp384r1_addcarryx_u32(&x4, &x5, 0x0, (~arg1), 0x1); - fiat_secp384r1_cmovznz_u32(&x6, x3, arg1, x4); - fiat_secp384r1_cmovznz_u32(&x7, x3, (arg2[0]), (arg3[0])); - fiat_secp384r1_cmovznz_u32(&x8, x3, (arg2[1]), (arg3[1])); - fiat_secp384r1_cmovznz_u32(&x9, x3, (arg2[2]), (arg3[2])); - fiat_secp384r1_cmovznz_u32(&x10, x3, (arg2[3]), (arg3[3])); - fiat_secp384r1_cmovznz_u32(&x11, x3, (arg2[4]), (arg3[4])); - fiat_secp384r1_cmovznz_u32(&x12, x3, (arg2[5]), (arg3[5])); - fiat_secp384r1_cmovznz_u32(&x13, x3, (arg2[6]), (arg3[6])); - fiat_secp384r1_cmovznz_u32(&x14, x3, (arg2[7]), (arg3[7])); - fiat_secp384r1_cmovznz_u32(&x15, x3, (arg2[8]), (arg3[8])); - fiat_secp384r1_cmovznz_u32(&x16, x3, (arg2[9]), (arg3[9])); - fiat_secp384r1_cmovznz_u32(&x17, x3, (arg2[10]), (arg3[10])); - fiat_secp384r1_cmovznz_u32(&x18, x3, (arg2[11]), (arg3[11])); - fiat_secp384r1_cmovznz_u32(&x19, x3, (arg2[12]), (arg3[12])); - fiat_secp384r1_addcarryx_u32(&x20, &x21, 0x0, 0x1, (~(arg2[0]))); - fiat_secp384r1_addcarryx_u32(&x22, &x23, x21, 0x0, (~(arg2[1]))); - fiat_secp384r1_addcarryx_u32(&x24, &x25, x23, 0x0, (~(arg2[2]))); - fiat_secp384r1_addcarryx_u32(&x26, &x27, x25, 0x0, (~(arg2[3]))); - fiat_secp384r1_addcarryx_u32(&x28, &x29, x27, 0x0, (~(arg2[4]))); - fiat_secp384r1_addcarryx_u32(&x30, &x31, x29, 0x0, (~(arg2[5]))); - fiat_secp384r1_addcarryx_u32(&x32, &x33, x31, 0x0, (~(arg2[6]))); - fiat_secp384r1_addcarryx_u32(&x34, &x35, x33, 0x0, (~(arg2[7]))); - fiat_secp384r1_addcarryx_u32(&x36, &x37, x35, 0x0, (~(arg2[8]))); - fiat_secp384r1_addcarryx_u32(&x38, &x39, x37, 0x0, (~(arg2[9]))); - fiat_secp384r1_addcarryx_u32(&x40, &x41, x39, 0x0, (~(arg2[10]))); - fiat_secp384r1_addcarryx_u32(&x42, &x43, x41, 0x0, (~(arg2[11]))); - fiat_secp384r1_addcarryx_u32(&x44, &x45, x43, 0x0, (~(arg2[12]))); - fiat_secp384r1_cmovznz_u32(&x46, x3, (arg3[0]), x20); - fiat_secp384r1_cmovznz_u32(&x47, x3, (arg3[1]), x22); - fiat_secp384r1_cmovznz_u32(&x48, x3, (arg3[2]), x24); - fiat_secp384r1_cmovznz_u32(&x49, x3, (arg3[3]), x26); - fiat_secp384r1_cmovznz_u32(&x50, x3, (arg3[4]), x28); - fiat_secp384r1_cmovznz_u32(&x51, x3, (arg3[5]), x30); - fiat_secp384r1_cmovznz_u32(&x52, x3, (arg3[6]), x32); - fiat_secp384r1_cmovznz_u32(&x53, x3, (arg3[7]), x34); - fiat_secp384r1_cmovznz_u32(&x54, x3, (arg3[8]), x36); - fiat_secp384r1_cmovznz_u32(&x55, x3, (arg3[9]), x38); - fiat_secp384r1_cmovznz_u32(&x56, x3, (arg3[10]), x40); - fiat_secp384r1_cmovznz_u32(&x57, x3, (arg3[11]), x42); - fiat_secp384r1_cmovznz_u32(&x58, x3, (arg3[12]), x44); - fiat_secp384r1_cmovznz_u32(&x59, x3, (arg4[0]), (arg5[0])); - fiat_secp384r1_cmovznz_u32(&x60, x3, (arg4[1]), (arg5[1])); - fiat_secp384r1_cmovznz_u32(&x61, x3, (arg4[2]), (arg5[2])); - fiat_secp384r1_cmovznz_u32(&x62, x3, (arg4[3]), (arg5[3])); - fiat_secp384r1_cmovznz_u32(&x63, x3, (arg4[4]), (arg5[4])); - fiat_secp384r1_cmovznz_u32(&x64, x3, (arg4[5]), (arg5[5])); - fiat_secp384r1_cmovznz_u32(&x65, x3, (arg4[6]), (arg5[6])); - fiat_secp384r1_cmovznz_u32(&x66, x3, (arg4[7]), (arg5[7])); - fiat_secp384r1_cmovznz_u32(&x67, x3, (arg4[8]), (arg5[8])); - fiat_secp384r1_cmovznz_u32(&x68, x3, (arg4[9]), (arg5[9])); - fiat_secp384r1_cmovznz_u32(&x69, x3, (arg4[10]), (arg5[10])); - fiat_secp384r1_cmovznz_u32(&x70, x3, (arg4[11]), (arg5[11])); - fiat_secp384r1_addcarryx_u32(&x71, &x72, 0x0, x59, x59); - fiat_secp384r1_addcarryx_u32(&x73, &x74, x72, x60, x60); - fiat_secp384r1_addcarryx_u32(&x75, &x76, x74, x61, x61); - fiat_secp384r1_addcarryx_u32(&x77, &x78, x76, x62, x62); - fiat_secp384r1_addcarryx_u32(&x79, &x80, x78, x63, x63); - fiat_secp384r1_addcarryx_u32(&x81, &x82, x80, x64, x64); - fiat_secp384r1_addcarryx_u32(&x83, &x84, x82, x65, x65); - fiat_secp384r1_addcarryx_u32(&x85, &x86, x84, x66, x66); - fiat_secp384r1_addcarryx_u32(&x87, &x88, x86, x67, x67); - fiat_secp384r1_addcarryx_u32(&x89, &x90, x88, x68, x68); - fiat_secp384r1_addcarryx_u32(&x91, &x92, x90, x69, x69); - fiat_secp384r1_addcarryx_u32(&x93, &x94, x92, x70, x70); - fiat_secp384r1_subborrowx_u32(&x95, &x96, 0x0, x71, UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x97, &x98, x96, x73, 0x0); - fiat_secp384r1_subborrowx_u32(&x99, &x100, x98, x75, 0x0); - fiat_secp384r1_subborrowx_u32(&x101, &x102, x100, x77, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x103, &x104, x102, x79, - UINT32_C(0xfffffffe)); - fiat_secp384r1_subborrowx_u32(&x105, &x106, x104, x81, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x107, &x108, x106, x83, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x109, &x110, x108, x85, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x111, &x112, x110, x87, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x113, &x114, x112, x89, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x115, &x116, x114, x91, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x117, &x118, x116, x93, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x119, &x120, x118, x94, 0x0); - x121 = (arg4[11]); - x122 = (arg4[10]); - x123 = (arg4[9]); - x124 = (arg4[8]); - x125 = (arg4[7]); - x126 = (arg4[6]); - x127 = (arg4[5]); - x128 = (arg4[4]); - x129 = (arg4[3]); - x130 = (arg4[2]); - x131 = (arg4[1]); - x132 = (arg4[0]); - fiat_secp384r1_subborrowx_u32(&x133, &x134, 0x0, 0x0, x132); - fiat_secp384r1_subborrowx_u32(&x135, &x136, x134, 0x0, x131); - fiat_secp384r1_subborrowx_u32(&x137, &x138, x136, 0x0, x130); - fiat_secp384r1_subborrowx_u32(&x139, &x140, x138, 0x0, x129); - fiat_secp384r1_subborrowx_u32(&x141, &x142, x140, 0x0, x128); - fiat_secp384r1_subborrowx_u32(&x143, &x144, x142, 0x0, x127); - fiat_secp384r1_subborrowx_u32(&x145, &x146, x144, 0x0, x126); - fiat_secp384r1_subborrowx_u32(&x147, &x148, x146, 0x0, x125); - fiat_secp384r1_subborrowx_u32(&x149, &x150, x148, 0x0, x124); - fiat_secp384r1_subborrowx_u32(&x151, &x152, x150, 0x0, x123); - fiat_secp384r1_subborrowx_u32(&x153, &x154, x152, 0x0, x122); - fiat_secp384r1_subborrowx_u32(&x155, &x156, x154, 0x0, x121); - fiat_secp384r1_cmovznz_u32(&x157, x156, 0x0, UINT32_C(0xffffffff)); - fiat_secp384r1_addcarryx_u32(&x158, &x159, 0x0, x133, x157); - fiat_secp384r1_addcarryx_u32(&x160, &x161, x159, x135, 0x0); - fiat_secp384r1_addcarryx_u32(&x162, &x163, x161, x137, 0x0); - fiat_secp384r1_addcarryx_u32(&x164, &x165, x163, x139, x157); - fiat_secp384r1_addcarryx_u32(&x166, &x167, x165, x141, - (x157 & UINT32_C(0xfffffffe))); - fiat_secp384r1_addcarryx_u32(&x168, &x169, x167, x143, x157); - fiat_secp384r1_addcarryx_u32(&x170, &x171, x169, x145, x157); - fiat_secp384r1_addcarryx_u32(&x172, &x173, x171, x147, x157); - fiat_secp384r1_addcarryx_u32(&x174, &x175, x173, x149, x157); - fiat_secp384r1_addcarryx_u32(&x176, &x177, x175, x151, x157); - fiat_secp384r1_addcarryx_u32(&x178, &x179, x177, x153, x157); - fiat_secp384r1_addcarryx_u32(&x180, &x181, x179, x155, x157); - fiat_secp384r1_cmovznz_u32(&x182, x3, (arg5[0]), x158); - fiat_secp384r1_cmovznz_u32(&x183, x3, (arg5[1]), x160); - fiat_secp384r1_cmovznz_u32(&x184, x3, (arg5[2]), x162); - fiat_secp384r1_cmovznz_u32(&x185, x3, (arg5[3]), x164); - fiat_secp384r1_cmovznz_u32(&x186, x3, (arg5[4]), x166); - fiat_secp384r1_cmovznz_u32(&x187, x3, (arg5[5]), x168); - fiat_secp384r1_cmovznz_u32(&x188, x3, (arg5[6]), x170); - fiat_secp384r1_cmovznz_u32(&x189, x3, (arg5[7]), x172); - fiat_secp384r1_cmovznz_u32(&x190, x3, (arg5[8]), x174); - fiat_secp384r1_cmovznz_u32(&x191, x3, (arg5[9]), x176); - fiat_secp384r1_cmovznz_u32(&x192, x3, (arg5[10]), x178); - fiat_secp384r1_cmovznz_u32(&x193, x3, (arg5[11]), x180); - x194 = (fiat_secp384r1_uint1)(x46 & 0x1); - fiat_secp384r1_cmovznz_u32(&x195, x194, 0x0, x7); - fiat_secp384r1_cmovznz_u32(&x196, x194, 0x0, x8); - fiat_secp384r1_cmovznz_u32(&x197, x194, 0x0, x9); - fiat_secp384r1_cmovznz_u32(&x198, x194, 0x0, x10); - fiat_secp384r1_cmovznz_u32(&x199, x194, 0x0, x11); - fiat_secp384r1_cmovznz_u32(&x200, x194, 0x0, x12); - fiat_secp384r1_cmovznz_u32(&x201, x194, 0x0, x13); - fiat_secp384r1_cmovznz_u32(&x202, x194, 0x0, x14); - fiat_secp384r1_cmovznz_u32(&x203, x194, 0x0, x15); - fiat_secp384r1_cmovznz_u32(&x204, x194, 0x0, x16); - fiat_secp384r1_cmovznz_u32(&x205, x194, 0x0, x17); - fiat_secp384r1_cmovznz_u32(&x206, x194, 0x0, x18); - fiat_secp384r1_cmovznz_u32(&x207, x194, 0x0, x19); - fiat_secp384r1_addcarryx_u32(&x208, &x209, 0x0, x46, x195); - fiat_secp384r1_addcarryx_u32(&x210, &x211, x209, x47, x196); - fiat_secp384r1_addcarryx_u32(&x212, &x213, x211, x48, x197); - fiat_secp384r1_addcarryx_u32(&x214, &x215, x213, x49, x198); - fiat_secp384r1_addcarryx_u32(&x216, &x217, x215, x50, x199); - fiat_secp384r1_addcarryx_u32(&x218, &x219, x217, x51, x200); - fiat_secp384r1_addcarryx_u32(&x220, &x221, x219, x52, x201); - fiat_secp384r1_addcarryx_u32(&x222, &x223, x221, x53, x202); - fiat_secp384r1_addcarryx_u32(&x224, &x225, x223, x54, x203); - fiat_secp384r1_addcarryx_u32(&x226, &x227, x225, x55, x204); - fiat_secp384r1_addcarryx_u32(&x228, &x229, x227, x56, x205); - fiat_secp384r1_addcarryx_u32(&x230, &x231, x229, x57, x206); - fiat_secp384r1_addcarryx_u32(&x232, &x233, x231, x58, x207); - fiat_secp384r1_cmovznz_u32(&x234, x194, 0x0, x59); - fiat_secp384r1_cmovznz_u32(&x235, x194, 0x0, x60); - fiat_secp384r1_cmovznz_u32(&x236, x194, 0x0, x61); - fiat_secp384r1_cmovznz_u32(&x237, x194, 0x0, x62); - fiat_secp384r1_cmovznz_u32(&x238, x194, 0x0, x63); - fiat_secp384r1_cmovznz_u32(&x239, x194, 0x0, x64); - fiat_secp384r1_cmovznz_u32(&x240, x194, 0x0, x65); - fiat_secp384r1_cmovznz_u32(&x241, x194, 0x0, x66); - fiat_secp384r1_cmovznz_u32(&x242, x194, 0x0, x67); - fiat_secp384r1_cmovznz_u32(&x243, x194, 0x0, x68); - fiat_secp384r1_cmovznz_u32(&x244, x194, 0x0, x69); - fiat_secp384r1_cmovznz_u32(&x245, x194, 0x0, x70); - fiat_secp384r1_addcarryx_u32(&x246, &x247, 0x0, x182, x234); - fiat_secp384r1_addcarryx_u32(&x248, &x249, x247, x183, x235); - fiat_secp384r1_addcarryx_u32(&x250, &x251, x249, x184, x236); - fiat_secp384r1_addcarryx_u32(&x252, &x253, x251, x185, x237); - fiat_secp384r1_addcarryx_u32(&x254, &x255, x253, x186, x238); - fiat_secp384r1_addcarryx_u32(&x256, &x257, x255, x187, x239); - fiat_secp384r1_addcarryx_u32(&x258, &x259, x257, x188, x240); - fiat_secp384r1_addcarryx_u32(&x260, &x261, x259, x189, x241); - fiat_secp384r1_addcarryx_u32(&x262, &x263, x261, x190, x242); - fiat_secp384r1_addcarryx_u32(&x264, &x265, x263, x191, x243); - fiat_secp384r1_addcarryx_u32(&x266, &x267, x265, x192, x244); - fiat_secp384r1_addcarryx_u32(&x268, &x269, x267, x193, x245); - fiat_secp384r1_subborrowx_u32(&x270, &x271, 0x0, x246, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x272, &x273, x271, x248, 0x0); - fiat_secp384r1_subborrowx_u32(&x274, &x275, x273, x250, 0x0); - fiat_secp384r1_subborrowx_u32(&x276, &x277, x275, x252, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x278, &x279, x277, x254, - UINT32_C(0xfffffffe)); - fiat_secp384r1_subborrowx_u32(&x280, &x281, x279, x256, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x282, &x283, x281, x258, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x284, &x285, x283, x260, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x286, &x287, x285, x262, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x288, &x289, x287, x264, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x290, &x291, x289, x266, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x292, &x293, x291, x268, - UINT32_C(0xffffffff)); - fiat_secp384r1_subborrowx_u32(&x294, &x295, x293, x269, 0x0); - fiat_secp384r1_addcarryx_u32(&x296, &x297, 0x0, x6, 0x1); - x298 = ((x208 >> 1) | ((x210 << 31) & UINT32_C(0xffffffff))); - x299 = ((x210 >> 1) | ((x212 << 31) & UINT32_C(0xffffffff))); - x300 = ((x212 >> 1) | ((x214 << 31) & UINT32_C(0xffffffff))); - x301 = ((x214 >> 1) | ((x216 << 31) & UINT32_C(0xffffffff))); - x302 = ((x216 >> 1) | ((x218 << 31) & UINT32_C(0xffffffff))); - x303 = ((x218 >> 1) | ((x220 << 31) & UINT32_C(0xffffffff))); - x304 = ((x220 >> 1) | ((x222 << 31) & UINT32_C(0xffffffff))); - x305 = ((x222 >> 1) | ((x224 << 31) & UINT32_C(0xffffffff))); - x306 = ((x224 >> 1) | ((x226 << 31) & UINT32_C(0xffffffff))); - x307 = ((x226 >> 1) | ((x228 << 31) & UINT32_C(0xffffffff))); - x308 = ((x228 >> 1) | ((x230 << 31) & UINT32_C(0xffffffff))); - x309 = ((x230 >> 1) | ((x232 << 31) & UINT32_C(0xffffffff))); - x310 = ((x232 & UINT32_C(0x80000000)) | (x232 >> 1)); - fiat_secp384r1_cmovznz_u32(&x311, x120, x95, x71); - fiat_secp384r1_cmovznz_u32(&x312, x120, x97, x73); - fiat_secp384r1_cmovznz_u32(&x313, x120, x99, x75); - fiat_secp384r1_cmovznz_u32(&x314, x120, x101, x77); - fiat_secp384r1_cmovznz_u32(&x315, x120, x103, x79); - fiat_secp384r1_cmovznz_u32(&x316, x120, x105, x81); - fiat_secp384r1_cmovznz_u32(&x317, x120, x107, x83); - fiat_secp384r1_cmovznz_u32(&x318, x120, x109, x85); - fiat_secp384r1_cmovznz_u32(&x319, x120, x111, x87); - fiat_secp384r1_cmovznz_u32(&x320, x120, x113, x89); - fiat_secp384r1_cmovznz_u32(&x321, x120, x115, x91); - fiat_secp384r1_cmovznz_u32(&x322, x120, x117, x93); - fiat_secp384r1_cmovznz_u32(&x323, x295, x270, x246); - fiat_secp384r1_cmovznz_u32(&x324, x295, x272, x248); - fiat_secp384r1_cmovznz_u32(&x325, x295, x274, x250); - fiat_secp384r1_cmovznz_u32(&x326, x295, x276, x252); - fiat_secp384r1_cmovznz_u32(&x327, x295, x278, x254); - fiat_secp384r1_cmovznz_u32(&x328, x295, x280, x256); - fiat_secp384r1_cmovznz_u32(&x329, x295, x282, x258); - fiat_secp384r1_cmovznz_u32(&x330, x295, x284, x260); - fiat_secp384r1_cmovznz_u32(&x331, x295, x286, x262); - fiat_secp384r1_cmovznz_u32(&x332, x295, x288, x264); - fiat_secp384r1_cmovznz_u32(&x333, x295, x290, x266); - fiat_secp384r1_cmovznz_u32(&x334, x295, x292, x268); - *out1 = x296; - out2[0] = x7; - out2[1] = x8; - out2[2] = x9; - out2[3] = x10; - out2[4] = x11; - out2[5] = x12; - out2[6] = x13; - out2[7] = x14; - out2[8] = x15; - out2[9] = x16; - out2[10] = x17; - out2[11] = x18; - out2[12] = x19; - out3[0] = x298; - out3[1] = x299; - out3[2] = x300; - out3[3] = x301; - out3[4] = x302; - out3[5] = x303; - out3[6] = x304; - out3[7] = x305; - out3[8] = x306; - out3[9] = x307; - out3[10] = x308; - out3[11] = x309; - out3[12] = x310; - out4[0] = x311; - out4[1] = x312; - out4[2] = x313; - out4[3] = x314; - out4[4] = x315; - out4[5] = x316; - out4[6] = x317; - out4[7] = x318; - out4[8] = x319; - out4[9] = x320; - out4[10] = x321; - out4[11] = x322; - out5[0] = x323; - out5[1] = x324; - out5[2] = x325; - out5[3] = x326; - out5[4] = x327; - out5[5] = x328; - out5[6] = x329; - out5[7] = x330; - out5[8] = x331; - out5[9] = x332; - out5[10] = x333; - out5[11] = x334; -} - -/* END verbatim fiat code */ - -/* curve-related constants */ - -static const limb_t const_one[12] = { - UINT32_C(0x00000001), UINT32_C(0xFFFFFFFF), UINT32_C(0xFFFFFFFF), - UINT32_C(0x00000000), UINT32_C(0x00000001), UINT32_C(0x00000000), - UINT32_C(0x00000000), UINT32_C(0x00000000), UINT32_C(0x00000000), - UINT32_C(0x00000000), UINT32_C(0x00000000), UINT32_C(0x00000000) -}; + SECStatus res = SECSuccess; -static const limb_t const_b[12] = { - UINT32_C(0x9D412DCC), UINT32_C(0x08118871), UINT32_C(0x7A4C32EC), - UINT32_C(0xF729ADD8), UINT32_C(0x1920022E), UINT32_C(0x77F2209B), - UINT32_C(0x94938AE2), UINT32_C(0xE3374BEE), UINT32_C(0x1F022094), - UINT32_C(0xB62B21F4), UINT32_C(0x604FBFF9), UINT32_C(0xCD08114B) -}; - -static const limb_t const_divstep[12] = { - UINT32_C(0x00005000), UINT32_C(0xFFFFC800), UINT32_C(0xFFFF83FF), - UINT32_C(0xFFFFB3FF), UINT32_C(0xFFFFFFFF), UINT32_C(0xFFFFF7FF), - UINT32_C(0xFFFFEFFF), UINT32_C(0xFFFFEBFF), UINT32_C(0xFFFFF3FF), - UINT32_C(0x00000BFF), UINT32_C(0x00003000), UINT32_C(0x00005000) -}; - -static const limb_t const_psat[12] = { - UINT32_C(0xFFFFFFFF), UINT32_C(0x00000000), UINT32_C(0x00000000), - UINT32_C(0xFFFFFFFF), UINT32_C(0xFFFFFFFE), UINT32_C(0xFFFFFFFF), - UINT32_C(0xFFFFFFFF), UINT32_C(0xFFFFFFFF), UINT32_C(0xFFFFFFFF), - UINT32_C(0xFFFFFFFF), UINT32_C(0xFFFFFFFF), UINT32_C(0xFFFFFFFF) -}; - -/* LUT for scalar multiplication by comb interleaving */ -static const pt_aff_t lut_cmb[21][16] = { - { - { { UINT32_C(0x49C0B528), UINT32_C(0x3DD07566), UINT32_C(0xA0D6CE38), - UINT32_C(0x20E378E2), UINT32_C(0x541B4D6E), UINT32_C(0x879C3AFC), - UINT32_C(0x59A30EFF), UINT32_C(0x64548684), UINT32_C(0x614EDE2B), - UINT32_C(0x812FF723), UINT32_C(0x299E1513), UINT32_C(0x4D3AADC2) }, - { UINT32_C(0x4B03A4FE), UINT32_C(0x23043DAD), UINT32_C(0x7BB4A9AC), - UINT32_C(0xA1BFA8BF), UINT32_C(0x2E83B050), UINT32_C(0x8BADE756), - UINT32_C(0x68F4FFD9), UINT32_C(0xC6C35219), UINT32_C(0x3969A840), - UINT32_C(0xDD800226), UINT32_C(0x5A15C5E9), UINT32_C(0x2B78ABC2) } }, - { { UINT32_C(0xC1DC4073), UINT32_C(0x05E4DBE6), UINT32_C(0xF04F779C), - UINT32_C(0xC54EA9FF), UINT32_C(0xA170CCF0), UINT32_C(0x6B2034E9), - UINT32_C(0xD51C6C3E), UINT32_C(0x3A48D732), UINT32_C(0x263AA470), - UINT32_C(0xE36F7E2D), UINT32_C(0xE7C1C3AC), UINT32_C(0xD283FE68) }, - { UINT32_C(0xC04EE157), UINT32_C(0x7E284821), UINT32_C(0x7AE0E36D), - UINT32_C(0x92D789A7), UINT32_C(0x4EF67446), UINT32_C(0x132663C0), - UINT32_C(0xD2E1D0B4), UINT32_C(0x68012D5A), UINT32_C(0x5102B339), - UINT32_C(0xF6DB68B1), UINT32_C(0x983292AF), UINT32_C(0x465465FC) } }, - { { UINT32_C(0x68F1F0DF), UINT32_C(0xBB595EBA), UINT32_C(0xCC873466), - UINT32_C(0xC185C0CB), UINT32_C(0x293C703B), UINT32_C(0x7F1EB1B5), - UINT32_C(0xAACC05E6), UINT32_C(0x60DB2CF5), UINT32_C(0xE2E8E4C6), - UINT32_C(0xC676B987), UINT32_C(0x1D178FFB), UINT32_C(0xE1BB26B1) }, - { UINT32_C(0x7073FA21), UINT32_C(0x2B694BA0), UINT32_C(0x72F34566), - UINT32_C(0x22C16E2E), UINT32_C(0x01C35B99), UINT32_C(0x80B61B31), - UINT32_C(0x982C0411), UINT32_C(0x4B237FAF), UINT32_C(0x24DE236D), - UINT32_C(0xE6C59440), UINT32_C(0xE209E4A3), UINT32_C(0x4DB1C9D6) } }, - { { UINT32_C(0x7D69222B), UINT32_C(0xDF13B9D1), UINT32_C(0x874774B1), - UINT32_C(0x4CE6415F), UINT32_C(0x211FAA95), UINT32_C(0x731EDCF8), - UINT32_C(0x659753ED), UINT32_C(0x5F4215D1), UINT32_C(0x9DB2DF55), - UINT32_C(0xF893DB58), UINT32_C(0x1C89025B), UINT32_C(0x932C9F81) }, - { UINT32_C(0x7706A61E), UINT32_C(0x0996B220), UINT32_C(0xA8641C79), - UINT32_C(0x135349D5), UINT32_C(0x50130844), UINT32_C(0x65AAD76F), - UINT32_C(0x01FFF780), UINT32_C(0x0FF37C04), UINT32_C(0x693B0706), - UINT32_C(0xF57F238E), UINT32_C(0xAF6C9B3E), UINT32_C(0xD90A16B6) } }, - { { UINT32_C(0x2353B92F), UINT32_C(0x2F5D200E), UINT32_C(0x3FD7E4F9), - UINT32_C(0xE35D8729), UINT32_C(0xA96D745D), UINT32_C(0x26094833), - UINT32_C(0x3CBFFF3F), UINT32_C(0xDC351DC1), UINT32_C(0xDAD54D6A), - UINT32_C(0x26D464C6), UINT32_C(0x53636C6A), UINT32_C(0x5CAB1D1D) }, - { UINT32_C(0xB18EC0B0), UINT32_C(0xF2813072), UINT32_C(0xD742AA2F), - UINT32_C(0x3777E270), UINT32_C(0x033CA7C2), UINT32_C(0x27F061C7), - UINT32_C(0x68EAD0D8), UINT32_C(0xA6ECACCC), UINT32_C(0xEE69A754), - UINT32_C(0x7D9429F4), UINT32_C(0x31E8F5C6), UINT32_C(0xE7706334) } }, - { { UINT32_C(0xB68B8C7D), UINT32_C(0xC7708B19), UINT32_C(0x44377ABA), - UINT32_C(0x4532077C), UINT32_C(0x6CDAD64F), UINT32_C(0x0DCC6770), - UINT32_C(0x147B6602), UINT32_C(0x01B8BF56), UINT32_C(0xF0561D79), - UINT32_C(0xF8D89885), UINT32_C(0x7BA9C437), UINT32_C(0x9C19E9FC) }, - { UINT32_C(0xBDC4BA25), UINT32_C(0x764EB146), UINT32_C(0xAC144B83), - UINT32_C(0x604FE46B), UINT32_C(0x8A77E780), UINT32_C(0x3CE81329), - UINT32_C(0xFE9E682E), UINT32_C(0x2E070F36), UINT32_C(0x3A53287A), - UINT32_C(0x41821D0C), UINT32_C(0x3533F918), UINT32_C(0x9AA62F9F) } }, - { { UINT32_C(0x75CCBDFB), UINT32_C(0x9B7AEB7E), UINT32_C(0xF6749A95), - UINT32_C(0xB25E28C5), UINT32_C(0x33B7D4AE), UINT32_C(0x8A7A8E46), - UINT32_C(0xD9C1BD56), UINT32_C(0xDB5203A8), UINT32_C(0xED22DF97), - UINT32_C(0xD2657265), UINT32_C(0x8CF23C94), UINT32_C(0xB51C56E1) }, - { UINT32_C(0x6C3D812D), UINT32_C(0xF4D39459), UINT32_C(0x87CAE0C2), - UINT32_C(0xD8E88F1A), UINT32_C(0xCF4D0FE3), UINT32_C(0x789A2A48), - UINT32_C(0xFEC38D60), UINT32_C(0xB7FEAC2D), UINT32_C(0x3B490EC3), - UINT32_C(0x81FDBD1C), UINT32_C(0xCC6979E1), UINT32_C(0x4617ADB7) } }, - { { UINT32_C(0x4709F4A9), UINT32_C(0x446AD888), UINT32_C(0xEC3DABD8), - UINT32_C(0x2B7210E2), UINT32_C(0x50E07B34), UINT32_C(0x83CCF195), - UINT32_C(0x789B3075), UINT32_C(0x59500917), UINT32_C(0xEB085993), - UINT32_C(0x0FC01FD4), UINT32_C(0x4903026B), UINT32_C(0xFB62D26F) }, - { UINT32_C(0x6FE989BB), UINT32_C(0x2309CC9D), UINT32_C(0x144BD586), - UINT32_C(0x61609CBD), UINT32_C(0xDE06610C), UINT32_C(0x4B23D3A0), - UINT32_C(0xD898F470), UINT32_C(0xDDDC2866), UINT32_C(0x400C5797), - UINT32_C(0x8733FC41), UINT32_C(0xD0BC2716), UINT32_C(0x5A68C6FE) } }, - { { UINT32_C(0x4B4A3CD0), UINT32_C(0x8903E130), UINT32_C(0x8FF1F43E), - UINT32_C(0x3EA4EA4C), UINT32_C(0xF655A10D), UINT32_C(0xE6FC3F2A), - UINT32_C(0x524FFEFC), UINT32_C(0x7BE3737D), UINT32_C(0x5330455E), - UINT32_C(0x9F692855), UINT32_C(0xE475CE70), UINT32_C(0x524F166E) }, - { UINT32_C(0x6C12F055), UINT32_C(0x3FCC69CD), UINT32_C(0xD5B9C0DA), - UINT32_C(0x4E23B6FF), UINT32_C(0x336BF183), UINT32_C(0x49CE6993), - UINT32_C(0x4A54504A), UINT32_C(0xF87D6D85), UINT32_C(0xB3C2677A), - UINT32_C(0x25EB5DF1), UINT32_C(0x55B164C9), UINT32_C(0xAC37986F) } }, - { { UINT32_C(0xBAA84C08), UINT32_C(0x82A2ED4A), UINT32_C(0x41A8C912), - UINT32_C(0x22C4CC5F), UINT32_C(0x154AAD5E), UINT32_C(0xCA109C3B), - UINT32_C(0xFC38538E), UINT32_C(0x23891298), UINT32_C(0x539802AE), - UINT32_C(0xB3B6639C), UINT32_C(0x0390D706), UINT32_C(0xFA0F1F45) }, - { UINT32_C(0xB0DC21D0), UINT32_C(0x46B78E5D), UINT32_C(0xC3DA2EAC), - UINT32_C(0xA8C72D3C), UINT32_C(0x6FF2F643), UINT32_C(0x9170B378), - UINT32_C(0xB67F30C3), UINT32_C(0x3F5A799B), UINT32_C(0x8264B672), - UINT32_C(0x15D1DC77), UINT32_C(0xE9577764), UINT32_C(0xA1D47B23) } }, - { { UINT32_C(0x0422CE2F), UINT32_C(0x08265E51), UINT32_C(0xDD2F9E21), - UINT32_C(0x88E0D496), UINT32_C(0x6177F75D), UINT32_C(0x30128AA0), - UINT32_C(0xBD9EBE69), UINT32_C(0x2E59AB62), UINT32_C(0x5DF0E537), - UINT32_C(0x1B1A0F6C), UINT32_C(0xDAC012B5), UINT32_C(0xAB16C626) }, - { UINT32_C(0x008C5DE7), UINT32_C(0x8014214B), UINT32_C(0x38F17BEA), - UINT32_C(0xAA740A9E), UINT32_C(0x8A149098), UINT32_C(0x262EBB49), - UINT32_C(0x8527CD59), UINT32_C(0xB454111E), UINT32_C(0xACEA5817), - UINT32_C(0x266AD15A), UINT32_C(0x1353CCBA), UINT32_C(0x21824F41) } }, - { { UINT32_C(0x12E3683B), UINT32_C(0xD1B4E74D), UINT32_C(0x569B8EF6), - UINT32_C(0x990ED20B), UINT32_C(0x429C0A18), UINT32_C(0xB9D3DD25), - UINT32_C(0x2A351783), UINT32_C(0x1C75B8AB), UINT32_C(0x905432F0), - UINT32_C(0x61E4CA2B), UINT32_C(0xEEA8F224), UINT32_C(0x80826A69) }, - { UINT32_C(0xEC52ABAD), UINT32_C(0x7FC33A6B), UINT32_C(0xA65E4813), - UINT32_C(0x0BCCA3F0), UINT32_C(0xA527CEBE), UINT32_C(0x7AD8A132), - UINT32_C(0xEAF22C7E), UINT32_C(0xF0138950), UINT32_C(0x566718C1), - UINT32_C(0x282D2437), UINT32_C(0xE2212559), UINT32_C(0x9DFCCB0D) } }, - { { UINT32_C(0x58CE3B83), UINT32_C(0x1E937227), UINT32_C(0x3CB3FB36), - UINT32_C(0xBB280DFA), UINT32_C(0xE2BE174A), UINT32_C(0x57D0F3D2), - UINT32_C(0x208ABE1E), UINT32_C(0x9BD51B99), UINT32_C(0xDE248024), - UINT32_C(0x3809AB50), UINT32_C(0xA5BB7331), UINT32_C(0xC29C6E2C) }, - { UINT32_C(0x61124F05), UINT32_C(0x9944FD2E), UINT32_C(0x9009E391), - UINT32_C(0x83CCBC4E), UINT32_C(0x9424A3CC), UINT32_C(0x01628F05), - UINT32_C(0xEA8E4344), UINT32_C(0xD6A2F51D), UINT32_C(0x4CEBC96E), - UINT32_C(0xDA3E1A3D), UINT32_C(0xE97809DC), UINT32_C(0x1FE6FB42) } }, - { { UINT32_C(0x467D66E4), UINT32_C(0xA04482D2), UINT32_C(0x4D78291D), - UINT32_C(0xCF191293), UINT32_C(0x482396F9), UINT32_C(0x8E0D4168), - UINT32_C(0xD18F14D0), UINT32_C(0x7228E2D5), UINT32_C(0x9C6A58FE), - UINT32_C(0x2F7E8D50), UINT32_C(0x373E5AEC), UINT32_C(0xE8CA780E) }, - { UINT32_C(0x1B68E9F8), UINT32_C(0x42AAD1D6), UINT32_C(0x69E2F8F4), - UINT32_C(0x58A6D7F5), UINT32_C(0x31DA1BEA), UINT32_C(0xD779ADFE), - UINT32_C(0x38C85A85), UINT32_C(0x7D265406), UINT32_C(0xD44D3CDF), - UINT32_C(0x67E67195), UINT32_C(0xC5134ED7), UINT32_C(0x17820A0B) } }, - { { UINT32_C(0xD3021470), UINT32_C(0x019D6AC5), UINT32_C(0x780443D6), - UINT32_C(0x25846B66), UINT32_C(0x55C97647), UINT32_C(0xCE3C15ED), - UINT32_C(0x0E3FEB0F), UINT32_C(0x3DC22D49), UINT32_C(0xA7DF26E4), - UINT32_C(0x2065B7CB), UINT32_C(0x187CEA1F), UINT32_C(0xC8B00AE8) }, - { UINT32_C(0x865DDED3), UINT32_C(0x1A5284A0), UINT32_C(0x20C83DE2), - UINT32_C(0x293C1649), UINT32_C(0xCCE851B3), UINT32_C(0xAB178D26), - UINT32_C(0x404505FB), UINT32_C(0x8E6DB10B), UINT32_C(0x90C82033), - UINT32_C(0xF6F57E71), UINT32_C(0x5977F16C), UINT32_C(0x1D2A1C01) } }, - { { UINT32_C(0x7C8906A4), UINT32_C(0xA39C8931), UINT32_C(0x9E821EE6), - UINT32_C(0xB6E7ECDD), UINT32_C(0xF0DF4FE6), UINT32_C(0x2ECF8340), - UINT32_C(0x53C14965), UINT32_C(0xD42F7DC9), UINT32_C(0xE3BA8285), - UINT32_C(0x1AFB51A3), UINT32_C(0x0A3305D1), UINT32_C(0x6C07C404) }, - { UINT32_C(0x127FC1DA), UINT32_C(0xDAB83288), UINT32_C(0x374C4B08), - UINT32_C(0xBC0A699B), UINT32_C(0x42EB20DD), UINT32_C(0x402A9BAB), - UINT32_C(0x045A7A1C), UINT32_C(0xD7DD464F), UINT32_C(0x36BEECC4), - UINT32_C(0x5B3D0D6D), UINT32_C(0x6398A19D), UINT32_C(0x475A3E75) } }, - }, - { - { { UINT32_C(0x72876AE8), UINT32_C(0x31BDB483), UINT32_C(0x961ED1BF), - UINT32_C(0xE3325D98), UINT32_C(0x9B6FC64D), UINT32_C(0x18C04246), - UINT32_C(0x15786B8C), UINT32_C(0x0DCC15FA), UINT32_C(0x8E63DA4A), - UINT32_C(0x81ACDB06), UINT32_C(0xDADA70FB), UINT32_C(0xD3A4B643) }, - { UINT32_C(0xDEA424EB), UINT32_C(0x46361AFE), UINT32_C(0x89B92970), - UINT32_C(0xDC2D2CAE), UINT32_C(0x615694E6), UINT32_C(0xF389B61B), - UINT32_C(0x872951D2), UINT32_C(0x7036DEF1), UINT32_C(0xD93BADC7), - UINT32_C(0x40FD3BDA), UINT32_C(0x380A68D3), UINT32_C(0x45AB6321) } }, - { { UINT32_C(0x81A2703A), UINT32_C(0x23C1F744), UINT32_C(0xB9859136), - UINT32_C(0x1A5D075C), UINT32_C(0x5AFD1BFD), UINT32_C(0xA4F82C9D), - UINT32_C(0xF89D76FE), UINT32_C(0xA3D1E9A4), UINT32_C(0x75702F80), - UINT32_C(0x964F7050), UINT32_C(0xF56C089D), UINT32_C(0x182BF349) }, - { UINT32_C(0xBE0DA6E1), UINT32_C(0xE205FA8F), UINT32_C(0x0A40F8F3), - UINT32_C(0x32905EB9), UINT32_C(0x356D4395), UINT32_C(0x331A1004), - UINT32_C(0xFDBBDFDE), UINT32_C(0x58B78901), UINT32_C(0x9BA00E71), - UINT32_C(0xA52A1597), UINT32_C(0x55497A30), UINT32_C(0xE0092E1F) } }, - { { UINT32_C(0x70EE8F39), UINT32_C(0x5562A856), UINT32_C(0x64E52A9C), - UINT32_C(0x86B0C117), UINT32_C(0x09C75B8C), UINT32_C(0xC19F3174), - UINT32_C(0x24923F80), UINT32_C(0x21C7CC31), UINT32_C(0x8F5B291E), - UINT32_C(0xE63FE47F), UINT32_C(0x0DC08B05), UINT32_C(0x3D6D3C05) }, - { UINT32_C(0xEE0C39A1), UINT32_C(0x58AE455E), UINT32_C(0x0AD97942), - UINT32_C(0x78BEA431), UINT32_C(0x3EE3989C), UINT32_C(0x42C7C97F), - UINT32_C(0xF38759AE), UINT32_C(0xC1B03AF5), UINT32_C(0xBCF46899), - UINT32_C(0x1A673C75), UINT32_C(0x8D508C7D), UINT32_C(0x4831B7D3) } }, - { { UINT32_C(0xC552E354), UINT32_C(0x76512D1B), UINT32_C(0x273020FD), - UINT32_C(0x2B7EB6DF), UINT32_C(0x025A5F25), UINT32_C(0xD1C73AA8), - UINT32_C(0x5CBD2A40), UINT32_C(0x2ABA1929), UINT32_C(0xC88D61C6), - UINT32_C(0xB53CADC3), UINT32_C(0x098290F3), UINT32_C(0x7E66A95E) }, - { UINT32_C(0xAF4C5073), UINT32_C(0x72800ECB), UINT32_C(0x9DC63FAF), - UINT32_C(0x81F2725E), UINT32_C(0x282BA9D1), UINT32_C(0x14BF92A7), - UINT32_C(0xBD5F1BB2), UINT32_C(0x90629672), UINT32_C(0xA97C6C96), - UINT32_C(0x362F68EB), UINT32_C(0x7EA9D601), UINT32_C(0xB1D3BB8B) } }, - { { UINT32_C(0xA9C94429), UINT32_C(0x73878F7F), UINT32_C(0x456CA6D8), - UINT32_C(0xB35C3BC8), UINT32_C(0xF721923A), UINT32_C(0xD96F0B3C), - UINT32_C(0xE6D44FA1), UINT32_C(0x28D8F06C), UINT32_C(0xD5CD671A), - UINT32_C(0x94EFDCDC), UINT32_C(0x3F97D481), UINT32_C(0x0299AB93) }, - { UINT32_C(0x2FD1D324), UINT32_C(0xB7CED6EA), UINT32_C(0x7E932EC2), - UINT32_C(0xBD683208), UINT32_C(0xCB755A6E), UINT32_C(0x24ED31FB), - UINT32_C(0xE48781D2), UINT32_C(0xA636098E), UINT32_C(0xF0A4F297), - UINT32_C(0x8687C63C), UINT32_C(0x07478526), UINT32_C(0xBB523440) } }, - { { UINT32_C(0x34124B56), UINT32_C(0x2E5F7419), UINT32_C(0x4B3F02CA), - UINT32_C(0x1F223AE1), UINT32_C(0xE8336C7E), UINT32_C(0x6345B427), - UINT32_C(0xF5D0E3D0), UINT32_C(0x92123E16), UINT32_C(0x45E79F3A), - UINT32_C(0xDAF0D14D), UINT32_C(0x6F3BD0C6), UINT32_C(0x6ACA6765) }, - { UINT32_C(0x403813F4), UINT32_C(0xF6169FAB), UINT32_C(0x334A4C59), - UINT32_C(0x31DC39C0), UINT32_C(0xD589866D), UINT32_C(0x74C46753), - UINT32_C(0x984C6A5D), UINT32_C(0x5741511D), UINT32_C(0x97FED2D3), - UINT32_C(0xF2631287), UINT32_C(0x11614886), UINT32_C(0x5687CA1B) } }, - { { UINT32_C(0x33836D4B), UINT32_C(0x076D902A), UINT32_C(0x24AFB557), - UINT32_C(0xEC6C5C43), UINT32_C(0xA0516A0F), UINT32_C(0xA0FE2D1C), - UINT32_C(0x00D22ECC), UINT32_C(0x6FB8D737), UINT32_C(0xDAF1D7B3), - UINT32_C(0xF1DE9077), UINT32_C(0xD4C0C1EB), UINT32_C(0xE4695F77) }, - { UINT32_C(0xB4375573), UINT32_C(0x5F0FD8A8), UINT32_C(0x5E50944F), - UINT32_C(0x76238359), UINT32_C(0x635CD76F), UINT32_C(0x65EA2F28), - UINT32_C(0x25FDE7B0), UINT32_C(0x08547769), UINT32_C(0x51944304), - UINT32_C(0xB2345A2E), UINT32_C(0xA16C980D), UINT32_C(0x86EFA2F7) } }, - { { UINT32_C(0xBF4D1D63), UINT32_C(0x4CCBE2D0), UINT32_C(0x397366D5), - UINT32_C(0x32E33401), UINT32_C(0x71BDA2CE), UINT32_C(0xC83AFDDE), - UINT32_C(0x478ED9E6), UINT32_C(0x8DACE2AC), UINT32_C(0x763FDD9E), - UINT32_C(0x3AC6A559), UINT32_C(0xB398558F), UINT32_C(0x0FFDB04C) }, - { UINT32_C(0xAFB9D6B8), UINT32_C(0x6C1B99B2), UINT32_C(0x27F815DD), - UINT32_C(0x572BA39C), UINT32_C(0x0DBCF842), UINT32_C(0x9DE73EE7), - UINT32_C(0x29267B88), UINT32_C(0x2A3ED589), UINT32_C(0x15EBBBB3), - UINT32_C(0xD46A7FD3), UINT32_C(0xE29400C7), UINT32_C(0xD1D01863) } }, - { { UINT32_C(0xE1F89EC5), UINT32_C(0x8FB101D1), UINT32_C(0xF8508042), - UINT32_C(0xB87A1F53), UINT32_C(0x0ED7BEEF), UINT32_C(0x28C8DB24), - UINT32_C(0xACE8660A), UINT32_C(0x3940F845), UINT32_C(0xC6D453FD), - UINT32_C(0x4EACB619), UINT32_C(0x2BAD6160), UINT32_C(0x2E044C98) }, - { UINT32_C(0x80B16C02), UINT32_C(0x87928548), UINT32_C(0xC0A9EB64), - UINT32_C(0xF0D4BEB3), UINT32_C(0xC183C195), UINT32_C(0xD785B4AF), - UINT32_C(0x5E6C46EA), UINT32_C(0x23AAB0E6), UINT32_C(0xA930FECA), - UINT32_C(0x30F7E104), UINT32_C(0xD55C10FB), UINT32_C(0x6A1A7B8B) } }, - { { UINT32_C(0xDBFED1AA), UINT32_C(0xDA74EAEB), UINT32_C(0xDF0B025C), - UINT32_C(0xC8A59223), UINT32_C(0xD5B627F7), UINT32_C(0x7EF7DC85), - UINT32_C(0x197D7624), UINT32_C(0x02A13AE1), UINT32_C(0x2F785A9B), - UINT32_C(0x119E9BE1), UINT32_C(0x00D6B219), UINT32_C(0xC0B7572F) }, - { UINT32_C(0x6D4CAF30), UINT32_C(0x9B1E5126), UINT32_C(0x0A840BD1), - UINT32_C(0xA16A5117), UINT32_C(0x0E9CCF43), UINT32_C(0x5BE17B91), - UINT32_C(0x69CF2C9C), UINT32_C(0x5BDBEDDD), UINT32_C(0x4CF4F289), - UINT32_C(0x9FFBFBCF), UINT32_C(0x6C355CE9), UINT32_C(0xE1A62183) } }, - { { UINT32_C(0xA7B2FCCF), UINT32_C(0x056199D9), UINT32_C(0xCE1D784E), - UINT32_C(0x51F2E7B6), UINT32_C(0x339E2FF0), UINT32_C(0xA1D09C47), - UINT32_C(0xB836D0A9), UINT32_C(0xC8E64890), UINT32_C(0xC0D07EBE), - UINT32_C(0x2F781DCB), UINT32_C(0x3ACF934C), UINT32_C(0x5CF3C2AD) }, - { UINT32_C(0xA17E26AE), UINT32_C(0xE55DB190), UINT32_C(0x91245513), - UINT32_C(0xC9C61E1F), UINT32_C(0x61998C15), UINT32_C(0x83D7E6CF), - UINT32_C(0xE41D38E3), UINT32_C(0x4DB33C85), UINT32_C(0xC2FEE43D), - UINT32_C(0x74D5F91D), UINT32_C(0x36BBC826), UINT32_C(0x7EBBDB45) } }, - { { UINT32_C(0xCB655A9D), UINT32_C(0xE20EC7E9), UINT32_C(0x5C47D421), - UINT32_C(0x4977EB92), UINT32_C(0x3B9D72FA), UINT32_C(0xA237E12C), - UINT32_C(0xCBF7B145), UINT32_C(0xCAAEDBC1), UINT32_C(0x3B77AAA3), - UINT32_C(0x5200F5B2), UINT32_C(0xBDBE5380), UINT32_C(0x32EDED55) }, - { UINT32_C(0xE7C9B80A), UINT32_C(0x74E38A40), UINT32_C(0xAB6DE911), - UINT32_C(0x3A3F0CF8), UINT32_C(0xAD16AAF0), UINT32_C(0x56DCDD7A), - UINT32_C(0x8E861D5E), UINT32_C(0x3D292449), UINT32_C(0x985733E2), - UINT32_C(0xD6C61878), UINT32_C(0x6AA6CD5B), UINT32_C(0x2401FE7D) } }, - { { UINT32_C(0xB42E3686), UINT32_C(0xABB3DC75), UINT32_C(0xB4C57E61), - UINT32_C(0xAE712419), UINT32_C(0xB21B009B), UINT32_C(0x2C565F72), - UINT32_C(0x710C3699), UINT32_C(0xA5F1DA2E), UINT32_C(0xA5EBA59A), - UINT32_C(0x771099A0), UINT32_C(0xC10017A0), UINT32_C(0x4DA88F4A) }, - { UINT32_C(0x1927B56D), UINT32_C(0x987FFFD3), UINT32_C(0xC4E33478), - UINT32_C(0xB98CB8EC), UINT32_C(0xC2248166), UINT32_C(0xB224A971), - UINT32_C(0xDE1DC794), UINT32_C(0x5470F554), UINT32_C(0xE31FF983), - UINT32_C(0xD747CC24), UINT32_C(0xB5B22DAE), UINT32_C(0xB91745E9) } }, - { { UINT32_C(0x72F34420), UINT32_C(0x6CCBFED0), UINT32_C(0xA53039D2), - UINT32_C(0x95045E4D), UINT32_C(0x5A793944), UINT32_C(0x3B6C1154), - UINT32_C(0xDDB6B799), UINT32_C(0xAA114145), UINT32_C(0x252B7637), - UINT32_C(0xABC15CA4), UINT32_C(0xA5744634), UINT32_C(0x5745A35B) }, - { UINT32_C(0xDA596FC0), UINT32_C(0x05DC6BDE), UINT32_C(0xA8020881), - UINT32_C(0xCD52C18C), UINT32_C(0xD296BAD0), UINT32_C(0x03FA9F47), - UINT32_C(0x7268E139), UINT32_C(0xD8E2C129), UINT32_C(0x9EC450B0), - UINT32_C(0x58C1A98D), UINT32_C(0xDE48B20D), UINT32_C(0x909638DA) } }, - { { UINT32_C(0x9B7F8311), UINT32_C(0x7AFC30D4), UINT32_C(0x42368EA3), - UINT32_C(0x82A00422), UINT32_C(0x6F5F9865), UINT32_C(0xBFF95198), - UINT32_C(0xFC0A070F), UINT32_C(0x9B24F612), UINT32_C(0x620F489D), - UINT32_C(0x22C06CF2), UINT32_C(0x780F7DBB), UINT32_C(0x3C7ED052) }, - { UINT32_C(0x34DAFE9B), UINT32_C(0xDB87AB18), UINT32_C(0x9C4BBCA1), - UINT32_C(0x20C03B40), UINT32_C(0x59A42341), UINT32_C(0x5D718CF0), - UINT32_C(0x69E84538), UINT32_C(0x98631706), UINT32_C(0xD27D64E1), - UINT32_C(0x5557192B), UINT32_C(0xDA822766), UINT32_C(0x08B4EC52) } }, - { { UINT32_C(0xD66C1A59), UINT32_C(0xB2D986F6), UINT32_C(0x78E0E423), - UINT32_C(0x927DEB16), UINT32_C(0x49C3DEDC), UINT32_C(0x9E673CDE), - UINT32_C(0xF7ECB6CF), UINT32_C(0xFA362D84), UINT32_C(0x1BA17340), - UINT32_C(0x078E5F40), UINT32_C(0x1F4E489C), UINT32_C(0x934CA5D1) }, - { UINT32_C(0x64EEF493), UINT32_C(0xC03C0731), UINT32_C(0xD7931A7E), - UINT32_C(0x631A353B), UINT32_C(0x65DD74F1), UINT32_C(0x8E7CC3BB), - UINT32_C(0x702676A5), UINT32_C(0xD55864C5), UINT32_C(0x439F04BD), - UINT32_C(0x6D306AC4), UINT32_C(0x2BAFED57), UINT32_C(0x58544F67) } }, - }, - { - { { UINT32_C(0xEC074AEA), UINT32_C(0xB083BA6A), UINT32_C(0x7F0B505B), - UINT32_C(0x46FAC5EF), UINT32_C(0xFC82DC03), UINT32_C(0x95367A21), - UINT32_C(0x9D3679D8), UINT32_C(0x227BE26A), UINT32_C(0x7E9724C0), - UINT32_C(0xC70F6D6C), UINT32_C(0xF9EBEC0F), UINT32_C(0xCD68C757) }, - { UINT32_C(0x8FF321B2), UINT32_C(0x29DDE03E), UINT32_C(0x031939DC), - UINT32_C(0xF84AD7BB), UINT32_C(0x0F602F4B), UINT32_C(0xDAF590C9), - UINT32_C(0x49722BC4), UINT32_C(0x17C52888), UINT32_C(0x089B22B6), - UINT32_C(0xA8DF99F0), UINT32_C(0xE59B9B90), UINT32_C(0xC21BC5D4) } }, - { { UINT32_C(0x8A31973F), UINT32_C(0x4936C6A0), UINT32_C(0x83B8C205), - UINT32_C(0x54D442FA), UINT32_C(0x5714F2C6), UINT32_C(0x03AEE8B4), - UINT32_C(0x3F5AC25A), UINT32_C(0x139BD692), UINT32_C(0xB5B33794), - UINT32_C(0x6A2E42BA), UINT32_C(0x3FF7BBA9), UINT32_C(0x50FA1164) }, - { UINT32_C(0xF7E2C099), UINT32_C(0xB61D8643), UINT32_C(0xBD5C6637), - UINT32_C(0x2366C993), UINT32_C(0x72EB77FA), UINT32_C(0x62110E14), - UINT32_C(0x3B99C635), UINT32_C(0x3D5B96F1), UINT32_C(0xF674C9F2), - UINT32_C(0x956ECF64), UINT32_C(0xEF2BA250), UINT32_C(0xC56F7E51) } }, - { { UINT32_C(0xFF602C1B), UINT32_C(0x246FFCB6), UINT32_C(0x6E1258E0), - UINT32_C(0x1E1A1D74), UINT32_C(0x250E6676), UINT32_C(0xB4B43AE2), - UINT32_C(0x924CE5FA), UINT32_C(0x95C1B5F0), UINT32_C(0xEBD8C776), - UINT32_C(0x2555795B), UINT32_C(0xACD9D9D0), UINT32_C(0x4C1E03DC) }, - { UINT32_C(0x9CE90C61), UINT32_C(0xE1D74AA6), UINT32_C(0xA9C4B9F9), - UINT32_C(0xA88C0769), UINT32_C(0x95AF56DE), UINT32_C(0xDF74DF27), - UINT32_C(0xB331B6F4), UINT32_C(0x24B10C5F), UINT32_C(0x6559E137), - UINT32_C(0xB0A6DF9A), UINT32_C(0xC06637F2), UINT32_C(0x6ACC1B8F) } }, - { { UINT32_C(0x34B4E381), UINT32_C(0xBD8C0868), UINT32_C(0x30DFF271), - UINT32_C(0x278CACC7), UINT32_C(0x02459389), UINT32_C(0x87ED12DE), - UINT32_C(0xDEF840B6), UINT32_C(0x3F7D98FF), UINT32_C(0x5F0B56E1), - UINT32_C(0x71EEE0CB), UINT32_C(0xD8D9BE87), UINT32_C(0x462B5C9B) }, - { UINT32_C(0x98094C0F), UINT32_C(0xE6B50B5A), UINT32_C(0x508C67CE), - UINT32_C(0x26F3B274), UINT32_C(0x7CB1F992), UINT32_C(0x418B1BD1), - UINT32_C(0x4FF11827), UINT32_C(0x607818ED), UINT32_C(0x9B042C63), - UINT32_C(0xE630D93A), UINT32_C(0x8C779AE3), UINT32_C(0x38B9EFF3) } }, - { { UINT32_C(0x729C5431), UINT32_C(0xE8767D36), UINT32_C(0xBB94642C), - UINT32_C(0xA8BD07C0), UINT32_C(0x58F2E5B2), UINT32_C(0x0C11FC8E), - UINT32_C(0x547533FE), UINT32_C(0xD8912D48), UINT32_C(0x230D91FB), - UINT32_C(0xAAE14F5E), UINT32_C(0x676DFBA0), UINT32_C(0xC122051A) }, - { UINT32_C(0x5EA93078), UINT32_C(0x9ED4501F), UINT32_C(0xBD4BEE0A), - UINT32_C(0x2758515C), UINT32_C(0x94D21F52), UINT32_C(0x97733C6C), - UINT32_C(0x4AD306A2), UINT32_C(0x139BCD6D), UINT32_C(0x298123CC), - UINT32_C(0x0AAECBDC), UINT32_C(0x1CB7C7C9), UINT32_C(0x102B8A31) } }, - { { UINT32_C(0xFAF46675), UINT32_C(0x22A28E59), UINT32_C(0x10A31E7D), - UINT32_C(0x10757308), UINT32_C(0x2B4C2F4F), UINT32_C(0xC7EEAC84), - UINT32_C(0xB5EF5184), UINT32_C(0xBA370148), UINT32_C(0x8732E055), - UINT32_C(0x4A5A2866), UINT32_C(0xB887C36F), UINT32_C(0x14B8DCDC) }, - { UINT32_C(0x433F093D), UINT32_C(0xDBA8C85C), UINT32_C(0x1C9A201C), - UINT32_C(0x73DF549D), UINT32_C(0x70F927D8), UINT32_C(0x69AA0D7B), - UINT32_C(0xD7D2493A), UINT32_C(0xFA3A8685), UINT32_C(0x0A7F4013), - UINT32_C(0x6F48A255), UINT32_C(0xDD393067), UINT32_C(0xD20C8BF9) } }, - { { UINT32_C(0x81625E78), UINT32_C(0x4EC874EA), UINT32_C(0x3FBE9267), - UINT32_C(0x8B8D8B5A), UINT32_C(0x9421EC2F), UINT32_C(0xA3D9D164), - UINT32_C(0x880EA295), UINT32_C(0x490E92D9), UINT32_C(0xD8F3B6DA), - UINT32_C(0x745D1EDC), UINT32_C(0x8F18BA03), UINT32_C(0x0116628B) }, - { UINT32_C(0x834EADCE), UINT32_C(0x0FF6BCE0), UINT32_C(0x000827F7), - UINT32_C(0x464697F2), UINT32_C(0x498D724E), UINT32_C(0x08DCCF84), - UINT32_C(0x1E88304C), UINT32_C(0x7896D365), UINT32_C(0x135E3622), - UINT32_C(0xE63EBCCE), UINT32_C(0xDC007521), UINT32_C(0xFB942E8E) } }, - { { UINT32_C(0xA3688621), UINT32_C(0xBB155A66), UINT32_C(0xF91B52A3), - UINT32_C(0xED2FD7CD), UINT32_C(0xEA20CB88), UINT32_C(0x52798F5D), - UINT32_C(0x373F7DD8), UINT32_C(0x069CE105), UINT32_C(0x8CA78F6B), - UINT32_C(0xF9392EC7), UINT32_C(0x6B335169), UINT32_C(0xB3013E25) }, - { UINT32_C(0x6B11715C), UINT32_C(0x1D92F800), UINT32_C(0xFF9DC464), - UINT32_C(0xADD4050E), UINT32_C(0x8465B84A), UINT32_C(0x2AC22659), - UINT32_C(0x465B2BD6), UINT32_C(0x2729D646), UINT32_C(0xE4EFF9DD), - UINT32_C(0x6202344A), UINT32_C(0xCD9B90B9), UINT32_C(0x51F3198F) } }, - { { UINT32_C(0xE5F0AE1D), UINT32_C(0x17CE54EF), UINT32_C(0xB09852AF), - UINT32_C(0x984E8204), UINT32_C(0xC4B27A71), UINT32_C(0x3365B37A), - UINT32_C(0xA00E0A9C), UINT32_C(0x720E3152), UINT32_C(0x925BD606), - UINT32_C(0x3692F70D), UINT32_C(0x7BC7E9AB), UINT32_C(0xBE6E699D) }, - { UINT32_C(0x4C89A3C0), UINT32_C(0xD75C041F), UINT32_C(0x8DC100C0), - UINT32_C(0x8B9F592D), UINT32_C(0xAD228F71), UINT32_C(0x30750F3A), - UINT32_C(0xE8B17A11), UINT32_C(0x1B9ECF84), UINT32_C(0x0FBFA8A2), - UINT32_C(0xDF202562), UINT32_C(0xAA1B6D67), UINT32_C(0x45C811FC) } }, - { { UINT32_C(0x1A5151F8), UINT32_C(0xEC5B84B7), UINT32_C(0x550AB2D2), - UINT32_C(0x118E59E8), UINT32_C(0x049BD735), UINT32_C(0x2CCDEDA4), - UINT32_C(0x9CD62F0F), UINT32_C(0xC99CBA71), UINT32_C(0x62C9E4F8), - UINT32_C(0x69B8040A), UINT32_C(0x110B8283), UINT32_C(0x16F1A31A) }, - { UINT32_C(0x98E908A3), UINT32_C(0x53F63802), UINT32_C(0xD862F9DE), - UINT32_C(0x308CB6EF), UINT32_C(0xA521A95A), UINT32_C(0xE185DAD8), - UINT32_C(0x097F75CA), UINT32_C(0x4D8FE9A4), UINT32_C(0x1CA07D53), - UINT32_C(0xD1ECCEC7), UINT32_C(0x0DB07E83), UINT32_C(0x13DFA1DC) } }, - { { UINT32_C(0x0F591A76), UINT32_C(0xDDAF9DC6), UINT32_C(0x1685F412), - UINT32_C(0xE1A6D7CC), UINT32_C(0x002B6E8D), UINT32_C(0x153DE557), - UINT32_C(0xC6DA37D9), UINT32_C(0x730C38BC), UINT32_C(0x0914B597), - UINT32_C(0xAE180622), UINT32_C(0xDD8C3A0A), UINT32_C(0x84F98103) }, - { UINT32_C(0x8DA205B0), UINT32_C(0x369C5398), UINT32_C(0x3888A720), - UINT32_C(0xA3D95B81), UINT32_C(0xE10E2806), UINT32_C(0x1F3F8BBF), - UINT32_C(0x4530D1F3), UINT32_C(0x48663DF5), UINT32_C(0x3E377713), - UINT32_C(0x320523B4), UINT32_C(0xC7894814), UINT32_C(0xE8B1A575) } }, - { { UINT32_C(0x2EE8EA07), UINT32_C(0x33066871), UINT32_C(0x60DA199D), - UINT32_C(0xC6FB4EC5), UINT32_C(0xF4370A05), UINT32_C(0x33231860), - UINT32_C(0xC6DE4E26), UINT32_C(0x7ABECE72), UINT32_C(0xEBDECE7A), - UINT32_C(0xDE8D4BD8), UINT32_C(0x1CBE93C7), UINT32_C(0xC90EE657) }, - { UINT32_C(0x85AC2509), UINT32_C(0x0246751B), UINT32_C(0x30380245), - UINT32_C(0xD0EF142C), UINT32_C(0x7C76E39C), UINT32_C(0x086DF9C4), - UINT32_C(0xB789FB56), UINT32_C(0x68F1304F), UINT32_C(0xA5E4BD56), - UINT32_C(0x23E4CB98), UINT32_C(0x64663DCA), UINT32_C(0x69A4C63C) } }, - { { UINT32_C(0x7CB34E63), UINT32_C(0x6C72B6AF), UINT32_C(0x6DFC23FE), - UINT32_C(0x073C40CD), UINT32_C(0xC936693A), UINT32_C(0xBDEEE7A1), - UINT32_C(0x6EFAD378), UINT32_C(0xBC858E80), UINT32_C(0xF5BE55D4), - UINT32_C(0xEAD719FF), UINT32_C(0x04552F5F), UINT32_C(0xC8C3238F) }, - { UINT32_C(0x928D5784), UINT32_C(0x0952C068), UINT32_C(0x94C58F2B), - UINT32_C(0x89DFDF22), UINT32_C(0x67502C50), UINT32_C(0x332DEDF3), - UINT32_C(0xAC0BE258), UINT32_C(0x3ED2FA3A), UINT32_C(0x7C5C8244), - UINT32_C(0xAEDC9B8A), UINT32_C(0xDC0EA34F), UINT32_C(0x43A761B9) } }, - { { UINT32_C(0xCC5E21A5), UINT32_C(0x8FD683A2), UINT32_C(0xFBA2BB68), - UINT32_C(0x5F444C6E), UINT32_C(0xAF05586D), UINT32_C(0x709ACD0E), - UINT32_C(0xDE8FB348), UINT32_C(0x8EFA54D2), UINT32_C(0x34CFE29E), - UINT32_C(0x35276B71), UINT32_C(0x941EAC8C), UINT32_C(0x77A06FCD) }, - { UINT32_C(0x928322DD), UINT32_C(0x5815792D), UINT32_C(0x67F7CB59), - UINT32_C(0x82FF356B), UINT32_C(0x304980F4), UINT32_C(0x71E40A78), - UINT32_C(0x3667D021), UINT32_C(0xC8645C27), UINT32_C(0xAEBAE28F), - UINT32_C(0xE785741C), UINT32_C(0x53ECAC37), UINT32_C(0xB2C1BC75) } }, - { { UINT32_C(0x1D0A74DB), UINT32_C(0x633EB24F), UINT32_C(0xFA752512), - UINT32_C(0xF1F55E56), UINT32_C(0x8EFE11DE), UINT32_C(0x75FECA68), - UINT32_C(0xE6BF19EC), UINT32_C(0xC80FD91C), UINT32_C(0x2A14C908), - UINT32_C(0xAD0BAFEC), UINT32_C(0xADE4031F), UINT32_C(0x4E1C4ACA) }, - { UINT32_C(0x1EB1549A), UINT32_C(0x463A815B), UINT32_C(0x668F1298), - UINT32_C(0x5AD4253C), UINT32_C(0x38A37151), UINT32_C(0x5CB38662), - UINT32_C(0xAFF16B96), UINT32_C(0x34BB1CCF), UINT32_C(0xEE731AB0), - UINT32_C(0xDCA93B13), UINT32_C(0x9BE01A0B), UINT32_C(0x9F3CE5CC) } }, - { { UINT32_C(0xA110D331), UINT32_C(0x75DB5723), UINT32_C(0x7123D89F), - UINT32_C(0x67C66F6A), UINT32_C(0x4009D570), UINT32_C(0x27ABBD4B), - UINT32_C(0xC73451BC), UINT32_C(0xACDA6F84), UINT32_C(0x05575ACF), - UINT32_C(0xE4B9A239), UINT32_C(0xAB2D3D6C), UINT32_C(0x3C2DB7EF) }, - { UINT32_C(0x29115145), UINT32_C(0x01CCDD08), UINT32_C(0x57B5814A), - UINT32_C(0x9E0602FE), UINT32_C(0x87862838), UINT32_C(0x679B35C2), - UINT32_C(0x38AD598D), UINT32_C(0x0277DC4C), UINT32_C(0x6D896DD4), - UINT32_C(0xEF80A213), UINT32_C(0xE7B9047B), UINT32_C(0xC8812213) } }, - }, - { - { { UINT32_C(0xEDC9CE62), UINT32_C(0xAC6DBDF6), UINT32_C(0x0F9C006E), - UINT32_C(0xA58F5B44), UINT32_C(0xDC28E1B0), UINT32_C(0x16694DE3), - UINT32_C(0xA6647711), UINT32_C(0x2D039CF2), UINT32_C(0xC5B08B4B), - UINT32_C(0xA13BBE6F), UINT32_C(0x10EBD8CE), UINT32_C(0xE44DA930) }, - { UINT32_C(0x19649A16), UINT32_C(0xCD472087), UINT32_C(0x683E5DF1), - UINT32_C(0xE18F4E44), UINT32_C(0x929BFA28), UINT32_C(0xB3F66303), - UINT32_C(0x818249BF), UINT32_C(0x7C378E43), UINT32_C(0x847F7CD9), - UINT32_C(0x76068C80), UINT32_C(0x987EBA16), UINT32_C(0xEE3DB6D1) } }, - { { UINT32_C(0xC42A2F52), UINT32_C(0xCBBD8576), UINT32_C(0x9D2B06BB), - UINT32_C(0x9ACC6F70), UINT32_C(0x2E6B72A4), UINT32_C(0xE5CB5620), - UINT32_C(0x7C024443), UINT32_C(0x5738EA0E), UINT32_C(0xB55368F3), - UINT32_C(0x8ED06170), UINT32_C(0x1AEED44F), UINT32_C(0xE54C99BB) }, - { UINT32_C(0xE2E0D8B2), UINT32_C(0x3D90A6B2), UINT32_C(0xCF7B2856), - UINT32_C(0x21718977), UINT32_C(0xC5612AEC), UINT32_C(0x089093DC), - UINT32_C(0x99C1BACC), UINT32_C(0xC272EF6F), UINT32_C(0xDC43EAAD), - UINT32_C(0x47DB3B43), UINT32_C(0x0832D891), UINT32_C(0x730F30E4) } }, - { { UINT32_C(0x0C7FECDB), UINT32_C(0x9FFE5563), UINT32_C(0xF88101E5), - UINT32_C(0x55CC67B6), UINT32_C(0xCBEFA3C7), UINT32_C(0x3039F981), - UINT32_C(0x667BFD64), UINT32_C(0x2AB06883), UINT32_C(0x4340E3DF), - UINT32_C(0x9007A257), UINT32_C(0x5A3A49CA), UINT32_C(0x1AC3F3FA) }, - { UINT32_C(0xC97E20FD), UINT32_C(0x9C7BE629), UINT32_C(0xA3DAE003), - UINT32_C(0xF61823D3), UINT32_C(0xE7380DBA), UINT32_C(0xFFE7FF39), - UINT32_C(0x9FACC3B8), UINT32_C(0x620BB9B5), UINT32_C(0x31AE422C), - UINT32_C(0x2DDCB8CD), UINT32_C(0xD12C3C43), UINT32_C(0x1DE3BCFA) } }, - { { UINT32_C(0xD6E0F9A9), UINT32_C(0x8C074946), UINT32_C(0x51C3B05B), - UINT32_C(0x662FA995), UINT32_C(0x04BB2048), UINT32_C(0x6CDAE969), - UINT32_C(0xD6DC8B60), UINT32_C(0x6DEC9594), UINT32_C(0x54438BBC), - UINT32_C(0x8D265869), UINT32_C(0x1B0E95A5), UINT32_C(0x88E983E3) }, - { UINT32_C(0x60CBF838), UINT32_C(0x8189F114), UINT32_C(0x771DC46B), - UINT32_C(0x77190697), UINT32_C(0x27F8EC1A), UINT32_C(0x775775A2), - UINT32_C(0x607E3739), UINT32_C(0x7A125240), UINT32_C(0x4F793E4E), - UINT32_C(0xAFAE84E7), UINT32_C(0x5BF5BAF4), UINT32_C(0x44FA17F3) } }, - { { UINT32_C(0xD03AC439), UINT32_C(0xA21E69A5), UINT32_C(0x88AA8094), - UINT32_C(0x2069C5FC), UINT32_C(0x8C08F206), UINT32_C(0xB041EEA7), - UINT32_C(0x3D65B8ED), UINT32_C(0x55B9D461), UINT32_C(0xD392C7C4), - UINT32_C(0x951EA25C), UINT32_C(0x9D166232), UINT32_C(0x4B9A1CEC) }, - { UINT32_C(0xFCF931A4), UINT32_C(0xC184FCD8), UINT32_C(0x063AD374), - UINT32_C(0xBA59AD44), UINT32_C(0x1AA9796F), UINT32_C(0x1868AD2A), - UINT32_C(0xDFF29832), UINT32_C(0x38A34018), UINT32_C(0x03DF8070), - UINT32_C(0x01FC8801), UINT32_C(0x48DD334A), UINT32_C(0x1282CCE0) } }, - { { UINT32_C(0x26D8503C), UINT32_C(0x76AA9557), UINT32_C(0x6BC3E3D0), - UINT32_C(0xBE962B63), UINT32_C(0x97DE8841), UINT32_C(0xF5CA93E5), - UINT32_C(0xAF3F2C16), UINT32_C(0x1561B05E), UINT32_C(0xD34BFF98), - UINT32_C(0x34BE00AA), UINT32_C(0xD23D2925), UINT32_C(0xEA21E6E9) }, - { UINT32_C(0x394C3AFB), UINT32_C(0x55713230), UINT32_C(0xD6C8BECA), - UINT32_C(0xEAF0529B), UINT32_C(0x202B9A11), UINT32_C(0xFF38A743), - UINT32_C(0x6D3A398B), UINT32_C(0xA13E39FC), UINT32_C(0x86E2615A), - UINT32_C(0x8CBD644B), UINT32_C(0x191057EC), UINT32_C(0x92063988) } }, - { { UINT32_C(0x13F89146), UINT32_C(0x787835CE), UINT32_C(0x69446C3F), - UINT32_C(0x7FCD42CC), UINT32_C(0x840E679D), UINT32_C(0x0DA2AA98), - UINT32_C(0x18779A1B), UINT32_C(0x44F20523), UINT32_C(0xEFBF5935), - UINT32_C(0xE3A3B34F), UINT32_C(0xB9947B70), UINT32_C(0xA5D2CFD0) }, - { UINT32_C(0x27F4E16F), UINT32_C(0xAE2AF4EF), UINT32_C(0xB9D21322), - UINT32_C(0xA7FA70D2), UINT32_C(0xB3FD566B), UINT32_C(0x68084919), - UINT32_C(0xD7AAD6AB), UINT32_C(0xF04D71C8), UINT32_C(0x10BC4260), - UINT32_C(0xDBEA21E4), UINT32_C(0x8D949B42), UINT32_C(0xAA7DC665) } }, - { { UINT32_C(0x6CCB8213), UINT32_C(0xD8E958A0), UINT32_C(0x91900B54), - UINT32_C(0x118D9DB9), UINT32_C(0x85E8CED6), UINT32_C(0x09BB9D49), - UINT32_C(0x24019281), UINT32_C(0x410E9FB5), UINT32_C(0x6D74C86E), - UINT32_C(0x3B31B4E1), UINT32_C(0x020BB77D), UINT32_C(0x52BC0252) }, - { UINT32_C(0x27092CE4), UINT32_C(0x5616A26F), UINT32_C(0xA08F65CD), - UINT32_C(0x67774DBC), UINT32_C(0xC08BD569), UINT32_C(0x560AD494), - UINT32_C(0xAD498783), UINT32_C(0xBE26DA36), UINT32_C(0x7F019C91), - UINT32_C(0x0276C8AB), UINT32_C(0x5248266E), UINT32_C(0x09843ADA) } }, - { { UINT32_C(0x7D963CF2), UINT32_C(0xA0AE88A7), UINT32_C(0xD0E84920), - UINT32_C(0x91EF8986), UINT32_C(0xF8C58104), UINT32_C(0xC7EFE344), - UINT32_C(0xECA20773), UINT32_C(0x0A25D9FD), UINT32_C(0x00D8F1D5), - UINT32_C(0x9D989FAA), UINT32_C(0xC8B06264), UINT32_C(0x4204C8CE) }, - { UINT32_C(0xBE1A2796), UINT32_C(0x717C12E0), UINT32_C(0xC190C728), - UINT32_C(0x1FA4BA8C), UINT32_C(0x8C8A59BA), UINT32_C(0xA245CA8D), - UINT32_C(0x7672B935), UINT32_C(0xE3C37475), UINT32_C(0x2E4D6375), - UINT32_C(0x083D5E40), UINT32_C(0x5455E16E), UINT32_C(0x0B8D5AB3) } }, - { { UINT32_C(0xEED765D4), UINT32_C(0x1DB17DBF), UINT32_C(0xA5DDB965), - UINT32_C(0xBBC9B1BE), UINT32_C(0xDFC12ABC), UINT32_C(0x1948F76D), - UINT32_C(0x134EF489), UINT32_C(0x2C2714E5), UINT32_C(0x741C600F), - UINT32_C(0x60CE2EE8), UINT32_C(0xF80E6E63), UINT32_C(0x32396F22) }, - { UINT32_C(0x22537F59), UINT32_C(0x421DAC75), UINT32_C(0x49475DF5), - UINT32_C(0x58FB73C6), UINT32_C(0x6F18F1C7), UINT32_C(0x0ABF2885), - UINT32_C(0x9A398D16), UINT32_C(0x36474468), UINT32_C(0xBF673B87), - UINT32_C(0x87A661A7), UINT32_C(0x73819E17), UINT32_C(0x3E80698F) } }, - { { UINT32_C(0x53784CC4), UINT32_C(0xDFE49793), UINT32_C(0x486D508F), - UINT32_C(0x4280EAB0), UINT32_C(0xE534F5A4), UINT32_C(0x119593FF), - UINT32_C(0x9F63242F), UINT32_C(0x98AEFADD), UINT32_C(0xC4829CAE), - UINT32_C(0x9AE6A24A), UINT32_C(0x58E8BA80), UINT32_C(0xF2373CA5) }, - { UINT32_C(0x51765FB3), UINT32_C(0x4017AF7E), UINT32_C(0xAF4AEC4B), - UINT32_C(0xD1E40F7C), UINT32_C(0x0898E3BC), UINT32_C(0x87372C7A), - UINT32_C(0x85452CA9), UINT32_C(0x688982B2), UINT32_C(0xB1E50BCA), - UINT32_C(0x71E0B4BF), UINT32_C(0xF70E714A), UINT32_C(0x21FD2DBF) } }, - { { UINT32_C(0xFB78DDAC), UINT32_C(0xEE6E8820), UINT32_C(0x063892CD), - UINT32_C(0x0BAED29C), UINT32_C(0x28C0588D), UINT32_C(0x5F33049C), - UINT32_C(0x18DBC432), UINT32_C(0x90C2515E), UINT32_C(0x3B4CB0BD), - UINT32_C(0xB8A1B143), UINT32_C(0x68103043), UINT32_C(0x0AB5C0C9) }, - { UINT32_C(0x4005EC40), UINT32_C(0xF3788FA0), UINT32_C(0x039EE115), - UINT32_C(0x82571C99), UINT32_C(0x93260BED), UINT32_C(0xEE8FCED5), - UINT32_C(0x10836D18), UINT32_C(0x5A9BAF79), UINT32_C(0xC46AA4F6), - UINT32_C(0x7C258B09), UINT32_C(0x37F53D31), UINT32_C(0x46ECC5E8) } }, - { { UINT32_C(0xBFE0DD98), UINT32_C(0xFA32C0DC), UINT32_C(0x962B1066), - UINT32_C(0x66EFAFC4), UINT32_C(0x64BDF5EB), UINT32_C(0xBA81D33E), - UINT32_C(0xFC7FC512), UINT32_C(0x36C28536), UINT32_C(0xE0B4FA97), - UINT32_C(0x0C95176B), UINT32_C(0x3B9BC64A), UINT32_C(0x47DDE29B) }, - { UINT32_C(0x5C173B36), UINT32_C(0x08D986FD), UINT32_C(0x6CF3F28C), - UINT32_C(0x46D84B52), UINT32_C(0xF026BDB9), UINT32_C(0x6F6ED6C3), - UINT32_C(0x68206DC5), UINT32_C(0xAC90668B), UINT32_C(0xECBE4E70), - UINT32_C(0xE8ED5D98), UINT32_C(0xDC1A6974), UINT32_C(0xCFFF61DD) } }, - { { UINT32_C(0x77B1A5C1), UINT32_C(0xFF5C3A29), UINT32_C(0x0DDF995D), - UINT32_C(0x10C27E4A), UINT32_C(0xE23363E3), UINT32_C(0xCB745F77), - UINT32_C(0x32F399A3), UINT32_C(0xD765DF6F), UINT32_C(0x8A99E109), - UINT32_C(0xF0CA0C2F), UINT32_C(0x1E025CA0), UINT32_C(0xC3A6BFB7) }, - { UINT32_C(0x4F9D9FA5), UINT32_C(0x830B2C0A), UINT32_C(0xBD1A84E5), - UINT32_C(0xAE914CAC), UINT32_C(0xA4FEBCC1), UINT32_C(0x30B35ED8), - UINT32_C(0x84CFBF2E), UINT32_C(0xCB902B46), UINT32_C(0x25FC6375), - UINT32_C(0x0BD47628), UINT32_C(0x85509D04), UINT32_C(0xA858A53C) } }, - { { UINT32_C(0x552E0A3F), UINT32_C(0x8B995D0C), UINT32_C(0x17BE9FF7), - UINT32_C(0xEDBD4E94), UINT32_C(0x95085178), UINT32_C(0x3432E839), - UINT32_C(0x80C256F5), UINT32_C(0x0FE5C181), UINT32_C(0xEBF9597C), - UINT32_C(0x05A64EA8), UINT32_C(0x3F80371F), UINT32_C(0x6ED44BB1) }, - { UINT32_C(0xFE4C12EE), UINT32_C(0x6A29A05E), UINT32_C(0xE0BB83B3), - UINT32_C(0x3E436A43), UINT32_C(0x74D72921), UINT32_C(0x38365D9A), - UINT32_C(0xC38E1ED7), UINT32_C(0x3F5EE823), UINT32_C(0xE8FA063F), - UINT32_C(0x09A53213), UINT32_C(0xB435E713), UINT32_C(0x1E7FE47A) } }, - { { UINT32_C(0xFDDD17F3), UINT32_C(0xE4D9BC94), UINT32_C(0xC1016C20), - UINT32_C(0xC74B8FED), UINT32_C(0xB49C060E), UINT32_C(0x095DE39B), - UINT32_C(0x8AC0DF00), UINT32_C(0xDBCC6795), UINT32_C(0x1C34F4DF), - UINT32_C(0x4CF6BAEB), UINT32_C(0xE8390170), UINT32_C(0x72C55C21) }, - { UINT32_C(0xF6C48E79), UINT32_C(0x4F17BFD2), UINT32_C(0x017A80BA), - UINT32_C(0x18BF4DA0), UINT32_C(0xBCF4B138), UINT32_C(0xCF51D829), - UINT32_C(0xF48F8B0D), UINT32_C(0x598AEE5F), UINT32_C(0x20F10809), - UINT32_C(0x83FAEE56), UINT32_C(0x779F0850), UINT32_C(0x4615D4DC) } }, - }, - { - { { UINT32_C(0x5852B59B), UINT32_C(0x22313DEE), UINT32_C(0xB6A0B37F), - UINT32_C(0x6F56C8E8), UINT32_C(0xA76EC380), UINT32_C(0x43D6EEAE), - UINT32_C(0x0275AD36), UINT32_C(0xA1655136), UINT32_C(0xDF095BDA), - UINT32_C(0xE5C1B65A), UINT32_C(0x367C44B0), UINT32_C(0xBD1FFA8D) }, - { UINT32_C(0x6B48AF2B), UINT32_C(0xE2B419C2), UINT32_C(0x3DA194C8), - UINT32_C(0x57BBBD97), UINT32_C(0xA2BAFF05), UINT32_C(0xB5FBE51F), - UINT32_C(0x6269B5D0), UINT32_C(0xA0594D70), UINT32_C(0x23E8D667), - UINT32_C(0x0B07B705), UINT32_C(0x63E016E7), UINT32_C(0xAE1976B5) } }, - { { UINT32_C(0xFBECAAAE), UINT32_C(0x2FDE4893), UINT32_C(0x30332229), - UINT32_C(0x444346DE), UINT32_C(0x09456ED5), UINT32_C(0x157B8A5B), - UINT32_C(0x25797C6C), UINT32_C(0x73606A79), UINT32_C(0x33C14C06), - UINT32_C(0xA9D0F47C), UINT32_C(0xFAF971CA), UINT32_C(0x7BC8962C) }, - { UINT32_C(0x65909DFD), UINT32_C(0x6E763C51), UINT32_C(0x14A9BF42), - UINT32_C(0x1BBBE41B), UINT32_C(0xC49E9EFC), UINT32_C(0xD95B7ECB), - UINT32_C(0xB38F2B59), UINT32_C(0x0C317927), UINT32_C(0xB3C397DB), - UINT32_C(0x97912B53), UINT32_C(0x45C7ABC7), UINT32_C(0xCB3879AA) } }, - { { UINT32_C(0x24359B81), UINT32_C(0xCD81BDCF), UINT32_C(0xDB4C321C), - UINT32_C(0x6FD326E2), UINT32_C(0xF8EBE39C), UINT32_C(0x4CB0228B), - UINT32_C(0xB2CDD852), UINT32_C(0x496A9DCE), UINT32_C(0xD0E9B3AF), - UINT32_C(0x0F115A1A), UINT32_C(0xD8EEEF8A), UINT32_C(0xAA08BF36) }, - { UINT32_C(0x06E5E739), UINT32_C(0x5232A515), UINT32_C(0x8407A551), - UINT32_C(0x21FAE9D5), UINT32_C(0x8994B4E8), UINT32_C(0x289D18B0), - UINT32_C(0x09097A52), UINT32_C(0xB4E346A8), UINT32_C(0x324621D0), - UINT32_C(0xC641510F), UINT32_C(0x95A41AB8), UINT32_C(0xC567FD4A) } }, - { { UINT32_C(0xD57C8DE9), UINT32_C(0x261578C7), UINT32_C(0x3836C5C8), - UINT32_C(0xB9BC491F), UINT32_C(0x14C8038F), UINT32_C(0x993266B4), - UINT32_C(0xFAA7CC39), UINT32_C(0xBACAD755), UINT32_C(0xD69B7E27), - UINT32_C(0x418C4DEF), UINT32_C(0xAE751533), UINT32_C(0x53FDC5CD) }, - { UINT32_C(0xC3EEA63A), UINT32_C(0x6F3BD329), UINT32_C(0xE53DD29E), - UINT32_C(0xA7A22091), UINT32_C(0xDC4C54EC), UINT32_C(0xB7164F73), - UINT32_C(0x44D3D74E), UINT32_C(0xCA66290D), UINT32_C(0x4C9EA511), - UINT32_C(0xF77C6242), UINT32_C(0x1F714C49), UINT32_C(0x34337F55) } }, - { { UINT32_C(0xA64B6C4B), UINT32_C(0x5ED2B216), UINT32_C(0x3AAE640D), - UINT32_C(0x1C38794F), UINT32_C(0x8905794F), UINT32_C(0x30BBAEE0), - UINT32_C(0xC8699CFB), UINT32_C(0x0D9EE41E), UINT32_C(0xCF7B7C29), - UINT32_C(0xAF38DAF2), UINT32_C(0x43E53513), UINT32_C(0x0D6A05CA) }, - { UINT32_C(0x2606AB56), UINT32_C(0xBE96C644), UINT32_C(0xE9EB9734), - UINT32_C(0x13E7A072), UINT32_C(0x5FF50CD7), UINT32_C(0xF9669445), - UINT32_C(0x47DA6F1D), UINT32_C(0x68EF26B5), UINT32_C(0x23687CB7), - UINT32_C(0xF0028738), UINT32_C(0x6217C1CE), UINT32_C(0x5ED9C876) } }, - { { UINT32_C(0x0A3A9691), UINT32_C(0x423BA513), UINT32_C(0xB3179296), - UINT32_C(0xF421B1E7), UINT32_C(0x1A871E1B), UINT32_C(0x6B51BCDB), - UINT32_C(0x464E4300), UINT32_C(0x6E3BB5B5), UINT32_C(0xFC6C54CC), - UINT32_C(0x24171E2E), UINT32_C(0xD3E58DC2), UINT32_C(0xA9DFA947) }, - { UINT32_C(0x9DE9CFA7), UINT32_C(0x175B3309), UINT32_C(0x2D1015DA), - UINT32_C(0x707B2529), UINT32_C(0x993EA65A), UINT32_C(0xCBB95F17), - UINT32_C(0x0447450D), UINT32_C(0x93515063), UINT32_C(0x1B2753C9), - UINT32_C(0x0F47B205), UINT32_C(0xE7D427CF), UINT32_C(0x4A0BAB14) } }, - { { UINT32_C(0xB5AA7CA1), UINT32_C(0xA39DEF39), UINT32_C(0xC47C33DF), - UINT32_C(0x591CB173), UINT32_C(0x6BBAB872), UINT32_C(0xA09DAC79), - UINT32_C(0x7208BA2F), UINT32_C(0x3EF9D7CF), UINT32_C(0x7A0A34FC), - UINT32_C(0x3CC18931), UINT32_C(0xBCC3380F), UINT32_C(0xAE31C62B) }, - { UINT32_C(0x0287C0B4), UINT32_C(0xD72A6794), UINT32_C(0x68E334F1), - UINT32_C(0x3373382C), UINT32_C(0xBD20C6A6), UINT32_C(0xD0310CA8), - UINT32_C(0x42C033FD), UINT32_C(0xA2734B87), UINT32_C(0x8DCE4509), - UINT32_C(0xA5D390F1), UINT32_C(0x3E1AFCB5), UINT32_C(0xFC84E74B) } }, - { { UINT32_C(0xF2CD8A9C), UINT32_C(0xB028334D), UINT32_C(0x570F76F6), - UINT32_C(0xB8719291), UINT32_C(0x01065A2D), UINT32_C(0x662A386E), - UINT32_C(0x53D940AE), UINT32_C(0xDF1634CB), UINT32_C(0x8F5B41F9), - UINT32_C(0x625A7B83), UINT32_C(0xEE6AA1B4), UINT32_C(0xA033E4FE) }, - { UINT32_C(0x1E42BABB), UINT32_C(0x51E9D463), UINT32_C(0x0D388468), - UINT32_C(0x660BC2E4), UINT32_C(0xFCBB114A), UINT32_C(0x3F702189), - UINT32_C(0xB414CA78), UINT32_C(0x6B46FE35), UINT32_C(0x4A57316B), - UINT32_C(0x328F6CF2), UINT32_C(0x381AD156), UINT32_C(0x917423B5) } }, - { { UINT32_C(0x5373A607), UINT32_C(0xAC19306E), UINT32_C(0x191D0969), - UINT32_C(0x471DF8E3), UINT32_C(0xB9720D83), UINT32_C(0x380ADE35), - UINT32_C(0x48F1FD5C), UINT32_C(0x7423FDF5), UINT32_C(0x49CABC95), - UINT32_C(0x8B090C9F), UINT32_C(0xC9842F2F), UINT32_C(0xB768E8CD) }, - { UINT32_C(0xE56162D6), UINT32_C(0x399F456D), UINT32_C(0x4F326791), - UINT32_C(0xBB6BA240), UINT32_C(0x342590BE), UINT32_C(0x8F4FBA3B), - UINT32_C(0x3DFB6B3E), UINT32_C(0x053986B9), UINT32_C(0x190C7425), - UINT32_C(0xBB6739F1), UINT32_C(0x32F7E95F), UINT32_C(0x32D4A553) } }, - { { UINT32_C(0x0DDBFB21), UINT32_C(0x0205A0EC), UINT32_C(0x33AC3407), - UINT32_C(0x3010327D), UINT32_C(0x3348999B), UINT32_C(0xCF2F4DB3), - UINT32_C(0x1551604A), UINT32_C(0x660DB9F4), UINT32_C(0x5D38D335), - UINT32_C(0xC346C69A), UINT32_C(0x38882479), UINT32_C(0x64AAB3D3) }, - { UINT32_C(0x6AE44403), UINT32_C(0xA096B5E7), UINT32_C(0x645F76CD), - UINT32_C(0x6B4C9571), UINT32_C(0x4711120F), UINT32_C(0x72E1CD5F), - UINT32_C(0xF27CC3E1), UINT32_C(0x93EC42AC), UINT32_C(0xA72ABB12), - UINT32_C(0x2D18D004), UINT32_C(0xC9841A04), UINT32_C(0x232E9568) } }, - { { UINT32_C(0x3CC7F908), UINT32_C(0xFF01DB22), UINT32_C(0xD13CDD3B), - UINT32_C(0x9F214F8F), UINT32_C(0xE0B014B5), UINT32_C(0x38DADBB7), - UINT32_C(0x94245C95), UINT32_C(0x2C548CCC), UINT32_C(0x809AFCE3), - UINT32_C(0x714BE331), UINT32_C(0x9BFE957E), UINT32_C(0xBCC64410) }, - { UINT32_C(0x5B957F80), UINT32_C(0xC21C2D21), UINT32_C(0xBB8A4C42), - UINT32_C(0xBA2D4FDC), UINT32_C(0x74817CEC), UINT32_C(0xFA6CD4AF), - UINT32_C(0xC528EAD6), UINT32_C(0x9E7FB523), UINT32_C(0x7714B10E), - UINT32_C(0xAED781FF), UINT32_C(0x94F04455), UINT32_C(0xB52BB592) } }, - { { UINT32_C(0x868CC68B), UINT32_C(0xA578BD69), UINT32_C(0x603F2C08), - UINT32_C(0xA40FDC8D), UINT32_C(0x2D81B042), UINT32_C(0x53D79BD1), - UINT32_C(0xA7587EAB), UINT32_C(0x1B136AF3), UINT32_C(0x868A16DB), - UINT32_C(0x1ED4F939), UINT32_C(0xD0B98273), UINT32_C(0x775A61FB) }, - { UINT32_C(0xE56BEF8C), UINT32_C(0xBA5C12A6), UINT32_C(0xDDDC8595), - UINT32_C(0xF926CE52), UINT32_C(0x586FE1F8), UINT32_C(0xA13F5C8F), - UINT32_C(0x060DBB54), UINT32_C(0xEAC9F7F2), UINT32_C(0x51AF4342), - UINT32_C(0x70C0AC3A), UINT32_C(0x79CDA450), UINT32_C(0xC16E303C) } }, - { { UINT32_C(0x8113F4EA), UINT32_C(0xD0DADD6C), UINT32_C(0x07BDF09F), - UINT32_C(0xF14E3922), UINT32_C(0xAA7D877C), UINT32_C(0x3FE5E9C2), - UINT32_C(0x48779264), UINT32_C(0x9EA95C19), UINT32_C(0x4FCB8344), - UINT32_C(0xE93F65A7), UINT32_C(0x76D925A4), UINT32_C(0x9F40837E) }, - { UINT32_C(0x8271FFC7), UINT32_C(0x0EA6DA3F), UINT32_C(0xCC8F9B19), - UINT32_C(0x557FA529), UINT32_C(0x78E6DDFD), UINT32_C(0x2613DBF1), - UINT32_C(0x36B1E954), UINT32_C(0x7A7523B8), UINT32_C(0x406A87FB), - UINT32_C(0x20EB3168), UINT32_C(0x03ABA56A), UINT32_C(0x64C21C14) } }, - { { UINT32_C(0xC032DD5F), UINT32_C(0xE86C9C2D), UINT32_C(0x86F16A21), - UINT32_C(0x158CEB8E), UINT32_C(0x68326AF1), UINT32_C(0x0279FF53), - UINT32_C(0x59F12BA5), UINT32_C(0x1FFE2E2B), UINT32_C(0x86826D45), - UINT32_C(0xD75A46DB), UINT32_C(0x1E33E6AC), UINT32_C(0xE19B4841) }, - { UINT32_C(0x0E52991C), UINT32_C(0x5F0CC524), UINT32_C(0x8B116286), - UINT32_C(0x645871F9), UINT32_C(0xFCAEC5D3), UINT32_C(0xAB3B4B1E), - UINT32_C(0x51D0F698), UINT32_C(0x994C8DF0), UINT32_C(0xE5D13040), - UINT32_C(0x06F890AF), UINT32_C(0x5F96C7C2), UINT32_C(0x72D9DC23) } }, - { { UINT32_C(0xE7886A80), UINT32_C(0x7C018DEE), UINT32_C(0x8786E4A3), - UINT32_C(0xFA209330), UINT32_C(0xA4415CA1), UINT32_C(0xCEC8E2A3), - UINT32_C(0xCC83CC60), UINT32_C(0x5C736FC1), UINT32_C(0xF00C259F), - UINT32_C(0xFEF9788C), UINT32_C(0xDD29A6AD), UINT32_C(0xED5C01CB) }, - { UINT32_C(0x3E20825B), UINT32_C(0x87834A03), UINT32_C(0x123F9358), - UINT32_C(0x13B1239D), UINT32_C(0xFBC286C1), UINT32_C(0x7E8869D0), - UINT32_C(0x24CE8609), UINT32_C(0xC4AB5AA3), UINT32_C(0xB6349208), - UINT32_C(0x38716BEE), UINT32_C(0xB322AE21), UINT32_C(0x0BDF4F99) } }, - { { UINT32_C(0x53E3494B), UINT32_C(0x6B97A2BF), UINT32_C(0x70F7A13E), - UINT32_C(0xA8AA05C5), UINT32_C(0xF1305B51), UINT32_C(0x209709C2), - UINT32_C(0xDAB76F2C), UINT32_C(0x57B31888), UINT32_C(0xAA2A406A), - UINT32_C(0x75B2ECD7), UINT32_C(0xA35374A4), UINT32_C(0x88801A00) }, - { UINT32_C(0x45C0471B), UINT32_C(0xE1458D1C), UINT32_C(0x322C1AB0), - UINT32_C(0x5760E306), UINT32_C(0xAD6AB0A6), UINT32_C(0x789A0AF1), - UINT32_C(0xF458B9CE), UINT32_C(0x74398DE1), UINT32_C(0x32E0C65F), - UINT32_C(0x1652FF9F), UINT32_C(0xFFFB3A52), UINT32_C(0xFAF1F9D5) } }, - }, - { - { { UINT32_C(0xD1D1B007), UINT32_C(0xA05C751C), UINT32_C(0x0213E478), - UINT32_C(0x016C213B), UINT32_C(0xF4C98FEE), UINT32_C(0x9C56E26C), - UINT32_C(0xE7B3A7C7), UINT32_C(0x6084F8B9), UINT32_C(0xDECC1646), - UINT32_C(0xA0B042F6), UINT32_C(0xFBF3A0BC), UINT32_C(0x4A6F3C1A) }, - { UINT32_C(0x51C9F909), UINT32_C(0x94524C2C), UINT32_C(0x3A6D3748), - UINT32_C(0xF3B3AD40), UINT32_C(0x7CE1F9F5), UINT32_C(0x18792D6E), - UINT32_C(0xFC0C34FA), UINT32_C(0x8EBC2FD7), UINT32_C(0x780A1693), - UINT32_C(0x032A9F41), UINT32_C(0x56A60019), UINT32_C(0x34F9801E) } }, - { { UINT32_C(0xF0DB3751), UINT32_C(0xB398290C), UINT32_C(0xBA42C976), - UINT32_C(0x01170580), UINT32_C(0x56560B89), UINT32_C(0x3E71AA29), - UINT32_C(0x50E6647B), UINT32_C(0x80817AAC), UINT32_C(0xA0BE42DA), - UINT32_C(0x35C833AD), UINT32_C(0xF1BABA4E), UINT32_C(0xFA3C6148) }, - { UINT32_C(0xCD8F6253), UINT32_C(0xC57BE645), UINT32_C(0xC657AD0D), - UINT32_C(0x77CEE46B), UINT32_C(0x0DEFD908), UINT32_C(0x83007731), - UINT32_C(0x899CBA56), UINT32_C(0x92FE9BCE), UINT32_C(0xBCEFFB5A), - UINT32_C(0x48450EC4), UINT32_C(0xF2F5F4BF), UINT32_C(0xE615148D) } }, - { { UINT32_C(0x90B86166), UINT32_C(0xF55EDABB), UINT32_C(0x075430A2), - UINT32_C(0x27F7D784), UINT32_C(0x9BF17161), UINT32_C(0xF53E822B), - UINT32_C(0xAFE808DC), UINT32_C(0x4A5B3B93), UINT32_C(0xD7272F55), - UINT32_C(0x590BBBDE), UINT32_C(0xEAEA79A1), UINT32_C(0x233D63FA) }, - { UINT32_C(0xFE1EBA07), UINT32_C(0xD7042BEA), UINT32_C(0x10750D7E), - UINT32_C(0xD2B9AEA0), UINT32_C(0x31078AA5), UINT32_C(0xD8D1E690), - UINT32_C(0x7E37BC8B), UINT32_C(0x9E837F18), UINT32_C(0x85008975), - UINT32_C(0x9558FF4F), UINT32_C(0x421FE867), UINT32_C(0x93EDB837) } }, - { { UINT32_C(0x83D55B5A), UINT32_C(0xAA6489DF), UINT32_C(0x86BF27F7), - UINT32_C(0xEA092E49), UINT32_C(0x5FA2EFEC), UINT32_C(0x4D8943A9), - UINT32_C(0x720E1A8C), UINT32_C(0xC9BAAE53), UINT32_C(0x95A4F8A3), - UINT32_C(0xC055444B), UINT32_C(0xA7C1206B), UINT32_C(0x93BD01E8) }, - { UINT32_C(0x714A27DF), UINT32_C(0xD97765B6), UINT32_C(0x193F1B16), - UINT32_C(0xD622D954), UINT32_C(0xF1503B15), UINT32_C(0x115CC35A), - UINT32_C(0xA9FA21F8), UINT32_C(0x1DD5359F), UINT32_C(0x6DFED1F1), - UINT32_C(0x197C3299), UINT32_C(0xF77F2679), UINT32_C(0xDEE8B7C9) } }, - { { UINT32_C(0x394FD855), UINT32_C(0x5405179F), UINT32_C(0x49FDFB33), - UINT32_C(0xC9D6E244), UINT32_C(0xBD903393), UINT32_C(0x70EBCAB4), - UINT32_C(0xA2C56780), UINT32_C(0x0D3A3899), UINT32_C(0x683D1A0A), - UINT32_C(0x012C7256), UINT32_C(0x80A48F3B), UINT32_C(0xC688FC88) }, - { UINT32_C(0x6F7DF527), UINT32_C(0x18095754), UINT32_C(0x71315D16), - UINT32_C(0x9E339B4B), UINT32_C(0xA956BB12), UINT32_C(0x90560C28), - UINT32_C(0xD42EEE8D), UINT32_C(0x2BECEA60), UINT32_C(0x50632653), - UINT32_C(0x82AEB9A7), UINT32_C(0xDFA5CD6A), UINT32_C(0xED34353E) } }, - { { UINT32_C(0x91AECCE4), UINT32_C(0x82154D2C), UINT32_C(0x5041887F), - UINT32_C(0x312C6070), UINT32_C(0xFB9FBD71), UINT32_C(0xECF589F3), - UINT32_C(0xB524BDE4), UINT32_C(0x67660A7D), UINT32_C(0x724ACF23), - UINT32_C(0xE99B029D), UINT32_C(0x6D1CD891), UINT32_C(0xDF06E4AF) }, - { UINT32_C(0x80EE304D), UINT32_C(0x07806CB5), UINT32_C(0x7443A8F8), - UINT32_C(0x0C70BB9F), UINT32_C(0x08B0830A), UINT32_C(0x01EC3414), - UINT32_C(0x5A81510B), UINT32_C(0xFD7B63C3), UINT32_C(0x453B5F93), - UINT32_C(0xE90A0A39), UINT32_C(0x9BC71725), UINT32_C(0xAB700F8F) } }, - { { UINT32_C(0xB9F00793), UINT32_C(0x9401AEC2), UINT32_C(0xB997F0BF), - UINT32_C(0x064EC4F4), UINT32_C(0x849240C8), UINT32_C(0xDC0CC1FD), - UINT32_C(0xB6E92D72), UINT32_C(0x39A75F37), UINT32_C(0x0224A4AB), - UINT32_C(0xAA43CA5D), UINT32_C(0x54614C47), UINT32_C(0x9C4D6325) }, - { UINT32_C(0xC6709DA3), UINT32_C(0x1767366F), UINT32_C(0x23479232), - UINT32_C(0xA6B482D1), UINT32_C(0x84D63E85), UINT32_C(0x54DC6DDC), - UINT32_C(0xC99D3B9E), UINT32_C(0x0ACCB5AD), UINT32_C(0xE8AA3ABF), - UINT32_C(0x211716BB), UINT32_C(0x69EC6406), UINT32_C(0xD0FE25AD) } }, - { { UINT32_C(0xDF85C705), UINT32_C(0x0D5C1769), UINT32_C(0xA409DCD1), - UINT32_C(0x7086C93D), UINT32_C(0x0E8D75D8), UINT32_C(0x9710839D), - UINT32_C(0xEBDD4177), UINT32_C(0x17B7DB75), UINT32_C(0xF649A809), - UINT32_C(0xAF69EB58), UINT32_C(0x8A84E220), UINT32_C(0x6EF19EA2) }, - { UINT32_C(0x65C278B2), UINT32_C(0x36EB5C66), UINT32_C(0x81EA9D65), - UINT32_C(0xD2A15128), UINT32_C(0x769300AD), UINT32_C(0x4FCBA840), - UINT32_C(0xC8E536E5), UINT32_C(0xC2052CCD), UINT32_C(0xAC263B8F), - UINT32_C(0x9CAEE014), UINT32_C(0xF9239663), UINT32_C(0x56F7ED7A) } }, - { { UINT32_C(0xAC9E09E1), UINT32_C(0xF6FA251F), UINT32_C(0x955A2853), - UINT32_C(0xA3775605), UINT32_C(0xF2A4BD78), UINT32_C(0x977B8D21), - UINT32_C(0x3E096410), UINT32_C(0xF68AA7FF), UINT32_C(0x65F88419), - UINT32_C(0x01AB0552), UINT32_C(0xBB93F64E), UINT32_C(0xC4C8D77E) }, - { UINT32_C(0x3451FE64), UINT32_C(0x71825111), UINT32_C(0x46F9BAF0), - UINT32_C(0xFA0F905B), UINT32_C(0xCA49EF1A), UINT32_C(0x79BE3BF3), - UINT32_C(0x6CB02071), UINT32_C(0x831109B2), UINT32_C(0xC4DDBFE5), - UINT32_C(0x765F935F), UINT32_C(0x80E5A3BA), UINT32_C(0x6F99CD14) } }, - { { UINT32_C(0x234F91FF), UINT32_C(0xD2E8DA04), UINT32_C(0x813867AA), - UINT32_C(0x4DED4D6D), UINT32_C(0xE0A0D945), UINT32_C(0x3B50175D), - UINT32_C(0x4EB78137), UINT32_C(0x55AC7406), UINT32_C(0xE1D47730), - UINT32_C(0xE9FA7F6E), UINT32_C(0x5CBF2176), UINT32_C(0x2C171531) }, - { UINT32_C(0x2BE7A47D), UINT32_C(0xA521788F), UINT32_C(0x3FCF1AB3), - UINT32_C(0x95B15A27), UINT32_C(0xF28A946A), UINT32_C(0xAADA6401), - UINT32_C(0x8B4E898B), UINT32_C(0x628B2EF4), UINT32_C(0x6D6592CC), - UINT32_C(0x0E6F4629), UINT32_C(0xA723CADD), UINT32_C(0x997C7094) } }, - { { UINT32_C(0x6AFE80C6), UINT32_C(0x878BCE11), UINT32_C(0x007BBA38), - UINT32_C(0xA89ABC9D), UINT32_C(0xA7CC267F), UINT32_C(0xB0C1F87B), - UINT32_C(0x5104FF04), UINT32_C(0x86D33B9D), UINT32_C(0x2EF1BA42), - UINT32_C(0xB0504B1B), UINT32_C(0xB2827E88), UINT32_C(0x21693048) }, - { UINT32_C(0x79CFCD14), UINT32_C(0x11F1CCD5), UINT32_C(0x94AD227E), - UINT32_C(0x59C09FFA), UINT32_C(0x3EA91ACF), UINT32_C(0x95A4ADCB), - UINT32_C(0xB4370BAA), UINT32_C(0x1346238B), UINT32_C(0x3E1367B0), - UINT32_C(0xB099D202), UINT32_C(0x90F23CEA), UINT32_C(0xCF5BBDE6) } }, - { { UINT32_C(0xBCB3BE5E), UINT32_C(0x453299BB), UINT32_C(0x38E9FF97), - UINT32_C(0x123C588E), UINT32_C(0xF6A2E521), UINT32_C(0x8C115DD9), - UINT32_C(0xFF7D4B98), UINT32_C(0x6E333C11), UINT32_C(0xDA73E736), - UINT32_C(0x9DD061E5), UINT32_C(0x5CA53056), UINT32_C(0xC6AB7B3A) }, - { UINT32_C(0x5B30A76B), UINT32_C(0xF1EF3EE3), UINT32_C(0x961BA11F), - UINT32_C(0xADD6B44A), UINT32_C(0x2CA6E030), UINT32_C(0x7BB00B75), - UINT32_C(0x2FE270AD), UINT32_C(0x270272E8), UINT32_C(0x241A9239), - UINT32_C(0x23BC6F4F), UINT32_C(0x0BB94A94), UINT32_C(0x88581E13) } }, - { { UINT32_C(0x24EEF67F), UINT32_C(0xBD225A69), UINT32_C(0x0412CEB7), - UINT32_C(0x7CFD9614), UINT32_C(0x99AC298E), UINT32_C(0xF6DE1679), - UINT32_C(0xED6C3571), UINT32_C(0xB20FD895), UINT32_C(0x61836C56), - UINT32_C(0x03C73B78), UINT32_C(0xABA6CB34), UINT32_C(0xEE3C3A16) }, - { UINT32_C(0x4138408A), UINT32_C(0x9E8C5667), UINT32_C(0x2DD6EBDF), - UINT32_C(0xEC25FCB1), UINT32_C(0xDBBDF6E3), UINT32_C(0xC54C33FD), - UINT32_C(0x4A3C9DD4), UINT32_C(0x93E0913B), UINT32_C(0x35EDEED4), - UINT32_C(0x66D7D135), UINT32_C(0x453FB66E), UINT32_C(0xD29A36C4) } }, - { { UINT32_C(0x9F1943AF), UINT32_C(0x7F192F03), UINT32_C(0x4E0B5FB0), - UINT32_C(0x6488163F), UINT32_C(0x53599226), UINT32_C(0x66A45C69), - UINT32_C(0x9AD15A73), UINT32_C(0x924E2E43), UINT32_C(0x42A99D76), - UINT32_C(0x8B553DB7), UINT32_C(0x0451F521), UINT32_C(0x4BC6B53B) }, - { UINT32_C(0x101F8AD6), UINT32_C(0xC029B5EF), UINT32_C(0xC507EED9), - UINT32_C(0x6A4DA71C), UINT32_C(0x30BB22F3), UINT32_C(0x3ADFAEC0), - UINT32_C(0xB514F85B), UINT32_C(0x81BCAF7A), UINT32_C(0x5A7E60D3), - UINT32_C(0x2E1E6EFF), UINT32_C(0xAE39D42F), UINT32_C(0x5270ABC0) } }, - { { UINT32_C(0x3901F0F8), UINT32_C(0x86D56DEB), UINT32_C(0xEED5F650), - UINT32_C(0x1D0BC792), UINT32_C(0xCA1114A3), UINT32_C(0x1A2DDFD8), - UINT32_C(0xF1DD316D), UINT32_C(0x94ABF4B1), UINT32_C(0x3D9F18EF), - UINT32_C(0xF72179E4), UINT32_C(0x9AA2CABF), UINT32_C(0x52A0921E) }, - { UINT32_C(0xA7452883), UINT32_C(0xECDA9E27), UINT32_C(0xAFD771B4), - UINT32_C(0x7E90850A), UINT32_C(0x9CC0465C), UINT32_C(0xD40F87EA), - UINT32_C(0x865CDA36), UINT32_C(0x8CFCB60A), UINT32_C(0x7C650942), - UINT32_C(0x3DBEC2CC), UINT32_C(0xE718CA9D), UINT32_C(0x071A4EE7) } }, - { { UINT32_C(0x276AC5F3), UINT32_C(0x73C0E4FF), UINT32_C(0xBDB97EA1), - UINT32_C(0xE7BA5A6A), UINT32_C(0xC5808398), UINT32_C(0x638CA54E), - UINT32_C(0x413855E5), UINT32_C(0x8258DC82), UINT32_C(0x57F07614), - UINT32_C(0x35DDD2E9), UINT32_C(0x1DC13BF9), UINT32_C(0xF98DD692) }, - { UINT32_C(0xF16DCD84), UINT32_C(0x3A4C0088), UINT32_C(0x833D83F9), - UINT32_C(0xF192EADD), UINT32_C(0xA6D61D29), UINT32_C(0x3C26C931), - UINT32_C(0xDE0AD7A1), UINT32_C(0x589FDD52), UINT32_C(0x0442D37F), - UINT32_C(0x7CD83DD2), UINT32_C(0x403ECBFC), UINT32_C(0x1E47E777) } }, - }, - { - { { UINT32_C(0x70D4D7BC), UINT32_C(0x2AF8ED81), UINT32_C(0xB632435C), - UINT32_C(0xABC3E15F), UINT32_C(0x78219356), UINT32_C(0x4C0E726F), - UINT32_C(0xB87254C4), UINT32_C(0x8C1962A1), UINT32_C(0xC9E7691A), - UINT32_C(0x30796A71), UINT32_C(0xA75A12EE), UINT32_C(0xD453EF19) }, - { UINT32_C(0x13AE4964), UINT32_C(0x535F42C2), UINT32_C(0x0DA9586A), - UINT32_C(0x86831C3C), UINT32_C(0xE39A7A58), UINT32_C(0xB7F1EF35), - UINT32_C(0xD459B91A), UINT32_C(0xA2789AE2), UINT32_C(0x02FD429D), - UINT32_C(0xEADBCA7F), UINT32_C(0x65290F57), UINT32_C(0x94F215D4) } }, - { { UINT32_C(0x1CFB79AC), UINT32_C(0x37ED2BE5), UINT32_C(0xE7AF84C3), - UINT32_C(0x801946F3), UINT32_C(0xE77C2F00), UINT32_C(0xB061AD8A), - UINT32_C(0x44DE16A8), UINT32_C(0xE87E1A9A), UINT32_C(0x7EE490FF), - UINT32_C(0xDF4F57C8), UINT32_C(0x005993ED), UINT32_C(0x4E793B49) }, - { UINT32_C(0xBCCB593F), UINT32_C(0xE1036387), UINT32_C(0x95E09B80), - UINT32_C(0xF1749411), UINT32_C(0x5AB42F91), UINT32_C(0x59CB20D1), - UINT32_C(0xAC0FF033), UINT32_C(0xA738A18D), UINT32_C(0x2AC1E7F4), - UINT32_C(0xDA501A2E), UINT32_C(0x84D8A6E0), UINT32_C(0x1B67EDA0) } }, - { { UINT32_C(0x1080E90B), UINT32_C(0x1D27EFCE), UINT32_C(0x3FD01DC6), - UINT32_C(0xA2815246), UINT32_C(0xCAA26D18), UINT32_C(0x99A3FB83), - UINT32_C(0xB82BABBE), UINT32_C(0xD27E6133), UINT32_C(0xD783DD60), - UINT32_C(0x61030DFD), UINT32_C(0x73C78CB8), UINT32_C(0x295A2913) }, - { UINT32_C(0x68BE6A92), UINT32_C(0x8707A2CF), UINT32_C(0xEEB3474A), - UINT32_C(0xC9C2FB98), UINT32_C(0xA2B176B8), UINT32_C(0x7C3FD412), - UINT32_C(0xC7202101), UINT32_C(0xD5B52E2F), UINT32_C(0xF0A6D536), - UINT32_C(0x24A63030), UINT32_C(0x04648EC0), UINT32_C(0x05842DE3) } }, - { { UINT32_C(0x30577AC9), UINT32_C(0x67477CDC), UINT32_C(0x244F92A8), - UINT32_C(0x51DD9775), UINT32_C(0x917EEC66), UINT32_C(0x31FD60B9), - UINT32_C(0xD66C5C1D), UINT32_C(0xACD95BD4), UINT32_C(0xBF9508BA), - UINT32_C(0x2E0551F3), UINT32_C(0x688CB243), UINT32_C(0x121168E1) }, - { UINT32_C(0x4540D230), UINT32_C(0x8C039740), UINT32_C(0x009ECDF9), - UINT32_C(0xC4ED3CF6), UINT32_C(0x44DB62AF), UINT32_C(0x191825E1), - UINT32_C(0xC4A030DA), UINT32_C(0x3EE8ACAB), UINT32_C(0x94081504), - UINT32_C(0x8AB154A8), UINT32_C(0x486C9CD0), UINT32_C(0x1FE09E4B) } }, - { { UINT32_C(0xD113450B), UINT32_C(0x512F82F9), UINT32_C(0x2DBC9197), - UINT32_C(0x5878C901), UINT32_C(0xE13F355B), UINT32_C(0xDB87412B), - UINT32_C(0x935B8A5E), UINT32_C(0x0A0A4A9B), UINT32_C(0xF25A5351), - UINT32_C(0x818587BD), UINT32_C(0x31E3D9C7), UINT32_C(0xE8079310) }, - { UINT32_C(0x611BC1B1), UINT32_C(0x8B1D47C7), UINT32_C(0x72A823F2), - UINT32_C(0x51722B58), UINT32_C(0x53B36B3E), UINT32_C(0x6F97EE8A), - UINT32_C(0x946DD453), UINT32_C(0x6E085AAC), UINT32_C(0xE65E6533), - UINT32_C(0x2EC5057D), UINT32_C(0x4BB18801), UINT32_C(0xF82D9D71) } }, - { { UINT32_C(0x8BA5AA8E), UINT32_C(0xAD81FA93), UINT32_C(0x8F7AA69E), - UINT32_C(0x723E628E), UINT32_C(0xEF35937C), UINT32_C(0x0BA7C2DE), - UINT32_C(0x6DECFB40), UINT32_C(0x83A43EC5), UINT32_C(0xE60C4F2D), - UINT32_C(0xF520F849), UINT32_C(0x457E3B5E), UINT32_C(0x8260E8AE) }, - { UINT32_C(0xBF1D9ED7), UINT32_C(0x7CE874F0), UINT32_C(0x7F1A5466), - UINT32_C(0x5FDE3553), UINT32_C(0x0C162DBB), UINT32_C(0x5A63777C), - UINT32_C(0xDAD87289), UINT32_C(0x0FD04F8C), UINT32_C(0x640761D5), - UINT32_C(0xCA2D9E0E), UINT32_C(0x38501ADB), UINT32_C(0x4615CFF8) } }, - { { UINT32_C(0x110B4A25), UINT32_C(0x9422789B), UINT32_C(0x70AD8CC1), - UINT32_C(0x5C26779F), UINT32_C(0xEC4F1E14), UINT32_C(0x4EE6A748), - UINT32_C(0x5C7AB5E0), UINT32_C(0xFB584A0D), UINT32_C(0xFB21EE66), - UINT32_C(0xED1DCB0B), UINT32_C(0x11C6863C), UINT32_C(0xDBED1F00) }, - { UINT32_C(0xB1B1D187), UINT32_C(0xD2969269), UINT32_C(0xAFE964E6), - UINT32_C(0xF7D0C3F2), UINT32_C(0x12BB865E), UINT32_C(0xE05EE93F), - UINT32_C(0xED79118E), UINT32_C(0x1AFB7BEE), UINT32_C(0x0F0FE453), - UINT32_C(0x220AF138), UINT32_C(0x52782AB9), UINT32_C(0x1463AA1A) } }, - { { UINT32_C(0xD7DBE5F9), UINT32_C(0x7C139D56), UINT32_C(0x0B83685B), - UINT32_C(0xFC16E611), UINT32_C(0x9018463C), UINT32_C(0xFA723C02), - UINT32_C(0x840BF5D7), UINT32_C(0xC472458C), UINT32_C(0x0AF07591), - UINT32_C(0x4D809359), UINT32_C(0x3308DFD9), UINT32_C(0x418D8830) }, - { UINT32_C(0x0C365AE3), UINT32_C(0x9B381E04), UINT32_C(0xF8190FD1), - UINT32_C(0x3780BF33), UINT32_C(0xDD03E854), UINT32_C(0x45397418), - UINT32_C(0x4E51E491), UINT32_C(0xA95D030F), UINT32_C(0xE3286CEA), - UINT32_C(0x87C8C686), UINT32_C(0x900B5F83), UINT32_C(0x01C773BF) } }, - { { UINT32_C(0x78673B02), UINT32_C(0xDABE3475), UINT32_C(0xF6E7395E), - UINT32_C(0x4F0F25CE), UINT32_C(0xD181AD45), UINT32_C(0x3117ABB9), - UINT32_C(0xAA13DE0B), UINT32_C(0x4B559F88), UINT32_C(0xEA7C9745), - UINT32_C(0xFD8EFE78), UINT32_C(0x5DD21682), UINT32_C(0x08060047) }, - { UINT32_C(0xD4C86FFC), UINT32_C(0xC0F5DE4B), UINT32_C(0xF21AB6A2), - UINT32_C(0x4BB14B1E), UINT32_C(0xF50C1D12), UINT32_C(0xACB53A6C), - UINT32_C(0x5CC9162E), UINT32_C(0x46AAC450), UINT32_C(0x2DE240B6), - UINT32_C(0x049C51E0), UINT32_C(0xE383C3B0), UINT32_C(0xBB2DC016) } }, - { { UINT32_C(0x8E438C92), UINT32_C(0xA3C56AD2), UINT32_C(0xB2CEAF1A), - UINT32_C(0x7C43F98F), UINT32_C(0xE2150778), UINT32_C(0x397C44F7), - UINT32_C(0x71A24131), UINT32_C(0x48D17AB7), UINT32_C(0x1E2ACDA9), - UINT32_C(0xCC513863), UINT32_C(0xF0C9BAC9), UINT32_C(0x2C76A55E) }, - { UINT32_C(0x7EA4BB7B), UINT32_C(0x4D74CDCE), UINT32_C(0xB1B3C2BA), - UINT32_C(0x834BD5BF), UINT32_C(0xCCC310A4), UINT32_C(0x46E2911E), - UINT32_C(0x0FC1BF13), UINT32_C(0xD3DE84AA), UINT32_C(0x80A03AD3), - UINT32_C(0x27F2892F), UINT32_C(0x3BD2F08B), UINT32_C(0x85B47620) } }, - { { UINT32_C(0x567AF533), UINT32_C(0xAB1CB818), UINT32_C(0xBAC2705A), - UINT32_C(0x273B4537), UINT32_C(0x22C84AB6), UINT32_C(0x133066C4), - UINT32_C(0x4830BFC1), UINT32_C(0xC3590DE6), UINT32_C(0x5E4742D0), - UINT32_C(0xEA297869), UINT32_C(0x4F3164C0), UINT32_C(0xF6D8C694) }, - { UINT32_C(0xC1249588), UINT32_C(0x09E85F3D), UINT32_C(0x4EC64DF7), - UINT32_C(0x6C2BB05D), UINT32_C(0x8B78000F), UINT32_C(0xD267115E), - UINT32_C(0xC7E4A316), UINT32_C(0x07C5D7AE), UINT32_C(0x4619E5BD), - UINT32_C(0xCB1187BA), UINT32_C(0xA43F7EEE), UINT32_C(0x57B1D4EF) } }, - { { UINT32_C(0xC8176A96), UINT32_C(0x3618891F), UINT32_C(0xE5808B97), - UINT32_C(0x62C4B084), UINT32_C(0x4DD95D6E), UINT32_C(0xDE558546), - UINT32_C(0x730B2EA4), UINT32_C(0x27A8133E), UINT32_C(0x6AF318A0), - UINT32_C(0xE07CEEC3), UINT32_C(0xCE24FD2C), UINT32_C(0x0ACC1286) }, - { UINT32_C(0xDD4D307C), UINT32_C(0x8A48FE4A), UINT32_C(0x18CDE0DA), - UINT32_C(0x71A9BA9C), UINT32_C(0xD5D79747), UINT32_C(0x655E2B66), - UINT32_C(0xA79AEDC7), UINT32_C(0x409FE856), UINT32_C(0xD287E5CF), - UINT32_C(0xC5A9F244), UINT32_C(0x4E82EC39), UINT32_C(0xCCE10384) } }, - { { UINT32_C(0xF25D364C), UINT32_C(0x00675BA7), UINT32_C(0x68D36BDF), - UINT32_C(0x7A7F1629), UINT32_C(0xA9E23F29), UINT32_C(0x35EC468A), - UINT32_C(0x2D926E6C), UINT32_C(0xF797AC50), UINT32_C(0x4B4F4376), - UINT32_C(0x639BA453), UINT32_C(0x51FF9519), UINT32_C(0xD71B430F) }, - { UINT32_C(0x2CF5635C), UINT32_C(0xB8C439EC), UINT32_C(0x81980393), - UINT32_C(0x0CE4C8D1), UINT32_C(0x64123B15), UINT32_C(0x4C5362A9), - UINT32_C(0xFFDCF096), UINT32_C(0x6E0421E0), UINT32_C(0x10D1F914), - UINT32_C(0x624A855F), UINT32_C(0x614DCD29), UINT32_C(0x7D8F3AB7) } }, - { { UINT32_C(0xB3493CE0), UINT32_C(0xD9219ADA), UINT32_C(0x52F09AE5), - UINT32_C(0x971B243A), UINT32_C(0xE24E3674), UINT32_C(0xC16C9BF8), - UINT32_C(0xCE68C7CD), UINT32_C(0x026D408D), UINT32_C(0x358209E3), - UINT32_C(0xF9B33DD9), UINT32_C(0xF3B2A206), UINT32_C(0x02D0595D) }, - { UINT32_C(0x60D15640), UINT32_C(0xBF994271), UINT32_C(0x15B5466A), - UINT32_C(0x6DA7A04E), UINT32_C(0x1CADB50D), UINT32_C(0x03AA4ED8), - UINT32_C(0x129A4253), UINT32_C(0x1548F029), UINT32_C(0xB842865A), - UINT32_C(0x41741F7E), UINT32_C(0xA3F88C98), UINT32_C(0x859FE0A4) } }, - { { UINT32_C(0x05FD7553), UINT32_C(0x80DE085A), UINT32_C(0xB897566B), - UINT32_C(0x4A4AB91E), UINT32_C(0x2F1C173F), UINT32_C(0x33BCD475), - UINT32_C(0xC100C013), UINT32_C(0x4E238896), UINT32_C(0xD614B34B), - UINT32_C(0x1C88500D), UINT32_C(0xC3BA9E23), UINT32_C(0x0401C5F6) }, - { UINT32_C(0xD0AF0DE5), UINT32_C(0x8E8003C4), UINT32_C(0x9D0DCBB9), - UINT32_C(0x19B1DFB5), UINT32_C(0xEBEF7AB6), UINT32_C(0x4A3640A9), - UINT32_C(0x959B15F6), UINT32_C(0xEDAFD65B), UINT32_C(0x7FB95821), - UINT32_C(0x8092EF7F), UINT32_C(0xCE2E45D1), UINT32_C(0xAB8DD52E) } }, - { { UINT32_C(0xB9CFE6BF), UINT32_C(0xD1F2D6B8), UINT32_C(0x00073F6F), - UINT32_C(0x6358810B), UINT32_C(0xD712106E), UINT32_C(0x5FCE5993), - UINT32_C(0x1C024C91), UINT32_C(0x5EE6B271), UINT32_C(0x453DB663), - UINT32_C(0xD0248FF5), UINT32_C(0xADB835E8), UINT32_C(0xD6D81CB2) }, - { UINT32_C(0xFDFCB4C7), UINT32_C(0x8696CFEC), UINT32_C(0x53BC9045), - UINT32_C(0x696B7FCB), UINT32_C(0xDDA56981), UINT32_C(0xAB4D3807), - UINT32_C(0x1E4B943B), UINT32_C(0x2F998052), UINT32_C(0x166B7F18), - UINT32_C(0x8AA76ADB), UINT32_C(0x52A2D7ED), UINT32_C(0x63934301) } }, - }, - { - { { UINT32_C(0xA368EFF6), UINT32_C(0xBBCCCE39), UINT32_C(0x8CEB5C43), - UINT32_C(0xD8CAABDF), UINT32_C(0xD2252FDA), UINT32_C(0x9EAE35A5), - UINT32_C(0x54E7DD49), UINT32_C(0xA8F4F209), UINT32_C(0x295100FD), - UINT32_C(0xA56D72A6), UINT32_C(0x56767727), UINT32_C(0x20FC1FE8) }, - { UINT32_C(0x0BBAA5AB), UINT32_C(0xBF60B248), UINT32_C(0x313911F2), - UINT32_C(0xA4F3CE5A), UINT32_C(0xB93DAB9C), UINT32_C(0xC2A67AD4), - UINT32_C(0x22D71F39), UINT32_C(0x18CD0ED0), UINT32_C(0x5F304DB2), - UINT32_C(0x04380C42), UINT32_C(0x6729C821), UINT32_C(0x26420CBB) } }, - { { UINT32_C(0xBDFBCAE8), UINT32_C(0x26BD07D6), UINT32_C(0xDF01A80A), - UINT32_C(0x10B5173F), UINT32_C(0x6798B96C), UINT32_C(0xD831C546), - UINT32_C(0x1D3F3859), UINT32_C(0x1D6B4108), UINT32_C(0x991B9EC7), - UINT32_C(0x501D38EC), UINT32_C(0xD78431A9), UINT32_C(0x26319283) }, - { UINT32_C(0x118B343C), UINT32_C(0x8B85BAF7), UINT32_C(0x58DEF7D0), - UINT32_C(0x4696CDDD), UINT32_C(0x7ACDCF58), UINT32_C(0xEFC7C110), - UINT32_C(0x848D5842), UINT32_C(0xD9AF415C), UINT32_C(0x0AC7FDAC), - UINT32_C(0x6B5A06BC), UINT32_C(0xA344319B), UINT32_C(0x7D623E0D) } }, - { { UINT32_C(0x0C9D3547), UINT32_C(0x4C0D7806), UINT32_C(0xCF2AED47), - UINT32_C(0x993F048D), UINT32_C(0xE4B57E22), UINT32_C(0x5217C453), - UINT32_C(0xF4172B28), UINT32_C(0xB4669E35), UINT32_C(0x49F999F8), - UINT32_C(0x509A3CD0), UINT32_C(0x87C69D41), UINT32_C(0xD19F8632) }, - { UINT32_C(0x4C8FDED0), UINT32_C(0xE14D01E8), UINT32_C(0xEAFD9E1C), - UINT32_C(0x342880FD), UINT32_C(0x70DC2BF0), UINT32_C(0x0E17BFF2), - UINT32_C(0xC0186400), UINT32_C(0x46560B7B), UINT32_C(0x49A4DD34), - UINT32_C(0xE28C7B9C), UINT32_C(0x0F325D06), UINT32_C(0x18211916) } }, - { { UINT32_C(0xD7E02E18), UINT32_C(0x46D70888), UINT32_C(0xD9F11FD9), - UINT32_C(0x7C806954), UINT32_C(0x4FBEA271), UINT32_C(0xE4948FCA), - UINT32_C(0xBD80A9DF), UINT32_C(0x7D6C7765), UINT32_C(0xF3871C71), - UINT32_C(0x1B470EA6), UINT32_C(0x8330A570), UINT32_C(0xD62DE244) }, - { UINT32_C(0xC659C3A7), UINT32_C(0xDAECDDC1), UINT32_C(0x077F7AFC), - UINT32_C(0x8621E513), UINT32_C(0xCAEEEF13), UINT32_C(0x56C7CD84), - UINT32_C(0xC685A356), UINT32_C(0xC60C910F), UINT32_C(0x9DD93DDC), - UINT32_C(0xE68BC5C5), UINT32_C(0xFEB64895), UINT32_C(0xD904E89F) } }, - { { UINT32_C(0x8BA7917A), UINT32_C(0x75D874FB), UINT32_C(0xFD043BD4), - UINT32_C(0x18FA7F53), UINT32_C(0x1FC3979E), UINT32_C(0x212A0AD7), - UINT32_C(0x5D6EAC0E), UINT32_C(0x5703A7D9), UINT32_C(0x017DEAD5), - UINT32_C(0x222F7188), UINT32_C(0x0F6C1817), UINT32_C(0x1EC687B7) }, - { UINT32_C(0x238BACB6), UINT32_C(0x23412FC3), UINT32_C(0x54CED154), - UINT32_C(0xB85D70E9), UINT32_C(0xBDA674D0), UINT32_C(0xD4E06722), - UINT32_C(0x36F5A0C2), UINT32_C(0x3EA5F178), UINT32_C(0xF5C6D2CA), - UINT32_C(0x7E7D79CF), UINT32_C(0x3DBB3C73), UINT32_C(0x1FFF9464) } }, - { { UINT32_C(0xF163E4A8), UINT32_C(0x916E19D0), UINT32_C(0x1489DF17), - UINT32_C(0x1E6740E7), UINT32_C(0x339F3A47), UINT32_C(0x1EAF9723), - UINT32_C(0x124B8DAD), UINT32_C(0x22F0ED1A), UINT32_C(0x49C3DD04), - UINT32_C(0x39C9166C), UINT32_C(0xCE1E9ACC), UINT32_C(0x628E7FD4) }, - { UINT32_C(0x40031676), UINT32_C(0x124DDF27), UINT32_C(0x1EDDB9BE), - UINT32_C(0x00256939), UINT32_C(0xD360B0DA), UINT32_C(0xD39E25E7), - UINT32_C(0x4AA6C4C9), UINT32_C(0x6E3015A8), UINT32_C(0x623EDA09), - UINT32_C(0xC6A2F643), UINT32_C(0x50AA99FB), UINT32_C(0xBEFF2D12) } }, - { { UINT32_C(0x93EE8089), UINT32_C(0x1FEEF7CE), UINT32_C(0x252DD7BD), - UINT32_C(0xC6B180BC), UINT32_C(0x1788F051), UINT32_C(0xA16FB20B), - UINT32_C(0xE046ED39), UINT32_C(0xD86FD392), UINT32_C(0x9378CE1D), - UINT32_C(0xDA0A3611), UINT32_C(0xA5F7A61D), UINT32_C(0x121EF3E7) }, - { UINT32_C(0x92D13CAE), UINT32_C(0x94D22061), UINT32_C(0x77C72E08), - UINT32_C(0x5076046A), UINT32_C(0x7D2308B9), UINT32_C(0xF18BC233), - UINT32_C(0x17F977B1), UINT32_C(0x004DB3C5), UINT32_C(0x0471C11D), - UINT32_C(0xD05AE399), UINT32_C(0x85CD1726), UINT32_C(0x86A2A557) } }, - { { UINT32_C(0x72107804), UINT32_C(0xB8D9B286), UINT32_C(0x3303B79B), - UINT32_C(0xB5A7C413), UINT32_C(0x5FA37DED), UINT32_C(0x927EEF78), - UINT32_C(0xAD67DABA), UINT32_C(0xA1C5CF1E), UINT32_C(0x7360E7C7), - UINT32_C(0xAA5E3FB2), UINT32_C(0x0A0C0993), UINT32_C(0x8354E61A) }, - { UINT32_C(0x7F5458CC), UINT32_C(0x2EC73AF9), UINT32_C(0x48474325), - UINT32_C(0xDE4CB488), UINT32_C(0x7209BC69), UINT32_C(0x2DD134C7), - UINT32_C(0x451A2ABE), UINT32_C(0xB70C5567), UINT32_C(0x8E293018), - UINT32_C(0x2CD1B200), UINT32_C(0xD33C0D72), UINT32_C(0x15F8DA7A) } }, - { { UINT32_C(0xA8790657), UINT32_C(0x5DC386D0), UINT32_C(0xBC4D88BB), - UINT32_C(0xA4FDF676), UINT32_C(0x48BC6C49), UINT32_C(0x1B21F38F), - UINT32_C(0x543A7003), UINT32_C(0xCDCC7FAA), UINT32_C(0x8C9CF72C), - UINT32_C(0xEA97E7AA), UINT32_C(0x50D938A8), UINT32_C(0xA6B883F4) }, - { UINT32_C(0xA3A10F27), UINT32_C(0x51936F3A), UINT32_C(0xDECC76BF), - UINT32_C(0x0170785F), UINT32_C(0x908C578A), UINT32_C(0x7539ECE1), - UINT32_C(0x0F3E8C25), UINT32_C(0x5D9C8A8E), UINT32_C(0x9E4717A7), - UINT32_C(0x8681B43B), UINT32_C(0xA9D83E39), UINT32_C(0x94F42507) } }, - { { UINT32_C(0xA55ADDE7), UINT32_C(0xBBE11CA8), UINT32_C(0x3BC0896B), - UINT32_C(0x39E6F5CF), UINT32_C(0x1D2D8D94), UINT32_C(0x1447314E), - UINT32_C(0x5B012F8A), UINT32_C(0x45B48125), UINT32_C(0x08AD5283), - UINT32_C(0x41AD23FA), UINT32_C(0x41D13774), UINT32_C(0x837243E2) }, - { UINT32_C(0xBADCAA46), UINT32_C(0x1FC0BD9D), UINT32_C(0x26E84CAE), - UINT32_C(0x8DF164ED), UINT32_C(0x41017176), UINT32_C(0x8FF70EC0), - UINT32_C(0x5C848BA7), UINT32_C(0x23AD4BCE), UINT32_C(0x97A19CBB), - UINT32_C(0x89246FDE), UINT32_C(0x78397991), UINT32_C(0xA5EF987B) } }, - { { UINT32_C(0x4757964D), UINT32_C(0x111AF1B7), UINT32_C(0xDDBBF258), - UINT32_C(0x1D25D351), UINT32_C(0x7D2B06D6), UINT32_C(0x4161E776), - UINT32_C(0x1CAC0C5B), UINT32_C(0x6EFD2691), UINT32_C(0x211BFAEB), - UINT32_C(0x633B95DB), UINT32_C(0xE2BDF701), UINT32_C(0x9BEDFA5A) }, - { UINT32_C(0x73E099C8), UINT32_C(0xADAC2B0B), UINT32_C(0xBFB16BFF), - UINT32_C(0x436F0023), UINT32_C(0x30F55854), UINT32_C(0xB91B1002), - UINT32_C(0xF4C6C8B7), UINT32_C(0xAF6A2097), UINT32_C(0x3AD7B3D9), - UINT32_C(0x3FF65CED), UINT32_C(0x330E56DF), UINT32_C(0x6FA2626F) } }, - { { UINT32_C(0xFFCCFD07), UINT32_C(0x3D28BF2D), UINT32_C(0xD989603B), - UINT32_C(0x0514F6FF), UINT32_C(0x5514787A), UINT32_C(0xB9519629), - UINT32_C(0xC3DB4E9C), UINT32_C(0xA1848121), UINT32_C(0x2A3D4595), - UINT32_C(0x47FE2E39), UINT32_C(0x11B73ED4), UINT32_C(0x506F5D82) }, - { UINT32_C(0xA600D8BB), UINT32_C(0xA2257AE7), UINT32_C(0x0F9F122C), - UINT32_C(0xD659DBD1), UINT32_C(0x64DF160F), UINT32_C(0xDB0FDC67), - UINT32_C(0x7CB19690), UINT32_C(0xFF379339), UINT32_C(0x98E72EC1), - UINT32_C(0xDF4366B8), UINT32_C(0xDF437EB8), UINT32_C(0x97E72BEC) } }, - { { UINT32_C(0x1C81E5D9), UINT32_C(0x81DCEA27), UINT32_C(0x6717FC49), - UINT32_C(0x7E1B6CDA), UINT32_C(0x11EAE80D), UINT32_C(0xAA36B3B5), - UINT32_C(0x3CD7CBB3), UINT32_C(0x1306687C), UINT32_C(0xC4E89064), - UINT32_C(0xED670235), UINT32_C(0x58A94760), UINT32_C(0x9D3B0009) }, - { UINT32_C(0xE6A6333C), UINT32_C(0x5A64E158), UINT32_C(0x49453203), - UINT32_C(0x1A8B4A36), UINT32_C(0x1F77CC21), UINT32_C(0xF1CAD724), - UINT32_C(0x70518EF7), UINT32_C(0x693EBB4B), UINT32_C(0x0F39C91A), - UINT32_C(0xFB47BD81), UINT32_C(0xFA4BC64B), UINT32_C(0xCFE63DA2) } }, - { { UINT32_C(0xEAA66108), UINT32_C(0x82C1C684), UINT32_C(0x4CFE79FC), - UINT32_C(0xE3226218), UINT32_C(0x849C720E), UINT32_C(0x3F28B72B), - UINT32_C(0x8FEE1CA8), UINT32_C(0x137FB355), UINT32_C(0xE4F90C4E), - UINT32_C(0x4D18A9CD), UINT32_C(0xCC3E46FA), UINT32_C(0xC0344227) }, - { UINT32_C(0x79CDA392), UINT32_C(0x4FD5C08E), UINT32_C(0x8ADC87B5), - UINT32_C(0x65DB20DB), UINT32_C(0x916C1B84), UINT32_C(0x86F95D5B), - UINT32_C(0x17BB2B7C), UINT32_C(0x7EDA3871), UINT32_C(0x669A533B), - UINT32_C(0x18CCF7E7), UINT32_C(0xECAD0E06), UINT32_C(0x5E92421C) } }, - { { UINT32_C(0x4174B08B), UINT32_C(0x26063E12), UINT32_C(0x70DE8E4D), - UINT32_C(0xE621D9BE), UINT32_C(0x5ECDF350), UINT32_C(0xAEA0FD0F), - UINT32_C(0x9C20E5C9), UINT32_C(0x0D9F69E4), UINT32_C(0x0BBE2918), - UINT32_C(0xD3DADEB9), UINT32_C(0x58AA2F71), UINT32_C(0xD7B9B5DB) }, - { UINT32_C(0x3364CAF8), UINT32_C(0x7A971DD7), UINT32_C(0xC25D4BE4), - UINT32_C(0x702616A3), UINT32_C(0xA9E30071), UINT32_C(0xA30F0FA1), - UINT32_C(0x5573BC69), UINT32_C(0x98AB2438), UINT32_C(0x6FEC2E22), - UINT32_C(0xCBC63CDF), UINT32_C(0xCC901B9B), UINT32_C(0x965F90ED) } }, - { { UINT32_C(0x71E15BB3), UINT32_C(0xD53B592D), UINT32_C(0x8820E0D0), - UINT32_C(0x1F03C0E9), UINT32_C(0x3CCCB726), UINT32_C(0xCE93947D), - UINT32_C(0x1D547590), UINT32_C(0x2790FEE0), UINT32_C(0xC59CDD7A), - UINT32_C(0x4401D847), UINT32_C(0xA926DD9D), UINT32_C(0x72D69120) }, - { UINT32_C(0x4229F289), UINT32_C(0x38B8F21D), UINT32_C(0x7FE978AF), - UINT32_C(0x9F412E40), UINT32_C(0xCDB59AF1), UINT32_C(0xAE07901B), - UINT32_C(0xD1D4715E), UINT32_C(0x1E6BE5EB), UINT32_C(0x18C96BEF), - UINT32_C(0x3715BD8B), UINT32_C(0xE11B3798), UINT32_C(0x4B71F6E6) } }, - }, - { - { { UINT32_C(0xF0CE2DF4), UINT32_C(0x11A8FDE5), UINT32_C(0xFA8D26DF), - UINT32_C(0xBC70CA3E), UINT32_C(0xC74DFE82), UINT32_C(0x6818C275), - UINT32_C(0x38373A50), UINT32_C(0x2B0294AC), UINT32_C(0xE8E5F88F), - UINT32_C(0x584C4061), UINT32_C(0x7342383A), UINT32_C(0x1C05C1CA) }, - { UINT32_C(0x911430EC), UINT32_C(0x263895B3), UINT32_C(0xA5171453), - UINT32_C(0xEF9B0032), UINT32_C(0x84DA7F0C), UINT32_C(0x144359DA), - UINT32_C(0x924A09F2), UINT32_C(0x76E3095A), UINT32_C(0xD69AD835), - UINT32_C(0x612986E3), UINT32_C(0x392122AF), UINT32_C(0x70E03ADA) } }, - { { UINT32_C(0x67AAD17B), UINT32_C(0xFEB707EE), UINT32_C(0x83042995), - UINT32_C(0xBB21B287), UINT32_C(0x9A0D32BA), UINT32_C(0x26DE1645), - UINT32_C(0x1FFB9266), UINT32_C(0x9A2FF38A), UINT32_C(0x8F578B4A), - UINT32_C(0x4E5AD96D), UINT32_C(0x883E7443), UINT32_C(0x26CC0655) }, - { UINT32_C(0x2EE9367A), UINT32_C(0x1D8EECAB), UINT32_C(0x881DE2F8), - UINT32_C(0x42B84337), UINT32_C(0xD758AE41), UINT32_C(0xE49B2FAE), - UINT32_C(0x4A85D867), UINT32_C(0x6A9A2290), UINT32_C(0xE68CBA86), - UINT32_C(0x2FB89DCE), UINT32_C(0x7F09A982), UINT32_C(0xBC252635) } }, - { { UINT32_C(0x8C61AAAC), UINT32_C(0xADC79436), UINT32_C(0x5E926563), - UINT32_C(0x24C7FD13), UINT32_C(0x0406C129), UINT32_C(0xEF9FAAA4), - UINT32_C(0x8B658D3C), UINT32_C(0xF4E6388C), UINT32_C(0x1E435BAF), - UINT32_C(0x7262BEB4), UINT32_C(0xFDAEAC99), UINT32_C(0x3BF622CC) }, - { UINT32_C(0x4E1AEDDC), UINT32_C(0xD359F7D8), UINT32_C(0xD78C17B7), - UINT32_C(0x05DC4F8C), UINT32_C(0x29498BA5), UINT32_C(0xB18CF032), - UINT32_C(0x85BF35AD), UINT32_C(0xC67388CA), UINT32_C(0x62AA4BC8), - UINT32_C(0x8A7A6AA2), UINT32_C(0x72F4627A), UINT32_C(0x0B8F458E) } }, - { { UINT32_C(0xC68E4488), UINT32_C(0x3FB812EE), UINT32_C(0x60EF7281), - UINT32_C(0x53C5EAA4), UINT32_C(0x8FBEFBE4), UINT32_C(0xE5724183), - UINT32_C(0xA4B24A05), UINT32_C(0x2B7D49F4), UINT32_C(0x710C0A43), - UINT32_C(0x23B138D0), UINT32_C(0xA85EC1DB), UINT32_C(0x16A5B4C1) }, - { UINT32_C(0x305FEB02), UINT32_C(0x7CC1F3D7), UINT32_C(0x5B6C1B54), - UINT32_C(0x52F7947D), UINT32_C(0x8F56981C), UINT32_C(0x1BDA2312), - UINT32_C(0xB4080A01), UINT32_C(0x68663EAE), UINT32_C(0x9F999B7F), - UINT32_C(0x8DD7BA7E), UINT32_C(0xB686580C), UINT32_C(0xD8768D19) } }, - { { UINT32_C(0x7AFDDA94), UINT32_C(0xBCD0E0AD), UINT32_C(0x34A30687), - UINT32_C(0x95A0DBBE), UINT32_C(0x8C5E2665), UINT32_C(0xBBE3C3DF), - UINT32_C(0xEBF2BC16), UINT32_C(0x742BECD8), UINT32_C(0x3FA163A6), - UINT32_C(0x300CEB48), UINT32_C(0x4663354B), UINT32_C(0x0C5D02EE) }, - { UINT32_C(0xB5E606A4), UINT32_C(0xE4FB9AD6), UINT32_C(0xCF49FF95), - UINT32_C(0x93F507B8), UINT32_C(0x585C193B), UINT32_C(0x9406A90C), - UINT32_C(0x4ECF9517), UINT32_C(0xAD1440C1), UINT32_C(0x9CEA53F1), - UINT32_C(0x184CB475), UINT32_C(0x8EF11302), UINT32_C(0x6855C474) } }, - { { UINT32_C(0xEDCAFA52), UINT32_C(0x00ECB523), UINT32_C(0x086F69D3), - UINT32_C(0x0DA0AE0E), UINT32_C(0xC242F347), UINT32_C(0xC384DE15), - UINT32_C(0x848C12B7), UINT32_C(0xFB050E6E), UINT32_C(0x64E015CE), - UINT32_C(0x22F67654), UINT32_C(0x7CA122F2), UINT32_C(0xCBDC2A48) }, - { UINT32_C(0x445FB02C), UINT32_C(0xA940D973), UINT32_C(0x3767D89D), - UINT32_C(0x00F31E78), UINT32_C(0x613DABDD), UINT32_C(0x2B65A237), - UINT32_C(0xC875AE09), UINT32_C(0x2BE0AB05), UINT32_C(0xBA204F8E), - UINT32_C(0xB22E54FD), UINT32_C(0x0F7687B9), UINT32_C(0x65E2029D) } }, - { { UINT32_C(0x1855A71C), UINT32_C(0xFFD82538), UINT32_C(0x438BD8D8), - UINT32_C(0x26A330B3), UINT32_C(0xF9D8C5F9), UINT32_C(0x89628311), - UINT32_C(0x953738A0), UINT32_C(0x8D5FB9CF), UINT32_C(0xEDFCD4E5), - UINT32_C(0xCB7159C9), UINT32_C(0x2064C7C2), UINT32_C(0xD64E5230) }, - { UINT32_C(0x689F3CFE), UINT32_C(0xF858ED80), UINT32_C(0x56128B67), - UINT32_C(0x4830E309), UINT32_C(0xE0E90688), UINT32_C(0x2E1692DA), - UINT32_C(0xCA9CC232), UINT32_C(0xAB818913), UINT32_C(0xA5D229A6), - UINT32_C(0xE2E30C23), UINT32_C(0x0E740E23), UINT32_C(0xA544E8B1) } }, - { { UINT32_C(0xDC61E6CC), UINT32_C(0x1C15E569), UINT32_C(0x58FC7800), - UINT32_C(0x8FD72967), UINT32_C(0x37A9DFC5), UINT32_C(0xE61E7DB7), - UINT32_C(0x5AFD7822), UINT32_C(0x3F34A9C6), UINT32_C(0x19E80773), - UINT32_C(0x0A112742), UINT32_C(0x4760FC58), UINT32_C(0xA353460C) }, - { UINT32_C(0xB3124C71), UINT32_C(0x2FB7DEEB), UINT32_C(0x2D4009CC), - UINT32_C(0x48463627), UINT32_C(0xC3A10370), UINT32_C(0x399D1933), - UINT32_C(0x54388DBD), UINT32_C(0x7EB19450), UINT32_C(0x7C2A006A), - UINT32_C(0x8ECCE639), UINT32_C(0x55C932A0), UINT32_C(0x3D565DAF) } }, - { { UINT32_C(0xD9ADAE53), UINT32_C(0xCEF57A9F), UINT32_C(0xF83FD8CD), - UINT32_C(0xE2EB27D7), UINT32_C(0x9BBD2DDE), UINT32_C(0x4AC8F719), - UINT32_C(0xE91ABFB7), UINT32_C(0x604283AA), UINT32_C(0x34799F87), - UINT32_C(0xB6A4E115), UINT32_C(0xE4C2A8F3), UINT32_C(0x2B253224) }, - { UINT32_C(0xC8782294), UINT32_C(0xC34F8B92), UINT32_C(0xFCC2CB6B), - UINT32_C(0xC74D697D), UINT32_C(0xC2C84C46), UINT32_C(0xD990411B), - UINT32_C(0x31EA4955), UINT32_C(0x2807B5C6), UINT32_C(0xB9EB27F5), - UINT32_C(0x14AE2B93), UINT32_C(0x6163EDFA), UINT32_C(0xF0AE96A7) } }, - { { UINT32_C(0x42DB7180), UINT32_C(0xA7BDCBB4), UINT32_C(0xEDCA752F), - UINT32_C(0xC9FAA41F), UINT32_C(0xE820F401), UINT32_C(0x147F91B4), - UINT32_C(0xF5F2645F), UINT32_C(0x1E6CEF86), UINT32_C(0x31FE711D), - UINT32_C(0xB4AB4D7F), UINT32_C(0x743EF882), UINT32_C(0xCE68FB3C) }, - { UINT32_C(0x3EF2FCFF), UINT32_C(0xB9D7D682), UINT32_C(0x020DCAFD), - UINT32_C(0xF6893811), UINT32_C(0xBF81E760), UINT32_C(0x30D9A50C), - UINT32_C(0xB9B87228), UINT32_C(0x7F247D06), UINT32_C(0x5F40CFC0), - UINT32_C(0x143D4FEC), UINT32_C(0x329B2A88), UINT32_C(0x21D78D73) } }, - { { UINT32_C(0xED3F2055), UINT32_C(0x06B3FF8A), UINT32_C(0x522BE214), - UINT32_C(0x50482C77), UINT32_C(0xDDF54620), UINT32_C(0x8DF69CD8), - UINT32_C(0xF78A1165), UINT32_C(0x6D1DB204), UINT32_C(0x9AFE6BF2), - UINT32_C(0x459AE4A2), UINT32_C(0x24AC871E), UINT32_C(0xC23A9FFD) }, - { UINT32_C(0x89E85D81), UINT32_C(0xB7FD22E3), UINT32_C(0x122E9978), - UINT32_C(0x297F1F6B), UINT32_C(0x144BE1CE), UINT32_C(0xAB283D66), - UINT32_C(0xC00C614E), UINT32_C(0xC1F90AC2), UINT32_C(0x3224CD09), - UINT32_C(0x5465576E), UINT32_C(0x441B6059), UINT32_C(0x8E8D910D) } }, - { { UINT32_C(0xAAA228BC), UINT32_C(0xF73A060A), UINT32_C(0x56EFF87D), - UINT32_C(0xCF1B0783), UINT32_C(0xA54C9133), UINT32_C(0x11EF17C0), - UINT32_C(0x76A4DAA5), UINT32_C(0x9E476B15), UINT32_C(0x8018FB92), - UINT32_C(0x5624FEAC), UINT32_C(0xCFEEC1B9), UINT32_C(0x9826A0FC) }, - { UINT32_C(0x2DFE2046), UINT32_C(0xB732F7FE), UINT32_C(0x3B40DA6A), - UINT32_C(0x9260BD9F), UINT32_C(0x4F231773), UINT32_C(0xCC9F908F), - UINT32_C(0xDAFC0D55), UINT32_C(0x4827FEB9), UINT32_C(0x538ACE95), - UINT32_C(0x07D32E85), UINT32_C(0xB8EDAF37), UINT32_C(0xAD9F897C) } }, - { { UINT32_C(0xE3415498), UINT32_C(0x2F75B82F), UINT32_C(0xF1015F30), - UINT32_C(0xF99CAC5F), UINT32_C(0x7D7F25DE), UINT32_C(0x76640824), - UINT32_C(0xEE74C047), UINT32_C(0x714BC9CD), UINT32_C(0x07448879), - UINT32_C(0x70F847BF), UINT32_C(0x072165C0), UINT32_C(0xA14481DE) }, - { UINT32_C(0xDB1140A8), UINT32_C(0x9BFA59E3), UINT32_C(0xFCD13502), - UINT32_C(0x7B9C7FF0), UINT32_C(0x68459ABF), UINT32_C(0xF4D7538E), - UINT32_C(0xC8FC6AD2), UINT32_C(0xED93A791), UINT32_C(0xB51BD9B2), - UINT32_C(0xA8BBE2A8), UINT32_C(0x9FB34008), UINT32_C(0x084B5A27) } }, - { { UINT32_C(0xEB138C84), UINT32_C(0xB3BB9545), UINT32_C(0x3FC88BFD), - UINT32_C(0x59C3489C), UINT32_C(0x85F53EC7), UINT32_C(0x3A97FF63), - UINT32_C(0x0AA69C3D), UINT32_C(0x40FDF5A6), UINT32_C(0x53D19668), - UINT32_C(0x0E8CCEC7), UINT32_C(0x33FAA661), UINT32_C(0x0AA72EF9) }, - { UINT32_C(0x9B1E684B), UINT32_C(0xF5C5A6CF), UINT32_C(0x31A22EA1), - UINT32_C(0x630F9371), UINT32_C(0xAC60F7EA), UINT32_C(0x06B2AAC2), - UINT32_C(0x5BC37D80), UINT32_C(0xB181CAE2), UINT32_C(0x247B13EA), - UINT32_C(0x4601A929), UINT32_C(0x5F739797), UINT32_C(0x8A71C386) } }, - { { UINT32_C(0xAB134786), UINT32_C(0x545387B3), UINT32_C(0x1599B64A), - UINT32_C(0x3179BB06), UINT32_C(0x07593574), UINT32_C(0xB0A61986), - UINT32_C(0x63FA7C3B), UINT32_C(0xC7E39B21), UINT32_C(0x91585D13), - UINT32_C(0xA1173F86), UINT32_C(0xCB9525CD), UINT32_C(0x09D5CC8E) }, - { UINT32_C(0x8F3A3451), UINT32_C(0xAAD44FFD), UINT32_C(0x25820CC5), - UINT32_C(0x702B04F2), UINT32_C(0x1CB66C17), UINT32_C(0xE90CAC49), - UINT32_C(0xEE161DC4), UINT32_C(0x40F6B547), UINT32_C(0x1BA4AC4E), - UINT32_C(0xC08BB8B4), UINT32_C(0xAE5A6BC1), UINT32_C(0x7DC064FB) } }, - { { UINT32_C(0x9D76DDC7), UINT32_C(0x90A5E871), UINT32_C(0xEDFC8E2E), - UINT32_C(0x39DC8FAE), UINT32_C(0x5B079C62), UINT32_C(0x98467A23), - UINT32_C(0x05450C98), UINT32_C(0xE25E3785), UINT32_C(0x96140083), - UINT32_C(0x2FE23A4D), UINT32_C(0xE9900312), UINT32_C(0x65CE3B9A) }, - { UINT32_C(0x6B72B5D9), UINT32_C(0x1D87D088), UINT32_C(0xFD9AFC82), - UINT32_C(0x72F53220), UINT32_C(0x9E1F71FA), UINT32_C(0xC63C7C15), - UINT32_C(0x8D449637), UINT32_C(0x90DF26EA), UINT32_C(0xC1C2B215), - UINT32_C(0x97089F40), UINT32_C(0x42317FAA), UINT32_C(0x83AF2664) } }, - }, - { - { { UINT32_C(0x8D688E31), UINT32_C(0xFA2DB51A), UINT32_C(0xA09C88D4), - UINT32_C(0x225B696C), UINT32_C(0x6059171F), UINT32_C(0x9F88AF1D), - UINT32_C(0x782A0993), UINT32_C(0x1C5FEA5E), UINT32_C(0x4EC710D3), - UINT32_C(0xE0FB1588), UINT32_C(0xD32CE365), UINT32_C(0xFAF372E5) }, - { UINT32_C(0x26506F45), UINT32_C(0xD9F896AB), UINT32_C(0x8373C724), - UINT32_C(0x8D350338), UINT32_C(0xCA6E7342), UINT32_C(0x1B76992D), - UINT32_C(0x6FD0C08B), UINT32_C(0x76338FCA), UINT32_C(0xA00F5C23), - UINT32_C(0xC3EA4C65), UINT32_C(0xB316B35B), UINT32_C(0xDFAB29B3) } }, - { { UINT32_C(0x483AEBF9), UINT32_C(0x84E5541F), UINT32_C(0x49165772), - UINT32_C(0x8ADFF7DC), UINT32_C(0x9BEAAD3C), UINT32_C(0xE0A43AD6), - UINT32_C(0xF51C2714), UINT32_C(0x97DD1820), UINT32_C(0x57EA5B0C), - UINT32_C(0xAC2B4CB4), UINT32_C(0xD11767CA), UINT32_C(0x87DBD011) }, - { UINT32_C(0xBFC7957A), UINT32_C(0x18CCF36C), UINT32_C(0x1BC79227), - UINT32_C(0xD4A08841), UINT32_C(0xD8D292A8), UINT32_C(0x9811CE43), - UINT32_C(0xD58C4EE7), UINT32_C(0x72C5FC68), UINT32_C(0xD35C65A7), - UINT32_C(0x5BC0F0BE), UINT32_C(0xCBBF9669), UINT32_C(0x0B446DBC) } }, - { { UINT32_C(0x9CEE9BCE), UINT32_C(0x7EBA3DA6), UINT32_C(0xD5377750), - UINT32_C(0x3E2C1248), UINT32_C(0x2B93D8B2), UINT32_C(0x8C917D98), - UINT32_C(0x7CAD1F75), UINT32_C(0xCA8FC6AC), UINT32_C(0xA0FF150A), - UINT32_C(0x5F581F19), UINT32_C(0xE08327FA), UINT32_C(0x872CC14A) }, - { UINT32_C(0xE9333188), UINT32_C(0xC774F187), UINT32_C(0x497AF7E8), - UINT32_C(0x528ED4AC), UINT32_C(0x8AD72B10), UINT32_C(0xCE036E9B), - UINT32_C(0x917986CF), UINT32_C(0x463F9EBB), UINT32_C(0x1325CF9B), - UINT32_C(0xBE516328), UINT32_C(0xDD7E5FEA), UINT32_C(0xD28D5C50) } }, - { { UINT32_C(0xDD58BBE3), UINT32_C(0x714C1D1B), UINT32_C(0x039AFD0F), - UINT32_C(0x85BA01AE), UINT32_C(0x6951AC80), UINT32_C(0x7F23EA3A), - UINT32_C(0xAC00C837), UINT32_C(0x5C599290), UINT32_C(0xBF24CC1B), - UINT32_C(0xF6EFA2B3), UINT32_C(0x1E84462B), UINT32_C(0x393D8E42) }, - { UINT32_C(0xF8B89453), UINT32_C(0x9BDA627D), UINT32_C(0xB23E0D1B), - UINT32_C(0xE66FFF2E), UINT32_C(0xC3B94EC2), UINT32_C(0xD1EE7089), - UINT32_C(0x3031699A), UINT32_C(0xF75DBA6E), UINT32_C(0x242B2453), - UINT32_C(0x8FF75F79), UINT32_C(0x289BFED4), UINT32_C(0xE721EDEB) } }, - { { UINT32_C(0xC1390FA8), UINT32_C(0x083215A1), UINT32_C(0x6DCE8CE0), - UINT32_C(0x901D686A), UINT32_C(0x837073FF), UINT32_C(0x4AB1BA62), - UINT32_C(0x34BEABA5), UINT32_C(0x10C287AA), UINT32_C(0x46985239), - UINT32_C(0xB4931AF4), UINT32_C(0xB053C4DC), UINT32_C(0x07639899) }, - { UINT32_C(0xE721EECD), UINT32_C(0x29E7F44D), UINT32_C(0x57B3FF48), - UINT32_C(0x65817182), UINT32_C(0x5054E2E0), UINT32_C(0x198542E2), - UINT32_C(0x84616DE8), UINT32_C(0x923C9E15), UINT32_C(0xAD465BB9), - UINT32_C(0x2A9C15E1), UINT32_C(0x16319245), UINT32_C(0xD8D4EFC7) } }, - { { UINT32_C(0x9961A674), UINT32_C(0x72DC7943), UINT32_C(0xA0E13668), - UINT32_C(0x839A0A52), UINT32_C(0x334945EA), UINT32_C(0xD7A53FA9), - UINT32_C(0xE7AA25DB), UINT32_C(0xDB21DB77), UINT32_C(0x66E96DA3), - UINT32_C(0xB6675A7D), UINT32_C(0xE66F33C0), UINT32_C(0x2C31C406) }, - { UINT32_C(0x6EC7B9CB), UINT32_C(0x45020B62), UINT32_C(0x0391F267), - UINT32_C(0xFF46E9CD), UINT32_C(0x0FA2F221), UINT32_C(0x7DABD744), - UINT32_C(0x9D4A2A3E), UINT32_C(0x9A32364B), UINT32_C(0x52D2E47A), - UINT32_C(0xF0F84AE8), UINT32_C(0x888F488A), UINT32_C(0xD0B872BB) } }, - { { UINT32_C(0xC9790EEF), UINT32_C(0x531E4CEF), UINT32_C(0x2B8D1A58), - UINT32_C(0xF7B5735E), UINT32_C(0xEF568511), UINT32_C(0xB8882F1E), - UINT32_C(0x86A86DB3), UINT32_C(0xAFB08D1C), UINT32_C(0xF54DE8C7), - UINT32_C(0x88CB9DF2), UINT32_C(0x9A683282), UINT32_C(0xA44234F1) }, - { UINT32_C(0xA6E9AB2E), UINT32_C(0xBC1B3D3A), UINT32_C(0x87FC99EE), - UINT32_C(0xEFA071FB), UINT32_C(0xA102DC0F), UINT32_C(0xFA3C737D), - UINT32_C(0xD6A0CBD2), UINT32_C(0xDF3248A6), UINT32_C(0x1ECC1BF4), - UINT32_C(0x6E62A4FF), UINT32_C(0xC8F1BC17), UINT32_C(0xF718F940) } }, - { { UINT32_C(0x4F63F026), UINT32_C(0x2C8B0AAD), UINT32_C(0x50B253CC), - UINT32_C(0x2AFF6238), UINT32_C(0x10C4D122), UINT32_C(0xCAB3E942), - UINT32_C(0x07CD2816), UINT32_C(0x52B59F04), UINT32_C(0x982C41FC), - UINT32_C(0x22322803), UINT32_C(0x8CF50B19), UINT32_C(0x38844E66) }, - { UINT32_C(0xBE3264CD), UINT32_C(0x42A959F7), UINT32_C(0x6C983524), - UINT32_C(0xBDDC24BD), UINT32_C(0x462B8640), UINT32_C(0xA489EB0C), - UINT32_C(0x98029BE7), UINT32_C(0xB7C05092), UINT32_C(0xA1ADDC64), - UINT32_C(0xD5546B5F), UINT32_C(0xA0C655AF), UINT32_C(0xE7CAC1FC) } }, - { { UINT32_C(0x47636F97), UINT32_C(0x14547198), UINT32_C(0xEBCDCCFF), - UINT32_C(0x6FA67481), UINT32_C(0x395D3258), UINT32_C(0xC164872F), - UINT32_C(0xEE6ACDBC), UINT32_C(0xB8CECAFE), UINT32_C(0xA933F180), - UINT32_C(0x3FBFE5F3), UINT32_C(0x898C3B1E), UINT32_C(0xEC20CAC2) }, - { UINT32_C(0x87DA73F9), UINT32_C(0x6A031BEE), UINT32_C(0x5C5AF46E), - UINT32_C(0xD1E667D1), UINT32_C(0x1DC6EEF9), UINT32_C(0xCB3DC168), - UINT32_C(0x33D310C0), UINT32_C(0x2DD1BD94), UINT32_C(0x9207E438), - UINT32_C(0x0F78D493), UINT32_C(0xA99C0E75), UINT32_C(0xC233D544) } }, - { { UINT32_C(0x9E2A0113), UINT32_C(0x228F19F1), UINT32_C(0x0E1A5D37), - UINT32_C(0x58495BE5), UINT32_C(0x38D7F364), UINT32_C(0x97E08F69), - UINT32_C(0x510759B0), UINT32_C(0x1EC3BA3E), UINT32_C(0xE03CD40D), - UINT32_C(0x3682F19A), UINT32_C(0xF9E16D68), UINT32_C(0xC87745D8) }, - { UINT32_C(0x09A642EA), UINT32_C(0xFD527AB5), UINT32_C(0xF9C81F27), - UINT32_C(0x6308EEBD), UINT32_C(0x550C5D68), UINT32_C(0xFA9F666C), - UINT32_C(0x584AB153), UINT32_C(0xDEBA436F), UINT32_C(0x5B63E939), - UINT32_C(0x1D4861D3), UINT32_C(0xC9850221), UINT32_C(0x073BED9B) } }, - { { UINT32_C(0x8B171246), UINT32_C(0x802BCCF0), UINT32_C(0x733B072F), - UINT32_C(0xFFF7D15A), UINT32_C(0x4CBFA4EF), UINT32_C(0xEA386266), - UINT32_C(0xD635946B), UINT32_C(0x9E5B5073), UINT32_C(0xFA81BE95), - UINT32_C(0x16E9A979), UINT32_C(0xB14F701F), UINT32_C(0x41E8716E) }, - { UINT32_C(0x101A6719), UINT32_C(0x25782E0F), UINT32_C(0xC9D66959), - UINT32_C(0x442C4875), UINT32_C(0x2B85D153), UINT32_C(0x52D845D9), - UINT32_C(0x2E831117), UINT32_C(0xFF925138), UINT32_C(0x8E02434B), - UINT32_C(0x01B700CC), UINT32_C(0xEC0BAE3E), UINT32_C(0xD2DB7F8E) } }, - { { UINT32_C(0x966A4872), UINT32_C(0x1B225300), UINT32_C(0x566F537B), - UINT32_C(0x40C149BE), UINT32_C(0xCB680021), UINT32_C(0x3335F4D2), - UINT32_C(0x778E5F5F), UINT32_C(0x773D0263), UINT32_C(0x666FA9ED), - UINT32_C(0x1D9B7602), UINT32_C(0x2E6200CF), UINT32_C(0x52490A10) }, - { UINT32_C(0x961F290B), UINT32_C(0x8434C7DD), UINT32_C(0x64456446), - UINT32_C(0x773AC156), UINT32_C(0x47B712BB), UINT32_C(0x5E2BB789), - UINT32_C(0xBE0974AD), UINT32_C(0xFD3BCBFD), UINT32_C(0x791AD5D8), - UINT32_C(0x71AE9351), UINT32_C(0x6F4E1400), UINT32_C(0x1EE738BA) } }, - { { UINT32_C(0x0BE8E26E), UINT32_C(0x2FA428AB), UINT32_C(0xBB4CF9FC), - UINT32_C(0xFEFF0600), UINT32_C(0xB2EA5FB0), UINT32_C(0x76F25CA9), - UINT32_C(0x6835C5F4), UINT32_C(0xAB7FECF0), UINT32_C(0x19D5F328), - UINT32_C(0x649D0772), UINT32_C(0xACBCB12E), UINT32_C(0xABE7B895) }, - { UINT32_C(0xD69B1EA8), UINT32_C(0xF2D1031A), UINT32_C(0xC60B0BBB), - UINT32_C(0x46065D5D), UINT32_C(0x85D798FF), UINT32_C(0xB0908DC1), - UINT32_C(0xD2C9B18A), UINT32_C(0x4E2420F0), UINT32_C(0xD30432A2), - UINT32_C(0x6B3A9BDD), UINT32_C(0xC9B134AD), UINT32_C(0x501C3383) } }, - { { UINT32_C(0x98A21284), UINT32_C(0x608F0967), UINT32_C(0x059CCEDE), - UINT32_C(0x5361BE86), UINT32_C(0xAFD87EF7), UINT32_C(0x3A40655C), - UINT32_C(0x59083AA2), UINT32_C(0x03CF3117), UINT32_C(0xB6C366D9), - UINT32_C(0x57DB5F61), UINT32_C(0x6DD0D232), UINT32_C(0x29DC275B) }, - { UINT32_C(0x8FA67501), UINT32_C(0xBDAB24DD), UINT32_C(0x65D08C37), - UINT32_C(0x5928F775), UINT32_C(0x645D466A), UINT32_C(0x9448A856), - UINT32_C(0xC0E927A5), UINT32_C(0x6E6B5E2E), UINT32_C(0xE80C6871), - UINT32_C(0xE884D546), UINT32_C(0x53A9A851), UINT32_C(0x10C881C9) } }, - { { UINT32_C(0x9B627AA5), UINT32_C(0x35505374), UINT32_C(0x7976677B), - UINT32_C(0xE7CA1B57), UINT32_C(0x4976CE17), UINT32_C(0x81239712), - UINT32_C(0x96DA31B9), UINT32_C(0x96E9080B), UINT32_C(0xCC64AA1F), - UINT32_C(0x458254AB), UINT32_C(0x48E674C9), UINT32_C(0xFEFF6821) }, - { UINT32_C(0x021F1488), UINT32_C(0x8772F37A), UINT32_C(0xAB56345C), - UINT32_C(0x2E274E18), UINT32_C(0x29823B76), UINT32_C(0x7C7BE61C), - UINT32_C(0x9EEFB39E), UINT32_C(0x275DB7B2), UINT32_C(0xBF5CBCEF), - UINT32_C(0x83B10ED4), UINT32_C(0x518E5183), UINT32_C(0x40D7F5B4) } }, - { { UINT32_C(0xF960B41B), UINT32_C(0x315CCC01), UINT32_C(0x1D99E722), - UINT32_C(0x90B417C9), UINT32_C(0x013463E0), UINT32_C(0x84AFAA0D), - UINT32_C(0x13E6D9E1), UINT32_C(0xF133C5D8), UINT32_C(0x525B7430), - UINT32_C(0xD95C6ADC), UINT32_C(0x7A25106A), UINT32_C(0x082C61AD) }, - { UINT32_C(0xBA1CE179), UINT32_C(0xABC1966D), UINT32_C(0xA5DB529A), - UINT32_C(0xE0578B77), UINT32_C(0xEC84107D), UINT32_C(0x10988C05), - UINT32_C(0x1B207F83), UINT32_C(0xFCADE5D7), UINT32_C(0xC5BA83DB), - UINT32_C(0x0BEB6FDB), UINT32_C(0x57537E34), UINT32_C(0x1C39B86D) } }, - }, - { - { { UINT32_C(0x2A7AECED), UINT32_C(0x5B0B5D69), UINT32_C(0x01DC545F), - UINT32_C(0x4C03450C), UINT32_C(0x404A3458), UINT32_C(0x72AD0A4A), - UINT32_C(0x9F467B60), UINT32_C(0x1DE8E255), UINT32_C(0x90634809), - UINT32_C(0xA4B35705), UINT32_C(0x706F0178), UINT32_C(0x76F30205) }, - { UINT32_C(0x4454F0E5), UINT32_C(0x588D21AB), UINT32_C(0x64134928), - UINT32_C(0xD22DF549), UINT32_C(0x241BCD90), UINT32_C(0xF4E7E73D), - UINT32_C(0x2FACC7CC), UINT32_C(0xB8D8A1D2), UINT32_C(0x1D25D2A0), - UINT32_C(0x483C35A7), UINT32_C(0x1EF9F608), UINT32_C(0x7F8D2545) } }, - { { UINT32_C(0x54EBC926), UINT32_C(0xCB51F039), UINT32_C(0xB8D4A7BB), - UINT32_C(0xE235D356), UINT32_C(0xB41FE1A6), UINT32_C(0x93C8FAFA), - UINT32_C(0xA719F254), UINT32_C(0x6297701D), UINT32_C(0x644F5CDE), - UINT32_C(0x6E9165BC), UINT32_C(0x0C11C542), UINT32_C(0x6506329D) }, - { UINT32_C(0xA92B4250), UINT32_C(0xA2564809), UINT32_C(0x889C2E3E), - UINT32_C(0x0E9AC173), UINT32_C(0x22B1D1BE), UINT32_C(0x286A5926), - UINT32_C(0x6ECDD041), UINT32_C(0x86A3D752), UINT32_C(0x649F9524), - UINT32_C(0x4B867E0A), UINT32_C(0x0629CB0F), UINT32_C(0x1FE7D95A) } }, - { { UINT32_C(0xCA5BAF54), UINT32_C(0xF4F66843), UINT32_C(0xEFE7DB78), - UINT32_C(0x298DB357), UINT32_C(0x7365712F), UINT32_C(0xF607E86E), - UINT32_C(0x8A822BC0), UINT32_C(0xD5882298), UINT32_C(0xC61299B3), - UINT32_C(0x2CFBD63A), UINT32_C(0x67167B1A), UINT32_C(0x6F713D9B) }, - { UINT32_C(0xDE0B077A), UINT32_C(0x750F673F), UINT32_C(0xEE2178DA), - UINT32_C(0x07482708), UINT32_C(0x69123C75), UINT32_C(0x5E6D5BD1), - UINT32_C(0xEAB99B37), UINT32_C(0x6A93D1B6), UINT32_C(0x8CAEC6A3), - UINT32_C(0x6EF4F7E6), UINT32_C(0xCF3ED818), UINT32_C(0x7BE411D6) } }, - { { UINT32_C(0x63A0A7D2), UINT32_C(0xF92B3073), UINT32_C(0x881DC8CF), - UINT32_C(0x32DA431C), UINT32_C(0xC578E3A3), UINT32_C(0xE51BD5ED), - UINT32_C(0x9587FA22), UINT32_C(0xEFDA70D2), UINT32_C(0x9B2EBA85), - UINT32_C(0xCFEC1708), UINT32_C(0xAF7BA530), UINT32_C(0x6AB51A4B) }, - { UINT32_C(0x98174812), UINT32_C(0x5AC155AE), UINT32_C(0xCCB076E3), - UINT32_C(0xCAF07A71), UINT32_C(0xC38718A7), UINT32_C(0x280E86C2), - UINT32_C(0xD63745B7), UINT32_C(0x9D12DE73), UINT32_C(0xBF8A79AA), - UINT32_C(0x0E8EA855), UINT32_C(0xBD705BF7), UINT32_C(0x5EB2BED8) } }, - { { UINT32_C(0xAE16DE53), UINT32_C(0x33FE9578), UINT32_C(0x10BEC902), - UINT32_C(0x3AE85EB5), UINT32_C(0x44AF850E), UINT32_C(0xC4F49658), - UINT32_C(0x087DD658), UINT32_C(0x6EA222B3), UINT32_C(0xA51F1447), - UINT32_C(0xB255E6FD), UINT32_C(0x117E3F48), UINT32_C(0xB35E4997) }, - { UINT32_C(0x05616CA1), UINT32_C(0x562E813B), UINT32_C(0x8A61E156), - UINT32_C(0xDF5925D6), UINT32_C(0x571C728B), UINT32_C(0xB2FA8125), - UINT32_C(0xA2F2D1CF), UINT32_C(0x00864805), UINT32_C(0x1BCCB6FF), - UINT32_C(0x2DC26F41), UINT32_C(0x63AE37DD), UINT32_C(0xEBD5E093) } }, - { { UINT32_C(0x0A285611), UINT32_C(0xD2D68BB3), UINT32_C(0xDC8378F2), - UINT32_C(0x3EAE7596), UINT32_C(0x6CC688A3), UINT32_C(0x2DC6CCC6), - UINT32_C(0x011F5DFB), UINT32_C(0xC45E5713), UINT32_C(0x62D34487), - UINT32_C(0x6B9C4F6C), UINT32_C(0x1FC65551), UINT32_C(0xFAD6F077) }, - { UINT32_C(0x62B23B52), UINT32_C(0x5E3266E0), UINT32_C(0xE98F4715), - UINT32_C(0xF1DAF319), UINT32_C(0x3ED0AE83), UINT32_C(0x064D12EA), - UINT32_C(0x564125CB), UINT32_C(0x5CCF9326), UINT32_C(0xC63C1E9F), - UINT32_C(0x09057022), UINT32_C(0xDC9B5D2E), UINT32_C(0x7171972C) } }, - { { UINT32_C(0xEABD21B2), UINT32_C(0x2364FD9A), UINT32_C(0x9174AD6D), - UINT32_C(0x3CE5F4BB), UINT32_C(0xB38688C0), UINT32_C(0xA4D6D5D0), - UINT32_C(0x6D87FD7D), UINT32_C(0x2292A2D2), UINT32_C(0x4CA02E54), - UINT32_C(0x2A7D1B53), UINT32_C(0xB4185715), UINT32_C(0x7BEE6E7E) }, - { UINT32_C(0x8FC63ACD), UINT32_C(0x73E54609), UINT32_C(0x4064E09D), - UINT32_C(0xF4D93A12), UINT32_C(0x2B92DAA5), UINT32_C(0xD20E157A), - UINT32_C(0xC4B81A00), UINT32_C(0x90D125DB), UINT32_C(0x7682DE13), - UINT32_C(0xCB951C9E), UINT32_C(0x27987545), UINT32_C(0x1ABE58F4) } }, - { { UINT32_C(0x30C70C8D), UINT32_C(0x6D351640), UINT32_C(0xCE2361B8), - UINT32_C(0x8047D811), UINT32_C(0xDF8E2C81), UINT32_C(0x3F8B3D4F), - UINT32_C(0x33FA1F6C), UINT32_C(0x5D595477), UINT32_C(0xE29B8A91), - UINT32_C(0xF769FE5A), UINT32_C(0xD737B2A2), UINT32_C(0x26F0E606) }, - { UINT32_C(0xB8B31C6A), UINT32_C(0x70CBFA5D), UINT32_C(0x863D3AEA), - UINT32_C(0x0F883B4A), UINT32_C(0xE386AE2F), UINT32_C(0x156A4479), - UINT32_C(0xADE8A684), UINT32_C(0xA17A2FCD), UINT32_C(0xE2A7E335), - UINT32_C(0x78BDF958), UINT32_C(0x3B9E3041), UINT32_C(0xD1B4E673) } }, - { { UINT32_C(0x449A6D11), UINT32_C(0x1EAF48EC), UINT32_C(0x6D2FA7B9), - UINT32_C(0x6B94B8E4), UINT32_C(0x728E4C1B), UINT32_C(0x1D75D269), - UINT32_C(0xDD304E2C), UINT32_C(0x91123819), UINT32_C(0x88804F4B), - UINT32_C(0x0B34CAE3), UINT32_C(0xC5495E9A), UINT32_C(0x2BA192FB) }, - { UINT32_C(0xFF4D24BF), UINT32_C(0xC93FF6EF), UINT32_C(0x0342BA78), - UINT32_C(0xF8C2C0B0), UINT32_C(0x831EB94C), UINT32_C(0x8041F769), - UINT32_C(0x7782985E), UINT32_C(0x35310074), UINT32_C(0x3AF84E83), - UINT32_C(0xC755320B), UINT32_C(0x6F497E7F), UINT32_C(0x384B6D26) } }, - { { UINT32_C(0x17E6BD17), UINT32_C(0xEF92CD59), UINT32_C(0xA426965C), - UINT32_C(0xA087305B), UINT32_C(0xAC47F773), UINT32_C(0x13895CE7), - UINT32_C(0xE0BB2867), UINT32_C(0xB85F2A9F), UINT32_C(0x7CD7C58E), - UINT32_C(0x2926E6AA), UINT32_C(0x450459C5), UINT32_C(0xE544EDA6) }, - { UINT32_C(0xB90A9849), UINT32_C(0x73DBC351), UINT32_C(0x848EBE86), - UINT32_C(0x961183F6), UINT32_C(0x80534712), UINT32_C(0xC45BB210), - UINT32_C(0xA654D9A3), UINT32_C(0x379D08D7), UINT32_C(0xBD3FFA9C), - UINT32_C(0x5B97CEF2), UINT32_C(0xDDC2FCE5), UINT32_C(0x0F469F34) } }, - { { UINT32_C(0x0642F38D), UINT32_C(0x6D146108), UINT32_C(0xD21EB887), - UINT32_C(0x055171A0), UINT32_C(0xD0DCEB28), UINT32_C(0x28DFFAB4), - UINT32_C(0x98DE9CCD), UINT32_C(0x0D0E6312), UINT32_C(0x118C3C3F), - UINT32_C(0x750A9156), UINT32_C(0xB049D799), UINT32_C(0x8C1F1390) }, - { UINT32_C(0x439607C5), UINT32_C(0xE4823858), UINT32_C(0x5C111EAB), - UINT32_C(0x947E9BA0), UINT32_C(0xA355DF2E), UINT32_C(0x39C95616), - UINT32_C(0x10E54BDA), UINT32_C(0xF5F6B98E), UINT32_C(0x142B876A), - UINT32_C(0xB0E0B33D), UINT32_C(0xEA18C90C), UINT32_C(0x71197D73) } }, - { { UINT32_C(0xF52BE819), UINT32_C(0x36A5139D), UINT32_C(0x29A45D2B), - UINT32_C(0xF60DDF34), UINT32_C(0xE9220E34), UINT32_C(0x0727EFEC), - UINT32_C(0x4EF7F446), UINT32_C(0x431D3386), UINT32_C(0xFCC4962C), - UINT32_C(0xC3165A64), UINT32_C(0xD64362BB), UINT32_C(0xB7D926E1) }, - { UINT32_C(0xD45F9350), UINT32_C(0x216BC61F), UINT32_C(0xBBAED815), - UINT32_C(0xA974CB2F), UINT32_C(0x86FB2F76), UINT32_C(0x31DF342D), - UINT32_C(0x01D78314), UINT32_C(0x3AB67E05), UINT32_C(0xDEE33ED2), - UINT32_C(0x7AA951E0), UINT32_C(0xCEC78D94), UINT32_C(0x318FBBBD) } }, - { { UINT32_C(0xB8FE0204), UINT32_C(0xAD7EFB65), UINT32_C(0x230AB7F7), - UINT32_C(0x0432E1C5), UINT32_C(0x9C967400), UINT32_C(0x7563A62D), - UINT32_C(0x3524D4FF), UINT32_C(0xD88B9C74), UINT32_C(0xF1A823E3), - UINT32_C(0x16A1991C), UINT32_C(0xFA6F0FFB), UINT32_C(0xCF2F9BFE) }, - { UINT32_C(0xA50CA61F), UINT32_C(0x55AAA946), UINT32_C(0xFED4CAB3), - UINT32_C(0x8CBBD3C8), UINT32_C(0x7651365A), UINT32_C(0x03A0FAB8), - UINT32_C(0x62DC3913), UINT32_C(0x46B5234B), UINT32_C(0xB558CBBD), - UINT32_C(0xFD875B28), UINT32_C(0x11CEB361), UINT32_C(0xA48EC3AE) } }, - { { UINT32_C(0xB3ADBD8B), UINT32_C(0x5DD131A1), UINT32_C(0x29B45EF8), - UINT32_C(0xF9FBCA3A), UINT32_C(0x9341EE18), UINT32_C(0x02204866), - UINT32_C(0x83BF9618), UINT32_C(0x8D13B895), UINT32_C(0xE807459C), - UINT32_C(0x0E395BAE), UINT32_C(0xB190E7DB), UINT32_C(0xB9C110CC) }, - { UINT32_C(0x25D25063), UINT32_C(0xA0DC3452), UINT32_C(0x02371462), - UINT32_C(0x2FB78EC8), UINT32_C(0x8975C2D5), UINT32_C(0xC3A9E7BB), - UINT32_C(0x85A78264), UINT32_C(0x94666872), UINT32_C(0x8029AA92), - UINT32_C(0x480D2CC2), UINT32_C(0x5655726D), UINT32_C(0x237086C7) } }, - { { UINT32_C(0x65EB9EEE), UINT32_C(0x197F14BB), UINT32_C(0x9F12E5FD), - UINT32_C(0xFC93125C), UINT32_C(0x8BFBAE5E), UINT32_C(0x9C20BC53), - UINT32_C(0x4BC053BA), UINT32_C(0xB35E2154), UINT32_C(0x21C3898E), - UINT32_C(0xE5FA9CC7), UINT32_C(0xD42F950F), UINT32_C(0x502D72FF) }, - { UINT32_C(0xD1EB8C31), UINT32_C(0x6812D38A), UINT32_C(0x080D30BB), - UINT32_C(0x1F77F3F1), UINT32_C(0x5A8B1E98), UINT32_C(0x18D12833), - UINT32_C(0x299196CE), UINT32_C(0x7FD39FA9), UINT32_C(0xCF4ED6D6), - UINT32_C(0xFB8C9F11), UINT32_C(0xD6363194), UINT32_C(0x4C00F604) } }, - { { UINT32_C(0xFA2A21C2), UINT32_C(0x5C8AFCF9), UINT32_C(0x1928D133), - UINT32_C(0x71CBF282), UINT32_C(0x42B29506), UINT32_C(0x56BEF28E), - UINT32_C(0x70323DE2), UINT32_C(0xAFBA250C), UINT32_C(0x7DED2C30), - UINT32_C(0x3FE208D1), UINT32_C(0xCE9AA598), UINT32_C(0xBD2CD213) }, - { UINT32_C(0xCFEED070), UINT32_C(0x52C5EC52), UINT32_C(0xD3DA336B), - UINT32_C(0x0A7223E7), UINT32_C(0xCE156B46), UINT32_C(0x7156A4ED), - UINT32_C(0xED7E6159), UINT32_C(0x9AF6C499), UINT32_C(0x13C029AD), - UINT32_C(0x9D7A6797), UINT32_C(0x9018DC77), UINT32_C(0xE5B5C924) } }, - }, - { - { { UINT32_C(0xDE1E4E55), UINT32_C(0x3F2EFF53), UINT32_C(0xE4D3ECC4), - UINT32_C(0x6B749943), UINT32_C(0x0DDE190D), UINT32_C(0xAF10B18A), - UINT32_C(0xA26B0409), UINT32_C(0xF491B98D), UINT32_C(0xA2B1D944), - UINT32_C(0x66080782), UINT32_C(0x97E8C541), UINT32_C(0x59277DC6) }, - { UINT32_C(0x006F18AA), UINT32_C(0xFDBFC5F6), UINT32_C(0xFADD8BE1), - UINT32_C(0x435D165B), UINT32_C(0x57645EF4), UINT32_C(0x8E5D2638), - UINT32_C(0xA0258363), UINT32_C(0x31BCFDA6), UINT32_C(0xD35D2503), - UINT32_C(0xF5330AB8), UINT32_C(0xC7CAB285), UINT32_C(0xB71369F0) } }, - { { UINT32_C(0x40ACC5A8), UINT32_C(0xE6A19DCC), UINT32_C(0xDBC6DBF8), - UINT32_C(0x1C3A1FF1), UINT32_C(0xC6455613), UINT32_C(0xB4D89B9F), - UINT32_C(0xA7390D0E), UINT32_C(0x6CB0FE44), UINT32_C(0x59EA135A), - UINT32_C(0xADE197A4), UINT32_C(0x20680982), UINT32_C(0xDA6AA865) }, - { UINT32_C(0x5A442C1B), UINT32_C(0x03DB9BE9), UINT32_C(0x2BFB93F2), - UINT32_C(0x221A2D73), UINT32_C(0x753C196C), UINT32_C(0x44DEE8D4), - UINT32_C(0x0B7C6FF5), UINT32_C(0x59ADCC70), UINT32_C(0x4CA1B142), - UINT32_C(0xC6260EC2), UINT32_C(0x46CBD4F2), UINT32_C(0x4C3CB5C6) } }, - { { UINT32_C(0xA417111F), UINT32_C(0x8A15D6FE), UINT32_C(0x71D93FCC), - UINT32_C(0xFE4A16BD), UINT32_C(0x55BBE732), UINT32_C(0x7A7EE38C), - UINT32_C(0x1FF94A9D), UINT32_C(0xEFF146A5), UINT32_C(0xDD585AB5), - UINT32_C(0xE572D13E), UINT32_C(0x06491A5D), UINT32_C(0xD879790E) }, - { UINT32_C(0x2A58CB2E), UINT32_C(0x9C84E1C5), UINT32_C(0x6C938630), - UINT32_C(0xD79D1374), UINT32_C(0x385F06C7), UINT32_C(0xDB12CD9B), - UINT32_C(0x7A7759C3), UINT32_C(0x0C93EB97), UINT32_C(0x683BD706), - UINT32_C(0xF1F5B0FE), UINT32_C(0x85EC3D50), UINT32_C(0x541E4F72) } }, - { { UINT32_C(0x81833608), UINT32_C(0x9A0E1535), UINT32_C(0x6E2833AC), - UINT32_C(0x5CCE871E), UINT32_C(0xFB29777C), UINT32_C(0xC17059EA), - UINT32_C(0xE354CAFD), UINT32_C(0x7E40E5FA), UINT32_C(0x4D07C371), - UINT32_C(0x9CF59405), UINT32_C(0xA71C3945), UINT32_C(0x64CE36B2) }, - { UINT32_C(0x56CAF487), UINT32_C(0x69309E96), UINT32_C(0x1AE3454B), - UINT32_C(0x3D719E9F), UINT32_C(0xE25823B6), UINT32_C(0xF2164070), - UINT32_C(0x0BC27359), UINT32_C(0xEAD851BD), UINT32_C(0xB0925094), - UINT32_C(0x3D21BFE8), UINT32_C(0x34A97F4E), UINT32_C(0xA783B1E9) } }, - { { UINT32_C(0x9546491A), UINT32_C(0x406B0C26), UINT32_C(0xF293C4E5), - UINT32_C(0x9E5E15E2), UINT32_C(0x15B164DB), UINT32_C(0xC60D6413), - UINT32_C(0x0C75A78E), UINT32_C(0x0DA46F53), UINT32_C(0xEA0C656B), - UINT32_C(0x7C599BB7), UINT32_C(0x1B1A8122), UINT32_C(0x0F07A512) }, - { UINT32_C(0x15172686), UINT32_C(0x14C7204A), UINT32_C(0x5165625D), - UINT32_C(0x8FAEDFF8), UINT32_C(0x37AEDE40), UINT32_C(0x20F260CE), - UINT32_C(0x8F357FFE), UINT32_C(0xC81F771E), UINT32_C(0xB0912557), - UINT32_C(0x25499197), UINT32_C(0x4C739C74), UINT32_C(0x736197DC) } }, - { { UINT32_C(0x381B3462), UINT32_C(0x6151BAB1), UINT32_C(0x43DBD344), - UINT32_C(0x27E5A078), UINT32_C(0xA1C3E9FB), UINT32_C(0x2CB05BD6), - UINT32_C(0x27CF2A11), UINT32_C(0x2A759760), UINT32_C(0xFF43E702), - UINT32_C(0x0ADCF9DB), UINT32_C(0x1F484146), UINT32_C(0x4BBF03E2) }, - { UINT32_C(0x55B6521A), UINT32_C(0x0E74997F), UINT32_C(0xADE17086), - UINT32_C(0x15629231), UINT32_C(0x7493FC58), UINT32_C(0x7F143E86), - UINT32_C(0xAF8B9670), UINT32_C(0x60869095), UINT32_C(0x7E524869), - UINT32_C(0x482CFCD7), UINT32_C(0x1D454756), UINT32_C(0x9E8060C3) } }, - { { UINT32_C(0xC88B4D3B), UINT32_C(0xE495747A), UINT32_C(0xAE8A948F), - UINT32_C(0xB7559835), UINT32_C(0xDEB56853), UINT32_C(0x67EEF3A9), - UINT32_C(0x9DEE5ADF), UINT32_C(0x0E20E269), UINT32_C(0x61F0A1AA), - UINT32_C(0x9031AF67), UINT32_C(0x683402BC), UINT32_C(0x76669D32) }, - { UINT32_C(0x06718B16), UINT32_C(0x90BD2313), UINT32_C(0x864EFDAC), - UINT32_C(0xE1B22A21), UINT32_C(0x6620089F), UINT32_C(0xE4FFE909), - UINT32_C(0x3428E2D9), UINT32_C(0xB84C842E), UINT32_C(0xFE3871FC), - UINT32_C(0x0E28C880), UINT32_C(0x3F21C200), UINT32_C(0x8932F698) } }, - { { UINT32_C(0x6C90EA5D), UINT32_C(0x603F00CE), UINT32_C(0x40A2F693), - UINT32_C(0x64739307), UINT32_C(0x2174E517), UINT32_C(0xAF65148B), - UINT32_C(0xF784AE74), UINT32_C(0x162FC2CA), UINT32_C(0x4D5F6458), - UINT32_C(0x0D9A8825), UINT32_C(0x43AACE93), UINT32_C(0x0C2D5861) }, - { UINT32_C(0x9F73CBFC), UINT32_C(0xBF1EADDE), UINT32_C(0x9C68BBCA), - UINT32_C(0xDE9C34C0), UINT32_C(0x67EF8A1A), UINT32_C(0x6D95602D), - UINT32_C(0xA791B241), UINT32_C(0x0AF2581B), UINT32_C(0x12CAD604), - UINT32_C(0x14F77361), UINT32_C(0xE2ACD1AD), UINT32_C(0x19F2354D) } }, - { { UINT32_C(0x0D60F263), UINT32_C(0x272F78F6), UINT32_C(0x208FD785), - UINT32_C(0xE7A8F4AF), UINT32_C(0x36554F2C), UINT32_C(0x10E191C6), - UINT32_C(0xFD5CD0B3), UINT32_C(0x06D88551), UINT32_C(0x57069C27), - UINT32_C(0x29BF8568), UINT32_C(0x28AA6FAD), UINT32_C(0x3CE7ECD8) }, - { UINT32_C(0xE9F1A1D8), UINT32_C(0x7D8A92D0), UINT32_C(0xD30B5725), - UINT32_C(0xD40C7FF8), UINT32_C(0xF54CAEB8), UINT32_C(0x16BE6CB2), - UINT32_C(0x14CB0A91), UINT32_C(0x14CA471A), UINT32_C(0x02733CAE), - UINT32_C(0xD5FF15B8), UINT32_C(0xDAA76580), UINT32_C(0xCAF88D87) } }, - { { UINT32_C(0x2C046592), UINT32_C(0x39430E22), UINT32_C(0x1AD26706), - UINT32_C(0x6CDAE81F), UINT32_C(0xA25D9106), UINT32_C(0x8C102159), - UINT32_C(0x27CA9F30), UINT32_C(0x9A440572), UINT32_C(0x70287FBC), - UINT32_C(0x8D34C430), UINT32_C(0x29DB8AFA), UINT32_C(0x9003A455) }, - { UINT32_C(0x7FD971AD), UINT32_C(0x91364CC3), UINT32_C(0x9C60EDB7), - UINT32_C(0x7B3AA048), UINT32_C(0x526F4DD8), UINT32_C(0x58B0E008), - UINT32_C(0xD86D98AE), UINT32_C(0xB7674454), UINT32_C(0xB2B45747), - UINT32_C(0xC25F4051), UINT32_C(0xCC043E8F), UINT32_C(0x8243BF9C) } }, - { { UINT32_C(0x43A0C387), UINT32_C(0xA89641C6), UINT32_C(0x87B9AB17), - UINT32_C(0x6D92205C), UINT32_C(0xDAA0E102), UINT32_C(0x37D691F4), - UINT32_C(0xCDE5312E), UINT32_C(0xEB3E52D7), UINT32_C(0x16F518A2), - UINT32_C(0x60D3C099), UINT32_C(0x8A378EEB), UINT32_C(0x7854C051) }, - { UINT32_C(0x4BBCAAC5), UINT32_C(0x7359DB51), UINT32_C(0x1713F102), - UINT32_C(0xF5B1B68C), UINT32_C(0xE4398DE5), UINT32_C(0xDAEAE645), - UINT32_C(0xD1ABFB82), UINT32_C(0x8C8ACB6C), UINT32_C(0x136423E2), - UINT32_C(0x2E8B76C3), UINT32_C(0xA8BA015E), UINT32_C(0x509DCB2D) } }, - { { UINT32_C(0x9AD9C59C), UINT32_C(0x2FF36815), UINT32_C(0x658E65B9), - UINT32_C(0xB189A4E8), UINT32_C(0xEA786AD2), UINT32_C(0x7D33DDBB), - UINT32_C(0xC0D2DC05), UINT32_C(0x96D0D648), UINT32_C(0xBFA03BE9), - UINT32_C(0x05E49256), UINT32_C(0x8BAF5A1C), UINT32_C(0x0EA4E7A6) }, - { UINT32_C(0x9F9AD5A8), UINT32_C(0x3DDCE0B0), UINT32_C(0x9E49C2CB), - UINT32_C(0xF7809195), UINT32_C(0x21782C2F), UINT32_C(0xBFCEF29D), - UINT32_C(0xC41BFD97), UINT32_C(0xE57AD39F), UINT32_C(0x1355AD19), - UINT32_C(0xC04B93E8), UINT32_C(0x59440F9F), UINT32_C(0xAABC9E6E) } }, - { { UINT32_C(0x5B6459DA), UINT32_C(0x7AA48103), UINT32_C(0x0166E880), - UINT32_C(0x83EF7477), UINT32_C(0x511CCE80), UINT32_C(0x536182B1), - UINT32_C(0x73CA55AA), UINT32_C(0xAFDD2EEE), UINT32_C(0xA8716143), - UINT32_C(0xAB910D0D), UINT32_C(0x83707250), UINT32_C(0x8BEAA42B) }, - { UINT32_C(0x8DA2AB3D), UINT32_C(0x4BCCFD89), UINT32_C(0xEC6AA105), - UINT32_C(0x1DBF68A9), UINT32_C(0x68EB42DA), UINT32_C(0x32CE6108), - UINT32_C(0x8EA62E37), UINT32_C(0x5C2C2C85), UINT32_C(0xCD3088A7), - UINT32_C(0x1ED2791F), UINT32_C(0xFF05070C), UINT32_C(0x496B4FEB) } }, - { { UINT32_C(0x0AA629C5), UINT32_C(0x9FA9121A), UINT32_C(0x57558BEC), - UINT32_C(0xE286CFF1), UINT32_C(0x59813A4D), UINT32_C(0x4D9D657E), - UINT32_C(0x26103519), UINT32_C(0xC4676A16), UINT32_C(0x2BD4DF80), - UINT32_C(0x616160B3), UINT32_C(0x30FBAE87), UINT32_C(0x26FB78CC) }, - { UINT32_C(0x8F0F66BD), UINT32_C(0x09607013), UINT32_C(0x03D9B90D), - UINT32_C(0xDD4E2D0C), UINT32_C(0x600D1B12), UINT32_C(0x5D3A8912), - UINT32_C(0x4308E126), UINT32_C(0xF76DD52F), UINT32_C(0x9E4FCCA6), - UINT32_C(0x97CC0409), UINT32_C(0x04C4DF7B), UINT32_C(0x0CFBE311) } }, - { { UINT32_C(0x28437A23), UINT32_C(0x6CA62C12), UINT32_C(0x40E7A003), - UINT32_C(0x0DAF3353), UINT32_C(0xD20F8079), UINT32_C(0x1FD07DF0), - UINT32_C(0x3BBC9749), UINT32_C(0xEAE7969C), UINT32_C(0x9ECAD022), - UINT32_C(0x55861AFA), UINT32_C(0x1FBC3D4C), UINT32_C(0xEC41DAD9) }, - { UINT32_C(0xDA8B261B), UINT32_C(0x1FE4CB40), UINT32_C(0x427C5C9D), - UINT32_C(0xC2671AB6), UINT32_C(0x261D4939), UINT32_C(0xDFCDA7B8), - UINT32_C(0x2072C0B9), UINT32_C(0x9E7B802B), UINT32_C(0xC7828CC2), - UINT32_C(0x3AFEE900), UINT32_C(0xF6DE987F), UINT32_C(0x3488BF28) } }, - { { UINT32_C(0x7BE1F89E), UINT32_C(0x33B9F2DE), UINT32_C(0x299B15C9), - UINT32_C(0xD4E80821), UINT32_C(0x0E13F37F), UINT32_C(0x87A3067A), - UINT32_C(0x55FD239F), UINT32_C(0x6D4C09ED), UINT32_C(0x92EF014F), - UINT32_C(0x48B1042D), UINT32_C(0xB385A759), UINT32_C(0xA382B2E0) }, - { UINT32_C(0x7F6F84F8), UINT32_C(0xBF571BB0), UINT32_C(0x0CE87F50), - UINT32_C(0x25AFFA37), UINT32_C(0xFE54F1BC), UINT32_C(0x826906D3), - UINT32_C(0xC53AE76A), UINT32_C(0x6B0421F4), UINT32_C(0x4855EB3C), - UINT32_C(0x44F85A3A), UINT32_C(0x8D1F2B27), UINT32_C(0xF49E2151) } }, - }, - { - { { UINT32_C(0x5E3C647B), UINT32_C(0xC0426B77), UINT32_C(0x8CF05348), - UINT32_C(0xBFCBD939), UINT32_C(0x172C0D3D), UINT32_C(0x31D312E3), - UINT32_C(0xEE754737), UINT32_C(0x5F49FDE6), UINT32_C(0x6DA7EE61), - UINT32_C(0x895530F0), UINT32_C(0xE8B3A5FB), UINT32_C(0xCF281B0A) }, - { UINT32_C(0x41B8A543), UINT32_C(0xFD149735), UINT32_C(0x3080DD30), - UINT32_C(0x41A625A7), UINT32_C(0x653908CF), UINT32_C(0xE2BAAE07), - UINT32_C(0xBA02A278), UINT32_C(0xC3D01436), UINT32_C(0x7B21B8F8), - UINT32_C(0xA0D0222E), UINT32_C(0xD7EC1297), UINT32_C(0xFDC270E9) } }, - { { UINT32_C(0x9F101E64), UINT32_C(0x06A67BD2), UINT32_C(0xE1733A4A), - UINT32_C(0xCB6E0AC7), UINT32_C(0x97BC62D2), UINT32_C(0xEE0B5D51), - UINT32_C(0x24C51874), UINT32_C(0x52B17039), UINT32_C(0x82A1A0D5), - UINT32_C(0xFED1F423), UINT32_C(0xDB6270AC), UINT32_C(0x55D90569) }, - { UINT32_C(0x5D73D533), UINT32_C(0x36BE4A9C), UINT32_C(0x976ED4D5), - UINT32_C(0xBE9266D6), UINT32_C(0xB8F8074B), UINT32_C(0xC17436D3), - UINT32_C(0x718545C6), UINT32_C(0x3BB4D399), UINT32_C(0x5C757D21), - UINT32_C(0x8E1EA355), UINT32_C(0x8C474366), UINT32_C(0xF7EDBC97) } }, - { { UINT32_C(0x6EA83242), UINT32_C(0xEC72C650), UINT32_C(0x1B2D237F), - UINT32_C(0xF7DE7BE5), UINT32_C(0x1819EFB0), UINT32_C(0x3C5E2200), - UINT32_C(0x8CDDE870), UINT32_C(0xDF5AB6D6), UINT32_C(0x92A87AEE), - UINT32_C(0x75A44E9D), UINT32_C(0xBCF77F19), UINT32_C(0xBDDC46F4) }, - { UINT32_C(0x669B674D), UINT32_C(0x8191EFBD), UINT32_C(0xED71768F), - UINT32_C(0x52884DF9), UINT32_C(0x65CF242C), UINT32_C(0xE62BE582), - UINT32_C(0x80B1D17B), UINT32_C(0xAE99A3B1), UINT32_C(0x92DE59A9), - UINT32_C(0x48CBB446), UINT32_C(0x2DCB3CE2), UINT32_C(0xD3C226CF) } }, - { { UINT32_C(0x9FD94EC4), UINT32_C(0x9580CDFB), UINT32_C(0x28631AD9), - UINT32_C(0xED273A6C), UINT32_C(0xC327F3E7), UINT32_C(0x5D3D5F77), - UINT32_C(0x35353C5F), UINT32_C(0x05D5339C), UINT32_C(0x5C258EB1), - UINT32_C(0xC56FB5FE), UINT32_C(0xEDCE1F79), UINT32_C(0xEFF8425E) }, - { UINT32_C(0xCF83CF9C), UINT32_C(0xAB7AA141), UINT32_C(0x207D6D4F), - UINT32_C(0xBD2A690A), UINT32_C(0x458D9E52), UINT32_C(0xE1241491), - UINT32_C(0xAA7F0F31), UINT32_C(0xDD2448CC), UINT32_C(0xF0FDA7AB), - UINT32_C(0xEC58D3C7), UINT32_C(0xC91BBA4D), UINT32_C(0x7B6E122D) } }, - { { UINT32_C(0xB1B48156), UINT32_C(0x2A2DEDAF), UINT32_C(0xBB93DB87), - UINT32_C(0xA0A2C63A), UINT32_C(0x08ACD99E), UINT32_C(0xC6559078), - UINT32_C(0xFE4AC331), UINT32_C(0x03EA42AF), UINT32_C(0xEB180ED6), - UINT32_C(0x43D2C14A), UINT32_C(0xB1156A1A), UINT32_C(0xC2F293DD) }, - { UINT32_C(0xA9D81249), UINT32_C(0x1FAFABF5), UINT32_C(0x9A8EEE87), - UINT32_C(0x39ADDEAD), UINT32_C(0x119E2E92), UINT32_C(0x21E206F2), - UINT32_C(0xD74DCEB6), UINT32_C(0xBC5DCC2E), UINT32_C(0x0A73A358), - UINT32_C(0x86647FA3), UINT32_C(0x2F53F642), UINT32_C(0xEAD8BEA4) } }, - { { UINT32_C(0x91C09091), UINT32_C(0x636225F5), UINT32_C(0x71BDCFDF), - UINT32_C(0xCCF5070A), UINT32_C(0xB9668EE2), UINT32_C(0x0EF8D625), - UINT32_C(0xB5E04E4F), UINT32_C(0x57BDF6CD), UINT32_C(0x7C75EA43), - UINT32_C(0xFC6AB0A6), UINT32_C(0xF7FD6EF3), UINT32_C(0xEB6B8AFB) }, - { UINT32_C(0x2A3DF404), UINT32_C(0x5B2AEEF0), UINT32_C(0xB9823197), - UINT32_C(0x31FD3B48), UINT32_C(0x83A7EB23), UINT32_C(0x56226DB6), - UINT32_C(0x5BB1ED2F), UINT32_C(0x3772C21E), UINT32_C(0xCD1ABA6A), - UINT32_C(0x3E833624), UINT32_C(0xAC672DAD), UINT32_C(0xBAE58FFA) } }, - { { UINT32_C(0x31BA1705), UINT32_C(0xCE92224D), UINT32_C(0xF0197F63), - UINT32_C(0x022C6ED2), UINT32_C(0xA4DC1113), UINT32_C(0x21F18D99), - UINT32_C(0x03616BF1), UINT32_C(0x5CD04DE8), UINT32_C(0x9FF12E08), - UINT32_C(0x6F900679), UINT32_C(0x48E61DDF), UINT32_C(0xF59A3315) }, - { UINT32_C(0xB51BD024), UINT32_C(0x9474D42C), UINT32_C(0x9051E49D), - UINT32_C(0x11A0A413), UINT32_C(0xDCE70EDB), UINT32_C(0x79C92705), - UINT32_C(0x34198426), UINT32_C(0x113CE278), UINT32_C(0xEA8616D2), - UINT32_C(0x8978396F), UINT32_C(0xEA894C36), UINT32_C(0x9A2A14D0) } }, - { { UINT32_C(0x604F6E4A), UINT32_C(0x4F1E1254), UINT32_C(0x0187D585), - UINT32_C(0x4513B088), UINT32_C(0x19E0F482), UINT32_C(0x9022F257), - UINT32_C(0xE2239DBF), UINT32_C(0x51FB2A80), UINT32_C(0x998ED9D5), - UINT32_C(0x49940D9E), UINT32_C(0x6C932C5D), UINT32_C(0x0583D241) }, - { UINT32_C(0xF25B73F7), UINT32_C(0x1188CEC8), UINT32_C(0x3B3D06CD), - UINT32_C(0xA28788CB), UINT32_C(0xA083DB5A), UINT32_C(0xDEA194EC), - UINT32_C(0x22DF4272), UINT32_C(0xD93A4F7E), UINT32_C(0x6A009C49), - UINT32_C(0x8D84E4BF), UINT32_C(0x3E3E4A9E), UINT32_C(0x893D8DD9) } }, - { { UINT32_C(0x33D31160), UINT32_C(0x35E909EA), UINT32_C(0x57172F1E), - UINT32_C(0x50203168), UINT32_C(0x51F3D866), UINT32_C(0x2707FC44), - UINT32_C(0xD2442A5D), UINT32_C(0xEB9D2018), UINT32_C(0x5DBFE378), - UINT32_C(0x904D7209), UINT32_C(0x5F13CF77), UINT32_C(0x6DB132A3) }, - { UINT32_C(0x7A3AF54B), UINT32_C(0x9D842BA6), UINT32_C(0x5AA5B4F9), - UINT32_C(0x4E16EA19), UINT32_C(0xAF24228E), UINT32_C(0x2BBA457C), - UINT32_C(0x16F3C5FE), UINT32_C(0xCC04B3BB), UINT32_C(0x77E64944), - UINT32_C(0xBAFAC516), UINT32_C(0xF08BCEE0), UINT32_C(0x31580A34) } }, - { { UINT32_C(0x20C30ACA), UINT32_C(0xC6808DEE), UINT32_C(0xA3EA2056), - UINT32_C(0xDADD216F), UINT32_C(0x7A4A9F9D), UINT32_C(0xD331394E), - UINT32_C(0x424C4026), UINT32_C(0x9E0441AD), UINT32_C(0x0AEB5350), - UINT32_C(0xAEED102F), UINT32_C(0xD45B09DA), UINT32_C(0xC6697FBB) }, - { UINT32_C(0xDEAC1496), UINT32_C(0x52A2590E), UINT32_C(0x250B87AF), - UINT32_C(0x7142B831), UINT32_C(0x6D0784A8), UINT32_C(0xBEF2E68B), - UINT32_C(0xA5F71CEF), UINT32_C(0x5F62593A), UINT32_C(0xB5DA51A3), - UINT32_C(0x3B8F7616), UINT32_C(0xB680F5FE), UINT32_C(0xC7A6FA0D) } }, - { { UINT32_C(0x99C8227C), UINT32_C(0x36C21DE6), UINT32_C(0xC26813B1), - UINT32_C(0xBEE3E867), UINT32_C(0xBDD91549), UINT32_C(0x9B05F2E6), - UINT32_C(0xA7D1110F), UINT32_C(0x34FF2B1F), UINT32_C(0x37F67FD0), - UINT32_C(0x8E6953B9), UINT32_C(0xC3183E20), UINT32_C(0x56C7F18B) }, - { UINT32_C(0x9E2019ED), UINT32_C(0x48AF46DE), UINT32_C(0xF551BBBF), - UINT32_C(0xDEAF972E), UINT32_C(0xCC5E3EEF), UINT32_C(0x88EE38F8), - UINT32_C(0x392D6BAF), UINT32_C(0xFB8D7A44), UINT32_C(0x0127187D), - UINT32_C(0x32293BFC), UINT32_C(0xE58647CC), UINT32_C(0x7689E767) } }, - { { UINT32_C(0x52168013), UINT32_C(0x00CE901B), UINT32_C(0x837AAE71), - UINT32_C(0xC6BF8E38), UINT32_C(0x167677D8), UINT32_C(0xD6F11EFA), - UINT32_C(0x86C8E5CF), UINT32_C(0xE53BB485), UINT32_C(0xC48E74AB), - UINT32_C(0x671167CE), UINT32_C(0x8AD720A7), UINT32_C(0x8A40218C) }, - { UINT32_C(0xE7C1191A), UINT32_C(0x81E827A6), UINT32_C(0xADDB153D), - UINT32_C(0x54058F8D), UINT32_C(0x0D950FA2), UINT32_C(0x0BAF2925), - UINT32_C(0x576DDA13), UINT32_C(0xC244674D), UINT32_C(0x41BCD13B), - UINT32_C(0x8C4630AE), UINT32_C(0x5A077419), UINT32_C(0x6C2127BF) } }, - { { UINT32_C(0xA83C501F), UINT32_C(0xCF977FD5), UINT32_C(0xB6AB176F), - UINT32_C(0xD7C6DF36), UINT32_C(0x397BC6B5), UINT32_C(0x117F6331), - UINT32_C(0xF7A2D491), UINT32_C(0x72A6078B), UINT32_C(0x5242FE2E), - UINT32_C(0xE5A2AAED), UINT32_C(0xFEBDC212), UINT32_C(0x88ECFFDC) }, - { UINT32_C(0xCE33BA21), UINT32_C(0xF2DBBF50), UINT32_C(0xCEB19F07), - UINT32_C(0xE1343B76), UINT32_C(0xD2C28F71), UINT32_C(0x1F32D4C9), - UINT32_C(0x18587685), UINT32_C(0x93FC64B4), UINT32_C(0xBA1F8BD1), - UINT32_C(0x39CEEF9B), UINT32_C(0x8D6D6BB0), UINT32_C(0x99C36A78) } }, - { { UINT32_C(0x3E9561CF), UINT32_C(0x0D063817), UINT32_C(0x3D33704D), - UINT32_C(0x1D8646AA), UINT32_C(0x7A08BA33), UINT32_C(0x8C451384), - UINT32_C(0xE02D6624), UINT32_C(0x96446BD3), UINT32_C(0x2D6F4166), - UINT32_C(0x749849F0), UINT32_C(0x14268BF0), UINT32_C(0xE364DA01) }, - { UINT32_C(0x9AEBFCFD), UINT32_C(0x7CE4587E), UINT32_C(0x56234393), - UINT32_C(0xD4686064), UINT32_C(0x16DF73B2), UINT32_C(0x00231D51), - UINT32_C(0x7279C78C), UINT32_C(0xF6A969B7), UINT32_C(0x6CB4117C), - UINT32_C(0x1FF1F6B6), UINT32_C(0xD3EAB680), UINT32_C(0x30AEBC39) } }, - { { UINT32_C(0x93EF00B9), UINT32_C(0x5CC97E64), UINT32_C(0x972345AE), - UINT32_C(0xDAE13841), UINT32_C(0x4788F43C), UINT32_C(0x85839184), - UINT32_C(0xE2E6CF3E), UINT32_C(0xD0FF521E), UINT32_C(0x4B707C86), - UINT32_C(0xAED14A5B), UINT32_C(0xD2523CF7), UINT32_C(0x7EAAE4A6) }, - { UINT32_C(0x024C8AC6), UINT32_C(0x266472C5), UINT32_C(0xC0170051), - UINT32_C(0xE47E1522), UINT32_C(0x73826BAE), UINT32_C(0x7B83DA61), - UINT32_C(0xCF543F0D), UINT32_C(0xE97E19F5), UINT32_C(0x20BF38E2), - UINT32_C(0x5D5248FA), UINT32_C(0xDF56A037), UINT32_C(0x8A7C2F7D) } }, - { { UINT32_C(0x87B0526C), UINT32_C(0xB04659DD), UINT32_C(0x2307565E), - UINT32_C(0x593C604A), UINT32_C(0x7C630AB8), UINT32_C(0x49E52225), - UINT32_C(0xDCE9CD23), UINT32_C(0x24C1D0C6), UINT32_C(0x85177079), - UINT32_C(0x6FDB241C), UINT32_C(0xF250C351), UINT32_C(0x5F521D19) }, - { UINT32_C(0xA6FB61DF), UINT32_C(0xFB56134B), UINT32_C(0xD75C07ED), - UINT32_C(0xA4E70D69), UINT32_C(0x7D8825A8), UINT32_C(0xB7A82448), - UINT32_C(0xDD64BBCC), UINT32_C(0xA3AEA7D4), UINT32_C(0x8692F539), - UINT32_C(0xD53E6E6C), UINT32_C(0xF7AA4BC0), UINT32_C(0x8DDDA83B) } }, - }, - { - { { UINT32_C(0xDD93D50A), UINT32_C(0x140A0F9F), UINT32_C(0x83B7ABAC), - UINT32_C(0x4799FFDE), UINT32_C(0x04A1F742), UINT32_C(0x78FF7C23), - UINT32_C(0x195BA34E), UINT32_C(0xC0568F51), UINT32_C(0x3B7F78B4), - UINT32_C(0xE9718360), UINT32_C(0xF9EFAA53), UINT32_C(0x9CFD1FF1) }, - { UINT32_C(0xBB06022E), UINT32_C(0xE924D2C5), UINT32_C(0xFAA2AF6D), - UINT32_C(0x9987FA86), UINT32_C(0x6EE37E0F), UINT32_C(0x4B12E73F), - UINT32_C(0x5E5A1DDE), UINT32_C(0x1836FDFA), UINT32_C(0x9DCD6416), - UINT32_C(0x7F1B9225), UINT32_C(0x677544D8), UINT32_C(0xCB2C1B4D) } }, - { { UINT32_C(0x9C213D95), UINT32_C(0x0254486D), UINT32_C(0xCB2F6E94), - UINT32_C(0x68A9DB56), UINT32_C(0x000F5491), UINT32_C(0xFB5858BA), - UINT32_C(0x34009FB6), UINT32_C(0x1315BDD9), UINT32_C(0xC42BDE30), - UINT32_C(0xB18A8E0A), UINT32_C(0xF1070358), UINT32_C(0xFDCF93D1) }, - { UINT32_C(0x3022937E), UINT32_C(0xBEB1DB75), UINT32_C(0xCAC20DB4), - UINT32_C(0x9B9ECA7A), UINT32_C(0xE4122B20), UINT32_C(0x152214D4), - UINT32_C(0xAABCCC7B), UINT32_C(0xD3E673F2), UINT32_C(0xAED07571), - UINT32_C(0x94C50F64), UINT32_C(0xE66B4F17), UINT32_C(0xD767059A) } }, - { { UINT32_C(0xDCD6D14B), UINT32_C(0x40336B12), UINT32_C(0xE3B4919C), - UINT32_C(0xF6BCFF5D), UINT32_C(0x9C841F0C), UINT32_C(0xC337048D), - UINT32_C(0x1D617F50), UINT32_C(0x4CE6D025), UINT32_C(0x8117D379), - UINT32_C(0x00FEF219), UINT32_C(0xF95BE243), UINT32_C(0x18B7C4E9) }, - { UINT32_C(0x38DF08FF), UINT32_C(0x98DE119E), UINT32_C(0x8D772D20), - UINT32_C(0xDFD803BD), UINT32_C(0x0F9678BD), UINT32_C(0x94125B72), - UINT32_C(0x334ACE30), UINT32_C(0xFC5B57CD), UINT32_C(0xB7E86E04), - UINT32_C(0x09486527), UINT32_C(0x6E552039), UINT32_C(0xFE9F8BCC) } }, - { { UINT32_C(0xD6F5A10E), UINT32_C(0x3B75C45B), UINT32_C(0xC1C35F38), - UINT32_C(0xFD4680F4), UINT32_C(0xF8E0A113), UINT32_C(0x5450227D), - UINT32_C(0x73DDBA24), UINT32_C(0x5E69F1AE), UINT32_C(0x57F24645), - UINT32_C(0x2007B80E), UINT32_C(0x3D159741), UINT32_C(0xC63695DC) }, - { UINT32_C(0x4530F623), UINT32_C(0xCBE54D29), UINT32_C(0x2869586B), - UINT32_C(0x986AD573), UINT32_C(0x4CC39F73), UINT32_C(0xE19F7059), - UINT32_C(0x2B1B8DA9), UINT32_C(0x80F00AB3), UINT32_C(0x73F68D26), - UINT32_C(0xB765AAF9), UINT32_C(0xE993F829), UINT32_C(0xBC79A394) } }, - { { UINT32_C(0xF310D2A0), UINT32_C(0x9C441043), UINT32_C(0xDC5EB106), - UINT32_C(0x2865EE58), UINT32_C(0x9CB8065C), UINT32_C(0x71A95922), - UINT32_C(0xA052AF0F), UINT32_C(0x8EB3A733), UINT32_C(0xB09D716E), - UINT32_C(0x56009F42), UINT32_C(0xABCBE6AD), UINT32_C(0xA7F923C5) }, - { UINT32_C(0xFA375C01), UINT32_C(0x263B7669), UINT32_C(0x21EF27A2), - UINT32_C(0x641C47E5), UINT32_C(0xB08FFD25), UINT32_C(0xA89B474E), - UINT32_C(0xF0A239F3), UINT32_C(0x5BE8EC3F), UINT32_C(0x242A6C5A), - UINT32_C(0x0E79957A), UINT32_C(0x0C6C75F5), UINT32_C(0x1DFB26D0) } }, - { { UINT32_C(0x9DFBF22A), UINT32_C(0x2FD97B9B), UINT32_C(0x5643532D), - UINT32_C(0xDEC16CC8), UINT32_C(0x60FEE7C3), UINT32_C(0xDF0E6E39), - UINT32_C(0x545860C8), UINT32_C(0xD09AD7B6), UINT32_C(0x73FC3B7C), - UINT32_C(0xCC16E984), UINT32_C(0x0D4E1555), UINT32_C(0x6CE734C1) }, - { UINT32_C(0x4B5F6032), UINT32_C(0xC6EFE68B), UINT32_C(0x14F54073), - UINT32_C(0x3A64F34C), UINT32_C(0xAC44DC95), UINT32_C(0x25DA689C), - UINT32_C(0x5358AD8A), UINT32_C(0x990C477E), UINT32_C(0xF36DA7DE), - UINT32_C(0x00E958A5), UINT32_C(0xC9B6F161), UINT32_C(0x902B7360) } }, - { { UINT32_C(0x9347B90A), UINT32_C(0x454AB42C), UINT32_C(0xA698B02B), - UINT32_C(0xCAEBE64A), UINT32_C(0xFB86FA40), UINT32_C(0x119CDC69), - UINT32_C(0xC3109281), UINT32_C(0x2E5CB7AD), UINT32_C(0xCD0C3D00), - UINT32_C(0x67BB1EC5), UINT32_C(0x83F25BBF), UINT32_C(0x5D430BC7) }, - { UINT32_C(0x5CDE0ABB), UINT32_C(0x69FD84A8), UINT32_C(0x9816B688), - UINT32_C(0x69DA263E), UINT32_C(0x0E53CBB8), UINT32_C(0xE52D93DF), - UINT32_C(0xADD2D5A7), UINT32_C(0x42CF6F25), UINT32_C(0xC87CA88F), - UINT32_C(0x227BA59D), UINT32_C(0xDA738554), UINT32_C(0x7A1CA876) } }, - { { UINT32_C(0x1CAC82C4), UINT32_C(0x3FA5C105), UINT32_C(0x8A78C9BE), - UINT32_C(0x23C76087), UINT32_C(0x1C5CFA42), UINT32_C(0xE98CDAD6), - UINT32_C(0x0A6C0421), UINT32_C(0x09C30252), UINT32_C(0x42FC61B9), - UINT32_C(0x149BAC7C), UINT32_C(0x3004A3E2), UINT32_C(0x3A1C22AC) }, - { UINT32_C(0x202C7FED), UINT32_C(0xDE6B0D6E), UINT32_C(0xE7E63052), - UINT32_C(0xB2457377), UINT32_C(0x3706B3EF), UINT32_C(0x31725FD4), - UINT32_C(0x2B1AFDBF), UINT32_C(0xE16A347D), UINT32_C(0x8C29CF66), - UINT32_C(0xBE4850C4), UINT32_C(0x2939F23C), UINT32_C(0x8F51CC4D) } }, - { { UINT32_C(0x219AE6C1), UINT32_C(0x169E025B), UINT32_C(0x116E1CA1), - UINT32_C(0x55FF526F), UINT32_C(0xB191F55D), UINT32_C(0x01B810A3), - UINT32_C(0x29588A69), UINT32_C(0x2D981272), UINT32_C(0x48B92199), - UINT32_C(0x53C93770), UINT32_C(0x8A85236F), UINT32_C(0x8C7DD84E) }, - { UINT32_C(0xCAACF958), UINT32_C(0x293D48B6), UINT32_C(0x43572B30), - UINT32_C(0x1F084ACB), UINT32_C(0xFAD91F28), UINT32_C(0x628BFA2D), - UINT32_C(0x829386AF), UINT32_C(0x8D627B11), UINT32_C(0xD44A77BE), - UINT32_C(0x3EC1DD00), UINT32_C(0x649AC7F0), UINT32_C(0x8D3B0D08) } }, - { { UINT32_C(0x177513BF), UINT32_C(0x00A93DAA), UINT32_C(0x42AD79E1), - UINT32_C(0x2EF0B96F), UINT32_C(0xA07129D9), UINT32_C(0x81F5AAF1), - UINT32_C(0x923F2449), UINT32_C(0xFC04B7EF), UINT32_C(0x60CDB1B7), - UINT32_C(0x855DA795), UINT32_C(0xAD5D61D4), UINT32_C(0xB1EB5DAB) }, - { UINT32_C(0x353FD028), UINT32_C(0xD2CEF1AE), UINT32_C(0x9EE94847), - UINT32_C(0xC21D5439), UINT32_C(0x0380C1A8), UINT32_C(0x9ED552BB), - UINT32_C(0x2BAC328F), UINT32_C(0xB156FE7A), UINT32_C(0x7213C6A4), - UINT32_C(0xBB7E0196), UINT32_C(0x1701ED5B), UINT32_C(0x36002A33) } }, - { { UINT32_C(0xDDC9EF4D), UINT32_C(0x20B1632A), UINT32_C(0x272D082B), - UINT32_C(0x2A35FF4C), UINT32_C(0xF6CC9BD3), UINT32_C(0x30D39923), - UINT32_C(0xE65C9D08), UINT32_C(0x6D879BC2), UINT32_C(0x6FA9983C), - UINT32_C(0xCE8274E1), UINT32_C(0x0EB7424F), UINT32_C(0x652371E8) }, - { UINT32_C(0xC5C35282), UINT32_C(0x32B77503), UINT32_C(0xC885A931), - UINT32_C(0xD7306333), UINT32_C(0x72955AA8), UINT32_C(0x8A16D719), - UINT32_C(0x7D51F882), UINT32_C(0x5548F163), UINT32_C(0xBABA59EF), - UINT32_C(0xB311DC66), UINT32_C(0x0DB8F627), UINT32_C(0x773D5448) } }, - { { UINT32_C(0x7A62EB3B), UINT32_C(0x59B1B134), UINT32_C(0xCCEEFB34), - UINT32_C(0x0F8CE157), UINT32_C(0xA798CB2B), UINT32_C(0x3FE842A8), - UINT32_C(0x0BF4161D), UINT32_C(0xD01BC626), UINT32_C(0x4D016FDB), - UINT32_C(0x55EF6E55), UINT32_C(0xB242B201), UINT32_C(0xCB561503) }, - { UINT32_C(0xAF4199C1), UINT32_C(0x076EBC73), UINT32_C(0x697244F7), - UINT32_C(0x39DEDCBB), UINT32_C(0x040162BC), UINT32_C(0x9D184733), - UINT32_C(0x7F6B5FA6), UINT32_C(0x902992C1), UINT32_C(0xBB4952B5), - UINT32_C(0xAD1DE754), UINT32_C(0xA121F6C8), UINT32_C(0x7ACF1B93) } }, - { { UINT32_C(0x325C9B9A), UINT32_C(0x7A56867C), UINT32_C(0xF3DC3D6A), - UINT32_C(0x1A143999), UINT32_C(0x03F5BCB8), UINT32_C(0xCE109590), - UINT32_C(0xD6EEE5B7), UINT32_C(0x034E9035), UINT32_C(0x495DF1BC), - UINT32_C(0x2AFA81C8), UINT32_C(0x08924D02), UINT32_C(0x5EAB52DC) }, - { UINT32_C(0xAA181904), UINT32_C(0xEE6AA014), UINT32_C(0x310AD621), - UINT32_C(0xE62DEF09), UINT32_C(0xC7538A03), UINT32_C(0x6C9792FC), - UINT32_C(0x3E41D789), UINT32_C(0xA89D3E88), UINT32_C(0x9F94AE83), - UINT32_C(0xD60FA11C), UINT32_C(0xE0D6234A), UINT32_C(0x5E16A8C2) } }, - { { UINT32_C(0xA9242F3B), UINT32_C(0x87EC053D), UINT32_C(0xF0E03545), - UINT32_C(0x99544637), UINT32_C(0x6B7019E9), UINT32_C(0xEA0633FF), - UINT32_C(0x68DDDB5B), UINT32_C(0x8CB8AE07), UINT32_C(0x1A811AC7), - UINT32_C(0x892E7C84), UINT32_C(0x73664249), UINT32_C(0xC7EF19EB) }, - { UINT32_C(0xCD1489E3), UINT32_C(0xD1B5819A), UINT32_C(0xDE45D24A), - UINT32_C(0xF9C80FB0), UINT32_C(0x83BB7491), UINT32_C(0x045C21A6), - UINT32_C(0x73F7A47D), UINT32_C(0xA65325BE), UINT32_C(0x9C394F0C), - UINT32_C(0x08D09F0E), UINT32_C(0x268D4F08), UINT32_C(0xE7FB21C6) } }, - { { UINT32_C(0x6CA95C18), UINT32_C(0xC4CCAB95), UINT32_C(0xBC42E040), - UINT32_C(0x563FFD56), UINT32_C(0xE701C604), UINT32_C(0xFA3C64D8), - UINT32_C(0xB0ABAFEE), UINT32_C(0xC88D4426), UINT32_C(0x8542E4C3), - UINT32_C(0x1A353E5E), UINT32_C(0xED726186), UINT32_C(0x9A2D8B7C) }, - { UINT32_C(0x42D097FA), UINT32_C(0xD61CE190), UINT32_C(0x799A748B), - UINT32_C(0x6A63E280), UINT32_C(0x3225486B), UINT32_C(0x0F48D063), - UINT32_C(0x42A3C443), UINT32_C(0x848F8FE1), UINT32_C(0x8493CEF4), - UINT32_C(0x2CCDE250), UINT32_C(0x45E77E7C), UINT32_C(0x5450A508) } }, - { { UINT32_C(0x03112816), UINT32_C(0xD0F4E248), UINT32_C(0xCCBE9E16), - UINT32_C(0xFCAD9DDB), UINT32_C(0x5AE01EA0), UINT32_C(0x177999BF), - UINT32_C(0xCE832DCE), UINT32_C(0xD20C78B9), UINT32_C(0x50C8C646), - UINT32_C(0x3CC694FB), UINT32_C(0xC93D4887), UINT32_C(0x24D75968) }, - { UINT32_C(0x87BC08AF), UINT32_C(0x9F06366A), UINT32_C(0x7FD0DF2A), - UINT32_C(0x59FAB50E), UINT32_C(0x6C4CC234), UINT32_C(0x5FFCC7F7), - UINT32_C(0x65F52D86), UINT32_C(0x87198DD7), UINT32_C(0xA855DF04), - UINT32_C(0x5B9C94B0), UINT32_C(0x8A067AD7), UINT32_C(0xD8BA6C73) } }, - }, - { - { { UINT32_C(0x1C4C9D90), UINT32_C(0x9E9AF315), UINT32_C(0xD12E0A89), - UINT32_C(0x8665C5A9), UINT32_C(0x58286493), UINT32_C(0x204ABD92), - UINT32_C(0xB2E09205), UINT32_C(0x79959889), UINT32_C(0xFE56B101), - UINT32_C(0x0C727A3D), UINT32_C(0x8B657F26), UINT32_C(0xF366244C) }, - { UINT32_C(0xCCA65BE2), UINT32_C(0xDE35D954), UINT32_C(0xB0FD41CE), - UINT32_C(0x52EE1230), UINT32_C(0x36019FEE), UINT32_C(0xFA03261F), - UINT32_C(0x66511D8F), UINT32_C(0xAFDA42D9), UINT32_C(0x821148B9), - UINT32_C(0xF63211DD), UINT32_C(0x6F13A3E1), UINT32_C(0x7B56AF7E) } }, - { { UINT32_C(0x5913E184), UINT32_C(0x47FE4799), UINT32_C(0x82145900), - UINT32_C(0x5BBE584C), UINT32_C(0x9A867173), UINT32_C(0xB76CFA8B), - UINT32_C(0x514BF471), UINT32_C(0x9BC87BF0), UINT32_C(0x71DCF1FC), - UINT32_C(0x37392DCE), UINT32_C(0x3AD1EFA8), UINT32_C(0xEC3EFAE0) }, - { UINT32_C(0x14876451), UINT32_C(0xBBEA5A34), UINT32_C(0x6217090F), - UINT32_C(0x96E5F543), UINT32_C(0x9B1665A9), UINT32_C(0x5B3D4ECD), - UINT32_C(0xE329DF22), UINT32_C(0xE7B0DF26), UINT32_C(0x0BAA808D), - UINT32_C(0x18FB438E), UINT32_C(0xDD516FAF), UINT32_C(0x90757EBF) } }, - { { UINT32_C(0xD5A98D68), UINT32_C(0x1E6F9A95), UINT32_C(0x849DA828), - UINT32_C(0x759EA7DF), UINT32_C(0x6E8B4198), UINT32_C(0x365D5625), - UINT32_C(0x7A4A53F9), UINT32_C(0xE1B9C53B), UINT32_C(0xE32B9B16), - UINT32_C(0x55DC1D50), UINT32_C(0xBB6D5701), UINT32_C(0xA4657EBB) }, - { UINT32_C(0xEACC76E2), UINT32_C(0x4C270249), UINT32_C(0x162B1CC7), - UINT32_C(0xBE49EC75), UINT32_C(0x0689902B), UINT32_C(0x19A95B61), - UINT32_C(0xA4CFC5A8), UINT32_C(0xDD5706BF), UINT32_C(0x14E5B424), - UINT32_C(0xD33BDB73), UINT32_C(0xE69EBA87), UINT32_C(0x21311BD1) } }, - { { UINT32_C(0x72A21ACC), UINT32_C(0x75BA2F9B), UINT32_C(0xA28EDB4C), - UINT32_C(0x356688D4), UINT32_C(0x610D080F), UINT32_C(0x3C339E0B), - UINT32_C(0x33A99C2F), UINT32_C(0x614AC293), UINT32_C(0xAA580AFF), - UINT32_C(0xA5E23AF2), UINT32_C(0xE1FDBA3A), UINT32_C(0xA6BCB860) }, - { UINT32_C(0xB43F9425), UINT32_C(0xAA603365), UINT32_C(0xF7EE4635), - UINT32_C(0xAE8D7126), UINT32_C(0x56330A32), UINT32_C(0xA2B25244), - UINT32_C(0x9E025AA3), UINT32_C(0xC396B5BB), UINT32_C(0xF8A0D5CF), - UINT32_C(0xABBF77FA), UINT32_C(0xEA31C83B), UINT32_C(0xB322EE30) } }, - { { UINT32_C(0x7890E234), UINT32_C(0x04881384), UINT32_C(0x672E70C6), - UINT32_C(0x387F1159), UINT32_C(0x7B307F75), UINT32_C(0x1468A614), - UINT32_C(0xED85EC96), UINT32_C(0x56335B52), UINT32_C(0xD45BCAE9), - UINT32_C(0xDA1BB60F), UINT32_C(0xF9FAEADD), UINT32_C(0x4D94F3F0) }, - { UINT32_C(0xFC78D86B), UINT32_C(0x6C6A7183), UINT32_C(0x3018DEC6), - UINT32_C(0xA425B5C7), UINT32_C(0x2D877399), UINT32_C(0xB1549C33), - UINT32_C(0x92B2BC37), UINT32_C(0x6C41C50C), UINT32_C(0x83EE0DDB), - UINT32_C(0x3A9F380C), UINT32_C(0xC4599E73), UINT32_C(0xDED5FEB6) } }, - { { UINT32_C(0x0B7F8354), UINT32_C(0x14D34C21), UINT32_C(0x9177CE45), - UINT32_C(0x1475A1CD), UINT32_C(0x9B926E4B), UINT32_C(0x9F5F764A), - UINT32_C(0x05DD21FE), UINT32_C(0x77260D1E), UINT32_C(0xC4B937F7), - UINT32_C(0x3C882480), UINT32_C(0x722372F2), UINT32_C(0xC92DCD39) }, - { UINT32_C(0xEC6F657E), UINT32_C(0xF636A1BE), UINT32_C(0x1D30DD35), - UINT32_C(0xB0E6C312), UINT32_C(0xE4654EFE), UINT32_C(0xFE4B0528), - UINT32_C(0x21D230D2), UINT32_C(0x1C4A6820), UINT32_C(0x98FA45AB), - UINT32_C(0x615D2E48), UINT32_C(0x01FDBABF), UINT32_C(0x1F35D6D8) } }, - { { UINT32_C(0x3A7B10D1), UINT32_C(0xA636EEB8), UINT32_C(0xF4A29E73), - UINT32_C(0x4E1AE352), UINT32_C(0xE6BB1EC7), UINT32_C(0x01704F5F), - UINT32_C(0x0EF020AE), UINT32_C(0x75C04F72), UINT32_C(0x5A31E6A6), - UINT32_C(0x448D8CEE), UINT32_C(0x208F994B), UINT32_C(0xE40A9C29) }, - { UINT32_C(0xFD8F9D5D), UINT32_C(0x69E09A30), UINT32_C(0x449BAB7E), - UINT32_C(0xE6A5F7EB), UINT32_C(0x2AA1768B), UINT32_C(0xF25BC18A), - UINT32_C(0x3C841234), UINT32_C(0x9449E404), UINT32_C(0x016A7BEF), - UINT32_C(0x7A3BF43E), UINT32_C(0x2A150B60), UINT32_C(0xF25803E8) } }, - { { UINT32_C(0xB215F9E0), UINT32_C(0xE44A2A57), UINT32_C(0x19066F0A), - UINT32_C(0x38B34DCE), UINT32_C(0x40BB1BFB), UINT32_C(0x8BB91DAD), - UINT32_C(0xE67735FC), UINT32_C(0x64C9F775), UINT32_C(0x88D613CD), - UINT32_C(0xDE142417), UINT32_C(0x1901D88D), UINT32_C(0xC5014FF5) }, - { UINT32_C(0xF38116B0), UINT32_C(0xA250341D), UINT32_C(0x9D6CBCB2), - UINT32_C(0xF96B9DD4), UINT32_C(0x76B3FAC2), UINT32_C(0x15EC6C72), - UINT32_C(0x8124C1E9), UINT32_C(0x88F1952F), UINT32_C(0x975BE4F5), - UINT32_C(0x6B72F8EA), UINT32_C(0x061F7530), UINT32_C(0x23D288FF) } }, - { { UINT32_C(0xAFB96CE3), UINT32_C(0xEBFE3E5F), UINT32_C(0xB1979537), - UINT32_C(0x2275EDFB), UINT32_C(0xC97BA741), UINT32_C(0xC37AB9E8), - UINT32_C(0x63D7C626), UINT32_C(0x446E4B10), UINT32_C(0xD025EB02), - UINT32_C(0xB73E2DCE), UINT32_C(0x7669EEA7), UINT32_C(0x1F952B51) }, - { UINT32_C(0x6069A424), UINT32_C(0xABDD00F6), UINT32_C(0xDC298BFB), - UINT32_C(0x1C0F9D9B), UINT32_C(0xEB757B33), UINT32_C(0x831B1FD3), - UINT32_C(0x59D60B32), UINT32_C(0xD7DBE183), UINT32_C(0x9EF094B3), - UINT32_C(0x663D1F36), UINT32_C(0x67F7F11A), UINT32_C(0x1BD5732E) } }, - { { UINT32_C(0xC75D8892), UINT32_C(0x3C7FB3F5), UINT32_C(0xBA68DA69), - UINT32_C(0x2CFF9A0C), UINT32_C(0x60EC740B), UINT32_C(0x76455E8B), - UINT32_C(0x167B88F0), UINT32_C(0x4B8D67FF), UINT32_C(0x5A4186B1), - UINT32_C(0xEDEC0C02), UINT32_C(0xBEBF35AB), UINT32_C(0x127C462D) }, - { UINT32_C(0x049430FC), UINT32_C(0x9159C67E), UINT32_C(0xE7747320), - UINT32_C(0x86B21DD2), UINT32_C(0x0CF27B89), UINT32_C(0x0E0E0152), - UINT32_C(0xCD1316B6), UINT32_C(0x705F28F5), UINT32_C(0xBEAEA8A8), - UINT32_C(0x76751691), UINT32_C(0x360C5B69), UINT32_C(0x4C73E282) } }, - { { UINT32_C(0xFD7B3D74), UINT32_C(0x46BCC0D5), UINT32_C(0x0DC4F410), - UINT32_C(0x6F13C20E), UINT32_C(0x72F11CDF), UINT32_C(0x98A1AF7D), - UINT32_C(0x7928881C), UINT32_C(0x6099FD83), UINT32_C(0x371BB94B), - UINT32_C(0x66976356), UINT32_C(0x19B945AB), UINT32_C(0x673FBA72) }, - { UINT32_C(0xAED00700), UINT32_C(0xE4D8FA6E), UINT32_C(0x5C71A9F7), - UINT32_C(0xEA2313EC), UINT32_C(0xF99D4AEA), UINT32_C(0xF9ED8268), - UINT32_C(0x42AB59C7), UINT32_C(0xADD89164), UINT32_C(0x3F3A2D45), - UINT32_C(0xB37EB26F), UINT32_C(0xA924841E), UINT32_C(0x0B39BD7A) } }, - { { UINT32_C(0xE03CDBBB), UINT32_C(0xD811EB32), UINT32_C(0x7CC3610E), - UINT32_C(0x12055F1D), UINT32_C(0xA9046E3F), UINT32_C(0x6B23A1A0), - UINT32_C(0x9DD4A749), UINT32_C(0x4D712122), UINT32_C(0xB1BF0AC3), - UINT32_C(0xB0C2ACA1), UINT32_C(0xC1B0432F), UINT32_C(0x71EFF575) }, - { UINT32_C(0x2B44E285), UINT32_C(0x6CD81492), UINT32_C(0xD87E8D20), - UINT32_C(0x3088BD9C), UINT32_C(0xF567E8FA), UINT32_C(0xACE218E5), - UINT32_C(0xCF90CBBB), UINT32_C(0xB3FA0424), UINT32_C(0x770734D3), - UINT32_C(0xADBDA751), UINT32_C(0x5AD6569A), UINT32_C(0xBCD78BAD) } }, - { { UINT32_C(0x7F39641F), UINT32_C(0xCADB31FA), UINT32_C(0x825E5562), - UINT32_C(0x3EF3E295), UINT32_C(0xF4094C64), UINT32_C(0x4893C633), - UINT32_C(0x8ADDF432), UINT32_C(0x52F685F1), UINT32_C(0x7FDC9373), - UINT32_C(0x9FD887AB), UINT32_C(0xE8680E8B), UINT32_C(0x47A9ADA0) }, - { UINT32_C(0xF0CD44F6), UINT32_C(0x579313B7), UINT32_C(0xE188AE2E), - UINT32_C(0xAC4B8668), UINT32_C(0x8FB145BD), UINT32_C(0x648F4369), - UINT32_C(0x74629E31), UINT32_C(0xE0460AB3), UINT32_C(0x8FF2B05F), - UINT32_C(0xC25F2875), UINT32_C(0x2D31EAEA), UINT32_C(0x4720C2B6) } }, - { { UINT32_C(0x13D48F80), UINT32_C(0x4603CDF4), UINT32_C(0xA49725DA), - UINT32_C(0x9ADB50E2), UINT32_C(0x65DF63F0), UINT32_C(0x8CD33050), - UINT32_C(0xCD643003), UINT32_C(0x58D8B3BB), UINT32_C(0xB739826B), - UINT32_C(0x170A4F4A), UINT32_C(0x1EAD0E17), UINT32_C(0x857772B5) }, - { UINT32_C(0xE65320F1), UINT32_C(0x01B78152), UINT32_C(0xB7503FC0), - UINT32_C(0xA6B4D845), UINT32_C(0x3DD50798), UINT32_C(0x0F5089B9), - UINT32_C(0x5690B6BE), UINT32_C(0x488F200F), UINT32_C(0x9E096F36), - UINT32_C(0x220B4ADF), UINT32_C(0x8CE5BC7C), UINT32_C(0x474D7C9F) } }, - { { UINT32_C(0xC745F8C9), UINT32_C(0xFED8C058), UINT32_C(0x291262D1), - UINT32_C(0xB683179E), UINT32_C(0xD15EE88C), UINT32_C(0x26ABD367), - UINT32_C(0xF60A6249), UINT32_C(0x29E8EED3), UINT32_C(0x1E02D6E1), - UINT32_C(0xED6008BB), UINT32_C(0xA6B12B8D), UINT32_C(0xD82ECF4C) }, - { UINT32_C(0xAAE4FA22), UINT32_C(0x9929D021), UINT32_C(0x336A1AB3), - UINT32_C(0xBE4DEF14), UINT32_C(0x8C80A312), UINT32_C(0x529B7E09), - UINT32_C(0xEE0EB0CE), UINT32_C(0xB059188D), UINT32_C(0x16DEAB7F), - UINT32_C(0x1E42979A), UINT32_C(0x84EE9477), UINT32_C(0x24110349) } }, - { { UINT32_C(0x2BE579CC), UINT32_C(0xD6524685), UINT32_C(0xC456FDED), - UINT32_C(0x849316F1), UINT32_C(0x2D1B67DA), UINT32_C(0xC51B7DA4), - UINT32_C(0x41BC6D6A), UINT32_C(0xC25B539E), UINT32_C(0xA9BF8BED), - UINT32_C(0xE3B7CCA3), UINT32_C(0x045C15E4), UINT32_C(0x813EF18C) }, - { UINT32_C(0x697982C4), UINT32_C(0x5F3789A1), UINT32_C(0x8C435566), - UINT32_C(0x4C125369), UINT32_C(0xDC0A92C6), UINT32_C(0x00A7AE6E), - UINT32_C(0x2F64A053), UINT32_C(0x1ABC929B), UINT32_C(0x38666B44), - UINT32_C(0xF4925C4C), UINT32_C(0x0F3DE7F6), UINT32_C(0xA81044B0) } }, - }, - { - { { UINT32_C(0xC2EC3731), UINT32_C(0xBCC88422), UINT32_C(0x10DC4EC2), - UINT32_C(0x78A3E4D4), UINT32_C(0x2571D6B1), UINT32_C(0x745DA1EF), - UINT32_C(0x739A956E), UINT32_C(0xF01C2921), UINT32_C(0xE4BFFC16), - UINT32_C(0xEFFD8065), UINT32_C(0xF36FE72C), UINT32_C(0x6EFE62A1) }, - { UINT32_C(0x0F4629A4), UINT32_C(0xF49E90D2), UINT32_C(0x8CE646F4), - UINT32_C(0xADD1DCC7), UINT32_C(0xB7240D91), UINT32_C(0xCB78B583), - UINT32_C(0x03F8387F), UINT32_C(0x2E1A7C3C), UINT32_C(0x3200F2D9), - UINT32_C(0x16566C22), UINT32_C(0xAAF80A84), UINT32_C(0x2361B14B) } }, - { { UINT32_C(0xB5733309), UINT32_C(0xDB1CFFD2), UINT32_C(0x0F9DD939), - UINT32_C(0x24BC250B), UINT32_C(0xA3C1DB85), UINT32_C(0xA4181E5A), - UINT32_C(0xAC55D391), UINT32_C(0xE5183E51), UINT32_C(0xEFD270D0), - UINT32_C(0x2793D5EF), UINT32_C(0xC0631546), UINT32_C(0x7D56F63D) }, - { UINT32_C(0x0C1EE59D), UINT32_C(0xECB40A59), UINT32_C(0xBB5BFA2C), - UINT32_C(0xE613A9E4), UINT32_C(0x6C5830F9), UINT32_C(0xA89B14AB), - UINT32_C(0xA03F201E), UINT32_C(0x4DC477DC), UINT32_C(0xC88C54F6), - UINT32_C(0x5604F5DA), UINT32_C(0x2ACFC66E), UINT32_C(0xD49264DC) } }, - { { UINT32_C(0x1C4DFA95), UINT32_C(0x283DD7F0), UINT32_C(0x62C0B160), - UINT32_C(0xB898CC2C), UINT32_C(0x870282AA), UINT32_C(0xBA08C095), - UINT32_C(0xF4E36324), UINT32_C(0xB02B00D8), UINT32_C(0x604CECF2), - UINT32_C(0x53AADDC0), UINT32_C(0x84DDD24E), UINT32_C(0xF1F927D3) }, - { UINT32_C(0xE2ABC9E1), UINT32_C(0x34BC00A0), UINT32_C(0x60289F88), - UINT32_C(0x2DA1227D), UINT32_C(0xCEF68F74), UINT32_C(0x5228EAAA), - UINT32_C(0x3C029351), UINT32_C(0x40A790D2), UINT32_C(0x8442E3B7), - UINT32_C(0xE0E9AF5C), UINT32_C(0xA9F141E0), UINT32_C(0xA3214142) } }, - { { UINT32_C(0xF9A58E3D), UINT32_C(0x72F4949E), UINT32_C(0xA48660A6), - UINT32_C(0x738C700B), UINT32_C(0x092A5805), UINT32_C(0x71B04726), - UINT32_C(0x0F5CDB72), UINT32_C(0xAD5C3C11), UINT32_C(0x554BFC49), - UINT32_C(0xD4951F9E), UINT32_C(0x6131EBE7), UINT32_C(0xEE594EE5) }, - { UINT32_C(0x3C1AF0A9), UINT32_C(0x37DA59F3), UINT32_C(0xCB040A63), - UINT32_C(0xD7AFC73B), UINT32_C(0x4D89FA65), UINT32_C(0xD020962A), - UINT32_C(0x71D824F5), UINT32_C(0x2610C61E), UINT32_C(0x3C050E31), - UINT32_C(0x9C917DA7), UINT32_C(0xE6E7EBFB), UINT32_C(0x3840F92F) } }, - { { UINT32_C(0x8D8B8CED), UINT32_C(0x50FBD7FE), UINT32_C(0x47D240AE), - UINT32_C(0xC7282F75), UINT32_C(0x1930FF73), UINT32_C(0x79646A47), - UINT32_C(0x2F7F5A77), UINT32_C(0x2E0BAC4E), UINT32_C(0x26127E0B), - UINT32_C(0x0EE44FA5), UINT32_C(0x82BC2AA7), UINT32_C(0x678881B7) }, - { UINT32_C(0x67F5F497), UINT32_C(0xB9E5D384), UINT32_C(0xA9B7106B), - UINT32_C(0x8F94A7D4), UINT32_C(0x9D329F68), UINT32_C(0xBF7E0B07), - UINT32_C(0x45D192FB), UINT32_C(0x169B93EA), UINT32_C(0x20DBE8C0), - UINT32_C(0xCCAA9467), UINT32_C(0x938F9574), UINT32_C(0xD4513A50) } }, - { { UINT32_C(0x054CB874), UINT32_C(0x841C96B4), UINT32_C(0xA3C26834), - UINT32_C(0xD75B1AF1), UINT32_C(0xEE6575F0), UINT32_C(0x7237169D), - UINT32_C(0x0322AADC), UINT32_C(0xD71FC7E5), UINT32_C(0x949E3A8E), - UINT32_C(0xD7A23F1E), UINT32_C(0xDD31D8C7), UINT32_C(0x77E2D102) }, - { UINT32_C(0xD10F5A1F), UINT32_C(0x5AD69D09), UINT32_C(0xB99D9A0B), - UINT32_C(0x526C9CB4), UINT32_C(0x972B237D), UINT32_C(0x521BB10B), - UINT32_C(0xA326F342), UINT32_C(0x1E4CD42F), UINT32_C(0xF0F126CA), - UINT32_C(0x5BB6DB27), UINT32_C(0xA4A515AD), UINT32_C(0x587AF22C) } }, - { { UINT32_C(0xB12E542F), UINT32_C(0x1123A531), UINT32_C(0xB9EB2811), - UINT32_C(0x1D01A64D), UINT32_C(0xF2D70F87), UINT32_C(0xA4A3515B), - UINT32_C(0xB4BD0270), UINT32_C(0xFA205234), UINT32_C(0x5EDA26B9), - UINT32_C(0x74B81830), UINT32_C(0x56578E75), UINT32_C(0x9305D6E6) }, - { UINT32_C(0x9F11BE19), UINT32_C(0xF38E69DE), UINT32_C(0x44DBE89F), - UINT32_C(0x1E2A5C23), UINT32_C(0xFD286654), UINT32_C(0x1077E7BC), - UINT32_C(0x0FCA4741), UINT32_C(0xD3669894), UINT32_C(0x278F8497), - UINT32_C(0x893BF904), UINT32_C(0xEB3E14F4), UINT32_C(0xD6AC5F83) } }, - { { UINT32_C(0x488F5F74), UINT32_C(0x327B9DAB), UINT32_C(0xCAB7364F), - UINT32_C(0x2B44F4B8), UINT32_C(0x19B6C6BD), UINT32_C(0xB4A6D22D), - UINT32_C(0xFC77CD3E), UINT32_C(0xA087E613), UINT32_C(0xB0B49BC7), - UINT32_C(0x4558E327), UINT32_C(0xCD835D35), UINT32_C(0x188805BE) }, - { UINT32_C(0xC1DC1007), UINT32_C(0x592F293C), UINT32_C(0x6AF02B44), - UINT32_C(0xFAEE660F), UINT32_C(0x904035F2), UINT32_C(0x5BFBB3BF), - UINT32_C(0x79C07E70), UINT32_C(0xD7C9AE60), UINT32_C(0x234896C2), - UINT32_C(0xC5287DD4), UINT32_C(0xCB0E4121), UINT32_C(0xC4CE4523) } }, - { { UINT32_C(0x58344831), UINT32_C(0x3626B406), UINT32_C(0x8E55C984), - UINT32_C(0xABCCE356), UINT32_C(0x77241602), UINT32_C(0x495CC81C), - UINT32_C(0x6D70DF8F), UINT32_C(0x4FB79676), UINT32_C(0x5B071DCA), - UINT32_C(0x6354B37C), UINT32_C(0x8C0FC0AD), UINT32_C(0x2CAD80A4) }, - { UINT32_C(0xF68739B4), UINT32_C(0x18AADD51), UINT32_C(0x47F09C6C), - UINT32_C(0x1BFBB177), UINT32_C(0xA8FD51C4), UINT32_C(0x9355EA19), - UINT32_C(0xEE58DB7B), UINT32_C(0x3D512A84), UINT32_C(0xE9237640), - UINT32_C(0x70842AFD), UINT32_C(0xACAF858D), UINT32_C(0x36F515CA) } }, - { { UINT32_C(0x7E768B23), UINT32_C(0x3DDEC7C4), UINT32_C(0x036D43ED), - UINT32_C(0x97E13C53), UINT32_C(0x3A39AB5F), UINT32_C(0x871E5925), - UINT32_C(0x07E68E2B), UINT32_C(0x9AF292DE), UINT32_C(0x4A40112E), - UINT32_C(0x41158349), UINT32_C(0x3D4D97E6), UINT32_C(0xCDBB46AF) }, - { UINT32_C(0x3C0EBE40), UINT32_C(0x2F891293), UINT32_C(0x3EBAD1E5), - UINT32_C(0x696C7EEE), UINT32_C(0x33B50D99), UINT32_C(0x8A5F3B69), - UINT32_C(0x7ED47DDE), UINT32_C(0xB7BC4840), UINT32_C(0x1E6706D8), - UINT32_C(0x3A6F8E6C), UINT32_C(0x3D84BB8F), UINT32_C(0x6A147943) } }, - { { UINT32_C(0x603AE8D1), UINT32_C(0xEC3A9C78), UINT32_C(0x228C29E5), - UINT32_C(0xBFE07E37), UINT32_C(0x396DBC2B), UINT32_C(0xB0385C5B), - UINT32_C(0xDF85F41F), UINT32_C(0x7C14FE83), UINT32_C(0xADFD463E), - UINT32_C(0xE2E64676), UINT32_C(0x8BF9F23D), UINT32_C(0x5BEF10AA) }, - { UINT32_C(0xF6BAB6DA), UINT32_C(0xFA83EA0D), UINT32_C(0x966BF7E3), - UINT32_C(0xCD0C8BA5), UINT32_C(0x98501C2E), UINT32_C(0xD62216B4), - UINT32_C(0xC3E69F2D), UINT32_C(0xB7F298A4), UINT32_C(0x9C8740F4), - UINT32_C(0x42CEF13B), UINT32_C(0x0DD64307), UINT32_C(0xBB317E52) } }, - { { UINT32_C(0x3FFEE775), UINT32_C(0x22B6245C), UINT32_C(0xB37CE7AA), - UINT32_C(0x5C3F60BE), UINT32_C(0xE1FEC0DF), UINT32_C(0xDE195D40), - UINT32_C(0xA0A82074), UINT32_C(0x3BFAFBC5), UINT32_C(0xC72CA86A), - UINT32_C(0xC36EC86A), UINT32_C(0x13FD43EA), UINT32_C(0x56062851) }, - { UINT32_C(0x8E0B03A4), UINT32_C(0x8686BE80), UINT32_C(0xD540D440), - UINT32_C(0xC3BD1F93), UINT32_C(0xBF96CEC5), UINT32_C(0x13E4EBC0), - UINT32_C(0x9190C844), UINT32_C(0xE8E23984), UINT32_C(0x00844802), - UINT32_C(0x183593A6), UINT32_C(0x4D206878), UINT32_C(0x46716879) } }, - { { UINT32_C(0xB6F63D19), UINT32_C(0x358F394D), UINT32_C(0x6B052194), - UINT32_C(0xA75D4849), UINT32_C(0x5C8D7975), UINT32_C(0x58403590), - UINT32_C(0x6CBFBD77), UINT32_C(0x86DC9B6B), UINT32_C(0x647A51E5), - UINT32_C(0x2DB04D77), UINT32_C(0xF8950D88), UINT32_C(0x5E9A5B02) }, - { UINT32_C(0x017168B0), UINT32_C(0xCE69A7E5), UINT32_C(0xC4843AD3), - UINT32_C(0x94630FAC), UINT32_C(0x1EFC44FF), UINT32_C(0xB3B9D736), - UINT32_C(0xB14D7F93), UINT32_C(0xE729E9B6), UINT32_C(0xE0ED0ABC), - UINT32_C(0xA071FC60), UINT32_C(0x8C8D9B83), UINT32_C(0xFC1A9971) } }, - { { UINT32_C(0xD138E975), UINT32_C(0x49686031), UINT32_C(0x5A8EF0D1), - UINT32_C(0x64864038), UINT32_C(0xE7F7DE49), UINT32_C(0x32679713), - UINT32_C(0x29D1CD1D), UINT32_C(0x59132349), UINT32_C(0x20BE9ED2), - UINT32_C(0x849AA23A), UINT32_C(0x284B3F33), UINT32_C(0x15D303E1) }, - { UINT32_C(0xB63F9FE9), UINT32_C(0x37309475), UINT32_C(0x45B7256A), - UINT32_C(0x327BAC8B), UINT32_C(0xD17FC5D3), UINT32_C(0x291CD227), - UINT32_C(0xA973EDF1), UINT32_C(0x8291D8CD), UINT32_C(0x437ABA09), - UINT32_C(0xF3843562), UINT32_C(0x271D0785), UINT32_C(0x33FFB704) } }, - { { UINT32_C(0x47E11E5E), UINT32_C(0x5248D6E4), UINT32_C(0x269C7ED3), - UINT32_C(0x0F66FC3C), UINT32_C(0x903E346E), UINT32_C(0x18C0D2B9), - UINT32_C(0x4BEAE1B8), UINT32_C(0xD81D9D97), UINT32_C(0xFC30FDF3), - UINT32_C(0x610326B0), UINT32_C(0x19A7DFCD), UINT32_C(0x2B136870) }, - { UINT32_C(0xB9527676), UINT32_C(0xEC75F70A), UINT32_C(0x29A3D897), - UINT32_C(0x90829F51), UINT32_C(0x97980302), UINT32_C(0x92FE1809), - UINT32_C(0x68474991), UINT32_C(0xA3F2498E), UINT32_C(0x0F22BBAD), - UINT32_C(0x6A66307B), UINT32_C(0x20378557), UINT32_C(0x32014B91) } }, - { { UINT32_C(0x3CD98610), UINT32_C(0x72CD7D55), UINT32_C(0x74504ADF), - UINT32_C(0xC3D560B0), UINT32_C(0xCEBB5D5D), UINT32_C(0x23F0A982), - UINT32_C(0xB839DDB8), UINT32_C(0x1431C15B), UINT32_C(0xCEB72207), - UINT32_C(0x7E207CD8), UINT32_C(0xE7EFB28D), UINT32_C(0x28E0A848) }, - { UINT32_C(0x1BD96F6E), UINT32_C(0xD22561FE), UINT32_C(0x62A8236B), - UINT32_C(0x04812C18), UINT32_C(0x975491FA), UINT32_C(0xA0BF2334), - UINT32_C(0x435DF87F), UINT32_C(0x294F42A6), UINT32_C(0xA5D6F4F6), - UINT32_C(0x2772B783), UINT32_C(0x2724F853), UINT32_C(0x348F92ED) } }, - }, - { - { { UINT32_C(0x1A42E5E7), UINT32_C(0xC20FB911), UINT32_C(0x81D12863), - UINT32_C(0x075A678B), UINT32_C(0x5CC0AA89), UINT32_C(0x12BCBC6A), - UINT32_C(0x4FB9F01E), UINT32_C(0x5279C6AB), UINT32_C(0x11AE1B89), - UINT32_C(0xBC8E1789), UINT32_C(0xC290003C), UINT32_C(0xAE74A706) }, - { UINT32_C(0x79DF3F45), UINT32_C(0x9949D6EC), UINT32_C(0x96C8D37F), - UINT32_C(0xBA18E262), UINT32_C(0xDD2275BF), UINT32_C(0x68DE6EE2), - UINT32_C(0xC419F1D5), UINT32_C(0xA9E4FFF8), UINT32_C(0xA52B5A40), - UINT32_C(0xBC759CA4), UINT32_C(0x63B0996D), UINT32_C(0xFF18CBD8) } }, - { { UINT32_C(0xD7DD47E5), UINT32_C(0x73C57FDE), UINT32_C(0xD49A7F5D), - UINT32_C(0xB0FE5479), UINT32_C(0xCFB9821E), UINT32_C(0xD25C71F1), - UINT32_C(0xCF6A1D68), UINT32_C(0x9427E209), UINT32_C(0xACD24E64), - UINT32_C(0xBF3C3916), UINT32_C(0xBDA7B8B5), UINT32_C(0x7E9F5583) }, - { UINT32_C(0xCF971E11), UINT32_C(0xE7C5F7C8), UINT32_C(0x3C7F035E), - UINT32_C(0xEC16D5D7), UINT32_C(0xE66B277C), UINT32_C(0x818DC472), - UINT32_C(0xB2816F1E), UINT32_C(0x4413FD47), UINT32_C(0x48383C6D), - UINT32_C(0x40F262AF), UINT32_C(0x4F190537), UINT32_C(0xFB057584) } }, - { { UINT32_C(0x08962F6B), UINT32_C(0x487EDC07), UINT32_C(0x190A7E55), - UINT32_C(0x6002F1E7), UINT32_C(0x10FDBA0C), UINT32_C(0x7FC62BEA), - UINT32_C(0x2C3DBF33), UINT32_C(0xC836BBC5), UINT32_C(0x4F7D2A46), - UINT32_C(0x4FDFB5C3), UINT32_C(0xDCA0DF71), UINT32_C(0x824654DE) }, - { UINT32_C(0x0C23902B), UINT32_C(0x30A07676), UINT32_C(0x77FBBF37), - UINT32_C(0x7F1EBB93), UINT32_C(0xFACC13DB), UINT32_C(0xD307D49D), - UINT32_C(0xAE1A261A), UINT32_C(0x148D673A), UINT32_C(0x52D98650), - UINT32_C(0xE008F95B), UINT32_C(0x9F558FDE), UINT32_C(0xC7614440) } }, - { { UINT32_C(0x9CB16650), UINT32_C(0x17CD6AF6), UINT32_C(0x69F4EEBE), - UINT32_C(0x86CC27C1), UINT32_C(0x78822432), UINT32_C(0x7E495B1D), - UINT32_C(0x1B974525), UINT32_C(0xFED338E3), UINT32_C(0x86F3CE21), - UINT32_C(0x527743D3), UINT32_C(0xB515C896), UINT32_C(0x87948AD3) }, - { UINT32_C(0xB17F2FB8), UINT32_C(0x9FDE7039), UINT32_C(0xD9B89D96), - UINT32_C(0xA2FA9A5F), UINT32_C(0x36FF74DC), UINT32_C(0x5D46600B), - UINT32_C(0x8302C3C9), UINT32_C(0x8EA74B04), UINT32_C(0xF744B5EB), - UINT32_C(0xD560F570), UINT32_C(0xFE762402), UINT32_C(0xC921023B) } }, - { { UINT32_C(0xFFF4C8ED), UINT32_C(0xA35AB657), UINT32_C(0x8A5FABD7), - UINT32_C(0x017C6124), UINT32_C(0x09ACDA28), UINT32_C(0x56463025), - UINT32_C(0x14CF238A), UINT32_C(0x6038D361), UINT32_C(0xAF1B9F07), - UINT32_C(0x1428B1B6), UINT32_C(0x7482E95C), UINT32_C(0x5827FF44) }, - { UINT32_C(0x780FF362), UINT32_C(0xCB997E18), UINT32_C(0xE0BCAC1E), - UINT32_C(0x2B89D702), UINT32_C(0xA837DDC8), UINT32_C(0xC632A0B5), - UINT32_C(0x59762647), UINT32_C(0xF3EFCF1F), UINT32_C(0x38B0D60A), - UINT32_C(0xE9BA309A), UINT32_C(0x20B5FB37), UINT32_C(0x05DEABDD) } }, - { { UINT32_C(0xCB8AF047), UINT32_C(0xD44E5DBA), UINT32_C(0x943CFE82), - UINT32_C(0x15400CB4), UINT32_C(0x9DF88B67), UINT32_C(0xDBD69575), - UINT32_C(0xB2405A7D), UINT32_C(0x8299DB2B), UINT32_C(0x0B1D80CD), - UINT32_C(0x46E3BF77), UINT32_C(0xE82BA3D9), UINT32_C(0xC50CF66C) }, - { UINT32_C(0xF2F747A9), UINT32_C(0xB2910A07), UINT32_C(0x5ADC89C1), - UINT32_C(0xF6B669DB), UINT32_C(0x9052B081), UINT32_C(0x3B5EF1A0), - UINT32_C(0xB594ACE2), UINT32_C(0x0F5D5ED3), UINT32_C(0xD5F01320), - UINT32_C(0xDA30B8D5), UINT32_C(0xAAFCD58F), UINT32_C(0x0D688C5E) } }, - { { UINT32_C(0x2A161074), UINT32_C(0x5EEE3A31), UINT32_C(0xEFE2BE37), - UINT32_C(0x6BAAAE56), UINT32_C(0xE3D78698), UINT32_C(0xF9787F61), - UINT32_C(0x50630A30), UINT32_C(0xC6836B26), UINT32_C(0x1445DEF1), - UINT32_C(0x7445B85D), UINT32_C(0xD568A6A5), UINT32_C(0xD72016A2) }, - { UINT32_C(0xE355614F), UINT32_C(0x9DD6F533), UINT32_C(0x91E04588), - UINT32_C(0x637E7E5F), UINT32_C(0xB9FB1391), UINT32_C(0x42E142F3), - UINT32_C(0x41AFE5DA), UINT32_C(0x0D07C05C), UINT32_C(0x1394EDF1), - UINT32_C(0xD7CD25C8), UINT32_C(0xB99288EE), UINT32_C(0xEBE6A0FC) } }, - { { UINT32_C(0xBABBAD86), UINT32_C(0xB8E63B7B), UINT32_C(0x90D66766), - UINT32_C(0x63226A9F), UINT32_C(0x5CF26666), UINT32_C(0x26381836), - UINT32_C(0x4CADD0BF), UINT32_C(0xCCBD142D), UINT32_C(0x9AC29470), - UINT32_C(0xA070965E), UINT32_C(0x25FF23ED), UINT32_C(0x6BDCA260) }, - { UINT32_C(0x87DCA7B3), UINT32_C(0xD4E00FD4), UINT32_C(0x9E0E8734), - UINT32_C(0xA5097833), UINT32_C(0x048173A4), UINT32_C(0xF73F162E), - UINT32_C(0x9C3C2FA2), UINT32_C(0xD23F9196), UINT32_C(0xE4AC397A), - UINT32_C(0x9AB98B45), UINT32_C(0x543F2D4B), UINT32_C(0x2BAA0300) } }, - { { UINT32_C(0xC658C445), UINT32_C(0xBBBE15E7), UINT32_C(0xC28941D1), - UINT32_C(0xB8CBCB20), UINT32_C(0x027D6540), UINT32_C(0x65549BE2), - UINT32_C(0x1E8EF4F4), UINT32_C(0xEBBCA802), UINT32_C(0xD2ACA397), - UINT32_C(0x18214B4B), UINT32_C(0xE31784A3), UINT32_C(0xCBEC7DE2) }, - { UINT32_C(0x0116FDF3), UINT32_C(0x96F0533F), UINT32_C(0x5C8F5EE1), - UINT32_C(0x68911C90), UINT32_C(0xD568603A), UINT32_C(0x7DE9A3AE), - UINT32_C(0x6A3AD7B7), UINT32_C(0x3F56C52C), UINT32_C(0x670B4D0E), - UINT32_C(0x5BE9AFCA), UINT32_C(0x375DFE2F), UINT32_C(0x628BFEEE) } }, - { { UINT32_C(0xDD4ADDB3), UINT32_C(0x97DAE81B), UINT32_C(0x8704761B), - UINT32_C(0x12D2CF4E), UINT32_C(0x3247788D), UINT32_C(0x5E820B40), - UINT32_C(0x0051CA80), UINT32_C(0x82234B62), UINT32_C(0x6CB5EA74), - UINT32_C(0x0C62704D), UINT32_C(0x23941593), UINT32_C(0xDE560420) }, - { UINT32_C(0xF1B04145), UINT32_C(0xB3912A3C), UINT32_C(0xAF93688D), - UINT32_C(0xE3967CD7), UINT32_C(0x58DABB4B), UINT32_C(0x2E2DCD2F), - UINT32_C(0x0E303911), UINT32_C(0x6564836F), UINT32_C(0xECE07C5C), - UINT32_C(0x1F10F19B), UINT32_C(0xD8919126), UINT32_C(0xB47F07EE) } }, - { { UINT32_C(0xE9A2EEC9), UINT32_C(0xE3545085), UINT32_C(0x2C8E51FE), - UINT32_C(0x81866A97), UINT32_C(0x50027243), UINT32_C(0xD2BA7DB5), - UINT32_C(0x4AE87DE4), UINT32_C(0x29DAEAB5), UINT32_C(0x684F9497), - UINT32_C(0x5EF3D4B8), UINT32_C(0x9D5D6873), UINT32_C(0xE2DACE3B) }, - { UINT32_C(0xFFD29C9C), UINT32_C(0xF012C951), UINT32_C(0xADBADA14), - UINT32_C(0x48289445), UINT32_C(0x89558C49), UINT32_C(0x8751F50D), - UINT32_C(0x99E35BEE), UINT32_C(0x75511A4F), UINT32_C(0x7D59AA5F), - UINT32_C(0xEF802D6E), UINT32_C(0xA2A795E2), UINT32_C(0x14FCAD65) } }, - { { UINT32_C(0x08CB8F2C), UINT32_C(0xC8EB00E8), UINT32_C(0x2B45BD86), - UINT32_C(0x68607532), UINT32_C(0x59969713), UINT32_C(0x7A29B459), - UINT32_C(0xD684201B), UINT32_C(0x5FA15B9B), UINT32_C(0xB9E538EE), - UINT32_C(0x1A853190), UINT32_C(0xD573D043), UINT32_C(0x4150605C) }, - { UINT32_C(0xEB9FBB68), UINT32_C(0xEF011D3B), UINT32_C(0x66AE32B6), - UINT32_C(0x67279982), UINT32_C(0x445DE5EC), UINT32_C(0x861B86EA), - UINT32_C(0xA34A50E1), UINT32_C(0x62837D18), UINT32_C(0xBF5F0663), - UINT32_C(0x228C006A), UINT32_C(0x396DB36A), UINT32_C(0xE007FDE7) } }, - { { UINT32_C(0x5A916A55), UINT32_C(0xDEE4F881), UINT32_C(0xF39C82CB), - UINT32_C(0x20DC0370), UINT32_C(0x40F09821), UINT32_C(0xD9A71615), - UINT32_C(0xF7273492), UINT32_C(0xD50AD8BF), UINT32_C(0x32E7C4BF), - UINT32_C(0xA06F7D12), UINT32_C(0x4C5CEA36), UINT32_C(0xFA0F6154) }, - { UINT32_C(0x5FC49CFE), UINT32_C(0xF4FD9BED), UINT32_C(0xC9291678), - UINT32_C(0xD8CB45D1), UINT32_C(0x7B92C9F2), UINT32_C(0x94DB86CC), - UINT32_C(0x73C81169), UINT32_C(0x09CA5F38), UINT32_C(0xAEED06F0), - UINT32_C(0x109F40B0), UINT32_C(0x14DCAA0A), UINT32_C(0x9F0360B2) } }, - { { UINT32_C(0xE12AD3E7), UINT32_C(0x4189B70D), UINT32_C(0x10B06607), - UINT32_C(0x5208ADB2), UINT32_C(0xEE8497FA), UINT32_C(0xEBD8E2A2), - UINT32_C(0xE04F2ECB), UINT32_C(0x61B1BD67), UINT32_C(0x4F3F5F99), - UINT32_C(0x0E2DDA72), UINT32_C(0xF747B16D), UINT32_C(0xD5D96740) }, - { UINT32_C(0xA6BF397F), UINT32_C(0x308A48F6), UINT32_C(0x23A93595), - UINT32_C(0x7021C3E5), UINT32_C(0x36470AA0), UINT32_C(0xF10B0229), - UINT32_C(0x4E03295B), UINT32_C(0x7761E8EC), UINT32_C(0x07339770), - UINT32_C(0x16EFEF58), UINT32_C(0x5DA5DAA2), UINT32_C(0x0D55D2DD) } }, - { { UINT32_C(0x8A22F87A), UINT32_C(0x915EA6A3), UINT32_C(0x2E5A088E), - UINT32_C(0x191151C1), UINT32_C(0x7F1D5CBE), UINT32_C(0x190252F1), - UINT32_C(0x3B0EC99B), UINT32_C(0xE43F59C3), UINT32_C(0xFF2A6135), - UINT32_C(0xBE8588D4), UINT32_C(0x2ECB4B9F), UINT32_C(0x103877CC) }, - { UINT32_C(0x023CF92B), UINT32_C(0x8F4147E5), UINT32_C(0x0CC2085B), - UINT32_C(0xC24384CC), UINT32_C(0xD082D311), UINT32_C(0x6A2DB4A2), - UINT32_C(0xED7BA9AE), UINT32_C(0x06283811), UINT32_C(0x2A8E1592), - UINT32_C(0xE9A3F532), UINT32_C(0x5A59E894), UINT32_C(0xAC20F0F4) } }, - { { UINT32_C(0x74AAB4B1), UINT32_C(0x788CAA52), UINT32_C(0x2FEAFC7E), - UINT32_C(0xEB84ABA1), UINT32_C(0xAC04FF77), UINT32_C(0x31DA71DA), - UINT32_C(0x24E4D0BF), UINT32_C(0x39D12EB9), UINT32_C(0x87A34EF8), - UINT32_C(0x4F2F292F), UINT32_C(0xA237A8ED), UINT32_C(0x9B324372) }, - { UINT32_C(0x2EE3A82D), UINT32_C(0xBB2D04B1), UINT32_C(0xD18D36B2), - UINT32_C(0xED4FF367), UINT32_C(0xA6EA0138), UINT32_C(0x99D231EE), - UINT32_C(0x4F92E04A), UINT32_C(0x7C2D4F06), UINT32_C(0xCA272FD0), - UINT32_C(0x78A82AB2), UINT32_C(0xAB8CDC32), UINT32_C(0x7EC41340) } }, - }, - { - { { UINT32_C(0xD2E15A8C), UINT32_C(0xD23658C8), UINT32_C(0x16BA28CA), - UINT32_C(0x23F93DF7), UINT32_C(0x082210F1), UINT32_C(0x6DAB10EC), - UINT32_C(0xBFC36490), UINT32_C(0xFB1ADD91), UINT32_C(0x9A4F2D14), - UINT32_C(0xEDA8B02F), UINT32_C(0x56560443), UINT32_C(0x9060318C) }, - { UINT32_C(0x64711AB2), UINT32_C(0x6C01479E), UINT32_C(0xE337EB85), - UINT32_C(0x41446FC7), UINT32_C(0x71888397), UINT32_C(0x4DCF3C1D), - UINT32_C(0x13C34FD2), UINT32_C(0x87A9C04E), UINT32_C(0x510C15AC), - UINT32_C(0xFE0E08EC), UINT32_C(0xC0F495D2), UINT32_C(0xFC0D0413) } }, - { { UINT32_C(0x156636C2), UINT32_C(0xEB05C516), UINT32_C(0x090E93FC), - UINT32_C(0x2F613ABA), UINT32_C(0x489576F5), UINT32_C(0xCFD573CD), - UINT32_C(0x535A8D57), UINT32_C(0xE6535380), UINT32_C(0x671436C4), - UINT32_C(0x13947314), UINT32_C(0x5F0A122D), UINT32_C(0x1172FB0C) }, - { UINT32_C(0xC12F58F6), UINT32_C(0xAECC7EC1), UINT32_C(0x8E41AFD2), - UINT32_C(0xFE42F957), UINT32_C(0x3D4221AA), UINT32_C(0xDF96F652), - UINT32_C(0x2851996B), UINT32_C(0xFEF5649F), UINT32_C(0xD5CFB67E), - UINT32_C(0x46FB9F26), UINT32_C(0xEF5C4052), UINT32_C(0xB047BFC7) } }, - { { UINT32_C(0xF4484374), UINT32_C(0x5CBDC442), UINT32_C(0xF92452EF), - UINT32_C(0x6B156957), UINT32_C(0xC118D02A), UINT32_C(0x58A26886), - UINT32_C(0x75AAF276), UINT32_C(0x87FF74E6), UINT32_C(0xF65F6EC1), - UINT32_C(0xB133BE95), UINT32_C(0x4B1B8D32), UINT32_C(0xA89B6284) }, - { UINT32_C(0x09C81004), UINT32_C(0xDD8A8EF3), UINT32_C(0x0CF21991), - UINT32_C(0x7F8225DB), UINT32_C(0x26623FAF), UINT32_C(0xD525A6DB), - UINT32_C(0xBAE15453), UINT32_C(0xF2368D40), UINT32_C(0x84F89FC9), - UINT32_C(0x55D6A84D), UINT32_C(0x86021A3E), UINT32_C(0xAF38358A) } }, - { { UINT32_C(0xFF52E280), UINT32_C(0xBD048BDC), UINT32_C(0x526A1795), - UINT32_C(0x8A51D0B2), UINT32_C(0xA985AC0F), UINT32_C(0x40AAA758), - UINT32_C(0xF2C7ACE9), UINT32_C(0x6039BCDC), UINT32_C(0x6AEC347D), - UINT32_C(0x712092CC), UINT32_C(0x6B5ACAB7), UINT32_C(0x7976D090) }, - { UINT32_C(0x6EED9617), UINT32_C(0x1EBCF80D), UINT32_C(0xB0F404A4), - UINT32_C(0xB3A63149), UINT32_C(0xD0B610EF), UINT32_C(0x3FDD3D1A), - UINT32_C(0x98C28AC7), UINT32_C(0xDD3F6F94), UINT32_C(0x3A59750F), - UINT32_C(0x650B7794), UINT32_C(0x2D3991AC), UINT32_C(0xEC59BAB1) } }, - { { UINT32_C(0x2E552766), UINT32_C(0x01F40E88), UINT32_C(0x66F5354F), - UINT32_C(0x1FE3D509), UINT32_C(0xB3A8EA7F), UINT32_C(0x0E46D006), - UINT32_C(0xF831CD6A), UINT32_C(0xF75AB629), UINT32_C(0x91465119), - UINT32_C(0xDAD808D7), UINT32_C(0x17EF9B10), UINT32_C(0x442405AF) }, - { UINT32_C(0x672BDFCB), UINT32_C(0xD5FE0A96), UINT32_C(0x355DBDEC), - UINT32_C(0xA9DFA422), UINT32_C(0x79B25636), UINT32_C(0xFDB79AA1), - UINT32_C(0xEECE8AEC), UINT32_C(0xE7F26FFD), UINT32_C(0x7EDD5AA2), - UINT32_C(0xB5925550), UINT32_C(0x8EB3A6C2), UINT32_C(0x2C8F6FF0) } }, - { { UINT32_C(0x757D6136), UINT32_C(0x88887756), UINT32_C(0x88B92E72), - UINT32_C(0xAD9AC183), UINT32_C(0x8785D3EB), UINT32_C(0x92CB2FC4), - UINT32_C(0x9319764B), UINT32_C(0xD1A542FE), UINT32_C(0x626A62F8), - UINT32_C(0xAF4CC78F), UINT32_C(0x26BFFAAE), UINT32_C(0x7F3F5FC9) }, - { UINT32_C(0x40AE2231), UINT32_C(0x0A203D43), UINT32_C(0x387898E8), - UINT32_C(0xA8BFD9E0), UINT32_C(0x474B7DDD), UINT32_C(0x1A0C379C), - UINT32_C(0x34FD49EA), UINT32_C(0x03855E0A), UINT32_C(0xB3EF4AE1), - UINT32_C(0x02B26223), UINT32_C(0xE399E0A3), UINT32_C(0x804BD8CF) } }, - { { UINT32_C(0xDE865713), UINT32_C(0x11A9F3D0), UINT32_C(0xBDE98821), - UINT32_C(0x81E36B6B), UINT32_C(0x6AA891D0), UINT32_C(0x324996C8), - UINT32_C(0x395682B5), UINT32_C(0x7B95BDC1), UINT32_C(0xC1600563), - UINT32_C(0x47BF2219), UINT32_C(0x643E38B4), UINT32_C(0x7A473F50) }, - { UINT32_C(0xF5738288), UINT32_C(0x0911F50A), UINT32_C(0x6F9C415B), - UINT32_C(0xDF947A70), UINT32_C(0x67A067F6), UINT32_C(0xBDB994F2), - UINT32_C(0x88BE96CD), UINT32_C(0x3F4BEC1B), UINT32_C(0xE56DD6D9), - UINT32_C(0x9820E931), UINT32_C(0x0A80F419), UINT32_C(0xB138F14F) } }, - { { UINT32_C(0x0429077A), UINT32_C(0xA11A1A8F), UINT32_C(0x10351C68), - UINT32_C(0x2BB1E33D), UINT32_C(0x89459A27), UINT32_C(0x3C25ABFE), - UINT32_C(0x6B8AC774), UINT32_C(0x2D0091B8), UINT32_C(0x3B2415D9), - UINT32_C(0xDAFC7853), UINT32_C(0x9201680D), UINT32_C(0xDE713CF1) }, - { UINT32_C(0x68889D57), UINT32_C(0x8E5F445D), UINT32_C(0x60EABF5B), - UINT32_C(0x608B209C), UINT32_C(0xF9CFA408), UINT32_C(0x10EC0ACC), - UINT32_C(0x4D1EE754), UINT32_C(0xD5256B9D), UINT32_C(0x0AA6C18D), - UINT32_C(0xFF866BAB), UINT32_C(0xACB90A45), UINT32_C(0x9D196DB8) } }, - { { UINT32_C(0xB9B081B2), UINT32_C(0xA46D76A9), UINT32_C(0x62163C25), - UINT32_C(0xFC743A10), UINT32_C(0x7761C392), UINT32_C(0xCD2A5C8D), - UINT32_C(0xBE808583), UINT32_C(0x39BDDE0B), UINT32_C(0xB98E4DFE), - UINT32_C(0x7C416021), UINT32_C(0x65913A44), UINT32_C(0xF930E563) }, - { UINT32_C(0x7585CF3C), UINT32_C(0xC3555F7E), UINT32_C(0x3D6333D5), - UINT32_C(0xC737E383), UINT32_C(0xB430B03D), UINT32_C(0x5B60DBA4), - UINT32_C(0xE7555404), UINT32_C(0x42B715EB), UINT32_C(0x7C7796E3), - UINT32_C(0x571BDF5B), UINT32_C(0x6DB6331F), UINT32_C(0x33DC62C6) } }, - { { UINT32_C(0xE61DEE59), UINT32_C(0x3FB9CCB0), UINT32_C(0x18B14DB9), - UINT32_C(0xC5185F23), UINT32_C(0x845EF36C), UINT32_C(0x1B2ADC4F), - UINT32_C(0x5C1A33AB), UINT32_C(0x195D5B50), UINT32_C(0x421F59D2), - UINT32_C(0x8CEA528E), UINT32_C(0xD2931CEA), UINT32_C(0x7DFCCECF) }, - { UINT32_C(0x8CF7E3F7), UINT32_C(0x51FFA1D5), UINT32_C(0xBDC9FB43), - UINT32_C(0xF01B7886), UINT32_C(0x261A0D35), UINT32_C(0xD65AB610), - UINT32_C(0x7574A554), UINT32_C(0x84BCBAFD), UINT32_C(0xFAD70208), - UINT32_C(0x4B119956), UINT32_C(0x4FAB5243), UINT32_C(0xDDC329C2) } }, - { { UINT32_C(0x9CE92177), UINT32_C(0x1A08AA57), UINT32_C(0xDC2B5C36), - UINT32_C(0x3395E557), UINT32_C(0x394ED04E), UINT32_C(0xFDFE7041), - UINT32_C(0xC6DFCDDE), UINT32_C(0xB797EB24), UINT32_C(0xCB9DE5D6), - UINT32_C(0x284A6B2A), UINT32_C(0x07222765), UINT32_C(0xE0BD95C8) }, - { UINT32_C(0x9FE678A7), UINT32_C(0x114A951B), UINT32_C(0x9E4954EC), - UINT32_C(0xE7ECD0BD), UINT32_C(0x79F0B8A9), UINT32_C(0x7D4096FE), - UINT32_C(0x09724FE2), UINT32_C(0xBDB26E9A), UINT32_C(0xF787AF95), - UINT32_C(0x08741AD8), UINT32_C(0x24045AD8), UINT32_C(0x2BF97272) } }, - { { UINT32_C(0xA9451D57), UINT32_C(0xAB1FEDD9), UINT32_C(0x483E38C9), - UINT32_C(0xDF4D91DF), UINT32_C(0x24E9CF8E), UINT32_C(0x2D54D311), - UINT32_C(0x7A22EEB6), UINT32_C(0x9C2A5AF8), UINT32_C(0x0A43F123), - UINT32_C(0xBD9861EF), UINT32_C(0x38A18B7B), UINT32_C(0x581EA6A2) }, - { UINT32_C(0x296470A3), UINT32_C(0xAF339C85), UINT32_C(0xAFD8203E), - UINT32_C(0xF9603FCD), UINT32_C(0x96763C28), UINT32_C(0x95D05350), - UINT32_C(0x860EC831), UINT32_C(0x15445C16), UINT32_C(0x6867A323), - UINT32_C(0x2AFB8728), UINT32_C(0x0C4838BF), UINT32_C(0x4B152D6D) } }, - { { UINT32_C(0x837CACBA), UINT32_C(0x45BA0E4F), UINT32_C(0xC0725275), - UINT32_C(0x7ADB38AE), UINT32_C(0x942D3C28), UINT32_C(0x19C82831), - UINT32_C(0x6D0FE7DD), UINT32_C(0x94F4731D), UINT32_C(0x4898F1E6), - UINT32_C(0xC3C07E13), UINT32_C(0xED410B51), UINT32_C(0x76350EAC) }, - { UINT32_C(0xF99AACFC), UINT32_C(0x0FA8BECA), UINT32_C(0x65FAF9CF), - UINT32_C(0x2834D86F), UINT32_C(0x6F3866AF), UINT32_C(0x8E62846A), - UINT32_C(0x3DFD6A2B), UINT32_C(0xDAA9BD4F), UINT32_C(0xA6132655), - UINT32_C(0xC27115BB), UINT32_C(0xBD5A32C2), UINT32_C(0x83972DF7) } }, - { { UINT32_C(0xD513B825), UINT32_C(0xA330CB5B), UINT32_C(0xEE37BEC3), - UINT32_C(0xAE18B2D3), UINT32_C(0xF780A902), UINT32_C(0xFC3AB80A), - UINT32_C(0xD607DDF1), UINT32_C(0xD7835BE2), UINT32_C(0x5B6E4C2B), - UINT32_C(0x8120F767), UINT32_C(0x67E78CCB), UINT32_C(0xAA8C3859) }, - { UINT32_C(0xAA0ED321), UINT32_C(0xA8DA8CE2), UINT32_C(0xD766341A), - UINT32_C(0xCB8846FD), UINT32_C(0x33DC9D9A), UINT32_C(0xF2A342EE), - UINT32_C(0xD0A18A80), UINT32_C(0xA519E0BE), UINT32_C(0xAF48DF4C), - UINT32_C(0x9CDAA39C), UINT32_C(0x7E0C19EE), UINT32_C(0xA4B500CA) } }, - { { UINT32_C(0x8217001B), UINT32_C(0x83A7FD2F), UINT32_C(0x4296A8BA), - UINT32_C(0x4F6FCF06), UINT32_C(0x91619927), UINT32_C(0x7D748643), - UINT32_C(0x941E4D41), UINT32_C(0x174C1075), UINT32_C(0xA64F5A6C), - UINT32_C(0x037EDEBD), UINT32_C(0x6E29DC56), UINT32_C(0xCF64DB3A) }, - { UINT32_C(0x37C0B9F4), UINT32_C(0x150B3ACE), UINT32_C(0x7168178B), - UINT32_C(0x1323234A), UINT32_C(0xEF4D1879), UINT32_C(0x1CE47014), - UINT32_C(0x17FB4D5C), UINT32_C(0xA22E3742), UINT32_C(0xD985F794), - UINT32_C(0x69B81822), UINT32_C(0x081D7214), UINT32_C(0x199C21C4) } }, - { { UINT32_C(0x8F04B4D2), UINT32_C(0x160BC7A1), UINT32_C(0xB10DE174), - UINT32_C(0x79CA81DD), UINT32_C(0x2DA1E9C7), UINT32_C(0xE2A280B0), - UINT32_C(0x1D6A0A29), UINT32_C(0xB4F6BD99), UINT32_C(0x1C5B8F27), - UINT32_C(0x57CF3EDD), UINT32_C(0x158C2FD4), UINT32_C(0x7E34FC57) }, - { UINT32_C(0xCAC93459), UINT32_C(0x828CFD89), UINT32_C(0xB7AF499F), - UINT32_C(0x9E631B6F), UINT32_C(0xDA26C135), UINT32_C(0xF4DC8BC0), - UINT32_C(0x37186735), UINT32_C(0x6128ED39), UINT32_C(0x67BF0BA5), - UINT32_C(0xBB45538B), UINT32_C(0x0064A3AB), UINT32_C(0x1ADDD4C1) } }, - }, - { - { { UINT32_C(0xDD14D47E), UINT32_C(0xC32730E8), UINT32_C(0xC0F01E0F), - UINT32_C(0xCDC1FD42), UINT32_C(0x3F5CD846), UINT32_C(0x2BACFDBF), - UINT32_C(0x7272D4DD), UINT32_C(0x45F36416), UINT32_C(0x5EB75776), - UINT32_C(0xDD813A79), UINT32_C(0x50997BE2), UINT32_C(0xB57885E4) }, - { UINT32_C(0xDB8C9829), UINT32_C(0xDA054E2B), UINT32_C(0xAAB5A594), - UINT32_C(0x4161D820), UINT32_C(0x026116A3), UINT32_C(0x4C428F31), - UINT32_C(0xDCD85E91), UINT32_C(0x372AF9A0), UINT32_C(0x673ADC2D), - UINT32_C(0xFDA6E903), UINT32_C(0xA8DB59E6), UINT32_C(0x4526B8AC) } }, - { { UINT32_C(0xE23A8472), UINT32_C(0x68FE359D), UINT32_C(0x4CE3C101), - UINT32_C(0x43EB12BD), UINT32_C(0xFC704935), UINT32_C(0x0EC652C3), - UINT32_C(0x52E4E22D), UINT32_C(0x1EEFF1F9), UINT32_C(0x083E3ADA), - UINT32_C(0xBA6777CB), UINT32_C(0x8BEFC871), UINT32_C(0xAB52D7DC) }, - { UINT32_C(0x497CBD59), UINT32_C(0x4EDE689F), UINT32_C(0x27577DD9), - UINT32_C(0xC8AE42B9), UINT32_C(0x7AB83C27), UINT32_C(0xE0F08051), - UINT32_C(0x2C8C1F48), UINT32_C(0x1F3D5F25), UINT32_C(0xAF241AAC), - UINT32_C(0x57991607), UINT32_C(0xB8A337E0), UINT32_C(0xC4458B0A) } }, - { { UINT32_C(0x51DD1BA9), UINT32_C(0x3DBB3FA6), UINT32_C(0x545E960B), - UINT32_C(0xE53C1C4D), UINT32_C(0x793CE803), UINT32_C(0x35AC6574), - UINT32_C(0x83DBCE4F), UINT32_C(0xB2697DC7), UINT32_C(0xE13CF6B0), - UINT32_C(0xE35C5BF2), UINT32_C(0xB0C4A164), UINT32_C(0x35034280) }, - { UINT32_C(0xD9C0D3C1), UINT32_C(0xAA490908), UINT32_C(0xCB4D2E90), - UINT32_C(0x2CCE614D), UINT32_C(0x54D504E4), UINT32_C(0xF646E96C), - UINT32_C(0xB73310A3), UINT32_C(0xD74E7541), UINT32_C(0x18BDE5DA), - UINT32_C(0xEAD71596), UINT32_C(0xAA09AEF7), UINT32_C(0x96E7F4A8) } }, - { { UINT32_C(0x5D6E5F48), UINT32_C(0xA8393A24), UINT32_C(0xF9175CE8), - UINT32_C(0x2C8D7EA2), UINT32_C(0x55A20268), UINT32_C(0xD8824E02), - UINT32_C(0xA446BCC6), UINT32_C(0x9DD9A272), UINT32_C(0x5351499B), - UINT32_C(0xC929CDED), UINT32_C(0xCFE76535), UINT32_C(0xEA5AD9EC) }, - { UINT32_C(0xDC32D001), UINT32_C(0x26F3D7D9), UINT32_C(0x43EB9689), - UINT32_C(0x51C3BE83), UINT32_C(0x759E6DDB), UINT32_C(0x91FDCC06), - UINT32_C(0xE302B891), UINT32_C(0xAC2E1904), UINT32_C(0xC207E1F7), - UINT32_C(0xAD25C645), UINT32_C(0xAB3DEB4A), UINT32_C(0x28A70F0D) } }, - { { UINT32_C(0x03BEA8F1), UINT32_C(0x922D7F97), UINT32_C(0x584570BE), - UINT32_C(0x3AD820D4), UINT32_C(0x3CD46B43), UINT32_C(0x0CE0A850), - UINT32_C(0xAE66743D), UINT32_C(0x4C07911F), UINT32_C(0xFDA60023), - UINT32_C(0x66519EB9), UINT32_C(0xEC2ACD9C), UINT32_C(0x7F83004B) }, - { UINT32_C(0xC3117EAD), UINT32_C(0x001E0B80), UINT32_C(0x0722BA25), - UINT32_C(0xBB72D541), UINT32_C(0x6E9A5078), UINT32_C(0x3AF7DB96), - UINT32_C(0x701B6B4C), UINT32_C(0x86C5774E), UINT32_C(0x37824DB5), - UINT32_C(0xBD2C0E8E), UINT32_C(0xBFAC286D), UINT32_C(0x3AE3028C) } }, - { { UINT32_C(0xA33E071B), UINT32_C(0x83D4D4A8), UINT32_C(0x61444BB5), - UINT32_C(0x881C0A92), UINT32_C(0x520E3BC3), UINT32_C(0xEEA1E292), - UINT32_C(0x2AAAB729), UINT32_C(0x5A5F4C3C), UINT32_C(0xE63C7C94), - UINT32_C(0x0B766C5E), UINT32_C(0xBB2CC79C), UINT32_C(0x62BB8A9F) }, - { UINT32_C(0xAA5DC49D), UINT32_C(0x97ADC7D2), UINT32_C(0x31718681), - UINT32_C(0x30CC26B3), UINT32_C(0x56E86EDE), UINT32_C(0xAC86E6FF), - UINT32_C(0xCD52F7F2), UINT32_C(0x37BCA7A2), UINT32_C(0x9CE6D87F), - UINT32_C(0x734D2C94), UINT32_C(0xC2F7E0CA), UINT32_C(0x06A71D71) } }, - { { UINT32_C(0xC6357D33), UINT32_C(0x559DCF75), UINT32_C(0x652517DE), - UINT32_C(0x4616D940), UINT32_C(0x1CCF207B), UINT32_C(0x3D576B98), - UINT32_C(0x1979F631), UINT32_C(0x51E2D1EF), UINT32_C(0x06AE8296), - UINT32_C(0x57517DDD), UINT32_C(0xD6E7151F), UINT32_C(0x309A3D7F) }, - { UINT32_C(0x0E3A6FE5), UINT32_C(0xBA2A23E6), UINT32_C(0xD28B22C3), - UINT32_C(0x76CF674A), UINT32_C(0xF8B808C3), UINT32_C(0xD235AD07), - UINT32_C(0x6B71213A), UINT32_C(0x7BBF4C58), UINT32_C(0x93271EBB), - UINT32_C(0x0676792E), UINT32_C(0x05B1FC31), UINT32_C(0x2CFD2C76) } }, - { { UINT32_C(0x37A450F5), UINT32_C(0x4258E5C0), UINT32_C(0x52D2B118), - UINT32_C(0xC3245F1B), UINT32_C(0x82BC5963), UINT32_C(0x6DF7B484), - UINT32_C(0x9C273D1E), UINT32_C(0xE520DA4D), UINT32_C(0x2C3010E5), - UINT32_C(0xED78E012), UINT32_C(0x3C1D4C05), UINT32_C(0x11222948) }, - { UINT32_C(0xC692B490), UINT32_C(0xE3DAE5AF), UINT32_C(0xC197F793), - UINT32_C(0x3272BD10), UINT32_C(0xE709ACAA), UINT32_C(0xF7EAE411), - UINT32_C(0x778270A6), UINT32_C(0x00B0C95F), UINT32_C(0x220D4350), - UINT32_C(0x4DA76EE1), UINT32_C(0xAB71E308), UINT32_C(0x521E1461) } }, - { { UINT32_C(0x343196A3), UINT32_C(0x7B654323), UINT32_C(0xB0C95250), - UINT32_C(0x35D442AD), UINT32_C(0xE264FF17), UINT32_C(0x38AF50E6), - UINT32_C(0x2030D2EA), UINT32_C(0x28397A41), UINT32_C(0xF74EEDA1), - UINT32_C(0x8F1D84E9), UINT32_C(0xE6FB3C52), UINT32_C(0xD521F92D) }, - { UINT32_C(0x95733811), UINT32_C(0xAF358D77), UINT32_C(0x93ABFE94), - UINT32_C(0xEBFDDD01), UINT32_C(0xD18D99DE), UINT32_C(0x05D8A028), - UINT32_C(0xB5D5BDD9), UINT32_C(0x5A664019), UINT32_C(0x2AA12FE8), - UINT32_C(0x3DF17282), UINT32_C(0xB889A28E), UINT32_C(0xB42E006F) } }, - { { UINT32_C(0xBC35CB1A), UINT32_C(0xCF10E97D), UINT32_C(0x994DEDC5), - UINT32_C(0xC70A7BBD), UINT32_C(0x37D04FB9), UINT32_C(0x76A5327C), - UINT32_C(0xA76E0CDA), UINT32_C(0x87539F76), UINT32_C(0xCD60A6B1), - UINT32_C(0xE9FE493F), UINT32_C(0x132F01C0), UINT32_C(0xA4574796) }, - { UINT32_C(0xDB70B167), UINT32_C(0xC43B85EB), UINT32_C(0x98551DFA), - UINT32_C(0x81D5039A), UINT32_C(0x1D979FA4), UINT32_C(0x6B56FBE9), - UINT32_C(0x8615098F), UINT32_C(0x49714FD7), UINT32_C(0x94DECAB5), - UINT32_C(0xB10E1CEA), UINT32_C(0x480EF6E3), UINT32_C(0x8342EBA3) } }, - { { UINT32_C(0xB3677288), UINT32_C(0xE1E030B0), UINT32_C(0x8D5CE3AF), - UINT32_C(0x2978174C), UINT32_C(0xF7B2DE98), UINT32_C(0xAFC0271C), - UINT32_C(0xB99C20B5), UINT32_C(0x745BC6F3), UINT32_C(0x1E3BB4E5), - UINT32_C(0x9F6EDCED), UINT32_C(0x73C8C1FC), UINT32_C(0x58D3EE4E) }, - { UINT32_C(0x7FD30124), UINT32_C(0x1F3535F4), UINT32_C(0x5FA62502), - UINT32_C(0xF366AC70), UINT32_C(0x965363FE), UINT32_C(0x4C4C1FDD), - UINT32_C(0x1DE2CA2B), UINT32_C(0x8B2C7777), UINT32_C(0x882F1173), - UINT32_C(0x0CB54743), UINT32_C(0x71343331), UINT32_C(0x94B6B8C0) } }, - { { UINT32_C(0x65B8B35B), UINT32_C(0x75AF0141), UINT32_C(0x4670A1F5), - UINT32_C(0x6D7B8485), UINT32_C(0xA3B6D376), UINT32_C(0x6EAA3A47), - UINT32_C(0xCB3E5B66), UINT32_C(0xD7E673D2), UINT32_C(0x9589AB38), - UINT32_C(0xC0338E6C), UINT32_C(0x09440FAA), UINT32_C(0x4BE26CB3) }, - { UINT32_C(0x394F9AA3), UINT32_C(0x82CB05E7), UINT32_C(0x7F7792EA), - UINT32_C(0xC45C8A8A), UINT32_C(0xB687DC70), UINT32_C(0x37E5E33B), - UINT32_C(0xDFE48E49), UINT32_C(0x63853219), UINT32_C(0x6D0E5C8C), - UINT32_C(0x087951C1), UINT32_C(0x2BC27310), UINT32_C(0x7696A8C7) } }, - { { UINT32_C(0xB67E834A), UINT32_C(0xA05736D5), UINT32_C(0x9098D42A), - UINT32_C(0xDD2AA0F2), UINT32_C(0x49C69DDC), UINT32_C(0x09F0C1D8), - UINT32_C(0x8FF0F0F3), UINT32_C(0x81F8BC1C), UINT32_C(0x03037775), - UINT32_C(0x36FD3A4F), UINT32_C(0x4B06DF5C), UINT32_C(0x8286717D) }, - { UINT32_C(0xA9079EA2), UINT32_C(0xB878F496), UINT32_C(0xD7DC796D), - UINT32_C(0xA5642426), UINT32_C(0x67FDAC2B), UINT32_C(0x29B9351A), - UINT32_C(0x1D543CDE), UINT32_C(0x93774C0E), UINT32_C(0x1A8E31C4), - UINT32_C(0x4F8793BA), UINT32_C(0x6C94798A), UINT32_C(0x7C9F3F3A) } }, - { { UINT32_C(0xCB8ECDB8), UINT32_C(0x23C5AD11), UINT32_C(0x485A6A02), - UINT32_C(0x1E88D25E), UINT32_C(0xF1E268AE), UINT32_C(0xB27CBE84), - UINT32_C(0xF4CD0475), UINT32_C(0xDDA80238), UINT32_C(0x49F8EB1B), - UINT32_C(0x4F88857B), UINT32_C(0x52FB07F9), UINT32_C(0x91B1221F) }, - { UINT32_C(0x8637FA67), UINT32_C(0x7CE97460), UINT32_C(0x632198D8), - UINT32_C(0x528B3CF4), UINT32_C(0xF6623769), UINT32_C(0x33365AB3), - UINT32_C(0x3A83A30F), UINT32_C(0x6FEBCFFF), UINT32_C(0x9BD341EB), - UINT32_C(0x398F4C99), UINT32_C(0xB33A333C), UINT32_C(0x180712BB) } }, - { { UINT32_C(0xD93429E7), UINT32_C(0x2B8655A2), UINT32_C(0x75C8B9EE), - UINT32_C(0x99D600BB), UINT32_C(0x88FCA6CD), UINT32_C(0x9FC1AF8B), - UINT32_C(0x7C311F80), UINT32_C(0x2FB53386), UINT32_C(0xE8A71EEE), - UINT32_C(0x20743ECB), UINT32_C(0xE848B49E), UINT32_C(0xEC3713C4) }, - { UINT32_C(0xBB886817), UINT32_C(0x5B2037B5), UINT32_C(0x307DBAF4), - UINT32_C(0x40EF5AC2), UINT32_C(0x1B3F643D), UINT32_C(0xC2888AF2), - UINT32_C(0x9D5A4190), UINT32_C(0x0D8252E1), UINT32_C(0x2DB52A8A), - UINT32_C(0x06CC0BEC), UINT32_C(0xAB94E969), UINT32_C(0xB84B98EA) } }, - { { UINT32_C(0xA0321E0E), UINT32_C(0x2E7AC078), UINT32_C(0xEF3DAAB6), - UINT32_C(0x5C5A1168), UINT32_C(0xADDD454A), UINT32_C(0xD2D573CB), - UINT32_C(0x36259CC7), UINT32_C(0x27E149E2), UINT32_C(0xA63F47F1), - UINT32_C(0x1EDFD469), UINT32_C(0xF1BD2CFD), UINT32_C(0x039AD674) }, - { UINT32_C(0x3077D3CC), UINT32_C(0xBFA633FC), UINT32_C(0x2FD64E9F), - UINT32_C(0x14A7C82F), UINT32_C(0x9D824999), UINT32_C(0xAAA65014), - UINT32_C(0x21760F2E), UINT32_C(0x41AB113B), UINT32_C(0x1CAE260A), - UINT32_C(0x23E646C5), UINT32_C(0x68DC5159), UINT32_C(0x08062C8F) } }, - }, - { - { { UINT32_C(0x204BE028), UINT32_C(0x2E7D0A16), UINT32_C(0xD0E41851), - UINT32_C(0x4F1D082E), UINT32_C(0x3EB317F9), UINT32_C(0x15F1DDC6), - UINT32_C(0x5ADF71D7), UINT32_C(0xF0275071), UINT32_C(0xEE858BC3), - UINT32_C(0x2CE33C2E), UINT32_C(0xDA73B71A), UINT32_C(0xA24C76D1) }, - { UINT32_C(0x6C70C483), UINT32_C(0x9EF6A70A), UINT32_C(0x05CF9612), - UINT32_C(0xEFCF1705), UINT32_C(0x7502DE64), UINT32_C(0x9F5BF5A6), - UINT32_C(0xA4701973), UINT32_C(0xD11122A1), UINT32_C(0xA2EA7B24), - UINT32_C(0x82CFAAC2), UINT32_C(0x0A4582E1), UINT32_C(0x6CAD67CC) } }, - { { UINT32_C(0xB4DC8600), UINT32_C(0x597A26FF), UINT32_C(0xF9288555), - UINT32_C(0x264A09F3), UINT32_C(0x5C27F5F6), UINT32_C(0x0B06AFF6), - UINT32_C(0xD8D544E6), UINT32_C(0xCE5AB665), UINT32_C(0x99275C32), - UINT32_C(0x92F031BE), UINT32_C(0xF42E0E7C), UINT32_C(0xAF51C5BB) }, - { UINT32_C(0x1E37B36D), UINT32_C(0x5BB28B06), UINT32_C(0x8473543A), - UINT32_C(0x583FBA6A), UINT32_C(0xF93FB7DC), UINT32_C(0xE73FD299), - UINT32_C(0x6E2CCAD9), UINT32_C(0xFCD999A8), UINT32_C(0x334D4F57), - UINT32_C(0xB8C8A6DF), UINT32_C(0x9A2ACC9B), UINT32_C(0x5ADB28DD) } }, - { { UINT32_C(0x111792B9), UINT32_C(0x5ADF3D9A), UINT32_C(0x4F1E0D09), - UINT32_C(0x1C77A305), UINT32_C(0xA82D3736), UINT32_C(0xF9FBCE33), - UINT32_C(0x718C8AA3), UINT32_C(0xF307823E), UINT32_C(0x416CCF69), - UINT32_C(0x860578CF), UINT32_C(0x1EF8465B), UINT32_C(0xB942ADD8) }, - { UINT32_C(0xCD9472E1), UINT32_C(0x9EE0CF97), UINT32_C(0xB01528A8), - UINT32_C(0xE6792EEF), UINT32_C(0xC09DA90B), UINT32_C(0xF99B9A8D), - UINT32_C(0xCBF3CCB8), UINT32_C(0x1F521C2D), UINT32_C(0x91A62632), - UINT32_C(0x6BF66948), UINT32_C(0x854FE9DA), UINT32_C(0xCC7A9CEB) } }, - { { UINT32_C(0x491CCB92), UINT32_C(0x46303171), UINT32_C(0x2771235B), - UINT32_C(0xA80A8C0D), UINT32_C(0xF172C7CF), UINT32_C(0xD8E497FF), - UINT32_C(0x35B193CF), UINT32_C(0x7F7009D7), UINT32_C(0xF19DF4BC), - UINT32_C(0x6B9FD3F7), UINT32_C(0xB46F1E37), UINT32_C(0xADA548C3) }, - { UINT32_C(0xC7A20270), UINT32_C(0x87C6EAA9), UINT32_C(0xAE78EF99), - UINT32_C(0xEF2245D6), UINT32_C(0x539EAB95), UINT32_C(0x2A121042), - UINT32_C(0x79B8F5CC), UINT32_C(0x29A6D5D7), UINT32_C(0xB77840DC), - UINT32_C(0x33803A10), UINT32_C(0x11A6A30F), UINT32_C(0xFEDD3A70) } }, - { { UINT32_C(0x142403D1), UINT32_C(0xFA070E22), UINT32_C(0x15C6F7F5), - UINT32_C(0x68FF3160), UINT32_C(0x223A0CE8), UINT32_C(0xE09F04E6), - UINT32_C(0x53E14183), UINT32_C(0x22BBD018), UINT32_C(0xCF45B75B), - UINT32_C(0x35D9FAFC), UINT32_C(0x7ECEEC88), UINT32_C(0x3A34819D) }, - { UINT32_C(0xD33262D2), UINT32_C(0xD9CF7568), UINT32_C(0x841D1505), - UINT32_C(0x431036D5), UINT32_C(0x9EB2A79A), UINT32_C(0x0C800565), - UINT32_C(0x5F7EDC6A), UINT32_C(0x8E77D9F0), UINT32_C(0x65E800AA), - UINT32_C(0x19E12D05), UINT32_C(0xB7784E7C), UINT32_C(0x335C8D36) } }, - { { UINT32_C(0x6484FD40), UINT32_C(0x8B2FC4E9), UINT32_C(0xA35D24EA), - UINT32_C(0xEE702764), UINT32_C(0xB871C3F3), UINT32_C(0x15B28AC7), - UINT32_C(0xE097047F), UINT32_C(0x805B4048), UINT32_C(0x647CAD2F), - UINT32_C(0xD6F1B8DF), UINT32_C(0xDC7DD67F), UINT32_C(0xF1D5B458) }, - { UINT32_C(0x25148803), UINT32_C(0x324C529C), UINT32_C(0x21274FAF), - UINT32_C(0xF6185EBE), UINT32_C(0x95148B55), UINT32_C(0xAF14751E), - UINT32_C(0x28F284F4), UINT32_C(0x283ED89D), UINT32_C(0x4CBEBF1A), - UINT32_C(0x93AD20E7), UINT32_C(0x882935E1), UINT32_C(0x5F6EC65D) } }, - { { UINT32_C(0xA4DCEFE9), UINT32_C(0xE222EBA4), UINT32_C(0xEC1CEB74), - UINT32_C(0x63AD235F), UINT32_C(0xE05B18E7), UINT32_C(0x2E0BF749), - UINT32_C(0xB48BDD87), UINT32_C(0x547BD050), UINT32_C(0xF5AA2FC4), - UINT32_C(0x0490C970), UINT32_C(0x2B431390), UINT32_C(0xCED5E4CF) }, - { UINT32_C(0x51D2898E), UINT32_C(0x07D82704), UINT32_C(0x083B57D4), - UINT32_C(0x44B72442), UINT32_C(0x5037FCE8), UINT32_C(0xA4ADA230), - UINT32_C(0x50510DA6), UINT32_C(0x55F7905E), UINT32_C(0x8D890A98), - UINT32_C(0xD8EE724F), UINT32_C(0x11B85640), UINT32_C(0x925A8E7C) } }, - { { UINT32_C(0x1CA459ED), UINT32_C(0x5BFA10CD), UINT32_C(0x6DCF56BF), - UINT32_C(0x593F085A), UINT32_C(0xC0579C3E), UINT32_C(0xE6F0AD9B), - UINT32_C(0x2527C1AD), UINT32_C(0xC11C95A2), UINT32_C(0xCF1CB8B3), - UINT32_C(0x7CFA71E1), UINT32_C(0x1D6DC79D), UINT32_C(0xEDCFF833) }, - { UINT32_C(0x432521C9), UINT32_C(0x581C4BBE), UINT32_C(0x144E11A0), - UINT32_C(0xBF620096), UINT32_C(0xBE3A107B), UINT32_C(0x54C38B71), - UINT32_C(0xE2606EC0), UINT32_C(0xED555E37), UINT32_C(0xD721D034), - UINT32_C(0x3FB148B8), UINT32_C(0x0091BC90), UINT32_C(0x79D53DAD) } }, - { { UINT32_C(0xB7082C80), UINT32_C(0xE32068C5), UINT32_C(0x7A144E22), - UINT32_C(0x4140FFD2), UINT32_C(0x9EDD9E86), UINT32_C(0x5811D2F0), - UINT32_C(0xC572C465), UINT32_C(0xCDD79B5F), UINT32_C(0xC97BF450), - UINT32_C(0x3563FED1), UINT32_C(0xF2CE5C9C), UINT32_C(0x985C1444) }, - { UINT32_C(0x99950F1C), UINT32_C(0x260AE797), UINT32_C(0x765E9DED), - UINT32_C(0x659F4F40), UINT32_C(0x2E3BC286), UINT32_C(0x2A412D66), - UINT32_C(0xF87E0C82), UINT32_C(0xE865E62C), UINT32_C(0x6C05E7D7), - UINT32_C(0xD63D3A9A), UINT32_C(0x8686F89A), UINT32_C(0x96725D67) } }, - { { UINT32_C(0xAB7EA0F5), UINT32_C(0xC99A5E4C), UINT32_C(0xC5393FA9), - UINT32_C(0xC9860A1A), UINT32_C(0x8FDEEFC0), UINT32_C(0x9ED83CEE), - UINT32_C(0x5ED6869A), UINT32_C(0xE3EA8B4C), UINT32_C(0xD2EED3A9), - UINT32_C(0x89A85463), UINT32_C(0xE421A622), UINT32_C(0x2CD91B6D) }, - { UINT32_C(0x2C91C41D), UINT32_C(0x6FEC1EF3), UINT32_C(0x8171037D), - UINT32_C(0xB1540D1F), UINT32_C(0x1C010E5B), UINT32_C(0x4FE4991A), - UINT32_C(0xFC1C7368), UINT32_C(0x28A3469F), UINT32_C(0xAF118781), - UINT32_C(0xE1EEECD1), UINT32_C(0x99EF3531), UINT32_C(0x1BCCB977) } }, - { { UINT32_C(0xC4DAB7B8), UINT32_C(0x63D3B638), UINT32_C(0x3F7F5BAB), - UINT32_C(0xD92133B6), UINT32_C(0x09FB6069), UINT32_C(0x2573EE20), - UINT32_C(0x890A1686), UINT32_C(0x771FABDF), UINT32_C(0xA77AFFF5), - UINT32_C(0x1D0BA21F), UINT32_C(0xBA3DD2C0), UINT32_C(0x83145FCC) }, - { UINT32_C(0x2D115C20), UINT32_C(0xFA073A81), UINT32_C(0x19176F27), - UINT32_C(0x6AB7A9D3), UINT32_C(0x9AC639EE), UINT32_C(0xAF62CF93), - UINT32_C(0x2CCD1319), UINT32_C(0xF73848B9), UINT32_C(0x3C71659D), - UINT32_C(0x3B613234), UINT32_C(0x10AB3826), UINT32_C(0xF8E0011C) } }, - { { UINT32_C(0x0282FFA5), UINT32_C(0x0501F036), UINT32_C(0xD9E0F15A), - UINT32_C(0xC39A5CF4), UINT32_C(0x9A3D1F3C), UINT32_C(0x48D8C729), - UINT32_C(0x64E18EDA), UINT32_C(0xB5FC136B), UINT32_C(0x7E58FEF0), - UINT32_C(0xE81B53D9), UINT32_C(0xF7B0F28D), UINT32_C(0x0D534055) }, - { UINT32_C(0x7A80619B), UINT32_C(0x47B8DE12), UINT32_C(0x81F9E55D), - UINT32_C(0x60E2A2B3), UINT32_C(0xCF564CC5), UINT32_C(0x6E9624D7), - UINT32_C(0x6BDEDFFF), UINT32_C(0xFDF18A21), UINT32_C(0xC0D5FC82), - UINT32_C(0x3787DE38), UINT32_C(0x497A6B11), UINT32_C(0xCBCAA347) } }, - { { UINT32_C(0xB226465A), UINT32_C(0x6E7EF35E), UINT32_C(0x5F8A2BAF), - UINT32_C(0x4B469919), UINT32_C(0x1120D93F), UINT32_C(0x44B3A3CF), - UINT32_C(0x68F34AD1), UINT32_C(0xB052C8B6), UINT32_C(0xEF7632DD), - UINT32_C(0x27EC574B), UINT32_C(0x685DE26F), UINT32_C(0xAEBEA108) }, - { UINT32_C(0xE39424B6), UINT32_C(0xDA33236B), UINT32_C(0xEBCC22AD), - UINT32_C(0xB1BD94A9), UINT32_C(0x2CDFB5D5), UINT32_C(0x6DDEE6CC), - UINT32_C(0x6F14069A), UINT32_C(0xBDAED927), UINT32_C(0x2A247CB7), - UINT32_C(0x2ADE427C), UINT32_C(0xED156A40), UINT32_C(0xCE96B436) } }, - { { UINT32_C(0x81F3F819), UINT32_C(0xDDDCA360), UINT32_C(0xD419B96A), - UINT32_C(0x4AF4A49F), UINT32_C(0x7CB966B9), UINT32_C(0x746C6525), - UINT32_C(0x6F610023), UINT32_C(0x01E39088), UINT32_C(0x98DD33FC), - UINT32_C(0x05ECB38D), UINT32_C(0x8F84EDF4), UINT32_C(0x962B971B) }, - { UINT32_C(0x6A6F2602), UINT32_C(0xEB32C0A5), UINT32_C(0x562D60F2), - UINT32_C(0xF026AF71), UINT32_C(0x84615FAB), UINT32_C(0xA9E246BF), - UINT32_C(0x75DBAE01), UINT32_C(0xAD967092), UINT32_C(0x3ECE5D07), - UINT32_C(0xBF97C79B), UINT32_C(0x74EAA3D3), UINT32_C(0xE06266C7) } }, - { { UINT32_C(0x2E6DBB6E), UINT32_C(0x161A0157), UINT32_C(0x60FA8F47), - UINT32_C(0xB8AF4904), UINT32_C(0x00197F22), UINT32_C(0xE4336C44), - UINT32_C(0x9CEDCE0E), UINT32_C(0xF811AFFA), UINT32_C(0xF94C2EF1), - UINT32_C(0xB1DD7685), UINT32_C(0xCA957BB0), UINT32_C(0xEEDC0F4B) }, - { UINT32_C(0x4AA76BB1), UINT32_C(0xD319FD57), UINT32_C(0x16CD7CCB), - UINT32_C(0xB3525D7C), UINT32_C(0xA97DD072), UINT32_C(0x7B22DA9C), - UINT32_C(0x38A83E71), UINT32_C(0x99DB84BD), UINT32_C(0xC0EDD8BE), - UINT32_C(0x4939BC8D), UINT32_C(0x903A932C), UINT32_C(0x06D524EA) } }, - { { UINT32_C(0x0E31F639), UINT32_C(0x4BC950EC), UINT32_C(0x6016BE30), - UINT32_C(0xB7ABD3DC), UINT32_C(0x6703DAD0), UINT32_C(0x3B0F4473), - UINT32_C(0x0AC1C4EA), UINT32_C(0xCC405F8B), UINT32_C(0x176C3FEE), - UINT32_C(0x9BED5E57), UINT32_C(0x36AE36C2), UINT32_C(0xF4524810) }, - { UINT32_C(0x15D7B503), UINT32_C(0xC1EDBB83), UINT32_C(0xE30F3657), - UINT32_C(0x943B1156), UINT32_C(0x98377805), UINT32_C(0x984E9EEF), - UINT32_C(0x36CF1DEB), UINT32_C(0x291AE7AC), UINT32_C(0xA9F66DF3), - UINT32_C(0xFED8748C), UINT32_C(0xFEA8FA5D), UINT32_C(0xECA758BB) } }, - }, - { - { { UINT32_C(0x2DD1B249), UINT32_C(0xACC787EF), UINT32_C(0xD82976F1), - UINT32_C(0x736E1030), UINT32_C(0xA01B3649), UINT32_C(0x0A6940FA), - UINT32_C(0xC42341E7), UINT32_C(0xE00B926B), UINT32_C(0xDE8FFD6C), - UINT32_C(0x911508D0), UINT32_C(0x5276B0CB), UINT32_C(0x4DCF8D46) }, - { UINT32_C(0xCC3CAD8D), UINT32_C(0x23AD0A90), UINT32_C(0xADED962A), - UINT32_C(0x2A92E54C), UINT32_C(0xF231BFAF), UINT32_C(0x93FBEC4D), - UINT32_C(0x4798987A), UINT32_C(0x9544BC77), UINT32_C(0x08E29F60), - UINT32_C(0x48084E25), UINT32_C(0x32DE5869), UINT32_C(0x0C0D2F43) } }, - { { UINT32_C(0x3A9ABC13), UINT32_C(0x6778F970), UINT32_C(0x3D2B166B), - UINT32_C(0xFD014FAC), UINT32_C(0x3C6FED60), UINT32_C(0x1FE4FC78), - UINT32_C(0xAA7C69C5), UINT32_C(0x04295FA8), UINT32_C(0x7C123175), - UINT32_C(0xA01DE56D), UINT32_C(0x3D9A713A), UINT32_C(0x0FA0D3A8) }, - { UINT32_C(0xE3E08ADD), UINT32_C(0xA7A6E5E3), UINT32_C(0x1AC58F85), - UINT32_C(0xBD77E94B), UINT32_C(0xB7321A9C), UINT32_C(0x078F6FD2), - UINT32_C(0x911EF6D9), UINT32_C(0x9564601E), UINT32_C(0x415C6BEF), - UINT32_C(0x31C5C1B2), UINT32_C(0xD3212C62), UINT32_C(0xE6C0C91E) } }, - { { UINT32_C(0x0D16022F), UINT32_C(0xBA7BD23C), UINT32_C(0x198BE288), - UINT32_C(0xE9CF4750), UINT32_C(0x47DEEC65), UINT32_C(0x304E3169), - UINT32_C(0x96EEB288), UINT32_C(0xCF65B41F), UINT32_C(0x927E9E3B), - UINT32_C(0x17E99C17), UINT32_C(0xF6630A80), UINT32_C(0x82225546) }, - { UINT32_C(0xCA067BD9), UINT32_C(0x15122B8A), UINT32_C(0xB77B4E98), - UINT32_C(0xE2673205), UINT32_C(0x9407CA63), UINT32_C(0x13037565), - UINT32_C(0x8B621602), UINT32_C(0x53624F54), UINT32_C(0xEAE4BD06), - UINT32_C(0x96AF2CB1), UINT32_C(0x8FA20829), UINT32_C(0x576ECD1C) } }, - { { UINT32_C(0x7E02D2D0), UINT32_C(0xA551CE10), UINT32_C(0x9D13DBC7), - UINT32_C(0x1584ED24), UINT32_C(0x4DA7B6D8), UINT32_C(0x082017AD), - UINT32_C(0xE054BC48), UINT32_C(0x81918A8F), UINT32_C(0x572DC384), - UINT32_C(0x677DB48E), UINT32_C(0x6155484C), UINT32_C(0x2EF82296) }, - { UINT32_C(0x41B9C231), UINT32_C(0xC3DB14C6), UINT32_C(0x4A766192), - UINT32_C(0x910A87D1), UINT32_C(0x10AB8E0F), UINT32_C(0x93D5CC86), - UINT32_C(0xAE57CA1B), UINT32_C(0x4194D548), UINT32_C(0x267FC37A), - UINT32_C(0xFAF3A1D6), UINT32_C(0x13B87C97), UINT32_C(0x70EC2364) } }, - { { UINT32_C(0x5E12756A), UINT32_C(0x064B565B), UINT32_C(0xAE49C98E), - UINT32_C(0x953B7BD1), UINT32_C(0xF7001D91), UINT32_C(0xE0CE8284), - UINT32_C(0xF31108D0), UINT32_C(0x1546060B), UINT32_C(0x6779B6E2), - UINT32_C(0xDBC2C3F4), UINT32_C(0xE0DD07CF), UINT32_C(0x157AA47D) }, - { UINT32_C(0xF23B261E), UINT32_C(0xBF4A1C6F), UINT32_C(0x654F4BE5), - UINT32_C(0x5B8EED30), UINT32_C(0x6B20CCD8), UINT32_C(0xDF5896D3), - UINT32_C(0x559ED23D), UINT32_C(0x56920E2C), UINT32_C(0xFA6E3E27), - UINT32_C(0x901F342E), UINT32_C(0x896CA082), UINT32_C(0x745C747C) } }, - { { UINT32_C(0x2944EC84), UINT32_C(0xDBCCD575), UINT32_C(0xA5FF65FE), - UINT32_C(0x54A2A935), UINT32_C(0x1A1319B6), UINT32_C(0x88C92A5E), - UINT32_C(0x82DA96C1), UINT32_C(0x9537C28F), UINT32_C(0x35F93C46), - UINT32_C(0xB6836474), UINT32_C(0x65B0846C), UINT32_C(0xEC526A1D) }, - { UINT32_C(0xF382C412), UINT32_C(0x6F12AFBD), UINT32_C(0x9E99FA06), - UINT32_C(0x5EBC81D8), UINT32_C(0x869B93BD), UINT32_C(0x97B5D672), - UINT32_C(0x377E12AA), UINT32_C(0x2983C310), UINT32_C(0x24D681EA), - UINT32_C(0x48759681), UINT32_C(0x287FD767), UINT32_C(0x1E0BD106) } }, - { { UINT32_C(0x7231247F), UINT32_C(0x0AC75A3E), UINT32_C(0xEF27AD3A), - UINT32_C(0x65C20DE6), UINT32_C(0xBD02EEE5), UINT32_C(0x87EB6CF1), - UINT32_C(0x00147E03), UINT32_C(0x264ACA7A), UINT32_C(0xAE2A9437), - UINT32_C(0xEBC78581), UINT32_C(0x6316BFA5), UINT32_C(0x9929964E) }, - { UINT32_C(0x9AF207EF), UINT32_C(0xDC09E040), UINT32_C(0x0C9D8658), - UINT32_C(0x3ECFFE2D), UINT32_C(0xDFB43D38), UINT32_C(0x547EA735), - UINT32_C(0xD04B1B20), UINT32_C(0x5485247B), UINT32_C(0xBFD8B609), - UINT32_C(0xB18D3F02), UINT32_C(0xCCE73705), UINT32_C(0xEEB3E805) } }, - { { UINT32_C(0xDB93850F), UINT32_C(0xDAB1A525), UINT32_C(0x8365B7D5), - UINT32_C(0x18ADAA23), UINT32_C(0x113FC8C7), UINT32_C(0x58485C90), - UINT32_C(0x348AD323), UINT32_C(0x80C3DBB9), UINT32_C(0xE16ADCA1), - UINT32_C(0xAF892FB5), UINT32_C(0x979F005A), UINT32_C(0x2183C879) }, - { UINT32_C(0x0643A99E), UINT32_C(0x20FA1A94), UINT32_C(0x1A1609CB), - UINT32_C(0x2741221C), UINT32_C(0x3C2FBDDC), UINT32_C(0x1C1687E5), - UINT32_C(0xD420D6CF), UINT32_C(0xDCCF329E), UINT32_C(0x2B7197D1), - UINT32_C(0x75D5577D), UINT32_C(0xC8729D9C), UINT32_C(0x4C3C3875) } }, - { { UINT32_C(0xE5CBDCB9), UINT32_C(0x5E79F995), UINT32_C(0xA742FCC7), - UINT32_C(0x03139824), UINT32_C(0x239EF4A1), UINT32_C(0x6D0C214A), - UINT32_C(0x401A2944), UINT32_C(0x53A27952), UINT32_C(0xC10BCDF0), - UINT32_C(0xF42A1B34), UINT32_C(0x7CF38061), UINT32_C(0x426BAA43) }, - { UINT32_C(0xA96AD0C8), UINT32_C(0x16A53139), UINT32_C(0x6BAD5301), - UINT32_C(0x627F1D31), UINT32_C(0x4ACCD627), UINT32_C(0x5AF74877), - UINT32_C(0xB55B0FB8), UINT32_C(0x3C58A1C5), UINT32_C(0xF4399A6A), - UINT32_C(0xFAA57B91), UINT32_C(0xC28094B8), UINT32_C(0xBAD283FB) } }, - { { UINT32_C(0x83E10A93), UINT32_C(0xBA32AC61), UINT32_C(0xEC06BDB0), - UINT32_C(0x1C91F6B4), UINT32_C(0x65F60C93), UINT32_C(0x42E6CFBC), - UINT32_C(0x2C0CDCBE), UINT32_C(0xEFE33BC8), UINT32_C(0x4D6414F2), - UINT32_C(0xE0FE1D09), UINT32_C(0x76FA5C5B), UINT32_C(0x4C112316) }, - { UINT32_C(0x2E26200A), UINT32_C(0x812C1DC6), UINT32_C(0xEE879D25), - UINT32_C(0xD6C413C5), UINT32_C(0xBCA8BAFE), UINT32_C(0xBEADE255), - UINT32_C(0xCE2BA0E7), UINT32_C(0x0EAF4AE2), UINT32_C(0xC4F4408A), - UINT32_C(0x66E9FFB0), UINT32_C(0x9782C7AD), UINT32_C(0xB36A86D7) } }, - { { UINT32_C(0xBAD8D1C7), UINT32_C(0x10FCD1F4), UINT32_C(0x4502F645), - UINT32_C(0xC903816A), UINT32_C(0xA503B895), UINT32_C(0x7FAC1CC1), - UINT32_C(0x0778900C), UINT32_C(0x8BCD6041), UINT32_C(0x5BCF2784), - UINT32_C(0x5A5F2202), UINT32_C(0x10EDB896), UINT32_C(0x9B157E87) }, - { UINT32_C(0xF602A8B1), UINT32_C(0x4C58DA69), UINT32_C(0x59EC9D7E), - UINT32_C(0xD55132F8), UINT32_C(0xA26D4870), UINT32_C(0x155B719A), - UINT32_C(0x36441746), UINT32_C(0x25AAFCA3), UINT32_C(0xDD3B6B30), - UINT32_C(0x01F83338), UINT32_C(0x551917CC), UINT32_C(0xD52BB5C1) } }, - { { UINT32_C(0x6135066A), UINT32_C(0xA0B6207B), UINT32_C(0x2AEC8CBD), - UINT32_C(0xB3409F84), UINT32_C(0x19D87DF0), UINT32_C(0x5EBFD436), - UINT32_C(0xE8526DE2), UINT32_C(0xCB4C209B), UINT32_C(0x21E1A230), - UINT32_C(0xD764085B), UINT32_C(0x0899964A), UINT32_C(0x96F91554) }, - { UINT32_C(0xA57D122A), UINT32_C(0xB0BEC8EF), UINT32_C(0x5D9D0B33), - UINT32_C(0xC572EC56), UINT32_C(0xCFA7C72C), UINT32_C(0xEBE2A780), - UINT32_C(0x9EF3295C), UINT32_C(0x52D40CDB), UINT32_C(0x0DE74DFE), - UINT32_C(0x64004584), UINT32_C(0xC0809716), UINT32_C(0xA6846432) } }, - { { UINT32_C(0x02C979BC), UINT32_C(0x0D09E8CD), UINT32_C(0x409F4F2A), - UINT32_C(0xEC4B21F6), UINT32_C(0x13FB07CA), UINT32_C(0x68125C70), - UINT32_C(0x6FDFA72A), UINT32_C(0x1C4CFC17), UINT32_C(0x04539FCD), - UINT32_C(0xC9E71B9E), UINT32_C(0x8BA70797), UINT32_C(0x94B7103D) }, - { UINT32_C(0xB33FDE83), UINT32_C(0x6B81E82F), UINT32_C(0xEABAFD4B), - UINT32_C(0x7CA9A8CA), UINT32_C(0xEAB819CE), UINT32_C(0xADD85A67), - UINT32_C(0x98E99FFC), UINT32_C(0xAEC25483), UINT32_C(0x274A07B6), - UINT32_C(0x938D6440), UINT32_C(0x564A6AA0), UINT32_C(0x0A5C7097) } }, - { { UINT32_C(0x2F4FCEB6), UINT32_C(0x7284FF50), UINT32_C(0x78D0D5CB), - UINT32_C(0x0A28715A), UINT32_C(0xBFCE187C), UINT32_C(0xE70B7014), - UINT32_C(0x7A17148D), UINT32_C(0xA6B538F5), UINT32_C(0xDD427166), - UINT32_C(0x1DAB07C9), UINT32_C(0x149D23CA), UINT32_C(0x5C5578B0) }, - { UINT32_C(0x875B5EDE), UINT32_C(0x875E2056), UINT32_C(0x02C893B9), - UINT32_C(0xCBF44B6D), UINT32_C(0x5C2993FB), UINT32_C(0x5715A77E), - UINT32_C(0x3410597E), UINT32_C(0xAF328146), UINT32_C(0x42DC49DF), - UINT32_C(0x65DF418F), UINT32_C(0xA9EE52F6), UINT32_C(0x7AC9C720) } }, - { { UINT32_C(0x62955486), UINT32_C(0xB1C9AA07), UINT32_C(0x245061D7), - UINT32_C(0xCBF35BE3), UINT32_C(0x8CF4DDC0), UINT32_C(0x811E1BD3), - UINT32_C(0x948F7C84), UINT32_C(0xD9D4589C), UINT32_C(0xCB0F996D), - UINT32_C(0x30D09A0F), UINT32_C(0x590E7704), UINT32_C(0x1A1B3B7A) }, - { UINT32_C(0x2082768D), UINT32_C(0xA848E349), UINT32_C(0x9A249DF4), - UINT32_C(0x9FEBD492), UINT32_C(0x5F20439A), UINT32_C(0x503420AF), - UINT32_C(0x8E2BFCD4), UINT32_C(0x0CBE52B6), UINT32_C(0x118C91B2), - UINT32_C(0xB1D5E261), UINT32_C(0x71D8F2BC), UINT32_C(0x93CFF6DA) } }, - { { UINT32_C(0x8AB58944), UINT32_C(0x5F5BC06B), UINT32_C(0x4979882D), - UINT32_C(0xE4BED538), UINT32_C(0xD79B0EB1), UINT32_C(0x57C30362), - UINT32_C(0xEF7C56D8), UINT32_C(0x391AE2C1), UINT32_C(0xADD98625), - UINT32_C(0x28BC2E97), UINT32_C(0x1B257107), UINT32_C(0xFA8E86B8) }, - { UINT32_C(0x6118C715), UINT32_C(0x5E4859F8), UINT32_C(0x524C71DD), - UINT32_C(0x91C83324), UINT32_C(0x6D2F5E6D), UINT32_C(0xFB209243), - UINT32_C(0x2A900A43), UINT32_C(0x6B4FE21F), UINT32_C(0x32A73C1F), - UINT32_C(0x241F75D6), UINT32_C(0x5AE89613), UINT32_C(0xF5BC4629) } }, - } -}; - -/*- - * Finite field inversion. - * Computed with Bernstein-Yang algorithm. - * https://tches.iacr.org/index.php/TCHES/article/view/8298 - * Based on https://github.com/mit-plv/fiat-crypto/tree/master/inversion/c - * NB: this is not a real fiat-crypto function, just named that way for consistency. - */ -static void -fiat_secp384r1_inv(fe_t output, const fe_t t1) -{ - int i; - fe_t v1, r1, v2; - limb_t *r2 = output; - limb_t f1[LIMB_CNT + 1], g1[LIMB_CNT + 1], f2[LIMB_CNT + 1], - g2[LIMB_CNT + 1]; - limb_t d2, d1 = 1; - - fe_copy(g1, t1); - g1[LIMB_CNT] = 0; - fe_copy(f1, const_psat); - f1[LIMB_CNT] = 0; - fe_copy(r1, const_one); - fe_set_zero(v1); - - /* 1110 divstep iterations */ - for (i = 0; i < 555; i++) { - fiat_secp384r1_divstep(&d2, f2, g2, v2, r2, d1, f1, g1, v1, r1); - fiat_secp384r1_divstep(&d1, f1, g1, v1, r1, d2, f2, g2, v2, r2); + if (!ecPrivKey || !signature || !digest || !kb || + !ecPrivKey->privateValue.data || + !signature->data || !digest->data || + ecPrivKey->ecParams.name != ECCurve_NIST_P384) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + res = SECFailure; + return res; } - fiat_secp384r1_opp(output, v1); - fiat_secp384r1_selectznz(output, f1[LIMB_CNT] >> (LIMB_BITS - 1), v1, - output); - fiat_secp384r1_mul(output, output, const_divstep); -} - -/*- - * Q := 2P, both projective, Q and P same pointers OK - * Autogenerated: op3/dbl_proj.op3 - * https://eprint.iacr.org/2015/1060 Alg 6 - * ASSERT: a = -3 - */ -static void -point_double(pt_prj_t *Q, const pt_prj_t *P) -{ - /* temporary variables */ - fe_t t0, t1, t2, t3, t4; - /* constants */ - const limb_t *b = const_b; - /* set pointers for legacy curve arith */ - const limb_t *X = P->X; - const limb_t *Y = P->Y; - const limb_t *Z = P->Z; - limb_t *X3 = Q->X; - limb_t *Y3 = Q->Y; - limb_t *Z3 = Q->Z; - - /* the curve arith formula */ - fiat_secp384r1_square(t0, X); - fiat_secp384r1_square(t1, Y); - fiat_secp384r1_square(t2, Z); - fiat_secp384r1_mul(t3, X, Y); - fiat_secp384r1_add(t3, t3, t3); - fiat_secp384r1_mul(t4, Y, Z); - fiat_secp384r1_mul(Z3, X, Z); - fiat_secp384r1_add(Z3, Z3, Z3); - fiat_secp384r1_mul(Y3, b, t2); - fiat_secp384r1_sub(Y3, Y3, Z3); - fiat_secp384r1_add(X3, Y3, Y3); - fiat_secp384r1_add(Y3, X3, Y3); - fiat_secp384r1_sub(X3, t1, Y3); - fiat_secp384r1_add(Y3, t1, Y3); - fiat_secp384r1_mul(Y3, X3, Y3); - fiat_secp384r1_mul(X3, X3, t3); - fiat_secp384r1_add(t3, t2, t2); - fiat_secp384r1_add(t2, t2, t3); - fiat_secp384r1_mul(Z3, b, Z3); - fiat_secp384r1_sub(Z3, Z3, t2); - fiat_secp384r1_sub(Z3, Z3, t0); - fiat_secp384r1_add(t3, Z3, Z3); - fiat_secp384r1_add(Z3, Z3, t3); - fiat_secp384r1_add(t3, t0, t0); - fiat_secp384r1_add(t0, t3, t0); - fiat_secp384r1_sub(t0, t0, t2); - fiat_secp384r1_mul(t0, t0, Z3); - fiat_secp384r1_add(Y3, Y3, t0); - fiat_secp384r1_add(t0, t4, t4); - fiat_secp384r1_mul(Z3, t0, Z3); - fiat_secp384r1_sub(X3, X3, Z3); - fiat_secp384r1_mul(Z3, t0, t1); - fiat_secp384r1_add(Z3, Z3, Z3); - fiat_secp384r1_add(Z3, Z3, Z3); -} - -/*- - * R := Q + P where R and Q are projective, P affine. - * R and Q same pointers OK - * R and P same pointers not OK - * Autogenerated: op3/add_mixed.op3 - * https://eprint.iacr.org/2015/1060 Alg 5 - * ASSERT: a = -3 - */ -static void -point_add_mixed(pt_prj_t *R, const pt_prj_t *Q, const pt_aff_t *P) -{ - /* temporary variables */ - fe_t t0, t1, t2, t3, t4; - /* constants */ - const limb_t *b = const_b; - /* set pointers for legacy curve arith */ - const limb_t *X1 = Q->X; - const limb_t *Y1 = Q->Y; - const limb_t *Z1 = Q->Z; - const limb_t *X2 = P->X; - const limb_t *Y2 = P->Y; - fe_t X3; - fe_t Y3; - fe_t Z3; - limb_t nz; - - /* check P for affine inf */ - fiat_secp384r1_nonzero(&nz, P->Y); - - /* the curve arith formula */ - fiat_secp384r1_mul(t0, X1, X2); - fiat_secp384r1_mul(t1, Y1, Y2); - fiat_secp384r1_add(t3, X2, Y2); - fiat_secp384r1_add(t4, X1, Y1); - fiat_secp384r1_mul(t3, t3, t4); - fiat_secp384r1_add(t4, t0, t1); - fiat_secp384r1_sub(t3, t3, t4); - fiat_secp384r1_mul(t4, Y2, Z1); - fiat_secp384r1_add(t4, t4, Y1); - fiat_secp384r1_mul(Y3, X2, Z1); - fiat_secp384r1_add(Y3, Y3, X1); - fiat_secp384r1_mul(Z3, b, Z1); - fiat_secp384r1_sub(X3, Y3, Z3); - fiat_secp384r1_add(Z3, X3, X3); - fiat_secp384r1_add(X3, X3, Z3); - fiat_secp384r1_sub(Z3, t1, X3); - fiat_secp384r1_add(X3, t1, X3); - fiat_secp384r1_mul(Y3, b, Y3); - fiat_secp384r1_add(t1, Z1, Z1); - fiat_secp384r1_add(t2, t1, Z1); - fiat_secp384r1_sub(Y3, Y3, t2); - fiat_secp384r1_sub(Y3, Y3, t0); - fiat_secp384r1_add(t1, Y3, Y3); - fiat_secp384r1_add(Y3, t1, Y3); - fiat_secp384r1_add(t1, t0, t0); - fiat_secp384r1_add(t0, t1, t0); - fiat_secp384r1_sub(t0, t0, t2); - fiat_secp384r1_mul(t1, t4, Y3); - fiat_secp384r1_mul(t2, t0, Y3); - fiat_secp384r1_mul(Y3, X3, Z3); - fiat_secp384r1_add(Y3, Y3, t2); - fiat_secp384r1_mul(X3, t3, X3); - fiat_secp384r1_sub(X3, X3, t1); - fiat_secp384r1_mul(Z3, t4, Z3); - fiat_secp384r1_mul(t1, t3, t0); - fiat_secp384r1_add(Z3, Z3, t1); - - /* if P is inf, throw all that away and take Q */ - fiat_secp384r1_selectznz(R->X, nz, Q->X, X3); - fiat_secp384r1_selectznz(R->Y, nz, Q->Y, Y3); - fiat_secp384r1_selectznz(R->Z, nz, Q->Z, Z3); -} - -/*- - * R := Q + P all projective. - * R and Q same pointers OK - * R and P same pointers not OK - * Autogenerated: op3/add_proj.op3 - * https://eprint.iacr.org/2015/1060 Alg 4 - * ASSERT: a = -3 - */ -static void -point_add_proj(pt_prj_t *R, const pt_prj_t *Q, const pt_prj_t *P) -{ - /* temporary variables */ - fe_t t0, t1, t2, t3, t4, t5; - /* constants */ - const limb_t *b = const_b; - /* set pointers for legacy curve arith */ - const limb_t *X1 = Q->X; - const limb_t *Y1 = Q->Y; - const limb_t *Z1 = Q->Z; - const limb_t *X2 = P->X; - const limb_t *Y2 = P->Y; - const limb_t *Z2 = P->Z; - limb_t *X3 = R->X; - limb_t *Y3 = R->Y; - limb_t *Z3 = R->Z; - - /* the curve arith formula */ - fiat_secp384r1_mul(t0, X1, X2); - fiat_secp384r1_mul(t1, Y1, Y2); - fiat_secp384r1_mul(t2, Z1, Z2); - fiat_secp384r1_add(t3, X1, Y1); - fiat_secp384r1_add(t4, X2, Y2); - fiat_secp384r1_mul(t3, t3, t4); - fiat_secp384r1_add(t4, t0, t1); - fiat_secp384r1_sub(t3, t3, t4); - fiat_secp384r1_add(t4, Y1, Z1); - fiat_secp384r1_add(t5, Y2, Z2); - fiat_secp384r1_mul(t4, t4, t5); - fiat_secp384r1_add(t5, t1, t2); - fiat_secp384r1_sub(t4, t4, t5); - fiat_secp384r1_add(X3, X1, Z1); - fiat_secp384r1_add(Y3, X2, Z2); - fiat_secp384r1_mul(X3, X3, Y3); - fiat_secp384r1_add(Y3, t0, t2); - fiat_secp384r1_sub(Y3, X3, Y3); - fiat_secp384r1_mul(Z3, b, t2); - fiat_secp384r1_sub(X3, Y3, Z3); - fiat_secp384r1_add(Z3, X3, X3); - fiat_secp384r1_add(X3, X3, Z3); - fiat_secp384r1_sub(Z3, t1, X3); - fiat_secp384r1_add(X3, t1, X3); - fiat_secp384r1_mul(Y3, b, Y3); - fiat_secp384r1_add(t1, t2, t2); - fiat_secp384r1_add(t2, t1, t2); - fiat_secp384r1_sub(Y3, Y3, t2); - fiat_secp384r1_sub(Y3, Y3, t0); - fiat_secp384r1_add(t1, Y3, Y3); - fiat_secp384r1_add(Y3, t1, Y3); - fiat_secp384r1_add(t1, t0, t0); - fiat_secp384r1_add(t0, t1, t0); - fiat_secp384r1_sub(t0, t0, t2); - fiat_secp384r1_mul(t1, t4, Y3); - fiat_secp384r1_mul(t2, t0, Y3); - fiat_secp384r1_mul(Y3, X3, Z3); - fiat_secp384r1_add(Y3, Y3, t2); - fiat_secp384r1_mul(X3, t3, X3); - fiat_secp384r1_sub(X3, X3, t1); - fiat_secp384r1_mul(Z3, t4, Z3); - fiat_secp384r1_mul(t1, t3, t0); - fiat_secp384r1_add(Z3, Z3, t1); -} - -/* constants */ -#define RADIX 5 -#define DRADIX (1 << RADIX) -#define DRADIX_WNAF ((DRADIX) << 1) - -/*- - * precomp for wnaf scalar multiplication: - * precomp[0] = 1P - * precomp[1] = 3P - * precomp[2] = 5P - * precomp[3] = 7P - * precomp[4] = 9P - * ... - */ -static void -precomp_wnaf(pt_prj_t precomp[DRADIX / 2], const pt_aff_t *P) -{ - int i; - - fe_copy(precomp[0].X, P->X); - fe_copy(precomp[0].Y, P->Y); - fe_copy(precomp[0].Z, const_one); - point_double(&precomp[DRADIX / 2 - 1], &precomp[0]); - - for (i = 1; i < DRADIX / 2; i++) - point_add_proj(&precomp[i], &precomp[DRADIX / 2 - 1], &precomp[i - 1]); -} - -/* fetch a scalar bit */ -static int -scalar_get_bit(const unsigned char in[48], int idx) -{ - int widx, rshift; - - widx = idx >> 3; - rshift = idx & 0x7; - - if (idx < 0 || widx >= 48) - return 0; - - return (in[widx] >> rshift) & 0x1; -} - -/*- - * Compute "regular" wnaf representation of a scalar. - * See "Exponent Recoding and Regular Exponentiation Algorithms", - * Tunstall et al., AfricaCrypt 2009, Alg 6. - * It forces an odd scalar and outputs digits in - * {\pm 1, \pm 3, \pm 5, \pm 7, \pm 9, ...} - * i.e. signed odd digits with _no zeroes_ -- that makes it "regular". - */ -static void -scalar_rwnaf(int8_t out[77], const unsigned char in[48]) -{ - int i; - int8_t window, d; - - window = (in[0] & (DRADIX_WNAF - 1)) | 1; - for (i = 0; i < 76; i++) { - d = (window & (DRADIX_WNAF - 1)) - DRADIX; - out[i] = d; - window = (window - d) >> RADIX; - window += scalar_get_bit(in, (i + 1) * RADIX + 1) << 1; - window += scalar_get_bit(in, (i + 1) * RADIX + 2) << 2; - window += scalar_get_bit(in, (i + 1) * RADIX + 3) << 3; - window += scalar_get_bit(in, (i + 1) * RADIX + 4) << 4; - window += scalar_get_bit(in, (i + 1) * RADIX + 5) << 5; + if (kblen == 0 || digest->len == 0 || signature->len < 96) { + PORT_SetError(SEC_ERROR_INPUT_LEN); + res = SECFailure; + return res; } - out[i] = window; -} - -/*- - * Compute "textbook" wnaf representation of a scalar. - * NB: not constant time - */ -static void -scalar_wnaf(int8_t out[385], const unsigned char in[48]) -{ - int i; - int8_t window, d; - window = in[0] & (DRADIX_WNAF - 1); - for (i = 0; i < 385; i++) { - d = 0; - if ((window & 1) && ((d = window & (DRADIX_WNAF - 1)) & DRADIX)) - d -= DRADIX_WNAF; - out[i] = d; - window = (window - d) >> 1; - window += scalar_get_bit(in, i + 1 + RADIX) << RADIX; + // Private keys should be 48 bytes, but some software trims leading zeros, + // and some software produces 49 byte keys with a leading zero. We'll + // accept these variants. + uint8_t padded_key_data[48] = { 0 }; + uint8_t *key; + SECItem *privKey = &ecPrivKey->privateValue; + if (privKey->len == 48) { + key = privKey->data; + } else if (privKey->len == 49 && privKey->data[0] == 0) { + key = privKey->data + 1; + } else if (privKey->len < 48) { + memcpy(padded_key_data + 48 - privKey->len, privKey->data, privKey->len); + key = padded_key_data; + } else { + PORT_SetError(SEC_ERROR_INPUT_LEN); + return SECFailure; } -} - -/*- - * Simultaneous scalar multiplication: interleaved "textbook" wnaf. - * NB: not constant time - */ -static void -var_smul_wnaf_two(pt_aff_t *out, const unsigned char a[48], - const unsigned char b[48], const pt_aff_t *P) -{ - int i, d, is_neg, is_inf = 1, flipped = 0; - int8_t anaf[385] = { 0 }; - int8_t bnaf[385] = { 0 }; - pt_prj_t Q = { { 0 }, { 0 }, { 0 } }; - pt_prj_t precomp[DRADIX / 2]; - precomp_wnaf(precomp, P); - scalar_wnaf(anaf, a); - scalar_wnaf(bnaf, b); - - for (i = 384; i >= 0; i--) { - if (!is_inf) - point_double(&Q, &Q); - if ((d = bnaf[i])) { - if ((is_neg = d < 0) != flipped) { - fiat_secp384r1_opp(Q.Y, Q.Y); - flipped ^= 1; - } - d = (is_neg) ? (-d - 1) >> 1 : (d - 1) >> 1; - if (is_inf) { - /* initialize accumulator */ - fe_copy(Q.X, &precomp[d].X); - fe_copy(Q.Y, &precomp[d].Y); - fe_copy(Q.Z, &precomp[d].Z); - is_inf = 0; - } else - point_add_proj(&Q, &Q, &precomp[d]); - } - if ((d = anaf[i])) { - if ((is_neg = d < 0) != flipped) { - fiat_secp384r1_opp(Q.Y, Q.Y); - flipped ^= 1; - } - d = (is_neg) ? (-d - 1) >> 1 : (d - 1) >> 1; - if (is_inf) { - /* initialize accumulator */ - fe_copy(Q.X, &lut_cmb[0][d].X); - fe_copy(Q.Y, &lut_cmb[0][d].Y); - fe_copy(Q.Z, const_one); - is_inf = 0; - } else - point_add_mixed(&Q, &Q, &lut_cmb[0][d]); - } + uint8_t hash[48] = { 0 }; + if (digest->len < 48) { + memcpy(hash + 48 - digest->len, digest->data, digest->len); + } else { + memcpy(hash, digest->data, 48); } - if (is_inf) { - /* initialize accumulator to inf: all-zero scalars */ - fe_set_zero(Q.X); - fe_copy(Q.Y, const_one); - fe_set_zero(Q.Z); + uint8_t nonce[48] = { 0 }; + if (kblen < 48) { + memcpy(nonce + 48 - kblen, kb, kblen); + } else { + memcpy(nonce, kb, 48); } - if (flipped) { - /* correct sign */ - fiat_secp384r1_opp(Q.Y, Q.Y); + bool b = Hacl_P384_ecdsa_sign_p384_without_hash( + signature->data, 48, hash, key, nonce); + if (!b) { + PORT_SetError(SEC_ERROR_BAD_KEY); + res = SECFailure; + return res; } - /* convert to affine -- NB depends on coordinate system */ - fiat_secp384r1_inv(Q.Z, Q.Z); - fiat_secp384r1_mul(out->X, Q.X, Q.Z); - fiat_secp384r1_mul(out->Y, Q.Y, Q.Z); + signature->len = 96; + return res; } -/*- - * Variable point scalar multiplication with "regular" wnaf. - * Here "regular" means _no zeroes_, so the sequence of - * EC arithmetic ops is fixed. +/* + * ECDSA Signature Verification for P-384 */ -static void -var_smul_rwnaf(pt_aff_t *out, const unsigned char scalar[48], - const pt_aff_t *P) -{ - int i, j, d, diff, is_neg; - int8_t rnaf[77] = { 0 }; - pt_prj_t Q = { { 0 }, { 0 }, { 0 } }, lut = { { 0 }, { 0 }, { 0 } }; - pt_prj_t precomp[DRADIX / 2]; - - precomp_wnaf(precomp, P); - scalar_rwnaf(rnaf, scalar); -#if defined(_MSC_VER) - /* result still unsigned: yes we know */ -#pragma warning(push) -#pragma warning(disable : 4146) -#endif +SECStatus +ec_secp384r1_verify_digest(ECPublicKey *key, const SECItem *signature, + const SECItem *digest) +{ + SECStatus res = SECSuccess; - /* initialize accumulator to high digit */ - d = (rnaf[76] - 1) >> 1; - for (j = 0; j < DRADIX / 2; j++) { - diff = (1 - (-(d ^ j) >> (8 * sizeof(int) - 1))) & 1; - fiat_secp384r1_selectznz(Q.X, diff, Q.X, precomp[j].X); - fiat_secp384r1_selectznz(Q.Y, diff, Q.Y, precomp[j].Y); - fiat_secp384r1_selectznz(Q.Z, diff, Q.Z, precomp[j].Z); + if (!key || !signature || !digest || + !key->publicValue.data || + !signature->data || !digest->data || + key->ecParams.name != ECCurve_NIST_P384) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + res = SECFailure; + return res; } - for (i = 75; i >= 0; i--) { - for (j = 0; j < RADIX; j++) - point_double(&Q, &Q); - d = rnaf[i]; - /* is_neg = (d < 0) ? 1 : 0 */ - is_neg = (d >> (8 * sizeof(int) - 1)) & 1; - /* d = abs(d) */ - d = (d ^ -is_neg) + is_neg; - d = (d - 1) >> 1; - for (j = 0; j < DRADIX / 2; j++) { - diff = (1 - (-(d ^ j) >> (8 * sizeof(int) - 1))) & 1; - fiat_secp384r1_selectznz(lut.X, diff, lut.X, precomp[j].X); - fiat_secp384r1_selectznz(lut.Y, diff, lut.Y, precomp[j].Y); - fiat_secp384r1_selectznz(lut.Z, diff, lut.Z, precomp[j].Z); - } - /* negate lut point if digit is negative */ - fiat_secp384r1_opp(out->Y, lut.Y); - fiat_secp384r1_selectznz(lut.Y, is_neg, lut.Y, out->Y); - point_add_proj(&Q, &Q, &lut); + if (signature->len == 0 || signature->len % 2 != 0 || + signature->len > 96 || digest->len == 0 || + key->publicValue.len != 97) { + PORT_SetError(SEC_ERROR_INPUT_LEN); + res = SECFailure; + return res; } -#if defined(_MSC_VER) -#pragma warning(pop) -#endif - - /* conditionally subtract P if the scalar was even */ - fe_copy(lut.X, precomp[0].X); - fiat_secp384r1_opp(lut.Y, precomp[0].Y); - fe_copy(lut.Z, precomp[0].Z); - point_add_proj(&lut, &lut, &Q); - fiat_secp384r1_selectznz(Q.X, scalar[0] & 1, lut.X, Q.X); - fiat_secp384r1_selectznz(Q.Y, scalar[0] & 1, lut.Y, Q.Y); - fiat_secp384r1_selectznz(Q.Z, scalar[0] & 1, lut.Z, Q.Z); - - /* convert to affine -- NB depends on coordinate system */ - fiat_secp384r1_inv(Q.Z, Q.Z); - fiat_secp384r1_mul(out->X, Q.X, Q.Z); - fiat_secp384r1_mul(out->Y, Q.Y, Q.Z); -} - -/*- - * Fixed scalar multiplication: comb with interleaving. - */ -static void -fixed_smul_cmb(pt_aff_t *out, const unsigned char scalar[48]) -{ - int i, j, k, d, diff, is_neg = 0; - int8_t rnaf[77] = { 0 }; - pt_prj_t Q = { { 0 }, { 0 }, { 0 } }, R = { { 0 }, { 0 }, { 0 } }; - pt_aff_t lut = { { 0 }, { 0 } }; - - scalar_rwnaf(rnaf, scalar); - - /* initalize accumulator to inf */ - fe_set_zero(Q.X); - fe_copy(Q.Y, const_one); - fe_set_zero(Q.Z); - -#if defined(_MSC_VER) - /* result still unsigned: yes we know */ -#pragma warning(push) -#pragma warning(disable : 4146) -#endif - - for (i = 3; i >= 0; i--) { - for (j = 0; i != 3 && j < RADIX; j++) - point_double(&Q, &Q); - for (j = 0; j < 21; j++) { - if (j * 4 + i > 76) - continue; - d = rnaf[j * 4 + i]; - /* is_neg = (d < 0) ? 1 : 0 */ - is_neg = (d >> (8 * sizeof(int) - 1)) & 1; - /* d = abs(d) */ - d = (d ^ -is_neg) + is_neg; - d = (d - 1) >> 1; - for (k = 0; k < DRADIX / 2; k++) { - diff = (1 - (-(d ^ k) >> (8 * sizeof(int) - 1))) & 1; - fiat_secp384r1_selectznz(lut.X, diff, lut.X, lut_cmb[j][k].X); - fiat_secp384r1_selectznz(lut.Y, diff, lut.Y, lut_cmb[j][k].Y); - } - /* negate lut point if digit is negative */ - fiat_secp384r1_opp(out->Y, lut.Y); - fiat_secp384r1_selectznz(lut.Y, is_neg, lut.Y, out->Y); - point_add_mixed(&Q, &Q, &lut); - } + if (key->publicValue.data[0] != EC_POINT_FORM_UNCOMPRESSED) { + PORT_SetError(SEC_ERROR_UNSUPPORTED_EC_POINT_FORM); + res = SECFailure; + return res; } -#if defined(_MSC_VER) -#pragma warning(pop) -#endif - - /* conditionally subtract P if the scalar was even */ - fe_copy(lut.X, lut_cmb[0][0].X); - fiat_secp384r1_opp(lut.Y, lut_cmb[0][0].Y); - point_add_mixed(&R, &Q, &lut); - fiat_secp384r1_selectznz(Q.X, scalar[0] & 1, R.X, Q.X); - fiat_secp384r1_selectznz(Q.Y, scalar[0] & 1, R.Y, Q.Y); - fiat_secp384r1_selectznz(Q.Z, scalar[0] & 1, R.Z, Q.Z); - - /* convert to affine -- NB depends on coordinate system */ - fiat_secp384r1_inv(Q.Z, Q.Z); - fiat_secp384r1_mul(out->X, Q.X, Q.Z); - fiat_secp384r1_mul(out->Y, Q.Y, Q.Z); -} - -/*- - * Wrapper: simultaneous scalar mutiplication. - * outx, outy := a * G + b * P - * where P = (inx, iny). - * Everything is LE byte ordering. - */ -void -point_mul_two_secp384r1(unsigned char outx[48], unsigned char outy[48], - const unsigned char a[48], - const unsigned char b[48], - const unsigned char inx[48], - const unsigned char iny[48]) -{ - pt_aff_t P; + // Signatures should be 96 bytes, but some software produces short signatures. + // Pad components with zeros if necessary. + uint8_t paddedSigData[96] = { 0 }; + uint8_t *sig; + if (signature->len != 96) { + size_t split = signature->len / 2; - fiat_secp384r1_from_bytes(P.X, inx); - fiat_secp384r1_from_bytes(P.Y, iny); - fiat_secp384r1_to_montgomery(P.X, P.X); - fiat_secp384r1_to_montgomery(P.Y, P.Y); - /* simultaneous scalar multiplication */ - var_smul_wnaf_two(&P, a, b, &P); + memcpy(paddedSigData + 48 - split, signature->data, split); + memcpy(paddedSigData + 96 - split, signature->data + split, split); - fiat_secp384r1_from_montgomery(P.X, P.X); - fiat_secp384r1_from_montgomery(P.Y, P.Y); - fiat_secp384r1_to_bytes(outx, P.X); - fiat_secp384r1_to_bytes(outy, P.Y); -} - -/*- - * Wrapper: fixed scalar mutiplication. - * outx, outy := scalar * G - * Everything is LE byte ordering. - */ -void -point_mul_g_secp384r1(unsigned char outx[48], unsigned char outy[48], - const unsigned char scalar[48]) -{ - pt_aff_t P; + sig = paddedSigData; + } else { + sig = signature->data; + } - /* fixed scmul function */ - fixed_smul_cmb(&P, scalar); - fiat_secp384r1_from_montgomery(P.X, P.X); - fiat_secp384r1_from_montgomery(P.Y, P.Y); - fiat_secp384r1_to_bytes(outx, P.X); - fiat_secp384r1_to_bytes(outy, P.Y); -} + uint8_t hash[48] = { 0 }; + if (digest->len < 48) { + memcpy(hash + 48 - digest->len, digest->data, digest->len); + } else { + memcpy(hash, digest->data, 48); + } -/*- - * Wrapper: variable point scalar mutiplication. - * outx, outy := scalar * P - * where P = (inx, iny). - * Everything is LE byte ordering. - */ -void -point_mul_secp384r1(unsigned char outx[48], unsigned char outy[48], - const unsigned char scalar[48], - const unsigned char inx[48], - const unsigned char iny[48]) -{ - pt_aff_t P; + bool b = Hacl_P384_ecdsa_verif_without_hash( + 48, hash, key->publicValue.data + 1, sig, sig + 48); + if (!b) { + PORT_SetError(SEC_ERROR_BAD_SIGNATURE); + res = SECFailure; + return res; + } - fiat_secp384r1_from_bytes(P.X, inx); - fiat_secp384r1_from_bytes(P.Y, iny); - fiat_secp384r1_to_montgomery(P.X, P.X); - fiat_secp384r1_to_montgomery(P.Y, P.Y); - /* var scmul function */ - var_smul_rwnaf(&P, scalar, &P); - fiat_secp384r1_from_montgomery(P.X, P.X); - fiat_secp384r1_from_montgomery(P.Y, P.Y); - fiat_secp384r1_to_bytes(outx, P.X); - fiat_secp384r1_to_bytes(outy, P.Y); + return res; } - -#endif /* __SIZEOF_INT128__ */ diff --git a/nss/lib/freebl/ecl/ecp_secp384r1_wrap.c b/nss/lib/freebl/ecl/ecp_secp384r1_wrap.c deleted file mode 100644 index 26ed14d..0000000 --- a/nss/lib/freebl/ecl/ecp_secp384r1_wrap.c +++ /dev/null @@ -1,228 +0,0 @@ -/*- - * MIT License - * - - * Copyright (c) 2020 Luis Rivera-Zamarripa, Jesús-Javier Chi-Domínguez, Billy Bob Brumley - * - - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - - * The above copyright notice and this permission notice shall be included in all - * copies or substantial portions of the Software. - * - - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE - * SOFTWARE. - */ - -#undef RADIX -#include "ecp.h" -#include "ecp_secp384r1.h" -#include "mpi-priv.h" -#include "mplogic.h" - -/*- - * reverse bytes -- total hack - */ -#define MP_BE2LE(a) \ - do { \ - unsigned char z_bswap; \ - z_bswap = a[0]; \ - a[0] = a[47]; \ - a[47] = z_bswap; \ - z_bswap = a[1]; \ - a[1] = a[46]; \ - a[46] = z_bswap; \ - z_bswap = a[2]; \ - a[2] = a[45]; \ - a[45] = z_bswap; \ - z_bswap = a[3]; \ - a[3] = a[44]; \ - a[44] = z_bswap; \ - z_bswap = a[4]; \ - a[4] = a[43]; \ - a[43] = z_bswap; \ - z_bswap = a[5]; \ - a[5] = a[42]; \ - a[42] = z_bswap; \ - z_bswap = a[6]; \ - a[6] = a[41]; \ - a[41] = z_bswap; \ - z_bswap = a[7]; \ - a[7] = a[40]; \ - a[40] = z_bswap; \ - z_bswap = a[8]; \ - a[8] = a[39]; \ - a[39] = z_bswap; \ - z_bswap = a[9]; \ - a[9] = a[38]; \ - a[38] = z_bswap; \ - z_bswap = a[10]; \ - a[10] = a[37]; \ - a[37] = z_bswap; \ - z_bswap = a[11]; \ - a[11] = a[36]; \ - a[36] = z_bswap; \ - z_bswap = a[12]; \ - a[12] = a[35]; \ - a[35] = z_bswap; \ - z_bswap = a[13]; \ - a[13] = a[34]; \ - a[34] = z_bswap; \ - z_bswap = a[14]; \ - a[14] = a[33]; \ - a[33] = z_bswap; \ - z_bswap = a[15]; \ - a[15] = a[32]; \ - a[32] = z_bswap; \ - z_bswap = a[16]; \ - a[16] = a[31]; \ - a[31] = z_bswap; \ - z_bswap = a[17]; \ - a[17] = a[30]; \ - a[30] = z_bswap; \ - z_bswap = a[18]; \ - a[18] = a[29]; \ - a[29] = z_bswap; \ - z_bswap = a[19]; \ - a[19] = a[28]; \ - a[28] = z_bswap; \ - z_bswap = a[20]; \ - a[20] = a[27]; \ - a[27] = z_bswap; \ - z_bswap = a[21]; \ - a[21] = a[26]; \ - a[26] = z_bswap; \ - z_bswap = a[22]; \ - a[22] = a[25]; \ - a[25] = z_bswap; \ - z_bswap = a[23]; \ - a[23] = a[24]; \ - a[24] = z_bswap; \ - } while (0) - -static mp_err -point_mul_g_secp384r1_wrap(const mp_int *n, mp_int *out_x, - mp_int *out_y, const ECGroup *group) -{ - unsigned char b_x[48]; - unsigned char b_y[48]; - unsigned char b_n[48]; - mp_err res; - - ARGCHK(n != NULL && out_x != NULL && out_y != NULL, MP_BADARG); - - /* fail on out of range scalars */ - if (mpl_significant_bits(n) > 384 || mp_cmp_z(n) != MP_GT) - return MP_RANGE; - - MP_CHECKOK(mp_to_fixlen_octets(n, b_n, 48)); - MP_BE2LE(b_n); - point_mul_g_secp384r1(b_x, b_y, b_n); - MP_BE2LE(b_x); - MP_BE2LE(b_y); - MP_CHECKOK(mp_read_unsigned_octets(out_x, b_x, 48)); - MP_CHECKOK(mp_read_unsigned_octets(out_y, b_y, 48)); - -CLEANUP: - return res; -} - -static mp_err -point_mul_secp384r1_wrap(const mp_int *n, const mp_int *in_x, - const mp_int *in_y, mp_int *out_x, - mp_int *out_y, const ECGroup *group) -{ - unsigned char b_x[48]; - unsigned char b_y[48]; - unsigned char b_n[48]; - mp_err res; - - ARGCHK(n != NULL && in_x != NULL && in_y != NULL && out_x != NULL && - out_y != NULL, - MP_BADARG); - - /* fail on out of range scalars */ - if (mpl_significant_bits(n) > 384 || mp_cmp_z(n) != MP_GT) - return MP_RANGE; - - MP_CHECKOK(mp_to_fixlen_octets(n, b_n, 48)); - MP_CHECKOK(mp_to_fixlen_octets(in_x, b_x, 48)); - MP_CHECKOK(mp_to_fixlen_octets(in_y, b_y, 48)); - MP_BE2LE(b_x); - MP_BE2LE(b_y); - MP_BE2LE(b_n); - point_mul_secp384r1(b_x, b_y, b_n, b_x, b_y); - MP_BE2LE(b_x); - MP_BE2LE(b_y); - MP_CHECKOK(mp_read_unsigned_octets(out_x, b_x, 48)); - MP_CHECKOK(mp_read_unsigned_octets(out_y, b_y, 48)); - -CLEANUP: - return res; -} - -static mp_err -point_mul_two_secp384r1_wrap(const mp_int *n1, const mp_int *n2, - const mp_int *in_x, - const mp_int *in_y, mp_int *out_x, - mp_int *out_y, - const ECGroup *group) -{ - unsigned char b_x[48]; - unsigned char b_y[48]; - unsigned char b_n1[48]; - unsigned char b_n2[48]; - mp_err res; - - /* If n2 == NULL or 0, this is just a base-point multiplication. */ - if (n2 == NULL || mp_cmp_z(n2) == MP_EQ) - return point_mul_g_secp384r1_wrap(n1, out_x, out_y, group); - - /* If n1 == NULL or 0, this is just an arbitary-point multiplication. */ - if (n1 == NULL || mp_cmp_z(n1) == MP_EQ) - return point_mul_secp384r1_wrap(n2, in_x, in_y, out_x, out_y, group); - - ARGCHK(in_x != NULL && in_y != NULL && out_x != NULL && out_y != NULL, - MP_BADARG); - - /* fail on out of range scalars */ - if (mpl_significant_bits(n1) > 384 || mp_cmp_z(n1) != MP_GT || - mpl_significant_bits(n2) > 384 || mp_cmp_z(n2) != MP_GT) - return MP_RANGE; - - MP_CHECKOK(mp_to_fixlen_octets(n1, b_n1, 48)); - MP_CHECKOK(mp_to_fixlen_octets(n2, b_n2, 48)); - MP_CHECKOK(mp_to_fixlen_octets(in_x, b_x, 48)); - MP_CHECKOK(mp_to_fixlen_octets(in_y, b_y, 48)); - MP_BE2LE(b_x); - MP_BE2LE(b_y); - MP_BE2LE(b_n1); - MP_BE2LE(b_n2); - point_mul_two_secp384r1(b_x, b_y, b_n1, b_n2, b_x, b_y); - MP_BE2LE(b_x); - MP_BE2LE(b_y); - MP_CHECKOK(mp_read_unsigned_octets(out_x, b_x, 48)); - MP_CHECKOK(mp_read_unsigned_octets(out_y, b_y, 48)); - -CLEANUP: - return res; -} - -mp_err -ec_group_set_secp384r1(ECGroup *group, ECCurveName name) -{ - if (name == ECCurve_NIST_P384) { - group->base_point_mul = &point_mul_g_secp384r1_wrap; - group->point_mul = &point_mul_secp384r1_wrap; - group->points_mul = &point_mul_two_secp384r1_wrap; - } - return MP_OKAY; -} diff --git a/nss/lib/freebl/ecl/ecp_secp521r1.c b/nss/lib/freebl/ecl/ecp_secp521r1.c index b992506..af3458a 100644 --- a/nss/lib/freebl/ecl/ecp_secp521r1.c +++ b/nss/lib/freebl/ecl/ecp_secp521r1.c @@ -1,11622 +1,293 @@ -/* Autogenerated: ECCKiila https://gitlab.com/nisec/ecckiila */ -/*- - * MIT License - * - - * Copyright (c) 2020 Luis Rivera-Zamarripa, Jesús-Javier Chi-Domínguez, Billy Bob Brumley - * - - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - - * The above copyright notice and this permission notice shall be included in all - * copies or substantial portions of the Software. - * - - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE - * SOFTWARE. - */ -#if defined(__SIZEOF_INT128__) && !defined(PEDANTIC) - -#include "ecp_secp521r1.h" -#include <stdint.h> -#include <string.h> -#define LIMB_BITS 64 -#define LIMB_CNT 9 -/* Field elements */ -typedef uint64_t fe_t[LIMB_CNT]; -typedef uint64_t limb_t; - -#define fe_copy(d, s) memcpy(d, s, sizeof(fe_t)) -#define fe_set_zero(d) memset(d, 0, sizeof(fe_t)) - -/* Projective points */ -typedef struct { - fe_t X; - fe_t Y; - fe_t Z; -} pt_prj_t; - -/* Affine points */ -typedef struct { - fe_t X; - fe_t Y; -} pt_aff_t; - -/* BEGIN verbatim fiat code https://github.com/mit-plv/fiat-crypto */ -/*- - * MIT License - * - * Copyright (c) 2015-2021 the fiat-crypto authors (see the AUTHORS file). - * https://github.com/mit-plv/fiat-crypto/blob/master/AUTHORS - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE - * SOFTWARE. - */ - -/* Autogenerated: unsaturated_solinas --static --use-value-barrier secp521r1 64 9 '2^521 - 1' */ -/* curve description: secp521r1 */ -/* machine_wordsize = 64 (from "64") */ -/* requested operations: (all) */ -/* n = 9 (from "9") */ -/* s-c = 2^521 - [(1, 1)] (from "2^521 - 1") */ -/* tight_bounds_multiplier = 1 (from "") */ -/* */ -/* Computed values: */ -/* carry_chain = [0, 1, 2, 3, 4, 5, 6, 7, 8, 0, 1] */ -/* eval z = z[0] + (z[1] << 58) + (z[2] << 116) + (z[3] << 174) + (z[4] << 232) + (z[5] << 0x122) + (z[6] << 0x15c) + (z[7] << 0x196) + (z[8] << 0x1d0) */ -/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) + (z[48] << 0x180) + (z[49] << 0x188) + (z[50] << 0x190) + (z[51] << 0x198) + (z[52] << 0x1a0) + (z[53] << 0x1a8) + (z[54] << 0x1b0) + (z[55] << 0x1b8) + (z[56] << 0x1c0) + (z[57] << 0x1c8) + (z[58] << 0x1d0) + (z[59] << 0x1d8) + (z[60] << 0x1e0) + (z[61] << 0x1e8) + (z[62] << 0x1f0) + (z[63] << 0x1f8) + (z[64] << 2^9) + (z[65] << 0x208) */ -/* balance = [0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x3fffffffffffffe] */ - -#include <stdint.h> -typedef unsigned char fiat_secp521r1_uint1; -typedef signed char fiat_secp521r1_int1; -#ifdef __GNUC__ -#define FIAT_SECP521R1_FIAT_EXTENSION __extension__ -#define FIAT_SECP521R1_FIAT_INLINE __inline__ -#else -#define FIAT_SECP521R1_FIAT_EXTENSION -#define FIAT_SECP521R1_FIAT_INLINE -#endif - -FIAT_SECP521R1_FIAT_EXTENSION typedef signed __int128 fiat_secp521r1_int128; -FIAT_SECP521R1_FIAT_EXTENSION typedef unsigned __int128 fiat_secp521r1_uint128; +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ -/* The type fiat_secp521r1_loose_field_element is a field element with loose bounds. */ -/* Bounds: [[0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0x600000000000000]] */ -typedef uint64_t fiat_secp521r1_loose_field_element[9]; - -/* The type fiat_secp521r1_tight_field_element is a field element with tight bounds. */ -/* Bounds: [[0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x200000000000000]] */ -typedef uint64_t fiat_secp521r1_tight_field_element[9]; - -#if (-1 & 3) != 3 -#error "This code only works on a two's complement system" +#ifdef FREEBL_NO_DEPEND +#include "../stubs.h" #endif -#if !defined(FIAT_SECP521R1_NO_ASM) && (defined(__GNUC__) || defined(__clang__)) -static __inline__ uint64_t -fiat_secp521r1_value_barrier_u64(uint64_t a) -{ - __asm__("" - : "+r"(a) - : /* no inputs */); - return a; -} -#else -#define fiat_secp521r1_value_barrier_u64(x) (x) -#endif +#include "ecl-priv.h" +#include "secitem.h" +#include "secerr.h" +#include "secmpi.h" +#include "../verified/Hacl_P521.h" /* - * The function fiat_secp521r1_addcarryx_u58 is an addition with carry. - * - * Postconditions: - * out1 = (arg1 + arg2 + arg3) mod 2^58 - * out2 = ⌊(arg1 + arg2 + arg3) / 2^58⌋ - * - * Input Bounds: - * arg1: [0x0 ~> 0x1] - * arg2: [0x0 ~> 0x3ffffffffffffff] - * arg3: [0x0 ~> 0x3ffffffffffffff] - * Output Bounds: - * out1: [0x0 ~> 0x3ffffffffffffff] - * out2: [0x0 ~> 0x1] - */ -static void -fiat_secp521r1_addcarryx_u58(uint64_t *out1, - fiat_secp521r1_uint1 *out2, - fiat_secp521r1_uint1 arg1, - uint64_t arg2, uint64_t arg3) -{ - uint64_t x1; - uint64_t x2; - fiat_secp521r1_uint1 x3; - x1 = ((arg1 + arg2) + arg3); - x2 = (x1 & UINT64_C(0x3ffffffffffffff)); - x3 = (fiat_secp521r1_uint1)(x1 >> 58); - *out1 = x2; - *out2 = x3; -} - -/* - * The function fiat_secp521r1_subborrowx_u58 is a subtraction with borrow. - * - * Postconditions: - * out1 = (-arg1 + arg2 + -arg3) mod 2^58 - * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^58⌋ - * - * Input Bounds: - * arg1: [0x0 ~> 0x1] - * arg2: [0x0 ~> 0x3ffffffffffffff] - * arg3: [0x0 ~> 0x3ffffffffffffff] - * Output Bounds: - * out1: [0x0 ~> 0x3ffffffffffffff] - * out2: [0x0 ~> 0x1] - */ -static void -fiat_secp521r1_subborrowx_u58(uint64_t *out1, - fiat_secp521r1_uint1 *out2, - fiat_secp521r1_uint1 arg1, - uint64_t arg2, uint64_t arg3) -{ - int64_t x1; - fiat_secp521r1_int1 x2; - uint64_t x3; - x1 = ((int64_t)(arg2 - (int64_t)arg1) - (int64_t)arg3); - x2 = (fiat_secp521r1_int1)(x1 >> 58); - x3 = (x1 & UINT64_C(0x3ffffffffffffff)); - *out1 = x3; - *out2 = (fiat_secp521r1_uint1)(0x0 - x2); -} - -/* - * The function fiat_secp521r1_addcarryx_u57 is an addition with carry. - * - * Postconditions: - * out1 = (arg1 + arg2 + arg3) mod 2^57 - * out2 = ⌊(arg1 + arg2 + arg3) / 2^57⌋ - * - * Input Bounds: - * arg1: [0x0 ~> 0x1] - * arg2: [0x0 ~> 0x1ffffffffffffff] - * arg3: [0x0 ~> 0x1ffffffffffffff] - * Output Bounds: - * out1: [0x0 ~> 0x1ffffffffffffff] - * out2: [0x0 ~> 0x1] - */ -static void -fiat_secp521r1_addcarryx_u57(uint64_t *out1, - fiat_secp521r1_uint1 *out2, - fiat_secp521r1_uint1 arg1, - uint64_t arg2, uint64_t arg3) -{ - uint64_t x1; - uint64_t x2; - fiat_secp521r1_uint1 x3; - x1 = ((arg1 + arg2) + arg3); - x2 = (x1 & UINT64_C(0x1ffffffffffffff)); - x3 = (fiat_secp521r1_uint1)(x1 >> 57); - *out1 = x2; - *out2 = x3; -} - -/* - * The function fiat_secp521r1_subborrowx_u57 is a subtraction with borrow. - * - * Postconditions: - * out1 = (-arg1 + arg2 + -arg3) mod 2^57 - * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^57⌋ - * - * Input Bounds: - * arg1: [0x0 ~> 0x1] - * arg2: [0x0 ~> 0x1ffffffffffffff] - * arg3: [0x0 ~> 0x1ffffffffffffff] - * Output Bounds: - * out1: [0x0 ~> 0x1ffffffffffffff] - * out2: [0x0 ~> 0x1] - */ -static void -fiat_secp521r1_subborrowx_u57(uint64_t *out1, - fiat_secp521r1_uint1 *out2, - fiat_secp521r1_uint1 arg1, - uint64_t arg2, uint64_t arg3) -{ - int64_t x1; - fiat_secp521r1_int1 x2; - uint64_t x3; - x1 = ((int64_t)(arg2 - (int64_t)arg1) - (int64_t)arg3); - x2 = (fiat_secp521r1_int1)(x1 >> 57); - x3 = (x1 & UINT64_C(0x1ffffffffffffff)); - *out1 = x3; - *out2 = (fiat_secp521r1_uint1)(0x0 - x2); -} - -/* - * The function fiat_secp521r1_cmovznz_u64 is a single-word conditional move. - * - * Postconditions: - * out1 = (if arg1 = 0 then arg2 else arg3) - * - * Input Bounds: - * arg1: [0x0 ~> 0x1] - * arg2: [0x0 ~> 0xffffffffffffffff] - * arg3: [0x0 ~> 0xffffffffffffffff] - * Output Bounds: - * out1: [0x0 ~> 0xffffffffffffffff] - */ -static void -fiat_secp521r1_cmovznz_u64(uint64_t *out1, - fiat_secp521r1_uint1 arg1, uint64_t arg2, - uint64_t arg3) -{ - fiat_secp521r1_uint1 x1; - uint64_t x2; - uint64_t x3; - x1 = (!(!arg1)); - x2 = ((fiat_secp521r1_int1)(0x0 - x1) & UINT64_C(0xffffffffffffffff)); - x3 = ((fiat_secp521r1_value_barrier_u64(x2) & arg3) | - (fiat_secp521r1_value_barrier_u64((~x2)) & arg2)); - *out1 = x3; -} - -/* - * The function fiat_secp521r1_carry_mul multiplies two field elements and reduces the result. - * - * Postconditions: - * eval out1 mod m = (eval arg1 * eval arg2) mod m - * - */ -static void -fiat_secp521r1_carry_mul( - fiat_secp521r1_tight_field_element out1, - const fiat_secp521r1_loose_field_element arg1, - const fiat_secp521r1_loose_field_element arg2) -{ - fiat_secp521r1_uint128 x1; - fiat_secp521r1_uint128 x2; - fiat_secp521r1_uint128 x3; - fiat_secp521r1_uint128 x4; - fiat_secp521r1_uint128 x5; - fiat_secp521r1_uint128 x6; - fiat_secp521r1_uint128 x7; - fiat_secp521r1_uint128 x8; - fiat_secp521r1_uint128 x9; - fiat_secp521r1_uint128 x10; - fiat_secp521r1_uint128 x11; - fiat_secp521r1_uint128 x12; - fiat_secp521r1_uint128 x13; - fiat_secp521r1_uint128 x14; - fiat_secp521r1_uint128 x15; - fiat_secp521r1_uint128 x16; - fiat_secp521r1_uint128 x17; - fiat_secp521r1_uint128 x18; - fiat_secp521r1_uint128 x19; - fiat_secp521r1_uint128 x20; - fiat_secp521r1_uint128 x21; - fiat_secp521r1_uint128 x22; - fiat_secp521r1_uint128 x23; - fiat_secp521r1_uint128 x24; - fiat_secp521r1_uint128 x25; - fiat_secp521r1_uint128 x26; - fiat_secp521r1_uint128 x27; - fiat_secp521r1_uint128 x28; - fiat_secp521r1_uint128 x29; - fiat_secp521r1_uint128 x30; - fiat_secp521r1_uint128 x31; - fiat_secp521r1_uint128 x32; - fiat_secp521r1_uint128 x33; - fiat_secp521r1_uint128 x34; - fiat_secp521r1_uint128 x35; - fiat_secp521r1_uint128 x36; - fiat_secp521r1_uint128 x37; - fiat_secp521r1_uint128 x38; - fiat_secp521r1_uint128 x39; - fiat_secp521r1_uint128 x40; - fiat_secp521r1_uint128 x41; - fiat_secp521r1_uint128 x42; - fiat_secp521r1_uint128 x43; - fiat_secp521r1_uint128 x44; - fiat_secp521r1_uint128 x45; - fiat_secp521r1_uint128 x46; - fiat_secp521r1_uint128 x47; - fiat_secp521r1_uint128 x48; - fiat_secp521r1_uint128 x49; - fiat_secp521r1_uint128 x50; - fiat_secp521r1_uint128 x51; - fiat_secp521r1_uint128 x52; - fiat_secp521r1_uint128 x53; - fiat_secp521r1_uint128 x54; - fiat_secp521r1_uint128 x55; - fiat_secp521r1_uint128 x56; - fiat_secp521r1_uint128 x57; - fiat_secp521r1_uint128 x58; - fiat_secp521r1_uint128 x59; - fiat_secp521r1_uint128 x60; - fiat_secp521r1_uint128 x61; - fiat_secp521r1_uint128 x62; - fiat_secp521r1_uint128 x63; - fiat_secp521r1_uint128 x64; - fiat_secp521r1_uint128 x65; - fiat_secp521r1_uint128 x66; - fiat_secp521r1_uint128 x67; - fiat_secp521r1_uint128 x68; - fiat_secp521r1_uint128 x69; - fiat_secp521r1_uint128 x70; - fiat_secp521r1_uint128 x71; - fiat_secp521r1_uint128 x72; - fiat_secp521r1_uint128 x73; - fiat_secp521r1_uint128 x74; - fiat_secp521r1_uint128 x75; - fiat_secp521r1_uint128 x76; - fiat_secp521r1_uint128 x77; - fiat_secp521r1_uint128 x78; - fiat_secp521r1_uint128 x79; - fiat_secp521r1_uint128 x80; - fiat_secp521r1_uint128 x81; - fiat_secp521r1_uint128 x82; - fiat_secp521r1_uint128 x83; - uint64_t x84; - fiat_secp521r1_uint128 x85; - fiat_secp521r1_uint128 x86; - fiat_secp521r1_uint128 x87; - fiat_secp521r1_uint128 x88; - fiat_secp521r1_uint128 x89; - fiat_secp521r1_uint128 x90; - fiat_secp521r1_uint128 x91; - fiat_secp521r1_uint128 x92; - fiat_secp521r1_uint128 x93; - fiat_secp521r1_uint128 x94; - uint64_t x95; - fiat_secp521r1_uint128 x96; - fiat_secp521r1_uint128 x97; - uint64_t x98; - fiat_secp521r1_uint128 x99; - fiat_secp521r1_uint128 x100; - uint64_t x101; - fiat_secp521r1_uint128 x102; - fiat_secp521r1_uint128 x103; - uint64_t x104; - fiat_secp521r1_uint128 x105; - fiat_secp521r1_uint128 x106; - uint64_t x107; - fiat_secp521r1_uint128 x108; - fiat_secp521r1_uint128 x109; - uint64_t x110; - fiat_secp521r1_uint128 x111; - fiat_secp521r1_uint128 x112; - uint64_t x113; - fiat_secp521r1_uint128 x114; - fiat_secp521r1_uint128 x115; - uint64_t x116; - fiat_secp521r1_uint128 x117; - uint64_t x118; - uint64_t x119; - uint64_t x120; - fiat_secp521r1_uint1 x121; - uint64_t x122; - uint64_t x123; - x1 = ((fiat_secp521r1_uint128)(arg1[8]) * ((arg2[8]) * 0x2)); - x2 = ((fiat_secp521r1_uint128)(arg1[8]) * ((arg2[7]) * 0x2)); - x3 = ((fiat_secp521r1_uint128)(arg1[8]) * ((arg2[6]) * 0x2)); - x4 = ((fiat_secp521r1_uint128)(arg1[8]) * ((arg2[5]) * 0x2)); - x5 = ((fiat_secp521r1_uint128)(arg1[8]) * ((arg2[4]) * 0x2)); - x6 = ((fiat_secp521r1_uint128)(arg1[8]) * ((arg2[3]) * 0x2)); - x7 = ((fiat_secp521r1_uint128)(arg1[8]) * ((arg2[2]) * 0x2)); - x8 = ((fiat_secp521r1_uint128)(arg1[8]) * ((arg2[1]) * 0x2)); - x9 = ((fiat_secp521r1_uint128)(arg1[7]) * ((arg2[8]) * 0x2)); - x10 = ((fiat_secp521r1_uint128)(arg1[7]) * ((arg2[7]) * 0x2)); - x11 = ((fiat_secp521r1_uint128)(arg1[7]) * ((arg2[6]) * 0x2)); - x12 = ((fiat_secp521r1_uint128)(arg1[7]) * ((arg2[5]) * 0x2)); - x13 = ((fiat_secp521r1_uint128)(arg1[7]) * ((arg2[4]) * 0x2)); - x14 = ((fiat_secp521r1_uint128)(arg1[7]) * ((arg2[3]) * 0x2)); - x15 = ((fiat_secp521r1_uint128)(arg1[7]) * ((arg2[2]) * 0x2)); - x16 = ((fiat_secp521r1_uint128)(arg1[6]) * ((arg2[8]) * 0x2)); - x17 = ((fiat_secp521r1_uint128)(arg1[6]) * ((arg2[7]) * 0x2)); - x18 = ((fiat_secp521r1_uint128)(arg1[6]) * ((arg2[6]) * 0x2)); - x19 = ((fiat_secp521r1_uint128)(arg1[6]) * ((arg2[5]) * 0x2)); - x20 = ((fiat_secp521r1_uint128)(arg1[6]) * ((arg2[4]) * 0x2)); - x21 = ((fiat_secp521r1_uint128)(arg1[6]) * ((arg2[3]) * 0x2)); - x22 = ((fiat_secp521r1_uint128)(arg1[5]) * ((arg2[8]) * 0x2)); - x23 = ((fiat_secp521r1_uint128)(arg1[5]) * ((arg2[7]) * 0x2)); - x24 = ((fiat_secp521r1_uint128)(arg1[5]) * ((arg2[6]) * 0x2)); - x25 = ((fiat_secp521r1_uint128)(arg1[5]) * ((arg2[5]) * 0x2)); - x26 = ((fiat_secp521r1_uint128)(arg1[5]) * ((arg2[4]) * 0x2)); - x27 = ((fiat_secp521r1_uint128)(arg1[4]) * ((arg2[8]) * 0x2)); - x28 = ((fiat_secp521r1_uint128)(arg1[4]) * ((arg2[7]) * 0x2)); - x29 = ((fiat_secp521r1_uint128)(arg1[4]) * ((arg2[6]) * 0x2)); - x30 = ((fiat_secp521r1_uint128)(arg1[4]) * ((arg2[5]) * 0x2)); - x31 = ((fiat_secp521r1_uint128)(arg1[3]) * ((arg2[8]) * 0x2)); - x32 = ((fiat_secp521r1_uint128)(arg1[3]) * ((arg2[7]) * 0x2)); - x33 = ((fiat_secp521r1_uint128)(arg1[3]) * ((arg2[6]) * 0x2)); - x34 = ((fiat_secp521r1_uint128)(arg1[2]) * ((arg2[8]) * 0x2)); - x35 = ((fiat_secp521r1_uint128)(arg1[2]) * ((arg2[7]) * 0x2)); - x36 = ((fiat_secp521r1_uint128)(arg1[1]) * ((arg2[8]) * 0x2)); - x37 = ((fiat_secp521r1_uint128)(arg1[8]) * (arg2[0])); - x38 = ((fiat_secp521r1_uint128)(arg1[7]) * (arg2[1])); - x39 = ((fiat_secp521r1_uint128)(arg1[7]) * (arg2[0])); - x40 = ((fiat_secp521r1_uint128)(arg1[6]) * (arg2[2])); - x41 = ((fiat_secp521r1_uint128)(arg1[6]) * (arg2[1])); - x42 = ((fiat_secp521r1_uint128)(arg1[6]) * (arg2[0])); - x43 = ((fiat_secp521r1_uint128)(arg1[5]) * (arg2[3])); - x44 = ((fiat_secp521r1_uint128)(arg1[5]) * (arg2[2])); - x45 = ((fiat_secp521r1_uint128)(arg1[5]) * (arg2[1])); - x46 = ((fiat_secp521r1_uint128)(arg1[5]) * (arg2[0])); - x47 = ((fiat_secp521r1_uint128)(arg1[4]) * (arg2[4])); - x48 = ((fiat_secp521r1_uint128)(arg1[4]) * (arg2[3])); - x49 = ((fiat_secp521r1_uint128)(arg1[4]) * (arg2[2])); - x50 = ((fiat_secp521r1_uint128)(arg1[4]) * (arg2[1])); - x51 = ((fiat_secp521r1_uint128)(arg1[4]) * (arg2[0])); - x52 = ((fiat_secp521r1_uint128)(arg1[3]) * (arg2[5])); - x53 = ((fiat_secp521r1_uint128)(arg1[3]) * (arg2[4])); - x54 = ((fiat_secp521r1_uint128)(arg1[3]) * (arg2[3])); - x55 = ((fiat_secp521r1_uint128)(arg1[3]) * (arg2[2])); - x56 = ((fiat_secp521r1_uint128)(arg1[3]) * (arg2[1])); - x57 = ((fiat_secp521r1_uint128)(arg1[3]) * (arg2[0])); - x58 = ((fiat_secp521r1_uint128)(arg1[2]) * (arg2[6])); - x59 = ((fiat_secp521r1_uint128)(arg1[2]) * (arg2[5])); - x60 = ((fiat_secp521r1_uint128)(arg1[2]) * (arg2[4])); - x61 = ((fiat_secp521r1_uint128)(arg1[2]) * (arg2[3])); - x62 = ((fiat_secp521r1_uint128)(arg1[2]) * (arg2[2])); - x63 = ((fiat_secp521r1_uint128)(arg1[2]) * (arg2[1])); - x64 = ((fiat_secp521r1_uint128)(arg1[2]) * (arg2[0])); - x65 = ((fiat_secp521r1_uint128)(arg1[1]) * (arg2[7])); - x66 = ((fiat_secp521r1_uint128)(arg1[1]) * (arg2[6])); - x67 = ((fiat_secp521r1_uint128)(arg1[1]) * (arg2[5])); - x68 = ((fiat_secp521r1_uint128)(arg1[1]) * (arg2[4])); - x69 = ((fiat_secp521r1_uint128)(arg1[1]) * (arg2[3])); - x70 = ((fiat_secp521r1_uint128)(arg1[1]) * (arg2[2])); - x71 = ((fiat_secp521r1_uint128)(arg1[1]) * (arg2[1])); - x72 = ((fiat_secp521r1_uint128)(arg1[1]) * (arg2[0])); - x73 = ((fiat_secp521r1_uint128)(arg1[0]) * (arg2[8])); - x74 = ((fiat_secp521r1_uint128)(arg1[0]) * (arg2[7])); - x75 = ((fiat_secp521r1_uint128)(arg1[0]) * (arg2[6])); - x76 = ((fiat_secp521r1_uint128)(arg1[0]) * (arg2[5])); - x77 = ((fiat_secp521r1_uint128)(arg1[0]) * (arg2[4])); - x78 = ((fiat_secp521r1_uint128)(arg1[0]) * (arg2[3])); - x79 = ((fiat_secp521r1_uint128)(arg1[0]) * (arg2[2])); - x80 = ((fiat_secp521r1_uint128)(arg1[0]) * (arg2[1])); - x81 = ((fiat_secp521r1_uint128)(arg1[0]) * (arg2[0])); - x82 = (x81 + (x36 + (x35 + (x33 + (x30 + (x26 + (x21 + (x15 + x8)))))))); - x83 = (x82 >> 58); - x84 = (uint64_t)(x82 & UINT64_C(0x3ffffffffffffff)); - x85 = (x73 + (x65 + (x58 + (x52 + (x47 + (x43 + (x40 + (x38 + x37)))))))); - x86 = (x74 + (x66 + (x59 + (x53 + (x48 + (x44 + (x41 + (x39 + x1)))))))); - x87 = (x75 + (x67 + (x60 + (x54 + (x49 + (x45 + (x42 + (x9 + x2)))))))); - x88 = (x76 + (x68 + (x61 + (x55 + (x50 + (x46 + (x16 + (x10 + x3)))))))); - x89 = (x77 + (x69 + (x62 + (x56 + (x51 + (x22 + (x17 + (x11 + x4)))))))); - x90 = (x78 + (x70 + (x63 + (x57 + (x27 + (x23 + (x18 + (x12 + x5)))))))); - x91 = (x79 + (x71 + (x64 + (x31 + (x28 + (x24 + (x19 + (x13 + x6)))))))); - x92 = (x80 + (x72 + (x34 + (x32 + (x29 + (x25 + (x20 + (x14 + x7)))))))); - x93 = (x83 + x92); - x94 = (x93 >> 58); - x95 = (uint64_t)(x93 & UINT64_C(0x3ffffffffffffff)); - x96 = (x94 + x91); - x97 = (x96 >> 58); - x98 = (uint64_t)(x96 & UINT64_C(0x3ffffffffffffff)); - x99 = (x97 + x90); - x100 = (x99 >> 58); - x101 = (uint64_t)(x99 & UINT64_C(0x3ffffffffffffff)); - x102 = (x100 + x89); - x103 = (x102 >> 58); - x104 = (uint64_t)(x102 & UINT64_C(0x3ffffffffffffff)); - x105 = (x103 + x88); - x106 = (x105 >> 58); - x107 = (uint64_t)(x105 & UINT64_C(0x3ffffffffffffff)); - x108 = (x106 + x87); - x109 = (x108 >> 58); - x110 = (uint64_t)(x108 & UINT64_C(0x3ffffffffffffff)); - x111 = (x109 + x86); - x112 = (x111 >> 58); - x113 = (uint64_t)(x111 & UINT64_C(0x3ffffffffffffff)); - x114 = (x112 + x85); - x115 = (x114 >> 57); - x116 = (uint64_t)(x114 & UINT64_C(0x1ffffffffffffff)); - x117 = (x84 + x115); - x118 = (uint64_t)(x117 >> 58); - x119 = (uint64_t)(x117 & UINT64_C(0x3ffffffffffffff)); - x120 = (x118 + x95); - x121 = (fiat_secp521r1_uint1)(x120 >> 58); - x122 = (x120 & UINT64_C(0x3ffffffffffffff)); - x123 = (x121 + x98); - out1[0] = x119; - out1[1] = x122; - out1[2] = x123; - out1[3] = x101; - out1[4] = x104; - out1[5] = x107; - out1[6] = x110; - out1[7] = x113; - out1[8] = x116; -} - -/* - * The function fiat_secp521r1_carry_square squares a field element and reduces the result. - * - * Postconditions: - * eval out1 mod m = (eval arg1 * eval arg1) mod m - * - */ -static void -fiat_secp521r1_carry_square( - fiat_secp521r1_tight_field_element out1, - const fiat_secp521r1_loose_field_element arg1) -{ - uint64_t x1; - uint64_t x2; - uint64_t x3; - uint64_t x4; - uint64_t x5; - uint64_t x6; - uint64_t x7; - uint64_t x8; - uint64_t x9; - uint64_t x10; - uint64_t x11; - uint64_t x12; - uint64_t x13; - uint64_t x14; - uint64_t x15; - uint64_t x16; - fiat_secp521r1_uint128 x17; - fiat_secp521r1_uint128 x18; - fiat_secp521r1_uint128 x19; - fiat_secp521r1_uint128 x20; - fiat_secp521r1_uint128 x21; - fiat_secp521r1_uint128 x22; - fiat_secp521r1_uint128 x23; - fiat_secp521r1_uint128 x24; - fiat_secp521r1_uint128 x25; - fiat_secp521r1_uint128 x26; - fiat_secp521r1_uint128 x27; - fiat_secp521r1_uint128 x28; - fiat_secp521r1_uint128 x29; - fiat_secp521r1_uint128 x30; - fiat_secp521r1_uint128 x31; - fiat_secp521r1_uint128 x32; - fiat_secp521r1_uint128 x33; - fiat_secp521r1_uint128 x34; - fiat_secp521r1_uint128 x35; - fiat_secp521r1_uint128 x36; - fiat_secp521r1_uint128 x37; - fiat_secp521r1_uint128 x38; - fiat_secp521r1_uint128 x39; - fiat_secp521r1_uint128 x40; - fiat_secp521r1_uint128 x41; - fiat_secp521r1_uint128 x42; - fiat_secp521r1_uint128 x43; - fiat_secp521r1_uint128 x44; - fiat_secp521r1_uint128 x45; - fiat_secp521r1_uint128 x46; - fiat_secp521r1_uint128 x47; - fiat_secp521r1_uint128 x48; - fiat_secp521r1_uint128 x49; - fiat_secp521r1_uint128 x50; - fiat_secp521r1_uint128 x51; - fiat_secp521r1_uint128 x52; - fiat_secp521r1_uint128 x53; - fiat_secp521r1_uint128 x54; - fiat_secp521r1_uint128 x55; - fiat_secp521r1_uint128 x56; - fiat_secp521r1_uint128 x57; - fiat_secp521r1_uint128 x58; - fiat_secp521r1_uint128 x59; - fiat_secp521r1_uint128 x60; - fiat_secp521r1_uint128 x61; - fiat_secp521r1_uint128 x62; - fiat_secp521r1_uint128 x63; - uint64_t x64; - fiat_secp521r1_uint128 x65; - fiat_secp521r1_uint128 x66; - fiat_secp521r1_uint128 x67; - fiat_secp521r1_uint128 x68; - fiat_secp521r1_uint128 x69; - fiat_secp521r1_uint128 x70; - fiat_secp521r1_uint128 x71; - fiat_secp521r1_uint128 x72; - fiat_secp521r1_uint128 x73; - fiat_secp521r1_uint128 x74; - uint64_t x75; - fiat_secp521r1_uint128 x76; - fiat_secp521r1_uint128 x77; - uint64_t x78; - fiat_secp521r1_uint128 x79; - fiat_secp521r1_uint128 x80; - uint64_t x81; - fiat_secp521r1_uint128 x82; - fiat_secp521r1_uint128 x83; - uint64_t x84; - fiat_secp521r1_uint128 x85; - fiat_secp521r1_uint128 x86; - uint64_t x87; - fiat_secp521r1_uint128 x88; - fiat_secp521r1_uint128 x89; - uint64_t x90; - fiat_secp521r1_uint128 x91; - fiat_secp521r1_uint128 x92; - uint64_t x93; - fiat_secp521r1_uint128 x94; - fiat_secp521r1_uint128 x95; - uint64_t x96; - fiat_secp521r1_uint128 x97; - uint64_t x98; - uint64_t x99; - uint64_t x100; - fiat_secp521r1_uint1 x101; - uint64_t x102; - uint64_t x103; - x1 = (arg1[8]); - x2 = (x1 * 0x2); - x3 = ((arg1[8]) * 0x2); - x4 = (arg1[7]); - x5 = (x4 * 0x2); - x6 = ((arg1[7]) * 0x2); - x7 = (arg1[6]); - x8 = (x7 * 0x2); - x9 = ((arg1[6]) * 0x2); - x10 = (arg1[5]); - x11 = (x10 * 0x2); - x12 = ((arg1[5]) * 0x2); - x13 = ((arg1[4]) * 0x2); - x14 = ((arg1[3]) * 0x2); - x15 = ((arg1[2]) * 0x2); - x16 = ((arg1[1]) * 0x2); - x17 = ((fiat_secp521r1_uint128)(arg1[8]) * (x1 * 0x2)); - x18 = ((fiat_secp521r1_uint128)(arg1[7]) * (x2 * 0x2)); - x19 = ((fiat_secp521r1_uint128)(arg1[7]) * (x4 * 0x2)); - x20 = ((fiat_secp521r1_uint128)(arg1[6]) * (x2 * 0x2)); - x21 = ((fiat_secp521r1_uint128)(arg1[6]) * (x5 * 0x2)); - x22 = ((fiat_secp521r1_uint128)(arg1[6]) * (x7 * 0x2)); - x23 = ((fiat_secp521r1_uint128)(arg1[5]) * (x2 * 0x2)); - x24 = ((fiat_secp521r1_uint128)(arg1[5]) * (x5 * 0x2)); - x25 = ((fiat_secp521r1_uint128)(arg1[5]) * (x8 * 0x2)); - x26 = ((fiat_secp521r1_uint128)(arg1[5]) * (x10 * 0x2)); - x27 = ((fiat_secp521r1_uint128)(arg1[4]) * (x2 * 0x2)); - x28 = ((fiat_secp521r1_uint128)(arg1[4]) * (x5 * 0x2)); - x29 = ((fiat_secp521r1_uint128)(arg1[4]) * (x8 * 0x2)); - x30 = ((fiat_secp521r1_uint128)(arg1[4]) * (x11 * 0x2)); - x31 = ((fiat_secp521r1_uint128)(arg1[4]) * (arg1[4])); - x32 = ((fiat_secp521r1_uint128)(arg1[3]) * (x2 * 0x2)); - x33 = ((fiat_secp521r1_uint128)(arg1[3]) * (x5 * 0x2)); - x34 = ((fiat_secp521r1_uint128)(arg1[3]) * (x8 * 0x2)); - x35 = ((fiat_secp521r1_uint128)(arg1[3]) * x12); - x36 = ((fiat_secp521r1_uint128)(arg1[3]) * x13); - x37 = ((fiat_secp521r1_uint128)(arg1[3]) * (arg1[3])); - x38 = ((fiat_secp521r1_uint128)(arg1[2]) * (x2 * 0x2)); - x39 = ((fiat_secp521r1_uint128)(arg1[2]) * (x5 * 0x2)); - x40 = ((fiat_secp521r1_uint128)(arg1[2]) * x9); - x41 = ((fiat_secp521r1_uint128)(arg1[2]) * x12); - x42 = ((fiat_secp521r1_uint128)(arg1[2]) * x13); - x43 = ((fiat_secp521r1_uint128)(arg1[2]) * x14); - x44 = ((fiat_secp521r1_uint128)(arg1[2]) * (arg1[2])); - x45 = ((fiat_secp521r1_uint128)(arg1[1]) * (x2 * 0x2)); - x46 = ((fiat_secp521r1_uint128)(arg1[1]) * x6); - x47 = ((fiat_secp521r1_uint128)(arg1[1]) * x9); - x48 = ((fiat_secp521r1_uint128)(arg1[1]) * x12); - x49 = ((fiat_secp521r1_uint128)(arg1[1]) * x13); - x50 = ((fiat_secp521r1_uint128)(arg1[1]) * x14); - x51 = ((fiat_secp521r1_uint128)(arg1[1]) * x15); - x52 = ((fiat_secp521r1_uint128)(arg1[1]) * (arg1[1])); - x53 = ((fiat_secp521r1_uint128)(arg1[0]) * x3); - x54 = ((fiat_secp521r1_uint128)(arg1[0]) * x6); - x55 = ((fiat_secp521r1_uint128)(arg1[0]) * x9); - x56 = ((fiat_secp521r1_uint128)(arg1[0]) * x12); - x57 = ((fiat_secp521r1_uint128)(arg1[0]) * x13); - x58 = ((fiat_secp521r1_uint128)(arg1[0]) * x14); - x59 = ((fiat_secp521r1_uint128)(arg1[0]) * x15); - x60 = ((fiat_secp521r1_uint128)(arg1[0]) * x16); - x61 = ((fiat_secp521r1_uint128)(arg1[0]) * (arg1[0])); - x62 = (x61 + (x45 + (x39 + (x34 + x30)))); - x63 = (x62 >> 58); - x64 = (uint64_t)(x62 & UINT64_C(0x3ffffffffffffff)); - x65 = (x53 + (x46 + (x40 + (x35 + x31)))); - x66 = (x54 + (x47 + (x41 + (x36 + x17)))); - x67 = (x55 + (x48 + (x42 + (x37 + x18)))); - x68 = (x56 + (x49 + (x43 + (x20 + x19)))); - x69 = (x57 + (x50 + (x44 + (x23 + x21)))); - x70 = (x58 + (x51 + (x27 + (x24 + x22)))); - x71 = (x59 + (x52 + (x32 + (x28 + x25)))); - x72 = (x60 + (x38 + (x33 + (x29 + x26)))); - x73 = (x63 + x72); - x74 = (x73 >> 58); - x75 = (uint64_t)(x73 & UINT64_C(0x3ffffffffffffff)); - x76 = (x74 + x71); - x77 = (x76 >> 58); - x78 = (uint64_t)(x76 & UINT64_C(0x3ffffffffffffff)); - x79 = (x77 + x70); - x80 = (x79 >> 58); - x81 = (uint64_t)(x79 & UINT64_C(0x3ffffffffffffff)); - x82 = (x80 + x69); - x83 = (x82 >> 58); - x84 = (uint64_t)(x82 & UINT64_C(0x3ffffffffffffff)); - x85 = (x83 + x68); - x86 = (x85 >> 58); - x87 = (uint64_t)(x85 & UINT64_C(0x3ffffffffffffff)); - x88 = (x86 + x67); - x89 = (x88 >> 58); - x90 = (uint64_t)(x88 & UINT64_C(0x3ffffffffffffff)); - x91 = (x89 + x66); - x92 = (x91 >> 58); - x93 = (uint64_t)(x91 & UINT64_C(0x3ffffffffffffff)); - x94 = (x92 + x65); - x95 = (x94 >> 57); - x96 = (uint64_t)(x94 & UINT64_C(0x1ffffffffffffff)); - x97 = (x64 + x95); - x98 = (uint64_t)(x97 >> 58); - x99 = (uint64_t)(x97 & UINT64_C(0x3ffffffffffffff)); - x100 = (x98 + x75); - x101 = (fiat_secp521r1_uint1)(x100 >> 58); - x102 = (x100 & UINT64_C(0x3ffffffffffffff)); - x103 = (x101 + x78); - out1[0] = x99; - out1[1] = x102; - out1[2] = x103; - out1[3] = x81; - out1[4] = x84; - out1[5] = x87; - out1[6] = x90; - out1[7] = x93; - out1[8] = x96; -} - -/* - * The function fiat_secp521r1_carry_add adds two field elements. - * - * Postconditions: - * eval out1 mod m = (eval arg1 + eval arg2) mod m - * - */ -static void -fiat_secp521r1_carry_add( - fiat_secp521r1_tight_field_element out1, - const fiat_secp521r1_tight_field_element arg1, - const fiat_secp521r1_tight_field_element arg2) -{ - uint64_t x1; - uint64_t x2; - uint64_t x3; - uint64_t x4; - uint64_t x5; - uint64_t x6; - uint64_t x7; - uint64_t x8; - uint64_t x9; - uint64_t x10; - uint64_t x11; - uint64_t x12; - uint64_t x13; - uint64_t x14; - uint64_t x15; - uint64_t x16; - uint64_t x17; - uint64_t x18; - uint64_t x19; - uint64_t x20; - x1 = ((arg1[0]) + (arg2[0])); - x2 = ((x1 >> 58) + ((arg1[1]) + (arg2[1]))); - x3 = ((x2 >> 58) + ((arg1[2]) + (arg2[2]))); - x4 = ((x3 >> 58) + ((arg1[3]) + (arg2[3]))); - x5 = ((x4 >> 58) + ((arg1[4]) + (arg2[4]))); - x6 = ((x5 >> 58) + ((arg1[5]) + (arg2[5]))); - x7 = ((x6 >> 58) + ((arg1[6]) + (arg2[6]))); - x8 = ((x7 >> 58) + ((arg1[7]) + (arg2[7]))); - x9 = ((x8 >> 58) + ((arg1[8]) + (arg2[8]))); - x10 = ((x1 & UINT64_C(0x3ffffffffffffff)) + (x9 >> 57)); - x11 = ((fiat_secp521r1_uint1)(x10 >> 58) + - (x2 & UINT64_C(0x3ffffffffffffff))); - x12 = (x10 & UINT64_C(0x3ffffffffffffff)); - x13 = (x11 & UINT64_C(0x3ffffffffffffff)); - x14 = ((fiat_secp521r1_uint1)(x11 >> 58) + - (x3 & UINT64_C(0x3ffffffffffffff))); - x15 = (x4 & UINT64_C(0x3ffffffffffffff)); - x16 = (x5 & UINT64_C(0x3ffffffffffffff)); - x17 = (x6 & UINT64_C(0x3ffffffffffffff)); - x18 = (x7 & UINT64_C(0x3ffffffffffffff)); - x19 = (x8 & UINT64_C(0x3ffffffffffffff)); - x20 = (x9 & UINT64_C(0x1ffffffffffffff)); - out1[0] = x12; - out1[1] = x13; - out1[2] = x14; - out1[3] = x15; - out1[4] = x16; - out1[5] = x17; - out1[6] = x18; - out1[7] = x19; - out1[8] = x20; -} - -/* - * The function fiat_secp521r1_carry_sub subtracts two field elements. - * - * Postconditions: - * eval out1 mod m = (eval arg1 - eval arg2) mod m - * - */ -static void -fiat_secp521r1_carry_sub( - fiat_secp521r1_tight_field_element out1, - const fiat_secp521r1_tight_field_element arg1, - const fiat_secp521r1_tight_field_element arg2) -{ - uint64_t x1; - uint64_t x2; - uint64_t x3; - uint64_t x4; - uint64_t x5; - uint64_t x6; - uint64_t x7; - uint64_t x8; - uint64_t x9; - uint64_t x10; - uint64_t x11; - uint64_t x12; - uint64_t x13; - uint64_t x14; - uint64_t x15; - uint64_t x16; - uint64_t x17; - uint64_t x18; - uint64_t x19; - uint64_t x20; - x1 = ((UINT64_C(0x7fffffffffffffe) + (arg1[0])) - (arg2[0])); - x2 = ((x1 >> 58) + ((UINT64_C(0x7fffffffffffffe) + (arg1[1])) - (arg2[1]))); - x3 = ((x2 >> 58) + ((UINT64_C(0x7fffffffffffffe) + (arg1[2])) - (arg2[2]))); - x4 = ((x3 >> 58) + ((UINT64_C(0x7fffffffffffffe) + (arg1[3])) - (arg2[3]))); - x5 = ((x4 >> 58) + ((UINT64_C(0x7fffffffffffffe) + (arg1[4])) - (arg2[4]))); - x6 = ((x5 >> 58) + ((UINT64_C(0x7fffffffffffffe) + (arg1[5])) - (arg2[5]))); - x7 = ((x6 >> 58) + ((UINT64_C(0x7fffffffffffffe) + (arg1[6])) - (arg2[6]))); - x8 = ((x7 >> 58) + ((UINT64_C(0x7fffffffffffffe) + (arg1[7])) - (arg2[7]))); - x9 = ((x8 >> 58) + ((UINT64_C(0x3fffffffffffffe) + (arg1[8])) - (arg2[8]))); - x10 = ((x1 & UINT64_C(0x3ffffffffffffff)) + (x9 >> 57)); - x11 = ((fiat_secp521r1_uint1)(x10 >> 58) + - (x2 & UINT64_C(0x3ffffffffffffff))); - x12 = (x10 & UINT64_C(0x3ffffffffffffff)); - x13 = (x11 & UINT64_C(0x3ffffffffffffff)); - x14 = ((fiat_secp521r1_uint1)(x11 >> 58) + - (x3 & UINT64_C(0x3ffffffffffffff))); - x15 = (x4 & UINT64_C(0x3ffffffffffffff)); - x16 = (x5 & UINT64_C(0x3ffffffffffffff)); - x17 = (x6 & UINT64_C(0x3ffffffffffffff)); - x18 = (x7 & UINT64_C(0x3ffffffffffffff)); - x19 = (x8 & UINT64_C(0x3ffffffffffffff)); - x20 = (x9 & UINT64_C(0x1ffffffffffffff)); - out1[0] = x12; - out1[1] = x13; - out1[2] = x14; - out1[3] = x15; - out1[4] = x16; - out1[5] = x17; - out1[6] = x18; - out1[7] = x19; - out1[8] = x20; -} - -/* - * The function fiat_secp521r1_carry_opp negates a field element. - * - * Postconditions: - * eval out1 mod m = -eval arg1 mod m - * - */ -static void -fiat_secp521r1_carry_opp( - fiat_secp521r1_tight_field_element out1, - const fiat_secp521r1_tight_field_element arg1) -{ - uint64_t x1; - uint64_t x2; - uint64_t x3; - uint64_t x4; - uint64_t x5; - uint64_t x6; - uint64_t x7; - uint64_t x8; - uint64_t x9; - uint64_t x10; - uint64_t x11; - uint64_t x12; - uint64_t x13; - uint64_t x14; - uint64_t x15; - uint64_t x16; - uint64_t x17; - uint64_t x18; - uint64_t x19; - uint64_t x20; - x1 = (UINT64_C(0x7fffffffffffffe) - (arg1[0])); - x2 = ((fiat_secp521r1_uint1)(x1 >> 58) + - (UINT64_C(0x7fffffffffffffe) - (arg1[1]))); - x3 = ((fiat_secp521r1_uint1)(x2 >> 58) + - (UINT64_C(0x7fffffffffffffe) - (arg1[2]))); - x4 = ((fiat_secp521r1_uint1)(x3 >> 58) + - (UINT64_C(0x7fffffffffffffe) - (arg1[3]))); - x5 = ((fiat_secp521r1_uint1)(x4 >> 58) + - (UINT64_C(0x7fffffffffffffe) - (arg1[4]))); - x6 = ((fiat_secp521r1_uint1)(x5 >> 58) + - (UINT64_C(0x7fffffffffffffe) - (arg1[5]))); - x7 = ((fiat_secp521r1_uint1)(x6 >> 58) + - (UINT64_C(0x7fffffffffffffe) - (arg1[6]))); - x8 = ((fiat_secp521r1_uint1)(x7 >> 58) + - (UINT64_C(0x7fffffffffffffe) - (arg1[7]))); - x9 = ((fiat_secp521r1_uint1)(x8 >> 58) + - (UINT64_C(0x3fffffffffffffe) - (arg1[8]))); - x10 = ((x1 & UINT64_C(0x3ffffffffffffff)) + - (uint64_t)(fiat_secp521r1_uint1)(x9 >> 57)); - x11 = ((fiat_secp521r1_uint1)(x10 >> 58) + - (x2 & UINT64_C(0x3ffffffffffffff))); - x12 = (x10 & UINT64_C(0x3ffffffffffffff)); - x13 = (x11 & UINT64_C(0x3ffffffffffffff)); - x14 = ((fiat_secp521r1_uint1)(x11 >> 58) + - (x3 & UINT64_C(0x3ffffffffffffff))); - x15 = (x4 & UINT64_C(0x3ffffffffffffff)); - x16 = (x5 & UINT64_C(0x3ffffffffffffff)); - x17 = (x6 & UINT64_C(0x3ffffffffffffff)); - x18 = (x7 & UINT64_C(0x3ffffffffffffff)); - x19 = (x8 & UINT64_C(0x3ffffffffffffff)); - x20 = (x9 & UINT64_C(0x1ffffffffffffff)); - out1[0] = x12; - out1[1] = x13; - out1[2] = x14; - out1[3] = x15; - out1[4] = x16; - out1[5] = x17; - out1[6] = x18; - out1[7] = x19; - out1[8] = x20; -} - -/* - * The function fiat_secp521r1_selectznz is a multi-limb conditional select. - * - * Postconditions: - * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) - * - * Input Bounds: - * arg1: [0x0 ~> 0x1] - * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * Output Bounds: - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -static void -fiat_secp521r1_selectznz(uint64_t out1[9], - fiat_secp521r1_uint1 arg1, - const uint64_t arg2[9], - const uint64_t arg3[9]) -{ - uint64_t x1; - uint64_t x2; - uint64_t x3; - uint64_t x4; - uint64_t x5; - uint64_t x6; - uint64_t x7; - uint64_t x8; - uint64_t x9; - fiat_secp521r1_cmovznz_u64(&x1, arg1, (arg2[0]), (arg3[0])); - fiat_secp521r1_cmovznz_u64(&x2, arg1, (arg2[1]), (arg3[1])); - fiat_secp521r1_cmovznz_u64(&x3, arg1, (arg2[2]), (arg3[2])); - fiat_secp521r1_cmovznz_u64(&x4, arg1, (arg2[3]), (arg3[3])); - fiat_secp521r1_cmovznz_u64(&x5, arg1, (arg2[4]), (arg3[4])); - fiat_secp521r1_cmovznz_u64(&x6, arg1, (arg2[5]), (arg3[5])); - fiat_secp521r1_cmovznz_u64(&x7, arg1, (arg2[6]), (arg3[6])); - fiat_secp521r1_cmovznz_u64(&x8, arg1, (arg2[7]), (arg3[7])); - fiat_secp521r1_cmovznz_u64(&x9, arg1, (arg2[8]), (arg3[8])); - out1[0] = x1; - out1[1] = x2; - out1[2] = x3; - out1[3] = x4; - out1[4] = x5; - out1[5] = x6; - out1[6] = x7; - out1[7] = x8; - out1[8] = x9; -} - -/* - * The function fiat_secp521r1_to_bytes serializes a field element to bytes in little-endian order. - * - * Postconditions: - * out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..65] - * - * Output Bounds: - * out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x1]] - */ -static void -fiat_secp521r1_to_bytes( - uint8_t out1[66], const fiat_secp521r1_tight_field_element arg1) -{ - uint64_t x1; - fiat_secp521r1_uint1 x2; - uint64_t x3; - fiat_secp521r1_uint1 x4; - uint64_t x5; - fiat_secp521r1_uint1 x6; - uint64_t x7; - fiat_secp521r1_uint1 x8; - uint64_t x9; - fiat_secp521r1_uint1 x10; - uint64_t x11; - fiat_secp521r1_uint1 x12; - uint64_t x13; - fiat_secp521r1_uint1 x14; - uint64_t x15; - fiat_secp521r1_uint1 x16; - uint64_t x17; - fiat_secp521r1_uint1 x18; - uint64_t x19; - uint64_t x20; - fiat_secp521r1_uint1 x21; - uint64_t x22; - fiat_secp521r1_uint1 x23; - uint64_t x24; - fiat_secp521r1_uint1 x25; - uint64_t x26; - fiat_secp521r1_uint1 x27; - uint64_t x28; - fiat_secp521r1_uint1 x29; - uint64_t x30; - fiat_secp521r1_uint1 x31; - uint64_t x32; - fiat_secp521r1_uint1 x33; - uint64_t x34; - fiat_secp521r1_uint1 x35; - uint64_t x36; - fiat_secp521r1_uint1 x37; - uint64_t x38; - uint64_t x39; - uint64_t x40; - uint64_t x41; - uint64_t x42; - uint64_t x43; - uint8_t x44; - uint64_t x45; - uint8_t x46; - uint64_t x47; - uint8_t x48; - uint64_t x49; - uint8_t x50; - uint64_t x51; - uint8_t x52; - uint64_t x53; - uint8_t x54; - uint64_t x55; - uint8_t x56; - uint8_t x57; - uint64_t x58; - uint8_t x59; - uint64_t x60; - uint8_t x61; - uint64_t x62; - uint8_t x63; - uint64_t x64; - uint8_t x65; - uint64_t x66; - uint8_t x67; - uint64_t x68; - uint8_t x69; - uint64_t x70; - uint8_t x71; - uint8_t x72; - uint64_t x73; - uint8_t x74; - uint64_t x75; - uint8_t x76; - uint64_t x77; - uint8_t x78; - uint64_t x79; - uint8_t x80; - uint64_t x81; - uint8_t x82; - uint64_t x83; - uint8_t x84; - uint64_t x85; - uint8_t x86; - uint8_t x87; - uint64_t x88; - uint8_t x89; - uint64_t x90; - uint8_t x91; - uint64_t x92; - uint8_t x93; - uint64_t x94; - uint8_t x95; - uint64_t x96; - uint8_t x97; - uint64_t x98; - uint8_t x99; - uint64_t x100; - uint8_t x101; - uint8_t x102; - uint8_t x103; - uint64_t x104; - uint8_t x105; - uint64_t x106; - uint8_t x107; - uint64_t x108; - uint8_t x109; - uint64_t x110; - uint8_t x111; - uint64_t x112; - uint8_t x113; - uint64_t x114; - uint8_t x115; - uint8_t x116; - uint64_t x117; - uint8_t x118; - uint64_t x119; - uint8_t x120; - uint64_t x121; - uint8_t x122; - uint64_t x123; - uint8_t x124; - uint64_t x125; - uint8_t x126; - uint64_t x127; - uint8_t x128; - uint64_t x129; - uint8_t x130; - uint8_t x131; - uint64_t x132; - uint8_t x133; - uint64_t x134; - uint8_t x135; - uint64_t x136; - uint8_t x137; - uint64_t x138; - uint8_t x139; - uint64_t x140; - uint8_t x141; - uint64_t x142; - uint8_t x143; - uint64_t x144; - uint8_t x145; - uint8_t x146; - uint64_t x147; - uint8_t x148; - uint64_t x149; - uint8_t x150; - uint64_t x151; - uint8_t x152; - uint64_t x153; - uint8_t x154; - uint64_t x155; - uint8_t x156; - uint64_t x157; - uint8_t x158; - uint64_t x159; - uint8_t x160; - uint8_t x161; - uint8_t x162; - uint64_t x163; - uint8_t x164; - uint64_t x165; - uint8_t x166; - uint64_t x167; - uint8_t x168; - uint64_t x169; - uint8_t x170; - uint64_t x171; - uint8_t x172; - uint64_t x173; - uint8_t x174; - fiat_secp521r1_uint1 x175; - fiat_secp521r1_subborrowx_u58(&x1, &x2, 0x0, (arg1[0]), - UINT64_C(0x3ffffffffffffff)); - fiat_secp521r1_subborrowx_u58(&x3, &x4, x2, (arg1[1]), - UINT64_C(0x3ffffffffffffff)); - fiat_secp521r1_subborrowx_u58(&x5, &x6, x4, (arg1[2]), - UINT64_C(0x3ffffffffffffff)); - fiat_secp521r1_subborrowx_u58(&x7, &x8, x6, (arg1[3]), - UINT64_C(0x3ffffffffffffff)); - fiat_secp521r1_subborrowx_u58(&x9, &x10, x8, (arg1[4]), - UINT64_C(0x3ffffffffffffff)); - fiat_secp521r1_subborrowx_u58(&x11, &x12, x10, (arg1[5]), - UINT64_C(0x3ffffffffffffff)); - fiat_secp521r1_subborrowx_u58(&x13, &x14, x12, (arg1[6]), - UINT64_C(0x3ffffffffffffff)); - fiat_secp521r1_subborrowx_u58(&x15, &x16, x14, (arg1[7]), - UINT64_C(0x3ffffffffffffff)); - fiat_secp521r1_subborrowx_u57(&x17, &x18, x16, (arg1[8]), - UINT64_C(0x1ffffffffffffff)); - fiat_secp521r1_cmovznz_u64(&x19, x18, 0x0, UINT64_C(0xffffffffffffffff)); - fiat_secp521r1_addcarryx_u58(&x20, &x21, 0x0, x1, - (x19 & UINT64_C(0x3ffffffffffffff))); - fiat_secp521r1_addcarryx_u58(&x22, &x23, x21, x3, - (x19 & UINT64_C(0x3ffffffffffffff))); - fiat_secp521r1_addcarryx_u58(&x24, &x25, x23, x5, - (x19 & UINT64_C(0x3ffffffffffffff))); - fiat_secp521r1_addcarryx_u58(&x26, &x27, x25, x7, - (x19 & UINT64_C(0x3ffffffffffffff))); - fiat_secp521r1_addcarryx_u58(&x28, &x29, x27, x9, - (x19 & UINT64_C(0x3ffffffffffffff))); - fiat_secp521r1_addcarryx_u58(&x30, &x31, x29, x11, - (x19 & UINT64_C(0x3ffffffffffffff))); - fiat_secp521r1_addcarryx_u58(&x32, &x33, x31, x13, - (x19 & UINT64_C(0x3ffffffffffffff))); - fiat_secp521r1_addcarryx_u58(&x34, &x35, x33, x15, - (x19 & UINT64_C(0x3ffffffffffffff))); - fiat_secp521r1_addcarryx_u57(&x36, &x37, x35, x17, - (x19 & UINT64_C(0x1ffffffffffffff))); - x38 = (x34 << 6); - x39 = (x32 << 4); - x40 = (x30 << 2); - x41 = (x26 << 6); - x42 = (x24 << 4); - x43 = (x22 << 2); - x44 = (uint8_t)(x20 & UINT8_C(0xff)); - x45 = (x20 >> 8); - x46 = (uint8_t)(x45 & UINT8_C(0xff)); - x47 = (x45 >> 8); - x48 = (uint8_t)(x47 & UINT8_C(0xff)); - x49 = (x47 >> 8); - x50 = (uint8_t)(x49 & UINT8_C(0xff)); - x51 = (x49 >> 8); - x52 = (uint8_t)(x51 & UINT8_C(0xff)); - x53 = (x51 >> 8); - x54 = (uint8_t)(x53 & UINT8_C(0xff)); - x55 = (x53 >> 8); - x56 = (uint8_t)(x55 & UINT8_C(0xff)); - x57 = (uint8_t)(x55 >> 8); - x58 = (x43 + (uint64_t)x57); - x59 = (uint8_t)(x58 & UINT8_C(0xff)); - x60 = (x58 >> 8); - x61 = (uint8_t)(x60 & UINT8_C(0xff)); - x62 = (x60 >> 8); - x63 = (uint8_t)(x62 & UINT8_C(0xff)); - x64 = (x62 >> 8); - x65 = (uint8_t)(x64 & UINT8_C(0xff)); - x66 = (x64 >> 8); - x67 = (uint8_t)(x66 & UINT8_C(0xff)); - x68 = (x66 >> 8); - x69 = (uint8_t)(x68 & UINT8_C(0xff)); - x70 = (x68 >> 8); - x71 = (uint8_t)(x70 & UINT8_C(0xff)); - x72 = (uint8_t)(x70 >> 8); - x73 = (x42 + (uint64_t)x72); - x74 = (uint8_t)(x73 & UINT8_C(0xff)); - x75 = (x73 >> 8); - x76 = (uint8_t)(x75 & UINT8_C(0xff)); - x77 = (x75 >> 8); - x78 = (uint8_t)(x77 & UINT8_C(0xff)); - x79 = (x77 >> 8); - x80 = (uint8_t)(x79 & UINT8_C(0xff)); - x81 = (x79 >> 8); - x82 = (uint8_t)(x81 & UINT8_C(0xff)); - x83 = (x81 >> 8); - x84 = (uint8_t)(x83 & UINT8_C(0xff)); - x85 = (x83 >> 8); - x86 = (uint8_t)(x85 & UINT8_C(0xff)); - x87 = (uint8_t)(x85 >> 8); - x88 = (x41 + (uint64_t)x87); - x89 = (uint8_t)(x88 & UINT8_C(0xff)); - x90 = (x88 >> 8); - x91 = (uint8_t)(x90 & UINT8_C(0xff)); - x92 = (x90 >> 8); - x93 = (uint8_t)(x92 & UINT8_C(0xff)); - x94 = (x92 >> 8); - x95 = (uint8_t)(x94 & UINT8_C(0xff)); - x96 = (x94 >> 8); - x97 = (uint8_t)(x96 & UINT8_C(0xff)); - x98 = (x96 >> 8); - x99 = (uint8_t)(x98 & UINT8_C(0xff)); - x100 = (x98 >> 8); - x101 = (uint8_t)(x100 & UINT8_C(0xff)); - x102 = (uint8_t)(x100 >> 8); - x103 = (uint8_t)(x28 & UINT8_C(0xff)); - x104 = (x28 >> 8); - x105 = (uint8_t)(x104 & UINT8_C(0xff)); - x106 = (x104 >> 8); - x107 = (uint8_t)(x106 & UINT8_C(0xff)); - x108 = (x106 >> 8); - x109 = (uint8_t)(x108 & UINT8_C(0xff)); - x110 = (x108 >> 8); - x111 = (uint8_t)(x110 & UINT8_C(0xff)); - x112 = (x110 >> 8); - x113 = (uint8_t)(x112 & UINT8_C(0xff)); - x114 = (x112 >> 8); - x115 = (uint8_t)(x114 & UINT8_C(0xff)); - x116 = (uint8_t)(x114 >> 8); - x117 = (x40 + (uint64_t)x116); - x118 = (uint8_t)(x117 & UINT8_C(0xff)); - x119 = (x117 >> 8); - x120 = (uint8_t)(x119 & UINT8_C(0xff)); - x121 = (x119 >> 8); - x122 = (uint8_t)(x121 & UINT8_C(0xff)); - x123 = (x121 >> 8); - x124 = (uint8_t)(x123 & UINT8_C(0xff)); - x125 = (x123 >> 8); - x126 = (uint8_t)(x125 & UINT8_C(0xff)); - x127 = (x125 >> 8); - x128 = (uint8_t)(x127 & UINT8_C(0xff)); - x129 = (x127 >> 8); - x130 = (uint8_t)(x129 & UINT8_C(0xff)); - x131 = (uint8_t)(x129 >> 8); - x132 = (x39 + (uint64_t)x131); - x133 = (uint8_t)(x132 & UINT8_C(0xff)); - x134 = (x132 >> 8); - x135 = (uint8_t)(x134 & UINT8_C(0xff)); - x136 = (x134 >> 8); - x137 = (uint8_t)(x136 & UINT8_C(0xff)); - x138 = (x136 >> 8); - x139 = (uint8_t)(x138 & UINT8_C(0xff)); - x140 = (x138 >> 8); - x141 = (uint8_t)(x140 & UINT8_C(0xff)); - x142 = (x140 >> 8); - x143 = (uint8_t)(x142 & UINT8_C(0xff)); - x144 = (x142 >> 8); - x145 = (uint8_t)(x144 & UINT8_C(0xff)); - x146 = (uint8_t)(x144 >> 8); - x147 = (x38 + (uint64_t)x146); - x148 = (uint8_t)(x147 & UINT8_C(0xff)); - x149 = (x147 >> 8); - x150 = (uint8_t)(x149 & UINT8_C(0xff)); - x151 = (x149 >> 8); - x152 = (uint8_t)(x151 & UINT8_C(0xff)); - x153 = (x151 >> 8); - x154 = (uint8_t)(x153 & UINT8_C(0xff)); - x155 = (x153 >> 8); - x156 = (uint8_t)(x155 & UINT8_C(0xff)); - x157 = (x155 >> 8); - x158 = (uint8_t)(x157 & UINT8_C(0xff)); - x159 = (x157 >> 8); - x160 = (uint8_t)(x159 & UINT8_C(0xff)); - x161 = (uint8_t)(x159 >> 8); - x162 = (uint8_t)(x36 & UINT8_C(0xff)); - x163 = (x36 >> 8); - x164 = (uint8_t)(x163 & UINT8_C(0xff)); - x165 = (x163 >> 8); - x166 = (uint8_t)(x165 & UINT8_C(0xff)); - x167 = (x165 >> 8); - x168 = (uint8_t)(x167 & UINT8_C(0xff)); - x169 = (x167 >> 8); - x170 = (uint8_t)(x169 & UINT8_C(0xff)); - x171 = (x169 >> 8); - x172 = (uint8_t)(x171 & UINT8_C(0xff)); - x173 = (x171 >> 8); - x174 = (uint8_t)(x173 & UINT8_C(0xff)); - x175 = (fiat_secp521r1_uint1)(x173 >> 8); - out1[0] = x44; - out1[1] = x46; - out1[2] = x48; - out1[3] = x50; - out1[4] = x52; - out1[5] = x54; - out1[6] = x56; - out1[7] = x59; - out1[8] = x61; - out1[9] = x63; - out1[10] = x65; - out1[11] = x67; - out1[12] = x69; - out1[13] = x71; - out1[14] = x74; - out1[15] = x76; - out1[16] = x78; - out1[17] = x80; - out1[18] = x82; - out1[19] = x84; - out1[20] = x86; - out1[21] = x89; - out1[22] = x91; - out1[23] = x93; - out1[24] = x95; - out1[25] = x97; - out1[26] = x99; - out1[27] = x101; - out1[28] = x102; - out1[29] = x103; - out1[30] = x105; - out1[31] = x107; - out1[32] = x109; - out1[33] = x111; - out1[34] = x113; - out1[35] = x115; - out1[36] = x118; - out1[37] = x120; - out1[38] = x122; - out1[39] = x124; - out1[40] = x126; - out1[41] = x128; - out1[42] = x130; - out1[43] = x133; - out1[44] = x135; - out1[45] = x137; - out1[46] = x139; - out1[47] = x141; - out1[48] = x143; - out1[49] = x145; - out1[50] = x148; - out1[51] = x150; - out1[52] = x152; - out1[53] = x154; - out1[54] = x156; - out1[55] = x158; - out1[56] = x160; - out1[57] = x161; - out1[58] = x162; - out1[59] = x164; - out1[60] = x166; - out1[61] = x168; - out1[62] = x170; - out1[63] = x172; - out1[64] = x174; - out1[65] = x175; -} - -/* - * The function fiat_secp521r1_from_bytes deserializes a field element from bytes in little-endian order. - * - * Postconditions: - * eval out1 mod m = bytes_eval arg1 mod m - * - * Input Bounds: - * arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x1]] - */ -static void -fiat_secp521r1_from_bytes(fiat_secp521r1_tight_field_element out1, - const uint8_t arg1[66]) -{ - uint64_t x1; - uint64_t x2; - uint64_t x3; - uint64_t x4; - uint64_t x5; - uint64_t x6; - uint64_t x7; - uint8_t x8; - uint64_t x9; - uint64_t x10; - uint64_t x11; - uint64_t x12; - uint64_t x13; - uint64_t x14; - uint64_t x15; - uint64_t x16; - uint64_t x17; - uint64_t x18; - uint64_t x19; - uint64_t x20; - uint64_t x21; - uint64_t x22; - uint64_t x23; - uint64_t x24; - uint64_t x25; - uint64_t x26; - uint64_t x27; - uint64_t x28; - uint64_t x29; - uint64_t x30; - uint64_t x31; - uint64_t x32; - uint64_t x33; - uint64_t x34; - uint64_t x35; - uint64_t x36; - uint8_t x37; - uint64_t x38; - uint64_t x39; - uint64_t x40; - uint64_t x41; - uint64_t x42; - uint64_t x43; - uint64_t x44; - uint64_t x45; - uint64_t x46; - uint64_t x47; - uint64_t x48; - uint64_t x49; - uint64_t x50; - uint64_t x51; - uint64_t x52; - uint64_t x53; - uint64_t x54; - uint64_t x55; - uint64_t x56; - uint64_t x57; - uint64_t x58; - uint64_t x59; - uint64_t x60; - uint64_t x61; - uint64_t x62; - uint64_t x63; - uint64_t x64; - uint64_t x65; - uint8_t x66; - uint64_t x67; - uint64_t x68; - uint64_t x69; - uint64_t x70; - uint64_t x71; - uint64_t x72; - uint64_t x73; - uint64_t x74; - uint8_t x75; - uint64_t x76; - uint64_t x77; - uint64_t x78; - uint64_t x79; - uint64_t x80; - uint64_t x81; - uint64_t x82; - uint64_t x83; - uint8_t x84; - uint64_t x85; - uint64_t x86; - uint64_t x87; - uint64_t x88; - uint64_t x89; - uint64_t x90; - uint64_t x91; - uint64_t x92; - uint8_t x93; - uint64_t x94; - uint64_t x95; - uint64_t x96; - uint64_t x97; - uint64_t x98; - uint64_t x99; - uint64_t x100; - uint64_t x101; - uint64_t x102; - uint64_t x103; - uint64_t x104; - uint64_t x105; - uint64_t x106; - uint64_t x107; - uint64_t x108; - uint8_t x109; - uint64_t x110; - uint64_t x111; - uint64_t x112; - uint64_t x113; - uint64_t x114; - uint64_t x115; - uint64_t x116; - uint64_t x117; - uint8_t x118; - uint64_t x119; - uint64_t x120; - uint64_t x121; - uint64_t x122; - uint64_t x123; - uint64_t x124; - uint64_t x125; - uint64_t x126; - uint8_t x127; - uint64_t x128; - uint64_t x129; - uint64_t x130; - uint64_t x131; - uint64_t x132; - uint64_t x133; - uint64_t x134; - uint64_t x135; - uint64_t x136; - uint64_t x137; - uint64_t x138; - uint64_t x139; - uint64_t x140; - uint64_t x141; - x1 = ((uint64_t)(fiat_secp521r1_uint1)(arg1[65]) << 56); - x2 = ((uint64_t)(arg1[64]) << 48); - x3 = ((uint64_t)(arg1[63]) << 40); - x4 = ((uint64_t)(arg1[62]) << 32); - x5 = ((uint64_t)(arg1[61]) << 24); - x6 = ((uint64_t)(arg1[60]) << 16); - x7 = ((uint64_t)(arg1[59]) << 8); - x8 = (arg1[58]); - x9 = ((uint64_t)(arg1[57]) << 50); - x10 = ((uint64_t)(arg1[56]) << 42); - x11 = ((uint64_t)(arg1[55]) << 34); - x12 = ((uint64_t)(arg1[54]) << 26); - x13 = ((uint64_t)(arg1[53]) << 18); - x14 = ((uint64_t)(arg1[52]) << 10); - x15 = ((uint64_t)(arg1[51]) << 2); - x16 = ((uint64_t)(arg1[50]) << 52); - x17 = ((uint64_t)(arg1[49]) << 44); - x18 = ((uint64_t)(arg1[48]) << 36); - x19 = ((uint64_t)(arg1[47]) << 28); - x20 = ((uint64_t)(arg1[46]) << 20); - x21 = ((uint64_t)(arg1[45]) << 12); - x22 = ((uint64_t)(arg1[44]) << 4); - x23 = ((uint64_t)(arg1[43]) << 54); - x24 = ((uint64_t)(arg1[42]) << 46); - x25 = ((uint64_t)(arg1[41]) << 38); - x26 = ((uint64_t)(arg1[40]) << 30); - x27 = ((uint64_t)(arg1[39]) << 22); - x28 = ((uint64_t)(arg1[38]) << 14); - x29 = ((uint64_t)(arg1[37]) << 6); - x30 = ((uint64_t)(arg1[36]) << 56); - x31 = ((uint64_t)(arg1[35]) << 48); - x32 = ((uint64_t)(arg1[34]) << 40); - x33 = ((uint64_t)(arg1[33]) << 32); - x34 = ((uint64_t)(arg1[32]) << 24); - x35 = ((uint64_t)(arg1[31]) << 16); - x36 = ((uint64_t)(arg1[30]) << 8); - x37 = (arg1[29]); - x38 = ((uint64_t)(arg1[28]) << 50); - x39 = ((uint64_t)(arg1[27]) << 42); - x40 = ((uint64_t)(arg1[26]) << 34); - x41 = ((uint64_t)(arg1[25]) << 26); - x42 = ((uint64_t)(arg1[24]) << 18); - x43 = ((uint64_t)(arg1[23]) << 10); - x44 = ((uint64_t)(arg1[22]) << 2); - x45 = ((uint64_t)(arg1[21]) << 52); - x46 = ((uint64_t)(arg1[20]) << 44); - x47 = ((uint64_t)(arg1[19]) << 36); - x48 = ((uint64_t)(arg1[18]) << 28); - x49 = ((uint64_t)(arg1[17]) << 20); - x50 = ((uint64_t)(arg1[16]) << 12); - x51 = ((uint64_t)(arg1[15]) << 4); - x52 = ((uint64_t)(arg1[14]) << 54); - x53 = ((uint64_t)(arg1[13]) << 46); - x54 = ((uint64_t)(arg1[12]) << 38); - x55 = ((uint64_t)(arg1[11]) << 30); - x56 = ((uint64_t)(arg1[10]) << 22); - x57 = ((uint64_t)(arg1[9]) << 14); - x58 = ((uint64_t)(arg1[8]) << 6); - x59 = ((uint64_t)(arg1[7]) << 56); - x60 = ((uint64_t)(arg1[6]) << 48); - x61 = ((uint64_t)(arg1[5]) << 40); - x62 = ((uint64_t)(arg1[4]) << 32); - x63 = ((uint64_t)(arg1[3]) << 24); - x64 = ((uint64_t)(arg1[2]) << 16); - x65 = ((uint64_t)(arg1[1]) << 8); - x66 = (arg1[0]); - x67 = (x65 + (uint64_t)x66); - x68 = (x64 + x67); - x69 = (x63 + x68); - x70 = (x62 + x69); - x71 = (x61 + x70); - x72 = (x60 + x71); - x73 = (x59 + x72); - x74 = (x73 & UINT64_C(0x3ffffffffffffff)); - x75 = (uint8_t)(x73 >> 58); - x76 = (x58 + (uint64_t)x75); - x77 = (x57 + x76); - x78 = (x56 + x77); - x79 = (x55 + x78); - x80 = (x54 + x79); - x81 = (x53 + x80); - x82 = (x52 + x81); - x83 = (x82 & UINT64_C(0x3ffffffffffffff)); - x84 = (uint8_t)(x82 >> 58); - x85 = (x51 + (uint64_t)x84); - x86 = (x50 + x85); - x87 = (x49 + x86); - x88 = (x48 + x87); - x89 = (x47 + x88); - x90 = (x46 + x89); - x91 = (x45 + x90); - x92 = (x91 & UINT64_C(0x3ffffffffffffff)); - x93 = (uint8_t)(x91 >> 58); - x94 = (x44 + (uint64_t)x93); - x95 = (x43 + x94); - x96 = (x42 + x95); - x97 = (x41 + x96); - x98 = (x40 + x97); - x99 = (x39 + x98); - x100 = (x38 + x99); - x101 = (x36 + (uint64_t)x37); - x102 = (x35 + x101); - x103 = (x34 + x102); - x104 = (x33 + x103); - x105 = (x32 + x104); - x106 = (x31 + x105); - x107 = (x30 + x106); - x108 = (x107 & UINT64_C(0x3ffffffffffffff)); - x109 = (uint8_t)(x107 >> 58); - x110 = (x29 + (uint64_t)x109); - x111 = (x28 + x110); - x112 = (x27 + x111); - x113 = (x26 + x112); - x114 = (x25 + x113); - x115 = (x24 + x114); - x116 = (x23 + x115); - x117 = (x116 & UINT64_C(0x3ffffffffffffff)); - x118 = (uint8_t)(x116 >> 58); - x119 = (x22 + (uint64_t)x118); - x120 = (x21 + x119); - x121 = (x20 + x120); - x122 = (x19 + x121); - x123 = (x18 + x122); - x124 = (x17 + x123); - x125 = (x16 + x124); - x126 = (x125 & UINT64_C(0x3ffffffffffffff)); - x127 = (uint8_t)(x125 >> 58); - x128 = (x15 + (uint64_t)x127); - x129 = (x14 + x128); - x130 = (x13 + x129); - x131 = (x12 + x130); - x132 = (x11 + x131); - x133 = (x10 + x132); - x134 = (x9 + x133); - x135 = (x7 + (uint64_t)x8); - x136 = (x6 + x135); - x137 = (x5 + x136); - x138 = (x4 + x137); - x139 = (x3 + x138); - x140 = (x2 + x139); - x141 = (x1 + x140); - out1[0] = x74; - out1[1] = x83; - out1[2] = x92; - out1[3] = x100; - out1[4] = x108; - out1[5] = x117; - out1[6] = x126; - out1[7] = x134; - out1[8] = x141; -} - -/* END verbatim fiat code */ - -/* curve-related constants */ - -static const limb_t const_one[9] = { - UINT64_C(0x0000000000000001), UINT64_C(0x0000000000000000), - UINT64_C(0x0000000000000000), UINT64_C(0x0000000000000000), - UINT64_C(0x0000000000000000), UINT64_C(0x0000000000000000), - UINT64_C(0x0000000000000000), UINT64_C(0x0000000000000000), - UINT64_C(0x0000000000000000) -}; - -static const limb_t const_b[9] = { - UINT64_C(0x03451FD46B503F00), UINT64_C(0x00F7E20F4B0D3C7B), - UINT64_C(0x000BD3BB1BF07357), UINT64_C(0x0147B1FA4DEC594B), - UINT64_C(0x018EF109E1561939), UINT64_C(0x026CC57CEE2D2264), - UINT64_C(0x00540EEA2DA725B9), UINT64_C(0x02687E4A688682DA), - UINT64_C(0x0051953EB9618E1C) -}; - -/* LUT for scalar multiplication by comb interleaving */ -static const pt_aff_t lut_cmb[13][16] = { - { - { { UINT64_C(0x017E7E31C2E5BD66), UINT64_C(0x022CF0615A90A6FE), - UINT64_C(0x00127A2FFA8DE334), UINT64_C(0x01DFBF9D64A3F877), - UINT64_C(0x006B4D3DBAA14B5E), UINT64_C(0x014FED487E0A2BD8), - UINT64_C(0x015B4429C6481390), UINT64_C(0x03A73678FB2D988E), - UINT64_C(0x00C6858E06B70404) }, - { UINT64_C(0x00BE94769FD16650), UINT64_C(0x031C21A89CB09022), - UINT64_C(0x039013FAD0761353), UINT64_C(0x02657BD099031542), - UINT64_C(0x03273E662C97EE72), UINT64_C(0x01E6D11A05EBEF45), - UINT64_C(0x03D1BD998F544495), UINT64_C(0x03001172297ED0B1), - UINT64_C(0x011839296A789A3B) } }, - { { UINT64_C(0x01919D2EDE37AD7D), UINT64_C(0x0124218B0CBA8169), - UINT64_C(0x03D16B59FE21BAEB), UINT64_C(0x0128E920C814769A), - UINT64_C(0x012D7A8DD1AD3F16), UINT64_C(0x008F66AE796B5E84), - UINT64_C(0x0159479B52A6E5B1), UINT64_C(0x0065776475A992D6), - UINT64_C(0x01A73D352443DE29) }, - { UINT64_C(0x03588CA1EE86C0E5), UINT64_C(0x01726F24E9641097), - UINT64_C(0x00ED1DEC3C70CF10), UINT64_C(0x033E3715D6C0B56B), - UINT64_C(0x03A355CEEC2E2DD4), UINT64_C(0x02A740C5F4BE2AC7), - UINT64_C(0x03814F2F1557FA82), UINT64_C(0x0377665E7E1B1B2A), - UINT64_C(0x013E9B03B97DFA62) } }, - { { UINT64_C(0x01AB5096EC8F3078), UINT64_C(0x01F879B624C5CE35), - UINT64_C(0x03EAF137E79A329D), UINT64_C(0x01B578C0508DC44B), - UINT64_C(0x00F177ACE4383C0C), UINT64_C(0x014FC34933C0F6AE), - UINT64_C(0x00EB0BF7A596EFDB), UINT64_C(0x00CB1CF6F0CE4701), - UINT64_C(0x00652BF3C52927A4) }, - { UINT64_C(0x033CC3E8DEB090CB), UINT64_C(0x0001C95CD53DFE05), - UINT64_C(0x000211CF5FF79D1F), UINT64_C(0x03241CB3CDD0C455), - UINT64_C(0x01A0347087BB6897), UINT64_C(0x01CB80147B7605F2), - UINT64_C(0x00112911CD8FE8E8), UINT64_C(0x035BB228ADCC452A), - UINT64_C(0x015BE6EF1BDD6601) } }, - { { UINT64_C(0x01CEAD882816ECD4), UINT64_C(0x014FD43F70986680), - UINT64_C(0x01F30DCE3BBC46F9), UINT64_C(0x002AFF1A6363269B), - UINT64_C(0x02F7114C5D8C308D), UINT64_C(0x01520C8A3C0634B0), - UINT64_C(0x0073A0C5F22E0E8F), UINT64_C(0x018D1BBAD97F682C), - UINT64_C(0x0056D5D1D99D5B7F) }, - { UINT64_C(0x006B8BC90525251B), UINT64_C(0x019C4A9777BF1ED7), - UINT64_C(0x0234591CE1A5F9E7), UINT64_C(0x024F37B278AE548E), - UINT64_C(0x0226CBDE556BD0F2), UINT64_C(0x02093C375C76F662), - UINT64_C(0x0168478B5C582D02), UINT64_C(0x0284434760C5E8E7), - UINT64_C(0x003D2D1B7D9BAAA2) } }, - { { UINT64_C(0x0345627967CBE207), UINT64_C(0x002EAF61734A1987), - UINT64_C(0x016DF725A318F4F5), UINT64_C(0x00E584D368D7CF15), - UINT64_C(0x01B8C6B6657429E1), UINT64_C(0x0221D1A64B12AC51), - UINT64_C(0x016D488ED34541B9), UINT64_C(0x00609A8BD6FC55C5), - UINT64_C(0x01585389E359E1E2) }, - { UINT64_C(0x02A0EA86B9AD2A4E), UINT64_C(0x030ABA4A2203CD0E), - UINT64_C(0x02ECF4ABFD87D736), UINT64_C(0x01D5815EB2103FD5), - UINT64_C(0x023DDB446E0D69E5), UINT64_C(0x03873AEDB2096E89), - UINT64_C(0x02E938E3088A654E), UINT64_C(0x03CE7C2D5555E89E), - UINT64_C(0x002A2E618C9A8AED) } }, - { { UINT64_C(0x00C0E02DDA0CDB9A), UINT64_C(0x030093E9326A40BB), - UINT64_C(0x01AEBE3191085015), UINT64_C(0x00CC998F686F466C), - UINT64_C(0x00F2991652F3DBC5), UINT64_C(0x0305E12550FBCB15), - UINT64_C(0x00315CFED5DC7ED7), UINT64_C(0x03FD51BC68E55CED), - UINT64_C(0x008A75841259FDED) }, - { UINT64_C(0x00874F92CE48C808), UINT64_C(0x032038FD2066D756), - UINT64_C(0x0331914A95336DCA), UINT64_C(0x003A2D0A92ACE248), - UINT64_C(0x00E0B9B82B1BC8A9), UINT64_C(0x002F4124FB4BA575), - UINT64_C(0x00FB2293ADD56621), UINT64_C(0x00A6127432A1DC15), - UINT64_C(0x0096FB303FCBBA21) } }, - { { UINT64_C(0x0087848D32FBCDA7), UINT64_C(0x030EC02ACE3BFE06), - UINT64_C(0x025E79AB88EE94BE), UINT64_C(0x002380F265A8D542), - UINT64_C(0x02AF5B866132C459), UINT64_C(0x006D308E13BB74AF), - UINT64_C(0x024861A93F736CDE), UINT64_C(0x02B6735E1974AD24), - UINT64_C(0x007E3E98F984C396) }, - { UINT64_C(0x011A01FB022A71C9), UINT64_C(0x027AABE445FA7DCA), - UINT64_C(0x01D351CBFBBC3619), UINT64_C(0x0160E2F1D8FC9B7F), - UINT64_C(0x025C1E212AC1BD5D), UINT64_C(0x03550871A71E99EB), - UINT64_C(0x02D5A08CED50A386), UINT64_C(0x03B6A468649B6A8F), - UINT64_C(0x0108EE58EB6D781F) } }, - { { UINT64_C(0x01AFE337BCB8DB55), UINT64_C(0x0365A6078FE4AF7A), - UINT64_C(0x03D1C8FC0331D9B8), UINT64_C(0x009F6F403FF9E1D6), - UINT64_C(0x02DF128E11B91CCE), UINT64_C(0x01028214B5A5ED4C), - UINT64_C(0x014300FB8FBCC30B), UINT64_C(0x0197C105563F151B), - UINT64_C(0x006B6AD89ABCB924) }, - { UINT64_C(0x02343480A1475465), UINT64_C(0x036433111AAF7655), - UINT64_C(0x022232C96C99246F), UINT64_C(0x0322651C2A008523), - UINT64_C(0x0197485ED57E9062), UINT64_C(0x02B4832E92D8841A), - UINT64_C(0x02DBF63DF0496A9B), UINT64_C(0x0075A9F399348CCF), - UINT64_C(0x01B468DA27157139) } }, - { { UINT64_C(0x02F817A853110AE0), UINT64_C(0x00C10ABC3469041D), - UINT64_C(0x0399B5681380FF8C), UINT64_C(0x0399D3F80A1F7D39), - UINT64_C(0x0269250858760A69), UINT64_C(0x03E8ACED3599493C), - UINT64_C(0x023906A99EE9E269), UINT64_C(0x03684E82E1D19164), - UINT64_C(0x01B00DDB707F130E) }, - { UINT64_C(0x01B9CB7C70E64647), UINT64_C(0x00156530ADD57D4D), - UINT64_C(0x0357F16ADF420E69), UINT64_C(0x013BDB742FC34BD9), - UINT64_C(0x0322A1323DF9DA56), UINT64_C(0x01A6442A635A2B0A), - UINT64_C(0x01DD106B799534CF), UINT64_C(0x01DB6F04475392BB), - UINT64_C(0x0085683F1D7DB165) } }, - { { UINT64_C(0x00FF0B2418D6A19B), UINT64_C(0x03D0C79C96EF791E), - UINT64_C(0x0157D7A45970DFEC), UINT64_C(0x0258D899A59E48C9), - UINT64_C(0x033790E7F1FA3B30), UINT64_C(0x0177D51FBFFC2B36), - UINT64_C(0x021A07245B77E075), UINT64_C(0x00D21F03E5230B56), - UINT64_C(0x00998DCCE486419C) }, - { UINT64_C(0x01091A695BFD0575), UINT64_C(0x013627AA7EFF912A), - UINT64_C(0x039991631C377F5A), UINT64_C(0x00FFCBAE33E6C3B0), - UINT64_C(0x036545772773AD96), UINT64_C(0x02DEF3D2B3143BB8), - UINT64_C(0x01B245D67D28AEE2), UINT64_C(0x03B5730E50925D4D), - UINT64_C(0x0137D5DA0626A021) } }, - { { UINT64_C(0x02EF399693C8C9ED), UINT64_C(0x032480E4E91B4B50), - UINT64_C(0x03EAED827D75B37A), UINT64_C(0x02B9358A8C276525), - UINT64_C(0x019C467FA946257E), UINT64_C(0x03B457A606548F9D), - UINT64_C(0x02D3B10268BB98C2), UINT64_C(0x034BECF321542167), - UINT64_C(0x01A1CBB2C11A742B) }, - { UINT64_C(0x020BC43C9CBA4DF5), UINT64_C(0x02C3C5D92732D879), - UINT64_C(0x03A372C63EEC57C9), UINT64_C(0x014F6920CA56FAD0), - UINT64_C(0x036BAFA7F7DF741A), UINT64_C(0x01464F9B06028A5B), - UINT64_C(0x000CE62E83C0059C), UINT64_C(0x00F520B04B69F179), - UINT64_C(0x011A209D7D4F8EEB) } }, - { { UINT64_C(0x01C6A5ECE2AF535C), UINT64_C(0x007C6B09AB9601A8), - UINT64_C(0x038E9A5EC53E207E), UINT64_C(0x03F26BD6C2BFA78F), - UINT64_C(0x010CDD45101F6F83), UINT64_C(0x0217ECA0924348D3), - UINT64_C(0x0147B8EEE7A39BA7), UINT64_C(0x024DDB6C72B3B17D), - UINT64_C(0x01AE0B275D729015) }, - { UINT64_C(0x0015C3536FA0D000), UINT64_C(0x02D1142A348E15B6), - UINT64_C(0x0327BB07DD0C2213), UINT64_C(0x0187BA5FF3D0F09E), - UINT64_C(0x0044C2DC0E108433), UINT64_C(0x0034160CAD0C591E), - UINT64_C(0x028471C7D759FF89), UINT64_C(0x00E019A28A163F01), - UINT64_C(0x00F2C97A825E5385) } }, - { { UINT64_C(0x038C2460BF70ACE0), UINT64_C(0x0383AC70974FEC4F), - UINT64_C(0x03E2AA648FF27E41), UINT64_C(0x0245F0DBB9355BA1), - UINT64_C(0x005499994AA91856), UINT64_C(0x006C41EC471DCB23), - UINT64_C(0x01FF9D2007310265), UINT64_C(0x0060D28D61D29BD7), - UINT64_C(0x0154E84C6D5C5A9A) }, - { UINT64_C(0x0325BCE404C78230), UINT64_C(0x038A9519CB9ADB50), - UINT64_C(0x0370A6A5972F5EED), UINT64_C(0x00D5CBEF06834788), - UINT64_C(0x00151666A6DEE354), UINT64_C(0x0008A831FD9B0A22), - UINT64_C(0x0360D3F15A923EB0), UINT64_C(0x011CEB88A8A3E02E), - UINT64_C(0x00CD0FDCE9171910) } }, - { { UINT64_C(0x017643017002D68B), UINT64_C(0x01581124BB115A0D), - UINT64_C(0x03AEDA0D3163CB21), UINT64_C(0x00F69C67520D44D4), - UINT64_C(0x03E135854D80B212), UINT64_C(0x0393E18B0CFCD461), - UINT64_C(0x01E646F8739535D0), UINT64_C(0x02DA9D8A9353AE22), - UINT64_C(0x0160373EDF8218F9) }, - { UINT64_C(0x03E6AECA5D90B740), UINT64_C(0x03FF9C27516B2CFC), - UINT64_C(0x034F4A8BB572E463), UINT64_C(0x007B64BAF1504EE1), - UINT64_C(0x021A1B22011EFA49), UINT64_C(0x03D4B0EED295BDE3), - UINT64_C(0x006A3FA9FD193C5C), UINT64_C(0x038717960A1006B0), - UINT64_C(0x00F1597050014DCF) } }, - { { UINT64_C(0x003927618EDA25DC), UINT64_C(0x0361657547DB658B), - UINT64_C(0x02B8E847FFB9EF33), UINT64_C(0x001A1DB5CA45000E), - UINT64_C(0x037664A1305CA9BC), UINT64_C(0x0218997B0A2FBCE3), - UINT64_C(0x01A085FF9F45131E), UINT64_C(0x00A1F6CF07EFF2D9), - UINT64_C(0x0174C644D6C94B68) }, - { UINT64_C(0x007BBBC4821A0C30), UINT64_C(0x02649F09BAEFEF46), - UINT64_C(0x0332D706D303F067), UINT64_C(0x0254B383642D4309), - UINT64_C(0x0395AD34B7BE0E21), UINT64_C(0x02D9107F2D73D7AD), - UINT64_C(0x037B7820233EF8FC), UINT64_C(0x0279A016B3256D06), - UINT64_C(0x011AF3A7C2F87F41) } }, - { { UINT64_C(0x0257D0E0C16A8803), UINT64_C(0x03ED792238920488), - UINT64_C(0x001AC09CD6B220DC), UINT64_C(0x02A4132750A7F053), - UINT64_C(0x00A5E7726CD65543), UINT64_C(0x01F0A9985C982A0F), - UINT64_C(0x0307B7DB57458965), UINT64_C(0x01985401A96336DC), - UINT64_C(0x00D8E9920CF30F0C) }, - { UINT64_C(0x024677C739792D19), UINT64_C(0x02F65F1ED50C62B2), - UINT64_C(0x0068CAE4CC263AA1), UINT64_C(0x00C913451E404E6A), - UINT64_C(0x00BED1AA30F76B8C), UINT64_C(0x03C4320182BBEDCB), - UINT64_C(0x00A30EC8B5406328), UINT64_C(0x00E61F7C2704E885), - UINT64_C(0x0127B023B5454A66) } }, - }, - { - { { UINT64_C(0x00E9E114E43C6A8B), UINT64_C(0x027E2C20105A2E23), - UINT64_C(0x03D5B5FA745094EE), UINT64_C(0x01337080223BD7FF), - UINT64_C(0x00D8CCA5AD4589D8), UINT64_C(0x0132DCA140336E19), - UINT64_C(0x0302098FAB8EE167), UINT64_C(0x00625B5791BF1AAD), - UINT64_C(0x01ECCAEB2EF79CDB) }, - { UINT64_C(0x01886BBC26B04438), UINT64_C(0x004F43B6559C663D), - UINT64_C(0x035D8CA99B91E616), UINT64_C(0x01354ED06659D27A), - UINT64_C(0x0054DF4765586194), UINT64_C(0x021052BBF70881C7), - UINT64_C(0x031C5EA1F6288A8B), UINT64_C(0x018AC1ACD36CBDFF), - UINT64_C(0x002E5EDF2873FF52) } }, - { { UINT64_C(0x0192DA26804ED5E3), UINT64_C(0x019DEC17F31925DE), - UINT64_C(0x01585208EBD95AC4), UINT64_C(0x039C6674D066C682), - UINT64_C(0x000715A11D1C0CFA), UINT64_C(0x032AD56C1F218BD5), - UINT64_C(0x0310FABD23E934F9), UINT64_C(0x009AF7F574942B50), - UINT64_C(0x005E0976782CAEF4) }, - { UINT64_C(0x038B0A7A2A7D5B37), UINT64_C(0x0315653FB7DA77BD), - UINT64_C(0x023F157F76616F31), UINT64_C(0x03C8C103329ACAE7), - UINT64_C(0x005A72502EE9CFA2), UINT64_C(0x03204345A2A46FC3), - UINT64_C(0x03666DC71F8A5B63), UINT64_C(0x01671725C07390A9), - UINT64_C(0x01E82DA80D6C216A) } }, - { { UINT64_C(0x02F28395A29D2024), UINT64_C(0x031A09859C9B6A2D), - UINT64_C(0x0047073FD20F177A), UINT64_C(0x03D961594C7CA571), - UINT64_C(0x019555237A9B2EC3), UINT64_C(0x029EFFFB7289E9D9), - UINT64_C(0x008D541E497546F7), UINT64_C(0x0270E93D46DCEE94), - UINT64_C(0x00396B23A204BEFD) }, - { UINT64_C(0x024295052DDD93A9), UINT64_C(0x0081670F33C07709), - UINT64_C(0x00B1D851D4CDFDA9), UINT64_C(0x014DF8329142BB29), - UINT64_C(0x00CDDB9A15F7FCFB), UINT64_C(0x0225454F3A1F5B86), - UINT64_C(0x01A46C8B126C191D), UINT64_C(0x03D3D3229D104DF9), - UINT64_C(0x018B36AD8A91DE12) } }, - { { UINT64_C(0x008FA75A590E92D6), UINT64_C(0x02223AFBB681AD2D), - UINT64_C(0x000DD9E71FEC0AB1), UINT64_C(0x03B4A988F4ABFEC5), - UINT64_C(0x02BDD3FD9A8FB4C8), UINT64_C(0x037A5B9AD9171110), - UINT64_C(0x0225D2934ADB68F2), UINT64_C(0x008BA6F5E067B164), - UINT64_C(0x014EA0A8B0C5768B) }, - { UINT64_C(0x000AB8407662F537), UINT64_C(0x02F781E22DFF31BF), - UINT64_C(0x03E22656A1F21F75), UINT64_C(0x01054C62C579B73D), - UINT64_C(0x0177A8529E6C1116), UINT64_C(0x03211865DCC5D46F), - UINT64_C(0x012706123E7C2723), UINT64_C(0x0396C31AADED99AB), - UINT64_C(0x01637E315762AAD0) } }, - { { UINT64_C(0x03847D336B9839DA), UINT64_C(0x02200E98133D266E), - UINT64_C(0x0039A8261B62D7DC), UINT64_C(0x033295F072A9D5EA), - UINT64_C(0x000C3FE4DCCB2B2A), UINT64_C(0x03907B7861011A91), - UINT64_C(0x023BC0EFEDB5EE58), UINT64_C(0x0288D6CD63BC03CD), - UINT64_C(0x01280E54E8A553CA) }, - { UINT64_C(0x036493BB1C1962CE), UINT64_C(0x0361F9CAD30DAC24), - UINT64_C(0x023856E058F7248C), UINT64_C(0x01EBC4CE9BBA1951), - UINT64_C(0x00FE14205169D78D), UINT64_C(0x01237D85837C8C98), - UINT64_C(0x017C4E2A95E40B90), UINT64_C(0x004E446F2E2C7819), - UINT64_C(0x0007FA80EDA9F2C8) } }, - { { UINT64_C(0x009A65815D2BF9A7), UINT64_C(0x027CB047E8DF8668), - UINT64_C(0x0391C32A60456677), UINT64_C(0x01CBC26A69AB3F09), - UINT64_C(0x0334D4D8DE25229B), UINT64_C(0x0383C0FA69B0DD79), - UINT64_C(0x01D206CDCC54B9E2), UINT64_C(0x02E51DE738338588), - UINT64_C(0x006112D5229EA977) }, - { UINT64_C(0x03CE85BEE20C30CB), UINT64_C(0x02FEBC02D12BC9D5), - UINT64_C(0x02AEDC3A968E7052), UINT64_C(0x02090B846E5AD878), - UINT64_C(0x00E4B6AEE2DDC2E3), UINT64_C(0x00269BE91139208A), - UINT64_C(0x02FEA688006D25C9), UINT64_C(0x002F5EFACF2F785D), - UINT64_C(0x009FE82D05CAC96A) } }, - { { UINT64_C(0x02EE8F69AB2E6D92), UINT64_C(0x0213F64F73B9A354), - UINT64_C(0x000A9DDA2E925D3C), UINT64_C(0x0192E31297313B4F), - UINT64_C(0x02B3145C4DD947AF), UINT64_C(0x03401B39394615DA), - UINT64_C(0x01C98D9DFBE6AE7D), UINT64_C(0x02BB8069EC7A7746), - UINT64_C(0x00A8BDC9CF002A7B) }, - { UINT64_C(0x00A3BF702EB71C5F), UINT64_C(0x00A25EDAE6446CE2), - UINT64_C(0x00108D65D5F288B8), UINT64_C(0x02FF972C1494ABED), - UINT64_C(0x0398342A5B4A102C), UINT64_C(0x00CD83A6E3855FF3), - UINT64_C(0x02D6848441981C93), UINT64_C(0x0335A209E0E8D9AA), - UINT64_C(0x01ED6F04D42258A5) } }, - { { UINT64_C(0x01FC3B47C1490429), UINT64_C(0x01B9A21B27B6F4B1), - UINT64_C(0x0193FF421EE32901), UINT64_C(0x03CC9F551147E445), - UINT64_C(0x01773B6B14BB7010), UINT64_C(0x005040A2326FD6EA), - UINT64_C(0x01949206C0BB7211), UINT64_C(0x02643DEA7E3C37CC), - UINT64_C(0x01725F6694BF623F) }, - { UINT64_C(0x014D9BD8587CA374), UINT64_C(0x020B8D6C1F3C983C), - UINT64_C(0x0395B0E3A7CCCE2F), UINT64_C(0x0071FCA214298293), - UINT64_C(0x038CF96F2462B942), UINT64_C(0x00DD1C97E2E6BCA4), - UINT64_C(0x00DEC4ACF114C9D6), UINT64_C(0x005DCE68C5288587), - UINT64_C(0x017B1DC591DEA2A9) } }, - { { UINT64_C(0x01A03D95A3ACF0F9), UINT64_C(0x0123031B8850C86B), - UINT64_C(0x0269AB94408A086E), UINT64_C(0x0181DEF245438334), - UINT64_C(0x00AB4F62CC0E7BA5), UINT64_C(0x0294A03CC0C2A98D), - UINT64_C(0x02234FBFCCAA23F6), UINT64_C(0x0304B9AF501D1961), - UINT64_C(0x0037258E9F9B8667) }, - { UINT64_C(0x0344657939436D81), UINT64_C(0x010709812083B7CE), - UINT64_C(0x00DBCA5B5A81714D), UINT64_C(0x00396E25D33E3896), - UINT64_C(0x00C0A65FA9547A23), UINT64_C(0x03F6796EDC3F72D8), - UINT64_C(0x022AA55EA0053589), UINT64_C(0x031E838C917FDA1B), - UINT64_C(0x014AF707C515D93F) } }, - { { UINT64_C(0x00E48C0436C8D427), UINT64_C(0x02A85992128BD380), - UINT64_C(0x03861C4538E26A42), UINT64_C(0x027A6E7784D042DB), - UINT64_C(0x0129555575E66B0A), UINT64_C(0x017362D6E2713125), - UINT64_C(0x00A08F82306ED961), UINT64_C(0x007FCDDA0F78CBC0), - UINT64_C(0x010F4598B67DA097) }, - { UINT64_C(0x03448C05AD400463), UINT64_C(0x03CB26D3975CCFCD), - UINT64_C(0x0067B9FD99A88F1D), UINT64_C(0x001F257A56DADDC1), - UINT64_C(0x03AEAFB6384BA84C), UINT64_C(0x0010C9301FE7F887), - UINT64_C(0x03D65C213A46C68C), UINT64_C(0x029BB4A1F8A5E81E), - UINT64_C(0x00C1838AFD6E3F39) } }, - { { UINT64_C(0x03CE07505924C15F), UINT64_C(0x0043A08ED31A1B99), - UINT64_C(0x0339C4C25E8B8B88), UINT64_C(0x0380DFF73DEBF4DA), - UINT64_C(0x031FBA11E366BE60), UINT64_C(0x001D2B7C0FA8BD42), - UINT64_C(0x009DE3ACE8B8A24D), UINT64_C(0x02B5F07FB5B5BD4F), - UINT64_C(0x018247CA534C6F7F) }, - { UINT64_C(0x01E0A02B3DBEEE78), UINT64_C(0x001E200666AB15CD), - UINT64_C(0x0186BEA684E8C48E), UINT64_C(0x00F3F1894CDB68E0), - UINT64_C(0x032ECC59DF1BBB85), UINT64_C(0x02D06C53B9B53209), - UINT64_C(0x004A86739B90C8A8), UINT64_C(0x03AD8A97D98C89BC), - UINT64_C(0x00F01344204A1E2F) } }, - { { UINT64_C(0x03582A68690F8C80), UINT64_C(0x012E151E3D7485DA), - UINT64_C(0x02527AD70F6AC0B4), UINT64_C(0x018B935CB107A3CD), - UINT64_C(0x036AA37D7A7E3625), UINT64_C(0x034CFB229578C67F), - UINT64_C(0x00A3FBC7740B7E16), UINT64_C(0x03D0C73BF6F5756D), - UINT64_C(0x009FFA51FEAC33FA) }, - { UINT64_C(0x0208A8D791982847), UINT64_C(0x03EDDBD997642B6C), - UINT64_C(0x025D551977914C26), UINT64_C(0x02DD352759CA1376), - UINT64_C(0x00654090371E1000), UINT64_C(0x004AC720BEC03C34), - UINT64_C(0x03C06BE7F6C95884), UINT64_C(0x01FA475777DF0765), - UINT64_C(0x00A99275E15E46C7) } }, - { { UINT64_C(0x016A50E0A643409F), UINT64_C(0x0122617180184D38), - UINT64_C(0x0105E92945AC97AB), UINT64_C(0x01A1B865FE31BAD8), - UINT64_C(0x033E0DC143E2D46B), UINT64_C(0x03DD157DF58A1946), - UINT64_C(0x02DF8E8C2EC7FB6D), UINT64_C(0x00E031916AFF1478), - UINT64_C(0x017A7BE92C9A8A1C) }, - { UINT64_C(0x02063F9B1AF2F29D), UINT64_C(0x0275AF845DF62346), - UINT64_C(0x010016B05B22BD9F), UINT64_C(0x03772DD9DE8A3F70), - UINT64_C(0x011B489BE6C04500), UINT64_C(0x0122DEDE177B839E), - UINT64_C(0x008B9ED1DBF81860), UINT64_C(0x00CDA67D0D8CEDC1), - UINT64_C(0x01984030C18BF083) } }, - { { UINT64_C(0x02791762137B93A2), UINT64_C(0x01F9DE3C5491E823), - UINT64_C(0x01E50243877F23E4), UINT64_C(0x0144F0B0081F37BC), - UINT64_C(0x00D7A781DD6DE5E2), UINT64_C(0x036A5EFE959E26D1), - UINT64_C(0x03A51922038AEEA2), UINT64_C(0x0054D452C10BD4F0), - UINT64_C(0x01B8A51151884AEF) }, - { UINT64_C(0x0241D85F77A00331), UINT64_C(0x023528AF19A313C4), - UINT64_C(0x0176DFC98292A79E), UINT64_C(0x03AADEBB4F7B06B1), - UINT64_C(0x00DAB141E4CE727F), UINT64_C(0x0388E18953348B42), - UINT64_C(0x03FD5A751265E468), UINT64_C(0x024673750B3DB1AB), - UINT64_C(0x00E57DD5F1A23923) } }, - { { UINT64_C(0x019D69A891328CE4), UINT64_C(0x008F01053E7A765C), - UINT64_C(0x030B5EE16F612292), UINT64_C(0x020A99C1AB590289), - UINT64_C(0x01D62D438BE82D64), UINT64_C(0x037D8D3250B87A70), - UINT64_C(0x03ACF90A3316DB71), UINT64_C(0x011F2D638816284F), - UINT64_C(0x000D63B1CF94E578) }, - { UINT64_C(0x026288694B620A88), UINT64_C(0x01D7EC9688B643F5), - UINT64_C(0x0329AC344C36F494), UINT64_C(0x01F7C91E725E18A1), - UINT64_C(0x02FEB98C58EA0341), UINT64_C(0x00A508DDA6BF1EC5), - UINT64_C(0x00733B2463BD7A85), UINT64_C(0x0384EBC8AB299B36), - UINT64_C(0x00074909BD45312A) } }, - { { UINT64_C(0x03E08C2C5C95FF29), UINT64_C(0x00C670644C808211), - UINT64_C(0x012D8021671FE338), UINT64_C(0x039F033363AA44CD), - UINT64_C(0x0337E7DB83662796), UINT64_C(0x03DDF327E2706223), - UINT64_C(0x005FBC050700CAFA), UINT64_C(0x020FC3C9D5CBB556), - UINT64_C(0x0105E1BC0BF33DC4) }, - { UINT64_C(0x03F3D06894519732), UINT64_C(0x029248D001BE65FE), - UINT64_C(0x011EC77A8F1A11E3), UINT64_C(0x0365A31B2279F38F), - UINT64_C(0x014E2577747A12CD), UINT64_C(0x0160E01F73DAA243), - UINT64_C(0x01E3B9CC567EDCCC), UINT64_C(0x03E1B7F6A7B42960), - UINT64_C(0x01809B863B2F3F5A) } }, - }, - { - { { UINT64_C(0x0373B24CDED2EB86), UINT64_C(0x02402CCFAA26116F), - UINT64_C(0x005073857CDB6102), UINT64_C(0x01AE6F89575C7623), - UINT64_C(0x022FF653B3A939A7), UINT64_C(0x0190B7CB0A3545D4), - UINT64_C(0x02353B26D8170467), UINT64_C(0x003C64522D17855F), - UINT64_C(0x01E5D565F776B34F) }, - { UINT64_C(0x025185A2C4B5DE1E), UINT64_C(0x02B3AFFAB7E382B2), - UINT64_C(0x0194B86479736527), UINT64_C(0x026B4BE5E81594AE), - UINT64_C(0x01D6960578E25220), UINT64_C(0x00993E60F26C1FF2), - UINT64_C(0x019B938479BA949D), UINT64_C(0x01FCA32034CAD7A3), - UINT64_C(0x017759280D580A6A) } }, - { { UINT64_C(0x02346AE90C2CA70B), UINT64_C(0x013757CC55F070F5), - UINT64_C(0x017E107D86CA7681), UINT64_C(0x005AD490EBA565E0), - UINT64_C(0x02C9C614514CB60C), UINT64_C(0x03BEAF2AC475AF2B), - UINT64_C(0x008C591B4CE3CC44), UINT64_C(0x014A9DDFA491CE57), - UINT64_C(0x001268735793A719) }, - { UINT64_C(0x007F97B31426994D), UINT64_C(0x01A96DF191B418F1), - UINT64_C(0x027DF055755518F4), UINT64_C(0x025DAAC2254C5D3C), - UINT64_C(0x0262D34E340FC2C3), UINT64_C(0x01F14824C8F72557), - UINT64_C(0x02A4819301BACB9F), UINT64_C(0x0268E03E6BEAB510), - UINT64_C(0x00EA805018D6E199) } }, - { { UINT64_C(0x00FEA5E6ABEE1F7B), UINT64_C(0x00538DB9B2D8E2D4), - UINT64_C(0x0305BA64218318A0), UINT64_C(0x022BD39A67AA3F20), - UINT64_C(0x01157632723B17F9), UINT64_C(0x00C8DAAF646E78C9), - UINT64_C(0x0158EFBD367A27CD), UINT64_C(0x011375E95CB4F12F), - UINT64_C(0x005E40D5A4D44054) }, - { UINT64_C(0x0297475C1D71A4FA), UINT64_C(0x03C1DABD876A7908), - UINT64_C(0x0038CB20D99CAE76), UINT64_C(0x03D63A3A005959E9), - UINT64_C(0x02AF78B93B764B6F), UINT64_C(0x0109A0342CFC2D30), - UINT64_C(0x01C301BEC294E434), UINT64_C(0x01972384DAD5FD67), - UINT64_C(0x01C3F5C9DF46F8D3) } }, - { { UINT64_C(0x03C115A0432574BE), UINT64_C(0x01495DBDA1F302E5), - UINT64_C(0x010568069CC94673), UINT64_C(0x000A2EEAB0E37751), - UINT64_C(0x033EE9D566902CC4), UINT64_C(0x006B34AFED584340), - UINT64_C(0x02B50803E9B165A1), UINT64_C(0x03E38D1CBBEC3EC2), - UINT64_C(0x0023CF19CC14F82C) }, - { UINT64_C(0x01CCAAFE462EC0F0), UINT64_C(0x02E714845D028EE6), - UINT64_C(0x02DCB47FF5021595), UINT64_C(0x030908AA9B079880), - UINT64_C(0x00371B5A69854385), UINT64_C(0x0185FE540E9AE9FF), - UINT64_C(0x02EE86F4F1A83CE4), UINT64_C(0x03AB730574E67F57), - UINT64_C(0x01F85953DB252C4B) } }, - { { UINT64_C(0x02EC254BFD8CB3CC), UINT64_C(0x01DFEE8DE5F7858B), - UINT64_C(0x019C8AD2711F9096), UINT64_C(0x00B1E57CC4C26707), - UINT64_C(0x03511BB53983E402), UINT64_C(0x02A4019CDD626E9F), - UINT64_C(0x03BA2E0AC5C44D84), UINT64_C(0x00A965FE7663AD49), - UINT64_C(0x01739420DA2DD7E5) }, - { UINT64_C(0x001E59C7B82FB619), UINT64_C(0x007B29CCEEF8AD83), - UINT64_C(0x02907C71BFFAE931), UINT64_C(0x003F110EC15CB5CF), - UINT64_C(0x02A76ECA58531793), UINT64_C(0x02D8D0EB5EA2FA03), - UINT64_C(0x0302231943B524FC), UINT64_C(0x01EBC24F8F0A0C29), - UINT64_C(0x019802CBF5F3CE73) } }, - { { UINT64_C(0x01852168BF26ECDA), UINT64_C(0x03BA5FFA1597B73C), - UINT64_C(0x00E55E47A88BF735), UINT64_C(0x03EF5511C575EFAA), - UINT64_C(0x03BEAAED274CB2F4), UINT64_C(0x01A2B7AEE5E82012), - UINT64_C(0x00161524928CEDED), UINT64_C(0x0243FB8CEB1DB1ED), - UINT64_C(0x00A939AAE7662875) }, - { UINT64_C(0x035FC996431E0BB4), UINT64_C(0x03871F05A029588C), - UINT64_C(0x024685D44F302D5A), UINT64_C(0x03D65DBBB0A24C64), - UINT64_C(0x031CCDBD89C13824), UINT64_C(0x03EEC80794841ADF), - UINT64_C(0x02BDD19433E827DB), UINT64_C(0x025D0DEF338BCA12), - UINT64_C(0x019DD1E057A3957F) } }, - { { UINT64_C(0x028221686CEBC7BE), UINT64_C(0x00550CAC829C5C56), - UINT64_C(0x024473DA711003E5), UINT64_C(0x01D2D356A63016BD), - UINT64_C(0x016B5C937B93F5AA), UINT64_C(0x016BA509AE911631), - UINT64_C(0x03BB387F2983AA08), UINT64_C(0x0087050F624145D1), - UINT64_C(0x00430D39E6B578E6) }, - { UINT64_C(0x02E690EFE2E3859D), UINT64_C(0x021D189217E0C7B9), - UINT64_C(0x03BC89797B1B794C), UINT64_C(0x01D6B16B566AB9D7), - UINT64_C(0x02935CEB8993E4D1), UINT64_C(0x03C0BF4C7D6967AE), - UINT64_C(0x00EA7B0862929371), UINT64_C(0x014624F22194B5D9), - UINT64_C(0x00D68221B3478C47) } }, - { { UINT64_C(0x03BEC558C2EB8133), UINT64_C(0x031106A5F911659D), - UINT64_C(0x00D07C39AEFB3CBE), UINT64_C(0x02F06E730A651F25), - UINT64_C(0x0183C527F019A937), UINT64_C(0x0153E778C8608775), - UINT64_C(0x0214C61DB43A7203), UINT64_C(0x00CD284ED5892F97), - UINT64_C(0x0198EB083CFD5B2B) }, - { UINT64_C(0x0393B136D6835A15), UINT64_C(0x03ED1013491B6647), - UINT64_C(0x00702068040A8E55), UINT64_C(0x0136DD3C55BF5BE4), - UINT64_C(0x03D053D6F8B28F3A), UINT64_C(0x00FAF9585D310B40), - UINT64_C(0x002690874B88A2A9), UINT64_C(0x02651384F1D8C181), - UINT64_C(0x00E5D3BFA7EC53DE) } }, - { { UINT64_C(0x033F039A91D85118), UINT64_C(0x03A170E9A74E89EC), - UINT64_C(0x03EBE8F17E2B4C68), UINT64_C(0x032E08DD52962FFF), - UINT64_C(0x01F682C887362E38), UINT64_C(0x02848A835A72A2EE), - UINT64_C(0x00AFA36F7A88966F), UINT64_C(0x02D505E8ED473B2D), - UINT64_C(0x007B6EF0E4DAA123) }, - { UINT64_C(0x03F322E8CD472029), UINT64_C(0x009B31F349123C63), - UINT64_C(0x024396A463AE29B2), UINT64_C(0x035A559411C8D9B7), - UINT64_C(0x0302AAF84FEF53A7), UINT64_C(0x00322717487DC79C), - UINT64_C(0x02CA6AE27A92266C), UINT64_C(0x03E6B6580391B525), - UINT64_C(0x00647CC677EE4353) } }, - { { UINT64_C(0x0015F4FB3CE12393), UINT64_C(0x013D9CD65B87D1CA), - UINT64_C(0x03ED1458BDACF05A), UINT64_C(0x011BC2A44D7A03F7), - UINT64_C(0x00D1E2748EE247CF), UINT64_C(0x025C05134193D6D7), - UINT64_C(0x03D8D4701057B20F), UINT64_C(0x03CD86409D914C19), - UINT64_C(0x0123EE9725146150) }, - { UINT64_C(0x03B85772CCE5DBF5), UINT64_C(0x024E60E34E33C627), - UINT64_C(0x00CEB58FBCFD7F20), UINT64_C(0x0213A9AF85D15B81), - UINT64_C(0x00879FD075FE76EA), UINT64_C(0x01883D1962AC7DA6), - UINT64_C(0x0041CDD770D92E82), UINT64_C(0x024CF83E19940701), - UINT64_C(0x0001A7D69F562E49) } }, - { { UINT64_C(0x03F06D3661D1EEDB), UINT64_C(0x01062600B09B6B3E), - UINT64_C(0x01A0A640D07EFC7A), UINT64_C(0x0317F67E20F296A1), - UINT64_C(0x034843017C701C3C), UINT64_C(0x033891152A103E33), - UINT64_C(0x01C00AE12BC93968), UINT64_C(0x0280A3403412AA1F), - UINT64_C(0x0111DA6A8E2C4EE1) }, - { UINT64_C(0x0138BBADC5A4238D), UINT64_C(0x02BB1A5504498DAF), - UINT64_C(0x03D55FD7A02F99F7), UINT64_C(0x030B36D2716AAE98), - UINT64_C(0x00846799916170BE), UINT64_C(0x021843A1130EBD86), - UINT64_C(0x01602A0048ED7277), UINT64_C(0x010F628883F5C170), - UINT64_C(0x00A879F20138FE97) } }, - { { UINT64_C(0x010B697E6BB71E17), UINT64_C(0x00A5FF1EE44F8A1A), - UINT64_C(0x02F0A65F0594ADDF), UINT64_C(0x01B97DFF3B989E00), - UINT64_C(0x02EBB1D34E1BC0B6), UINT64_C(0x0318AB0F908D45CA), - UINT64_C(0x006D84E0ECA51F49), UINT64_C(0x022CBEFDFAF29F0C), - UINT64_C(0x019FF3250EDA2D48) }, - { UINT64_C(0x0247BD9A1791633D), UINT64_C(0x001017CA6D44DB39), - UINT64_C(0x001392DBCF3C08AE), UINT64_C(0x00BBFD8C9245DBED), - UINT64_C(0x03C6094D363A2A9B), UINT64_C(0x0026C46C1B980722), - UINT64_C(0x014C00915831C495), UINT64_C(0x03480A51EA642A61), - UINT64_C(0x018A2CD0EE26C545) } }, - { { UINT64_C(0x00179F4F97812A25), UINT64_C(0x02A5E9E3F33BC581), - UINT64_C(0x000BD5248493D239), UINT64_C(0x02B7DE8E94D0B6E5), - UINT64_C(0x01D8674B49C2359A), UINT64_C(0x020163E368BE3C3B), - UINT64_C(0x0332717F9505C7C1), UINT64_C(0x035A143000B7EC9C), - UINT64_C(0x00C999A3E0BCCAF1) }, - { UINT64_C(0x007B047729EF75E3), UINT64_C(0x02CC12EE110A5B9B), - UINT64_C(0x0330E2E6286E55F0), UINT64_C(0x00C6FC4CB1CD5C12), - UINT64_C(0x014B93EA65F0CCE4), UINT64_C(0x01E5A20D3788D937), - UINT64_C(0x039AB1AC6BF17BFB), UINT64_C(0x0397FE82B1886D3A), - UINT64_C(0x000C112A21CE8FCD) } }, - { { UINT64_C(0x02B7C1C48CF8D334), UINT64_C(0x0078EAF1E0B9AA5A), - UINT64_C(0x0397B9A209EF9EF0), UINT64_C(0x001CFFAFD847B222), - UINT64_C(0x0321A14F818F0142), UINT64_C(0x0214D3F98F9D0ED8), - UINT64_C(0x011305B71C04D0D3), UINT64_C(0x03DE98EACA808006), - UINT64_C(0x01360AA21413198A) }, - { UINT64_C(0x028D3F07FD51E170), UINT64_C(0x023F03474306CBA2), - UINT64_C(0x034205D496752F99), UINT64_C(0x02D4BC03F380060F), - UINT64_C(0x01E2CE3EBF008299), UINT64_C(0x03EE2B7C9CF44A54), - UINT64_C(0x022CB7C6BCE06379), UINT64_C(0x03934E9100F4AD3F), - UINT64_C(0x001B8D6D7EA30D7F) } }, - { { UINT64_C(0x0175E6F14594D02E), UINT64_C(0x0107CFBBB666C104), - UINT64_C(0x0043C920F3FC7184), UINT64_C(0x01D3F596321DF679), - UINT64_C(0x034FBFA8E62660AC), UINT64_C(0x02F07B7B2F64B7D6), - UINT64_C(0x020B7A4B1CB30890), UINT64_C(0x0027370AF3A01ACE), - UINT64_C(0x004C3DF94ED57F1B) }, - { UINT64_C(0x02F7E28D420891BB), UINT64_C(0x00A165AF3355D551), - UINT64_C(0x03E2077F4C7840E2), UINT64_C(0x010A42F1F956CFC2), - UINT64_C(0x01586FF6FC545309), UINT64_C(0x00E2A2E3F8A44D6A), - UINT64_C(0x01BCD7CFAB0CD9EA), UINT64_C(0x02CD7B5AA257EF8B), - UINT64_C(0x01E161EB6461E56F) } }, - { { UINT64_C(0x03AA1E440B1B7656), UINT64_C(0x02DB3F4D449DEBD4), - UINT64_C(0x025617A010F1A335), UINT64_C(0x010C03757E20D72C), - UINT64_C(0x01EA95F9EFACD59B), UINT64_C(0x0126D8DDDE17B239), - UINT64_C(0x02DBF2D291F6AEC7), UINT64_C(0x02F6100FC8834353), - UINT64_C(0x00C18C83BB58FB77) }, - { UINT64_C(0x03754C15A7EEE80E), UINT64_C(0x00247AB9412690FE), - UINT64_C(0x016E9C7BD742F5DF), UINT64_C(0x02361FAE95827D75), - UINT64_C(0x029E41CC30EA15A1), UINT64_C(0x005F53D5863CB83F), - UINT64_C(0x0025C9FC701A2B9B), UINT64_C(0x0389C7702E9DAFBA), - UINT64_C(0x00ED3C35310B5895) } }, - }, - { - { { UINT64_C(0x0373C85A8201C48B), UINT64_C(0x000BE293272BB8C3), - UINT64_C(0x0299641D84048EF5), UINT64_C(0x012EE83CEE0A37DD), - UINT64_C(0x00D6A81ED893F8A3), UINT64_C(0x01988A5103EE9A5B), - UINT64_C(0x01495F90BE6C8319), UINT64_C(0x00954437A6A3C821), - UINT64_C(0x010E12D843E6580B) }, - { UINT64_C(0x007820FBE51DE678), UINT64_C(0x013364C5E0C684D4), - UINT64_C(0x009D1721196C2E40), UINT64_C(0x01933769A5FD2063), - UINT64_C(0x00BAB8B58BEFA01A), UINT64_C(0x012866F6B7334CBC), - UINT64_C(0x025340A51AC6E1FB), UINT64_C(0x03B1135009A4FD38), - UINT64_C(0x018AD6567590AFBB) } }, - { { UINT64_C(0x03F7CC1DCD9C3B89), UINT64_C(0x03F2238DF027BB54), - UINT64_C(0x014C7FD4BA95DD01), UINT64_C(0x01DBD8CC489F6AB6), - UINT64_C(0x03A6066BFEA7BAB5), UINT64_C(0x0065E8AD52465D5E), - UINT64_C(0x03E8F9DA8D525106), UINT64_C(0x001A6869F0B37603), - UINT64_C(0x016D47A0587C292E) }, - { UINT64_C(0x0374FC0618A5170B), UINT64_C(0x0152FB1A3C0C1CC0), - UINT64_C(0x01710A373C6A380E), UINT64_C(0x00845789535E37A3), - UINT64_C(0x035D0DA356C25D05), UINT64_C(0x00C2670CA5FED688), - UINT64_C(0x010367DAE1D930AA), UINT64_C(0x0109B528D8B5E2DD), - UINT64_C(0x0160EAA2FD7C6C7E) } }, - { { UINT64_C(0x02EB058989126FAC), UINT64_C(0x03391866A50E5BF0), - UINT64_C(0x0249D99C7ECCC796), UINT64_C(0x031F124A928D03B2), - UINT64_C(0x0106FA952E20ED57), UINT64_C(0x001BC6E7D0224A59), - UINT64_C(0x00CE05E4690915C9), UINT64_C(0x020A90266CA1AD52), - UINT64_C(0x0094293617B76FE5) }, - { UINT64_C(0x034B04313831CD9D), UINT64_C(0x03B7732D91E90928), - UINT64_C(0x014A1E82A9C3D51E), UINT64_C(0x02AEC53126F32DDD), - UINT64_C(0x028AC8F7A359BD6C), UINT64_C(0x01B3A0EDE3DB4B4B), - UINT64_C(0x028EB875F2FBF434), UINT64_C(0x01AE764FB3A07035), - UINT64_C(0x006701271A1304D0) } }, - { { UINT64_C(0x0015B0C258BC45E5), UINT64_C(0x00500CF779654876), - UINT64_C(0x00D61185031EC91A), UINT64_C(0x0237D26B8AB4ABC0), - UINT64_C(0x0303DB5DD0B1113F), UINT64_C(0x02C21386988E1A69), - UINT64_C(0x002A78FA27F52A38), UINT64_C(0x02373FFEB8A111FB), - UINT64_C(0x01ED316A4A837D78) }, - { UINT64_C(0x02151FA30AE71753), UINT64_C(0x018559984522D236), - UINT64_C(0x02AA1CED8D6E9D2C), UINT64_C(0x0336B3277D457875), - UINT64_C(0x01FEB5FD684C784F), UINT64_C(0x0312F506AD5C57EB), - UINT64_C(0x026506BE8AA4F453), UINT64_C(0x0334630A573CB20E), - UINT64_C(0x00AA6EBCFBE68959) } }, - { { UINT64_C(0x0339D37CD0D9229F), UINT64_C(0x0170E57961291D98), - UINT64_C(0x029AE28566E91600), UINT64_C(0x02402C0C57E9B401), - UINT64_C(0x01EC520A49429756), UINT64_C(0x02A2CF079E7747FF), - UINT64_C(0x03751BAC838751C0), UINT64_C(0x021ED034A3B7C53C), - UINT64_C(0x0118500D09678BBC) }, - { UINT64_C(0x007E207E14E4C072), UINT64_C(0x039277F4D05B1F1F), - UINT64_C(0x02A052EAB5B31E63), UINT64_C(0x02B6A467E3451DEA), - UINT64_C(0x001613AC11B73C00), UINT64_C(0x00C5A6FA0FE24B0C), - UINT64_C(0x034F01404D69886A), UINT64_C(0x00324E28B3CA9FD4), - UINT64_C(0x005A3181E5A8A0B8) } }, - { { UINT64_C(0x02CE6BA9219403A6), UINT64_C(0x030DFB5CBE0CA405), - UINT64_C(0x039D700EFB6B4704), UINT64_C(0x0365CAD8F9D06BE7), - UINT64_C(0x00FE6873B0456CD8), UINT64_C(0x0090EC1026095A01), - UINT64_C(0x016F3A2CC5EC6B62), UINT64_C(0x001AD035AE2286FC), - UINT64_C(0x018819632B44D890) }, - { UINT64_C(0x039574FA6B48EFBA), UINT64_C(0x029D9BE545F8EFA2), - UINT64_C(0x00F42C7789B73AA2), UINT64_C(0x03CB90D731504D3E), - UINT64_C(0x0202ACD7E2DE6E8A), UINT64_C(0x02C8AD45BF6E2A24), - UINT64_C(0x0067A40E7FC99B4D), UINT64_C(0x03E0738CFADACE29), - UINT64_C(0x01177C98831102AA) } }, - { { UINT64_C(0x030A8610AC5E165D), UINT64_C(0x014AA32172C55EC2), - UINT64_C(0x027CE551CABE6211), UINT64_C(0x02477F69861DB6E6), - UINT64_C(0x01E8FF337E7E36EC), UINT64_C(0x0054ACDF3E1C9EF7), - UINT64_C(0x03DED626009E6F01), UINT64_C(0x02E49BFEF7555C32), - UINT64_C(0x002E4F1C3DB00152) }, - { UINT64_C(0x0332D8B606C8A9BC), UINT64_C(0x03AD929E6D810A1A), - UINT64_C(0x02C0030394592734), UINT64_C(0x02442FE9824BDA03), - UINT64_C(0x03CBAC9513FF99FB), UINT64_C(0x03B3D4E910EDA5AD), - UINT64_C(0x005A6F83029FFE7F), UINT64_C(0x02F6FF8D9E1F29A6), - UINT64_C(0x0188A1C08A99132D) } }, - { { UINT64_C(0x001F1A68F391B195), UINT64_C(0x00F016D21D573BA5), - UINT64_C(0x00EB4A4B11B13F56), UINT64_C(0x0390443801100BE8), - UINT64_C(0x00CDF1786689F09F), UINT64_C(0x008708E6F68D807B), - UINT64_C(0x00CFC70B63E2B318), UINT64_C(0x02DA65CABECA51A9), - UINT64_C(0x01BB4CC16417876B) }, - { UINT64_C(0x002270E155C4416F), UINT64_C(0x0275E82A3EE6287C), - UINT64_C(0x019550DEBAE641A6), UINT64_C(0x0189E9D792313D48), - UINT64_C(0x022E11801B0D93FC), UINT64_C(0x006308C9DD555E4E), - UINT64_C(0x02F9EBC6E275E976), UINT64_C(0x00011D5E55FC63C6), - UINT64_C(0x01D3E16AA048085F) } }, - { { UINT64_C(0x01C6845EE45C5FF5), UINT64_C(0x03B6D8ADC4E97112), - UINT64_C(0x0068C305E2731ED0), UINT64_C(0x037AFCABEDF2C8B5), - UINT64_C(0x016C0203DF9F154E), UINT64_C(0x03FF6DCCA97B1A6C), - UINT64_C(0x019D691BB5C8CD06), UINT64_C(0x022C5EA48F6FE25F), - UINT64_C(0x00553B7F4065FABA) }, - { UINT64_C(0x006009B918BF712A), UINT64_C(0x0087FAC6655FF7A7), - UINT64_C(0x039DB19E2FDB3477), UINT64_C(0x014389D0D15C2072), - UINT64_C(0x02B3AB48E4A3E0DF), UINT64_C(0x00D55CD68B325E8D), - UINT64_C(0x020332F2B62898A4), UINT64_C(0x019DB12158F6D4D6), - UINT64_C(0x010E1F4D65633E42) } }, - { { UINT64_C(0x035FDBF97A66FBB8), UINT64_C(0x0397FDA15F48E249), - UINT64_C(0x0314912B73A0AD12), UINT64_C(0x018B5A1F5856CC06), - UINT64_C(0x026DB1F90C057E46), UINT64_C(0x02BC203FE8141974), - UINT64_C(0x032698D0DBE8152C), UINT64_C(0x01BC802ED9745CEA), - UINT64_C(0x00B1E80CFCF35D14) }, - { UINT64_C(0x026A4890175570A1), UINT64_C(0x03DEFA508892558E), - UINT64_C(0x00D274862CB6E1EF), UINT64_C(0x02F12D3DF3D2916D), - UINT64_C(0x01D9AF2100AA8841), UINT64_C(0x024123BB5E94517B), - UINT64_C(0x00CEA1686B604BBF), UINT64_C(0x007E9A1A2F8E072B), - UINT64_C(0x012919949C3170DE) } }, - { { UINT64_C(0x028CFBD7509B3F23), UINT64_C(0x0341392CF0D37CE2), - UINT64_C(0x03BB3B849E04FCBA), UINT64_C(0x004BCCA7E7C71C3F), - UINT64_C(0x007EAF927839C8E2), UINT64_C(0x0061602F3DAFE11E), - UINT64_C(0x01D0F1831E9A3AE7), UINT64_C(0x032630A59BC245BA), - UINT64_C(0x00C9122EE0775F54) }, - { UINT64_C(0x027706840C226E2C), UINT64_C(0x021FC974C3A78386), - UINT64_C(0x0254E3803EE94792), UINT64_C(0x02763098FB07712F), - UINT64_C(0x03085BE39396F8D2), UINT64_C(0x039CDBB83C0DCAE5), - UINT64_C(0x0275170CD909C685), UINT64_C(0x02A48EFA2F7CBD9D), - UINT64_C(0x0151800A47F18A8F) } }, - { { UINT64_C(0x0266B421EDA35EBF), UINT64_C(0x016EE661AEE22D67), - UINT64_C(0x02189CC63A33934C), UINT64_C(0x02035BBEEF2E6505), - UINT64_C(0x03A21BDAB12827FF), UINT64_C(0x010837E5E86E37F7), - UINT64_C(0x000889F4FF18C641), UINT64_C(0x00B83D668CF5F701), - UINT64_C(0x00A90A0E4C84A45C) }, - { UINT64_C(0x014A9DB7546020F0), UINT64_C(0x026B8123F183E007), - UINT64_C(0x014172F8A29A74BC), UINT64_C(0x03ECB113DDF05CC6), - UINT64_C(0x0056019B554AE591), UINT64_C(0x01C3E5A8AC670B45), - UINT64_C(0x0328112932236FCD), UINT64_C(0x0147D09F4CAD8D13), - UINT64_C(0x007CA80EB751C2E8) } }, - { { UINT64_C(0x03260C3CA6A09384), UINT64_C(0x01A2DAEF9F24A534), - UINT64_C(0x01FA415780AE38B6), UINT64_C(0x02FE728B02BEADE2), - UINT64_C(0x031F71486AA63A4A), UINT64_C(0x021F907074346F6D), - UINT64_C(0x00225A4DA564511F), UINT64_C(0x02CC4C97BC497C99), - UINT64_C(0x01C2DD5CCD878296) }, - { UINT64_C(0x03CD4A619B2264B8), UINT64_C(0x03093FC7F1583EA2), - UINT64_C(0x02B47AD7D9A2FB6F), UINT64_C(0x00C0D0B440BCA2A9), - UINT64_C(0x00B22B3DB051C447), UINT64_C(0x01CEC4D502303875), - UINT64_C(0x0340F66A4D33C79A), UINT64_C(0x00C02F44477E4379), - UINT64_C(0x01A54038DE4CD448) } }, - { { UINT64_C(0x036F26FDD184B415), UINT64_C(0x0077144A843CA00F), - UINT64_C(0x012DE3D50936A2A0), UINT64_C(0x00F1A915BEF669FD), - UINT64_C(0x02A728B908D36285), UINT64_C(0x023009A8F3585930), - UINT64_C(0x01AFE37F5F6903E6), UINT64_C(0x015BE42AC69043A0), - UINT64_C(0x0029A3961324FE67) }, - { UINT64_C(0x03744629EA87B468), UINT64_C(0x01B1B421D820F115), - UINT64_C(0x009DEF11D39EF564), UINT64_C(0x002A1D3B4419573F), - UINT64_C(0x00558617DEFBD955), UINT64_C(0x03E4BE19D9F46F14), - UINT64_C(0x012A38F1BF3ED4C3), UINT64_C(0x00B5C5CD4AC51A53), - UINT64_C(0x00A0E10EBF360168) } }, - { { UINT64_C(0x011616DEF784F95B), UINT64_C(0x02677312C6AD8D2D), - UINT64_C(0x03F3EF6B22617C90), UINT64_C(0x029E26932332F57D), - UINT64_C(0x0285AE820DE6D58A), UINT64_C(0x014C9337216D597B), - UINT64_C(0x00A6F170854E55AF), UINT64_C(0x010EA56E5DFB91ED), - UINT64_C(0x012F8DBABA868C11) }, - { UINT64_C(0x015249FC91DCCF70), UINT64_C(0x0306C5CB46C7DD02), - UINT64_C(0x021954201045F6CB), UINT64_C(0x00E2B058688BC602), - UINT64_C(0x002D5DDCF79B78E3), UINT64_C(0x03AF429058EAD023), - UINT64_C(0x016A3FA5F7DB5234), UINT64_C(0x01EAFE34B82E4D26), - UINT64_C(0x0095115BD2F5AE74) } }, - { { UINT64_C(0x01C1741308F9B528), UINT64_C(0x011456D2FA27C256), - UINT64_C(0x029EE8BA38AC33BC), UINT64_C(0x0162AD2DF7E46CB7), - UINT64_C(0x01239C1DD2198564), UINT64_C(0x00D634D586B52D14), - UINT64_C(0x00362033A3D5AE2B), UINT64_C(0x00F403720300250C), - UINT64_C(0x0134664850978D32) }, - { UINT64_C(0x032ECC2C4837554E), UINT64_C(0x008F4BC077701F7F), - UINT64_C(0x002D0F7435107071), UINT64_C(0x015A21A6D90E61B2), - UINT64_C(0x03E1B78AD2E928DC), UINT64_C(0x02A2214D7306E1AF), - UINT64_C(0x01C4FCA92A1694C1), UINT64_C(0x00656FBD23561E1B), - UINT64_C(0x013FF3454072CB98) } }, - }, - { - { { UINT64_C(0x003C182D851368EE), UINT64_C(0x0128CF55F2467CB0), - UINT64_C(0x00767E333ACE3BB9), UINT64_C(0x011F65D379FE73C3), - UINT64_C(0x038B18FA5C037C7D), UINT64_C(0x01B3CD7DFA5B80B3), - UINT64_C(0x0086C596F1A3E912), UINT64_C(0x00A8AD1EBFF700CD), - UINT64_C(0x00E12C370BFEEC8C) }, - { UINT64_C(0x00E5DE2C18A3F84B), UINT64_C(0x02D9CB8AB50B28B7), - UINT64_C(0x01D7EDD0731B2C4B), UINT64_C(0x0328A026B1FAD960), - UINT64_C(0x02189B0FF8B6CA46), UINT64_C(0x03FD18C777A3B6E8), - UINT64_C(0x0004BCBA72EE3E81), UINT64_C(0x0214C7D12A3F1BC4), - UINT64_C(0x01CA103DD1B9C887) } }, - { { UINT64_C(0x00A781D5DE024391), UINT64_C(0x01D4AC6B9AA04C66), - UINT64_C(0x0298088919924A4E), UINT64_C(0x02295F237B9E2B5F), - UINT64_C(0x0228FA8EA8570017), UINT64_C(0x01AE7F1814C6B59C), - UINT64_C(0x008FF64625C08899), UINT64_C(0x002A626C4EECF6A1), - UINT64_C(0x0118A9AD8CEFC12E) }, - { UINT64_C(0x014B05DA9E9AB68C), UINT64_C(0x036EDCE530984903), - UINT64_C(0x03147DF5F527C318), UINT64_C(0x0196BC1DED347CDD), - UINT64_C(0x01BB4AC96E14A591), UINT64_C(0x03C4F3EDF23B9460), - UINT64_C(0x03547D14C90381B8), UINT64_C(0x03693FA10D27208C), - UINT64_C(0x003B75AA5EA458F7) } }, - { { UINT64_C(0x02779CC419496A3E), UINT64_C(0x01D3BB2E4FE62409), - UINT64_C(0x032F4C70FCAE21C4), UINT64_C(0x013310DA0ECE14A3), - UINT64_C(0x03F3B3593FC9DDBB), UINT64_C(0x0051822EF8CFB99D), - UINT64_C(0x012D89EA3AE1C997), UINT64_C(0x00D12E2856922EAE), - UINT64_C(0x00E81549D787C4C8) }, - { UINT64_C(0x02337896D4B88B67), UINT64_C(0x00A59FC2D1584FBE), - UINT64_C(0x02FAA1ED2840EB09), UINT64_C(0x02061203F2AA6499), - UINT64_C(0x03BF834C1997385E), UINT64_C(0x02274588F3F24162), - UINT64_C(0x001CC1FD4A622D5A), UINT64_C(0x0044FEAA4FA76E84), - UINT64_C(0x00B3619A1E813DA3) } }, - { { UINT64_C(0x0276BEE0D076683D), UINT64_C(0x030210C875AFAF69), - UINT64_C(0x0011EDC7657E64F0), UINT64_C(0x02488D3166D94F20), - UINT64_C(0x011EA313A85E0E01), UINT64_C(0x032E12BF7FFAF1B4), - UINT64_C(0x00327C5A8CCEF85B), UINT64_C(0x0252EF23E4C30C4E), - UINT64_C(0x01CC6A9EB749B839) }, - { UINT64_C(0x02B00795BB99594F), UINT64_C(0x01F383BC6F8BE7AA), - UINT64_C(0x00760524F18BF5F2), UINT64_C(0x013AA36073E7DDA9), - UINT64_C(0x025A0A5A67DE0097), UINT64_C(0x01A61B644AB9486A), - UINT64_C(0x0313B98AABF5EA94), UINT64_C(0x003BB89B65E51F0D), - UINT64_C(0x01776B040E0F32AB) } }, - { { UINT64_C(0x01721BA5B2662A6A), UINT64_C(0x0215447AF117F66C), - UINT64_C(0x03DB83ECC5D3D99A), UINT64_C(0x0215A6C6CE2794E3), - UINT64_C(0x010BE3489ECF31F8), UINT64_C(0x012B3FA3634CDEF2), - UINT64_C(0x017C1F03CDFBCD8A), UINT64_C(0x02EE6A91A626677E), - UINT64_C(0x003FF1568F6BE74E) }, - { UINT64_C(0x01995519CD76A58E), UINT64_C(0x02DC3A3040585EF5), - UINT64_C(0x0061DDCAE3A68494), UINT64_C(0x025E1A1EF3C2AAA5), - UINT64_C(0x00CA54B0D55B6CE8), UINT64_C(0x00543A97F9E4CC22), - UINT64_C(0x01F7F09EDEFF8BFA), UINT64_C(0x00168473D37DD44E), - UINT64_C(0x00FE410E086ACD40) } }, - { { UINT64_C(0x006AF7630DA09D54), UINT64_C(0x010ABA844C57F2B5), - UINT64_C(0x03C9AC1832567F47), UINT64_C(0x00B3CFD3C603E8BB), - UINT64_C(0x01A04969EEACA1C9), UINT64_C(0x02E57B7E17E4591D), - UINT64_C(0x03E68AB3619DA17B), UINT64_C(0x00ECCA930F030279), - UINT64_C(0x01B2C98B4036BF1D) }, - { UINT64_C(0x0077C78B045007F6), UINT64_C(0x03CCE2791A0C0815), - UINT64_C(0x01688DB89F24D07A), UINT64_C(0x0017DBDDD43EAD41), - UINT64_C(0x033A80BF740D6693), UINT64_C(0x02F768ED65974242), - UINT64_C(0x026B74A3E2B11EFF), UINT64_C(0x023E110BE2C45B38), - UINT64_C(0x00B98CD56F7AB2CD) } }, - { { UINT64_C(0x0383E5A50FB0D3ED), UINT64_C(0x034513587B8AB555), - UINT64_C(0x03B1C6783B97BD45), UINT64_C(0x0062B781B344D4E1), - UINT64_C(0x00FD5DFB5083FED9), UINT64_C(0x00CF4B880197BC29), - UINT64_C(0x02084C42BE014183), UINT64_C(0x01C81317B056C149), - UINT64_C(0x016318E131F69642) }, - { UINT64_C(0x019B4B41240FA002), UINT64_C(0x0312BAA4E914151E), - UINT64_C(0x0180907D9FACF5B0), UINT64_C(0x007774B33895C1D0), - UINT64_C(0x017E17EBCCA7FA72), UINT64_C(0x030812EEB0BC890A), - UINT64_C(0x02294B1CB2912B73), UINT64_C(0x03835B7F1FA5A17D), - UINT64_C(0x001712AC45AB3EC9) } }, - { { UINT64_C(0x006603D4F696BA83), UINT64_C(0x00D22CAFE710B52F), - UINT64_C(0x00A86019255DD155), UINT64_C(0x03D9E86EE758D999), - UINT64_C(0x024051D5CE463A6D), UINT64_C(0x02906D0203D86E6E), - UINT64_C(0x02B53E1EA3B77733), UINT64_C(0x01298EBA501720C6), - UINT64_C(0x00A49AB3D5669F64) }, - { UINT64_C(0x00C3477F5E8C01EF), UINT64_C(0x02CFF8B3EED1F46C), - UINT64_C(0x02588DBF2A1259EE), UINT64_C(0x01BC0AE8F9969F27), - UINT64_C(0x0284232123DA5F9F), UINT64_C(0x03E79C894325C436), - UINT64_C(0x00FE809311DA7F3B), UINT64_C(0x0102255D12EBA535), - UINT64_C(0x01F50E25AE34114E) } }, - { { UINT64_C(0x0277D803646C1FB6), UINT64_C(0x02488A5E5052BBB1), - UINT64_C(0x000391356EAC8F11), UINT64_C(0x01646437C00A834F), - UINT64_C(0x02EAB8F940B93B40), UINT64_C(0x024958DF1C74ED20), - UINT64_C(0x03F2F1AF37BD1D73), UINT64_C(0x011FE3F5381F17F4), - UINT64_C(0x00EF826DAE390184) }, - { UINT64_C(0x00D2D6B4BA78B572), UINT64_C(0x0073D6C96322203E), - UINT64_C(0x018C7B2E976AA1E5), UINT64_C(0x026E3F6920E5F016), - UINT64_C(0x01E846537687AFF5), UINT64_C(0x017563948203FD81), - UINT64_C(0x019F1D17DABC8810), UINT64_C(0x00F8ED530C4E3A67), - UINT64_C(0x0196F10721B62324) } }, - { { UINT64_C(0x032F87D12878503F), UINT64_C(0x03648B98DC48ECC8), - UINT64_C(0x0184FD4C8EF53242), UINT64_C(0x01333846A9EEDB04), - UINT64_C(0x02C1DF317872BBBF), UINT64_C(0x002D6E1FAF12E7FB), - UINT64_C(0x039480C808CCDA38), UINT64_C(0x02845D8F6413B928), - UINT64_C(0x01979462C493957E) }, - { UINT64_C(0x02E38CCA2947A480), UINT64_C(0x00298B225770DDF9), - UINT64_C(0x02859B366A105BC5), UINT64_C(0x00C80C32E8803179), - UINT64_C(0x01DEC1627A49675D), UINT64_C(0x018FD7B10ED2384C), - UINT64_C(0x00CE729C9A700811), UINT64_C(0x00B9251157C6408C), - UINT64_C(0x00D18FB5EDB29090) } }, - { { UINT64_C(0x0019C27F1002FA40), UINT64_C(0x0187B6686A1976EA), - UINT64_C(0x03089E6ABFDCA1BA), UINT64_C(0x01E3A9276DAB6A31), - UINT64_C(0x01010381B56E1374), UINT64_C(0x02059C3444CA22AD), - UINT64_C(0x0340D48C52418852), UINT64_C(0x001C397FEACAD014), - UINT64_C(0x00A9B91476DE1E3B) }, - { UINT64_C(0x01B18811D2203C97), UINT64_C(0x006802C3244A5143), - UINT64_C(0x034CC7484B00B0C2), UINT64_C(0x02D138E88D39FE0E), - UINT64_C(0x00035A355C8D48A2), UINT64_C(0x01257073943DE7F1), - UINT64_C(0x003B2AA49BD592AC), UINT64_C(0x03D7C1DBA4418663), - UINT64_C(0x01A24E3A67DAF410) } }, - { { UINT64_C(0x02B819FA06A8409F), UINT64_C(0x004A52ACCE9D798F), - UINT64_C(0x0342BCE5E942F51F), UINT64_C(0x01499CF92BE85899), - UINT64_C(0x03ACD69B9655760D), UINT64_C(0x020F4E9A7813F0D0), - UINT64_C(0x03880853D5E05E02), UINT64_C(0x02B0666045F612A7), - UINT64_C(0x00302D53FFFEEF1D) }, - { UINT64_C(0x025294489593BC03), UINT64_C(0x013D42D26192AAEB), - UINT64_C(0x010D09630D5F95E5), UINT64_C(0x02152684A6D53F7C), - UINT64_C(0x022DD5DAD7C7B4A8), UINT64_C(0x02966500C48498D3), - UINT64_C(0x03D763E4EB3C2E33), UINT64_C(0x027FAC6AFEDC5F61), - UINT64_C(0x0074EA2C83E52FE7) } }, - { { UINT64_C(0x01DB9F78868172DA), UINT64_C(0x0100A5C0A0C25D2E), - UINT64_C(0x023587D7C3E66CE7), UINT64_C(0x0234D19B042FCCD7), - UINT64_C(0x0059721B0F60680E), UINT64_C(0x03A0B2DF23AB3A42), - UINT64_C(0x0177AFB700329CAC), UINT64_C(0x03D5A5CFAF392AE7), - UINT64_C(0x00CF59BC96ECDBA2) }, - { UINT64_C(0x03CE38933BF1C993), UINT64_C(0x0388C35CC45F89F5), - UINT64_C(0x039286D1ED3DB46C), UINT64_C(0x0061947308D0F830), - UINT64_C(0x0307100E3F7C9C8E), UINT64_C(0x00967048E8CC7CC9), - UINT64_C(0x03CAD0590370F457), UINT64_C(0x0110D9420ECE3996), - UINT64_C(0x009955E94586B830) } }, - { { UINT64_C(0x03B6822745F0E5DA), UINT64_C(0x03120B5D07E9C6A5), - UINT64_C(0x01F88B173B2A0839), UINT64_C(0x0245CA639869EE96), - UINT64_C(0x0199F585B26F8120), UINT64_C(0x01D2153C5D41B782), - UINT64_C(0x009EAD730F2E3B2D), UINT64_C(0x007E27FEF3F3388E), - UINT64_C(0x01DD0BBF32960B2B) }, - { UINT64_C(0x0298F45E5931C0F0), UINT64_C(0x012A6F48D3898EAD), - UINT64_C(0x01EFD537B310CFED), UINT64_C(0x030390CD48666C4B), - UINT64_C(0x01DCF41DD16073BB), UINT64_C(0x035CF923EABD525A), - UINT64_C(0x00DDF48F41B47311), UINT64_C(0x0316E0000BFFF7E2), - UINT64_C(0x003C6A0632821286) } }, - { { UINT64_C(0x006FA434852228CC), UINT64_C(0x03EE279533E093C6), - UINT64_C(0x03C215EE36B974E7), UINT64_C(0x02FA330552481892), - UINT64_C(0x01ABFC67F3C2F700), UINT64_C(0x000945F47832719D), - UINT64_C(0x01BA378921E29D68), UINT64_C(0x0364936B83B66609), - UINT64_C(0x0137B7B2011DE260) }, - { UINT64_C(0x00A7EBAC8BA1E090), UINT64_C(0x0343E15BB9BADFCE), - UINT64_C(0x01C5AFA1059527D8), UINT64_C(0x039CE94C694D78AB), - UINT64_C(0x020EE7FF8C758AFB), UINT64_C(0x03859CF409F61041), - UINT64_C(0x033F2682BABD9F38), UINT64_C(0x0344ED7AA22D40CE), - UINT64_C(0x00C59BE4543774E1) } }, - { { UINT64_C(0x01B5777A8F1CAC2C), UINT64_C(0x001A1BB0AB5E6822), - UINT64_C(0x011BC043646DAF27), UINT64_C(0x03F711C68F6A2900), - UINT64_C(0x001C279115DF5830), UINT64_C(0x017D6649CFD4D909), - UINT64_C(0x02270B8E48C4FC60), UINT64_C(0x01D402B5FB5683E0), - UINT64_C(0x001F8DB87807BBF7) }, - { UINT64_C(0x00C9DAC0A9244F78), UINT64_C(0x02B03A3698AE7AB0), - UINT64_C(0x02CCF3FF50BC045B), UINT64_C(0x03BCD2148E821FFF), - UINT64_C(0x035E87616BD7E71C), UINT64_C(0x034B54F4034B6093), - UINT64_C(0x02C5BEA4BCD01770), UINT64_C(0x0219F4B5BD513DB4), - UINT64_C(0x01DF5AC58C13B575) } }, - }, - { - { { UINT64_C(0x019885D110E10587), UINT64_C(0x0225E6982614E90C), - UINT64_C(0x03FE389B08EF52DA), UINT64_C(0x02986A5F6773FA41), - UINT64_C(0x02D7E3FB92A3A338), UINT64_C(0x02804DB8E96B46A6), - UINT64_C(0x02ED29A77A3BFC07), UINT64_C(0x021EDA658D1622A9), - UINT64_C(0x00DC41F148BEEF47) }, - { UINT64_C(0x00671195EBF698BD), UINT64_C(0x02DA5978A5D3B8AE), - UINT64_C(0x0067084C20702323), UINT64_C(0x01BAE92F07B45047), - UINT64_C(0x01EECFF9A6840B39), UINT64_C(0x00B5A0A6F615E949), - UINT64_C(0x02CE02C0AFAD4F4D), UINT64_C(0x02CCCE13BD8C56FD), - UINT64_C(0x001BC38FE857CCC6) } }, - { { UINT64_C(0x00081356B6965640), UINT64_C(0x006CE26431E83C07), - UINT64_C(0x01BA4874007EE7A0), UINT64_C(0x02537377BE8BDCBF), - UINT64_C(0x0248DB2FA66BD85D), UINT64_C(0x028C676B603EF79F), - UINT64_C(0x011FB7160B2BE1C4), UINT64_C(0x02E60E65885FEFB9), - UINT64_C(0x012B85F1B13BE0ED) }, - { UINT64_C(0x0353AA14ECFB1D0D), UINT64_C(0x01FF0DDD82885F37), - UINT64_C(0x0331E99B56FBDDD7), UINT64_C(0x03AEB28F8419966F), - UINT64_C(0x021F907EA8D0F042), UINT64_C(0x013BD7D21430856E), - UINT64_C(0x0386870C6BB892CA), UINT64_C(0x03E04B0EFADCEFFA), - UINT64_C(0x007C04B740BD4123) } }, - { { UINT64_C(0x0003B2CD3E0BF039), UINT64_C(0x00C735DA6B8581E9), - UINT64_C(0x0012D9341E1131F3), UINT64_C(0x03D2B2BBE7116022), - UINT64_C(0x00A056CCF73BDC37), UINT64_C(0x027C9AA3BBBDE400), - UINT64_C(0x02165FF6E36E8907), UINT64_C(0x0139C88969C85A96), - UINT64_C(0x00C7B0F49EEA4A8D) }, - { UINT64_C(0x01F03CD678EAF6EB), UINT64_C(0x01BF3F1E8FBD78DF), - UINT64_C(0x00857FD3BFA434E9), UINT64_C(0x008641B0E586D15E), - UINT64_C(0x021227FC18AF0795), UINT64_C(0x022F892EEA381B7A), - UINT64_C(0x00B3FA1F0F06E680), UINT64_C(0x01EAB02BC55C4EE1), - UINT64_C(0x01116BB9BA45D30F) } }, - { { UINT64_C(0x03B557A9EDCBF5E2), UINT64_C(0x00B1DFD3ECC7A54C), - UINT64_C(0x02DCE258E5A7E8D4), UINT64_C(0x00CA7703C434FC01), - UINT64_C(0x038801282507AB56), UINT64_C(0x025FD9FA5A9E7C74), - UINT64_C(0x0084D0CBBC9F71D9), UINT64_C(0x00D621CCEBB93EC1), - UINT64_C(0x007E0D7D26AF06B2) }, - { UINT64_C(0x02584763447D2B4B), UINT64_C(0x00E02402AF814CEB), - UINT64_C(0x01A0946A66DEBE3C), UINT64_C(0x025BDCD462246772), - UINT64_C(0x032E9062B0C5E215), UINT64_C(0x037BCF49D9FBECDC), - UINT64_C(0x001F56138C539278), UINT64_C(0x000AEA3CABF951BB), - UINT64_C(0x007AA80F0C621590) } }, - { { UINT64_C(0x00B8EEBBBD959BD9), UINT64_C(0x001BE3997D083340), - UINT64_C(0x01B3F063154C5C54), UINT64_C(0x0258C476F7A9A983), - UINT64_C(0x0042A485E75D36E5), UINT64_C(0x034928BB28AF526A), - UINT64_C(0x01BA009661FE033D), UINT64_C(0x039E10035E2FEDA5), - UINT64_C(0x01AFFCC1198129AF) }, - { UINT64_C(0x030AD5348384E611), UINT64_C(0x01579499B7C9277C), - UINT64_C(0x01969EE33931346F), UINT64_C(0x025C5C1EBDB572DA), - UINT64_C(0x033A65D217266A39), UINT64_C(0x026F0D4AD6360EAB), - UINT64_C(0x037599346289BDA2), UINT64_C(0x0092404E9E02CE9C), - UINT64_C(0x01D0C694EC0434A7) } }, - { { UINT64_C(0x0099723AA10FBD04), UINT64_C(0x03F7E7474E4B9E21), - UINT64_C(0x03ECBDF12C367638), UINT64_C(0x009B6D83C1B5EFBE), - UINT64_C(0x03E6CE2FC3522A5D), UINT64_C(0x0083A6DEF388FDCF), - UINT64_C(0x0001D8542F4EA36B), UINT64_C(0x035D032BD68C8381), - UINT64_C(0x0131DF4BF7A79938) }, - { UINT64_C(0x008A14C7B9493BE8), UINT64_C(0x0273BD54452391FF), - UINT64_C(0x035758B804AAD2E8), UINT64_C(0x0218D8B66AABA8CD), - UINT64_C(0x0013BC5120CE58B7), UINT64_C(0x027C6BF5C3CF36BB), - UINT64_C(0x0325B4A1E773C0D4), UINT64_C(0x01C2F7A449EA2D3B), - UINT64_C(0x01C6E6D30CAF29F6) } }, - { { UINT64_C(0x0321B0EB2DAA2FB7), UINT64_C(0x001AF441996ABD26), - UINT64_C(0x0075B82E9704E625), UINT64_C(0x00FD42C4DDFBEF6D), - UINT64_C(0x0199707C61408809), UINT64_C(0x017F62CF54E5FBA8), - UINT64_C(0x03E8914D3356B6E7), UINT64_C(0x010B415870E01C17), - UINT64_C(0x01B8D0304825F773) }, - { UINT64_C(0x01AA92433FDAA949), UINT64_C(0x01186BD47A9D105F), - UINT64_C(0x03D995A63573F12F), UINT64_C(0x032129C097A55B0D), - UINT64_C(0x01817B31A05D6C77), UINT64_C(0x03D1CAF9B4BCAF81), - UINT64_C(0x01524CCC3B01B281), UINT64_C(0x0296DAA6FDAA7E18), - UINT64_C(0x002F1DC74BE29F0C) } }, - { { UINT64_C(0x02171F9BDC8D6167), UINT64_C(0x03D306F736B287BD), - UINT64_C(0x021943224F5B91BE), UINT64_C(0x02B6BA63BB681A7A), - UINT64_C(0x003527F99B16E603), UINT64_C(0x00CC933DC7095468), - UINT64_C(0x0265D81677BFCEEF), UINT64_C(0x028AA225CE78ABEA), - UINT64_C(0x00837C63F321EE01) }, - { UINT64_C(0x00A4B775684BF04E), UINT64_C(0x00AB33042AB3CA3F), - UINT64_C(0x019796F5B70DA12B), UINT64_C(0x00CD06B6726983AD), - UINT64_C(0x002698B98D097375), UINT64_C(0x03BB3A2632FF6007), - UINT64_C(0x00B02BB6915F2608), UINT64_C(0x0267E64CB1F79BA2), - UINT64_C(0x01DAB183858DB0F4) } }, - { { UINT64_C(0x01D545A21757C756), UINT64_C(0x001D934F1E31FF52), - UINT64_C(0x023B0285CE4B1861), UINT64_C(0x031354B83A06220D), - UINT64_C(0x017177FFE06AFE14), UINT64_C(0x019E6D07584A960E), - UINT64_C(0x0119B9405A4BEA49), UINT64_C(0x019D70486EC70531), - UINT64_C(0x00D7844A95DDF521) }, - { UINT64_C(0x02045C5C7288CF7B), UINT64_C(0x00677CB68405B1B1), - UINT64_C(0x01845055E3EA0793), UINT64_C(0x035EFB9C55059FBD), - UINT64_C(0x038843F3AF91E7EA), UINT64_C(0x00822747CA170235), - UINT64_C(0x037B132A90F3A94C), UINT64_C(0x00526CF439B472A8), - UINT64_C(0x00132F18D93B62FB) } }, - { { UINT64_C(0x01D84FC9D0CF69E7), UINT64_C(0x006503AA38D2A5EE), - UINT64_C(0x03A94DFC118DD98F), UINT64_C(0x03B7F19AE7F392FF), - UINT64_C(0x007287A7DC1849A3), UINT64_C(0x00067A7B188F6CE5), - UINT64_C(0x02A347BDE0D7D087), UINT64_C(0x0268E88CC6AAFE02), - UINT64_C(0x010F44A365B11B99) }, - { UINT64_C(0x018F73AC92AE7427), UINT64_C(0x0371CC00B812BB06), - UINT64_C(0x0093D3088101FF62), UINT64_C(0x00C8613B7544141B), - UINT64_C(0x01AF7C6201945AC7), UINT64_C(0x030C7CA555FE097F), - UINT64_C(0x025B2E6EDA00AB31), UINT64_C(0x0214A3B6A76443D0), - UINT64_C(0x0040A360259C7CDD) } }, - { { UINT64_C(0x006047E27F3DE4D2), UINT64_C(0x01FC4A47DA6A0A53), - UINT64_C(0x015A543BD0BC352A), UINT64_C(0x014AACDA98A2B65E), - UINT64_C(0x036FE6BD165C71A3), UINT64_C(0x02DF772BAC823A1F), - UINT64_C(0x00416598B2CD1443), UINT64_C(0x032CA3B1D0CAEDD0), - UINT64_C(0x0032FB284CCCEF17) }, - { UINT64_C(0x006DC83E96A2607F), UINT64_C(0x013B7280B80B6341), - UINT64_C(0x004551B88CA47813), UINT64_C(0x01849A56EE6AB37F), - UINT64_C(0x00C3074BC3D0074A), UINT64_C(0x0049915404661EF6), - UINT64_C(0x017F0B8543807006), UINT64_C(0x01235802E0AA61E9), - UINT64_C(0x016866C456C5454B) } }, - { { UINT64_C(0x0397A466381DC2A6), UINT64_C(0x00CD4D54FE413A43), - UINT64_C(0x0320035D8FD47311), UINT64_C(0x03FEF7B90109A77E), - UINT64_C(0x01FF2C161A6CFCBA), UINT64_C(0x014089BF152955D6), - UINT64_C(0x00595A7ADB79909F), UINT64_C(0x02E10BC4FB022F89), - UINT64_C(0x012739D14BF39AB2) }, - { UINT64_C(0x03045804E123BA29), UINT64_C(0x037196AFA31BDBE1), - UINT64_C(0x01A3BADADE7D8795), UINT64_C(0x005FE72D3736F1F7), - UINT64_C(0x00B261A79C9F5DAE), UINT64_C(0x00CC055F3C4A27EA), - UINT64_C(0x018DD7C9E5958FC2), UINT64_C(0x0096748344CCC75E), - UINT64_C(0x0065ADD88400A218) } }, - { { UINT64_C(0x033557744356B52C), UINT64_C(0x03DD368D0EA0209F), - UINT64_C(0x02EA630FD3CCDE4D), UINT64_C(0x037A07B902382B40), - UINT64_C(0x000B7AF2CF41C092), UINT64_C(0x0221D85556DCC533), - UINT64_C(0x03C92114F14EA6E1), UINT64_C(0x006813B827858B16), - UINT64_C(0x011933B0203B754D) }, - { UINT64_C(0x03A2396D5A659158), UINT64_C(0x0350A8E07708486E), - UINT64_C(0x0306EEBAE2B49C8B), UINT64_C(0x00EC9E65F76A5B29), - UINT64_C(0x03CECDD7F9A47F6A), UINT64_C(0x024DB8B97AA04533), - UINT64_C(0x028D089D2C8EBEAE), UINT64_C(0x01959F5D1CB2E7ED), - UINT64_C(0x0024A23BD4403D34) } }, - { { UINT64_C(0x038B31C4EED9CDF5), UINT64_C(0x0185AFF2C98A930A), - UINT64_C(0x0245E4B7D7DD3E7E), UINT64_C(0x00232AA32609076B), - UINT64_C(0x023F2A9E6F982A24), UINT64_C(0x03087A8E3FF2F39E), - UINT64_C(0x02F6CA050121ACCC), UINT64_C(0x03568930B3D90B8C), - UINT64_C(0x01C922F3A5335B36) }, - { UINT64_C(0x032AD6EEE92B1FE6), UINT64_C(0x02FC436D7BD6B2C7), - UINT64_C(0x023EDD35035286A3), UINT64_C(0x003D77B6144EB9BC), - UINT64_C(0x0304C9A105C2BAEE), UINT64_C(0x01ADB987C7CA786C), - UINT64_C(0x0132676ADD1D742E), UINT64_C(0x02A9E9CB749E88B9), - UINT64_C(0x00A99A53E3A5AC0A) } }, - { { UINT64_C(0x03639306E80DE633), UINT64_C(0x01AB767B97949EED), - UINT64_C(0x006F4BAA789B6820), UINT64_C(0x039D5F497550BD7A), - UINT64_C(0x00B4B2B380BC772D), UINT64_C(0x03022AD28F3A1DD0), - UINT64_C(0x0017950F61ACF7EB), UINT64_C(0x019CAC6E06DC1B93), - UINT64_C(0x008470E16670F97A) }, - { UINT64_C(0x03C11D39EE5D0D74), UINT64_C(0x01C090F08CC26FEC), - UINT64_C(0x0006AD970C46C574), UINT64_C(0x015907C555DF013E), - UINT64_C(0x0070AB35D20A91F0), UINT64_C(0x00C0481F822220A4), - UINT64_C(0x03A92E8B413E83FE), UINT64_C(0x00C3982C5F8D922E), - UINT64_C(0x017CB1B97D4ED7B4) } }, - { { UINT64_C(0x0057D40664DA7708), UINT64_C(0x00D1DC31FC3ED514), - UINT64_C(0x01C1C72DE7D6ECFF), UINT64_C(0x00DAEABFA1F9C5DE), - UINT64_C(0x0027EE8200E32455), UINT64_C(0x00F2A2064D51F4F3), - UINT64_C(0x0087C336FD335B37), UINT64_C(0x0350C7F9A0D4FC4D), - UINT64_C(0x01D53465439099CD) }, - { UINT64_C(0x01B27DD4E9031706), UINT64_C(0x0197F1275CBBB42C), - UINT64_C(0x015ABB1962BC7CE5), UINT64_C(0x015AEBA4FCC2D21C), - UINT64_C(0x01DB34AC91849D8B), UINT64_C(0x02168D50E8D52313), - UINT64_C(0x024C7BCFFA60FB49), UINT64_C(0x00653790EC4A5122), - UINT64_C(0x0021ECA115250E74) } }, - }, - { - { { UINT64_C(0x01017ED5F1C86157), UINT64_C(0x01C5FACEAAF3291A), - UINT64_C(0x01980E57AC2978AD), UINT64_C(0x012E4C78C1EF8537), - UINT64_C(0x019080B37DC2F0DA), UINT64_C(0x0104D379379FF55E), - UINT64_C(0x0019CF345BF6F641), UINT64_C(0x01CE7973781C9EB0), - UINT64_C(0x00E6B4E5C2E7863E) }, - { UINT64_C(0x014E085628E15F36), UINT64_C(0x03113ED189D82402), - UINT64_C(0x0198521CB21CCF92), UINT64_C(0x03CB794E55F64866), - UINT64_C(0x01B6C417EBCEDCD4), UINT64_C(0x001D79C7600B1BE5), - UINT64_C(0x02EC6810EA41A2B6), UINT64_C(0x0083606535BEC6E7), - UINT64_C(0x01CA8E7CD41F2E03) } }, - { { UINT64_C(0x01BA87BAF1C9C2EC), UINT64_C(0x00D55499AAADC0DE), - UINT64_C(0x019712C990B590E5), UINT64_C(0x00384B1ACA78C747), - UINT64_C(0x03563BCAB01E0B5D), UINT64_C(0x0190C274005354FF), - UINT64_C(0x00B9D6C425986F2F), UINT64_C(0x038E491D7F2754C6), - UINT64_C(0x01B202739C50FF59) }, - { UINT64_C(0x03F58DFC16F1CACC), UINT64_C(0x00EE939AC23381A2), - UINT64_C(0x020399FE184301C9), UINT64_C(0x0351F7998C95E6D7), - UINT64_C(0x03713D0FEFC9F67B), UINT64_C(0x02651504977BC9CC), - UINT64_C(0x039962831BD8B37B), UINT64_C(0x03398A2CADA7CFCE), - UINT64_C(0x00D4F08A7E5A3118) } }, - { { UINT64_C(0x03C9826425A2D6F0), UINT64_C(0x00ECC054CD119CA9), - UINT64_C(0x00C8AF9373A85F21), UINT64_C(0x03167F72CB478C61), - UINT64_C(0x01CE9F2616361F7A), UINT64_C(0x03FB08CCEB9E536B), - UINT64_C(0x0319FD98C00E9131), UINT64_C(0x0010725A47005067), - UINT64_C(0x01D7C9A8F84C990D) }, - { UINT64_C(0x029CA261BAF35FA1), UINT64_C(0x0220865C1BFEF071), - UINT64_C(0x0115DF412660A5A4), UINT64_C(0x02257646F5EF524C), - UINT64_C(0x019648D3BF5907D4), UINT64_C(0x03B8287D6BB4E923), - UINT64_C(0x00C1831BA518EF96), UINT64_C(0x01147F1EC444000D), - UINT64_C(0x001BEB2743E8CF72) } }, - { { UINT64_C(0x017385BC9719C87C), UINT64_C(0x038E9A8AC23E84A0), - UINT64_C(0x03B86FA4168B29E6), UINT64_C(0x0259140D286A2701), - UINT64_C(0x0248D5F9426712B4), UINT64_C(0x01E876B4EE205101), - UINT64_C(0x016F0D598FB30248), UINT64_C(0x020D4EEE450E3327), - UINT64_C(0x0075F0EB2FEC4E8C) }, - { UINT64_C(0x02999066B392D834), UINT64_C(0x03A4F34FCBCA75D9), - UINT64_C(0x029F3E28ABFA2CC4), UINT64_C(0x0207E1A7B58B1513), - UINT64_C(0x036C4EE93B0C1C40), UINT64_C(0x038D0C53869B6127), - UINT64_C(0x02203321AF3FCDF2), UINT64_C(0x0016E986CD98C912), - UINT64_C(0x019AB5DBF8618B76) } }, - { { UINT64_C(0x02775F5E811FA55B), UINT64_C(0x002FF97CDF8F7EDE), - UINT64_C(0x00AA05F646486F8F), UINT64_C(0x0357ABB8FF5CB222), - UINT64_C(0x0047A8176117A59D), UINT64_C(0x01ED8538F6CBC1A6), - UINT64_C(0x0209FE9034A7F53F), UINT64_C(0x0364120EC4B9D3CF), - UINT64_C(0x019B67A37C660EDC) }, - { UINT64_C(0x0038B0D828C7A5B7), UINT64_C(0x015D9C74EAC7C806), - UINT64_C(0x0118152AAA9222B5), UINT64_C(0x01B83339A6AA2783), - UINT64_C(0x01993B4601A314EF), UINT64_C(0x0325A7A416B3D288), - UINT64_C(0x019D7FD16DD01F3A), UINT64_C(0x021D190386BFFC60), - UINT64_C(0x011CF2C0B0E2A983) } }, - { { UINT64_C(0x00D7DE7D18D8BE36), UINT64_C(0x02F0734BAAC04BF5), - UINT64_C(0x0048BB9E44C3F40B), UINT64_C(0x035994B7094672F1), - UINT64_C(0x02BD0CFD78BD4138), UINT64_C(0x0015A28B8F06A61A), - UINT64_C(0x014D5DF2A7F95274), UINT64_C(0x028141F42EAB92B1), - UINT64_C(0x00B25EF25C149754) }, - { UINT64_C(0x0057378C324BFA00), UINT64_C(0x001F4C62175258AF), - UINT64_C(0x03153B4FD5FCA3E4), UINT64_C(0x000682DC5C05BE3E), - UINT64_C(0x0330954DA1D1973A), UINT64_C(0x01BC1D711118932D), - UINT64_C(0x0168D97A2A9692FD), UINT64_C(0x012BBEB288330777), - UINT64_C(0x00E133BE00A38BE4) } }, - { { UINT64_C(0x03F431A945F8022D), UINT64_C(0x01CDF8AABB4F5212), - UINT64_C(0x02CC1D637215E00A), UINT64_C(0x03D36BA40B447ED7), - UINT64_C(0x02513AB7E6956FDD), UINT64_C(0x008D5E83EDDB9727), - UINT64_C(0x01B75785B4FDC3C7), UINT64_C(0x01EAB35E8B3CAE24), - UINT64_C(0x01339E1C87AA8ECC) }, - { UINT64_C(0x02D325A33450FD39), UINT64_C(0x00322202FEDA09D5), - UINT64_C(0x024827340C12DF41), UINT64_C(0x01E66CCCF20D3B06), - UINT64_C(0x02001372B74C978F), UINT64_C(0x012C696C6F55CD58), - UINT64_C(0x02D10F2EED8A9308), UINT64_C(0x02688747F53110D6), - UINT64_C(0x0188C13D0F26D624) } }, - { { UINT64_C(0x0239E7FBF9FFF942), UINT64_C(0x024391DE07C9C0A8), - UINT64_C(0x03BB90544685654F), UINT64_C(0x010453EE881DA06B), - UINT64_C(0x02D2A672E21ACDCD), UINT64_C(0x0047CF596F209D90), - UINT64_C(0x0321D4C73047EE1B), UINT64_C(0x008011F4FFA1ADC5), - UINT64_C(0x0051B7DD6F083F62) }, - { UINT64_C(0x00B4E0D173BF30CF), UINT64_C(0x0142CF0DBD8DD71C), - UINT64_C(0x02FE7953062D3E36), UINT64_C(0x02A5AB5A7D6604A9), - UINT64_C(0x03CC08A13AACC423), UINT64_C(0x024662C655FF1A2F), - UINT64_C(0x0179D6E29B6B1FCA), UINT64_C(0x03C8D9EF4E5B76E6), - UINT64_C(0x00CD341C315CEB11) } }, - { { UINT64_C(0x00CC4030AC8B2AF6), UINT64_C(0x016D6A39FA7E9D4C), - UINT64_C(0x0392D441BAE14C3A), UINT64_C(0x038840FEA9B7D65B), - UINT64_C(0x02398CE4933605AF), UINT64_C(0x022CD8745AC294D0), - UINT64_C(0x00B8391D34172B85), UINT64_C(0x035C1A0D5C360EA4), - UINT64_C(0x00B2CE02EA54ADC4) }, - { UINT64_C(0x004B32E432779E4D), UINT64_C(0x0396A43E6B80B056), - UINT64_C(0x035AEFC64CE26A3C), UINT64_C(0x01E9181F393D3B2C), - UINT64_C(0x0224B7B616D6F2A9), UINT64_C(0x0127AF2D0AF23C91), - UINT64_C(0x000AD7965D20EADA), UINT64_C(0x0379FD4481124D87), - UINT64_C(0x01BB6F3DFED6FF8E) } }, - { { UINT64_C(0x001E54056209B80C), UINT64_C(0x01535B3A19C72F26), - UINT64_C(0x0160AA689BA423E2), UINT64_C(0x0188ECB5D9CC3A27), - UINT64_C(0x02349FCF75CC0736), UINT64_C(0x0298585615D70FD1), - UINT64_C(0x03A32918B91165DF), UINT64_C(0x022291948224D8DA), - UINT64_C(0x0099F8E69358E726) }, - { UINT64_C(0x01F00247AE9F76E1), UINT64_C(0x0128BAD6165EB802), - UINT64_C(0x01B045052E08E61D), UINT64_C(0x032D595886F8C4D8), - UINT64_C(0x00186E393A2F7214), UINT64_C(0x016991BB5064F4DD), - UINT64_C(0x02AD9C4CF5574CEF), UINT64_C(0x0255AD5071D22CCE), - UINT64_C(0x01456916FD8D5687) } }, - { { UINT64_C(0x0133F0C2BD45283F), UINT64_C(0x01B7E6242FDEFD97), - UINT64_C(0x035D6B97C76FCAF7), UINT64_C(0x01DEAC7652ACAD19), - UINT64_C(0x03C4E3BEA33C8BB3), UINT64_C(0x0217A37165F99AD5), - UINT64_C(0x0269B9B99EC2F11A), UINT64_C(0x028A7868FC6E7D80), - UINT64_C(0x01D15668B929808B) }, - { UINT64_C(0x028D12F5F8D82B0E), UINT64_C(0x03E7880D363FAA5E), - UINT64_C(0x00437A04942C06CB), UINT64_C(0x0049CD3A9C99AEE3), - UINT64_C(0x015E2D9B6B404613), UINT64_C(0x0162924B16171DEA), - UINT64_C(0x00D5B19300B07C85), UINT64_C(0x02FDE0650EE6F8B2), - UINT64_C(0x00BB3143583D139C) } }, - { { UINT64_C(0x009BBB9CD613AC50), UINT64_C(0x0128ACBF00659E30), - UINT64_C(0x003847B178A6C039), UINT64_C(0x03CE96D95CB2F3AB), - UINT64_C(0x0319F2188F1C72FB), UINT64_C(0x0082FCC27E7E96A0), - UINT64_C(0x00E32363BCE8DAB7), UINT64_C(0x0014FD07C4ADAC1E), - UINT64_C(0x0130440FC8AE58D8) }, - { UINT64_C(0x0065ADF64359ED2E), UINT64_C(0x037ED7D5FA4BC647), - UINT64_C(0x03FF76F3555C909F), UINT64_C(0x03512196FF57D59B), - UINT64_C(0x00299F8EAAC04382), UINT64_C(0x0329BF8D6A784DA0), - UINT64_C(0x0175E680B9D87F6E), UINT64_C(0x000779614D617559), - UINT64_C(0x0091C31FD7BBAA02) } }, - { { UINT64_C(0x007961B4B2C087ED), UINT64_C(0x019162C863ECAFF8), - UINT64_C(0x02BAA68FEDC62170), UINT64_C(0x00E14BEB5E7390A9), - UINT64_C(0x014BD12090B0D96E), UINT64_C(0x01E7BB1B54107513), - UINT64_C(0x023B8205C7A4AC9C), UINT64_C(0x0077AA83FD6A3B9F), - UINT64_C(0x00B556918DDE426E) }, - { UINT64_C(0x007982C0406E7D53), UINT64_C(0x00514C5527392914), - UINT64_C(0x030F83C68AD1F365), UINT64_C(0x01248844664ABB22), - UINT64_C(0x00E9372C39E53CD3), UINT64_C(0x019288EBDD26390E), - UINT64_C(0x0175B25020B2C5E2), UINT64_C(0x01BE6F3235A8D35E), - UINT64_C(0x01BF2B1514039839) } }, - { { UINT64_C(0x00ACAC37A302E505), UINT64_C(0x027765CE9E34F2E4), - UINT64_C(0x02EC67D63AAF96D8), UINT64_C(0x000F998F38DDD8C4), - UINT64_C(0x01F09C36E648CC10), UINT64_C(0x00F522A0C94D1ACD), - UINT64_C(0x01621C139782CB28), UINT64_C(0x002ADC14FDA30F4F), - UINT64_C(0x000AFE14E60E403A) }, - { UINT64_C(0x03F6E66F873938D8), UINT64_C(0x008370549C4A240B), - UINT64_C(0x019BCDB6FBB27AB2), UINT64_C(0x03968D48A1554399), - UINT64_C(0x02AE029F24D2343E), UINT64_C(0x008518D4096DF4BA), - UINT64_C(0x011410655CE49E44), UINT64_C(0x030585BCC07AC55D), - UINT64_C(0x00DBC52BEF1D2C2E) } }, - { { UINT64_C(0x031E0D6D77452267), UINT64_C(0x02FDA38F6A949512), - UINT64_C(0x01F65ED3128F260F), UINT64_C(0x0268DE30B333E479), - UINT64_C(0x03FD84E6AC2E676C), UINT64_C(0x0393B320720BDA53), - UINT64_C(0x009EDD5FCCBB47ED), UINT64_C(0x01B82B4900272372), - UINT64_C(0x01D21A307BE4561F) }, - { UINT64_C(0x01FB6C41FDBC2674), UINT64_C(0x02FC0F6001620C6D), - UINT64_C(0x009450A0F3C6CB0F), UINT64_C(0x015385B69A47DECA), - UINT64_C(0x026E2296F08B9474), UINT64_C(0x0194DEC7BE891DCB), - UINT64_C(0x008B5DA06C5F46EF), UINT64_C(0x019F5A58030A2A18), - UINT64_C(0x00207771A8172F5B) } }, - { { UINT64_C(0x02D0EED2AA2FCC67), UINT64_C(0x028799FC7DD58724), - UINT64_C(0x01664BF5933707D3), UINT64_C(0x039B5E487A0167D1), - UINT64_C(0x02767C865F544F76), UINT64_C(0x012879933B9C8060), - UINT64_C(0x03EBB40C5524547A), UINT64_C(0x0173A7851D6D690E), - UINT64_C(0x01CF4AB59422F25D) }, - { UINT64_C(0x02E0C44B926C197B), UINT64_C(0x021DCFA310FAD65B), - UINT64_C(0x03309DFCCBCED9CA), UINT64_C(0x02A11F05E3D88EA0), - UINT64_C(0x039FE02B0CE3AE95), UINT64_C(0x023B5E3CAC5E3536), - UINT64_C(0x02C9903F85BF51A2), UINT64_C(0x018141A1EBBB4D03), - UINT64_C(0x01B6F9AE1517FBCC) } }, - }, - { - { { UINT64_C(0x01CE126EEC3D1383), UINT64_C(0x03E60292016C63B4), - UINT64_C(0x01086FC1B1F4E0C7), UINT64_C(0x02B824B832819651), - UINT64_C(0x018B5EE5C0AC1703), UINT64_C(0x03467EED60D31DFE), - UINT64_C(0x0370BD13E722F576), UINT64_C(0x01C406BA2A512BD9), - UINT64_C(0x00D7E1D110502A7C) }, - { UINT64_C(0x02029FD2CA303000), UINT64_C(0x031CB26B2D4BB358), - UINT64_C(0x001AACC8DD8A2366), UINT64_C(0x02FD746E61373E27), - UINT64_C(0x01D1A80D5295C235), UINT64_C(0x01FA56B74D0D3443), - UINT64_C(0x0203660094D0A8F7), UINT64_C(0x006ACC0E24009F44), - UINT64_C(0x007532FAF2732979) } }, - { { UINT64_C(0x00CC8937C5CFE5E0), UINT64_C(0x036CA3F94D098379), - UINT64_C(0x0127E76C1F2F6B01), UINT64_C(0x03F376385910CC44), - UINT64_C(0x005AE2B93F0F4F7C), UINT64_C(0x001F51D975E23E7E), - UINT64_C(0x0159FF4F64431F80), UINT64_C(0x0215FECEB62BCA1C), - UINT64_C(0x00168401E32600A7) }, - { UINT64_C(0x01B5A301E78A8DB5), UINT64_C(0x00FF512D35D3F2D2), - UINT64_C(0x0354D19F77E5A97B), UINT64_C(0x0271EFC5E9AFD789), - UINT64_C(0x006980179F908FBC), UINT64_C(0x034A31A6FEF922C2), - UINT64_C(0x01832DCC33A8480C), UINT64_C(0x02589E9D28BAFB44), - UINT64_C(0x0115572B5F3957D4) } }, - { { UINT64_C(0x02B1A9337E8401D3), UINT64_C(0x0290DCDD374D1722), - UINT64_C(0x03B06DFC52EC6DB8), UINT64_C(0x0230EA32F50E3F05), - UINT64_C(0x00FF74654453A452), UINT64_C(0x01A248F21E47C014), - UINT64_C(0x01E2CED97C15ABF4), UINT64_C(0x0283D12E9548735C), - UINT64_C(0x011DE7FF5CC44367) }, - { UINT64_C(0x0397C8B2CA828FA8), UINT64_C(0x023C2C16EF221608), - UINT64_C(0x0079F7CCDCEE62D1), UINT64_C(0x02ABBC4A12FA2ABB), - UINT64_C(0x02D3E0D3AF058906), UINT64_C(0x016EE5FFCAFF1F4D), - UINT64_C(0x0383A01497A17543), UINT64_C(0x015456C9C2BA3AA0), - UINT64_C(0x00833A7F70B8DB1E) } }, - { { UINT64_C(0x02874A121147F509), UINT64_C(0x00814720ED638371), - UINT64_C(0x03306823E9395088), UINT64_C(0x02A5E552F8389554), - UINT64_C(0x00F06CF7F0BA5751), UINT64_C(0x030415DEE1815B81), - UINT64_C(0x00E24A9DB057CA02), UINT64_C(0x0130F23B0BDFF500), - UINT64_C(0x00CD32356D2FBCF3) }, - { UINT64_C(0x031835514BB690A0), UINT64_C(0x011475889E6369E4), - UINT64_C(0x02A366B8DA44B373), UINT64_C(0x01336BAE9A4C91D2), - UINT64_C(0x0321F6D6C8947D98), UINT64_C(0x0331E2910F0F8ECA), - UINT64_C(0x01F6B3937B0234FE), UINT64_C(0x016C792D27998656), - UINT64_C(0x009729CAFA8B37BB) } }, - { { UINT64_C(0x030BF08BF55F34E4), UINT64_C(0x01472A877A6E6046), - UINT64_C(0x03502971975705FE), UINT64_C(0x00F5A66B1DDF090E), - UINT64_C(0x01DD9C80102CADCC), UINT64_C(0x004EB57A202D88C1), - UINT64_C(0x0383DED93A003D31), UINT64_C(0x00DF42EE4835E279), - UINT64_C(0x010B2A2DF2E8CDFC) }, - { UINT64_C(0x00E3757112860379), UINT64_C(0x0049E41486F1D305), - UINT64_C(0x007F50407D2B699F), UINT64_C(0x0186CFF64543014A), - UINT64_C(0x015D637AD6EB6B8D), UINT64_C(0x03EDC1A07906ADD6), - UINT64_C(0x025B1CE8EFA6E451), UINT64_C(0x0281938DC6CCB3C0), - UINT64_C(0x01E95BF35241E85F) } }, - { { UINT64_C(0x01900B5C8B1B724E), UINT64_C(0x00091B0E23027016), - UINT64_C(0x033EA7B567F8D8DD), UINT64_C(0x0149CA26370EF3C0), - UINT64_C(0x0224F7CCEEAEB621), UINT64_C(0x01056822C07633BE), - UINT64_C(0x02682C8A34D4C312), UINT64_C(0x017F1D80C56ACAFB), - UINT64_C(0x000D28BD510F85EC) }, - { UINT64_C(0x0031C759D505A0E7), UINT64_C(0x00695B369E0D5C70), - UINT64_C(0x007414EC503E140D), UINT64_C(0x02998878F14B0559), - UINT64_C(0x03EB48B235BD02B9), UINT64_C(0x02030C241863472E), - UINT64_C(0x00302A0DF1BDB378), UINT64_C(0x02ADB25754F52D99), - UINT64_C(0x01EBEAF9E9BDE9AC) } }, - { { UINT64_C(0x0016D2E6C4CB8040), UINT64_C(0x0251BE4AB3BBC8D1), - UINT64_C(0x00979A86B1EA6004), UINT64_C(0x03197F4F1967EFAE), - UINT64_C(0x03A8E572D3878481), UINT64_C(0x0175BC0B4A3D453E), - UINT64_C(0x0067A078B9E4BDD5), UINT64_C(0x00C290F9DB5CD51A), - UINT64_C(0x00C8A1050BE75174) }, - { UINT64_C(0x0138FA01526AE111), UINT64_C(0x01E92EC50AC0E2D9), - UINT64_C(0x03430EFE4DD66F27), UINT64_C(0x027E3E362221AF89), - UINT64_C(0x0065DC30B6D8ED5E), UINT64_C(0x0194B4AA3299C658), - UINT64_C(0x03FCCBD1A1EE5AFC), UINT64_C(0x0011C786A00C112C), - UINT64_C(0x01770EC65BD04CBD) } }, - { { UINT64_C(0x0219978F485193F0), UINT64_C(0x0169EF77837E1846), - UINT64_C(0x039A4F73B9DC8ADB), UINT64_C(0x0060DDE7E026EABA), - UINT64_C(0x033EDEE638C66335), UINT64_C(0x0296BFF6A6D575A3), - UINT64_C(0x01B793FCB261CF96), UINT64_C(0x00066B2DAA6E8B8E), - UINT64_C(0x00FAA4EE0DF08936) }, - { UINT64_C(0x0082665D53161177), UINT64_C(0x00BF125BA82F6D39), - UINT64_C(0x022B5DABCDFDBE3B), UINT64_C(0x021CD6983941E0F2), - UINT64_C(0x010414D9EC902549), UINT64_C(0x03C8E709DAE4453B), - UINT64_C(0x03B39712A9467665), UINT64_C(0x01718D188F0108E5), - UINT64_C(0x0001E683E6E53299) } }, - { { UINT64_C(0x026BEC9ED63E2975), UINT64_C(0x02445B0FA3670F21), - UINT64_C(0x01B0436EA7FA88A2), UINT64_C(0x01B3E0317834AC34), - UINT64_C(0x0370A51D7EBF7519), UINT64_C(0x028FE5E7A5374634), - UINT64_C(0x004F9C7DD9D61B9E), UINT64_C(0x024629F3A018136E), - UINT64_C(0x01B14207DD17A593) }, - { UINT64_C(0x02B49CBF0B981980), UINT64_C(0x03D510AA4EE52E56), - UINT64_C(0x0223FC5E38C54336), UINT64_C(0x006CECAD3BD995A0), - UINT64_C(0x01C1E9CE9CFF80F2), UINT64_C(0x03F2A4F91A9DFFC4), - UINT64_C(0x023C10907D4D0C02), UINT64_C(0x0266DE5575DC75DB), - UINT64_C(0x00C42F22C54D0AE1) } }, - { { UINT64_C(0x02CA7240C82B5AA4), UINT64_C(0x009FC67BD6157E6E), - UINT64_C(0x0237AEA0E986F61E), UINT64_C(0x0295536DA6F6D324), - UINT64_C(0x03CCCEAED7D090D6), UINT64_C(0x02AEB5185AD3ED8F), - UINT64_C(0x01709E10CC89909F), UINT64_C(0x02104E7DD9DB3C2E), - UINT64_C(0x018FBE92AA69FDDA) }, - { UINT64_C(0x019CC5A0410AA767), UINT64_C(0x01BD2A1F9D7CB636), - UINT64_C(0x016925EEC5FA539B), UINT64_C(0x030EE211BCC86603), - UINT64_C(0x02286DD13B9B314D), UINT64_C(0x019EE14925C53864), - UINT64_C(0x03BA30594CCCD2C4), UINT64_C(0x03CF135ECF524017), - UINT64_C(0x009675B7F38F7A5F) } }, - { { UINT64_C(0x034097FDD5C529C4), UINT64_C(0x022BABC53852C90D), - UINT64_C(0x005FA5449B2CFEAE), UINT64_C(0x0213E3712D2D891B), - UINT64_C(0x01EC7B3EEE99C138), UINT64_C(0x027C357D0B9CBABB), - UINT64_C(0x025A19E877887A6F), UINT64_C(0x00D4CD3E5DC97F03), - UINT64_C(0x01A0BD7971FE9BC8) }, - { UINT64_C(0x01302079C035FA1B), UINT64_C(0x03A553C1D7472F9E), - UINT64_C(0x01A4254310460FA3), UINT64_C(0x00172E37209ED67F), - UINT64_C(0x01598766A435004B), UINT64_C(0x015F6DA2FE9089F7), - UINT64_C(0x03D7A8AD6610ED72), UINT64_C(0x00218A47CD395F7C), - UINT64_C(0x01CEBC586BD69C42) } }, - { { UINT64_C(0x005E156C633E8718), UINT64_C(0x036F6921E8311E5A), - UINT64_C(0x012516B3E4747664), UINT64_C(0x016B6481265AF56F), - UINT64_C(0x005B9CA959873FB0), UINT64_C(0x01215A2E38706CDD), - UINT64_C(0x00C64AAAEE1FE5AB), UINT64_C(0x009494AE29DD5833), - UINT64_C(0x001DE0FFFA144A84) }, - { UINT64_C(0x01AB0B04D7864A53), UINT64_C(0x03B6589B739D3720), - UINT64_C(0x0342AE6EE03B4D2D), UINT64_C(0x0366C4CD40B083D3), - UINT64_C(0x02E583D735216939), UINT64_C(0x028069A08705938A), - UINT64_C(0x03470E4558BB0247), UINT64_C(0x037269A3A352E23F), - UINT64_C(0x000A1B500F437A69) } }, - { { UINT64_C(0x017C93D92A097CC4), UINT64_C(0x001BA88CC46C7150), - UINT64_C(0x01AE786C3A4D3E20), UINT64_C(0x028BF5869DC58997), - UINT64_C(0x02E52726A122777F), UINT64_C(0x00972F198872159B), - UINT64_C(0x02552DD5544B0BA5), UINT64_C(0x009FAC089C64945A), - UINT64_C(0x00A926F159FE26EE) }, - { UINT64_C(0x003998CBAECC32F4), UINT64_C(0x01BD7CE18DCAAA28), - UINT64_C(0x00A1F5FB988BB383), UINT64_C(0x03AEB19DEFD835C2), - UINT64_C(0x00244E47BC8D865E), UINT64_C(0x0038157724E1BB10), - UINT64_C(0x007BD8BF38E25231), UINT64_C(0x00C5E24E2CD69DAB), - UINT64_C(0x01A779CC34494897) } }, - { { UINT64_C(0x004BD43B7D176E2E), UINT64_C(0x005E93AB83087469), - UINT64_C(0x03E80C170CBB6730), UINT64_C(0x02CA4F7C8BEDBE63), - UINT64_C(0x02A85DD542AB5799), UINT64_C(0x0066D2B71D97D372), - UINT64_C(0x03558E6854EDDBC6), UINT64_C(0x01014B87714911B3), - UINT64_C(0x0150C0A4F996E45F) }, - { UINT64_C(0x01E0E94EA8A05AA1), UINT64_C(0x02AFE47CFC92BB70), - UINT64_C(0x0203EC4D3CE6EAF1), UINT64_C(0x024771DB1D696301), - UINT64_C(0x0196D9AA529C496E), UINT64_C(0x03B56E31398127F0), - UINT64_C(0x0387E08D7862B4A2), UINT64_C(0x032941073AE64CE3), - UINT64_C(0x0000E769C78F3C16) } }, - { { UINT64_C(0x034AFDE7FF46E9D5), UINT64_C(0x01174874945BB22A), - UINT64_C(0x0315AE08354CD33E), UINT64_C(0x020944101FCD5584), - UINT64_C(0x02AD3EF0CDDE6E15), UINT64_C(0x030A2698AB480B82), - UINT64_C(0x03BF15403C92749F), UINT64_C(0x025EFF1408AEDEF4), - UINT64_C(0x00853B2112F03584) }, - { UINT64_C(0x017A76C60E367447), UINT64_C(0x031C3B84E9CFE4B6), - UINT64_C(0x0383807320E00DD1), UINT64_C(0x02152F5E5EE3BE00), - UINT64_C(0x035287A9CC92FA2D), UINT64_C(0x0007C4F52ABBB00A), - UINT64_C(0x006B2558DC7D9071), UINT64_C(0x0266DBFFAED357E3), - UINT64_C(0x007E76EA86C8A78C) } }, - { { UINT64_C(0x00DA97D33D831A04), UINT64_C(0x0273CA87AB20DA80), - UINT64_C(0x004C77C7C118ED92), UINT64_C(0x00F87131473BDF57), - UINT64_C(0x036EC3E2E0DE7125), UINT64_C(0x00C7E8EADB491D0D), - UINT64_C(0x0299CB19B912B7BF), UINT64_C(0x0399A443D4E010F6), - UINT64_C(0x0098FCF8A99C2A16) }, - { UINT64_C(0x030D9571D49B2FC3), UINT64_C(0x02127D20D334D6E9), - UINT64_C(0x00CF98756BB05081), UINT64_C(0x02A955A34EA7C78A), - UINT64_C(0x0099BBA4C82FA729), UINT64_C(0x03B80CA8EED74492), - UINT64_C(0x03A7668CD742B7C3), UINT64_C(0x039AA1A4CD0B2F61), - UINT64_C(0x01769BB74BE7BFCF) } }, - }, - { - { { UINT64_C(0x01AE6D7AF8ECE594), UINT64_C(0x004BD233382C1067), - UINT64_C(0x02FC7E73749707AD), UINT64_C(0x01A0C47D78BA765F), - UINT64_C(0x02BB7416407B8B16), UINT64_C(0x02F996A9035A29ED), - UINT64_C(0x01C78A5F9EA3DEA9), UINT64_C(0x03997AA8F9A04684), - UINT64_C(0x0062155AD4E50AC6) }, - { UINT64_C(0x0136D4FEFEBBFAD7), UINT64_C(0x03C498A8C3B5B196), - UINT64_C(0x03AF4B2081A7DC94), UINT64_C(0x02FE1693A20D804F), - UINT64_C(0x0019DBDAD1684FFD), UINT64_C(0x03E47903EABFC90E), - UINT64_C(0x00EA7078F3484441), UINT64_C(0x037A0851741BD87B), - UINT64_C(0x004DEB7A4980ECBA) } }, - { { UINT64_C(0x02A998A0008164D4), UINT64_C(0x014B73504FD3FC3A), - UINT64_C(0x00C19E4FF76A915D), UINT64_C(0x00D30C3B2FD0EC60), - UINT64_C(0x01518FD432879FDC), UINT64_C(0x018585905FB0DE73), - UINT64_C(0x002E0E88A51BB32E), UINT64_C(0x011E824BA1621756), - UINT64_C(0x008F5503550AE008) }, - { UINT64_C(0x01F4C5CC039B003C), UINT64_C(0x034FE4F1205365F7), - UINT64_C(0x029B502075F020C8), UINT64_C(0x02E622483E3884F2), - UINT64_C(0x0096DBF1B7347D87), UINT64_C(0x03E49F71A5BBC472), - UINT64_C(0x028F694B092BA1CC), UINT64_C(0x03911DA84B731F41), - UINT64_C(0x00AEE98DB68D16A6) } }, - { { UINT64_C(0x03335FA8EB78796F), UINT64_C(0x02878D6632487FA2), - UINT64_C(0x023DC13EBB873632), UINT64_C(0x0328E4AB268A2A07), - UINT64_C(0x017A111FE36EA0A1), UINT64_C(0x02DD260BC4AB23DF), - UINT64_C(0x02BD012E8019E481), UINT64_C(0x02DAEA5C2102ACDC), - UINT64_C(0x0191F08F46778030) }, - { UINT64_C(0x01DAFF85FF6CA70B), UINT64_C(0x00C20C713262D23C), - UINT64_C(0x0002F4B44F09083A), UINT64_C(0x014BFF17F10ECF45), - UINT64_C(0x025ADB2237EA42A8), UINT64_C(0x03E47544193ED683), - UINT64_C(0x016D405A3F97D5CE), UINT64_C(0x03412AAA28009BC3), - UINT64_C(0x0061A9DB41BEFEDC) } }, - { { UINT64_C(0x02DE586F26762E69), UINT64_C(0x016435D71514BA52), - UINT64_C(0x016D7A3D17B63A4D), UINT64_C(0x026D50DCE42619B6), - UINT64_C(0x0071889F59482029), UINT64_C(0x011CE57167125C3C), - UINT64_C(0x00A0EA2BE409EA4A), UINT64_C(0x009EDE87052C5E58), - UINT64_C(0x01024A33C8A03073) }, - { UINT64_C(0x0190FE7C2B54A6C6), UINT64_C(0x006AD6F23DFB4339), - UINT64_C(0x01A290051C927B4A), UINT64_C(0x001E3AB0900247C6), - UINT64_C(0x02F0CF556BD9F5D6), UINT64_C(0x0044A9D7E6F09A3D), - UINT64_C(0x03647C4823C77404), UINT64_C(0x0174246A05A125F4), - UINT64_C(0x005046F70E49B3B4) } }, - { { UINT64_C(0x0168F14947F5FEA0), UINT64_C(0x00769E99AB9E6CB3), - UINT64_C(0x0132518C89E21038), UINT64_C(0x01B680C1A8696720), - UINT64_C(0x002ED6053CD44327), UINT64_C(0x01D30DD43B7E58A9), - UINT64_C(0x00944E2E081D9491), UINT64_C(0x006831ACBEAD123C), - UINT64_C(0x0152C11DC5777195) }, - { UINT64_C(0x00241773802E1A49), UINT64_C(0x01BAF7037807F846), - UINT64_C(0x03D3C7A48FA494BE), UINT64_C(0x011E5017010FAAB7), - UINT64_C(0x02754857375E5F4A), UINT64_C(0x03779B43EFE7F8E1), - UINT64_C(0x0012FF3BABC982CB), UINT64_C(0x00FFF200A782A57D), - UINT64_C(0x01525BFCB1CE27F1) } }, - { { UINT64_C(0x03E552EA093A81E5), UINT64_C(0x0289B3D7E8ED9281), - UINT64_C(0x0342009AC81D0D79), UINT64_C(0x03AD34454A991783), - UINT64_C(0x01E2910F69599605), UINT64_C(0x03D879F03BB2582D), - UINT64_C(0x027BC06449C49ACB), UINT64_C(0x008DC219F862EDC8), - UINT64_C(0x01C5BFA6129C1E94) }, - { UINT64_C(0x026A51D1748353E7), UINT64_C(0x0181475224C056F6), - UINT64_C(0x00C626EAA883505E), UINT64_C(0x0279EE327830A7B4), - UINT64_C(0x0320D8F515A684E8), UINT64_C(0x00C3F8E23CD44D3F), - UINT64_C(0x02C122EE12C67CA1), UINT64_C(0x00E99C91530D5183), - UINT64_C(0x0021144C6B142C61) } }, - { { UINT64_C(0x011D351AD93C77DA), UINT64_C(0x03AA1509EA474780), - UINT64_C(0x018659BD1EF489E2), UINT64_C(0x003305C7CD548712), - UINT64_C(0x0274078260A570D7), UINT64_C(0x0053143C92277CEB), - UINT64_C(0x002C9848EA865C9F), UINT64_C(0x02CCE08E86A1AEA9), - UINT64_C(0x017387D78B16B104) }, - { UINT64_C(0x004AA27AD541016D), UINT64_C(0x018249526E484E54), - UINT64_C(0x02AB312423D0089E), UINT64_C(0x0219D7F11A43C693), - UINT64_C(0x02063682A176BD49), UINT64_C(0x03B53A444F4AA295), - UINT64_C(0x00795B99C8C7C949), UINT64_C(0x03E13055864354E1), - UINT64_C(0x00AD0290F60CD7D0) } }, - { { UINT64_C(0x012D2A436D526DD9), UINT64_C(0x01CD402DD6D978C6), - UINT64_C(0x00A58E861B88A485), UINT64_C(0x02D5660B63C2B513), - UINT64_C(0x00AC661A50344950), UINT64_C(0x005912EC7C3046DF), - UINT64_C(0x00386C50A42C0A1A), UINT64_C(0x03AB81C1B172201D), - UINT64_C(0x00C7E276190DAFE0) }, - { UINT64_C(0x02C2EF02CE4F4EFB), UINT64_C(0x036C62A28EE8E529), - UINT64_C(0x007713DEA66609AC), UINT64_C(0x0335AC64B1B06D35), - UINT64_C(0x030C33E87E4697D9), UINT64_C(0x02A8B6DA5FD2C060), - UINT64_C(0x00A7681837DA7123), UINT64_C(0x034383051138278A), - UINT64_C(0x0100BA5CB675B5C3) } }, - { { UINT64_C(0x007A90498A37CD61), UINT64_C(0x00C21A3950646D6E), - UINT64_C(0x00E24CC900B23BA5), UINT64_C(0x00177482F428680B), - UINT64_C(0x008C265BAA81CF89), UINT64_C(0x035D3B4D224FFF8E), - UINT64_C(0x036D6B85A5B0977B), UINT64_C(0x00D1075A6C1311DD), - UINT64_C(0x01CE20C3E0DE4C26) }, - { UINT64_C(0x03983305308A7408), UINT64_C(0x034CC1C79BB9BDAE), - UINT64_C(0x02079940C900D507), UINT64_C(0x011184B7705AB688), - UINT64_C(0x00BE018DECC7C858), UINT64_C(0x00059833EA10EFD5), - UINT64_C(0x03D3C58726A0CFF9), UINT64_C(0x03FAC56BC268E09A), - UINT64_C(0x00AF6C171D653277) } }, - { { UINT64_C(0x01151276D19DDB66), UINT64_C(0x00BE849EE9A2D3A8), - UINT64_C(0x02C6A7580CC1CD5D), UINT64_C(0x03AE7FCF32E2402D), - UINT64_C(0x0077F3388646E57B), UINT64_C(0x0321275FFC38AED4), - UINT64_C(0x035220194FAC16E6), UINT64_C(0x00AC60DD1664CBF4), - UINT64_C(0x005C9F4FAEB1E475) }, - { UINT64_C(0x03454E2FDA228C02), UINT64_C(0x03CE54CE918B9E80), - UINT64_C(0x01E6700CB1251E2C), UINT64_C(0x004D9EF2E269258E), - UINT64_C(0x0271A9DFD10397F8), UINT64_C(0x01D68E1301C08065), - UINT64_C(0x0255D3F4888FC07C), UINT64_C(0x01EA14C32D6DB6C1), - UINT64_C(0x00641A5E7FF0CED4) } }, - { { UINT64_C(0x03D2DB7494E80EB1), UINT64_C(0x03429AAC7DF50EDF), - UINT64_C(0x0193B4233D776372), UINT64_C(0x00FA6676BCB0445B), - UINT64_C(0x00962AF93FA06ADE), UINT64_C(0x00ED262149C44EC5), - UINT64_C(0x00DD0F0802C2CD3B), UINT64_C(0x0349A7F09C0CD9BA), - UINT64_C(0x019BCEE240624924) }, - { UINT64_C(0x0301B8CB30F92986), UINT64_C(0x02FBD5618F84FCAA), - UINT64_C(0x020844CC6DEA56EF), UINT64_C(0x0399AC423AE9922A), - UINT64_C(0x0304B577679CF04F), UINT64_C(0x033A00D5B3E1E90B), - UINT64_C(0x02E0EA5DF7501CB6), UINT64_C(0x01AEEBA7909CF3AB), - UINT64_C(0x00D1F739C1192316) } }, - { { UINT64_C(0x03FBED19829AE558), UINT64_C(0x018A508538E70057), - UINT64_C(0x00CB16FE844A9E7C), UINT64_C(0x02A5D97534D7DBBC), - UINT64_C(0x005769E43FDAB701), UINT64_C(0x02371B260F0C6E67), - UINT64_C(0x0088CED91D562ACB), UINT64_C(0x03FF0E5F0D26F719), - UINT64_C(0x009911094F5E4AA4) }, - { UINT64_C(0x014DA634DAAD22D1), UINT64_C(0x0126CD74DB263614), - UINT64_C(0x00B20F1368A80FE1), UINT64_C(0x01C40150F01BDEEF), - UINT64_C(0x036B7B115D665EA4), UINT64_C(0x00E64D810EAB1790), - UINT64_C(0x037432C58B6DDE4A), UINT64_C(0x02689716E469337C), - UINT64_C(0x009023B703EED1A4) } }, - { { UINT64_C(0x0168DF986EB8B398), UINT64_C(0x0373053537795BF1), - UINT64_C(0x018911988685F26D), UINT64_C(0x0387383FA6C93770), - UINT64_C(0x019704736EAD528F), UINT64_C(0x0271A2FD2A7AB31F), - UINT64_C(0x016F759D385DF60B), UINT64_C(0x00588A673CE9E385), - UINT64_C(0x00F00D2C74D140B1) }, - { UINT64_C(0x037761186D05FF6A), UINT64_C(0x021D5810D7AE7578), - UINT64_C(0x032F7D951B6FE596), UINT64_C(0x00F101711823BB39), - UINT64_C(0x028DE92770998580), UINT64_C(0x037C0C99F0D97BF8), - UINT64_C(0x030EB60AA7504E10), UINT64_C(0x038624C9A9EBB17E), - UINT64_C(0x0117D8E0506A5993) } }, - { { UINT64_C(0x02D315A154D9F1F8), UINT64_C(0x00A34DBD30332164), - UINT64_C(0x0306F497C34DB615), UINT64_C(0x03599315A4DB339F), - UINT64_C(0x007E9E0F8E2399AC), UINT64_C(0x003A93148F4FA95A), - UINT64_C(0x011F62B5F0DC45EF), UINT64_C(0x02C2CA027E1C8CCA), - UINT64_C(0x017EDB2AB60DCF2F) }, - { UINT64_C(0x03D0BE47BDAF0C41), UINT64_C(0x0261770EA9BAF337), - UINT64_C(0x00123C9A8D5C885C), UINT64_C(0x02304942CA223A54), - UINT64_C(0x027514FEE2CC680A), UINT64_C(0x02845D9CADE7E084), - UINT64_C(0x037BF3E603649E24), UINT64_C(0x00221D7FD1EC9BB3), - UINT64_C(0x019ABE2E017E3282) } }, - { { UINT64_C(0x022C310986DBC74A), UINT64_C(0x016910C9D8D292FA), - UINT64_C(0x0168FBA7C0C784B2), UINT64_C(0x02F0C2E785D2A006), - UINT64_C(0x01AE45ADAA754923), UINT64_C(0x0340D3039A77094C), - UINT64_C(0x028C800560A74DE4), UINT64_C(0x0209DAB7CF99A92A), - UINT64_C(0x01A7AE95C3D65A81) }, - { UINT64_C(0x03D0EF28C4FA3D53), UINT64_C(0x01C7BD38B1347859), - UINT64_C(0x0005A7461F21783E), UINT64_C(0x01367207E2FE3122), - UINT64_C(0x033746BBB79E2E44), UINT64_C(0x0279FE17A5803572), - UINT64_C(0x03015592FFEC7617), UINT64_C(0x02742174C25F4D16), - UINT64_C(0x00E410A0B89682D7) } }, - { { UINT64_C(0x02B22FBEE727DDB2), UINT64_C(0x024FD40DFE0DC5F9), - UINT64_C(0x015C3DCCFE2E8278), UINT64_C(0x029992449755EB6E), - UINT64_C(0x03FD36B4574277E1), UINT64_C(0x02D49C964F2299EE), - UINT64_C(0x021CD67B9805D246), UINT64_C(0x0157D17DBA6DBB8F), - UINT64_C(0x014315532B63B009) }, - { UINT64_C(0x0192F41C11B068CF), UINT64_C(0x013ADE386B9A6252), - UINT64_C(0x0023510A4F9C5B28), UINT64_C(0x027BD3DC9B9B0039), - UINT64_C(0x02377F19B4B907D4), UINT64_C(0x0292B925A6106638), - UINT64_C(0x01058CF22E01616A), UINT64_C(0x017799C00E576B04), - UINT64_C(0x00A289A954F56291) } }, - }, - { - { { UINT64_C(0x00C4AC143FFE4858), UINT64_C(0x0306D22EAAC4A5AD), - UINT64_C(0x01F0A5791E3783D9), UINT64_C(0x03A0A974CB2ACA2D), - UINT64_C(0x02E76FB3F03AA34D), UINT64_C(0x0217400AE3A40C22), - UINT64_C(0x0040CD3B74A7ED3C), UINT64_C(0x00FCB122891AAD96), - UINT64_C(0x01B8C8494718771D) }, - { UINT64_C(0x03F57D14A28DA023), UINT64_C(0x022E364741E3E46C), - UINT64_C(0x01A7ABA67F27FDBC), UINT64_C(0x030FF1837DC3E97D), - UINT64_C(0x00618486CF4908AD), UINT64_C(0x02CF161553F374F8), - UINT64_C(0x019DD012E725571E), UINT64_C(0x033EDF6BF47BD717), - UINT64_C(0x0125806554EE19B9) } }, - { { UINT64_C(0x018E9A7BA994A7B1), UINT64_C(0x02AC0D7BEC6A8983), - UINT64_C(0x03D38D705E07CD01), UINT64_C(0x005566DD3C426505), - UINT64_C(0x0067EB2AB8C5C6E4), UINT64_C(0x02833D0E2656CD6B), - UINT64_C(0x01DDCA9C78AA1909), UINT64_C(0x00EDF1FB3DAA7F12), - UINT64_C(0x0166F72F3DE51C63) }, - { UINT64_C(0x02B78FAEB96F6D73), UINT64_C(0x02052F35A5545293), - UINT64_C(0x005CD62AD9BF553E), UINT64_C(0x00B728FA50CC968E), - UINT64_C(0x019295FA16301250), UINT64_C(0x0287D8B59A13D480), - UINT64_C(0x0316813DDF4A21F3), UINT64_C(0x01769E5723184C7C), - UINT64_C(0x0066E0E7009AE7B5) } }, - { { UINT64_C(0x021F2EE46CDE12CD), UINT64_C(0x003D0000412CCD1F), - UINT64_C(0x02C67E761CB63537), UINT64_C(0x02C1A38D4F403A59), - UINT64_C(0x03B812F8D1F26B87), UINT64_C(0x029994AD5ACE97AC), - UINT64_C(0x026C55C785488093), UINT64_C(0x01869CEF172A91D6), - UINT64_C(0x01661593B4702F1D) }, - { UINT64_C(0x0197935A2366B021), UINT64_C(0x01C8C53ECC9EEE7B), - UINT64_C(0x02C636CFB825AB8B), UINT64_C(0x02EEC0E46E96B427), - UINT64_C(0x00525F145382F270), UINT64_C(0x0133F597DCA61576), - UINT64_C(0x0237ACF913367D38), UINT64_C(0x02C6B96EB5398F41), - UINT64_C(0x0088A6A556F6EF14) } }, - { { UINT64_C(0x03AE1C8DCCD34315), UINT64_C(0x0157B6DF5CCF4DF6), - UINT64_C(0x02191AB191DCA071), UINT64_C(0x01897CF46F10173C), - UINT64_C(0x02767320BD61533A), UINT64_C(0x01A9DAB7019D6315), - UINT64_C(0x01911BB32715F1BB), UINT64_C(0x001C7F74F8A656CA), - UINT64_C(0x0009C70F08ACB68E) }, - { UINT64_C(0x0072A1ED9356A25A), UINT64_C(0x01556970A7D5EEF6), - UINT64_C(0x0350BEDB0F71D649), UINT64_C(0x03EA3565DDFF826F), - UINT64_C(0x013B29E08B1AF8F4), UINT64_C(0x0331B92ACB74C5CA), - UINT64_C(0x03A4E6E26F5AAC1D), UINT64_C(0x036F06A79D110118), - UINT64_C(0x00631FDFA318D2BC) } }, - { { UINT64_C(0x035871450EAD4FF9), UINT64_C(0x0045783A9CFF37E4), - UINT64_C(0x03713AE92AC33512), UINT64_C(0x009A3896CE34EF6D), - UINT64_C(0x03A8EE82555DC9D1), UINT64_C(0x002C620829E4335D), - UINT64_C(0x0375E016D1AE1B50), UINT64_C(0x016D891B140E00CD), - UINT64_C(0x00097FE78FE880E9) }, - { UINT64_C(0x01A323FFCB8B195A), UINT64_C(0x014E7DA6CA0AAFF4), - UINT64_C(0x00C88E8E6528DDB5), UINT64_C(0x01A720372EE878E6), - UINT64_C(0x015A2426F3EF9BB8), UINT64_C(0x01604A559CF4A620), - UINT64_C(0x02C8F10B967488E1), UINT64_C(0x028191262B209448), - UINT64_C(0x019E5661C083C48E) } }, - { { UINT64_C(0x01D1ED07D6920A2A), UINT64_C(0x03909AA105A814DB), - UINT64_C(0x029B1BBB7F2ECAC2), UINT64_C(0x03BB4096CC1FBE27), - UINT64_C(0x0382CAD68C150CCC), UINT64_C(0x00F1CBB480EE5E69), - UINT64_C(0x03933B382F4CE45C), UINT64_C(0x0283D1969E6EC1D6), - UINT64_C(0x008C6BE4F8FBF5F9) }, - { UINT64_C(0x00C2A30AF1CA3CCC), UINT64_C(0x02FF4D4359C3CABE), - UINT64_C(0x020AA78B337657B0), UINT64_C(0x01C5C613D10C423A), - UINT64_C(0x003249BB2418CB6D), UINT64_C(0x00CAB4378A53687C), - UINT64_C(0x0147E31B6118850C), UINT64_C(0x02D08DC29C2D596C), - UINT64_C(0x00409A1F9C9C0372) } }, - { { UINT64_C(0x03985FC5DEB5DCD3), UINT64_C(0x02328F30C46302C2), - UINT64_C(0x00260388D4747802), UINT64_C(0x03BFBB0240E60F52), - UINT64_C(0x03B209042D288213), UINT64_C(0x00F7BBEE239C04F6), - UINT64_C(0x039A7EE4CF9007B4), UINT64_C(0x01BFEC97A07FF7ED), - UINT64_C(0x00F46BA7F4461BE4) }, - { UINT64_C(0x02FF04BE53B68E6C), UINT64_C(0x01CA69133AC1C9A1), - UINT64_C(0x001C0711D4BE94AE), UINT64_C(0x02E7507B45945E53), - UINT64_C(0x011B7A5F7EC81DBE), UINT64_C(0x0329BFC6DA7CDB63), - UINT64_C(0x01FCD3B287A0A497), UINT64_C(0x01F250F924D3B826), - UINT64_C(0x0174EABAF5F90BA0) } }, - { { UINT64_C(0x0288B8614B07B1BF), UINT64_C(0x00AE0C951E1C4290), - UINT64_C(0x01FC49AB7CD0CA2F), UINT64_C(0x0139ED7FA367ECE7), - UINT64_C(0x007ACFF8F0933B14), UINT64_C(0x01BE527A6CE02D5F), - UINT64_C(0x03F3D3A06B11DFFE), UINT64_C(0x021959D14B1DF4BB), - UINT64_C(0x01BC6741AD8DA8F8) }, - { UINT64_C(0x034CD028C42166D8), UINT64_C(0x0185807E32738495), - UINT64_C(0x005883F1CCD9FD2E), UINT64_C(0x03CA0BFCEE08ED5A), - UINT64_C(0x03EAF8CDFF12C8BC), UINT64_C(0x039F9E6871AF8AEE), - UINT64_C(0x0109893E423B3304), UINT64_C(0x0120DC6E783F51AB), - UINT64_C(0x011A855D5413AED9) } }, - { { UINT64_C(0x03EC078648AA3834), UINT64_C(0x022666BDFBC08928), - UINT64_C(0x020CD318C559ED79), UINT64_C(0x031A1F3F1113AB91), - UINT64_C(0x0225DA57498B9B85), UINT64_C(0x00501D2B9387A084), - UINT64_C(0x01462ED6150B49FB), UINT64_C(0x0270A359C4EB430D), - UINT64_C(0x01AD03ACD7F1F2DA) }, - { UINT64_C(0x00577220553E08C6), UINT64_C(0x02711DCC2A6176C2), - UINT64_C(0x00D41E0F942DF9B3), UINT64_C(0x032019849BF44B40), - UINT64_C(0x006F6F65E6AF51C1), UINT64_C(0x02192F8FD6395745), - UINT64_C(0x0369C64E6D49408A), UINT64_C(0x01C1CA82AADBB384), - UINT64_C(0x00252180D9240A33) } }, - { { UINT64_C(0x03B36603F69B34EA), UINT64_C(0x023601EA98DB7FF6), - UINT64_C(0x0119384D5B4D0084), UINT64_C(0x009CB1557E1A2117), - UINT64_C(0x0120F29FC187E5AB), UINT64_C(0x020795FEFEF91AF3), - UINT64_C(0x01654BD2C20FF213), UINT64_C(0x0193B09B2AFFB3A3), - UINT64_C(0x01F2DBD41C09A92B) }, - { UINT64_C(0x0190B8EB79047156), UINT64_C(0x002863629F98DF90), - UINT64_C(0x0131D825BFCD5C94), UINT64_C(0x012459BCEEE81461), - UINT64_C(0x012AEB328B250B06), UINT64_C(0x031E1C2DAC09694B), - UINT64_C(0x000530A4AD5276F9), UINT64_C(0x02B3D1F18BB7C853), - UINT64_C(0x01E8BD2FCCA04F6F) } }, - { { UINT64_C(0x02834F110665B1CF), UINT64_C(0x017AA90109CDC18A), - UINT64_C(0x009242A3E1F2E720), UINT64_C(0x02D5A60BD5F8954E), - UINT64_C(0x03508324EB838D5B), UINT64_C(0x02EDD0C3ED33B190), - UINT64_C(0x00AAD5DC3A119996), UINT64_C(0x01CD04A457847144), - UINT64_C(0x008F9F585EE51416) }, - { UINT64_C(0x0353544CA94CC511), UINT64_C(0x03C458B74ECFBB85), - UINT64_C(0x00DFB34B9CF940F6), UINT64_C(0x025DDCAA8FA2C670), - UINT64_C(0x005DE224A75FEDB1), UINT64_C(0x0133692E8F60712D), - UINT64_C(0x0273753106CAA7BE), UINT64_C(0x01408D58EA2D6196), - UINT64_C(0x00E26553508F8448) } }, - { { UINT64_C(0x01A3A4F60BB13D25), UINT64_C(0x0023ED9ED8B71298), - UINT64_C(0x03FFC9A520FCC5AA), UINT64_C(0x0045A041830B9268), - UINT64_C(0x00CC9DB2983FF213), UINT64_C(0x0121E74580D3BD97), - UINT64_C(0x03180DFFF5302191), UINT64_C(0x017F708B61C069C2), - UINT64_C(0x00AFC5190BADFB44) }, - { UINT64_C(0x0059EAFDA4B66F01), UINT64_C(0x007705DA965D6F67), - UINT64_C(0x020B87871134FA29), UINT64_C(0x01AD088735B31B4F), - UINT64_C(0x018012C061713383), UINT64_C(0x0284C3C51E97DE38), - UINT64_C(0x011439AE9AC5E3B5), UINT64_C(0x0201A73CE2ADC421), - UINT64_C(0x013663825C862321) } }, - { { UINT64_C(0x018D68C0B140A004), UINT64_C(0x01BFAA6599011216), - UINT64_C(0x01E7950576D7B0B1), UINT64_C(0x0078B24B131D0E5F), - UINT64_C(0x02AD5C3FFEDF02C1), UINT64_C(0x0322CFD3147C6177), - UINT64_C(0x038BD27915C61C9C), UINT64_C(0x02F37687B9498DE9), - UINT64_C(0x00EBB6AC6E166ECF) }, - { UINT64_C(0x01DE078E81F8F797), UINT64_C(0x036F3FD0C148612A), - UINT64_C(0x00D42800CEE62CC8), UINT64_C(0x02EF08C94C9988E1), - UINT64_C(0x02A200E24C7221CE), UINT64_C(0x0087BB91FBA9446C), - UINT64_C(0x01AEF9F64351AA5D), UINT64_C(0x0379F61D1F515F5C), - UINT64_C(0x01D6BBEA838FBDE0) } }, - { { UINT64_C(0x029C5257AC98DFAE), UINT64_C(0x033122DA34CA0C86), - UINT64_C(0x02E5AEB04EB596D8), UINT64_C(0x01866E31FF449E97), - UINT64_C(0x01EFC618512D868E), UINT64_C(0x02AB8DD8A2E422DD), - UINT64_C(0x0315FBBF0AB5F678), UINT64_C(0x029B64EE769245C7), - UINT64_C(0x006C6C12185D61E3) }, - { UINT64_C(0x008781A5F0C92FB5), UINT64_C(0x02186CDBC76A7DC2), - UINT64_C(0x02BF30F2AE35EBF2), UINT64_C(0x02A9033768598F59), - UINT64_C(0x026D8F763CE2DDB2), UINT64_C(0x000096A41DC06247), - UINT64_C(0x0378DBDD308791A2), UINT64_C(0x0303B0E7D471E5F3), - UINT64_C(0x0047B4CFEAEEA101) } }, - { { UINT64_C(0x03329136A629DD22), UINT64_C(0x00E5BE3AD1E98750), - UINT64_C(0x00E718574118A518), UINT64_C(0x0001BFD334A31B85), - UINT64_C(0x010ACC7BD56131AD), UINT64_C(0x01BAE8680FF31AF2), - UINT64_C(0x033BF365D3656538), UINT64_C(0x01275681F6A3E780), - UINT64_C(0x01D9134C0EBA1F9E) }, - { UINT64_C(0x03FC0784F75200EB), UINT64_C(0x02505880E37CB45D), - UINT64_C(0x02D012B6F4AEDF75), UINT64_C(0x0239FE68EEDA06B2), - UINT64_C(0x0214FD97D35A83E1), UINT64_C(0x0161FD60913389DA), - UINT64_C(0x02E06AA08A955A74), UINT64_C(0x00A478BB3A540872), - UINT64_C(0x0194213360ACA782) } }, - { { UINT64_C(0x01C7D837402145D7), UINT64_C(0x029A3987EA8CF574), - UINT64_C(0x017B7322E3920EED), UINT64_C(0x01DA90CCE8A07229), - UINT64_C(0x019966632762CF1A), UINT64_C(0x02EA82E975BFDBB2), - UINT64_C(0x00D089776CD7C2DA), UINT64_C(0x01094FFA3D38BAB2), - UINT64_C(0x00ED9425E7C61A8F) }, - { UINT64_C(0x030890ADFDDB406F), UINT64_C(0x02F38194427778C1), - UINT64_C(0x02645A577E29DB0B), UINT64_C(0x02B73BB5A04F839F), - UINT64_C(0x02CBE569872B94D6), UINT64_C(0x034D3051E8314100), - UINT64_C(0x0228FAA39358328C), UINT64_C(0x00F6B458D19C41F5), - UINT64_C(0x01B60D6BFFF120A1) } }, - }, - { - { { UINT64_C(0x03B0D91DCEF34144), UINT64_C(0x0240FE90ACAA2EEA), - UINT64_C(0x02F5638E4C5FABC5), UINT64_C(0x0279B56C13AF89E7), - UINT64_C(0x007BB923CEB3416E), UINT64_C(0x024528E9111E0646), - UINT64_C(0x0019F3658FEFA212), UINT64_C(0x007942C115ACBB8B), - UINT64_C(0x00B3176361BBE92C) }, - { UINT64_C(0x0056A1AF824FDE34), UINT64_C(0x03EFECC262943F2F), - UINT64_C(0x00F55AB9CFA7333B), UINT64_C(0x02E423937E89B9C8), - UINT64_C(0x0177865B2FF1E104), UINT64_C(0x00D9D0346E5AE2AF), - UINT64_C(0x0250F4369EB257AA), UINT64_C(0x02479F5CEE51B49A), - UINT64_C(0x007A588E4A1470CD) } }, - { { UINT64_C(0x006FD0B27FF5FDD9), UINT64_C(0x0315207EADCA6EB7), - UINT64_C(0x038531FDE9E82663), UINT64_C(0x03E9C7DA1307DC24), - UINT64_C(0x007FCF66FC293D27), UINT64_C(0x0073411170172CF4), - UINT64_C(0x03FA0B1709D86BA1), UINT64_C(0x0023FC735B565525), - UINT64_C(0x00C65EABD8A0D474) }, - { UINT64_C(0x001EA477B6B64713), UINT64_C(0x03CAD4127E803700), - UINT64_C(0x02F97EFCE2EC6148), UINT64_C(0x021B881732700041), - UINT64_C(0x01A6D874ACACA115), UINT64_C(0x00A7CA705835C220), - UINT64_C(0x01191B137DD5C14D), UINT64_C(0x02CB4161AB1B2384), - UINT64_C(0x01EA96470F229677) } }, - { { UINT64_C(0x016F41AA44BE78BD), UINT64_C(0x00DBC87805312BB8), - UINT64_C(0x0318156EA17D7B54), UINT64_C(0x026CDF0148DE5C45), - UINT64_C(0x03F974EA0D77EB08), UINT64_C(0x02136BB03794FF4E), - UINT64_C(0x01B53A227C4C2E9C), UINT64_C(0x02B0229F1C11498E), - UINT64_C(0x01CDAB34CEF9122C) }, - { UINT64_C(0x01942B2B520FED74), UINT64_C(0x0278BB0606178C91), - UINT64_C(0x03C70799A5848E33), UINT64_C(0x01024AF0188FBCA7), - UINT64_C(0x017502FD5E81CD21), UINT64_C(0x0341AC8FD5BE6E9F), - UINT64_C(0x03807308C0C55507), UINT64_C(0x02DA9120D7D39BD9), - UINT64_C(0x0078E0C0ADC9F3B8) } }, - { { UINT64_C(0x0249E4056736B7A8), UINT64_C(0x000AD5FD0E326A32), - UINT64_C(0x00F1D8DD5BD49BAE), UINT64_C(0x03C65D240FD61C7B), - UINT64_C(0x0348AA1A2246B05E), UINT64_C(0x03D6D10E55244A30), - UINT64_C(0x02E9906E8F8D085E), UINT64_C(0x0187FD8BEFA8BFBF), - UINT64_C(0x00F8ECD06F55C492) }, - { UINT64_C(0x003A56FE1DEF19D6), UINT64_C(0x0197C74F933E6798), - UINT64_C(0x005694559A51C48D), UINT64_C(0x028423114901AE4B), - UINT64_C(0x006C134B2FD133CC), UINT64_C(0x01F5B1FDE595A9F1), - UINT64_C(0x037CDF87E407C290), UINT64_C(0x01C9430D19026B6E), - UINT64_C(0x00AE4EBC0B91EEC4) } }, - { { UINT64_C(0x0027F5A2CFACC519), UINT64_C(0x0007D8CA3F95188A), - UINT64_C(0x02386E76D1ED1FA2), UINT64_C(0x012CFC615ECB44AE), - UINT64_C(0x02BAC8E16C4EECC0), UINT64_C(0x030FC8B6EACB48A4), - UINT64_C(0x0356F1C94FF8F3DD), UINT64_C(0x00E7898C9228D80E), - UINT64_C(0x0100391DE5D28C45) }, - { UINT64_C(0x00DDA167BAEA3E6E), UINT64_C(0x024E9B6238591A96), - UINT64_C(0x000B124B20D76C9C), UINT64_C(0x00844E80DAD85B15), - UINT64_C(0x006322B9CC9CFBC9), UINT64_C(0x03C3F3E68B0EC1FB), - UINT64_C(0x0198C8988C8CDF43), UINT64_C(0x012F63F58B2E6769), - UINT64_C(0x0146D6A4BBF8FA16) } }, - { { UINT64_C(0x025929A379C36058), UINT64_C(0x03AA8D69D0F228FC), - UINT64_C(0x03137C58503106D0), UINT64_C(0x031D3407BEC09250), - UINT64_C(0x012A5E9F3CB78FCD), UINT64_C(0x03C89A97F7DE8B2F), - UINT64_C(0x03FFA336D8C2CB9D), UINT64_C(0x03CDFCCBE0B2ABB7), - UINT64_C(0x018DB520A44381C3) }, - { UINT64_C(0x037F91B7E71EFA02), UINT64_C(0x02CD2A4F8F2A0051), - UINT64_C(0x03247FBAA82739BD), UINT64_C(0x004F7652DC5CA6F6), - UINT64_C(0x0247D54BFA1094B5), UINT64_C(0x01201F41A5F24EA8), - UINT64_C(0x036AE048899075C8), UINT64_C(0x008DE5B2C2092D5F), - UINT64_C(0x01A05D1DEF90E6C9) } }, - { { UINT64_C(0x009C63F00DDEF055), UINT64_C(0x029E867514AE17BD), - UINT64_C(0x0071477B7FA6548A), UINT64_C(0x01DCF23B30CCB894), - UINT64_C(0x039F3EAF10214846), UINT64_C(0x0131314742EE42E6), - UINT64_C(0x025A42537B162041), UINT64_C(0x0344D321CAEDE286), - UINT64_C(0x00C49346566A2F80) }, - { UINT64_C(0x00AC1057A1A2F1BD), UINT64_C(0x01B16F3F4CF6D85A), - UINT64_C(0x00470A35FA26D12C), UINT64_C(0x02FDF7EC571664A6), - UINT64_C(0x00357DE22954AF5D), UINT64_C(0x01CB9B6C3295D89E), - UINT64_C(0x02A6D5E003D32198), UINT64_C(0x02BCFEFCD08395C8), - UINT64_C(0x0024E3256C9EC29E) } }, - { { UINT64_C(0x02E3E3726899A80A), UINT64_C(0x0026F9277D12E5D8), - UINT64_C(0x03A9F147B7CC784D), UINT64_C(0x02D1E1BE2785B816), - UINT64_C(0x035FD35148DBC7EB), UINT64_C(0x008735EF566F4D0B), - UINT64_C(0x023A56774FF10ABF), UINT64_C(0x02650BA6B7B26925), - UINT64_C(0x016ADF49024BBCF1) }, - { UINT64_C(0x003AD342E4E67976), UINT64_C(0x03C92192D00DAB16), - UINT64_C(0x020460FDED50A384), UINT64_C(0x034C8C7A7CCCB477), - UINT64_C(0x026F1F63625979C2), UINT64_C(0x01C81B4E10D5FC66), - UINT64_C(0x036A3D003DC0490C), UINT64_C(0x012B902A026C1347), - UINT64_C(0x01F7B86A36390DAD) } }, - { { UINT64_C(0x000691E2EC112CB8), UINT64_C(0x024EF99D143B7D60), - UINT64_C(0x0115A42EEFCFA47F), UINT64_C(0x01E802D725D2BBE5), - UINT64_C(0x0121B37EFA442937), UINT64_C(0x0017BB506D32E10E), - UINT64_C(0x026AAA87600CCD57), UINT64_C(0x016CF4C8E0A70FF4), - UINT64_C(0x009FFBF163AE94B4) }, - { UINT64_C(0x0295886926814D18), UINT64_C(0x03A0FBF4C1A9E1DB), - UINT64_C(0x03C42214E510B980), UINT64_C(0x01795048E2D2FBCB), - UINT64_C(0x007E6ECA8AF45230), UINT64_C(0x03B7348F6C6F8B62), - UINT64_C(0x0082EEE297D2810F), UINT64_C(0x001262A01DEC143A), - UINT64_C(0x01B9903A2D05B891) } }, - { { UINT64_C(0x023634A86BE77EA4), UINT64_C(0x00A0B41ED63F1BFE), - UINT64_C(0x0275C4824374C264), UINT64_C(0x02608A7A328E460A), - UINT64_C(0x00FED89AAE8DD2B7), UINT64_C(0x02109029EF3CE021), - UINT64_C(0x011969F67E04BEBE), UINT64_C(0x01A57DE74BB6D7CF), - UINT64_C(0x0032260FF5FAEF2A) }, - { UINT64_C(0x02058C1764B8EB93), UINT64_C(0x034A7BEAEE142796), - UINT64_C(0x01C4178E14455ABA), UINT64_C(0x0089C0C3FD3F4E75), - UINT64_C(0x006C6AD7C0E981DA), UINT64_C(0x0228FCA3E86007B0), - UINT64_C(0x025CE2ECCA48B8F4), UINT64_C(0x01E5A636E10EA6E7), - UINT64_C(0x00B998D460C196E1) } }, - { { UINT64_C(0x0160926185730C8D), UINT64_C(0x032DE7C19EF3EB5F), - UINT64_C(0x01B89DB78DA4AF19), UINT64_C(0x03E8BF1A8A7D683F), - UINT64_C(0x00C74484F132486E), UINT64_C(0x0020C78A33777ADF), - UINT64_C(0x028B418FCCA39E1E), UINT64_C(0x03C6B30F7BDFA864), - UINT64_C(0x012E1D3651FF3815) }, - { UINT64_C(0x023FC40DA01A8D36), UINT64_C(0x0396DC8A8E0AC356), - UINT64_C(0x0257ECBA277518BE), UINT64_C(0x015E0BE8CDCF0B5F), - UINT64_C(0x017CA95C0BC967EE), UINT64_C(0x0305AA19591EC746), - UINT64_C(0x00ECEE9B1C5E531F), UINT64_C(0x017F62DDF7CD8C93), - UINT64_C(0x01843F3A5D58D681) } }, - { { UINT64_C(0x008235BF1CE87EAC), UINT64_C(0x0337B13BA7D5C15E), - UINT64_C(0x03846B02056DE241), UINT64_C(0x033C6CAEB5DEAB90), - UINT64_C(0x030248638020D787), UINT64_C(0x0224F8D01B9221DD), - UINT64_C(0x01F402C62FF58E8A), UINT64_C(0x03AAD9850E5506F5), - UINT64_C(0x003902A9875C05FB) }, - { UINT64_C(0x0020DA18AA01F6F0), UINT64_C(0x030A6715F4E78D18), - UINT64_C(0x037807033B777232), UINT64_C(0x01B7606FD787D415), - UINT64_C(0x008A9CC327698B87), UINT64_C(0x0061BCA066C82FF1), - UINT64_C(0x01BFA28EB25A2709), UINT64_C(0x024D6272DC7593CB), - UINT64_C(0x00EC0BB76A281871) } }, - { { UINT64_C(0x032999435C8AA41D), UINT64_C(0x01A489157A228E17), - UINT64_C(0x0156F793B6B0E956), UINT64_C(0x028D96D92EBD33D6), - UINT64_C(0x0359740492EFE167), UINT64_C(0x015A71262E572E91), - UINT64_C(0x01FA4485B8FC6399), UINT64_C(0x0347A0956647A542), - UINT64_C(0x010E38E5A425F12F) }, - { UINT64_C(0x00AEFDFC244C41BB), UINT64_C(0x003952945BE8B3B5), - UINT64_C(0x0319FE9C6BCFD1F0), UINT64_C(0x03F504A658EDEE0B), - UINT64_C(0x02ED873A43F5A1E1), UINT64_C(0x02712F6EE0434187), - UINT64_C(0x03F8F26F084CADB4), UINT64_C(0x0037A2587E5D9BC4), - UINT64_C(0x007E3E8815CB75BB) } }, - { { UINT64_C(0x00D0B08F2FB80E07), UINT64_C(0x001F1C3F02C8AA99), - UINT64_C(0x02C965AB70A7B621), UINT64_C(0x02934839B849A6F8), - UINT64_C(0x003F88BA718D98ED), UINT64_C(0x02899A10EC155762), - UINT64_C(0x0019825E2EA0BBFE), UINT64_C(0x031BADAF50BB1556), - UINT64_C(0x00C2052564BF2D01) }, - { UINT64_C(0x02BBD600B64986F4), UINT64_C(0x0001308CBE96F1C1), - UINT64_C(0x00C849F303B9F9E3), UINT64_C(0x02D14076FC63D1DE), - UINT64_C(0x0236169D2D35EA78), UINT64_C(0x0264B3B8EE95BD05), - UINT64_C(0x002F66E82F19619B), UINT64_C(0x0095E5BD3AAECF3F), - UINT64_C(0x004DAC1BA614BE0C) } }, - { { UINT64_C(0x031F00ED67DF6D6E), UINT64_C(0x03D70047AC4E0BA7), - UINT64_C(0x02D8711992AA1754), UINT64_C(0x036ECAEB89D30859), - UINT64_C(0x0036A42A32CE3566), UINT64_C(0x01D98A9D0A6301E2), - UINT64_C(0x0254343364F9506D), UINT64_C(0x00BA44E9D5246E7C), - UINT64_C(0x01A19768E78BDB19) }, - { UINT64_C(0x01612B559D4C1CFE), UINT64_C(0x00FD06AC0FA53998), - UINT64_C(0x01000FCBA8F910A9), UINT64_C(0x02941E6AFC5E6D3F), - UINT64_C(0x00CAEFF18F01E2A7), UINT64_C(0x00C3611A9DC5189A), - UINT64_C(0x004BD42C721A7B6E), UINT64_C(0x02CFCE0AB6DE8255), - UINT64_C(0x0157E0604D9A6299) } }, - { { UINT64_C(0x004C36A17F3F00C1), UINT64_C(0x03AAE85897960B4C), - UINT64_C(0x00162519D94A771E), UINT64_C(0x00EFA894195CFB14), - UINT64_C(0x0377393E0BEA5785), UINT64_C(0x01275D68934C0C3C), - UINT64_C(0x020E33D09CE0D489), UINT64_C(0x00636664BBECE0A2), - UINT64_C(0x01D94E3BA2F10531) }, - { UINT64_C(0x00F1D932B72461C9), UINT64_C(0x030803CCCD33A980), - UINT64_C(0x03D527D0F91F6DBE), UINT64_C(0x032A75271076B0B3), - UINT64_C(0x00618C0762DDDF10), UINT64_C(0x0023381E1F452B93), - UINT64_C(0x02E55888093553F9), UINT64_C(0x0179B91A78A3270C), - UINT64_C(0x008109452184E2A2) } }, - }, - { - { { UINT64_C(0x039BF352B2648196), UINT64_C(0x0255A7410BF9D82B), - UINT64_C(0x00E69B9D9444400A), UINT64_C(0x0115B8CE4ADD0E15), - UINT64_C(0x0286C0702CA01A26), UINT64_C(0x0343E585D0F62B8D), - UINT64_C(0x0270AB3B658EDEED), UINT64_C(0x00BDF019DAC3BE2C), - UINT64_C(0x01DA71CEBA8F0207) }, - { UINT64_C(0x031B398D4D9BC7BB), UINT64_C(0x000CF24C3929C7AB), - UINT64_C(0x01B421C8D3FD5E6F), UINT64_C(0x007CC4196EE4E246), - UINT64_C(0x020BD4BEA34DCA8A), UINT64_C(0x0290B50CAE9698DF), - UINT64_C(0x00FCD1330F886EB9), UINT64_C(0x01E1AC79F03E8C00), - UINT64_C(0x00DA9DFFAC1D7299) } }, - { { UINT64_C(0x023B6F4171DE62A2), UINT64_C(0x02483565211B08E1), - UINT64_C(0x03590C48E9F4C557), UINT64_C(0x0300655D7CA7761E), - UINT64_C(0x000FC94679705CC8), UINT64_C(0x03F1F51E4C554176), - UINT64_C(0x02F4AA91C9B85DEC), UINT64_C(0x01830B06FDF1C0BD), - UINT64_C(0x01705BC114A4818F) }, - { UINT64_C(0x026AF34683BFC242), UINT64_C(0x02704B0386A138E6), - UINT64_C(0x0201A2D902335BC5), UINT64_C(0x00F97548337FE82F), - UINT64_C(0x0068481E95BAAC46), UINT64_C(0x02198BC38D3244C8), - UINT64_C(0x02FB3AE37E76F25B), UINT64_C(0x0051FD7A6C46B763), - UINT64_C(0x00BB4F63544525E2) } }, - { { UINT64_C(0x0184463DCFE3927A), UINT64_C(0x038592C4A5446C69), - UINT64_C(0x00820DA1FCA22B30), UINT64_C(0x01BE68F5BD638385), - UINT64_C(0x01820BD08BDBAACC), UINT64_C(0x02A44306C3D5797E), - UINT64_C(0x0038CCA1AA697778), UINT64_C(0x00C7C5B9FA5A6346), - UINT64_C(0x00AF09862D4121FA) }, - { UINT64_C(0x01CB3F3FBEBC6638), UINT64_C(0x037E0A83514FED33), - UINT64_C(0x03EACD5523409D6F), UINT64_C(0x020D6BA55D786340), - UINT64_C(0x01CCC13F9ADFA032), UINT64_C(0x0019CA4869978150), - UINT64_C(0x039E387EBA3B5F3E), UINT64_C(0x02E531E4CE95EAED), - UINT64_C(0x019F9D4B6C1E271A) } }, - { { UINT64_C(0x03D9C637E6B4D0F2), UINT64_C(0x02F39727B4A2B4A9), - UINT64_C(0x03B1C91C466BE1FF), UINT64_C(0x0002CA1D422DB470), - UINT64_C(0x035959F6F8064E3B), UINT64_C(0x01A06409B64B70C1), - UINT64_C(0x0138166589198416), UINT64_C(0x01E4D2E6E69DFBF6), - UINT64_C(0x01235B6CCAD8ED3A) }, - { UINT64_C(0x036BC004511EBBDB), UINT64_C(0x03C77128404EB6AD), - UINT64_C(0x02C7DBC63944D083), UINT64_C(0x00A0B83D92DC53A7), - UINT64_C(0x0236B4A39AE88503), UINT64_C(0x03A8D6E5C0E1C279), - UINT64_C(0x029FE38FA8BE1456), UINT64_C(0x03585B0A0A7CC668), - UINT64_C(0x00A7641453F65799) } }, - { { UINT64_C(0x00158306BEA400A9), UINT64_C(0x007F40534A2A445F), - UINT64_C(0x01C35C303D86F4A4), UINT64_C(0x00EDDE592FDFA8FD), - UINT64_C(0x0103A9EFC14289AA), UINT64_C(0x03407BDDBE6E50BA), - UINT64_C(0x009401AB57CFB13E), UINT64_C(0x0399C8A12EA5A5B1), - UINT64_C(0x00FC6AFA631B2401) }, - { UINT64_C(0x03676F7FA3EA1F68), UINT64_C(0x0292D21900F132BA), - UINT64_C(0x023C1FDE32777454), UINT64_C(0x016AD44E9E4A043B), - UINT64_C(0x034CE0B6BF5A83B8), UINT64_C(0x007C5DBECEE12BCA), - UINT64_C(0x034C6521C9D71204), UINT64_C(0x0295DA0F38E7DE8B), - UINT64_C(0x0062381F9092A871) } }, - { { UINT64_C(0x021E20A63FBBA24C), UINT64_C(0x036388882DF52B55), - UINT64_C(0x00530F2F7C7C2371), UINT64_C(0x03643DB108CC955E), - UINT64_C(0x024B18165F1B6107), UINT64_C(0x02769559E8B8FA46), - UINT64_C(0x00ABDA3964357585), UINT64_C(0x006A3DE26D6BDE65), - UINT64_C(0x00FA0EF45FF0F7F0) }, - { UINT64_C(0x0328AF72F4ADEFE3), UINT64_C(0x00F209DB1F3C181A), - UINT64_C(0x01A0AC16B36B8052), UINT64_C(0x03FE68F1AFEB358F), - UINT64_C(0x011BB7B356C432BB), UINT64_C(0x03D087AF0D447953), - UINT64_C(0x00088B00BECEF91E), UINT64_C(0x0330A2DA3B763B85), - UINT64_C(0x01CC26379FF0902A) } }, - { { UINT64_C(0x02451A0F72841A85), UINT64_C(0x0354FC0056ED797F), - UINT64_C(0x03F4EAB6EB12B346), UINT64_C(0x0032B842273C8FB8), - UINT64_C(0x024B836D935DD874), UINT64_C(0x0090627CCD9E0492), - UINT64_C(0x0244927C3C49DF5D), UINT64_C(0x0042534A4E5AA66E), - UINT64_C(0x00B4C23CB62729C6) }, - { UINT64_C(0x00295DE15E7B0D82), UINT64_C(0x003481AED4B38216), - UINT64_C(0x020CB574DA2A8CEB), UINT64_C(0x03DB292DC006EFC3), - UINT64_C(0x03153DE3966C31DB), UINT64_C(0x0398C0D13BB538D2), - UINT64_C(0x00D2735B5509DAE6), UINT64_C(0x00BBE1C7422AD656), - UINT64_C(0x006495E2F55306CC) } }, - { { UINT64_C(0x00FC0E58752517BF), UINT64_C(0x0287DC3FE2714AA6), - UINT64_C(0x024BBBD332D8AADB), UINT64_C(0x000BF6FA0D08504F), - UINT64_C(0x02E724A624D71D7E), UINT64_C(0x01F16EF435B7F288), - UINT64_C(0x024E6F71370923F3), UINT64_C(0x00C2B9525922566C), - UINT64_C(0x005733338A43CFE0) }, - { UINT64_C(0x0372270A8BB6E5C0), UINT64_C(0x0023295E1C578E27), - UINT64_C(0x01EA019B1BDD171A), UINT64_C(0x0243564F2EC5E9B6), - UINT64_C(0x01283B58FFA9DAE7), UINT64_C(0x00215CCB462BFC41), - UINT64_C(0x03E3900D562119A3), UINT64_C(0x0273C10EF622442D), - UINT64_C(0x00D7B5F5A5718A0A) } }, - { { UINT64_C(0x03E792204254F3D7), UINT64_C(0x0197A7FB52460AD3), - UINT64_C(0x0387DC97132E1376), UINT64_C(0x00D82DE34F7F5873), - UINT64_C(0x03B853655C8CF8AC), UINT64_C(0x0173E013A8BD55E9), - UINT64_C(0x008A7D4896369A87), UINT64_C(0x024DBCC16EA9BB3A), - UINT64_C(0x010910C0CEC40352) }, - { UINT64_C(0x03B95A34F108C612), UINT64_C(0x0333E2F3D8672331), - UINT64_C(0x028C77D48D5C235B), UINT64_C(0x0233CC3106C11962), - UINT64_C(0x03EBBF90DDDA15FE), UINT64_C(0x0369066DD81ED647), - UINT64_C(0x03BD05AA96CD4304), UINT64_C(0x039E3FFACDB3BA32), - UINT64_C(0x01EAC4B260DDEC7F) } }, - { { UINT64_C(0x035858F23BBE227D), UINT64_C(0x00EAE5030697E923), - UINT64_C(0x02368A87F3DE71C5), UINT64_C(0x0168E7B6DEE0F7C3), - UINT64_C(0x00527543ED139D52), UINT64_C(0x0127219B1CDD187E), - UINT64_C(0x023DB1516D99AC2E), UINT64_C(0x008101C88F395DB5), - UINT64_C(0x00C6A87659F9030E) }, - { UINT64_C(0x039C69A3A7EC3A20), UINT64_C(0x02842173900384B8), - UINT64_C(0x0136BA0852E2F7FE), UINT64_C(0x034921364764BE1F), - UINT64_C(0x02C74764840F38B3), UINT64_C(0x02F37D32908AE4DC), - UINT64_C(0x0138C24B162396AC), UINT64_C(0x02A70AD1A514245D), - UINT64_C(0x00C442ABF244BFAF) } }, - { { UINT64_C(0x02A6B09F093E7BB1), UINT64_C(0x027395A268EC7AC7), - UINT64_C(0x028CC643D554CA43), UINT64_C(0x0035243849E2C949), - UINT64_C(0x03CF25745B571D36), UINT64_C(0x00F8968B891A06D4), - UINT64_C(0x03F9158462DF4912), UINT64_C(0x0277B23F176B632C), - UINT64_C(0x0100FDC9203FE38B) }, - { UINT64_C(0x024667E35C0213B3), UINT64_C(0x001C9D8E55C59D73), - UINT64_C(0x03C67911C028CE7C), UINT64_C(0x01D6BE78640D4CA8), - UINT64_C(0x024E359FD8B3F600), UINT64_C(0x03240449153262A6), - UINT64_C(0x03B253E7A16A83A5), UINT64_C(0x02FDB9879C3019FF), - UINT64_C(0x01D5771531A45180) } }, - { { UINT64_C(0x02FFF1EEAD72BA02), UINT64_C(0x01773B2AD40CD7B5), - UINT64_C(0x00B549067C93A24B), UINT64_C(0x0040E568D769A5B9), - UINT64_C(0x01CBA8C547CFD559), UINT64_C(0x01B900D1740D29F8), - UINT64_C(0x0153A5FEC2807EDD), UINT64_C(0x003616B13CBFDC6E), - UINT64_C(0x014FA30FBEC2B9FF) }, - { UINT64_C(0x03CEBD84555A3B73), UINT64_C(0x011642C087A74BA4), - UINT64_C(0x03FAF4C90C28B568), UINT64_C(0x00D2B6FE13831FC3), - UINT64_C(0x02F1845F4A404C99), UINT64_C(0x03031352DB2945ED), - UINT64_C(0x0192B108B24A2CC8), UINT64_C(0x008B79F2C497B8AE), - UINT64_C(0x016844B1F9A48A1A) } }, - { { UINT64_C(0x033F1B159EA0B318), UINT64_C(0x015BA4F73890FCA5), - UINT64_C(0x03AB1671767AEB58), UINT64_C(0x0190DE3F4B53983C), - UINT64_C(0x01C67D39EE1606B7), UINT64_C(0x02092898897E0832), - UINT64_C(0x016BC61B17E221D9), UINT64_C(0x0302B2A3F7863F1A), - UINT64_C(0x0153FC11A3315E45) }, - { UINT64_C(0x02AC9E25352466CC), UINT64_C(0x03A49408E6FA3892), - UINT64_C(0x03B3B7FC83F96BAA), UINT64_C(0x02447E01B52DE677), - UINT64_C(0x01EB6353F032192D), UINT64_C(0x00910C3CF3E5926D), - UINT64_C(0x02261F650A5EA2DB), UINT64_C(0x03AA8819EC45E274), - UINT64_C(0x01F274F4B47595FA) } }, - { { UINT64_C(0x0026282EB3F78C83), UINT64_C(0x00C28C0709CFCB19), - UINT64_C(0x01821376CE1FE0A2), UINT64_C(0x01FDCED392DF4511), - UINT64_C(0x007CEFA4CDFC46EC), UINT64_C(0x01C18D201835A1D3), - UINT64_C(0x021190BA9D0FC1B3), UINT64_C(0x01CF1181F215C327), - UINT64_C(0x0144F63DC1DC2337) }, - { UINT64_C(0x02467154F82AE76F), UINT64_C(0x00A8E4BC6B21A6C1), - UINT64_C(0x003C5960D11DFC29), UINT64_C(0x02CCE05B7F97DFEA), - UINT64_C(0x0155EBEF61A21A64), UINT64_C(0x02E5A1DD22DB3809), - UINT64_C(0x008CACD3BAEA4ADC), UINT64_C(0x01AF102BA92E48C7), - UINT64_C(0x0060B7381DB1721E) } }, - { { UINT64_C(0x03861A0264B1FB35), UINT64_C(0x02F8C8B3CD33A6FA), - UINT64_C(0x030806F41BBA295F), UINT64_C(0x0164D82631325495), - UINT64_C(0x00CE9EA6FF0E358B), UINT64_C(0x0079012DD18DCC6B), - UINT64_C(0x000CC353D3BB1AC0), UINT64_C(0x03AB6D47DE397D50), - UINT64_C(0x00AD096897EA08E2) }, - { UINT64_C(0x023B78EFC3812C10), UINT64_C(0x0089EFA9532A659C), - UINT64_C(0x0281A0EB9A3DF013), UINT64_C(0x03AE4559CDF48DB0), - UINT64_C(0x00CF5D05BA21B5A4), UINT64_C(0x000FB2B315217C86), - UINT64_C(0x018D07209C8D7927), UINT64_C(0x0142BF514B4FAA4C), - UINT64_C(0x002374D59706AD5B) } }, - { { UINT64_C(0x00C15F67DD00894F), UINT64_C(0x0365718AE78487A2), - UINT64_C(0x01F5CF8A8DD7221A), UINT64_C(0x00B966824944DA72), - UINT64_C(0x039495E53E96A028), UINT64_C(0x017A489926C99CDF), - UINT64_C(0x03E7DBA2A6042AD8), UINT64_C(0x0070896FE2C77ED8), - UINT64_C(0x01DE2D3E99009396) }, - { UINT64_C(0x02CDACE519305F18), UINT64_C(0x0199321FCFA0FFC9), - UINT64_C(0x01FDEB80C6DC481C), UINT64_C(0x02944307EF501A18), - UINT64_C(0x0007F535095DB6A0), UINT64_C(0x01898CF112F16E56), - UINT64_C(0x00CB5741AFE7E00B), UINT64_C(0x01926B1FD8D17FCB), - UINT64_C(0x015E5CD28BDE5A59) } }, - }, - { - { { UINT64_C(0x0287283D0F0DB502), UINT64_C(0x01F7D518BD1DEC47), - UINT64_C(0x0110E901D0288278), UINT64_C(0x000A9C8AA5A57C0C), - UINT64_C(0x03B765C5FA16BDCF), UINT64_C(0x03E5DF4E7DE798D7), - UINT64_C(0x00F43CD382F586CB), UINT64_C(0x016DF729B4C5BFE2), - UINT64_C(0x00F84CAB1D3D3490) }, - { UINT64_C(0x03C62F43F45CE248), UINT64_C(0x01779CCA073E2076), - UINT64_C(0x003E7EB22E4B1573), UINT64_C(0x0192926CE48BFBEA), - UINT64_C(0x00AEAE190B45D381), UINT64_C(0x02BD36FBE7AB443A), - UINT64_C(0x00906E0CD124F126), UINT64_C(0x025881B2A14C49E4), - UINT64_C(0x016E768F54273911) } }, - { { UINT64_C(0x0339D7B298B06389), UINT64_C(0x00171C63E44DC1B1), - UINT64_C(0x00C31B1589FD2080), UINT64_C(0x00B27F131898A9FA), - UINT64_C(0x0342FE5ADE76B5A2), UINT64_C(0x01090D97105A2655), - UINT64_C(0x0388BB1432187198), UINT64_C(0x02D27D0C82BF52D7), - UINT64_C(0x00807B9F1B11A583) }, - { UINT64_C(0x01F3344975177EBC), UINT64_C(0x00D1C4854243F6DB), - UINT64_C(0x00CF85E1839AB312), UINT64_C(0x00D9C19A12D20012), - UINT64_C(0x01709110819085E7), UINT64_C(0x011FEDA170483D5C), - UINT64_C(0x01B28F055EEB31A0), UINT64_C(0x02289D0F2CBAB0E6), - UINT64_C(0x000867BA2963A0E1) } }, - { { UINT64_C(0x03F6911B90581DC0), UINT64_C(0x01F1FB19987F20FB), - UINT64_C(0x0134E22EFA2F437F), UINT64_C(0x00398E1EB156A4E0), - UINT64_C(0x0325F4C0DBD2FAF4), UINT64_C(0x0204D252D5C55B5B), - UINT64_C(0x00E279F64EA373DA), UINT64_C(0x01DB9B5CD34A8E6F), - UINT64_C(0x00D14F2FC1B2EE3D) }, - { UINT64_C(0x0391CF084FAB453E), UINT64_C(0x016D9E632F3C4388), - UINT64_C(0x01D15FD339420C4A), UINT64_C(0x026356CC61C907C7), - UINT64_C(0x026E23E3D6197795), UINT64_C(0x0142F5E058DB2B6C), - UINT64_C(0x020EFE8EAFF59180), UINT64_C(0x00A481A4F4563A8C), - UINT64_C(0x012FEE21C8B4C4E9) } }, - { { UINT64_C(0x02056DCD3DB8A57B), UINT64_C(0x0317AAE4B46AB720), - UINT64_C(0x031833D064C1F1CD), UINT64_C(0x03A3CC17BEBD056B), - UINT64_C(0x03F05A7034003715), UINT64_C(0x009FAC41671C58C9), - UINT64_C(0x01BEE4D8BD8671CA), UINT64_C(0x0004BC6DBD8A8392), - UINT64_C(0x01F15A2D6E92E74A) }, - { UINT64_C(0x010933993D4BD6B6), UINT64_C(0x028502613D6FDD77), - UINT64_C(0x0134D55E73D97A09), UINT64_C(0x001DB5E602D2AA86), - UINT64_C(0x00FE1E6979BF531F), UINT64_C(0x02AC99028117960B), - UINT64_C(0x03849A42EAAB4E66), UINT64_C(0x0190FBBD3B94D87F), - UINT64_C(0x011CAB9AC249065C) } }, - { { UINT64_C(0x03000D01D5AD0B4E), UINT64_C(0x01E094F415439045), - UINT64_C(0x0071645EF32A823C), UINT64_C(0x013C18E27FCF9EA5), - UINT64_C(0x00B2733886CDC7A9), UINT64_C(0x02902330EF732EA5), - UINT64_C(0x003C25CEA5C5686B), UINT64_C(0x029DF5773028F0CD), - UINT64_C(0x016FB941FCD6583D) }, - { UINT64_C(0x01DEA99AF3494AD9), UINT64_C(0x03BA2C1B9C712901), - UINT64_C(0x02E32E4B0A8430F2), UINT64_C(0x00CB695E8BF6F96B), - UINT64_C(0x0161F767B32907C2), UINT64_C(0x002FC8531B5E7CEC), - UINT64_C(0x00298C1304153AFA), UINT64_C(0x0189BCBF02EE4544), - UINT64_C(0x0035592EC7CAC39B) } }, - { { UINT64_C(0x0359513866647B76), UINT64_C(0x00DB6945523879DD), - UINT64_C(0x0349C662AF030344), UINT64_C(0x03638440AAB5A275), - UINT64_C(0x02A0720FE9DC8A6B), UINT64_C(0x011CEE4DF271AE5F), - UINT64_C(0x00BC676869500BE5), UINT64_C(0x02F5135FF9B7674F), - UINT64_C(0x00142511483B55E9) }, - { UINT64_C(0x02DE083E6D8A2C33), UINT64_C(0x014C0545D4B8062F), - UINT64_C(0x01AD94143AC28589), UINT64_C(0x01AEBAA37C00A634), - UINT64_C(0x0078E06973DA0209), UINT64_C(0x03F56A237FA0E6B0), - UINT64_C(0x02879F4A94D49E71), UINT64_C(0x01BE6BF822D1FD4F), - UINT64_C(0x00F9E2018F9FBF87) } }, - { { UINT64_C(0x025B8DCB938F6A40), UINT64_C(0x0026725B42FA4F9B), - UINT64_C(0x039198D12A999847), UINT64_C(0x010A9C957A1EFA18), - UINT64_C(0x012FAA8E7E5D1356), UINT64_C(0x0205AB8BB7E3A8BA), - UINT64_C(0x015652F190E95489), UINT64_C(0x0231452E385A88C6), - UINT64_C(0x0096A500D25B0C46) }, - { UINT64_C(0x01B6696514F1EAD3), UINT64_C(0x026BE39E6BD0E127), - UINT64_C(0x01725DEFE2C66DD3), UINT64_C(0x01FEAE05ECA5B5BB), - UINT64_C(0x015AA101430609C7), UINT64_C(0x0274AAB1807123A3), - UINT64_C(0x02A446B243B7DBAC), UINT64_C(0x007DC3A911987A6B), - UINT64_C(0x005309D7E2813F76) } }, - { { UINT64_C(0x01966924104023FD), UINT64_C(0x0020B1F67AD27833), - UINT64_C(0x03DFD742FB1D5AC6), UINT64_C(0x017F6DD6D843D1C9), - UINT64_C(0x01DEAB06F70CFD0B), UINT64_C(0x00F3AAA1D84BA46E), - UINT64_C(0x01535D03B00F23FA), UINT64_C(0x02F223786ADE70A7), - UINT64_C(0x00DC3F149A4B2AAE) }, - { UINT64_C(0x0318A8079CA626DD), UINT64_C(0x00A1DE38CE5C6BE6), - UINT64_C(0x032F55E2E4E50992), UINT64_C(0x0192257A6FB7EED9), - UINT64_C(0x020B9106C175FDEB), UINT64_C(0x001ACA988C739470), - UINT64_C(0x02A12D0A78C3DAD7), UINT64_C(0x02A0BFDBC1802E4D), - UINT64_C(0x0138CB75E6BBB8BA) } }, - { { UINT64_C(0x00B271637F32AB3F), UINT64_C(0x02196867BE3CDC78), - UINT64_C(0x00647C1710CC4F5D), UINT64_C(0x00A0EDE0B8D8DB71), - UINT64_C(0x0092AB51B9BB942A), UINT64_C(0x030CEE5FF47C8C77), - UINT64_C(0x0172B6296758CE89), UINT64_C(0x03FBF70A184CFE5F), - UINT64_C(0x0101B88E67F1E05D) }, - { UINT64_C(0x02FFBCD12737D38E), UINT64_C(0x02754305441EA3F7), - UINT64_C(0x0174766ADA98B6A0), UINT64_C(0x00EEEAD822C29CD7), - UINT64_C(0x02D88F6B991FA26B), UINT64_C(0x02CB655B1E5DF95B), - UINT64_C(0x03DD0BD505307E4F), UINT64_C(0x010182FDFC359D4A), - UINT64_C(0x00755C3675A01A9E) } }, - { { UINT64_C(0x00371ACBFD4D4113), UINT64_C(0x01CD0CEE90EDA0C0), - UINT64_C(0x023F0667BA099F71), UINT64_C(0x0122476EC028AFF8), - UINT64_C(0x0057490C1B9D3C8E), UINT64_C(0x0037D1A2CAFBC030), - UINT64_C(0x0357613B144BA059), UINT64_C(0x030B5ED5F7E2DFAA), - UINT64_C(0x00C03407E66571BC) }, - { UINT64_C(0x015B2051592A3113), UINT64_C(0x033C0B977FE1CA61), - UINT64_C(0x0114564ECE17F466), UINT64_C(0x02770F5D995C1ECC), - UINT64_C(0x01D8797648C617E7), UINT64_C(0x00B30F6FB78CAD34), - UINT64_C(0x036CD504495109EC), UINT64_C(0x02EA78A9F6758E7F), - UINT64_C(0x007A71C9E769E9C6) } }, - { { UINT64_C(0x011D5BE35201CD59), UINT64_C(0x0209D1C58765C0EE), - UINT64_C(0x01D25192839B1DB8), UINT64_C(0x03EAD38ED4A2B60E), - UINT64_C(0x0057B36709A7B7AA), UINT64_C(0x0085B62AF338BC2B), - UINT64_C(0x030F3BEF5577F894), UINT64_C(0x0390BAA242140FD9), - UINT64_C(0x011B9BF27FA21CD6) }, - { UINT64_C(0x031FF60458FFB263), UINT64_C(0x00D71C9EC589C2CE), - UINT64_C(0x006C50B6449B7493), UINT64_C(0x034EF7D63824AD56), - UINT64_C(0x038578A6820938F3), UINT64_C(0x00843B021ED27247), - UINT64_C(0x02672B0B7E864C01), UINT64_C(0x00FE28A0AD914F56), - UINT64_C(0x01870F7E6544AD26) } }, - { { UINT64_C(0x03FABFF21E593E49), UINT64_C(0x01EB902CACEDCD38), - UINT64_C(0x010907F07EA1634E), UINT64_C(0x013A3B3D20F1ACCD), - UINT64_C(0x035F3C751269190C), UINT64_C(0x02F6BAE3746C46A6), - UINT64_C(0x00097CBB9F7B998C), UINT64_C(0x016B88BF2C151BD8), - UINT64_C(0x01317587E7C4BAF5) }, - { UINT64_C(0x027516E2062B46F6), UINT64_C(0x01703ECD4583F2AB), - UINT64_C(0x007D01ABE67B4364), UINT64_C(0x00F1753628034E7C), - UINT64_C(0x0108FF0FECD3BD76), UINT64_C(0x033B697531A2F0AC), - UINT64_C(0x010AC9943B9A6425), UINT64_C(0x020BC633526FFAA7), - UINT64_C(0x0006E03EC9A132B1) } }, - { { UINT64_C(0x016BC247531FFCBB), UINT64_C(0x02EE2DDBF721D516), - UINT64_C(0x0052E0725E10638A), UINT64_C(0x013566F49B1AAC88), - UINT64_C(0x007343ED5106C60D), UINT64_C(0x02985C4AAAB232AC), - UINT64_C(0x0113830C6312DE7A), UINT64_C(0x0136F1CF05895FFF), - UINT64_C(0x01ED7817C0B0027B) }, - { UINT64_C(0x02716A42F749B010), UINT64_C(0x039DC807B7BDBC44), - UINT64_C(0x035DFD64A2C7F19C), UINT64_C(0x00AFE5B488D67F84), - UINT64_C(0x03831B1AD5D8B241), UINT64_C(0x00FEF3BA557CC901), - UINT64_C(0x0082C2A38F96B970), UINT64_C(0x027380F80F3D96E5), - UINT64_C(0x014FDF6544812C07) } }, - { { UINT64_C(0x03600187B0C6A752), UINT64_C(0x019E405A0263FA53), - UINT64_C(0x000E0EA369E1C1BF), UINT64_C(0x0130C422E3895E24), - UINT64_C(0x035F4072E884BDCB), UINT64_C(0x0284B4DBC9FDB267), - UINT64_C(0x0159D4401B2054DE), UINT64_C(0x03649FACE16E526C), - UINT64_C(0x0100AC3AAFFE225D) }, - { UINT64_C(0x03BA224ACAFA8C2B), UINT64_C(0x031E5C26E31FAF8C), - UINT64_C(0x00B183566D47E97E), UINT64_C(0x0020C64F9C9C2688), - UINT64_C(0x02F6655D04CC893B), UINT64_C(0x03908BE8D4648FE4), - UINT64_C(0x02F14F85922DC116), UINT64_C(0x031D345610C10114), - UINT64_C(0x00FC287447A5FA2D) } }, - { { UINT64_C(0x020880798CEE5802), UINT64_C(0x03BE370A4C38C7FF), - UINT64_C(0x00934BE76CF041A3), UINT64_C(0x011B7A12BC50EEE4), - UINT64_C(0x0301BD4FC9636CD4), UINT64_C(0x03C53C2A0264C2CE), - UINT64_C(0x0347FF0A389DC319), UINT64_C(0x03A848048891AD07), - UINT64_C(0x0110D35394388CFB) }, - { UINT64_C(0x0042E86EE18DA0C0), UINT64_C(0x0359DB5D730A12EE), - UINT64_C(0x03D8CD72D5690026), UINT64_C(0x01FD191FD18F2690), - UINT64_C(0x00B8691FD8727A16), UINT64_C(0x0135130205267C55), - UINT64_C(0x011FDBAF57A304DB), UINT64_C(0x012D7FC9DED7342D), - UINT64_C(0x01BFE56058019C74) } }, - { { UINT64_C(0x00ADCF21754184BF), UINT64_C(0x02532EC18F101A1B), - UINT64_C(0x02E7AA58B7598AF4), UINT64_C(0x0297C67528666348), - UINT64_C(0x022BAF11DF85DAD5), UINT64_C(0x0097F7BCDA9CFFA7), - UINT64_C(0x03F0C563228A2E65), UINT64_C(0x0316126723B57D49), - UINT64_C(0x019B45ECCD3F5983) }, - { UINT64_C(0x02B86D25E0A95EDC), UINT64_C(0x027ED42D9C73BD22), - UINT64_C(0x0385F10181D77392), UINT64_C(0x02C8AA05E16378DB), - UINT64_C(0x02962E884B04947C), UINT64_C(0x00A054D788CF48A9), - UINT64_C(0x006616654F6E2CF7), UINT64_C(0x021848D66B0ACC97), - UINT64_C(0x00E73704171C5696) } }, - } -}; - -/*- - * Finite field inversion. - * Computed with exponentiation via FLT. - * Autogenerated: ecp/secp521r1/fe_inv.op3 - * custom repunit addition chain - * NB: this is not a real fiat-crypto function, just named that way for consistency. - */ -static void -fiat_secp521r1_inv(fe_t output, const fe_t t1) -{ - int i; - /* temporary variables */ - fe_t acc, t128, t16, t2, t256, t32, t4, t512, t516, t518, t519, t64, t8; - - fiat_secp521r1_carry_square(acc, t1); - fiat_secp521r1_carry_mul(t2, acc, t1); - fiat_secp521r1_carry_square(acc, t2); - fiat_secp521r1_carry_square(acc, acc); - fiat_secp521r1_carry_mul(t4, acc, t2); - fiat_secp521r1_carry_square(acc, t4); - for (i = 0; i < 3; i++) - fiat_secp521r1_carry_square(acc, acc); - fiat_secp521r1_carry_mul(t8, acc, t4); - fiat_secp521r1_carry_square(acc, t8); - for (i = 0; i < 7; i++) - fiat_secp521r1_carry_square(acc, acc); - fiat_secp521r1_carry_mul(t16, acc, t8); - fiat_secp521r1_carry_square(acc, t16); - for (i = 0; i < 15; i++) - fiat_secp521r1_carry_square(acc, acc); - fiat_secp521r1_carry_mul(t32, acc, t16); - fiat_secp521r1_carry_square(acc, t32); - for (i = 0; i < 31; i++) - fiat_secp521r1_carry_square(acc, acc); - fiat_secp521r1_carry_mul(t64, acc, t32); - fiat_secp521r1_carry_square(acc, t64); - for (i = 0; i < 63; i++) - fiat_secp521r1_carry_square(acc, acc); - fiat_secp521r1_carry_mul(t128, acc, t64); - fiat_secp521r1_carry_square(acc, t128); - for (i = 0; i < 127; i++) - fiat_secp521r1_carry_square(acc, acc); - fiat_secp521r1_carry_mul(t256, acc, t128); - fiat_secp521r1_carry_square(acc, t256); - for (i = 0; i < 255; i++) - fiat_secp521r1_carry_square(acc, acc); - fiat_secp521r1_carry_mul(t512, acc, t256); - fiat_secp521r1_carry_square(acc, t512); - for (i = 0; i < 3; i++) - fiat_secp521r1_carry_square(acc, acc); - fiat_secp521r1_carry_mul(t516, acc, t4); - fiat_secp521r1_carry_square(acc, t516); - fiat_secp521r1_carry_square(acc, acc); - fiat_secp521r1_carry_mul(t518, acc, t2); - fiat_secp521r1_carry_square(acc, t518); - fiat_secp521r1_carry_mul(t519, acc, t1); - fiat_secp521r1_carry_square(acc, t519); - fiat_secp521r1_carry_square(acc, acc); - fiat_secp521r1_carry_mul(output, acc, t1); -} - -/*- - * Q := 2P, both projective, Q and P same pointers OK - * Autogenerated: op3/dbl_proj.op3 - * https://eprint.iacr.org/2015/1060 Alg 6 - * ASSERT: a = -3 - */ -static void -point_double(pt_prj_t *Q, const pt_prj_t *P) -{ - /* temporary variables */ - fe_t t0, t1, t2, t3, t4; - /* constants */ - const limb_t *b = const_b; - /* set pointers for legacy curve arith */ - const limb_t *X = P->X; - const limb_t *Y = P->Y; - const limb_t *Z = P->Z; - limb_t *X3 = Q->X; - limb_t *Y3 = Q->Y; - limb_t *Z3 = Q->Z; - - /* the curve arith formula */ - fiat_secp521r1_carry_square(t0, X); - fiat_secp521r1_carry_square(t1, Y); - fiat_secp521r1_carry_square(t2, Z); - fiat_secp521r1_carry_mul(t3, X, Y); - fiat_secp521r1_carry_add(t3, t3, t3); - fiat_secp521r1_carry_mul(t4, Y, Z); - fiat_secp521r1_carry_mul(Z3, X, Z); - fiat_secp521r1_carry_add(Z3, Z3, Z3); - fiat_secp521r1_carry_mul(Y3, b, t2); - fiat_secp521r1_carry_sub(Y3, Y3, Z3); - fiat_secp521r1_carry_add(X3, Y3, Y3); - fiat_secp521r1_carry_add(Y3, X3, Y3); - fiat_secp521r1_carry_sub(X3, t1, Y3); - fiat_secp521r1_carry_add(Y3, t1, Y3); - fiat_secp521r1_carry_mul(Y3, X3, Y3); - fiat_secp521r1_carry_mul(X3, X3, t3); - fiat_secp521r1_carry_add(t3, t2, t2); - fiat_secp521r1_carry_add(t2, t2, t3); - fiat_secp521r1_carry_mul(Z3, b, Z3); - fiat_secp521r1_carry_sub(Z3, Z3, t2); - fiat_secp521r1_carry_sub(Z3, Z3, t0); - fiat_secp521r1_carry_add(t3, Z3, Z3); - fiat_secp521r1_carry_add(Z3, Z3, t3); - fiat_secp521r1_carry_add(t3, t0, t0); - fiat_secp521r1_carry_add(t0, t3, t0); - fiat_secp521r1_carry_sub(t0, t0, t2); - fiat_secp521r1_carry_mul(t0, t0, Z3); - fiat_secp521r1_carry_add(Y3, Y3, t0); - fiat_secp521r1_carry_add(t0, t4, t4); - fiat_secp521r1_carry_mul(Z3, t0, Z3); - fiat_secp521r1_carry_sub(X3, X3, Z3); - fiat_secp521r1_carry_mul(Z3, t0, t1); - fiat_secp521r1_carry_add(Z3, Z3, Z3); - fiat_secp521r1_carry_add(Z3, Z3, Z3); -} - -/*- - * out1 = (arg1 == 0) ? 0 : nz - * NB: this is not a "mod p equiv" 0, but literal 0 - * NB: this is not a real fiat-crypto function, just named that way for consistency. + * Point Validation for P-521. */ -static void -fiat_secp521r1_nonzero(limb_t *out1, const fe_t arg1) -{ - limb_t x1 = 0; - int i; - - for (i = 0; i < LIMB_CNT; i++) - x1 |= arg1[i]; - *out1 = x1; -} - -/*- - * R := Q + P where R and Q are projective, P affine. - * R and Q same pointers OK - * R and P same pointers not OK - * Autogenerated: op3/add_mixed.op3 - * https://eprint.iacr.org/2015/1060 Alg 5 - * ASSERT: a = -3 - */ -static void -point_add_mixed(pt_prj_t *R, const pt_prj_t *Q, const pt_aff_t *P) -{ - /* temporary variables */ - fe_t t0, t1, t2, t3, t4; - /* constants */ - const limb_t *b = const_b; - /* set pointers for legacy curve arith */ - const limb_t *X1 = Q->X; - const limb_t *Y1 = Q->Y; - const limb_t *Z1 = Q->Z; - const limb_t *X2 = P->X; - const limb_t *Y2 = P->Y; - fe_t X3; - fe_t Y3; - fe_t Z3; - limb_t nz; - /* check P for affine inf */ - fiat_secp521r1_nonzero(&nz, P->Y); - - /* the curve arith formula */ - fiat_secp521r1_carry_mul(t0, X1, X2); - fiat_secp521r1_carry_mul(t1, Y1, Y2); - fiat_secp521r1_carry_add(t3, X2, Y2); - fiat_secp521r1_carry_add(t4, X1, Y1); - fiat_secp521r1_carry_mul(t3, t3, t4); - fiat_secp521r1_carry_add(t4, t0, t1); - fiat_secp521r1_carry_sub(t3, t3, t4); - fiat_secp521r1_carry_mul(t4, Y2, Z1); - fiat_secp521r1_carry_add(t4, t4, Y1); - fiat_secp521r1_carry_mul(Y3, X2, Z1); - fiat_secp521r1_carry_add(Y3, Y3, X1); - fiat_secp521r1_carry_mul(Z3, b, Z1); - fiat_secp521r1_carry_sub(X3, Y3, Z3); - fiat_secp521r1_carry_add(Z3, X3, X3); - fiat_secp521r1_carry_add(X3, X3, Z3); - fiat_secp521r1_carry_sub(Z3, t1, X3); - fiat_secp521r1_carry_add(X3, t1, X3); - fiat_secp521r1_carry_mul(Y3, b, Y3); - fiat_secp521r1_carry_add(t1, Z1, Z1); - fiat_secp521r1_carry_add(t2, t1, Z1); - fiat_secp521r1_carry_sub(Y3, Y3, t2); - fiat_secp521r1_carry_sub(Y3, Y3, t0); - fiat_secp521r1_carry_add(t1, Y3, Y3); - fiat_secp521r1_carry_add(Y3, t1, Y3); - fiat_secp521r1_carry_add(t1, t0, t0); - fiat_secp521r1_carry_add(t0, t1, t0); - fiat_secp521r1_carry_sub(t0, t0, t2); - fiat_secp521r1_carry_mul(t1, t4, Y3); - fiat_secp521r1_carry_mul(t2, t0, Y3); - fiat_secp521r1_carry_mul(Y3, X3, Z3); - fiat_secp521r1_carry_add(Y3, Y3, t2); - fiat_secp521r1_carry_mul(X3, t3, X3); - fiat_secp521r1_carry_sub(X3, X3, t1); - fiat_secp521r1_carry_mul(Z3, t4, Z3); - fiat_secp521r1_carry_mul(t1, t3, t0); - fiat_secp521r1_carry_add(Z3, Z3, t1); - - /* if P is inf, throw all that away and take Q */ - fiat_secp521r1_selectznz(R->X, nz, Q->X, X3); - fiat_secp521r1_selectznz(R->Y, nz, Q->Y, Y3); - fiat_secp521r1_selectznz(R->Z, nz, Q->Z, Z3); -} - -/*- - * R := Q + P all projective. - * R and Q same pointers OK - * R and P same pointers not OK - * Autogenerated: op3/add_proj.op3 - * https://eprint.iacr.org/2015/1060 Alg 4 - * ASSERT: a = -3 - */ -static void -point_add_proj(pt_prj_t *R, const pt_prj_t *Q, const pt_prj_t *P) +SECStatus +ec_secp521r1_pt_validate(const SECItem *pt) { - /* temporary variables */ - fe_t t0, t1, t2, t3, t4, t5; - /* constants */ - const limb_t *b = const_b; - /* set pointers for legacy curve arith */ - const limb_t *X1 = Q->X; - const limb_t *Y1 = Q->Y; - const limb_t *Z1 = Q->Z; - const limb_t *X2 = P->X; - const limb_t *Y2 = P->Y; - const limb_t *Z2 = P->Z; - limb_t *X3 = R->X; - limb_t *Y3 = R->Y; - limb_t *Z3 = R->Z; - - /* the curve arith formula */ - fiat_secp521r1_carry_mul(t0, X1, X2); - fiat_secp521r1_carry_mul(t1, Y1, Y2); - fiat_secp521r1_carry_mul(t2, Z1, Z2); - fiat_secp521r1_carry_add(t3, X1, Y1); - fiat_secp521r1_carry_add(t4, X2, Y2); - fiat_secp521r1_carry_mul(t3, t3, t4); - fiat_secp521r1_carry_add(t4, t0, t1); - fiat_secp521r1_carry_sub(t3, t3, t4); - fiat_secp521r1_carry_add(t4, Y1, Z1); - fiat_secp521r1_carry_add(t5, Y2, Z2); - fiat_secp521r1_carry_mul(t4, t4, t5); - fiat_secp521r1_carry_add(t5, t1, t2); - fiat_secp521r1_carry_sub(t4, t4, t5); - fiat_secp521r1_carry_add(X3, X1, Z1); - fiat_secp521r1_carry_add(Y3, X2, Z2); - fiat_secp521r1_carry_mul(X3, X3, Y3); - fiat_secp521r1_carry_add(Y3, t0, t2); - fiat_secp521r1_carry_sub(Y3, X3, Y3); - fiat_secp521r1_carry_mul(Z3, b, t2); - fiat_secp521r1_carry_sub(X3, Y3, Z3); - fiat_secp521r1_carry_add(Z3, X3, X3); - fiat_secp521r1_carry_add(X3, X3, Z3); - fiat_secp521r1_carry_sub(Z3, t1, X3); - fiat_secp521r1_carry_add(X3, t1, X3); - fiat_secp521r1_carry_mul(Y3, b, Y3); - fiat_secp521r1_carry_add(t1, t2, t2); - fiat_secp521r1_carry_add(t2, t1, t2); - fiat_secp521r1_carry_sub(Y3, Y3, t2); - fiat_secp521r1_carry_sub(Y3, Y3, t0); - fiat_secp521r1_carry_add(t1, Y3, Y3); - fiat_secp521r1_carry_add(Y3, t1, Y3); - fiat_secp521r1_carry_add(t1, t0, t0); - fiat_secp521r1_carry_add(t0, t1, t0); - fiat_secp521r1_carry_sub(t0, t0, t2); - fiat_secp521r1_carry_mul(t1, t4, Y3); - fiat_secp521r1_carry_mul(t2, t0, Y3); - fiat_secp521r1_carry_mul(Y3, X3, Z3); - fiat_secp521r1_carry_add(Y3, Y3, t2); - fiat_secp521r1_carry_mul(X3, t3, X3); - fiat_secp521r1_carry_sub(X3, X3, t1); - fiat_secp521r1_carry_mul(Z3, t4, Z3); - fiat_secp521r1_carry_mul(t1, t3, t0); - fiat_secp521r1_carry_add(Z3, Z3, t1); -} - -/* constants */ -#define RADIX 5 -#define DRADIX (1 << RADIX) -#define DRADIX_WNAF ((DRADIX) << 1) - -/*- - * precomp for wnaf scalar multiplication: - * precomp[0] = 1P - * precomp[1] = 3P - * precomp[2] = 5P - * precomp[3] = 7P - * precomp[4] = 9P - * ... - */ -static void -precomp_wnaf(pt_prj_t precomp[DRADIX / 2], const pt_aff_t *P) -{ - int i; - - fe_copy(precomp[0].X, P->X); - fe_copy(precomp[0].Y, P->Y); - fe_copy(precomp[0].Z, const_one); - point_double(&precomp[DRADIX / 2 - 1], &precomp[0]); - - for (i = 1; i < DRADIX / 2; i++) - point_add_proj(&precomp[i], &precomp[DRADIX / 2 - 1], &precomp[i - 1]); -} - -/* fetch a scalar bit */ -static int -scalar_get_bit(const unsigned char in[66], int idx) -{ - int widx, rshift; - - widx = idx >> 3; - rshift = idx & 0x7; - - if (idx < 0 || widx >= 66) - return 0; - - return (in[widx] >> rshift) & 0x1; -} - -/*- - * Compute "regular" wnaf representation of a scalar. - * See "Exponent Recoding and Regular Exponentiation Algorithms", - * Tunstall et al., AfricaCrypt 2009, Alg 6. - * It forces an odd scalar and outputs digits in - * {\pm 1, \pm 3, \pm 5, \pm 7, \pm 9, ...} - * i.e. signed odd digits with _no zeroes_ -- that makes it "regular". - */ -static void -scalar_rwnaf(int8_t out[106], const unsigned char in[66]) -{ - int i; - int8_t window, d; - - window = (in[0] & (DRADIX_WNAF - 1)) | 1; - for (i = 0; i < 105; i++) { - d = (window & (DRADIX_WNAF - 1)) - DRADIX; - out[i] = d; - window = (window - d) >> RADIX; - window += scalar_get_bit(in, (i + 1) * RADIX + 1) << 1; - window += scalar_get_bit(in, (i + 1) * RADIX + 2) << 2; - window += scalar_get_bit(in, (i + 1) * RADIX + 3) << 3; - window += scalar_get_bit(in, (i + 1) * RADIX + 4) << 4; - window += scalar_get_bit(in, (i + 1) * RADIX + 5) << 5; + SECStatus res = SECSuccess; + if (!pt || !pt->data) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + res = SECFailure; + return res; } - out[i] = window; -} -/*- - * Compute "textbook" wnaf representation of a scalar. - * NB: not constant time - */ -static void -scalar_wnaf(int8_t out[529], const unsigned char in[66]) -{ - int i; - int8_t window, d; - - window = in[0] & (DRADIX_WNAF - 1); - for (i = 0; i < 529; i++) { - d = 0; - if ((window & 1) && ((d = window & (DRADIX_WNAF - 1)) & DRADIX)) - d -= DRADIX_WNAF; - out[i] = d; - window = (window - d) >> 1; - window += scalar_get_bit(in, i + 1 + RADIX) << RADIX; + if (pt->len != 133) { + PORT_SetError(SEC_ERROR_BAD_KEY); + res = SECFailure; + return res; } -} - -/*- - * Simultaneous scalar multiplication: interleaved "textbook" wnaf. - * NB: not constant time - */ -static void -var_smul_wnaf_two(pt_aff_t *out, const unsigned char a[66], - const unsigned char b[66], const pt_aff_t *P) -{ - int i, d, is_neg, is_inf = 1, flipped = 0; - int8_t anaf[529] = { 0 }; - int8_t bnaf[529] = { 0 }; - pt_prj_t Q = { { 0 }, { 0 }, { 0 } }; - pt_prj_t precomp[DRADIX / 2]; - precomp_wnaf(precomp, P); - scalar_wnaf(anaf, a); - scalar_wnaf(bnaf, b); - - for (i = 528; i >= 0; i--) { - if (!is_inf) - point_double(&Q, &Q); - if ((d = bnaf[i])) { - if ((is_neg = d < 0) != flipped) { - fiat_secp521r1_carry_opp(Q.Y, Q.Y); - flipped ^= 1; - } - d = (is_neg) ? (-d - 1) >> 1 : (d - 1) >> 1; - if (is_inf) { - /* initialize accumulator */ - fe_copy(Q.X, &precomp[d].X); - fe_copy(Q.Y, &precomp[d].Y); - fe_copy(Q.Z, &precomp[d].Z); - is_inf = 0; - } else - point_add_proj(&Q, &Q, &precomp[d]); - } - if ((d = anaf[i])) { - if ((is_neg = d < 0) != flipped) { - fiat_secp521r1_carry_opp(Q.Y, Q.Y); - flipped ^= 1; - } - d = (is_neg) ? (-d - 1) >> 1 : (d - 1) >> 1; - if (is_inf) { - /* initialize accumulator */ - fe_copy(Q.X, &lut_cmb[0][d].X); - fe_copy(Q.Y, &lut_cmb[0][d].Y); - fe_copy(Q.Z, const_one); - is_inf = 0; - } else - point_add_mixed(&Q, &Q, &lut_cmb[0][d]); - } + if (pt->data[0] != EC_POINT_FORM_UNCOMPRESSED) { + PORT_SetError(SEC_ERROR_UNSUPPORTED_EC_POINT_FORM); + res = SECFailure; + return res; } - if (is_inf) { - /* initialize accumulator to inf: all-zero scalars */ - fe_set_zero(Q.X); - fe_copy(Q.Y, const_one); - fe_set_zero(Q.Z); - } + bool b = Hacl_P521_validate_public_key(pt->data + 1); - if (flipped) { - /* correct sign */ - fiat_secp521r1_carry_opp(Q.Y, Q.Y); + if (!b) { + PORT_SetError(SEC_ERROR_BAD_KEY); + res = SECFailure; } - - /* convert to affine -- NB depends on coordinate system */ - fiat_secp521r1_inv(Q.Z, Q.Z); - fiat_secp521r1_carry_mul(out->X, Q.X, Q.Z); - fiat_secp521r1_carry_mul(out->Y, Q.Y, Q.Z); + return res; } -/*- - * Variable point scalar multiplication with "regular" wnaf. - * Here "regular" means _no zeroes_, so the sequence of - * EC arithmetic ops is fixed. +/* + * Scalar Validation for P-521. */ -static void -var_smul_rwnaf(pt_aff_t *out, const unsigned char scalar[66], - const pt_aff_t *P) -{ - int i, j, d, diff, is_neg; - int8_t rnaf[106] = { 0 }; - pt_prj_t Q = { { 0 }, { 0 }, { 0 } }, lut = { { 0 }, { 0 }, { 0 } }; - pt_prj_t precomp[DRADIX / 2]; - - precomp_wnaf(precomp, P); - scalar_rwnaf(rnaf, scalar); - -#if defined(_MSC_VER) - /* result still unsigned: yes we know */ -#pragma warning(push) -#pragma warning(disable : 4146) -#endif - /* initialize accumulator to high digit */ - d = (rnaf[105] - 1) >> 1; - for (j = 0; j < DRADIX / 2; j++) { - diff = (1 - (-(d ^ j) >> (8 * sizeof(int) - 1))) & 1; - fiat_secp521r1_selectznz(Q.X, diff, Q.X, precomp[j].X); - fiat_secp521r1_selectznz(Q.Y, diff, Q.Y, precomp[j].Y); - fiat_secp521r1_selectznz(Q.Z, diff, Q.Z, precomp[j].Z); +SECStatus +ec_secp521r1_scalar_validate(const SECItem *scalar) +{ + SECStatus res = SECSuccess; + if (!scalar || !scalar->data) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + res = SECFailure; + return res; } - for (i = 104; i >= 0; i--) { - for (j = 0; j < RADIX; j++) - point_double(&Q, &Q); - d = rnaf[i]; - /* is_neg = (d < 0) ? 1 : 0 */ - is_neg = (d >> (8 * sizeof(int) - 1)) & 1; - /* d = abs(d) */ - d = (d ^ -is_neg) + is_neg; - d = (d - 1) >> 1; - for (j = 0; j < DRADIX / 2; j++) { - diff = (1 - (-(d ^ j) >> (8 * sizeof(int) - 1))) & 1; - fiat_secp521r1_selectznz(lut.X, diff, lut.X, precomp[j].X); - fiat_secp521r1_selectznz(lut.Y, diff, lut.Y, precomp[j].Y); - fiat_secp521r1_selectznz(lut.Z, diff, lut.Z, precomp[j].Z); - } - /* negate lut point if digit is negative */ - fiat_secp521r1_carry_opp(out->Y, lut.Y); - fiat_secp521r1_selectznz(lut.Y, is_neg, lut.Y, out->Y); - point_add_proj(&Q, &Q, &lut); + if (scalar->len != 66) { + PORT_SetError(SEC_ERROR_BAD_KEY); + res = SECFailure; + return res; } -#if defined(_MSC_VER) -#pragma warning(pop) -#endif - - /* conditionally subtract P if the scalar was even */ - fe_copy(lut.X, precomp[0].X); - fiat_secp521r1_carry_opp(lut.Y, precomp[0].Y); - fe_copy(lut.Z, precomp[0].Z); - point_add_proj(&lut, &lut, &Q); - fiat_secp521r1_selectznz(Q.X, scalar[0] & 1, lut.X, Q.X); - fiat_secp521r1_selectznz(Q.Y, scalar[0] & 1, lut.Y, Q.Y); - fiat_secp521r1_selectznz(Q.Z, scalar[0] & 1, lut.Z, Q.Z); - - /* convert to affine -- NB depends on coordinate system */ - fiat_secp521r1_inv(Q.Z, Q.Z); - fiat_secp521r1_carry_mul(out->X, Q.X, Q.Z); - fiat_secp521r1_carry_mul(out->Y, Q.Y, Q.Z); -} - -/*- - * Fixed scalar multiplication: comb with interleaving. - */ -static void -fixed_smul_cmb(pt_aff_t *out, const unsigned char scalar[66]) -{ - int i, j, k, d, diff, is_neg = 0; - int8_t rnaf[106] = { 0 }; - pt_prj_t Q = { { 0 }, { 0 }, { 0 } }, R = { { 0 }, { 0 }, { 0 } }; - pt_aff_t lut = { { 0 }, { 0 } }; - - scalar_rwnaf(rnaf, scalar); - - /* initalize accumulator to inf */ - fe_set_zero(Q.X); - fe_copy(Q.Y, const_one); - fe_set_zero(Q.Z); + bool b = Hacl_P521_validate_private_key(scalar->data); -#if defined(_MSC_VER) - /* result still unsigned: yes we know */ -#pragma warning(push) -#pragma warning(disable : 4146) -#endif - - for (i = 8; i >= 0; i--) { - for (j = 0; i != 8 && j < RADIX; j++) - point_double(&Q, &Q); - for (j = 0; j < 13; j++) { - if (j * 9 + i > 105) - continue; - d = rnaf[j * 9 + i]; - /* is_neg = (d < 0) ? 1 : 0 */ - is_neg = (d >> (8 * sizeof(int) - 1)) & 1; - /* d = abs(d) */ - d = (d ^ -is_neg) + is_neg; - d = (d - 1) >> 1; - for (k = 0; k < DRADIX / 2; k++) { - diff = (1 - (-(d ^ k) >> (8 * sizeof(int) - 1))) & 1; - fiat_secp521r1_selectznz(lut.X, diff, lut.X, lut_cmb[j][k].X); - fiat_secp521r1_selectznz(lut.Y, diff, lut.Y, lut_cmb[j][k].Y); - } - /* negate lut point if digit is negative */ - fiat_secp521r1_carry_opp(out->Y, lut.Y); - fiat_secp521r1_selectznz(lut.Y, is_neg, lut.Y, out->Y); - point_add_mixed(&Q, &Q, &lut); - } + if (!b) { + PORT_SetError(SEC_ERROR_BAD_KEY); + res = SECFailure; } - -#if defined(_MSC_VER) -#pragma warning(pop) -#endif - - /* conditionally subtract P if the scalar was even */ - fe_copy(lut.X, lut_cmb[0][0].X); - fiat_secp521r1_carry_opp(lut.Y, lut_cmb[0][0].Y); - point_add_mixed(&R, &Q, &lut); - fiat_secp521r1_selectznz(Q.X, scalar[0] & 1, R.X, Q.X); - fiat_secp521r1_selectznz(Q.Y, scalar[0] & 1, R.Y, Q.Y); - fiat_secp521r1_selectznz(Q.Z, scalar[0] & 1, R.Z, Q.Z); - - /* convert to affine -- NB depends on coordinate system */ - fiat_secp521r1_inv(Q.Z, Q.Z); - fiat_secp521r1_carry_mul(out->X, Q.X, Q.Z); - fiat_secp521r1_carry_mul(out->Y, Q.Y, Q.Z); -} - -/*- - * Wrapper: simultaneous scalar mutiplication. - * outx, outy := a * G + b * P - * where P = (inx, iny). - * Everything is LE byte ordering. - */ -void -point_mul_two_secp521r1(unsigned char outx[66], unsigned char outy[66], - const unsigned char a[66], - const unsigned char b[66], - const unsigned char inx[66], - const unsigned char iny[66]) -{ - pt_aff_t P; - - fiat_secp521r1_from_bytes(P.X, inx); - fiat_secp521r1_from_bytes(P.Y, iny); - /* simultaneous scalar multiplication */ - var_smul_wnaf_two(&P, a, b, &P); - - fiat_secp521r1_to_bytes(outx, P.X); - fiat_secp521r1_to_bytes(outy, P.Y); -} - -/*- - * Wrapper: fixed scalar mutiplication. - * outx, outy := scalar * G - * Everything is LE byte ordering. - */ -void -point_mul_g_secp521r1(unsigned char outx[66], unsigned char outy[66], - const unsigned char scalar[66]) -{ - pt_aff_t P; - - /* fixed scmul function */ - fixed_smul_cmb(&P, scalar); - fiat_secp521r1_to_bytes(outx, P.X); - fiat_secp521r1_to_bytes(outy, P.Y); + return res; } -/*- - * Wrapper: variable point scalar mutiplication. - * outx, outy := scalar * P - * where P = (inx, iny). - * Everything is LE byte ordering. - */ -void -point_mul_secp521r1(unsigned char outx[66], unsigned char outy[66], - const unsigned char scalar[66], - const unsigned char inx[66], - const unsigned char iny[66]) -{ - pt_aff_t P; - - fiat_secp521r1_from_bytes(P.X, inx); - fiat_secp521r1_from_bytes(P.Y, iny); - /* var scmul function */ - var_smul_rwnaf(&P, scalar, &P); - fiat_secp521r1_to_bytes(outx, P.X); - fiat_secp521r1_to_bytes(outy, P.Y); -} - -#else /* __SIZEOF_INT128__ */ - -#include "ecp_secp521r1.h" -#include <stdint.h> -#include <string.h> -#define LIMB_BITS 32 -#define LIMB_CNT 19 -/* Field elements */ -typedef uint32_t fe_t[LIMB_CNT]; -typedef uint32_t limb_t; - -#define fe_copy(d, s) memcpy(d, s, sizeof(fe_t)) -#define fe_set_zero(d) memset(d, 0, sizeof(fe_t)) - -/* Projective points */ -typedef struct { - fe_t X; - fe_t Y; - fe_t Z; -} pt_prj_t; - -/* Affine points */ -typedef struct { - fe_t X; - fe_t Y; -} pt_aff_t; - -/* BEGIN verbatim fiat code https://github.com/mit-plv/fiat-crypto */ -/*- - * MIT License - * - * Copyright (c) 2015-2021 the fiat-crypto authors (see the AUTHORS file). - * https://github.com/mit-plv/fiat-crypto/blob/master/AUTHORS - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE - * SOFTWARE. - */ - -/* Autogenerated: unsaturated_solinas --static --use-value-barrier secp521r1 32 '(auto)' '2^521 - 1' */ -/* curve description: secp521r1 */ -/* machine_wordsize = 32 (from "32") */ -/* requested operations: (all) */ -/* n = 19 (from "(auto)") */ -/* s-c = 2^521 - [(1, 1)] (from "2^521 - 1") */ -/* tight_bounds_multiplier = 1 (from "") */ -/* */ -/* Computed values: */ -/* carry_chain = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 0, 1] */ -/* eval z = z[0] + (z[1] << 28) + (z[2] << 55) + (z[3] << 83) + (z[4] << 110) + (z[5] << 138) + (z[6] << 165) + (z[7] << 192) + (z[8] << 220) + (z[9] << 247) + (z[10] << 0x113) + (z[11] << 0x12e) + (z[12] << 0x14a) + (z[13] << 0x165) + (z[14] << 0x180) + (z[15] << 0x19c) + (z[16] << 0x1b7) + (z[17] << 0x1d3) + (z[18] << 0x1ee) */ -/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) + (z[48] << 0x180) + (z[49] << 0x188) + (z[50] << 0x190) + (z[51] << 0x198) + (z[52] << 0x1a0) + (z[53] << 0x1a8) + (z[54] << 0x1b0) + (z[55] << 0x1b8) + (z[56] << 0x1c0) + (z[57] << 0x1c8) + (z[58] << 0x1d0) + (z[59] << 0x1d8) + (z[60] << 0x1e0) + (z[61] << 0x1e8) + (z[62] << 0x1f0) + (z[63] << 0x1f8) + (z[64] << 2^9) + (z[65] << 0x208) */ -/* balance = [0x1ffffffe, 0xffffffe, 0x1ffffffe, 0xffffffe, 0x1ffffffe, 0xffffffe, 0xffffffe, 0x1ffffffe, 0xffffffe, 0x1ffffffe, 0xffffffe, 0x1ffffffe, 0xffffffe, 0xffffffe, 0x1ffffffe, 0xffffffe, 0x1ffffffe, 0xffffffe, 0xffffffe] */ - -#include <stdint.h> -typedef unsigned char fiat_secp521r1_uint1; -typedef signed char fiat_secp521r1_int1; -#ifdef __GNUC__ -#define FIAT_SECP521R1_FIAT_INLINE __inline__ -#else -#define FIAT_SECP521R1_FIAT_INLINE -#endif - -/* The type fiat_secp521r1_loose_field_element is a field element with loose bounds. */ -/* Bounds: [[0x0 ~> 0x30000000], [0x0 ~> 0x18000000], [0x0 ~> 0x30000000], [0x0 ~> 0x18000000], [0x0 ~> 0x30000000], [0x0 ~> 0x18000000], [0x0 ~> 0x18000000], [0x0 ~> 0x30000000], [0x0 ~> 0x18000000], [0x0 ~> 0x30000000], [0x0 ~> 0x18000000], [0x0 ~> 0x30000000], [0x0 ~> 0x18000000], [0x0 ~> 0x18000000], [0x0 ~> 0x30000000], [0x0 ~> 0x18000000], [0x0 ~> 0x30000000], [0x0 ~> 0x18000000], [0x0 ~> 0x18000000]] */ -typedef uint32_t fiat_secp521r1_loose_field_element[19]; - -/* The type fiat_secp521r1_tight_field_element is a field element with tight bounds. */ -/* Bounds: [[0x0 ~> 0x10000000], [0x0 ~> 0x8000000], [0x0 ~> 0x10000000], [0x0 ~> 0x8000000], [0x0 ~> 0x10000000], [0x0 ~> 0x8000000], [0x0 ~> 0x8000000], [0x0 ~> 0x10000000], [0x0 ~> 0x8000000], [0x0 ~> 0x10000000], [0x0 ~> 0x8000000], [0x0 ~> 0x10000000], [0x0 ~> 0x8000000], [0x0 ~> 0x8000000], [0x0 ~> 0x10000000], [0x0 ~> 0x8000000], [0x0 ~> 0x10000000], [0x0 ~> 0x8000000], [0x0 ~> 0x8000000]] */ -typedef uint32_t fiat_secp521r1_tight_field_element[19]; - -#if (-1 & 3) != 3 -#error "This code only works on a two's complement system" -#endif - -#if !defined(FIAT_SECP521R1_NO_ASM) && (defined(__GNUC__) || defined(__clang__)) -static __inline__ uint32_t -fiat_secp521r1_value_barrier_u32(uint32_t a) -{ - __asm__("" - : "+r"(a) - : /* no inputs */); - return a; -} -#else -#define fiat_secp521r1_value_barrier_u32(x) (x) -#endif - /* - * The function fiat_secp521r1_addcarryx_u28 is an addition with carry. - * - * Postconditions: - * out1 = (arg1 + arg2 + arg3) mod 2^28 - * out2 = ⌊(arg1 + arg2 + arg3) / 2^28⌋ - * - * Input Bounds: - * arg1: [0x0 ~> 0x1] - * arg2: [0x0 ~> 0xfffffff] - * arg3: [0x0 ~> 0xfffffff] - * Output Bounds: - * out1: [0x0 ~> 0xfffffff] - * out2: [0x0 ~> 0x1] + * Scalar multiplication for P-521. + * If P == NULL, the base point is used. + * Returns X = k*P */ -static void -fiat_secp521r1_addcarryx_u28(uint32_t *out1, - fiat_secp521r1_uint1 *out2, - fiat_secp521r1_uint1 arg1, - uint32_t arg2, uint32_t arg3) -{ - uint32_t x1; - uint32_t x2; - fiat_secp521r1_uint1 x3; - x1 = ((arg1 + arg2) + arg3); - x2 = (x1 & UINT32_C(0xfffffff)); - x3 = (fiat_secp521r1_uint1)(x1 >> 28); - *out1 = x2; - *out2 = x3; -} -/* - * The function fiat_secp521r1_subborrowx_u28 is a subtraction with borrow. - * - * Postconditions: - * out1 = (-arg1 + arg2 + -arg3) mod 2^28 - * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^28⌋ - * - * Input Bounds: - * arg1: [0x0 ~> 0x1] - * arg2: [0x0 ~> 0xfffffff] - * arg3: [0x0 ~> 0xfffffff] - * Output Bounds: - * out1: [0x0 ~> 0xfffffff] - * out2: [0x0 ~> 0x1] - */ -static void -fiat_secp521r1_subborrowx_u28(uint32_t *out1, - fiat_secp521r1_uint1 *out2, - fiat_secp521r1_uint1 arg1, - uint32_t arg2, uint32_t arg3) +SECStatus +ec_secp521r1_pt_mul(SECItem *X, SECItem *k, SECItem *P) { - int32_t x1; - fiat_secp521r1_int1 x2; - uint32_t x3; - x1 = ((int32_t)(arg2 - arg1) - (int32_t)arg3); - x2 = (fiat_secp521r1_int1)(x1 >> 28); - x3 = (x1 & UINT32_C(0xfffffff)); - *out1 = x3; - *out2 = (fiat_secp521r1_uint1)(0x0 - x2); -} + SECStatus res = SECSuccess; + if (!P) { + uint8_t derived[132] = { 0 }; -/* - * The function fiat_secp521r1_addcarryx_u27 is an addition with carry. - * - * Postconditions: - * out1 = (arg1 + arg2 + arg3) mod 2^27 - * out2 = ⌊(arg1 + arg2 + arg3) / 2^27⌋ - * - * Input Bounds: - * arg1: [0x0 ~> 0x1] - * arg2: [0x0 ~> 0x7ffffff] - * arg3: [0x0 ~> 0x7ffffff] - * Output Bounds: - * out1: [0x0 ~> 0x7ffffff] - * out2: [0x0 ~> 0x1] - */ -static void -fiat_secp521r1_addcarryx_u27(uint32_t *out1, - fiat_secp521r1_uint1 *out2, - fiat_secp521r1_uint1 arg1, - uint32_t arg2, uint32_t arg3) -{ - uint32_t x1; - uint32_t x2; - fiat_secp521r1_uint1 x3; - x1 = ((arg1 + arg2) + arg3); - x2 = (x1 & UINT32_C(0x7ffffff)); - x3 = (fiat_secp521r1_uint1)(x1 >> 27); - *out1 = x2; - *out2 = x3; -} + if (!X || !k || !X->data || !k->data || + X->len < 133 || k->len != 66) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + res = SECFailure; + return res; + } -/* - * The function fiat_secp521r1_subborrowx_u27 is a subtraction with borrow. - * - * Postconditions: - * out1 = (-arg1 + arg2 + -arg3) mod 2^27 - * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^27⌋ - * - * Input Bounds: - * arg1: [0x0 ~> 0x1] - * arg2: [0x0 ~> 0x7ffffff] - * arg3: [0x0 ~> 0x7ffffff] - * Output Bounds: - * out1: [0x0 ~> 0x7ffffff] - * out2: [0x0 ~> 0x1] - */ -static void -fiat_secp521r1_subborrowx_u27(uint32_t *out1, - fiat_secp521r1_uint1 *out2, - fiat_secp521r1_uint1 arg1, - uint32_t arg2, uint32_t arg3) -{ - int32_t x1; - fiat_secp521r1_int1 x2; - uint32_t x3; - x1 = ((int32_t)(arg2 - arg1) - (int32_t)arg3); - x2 = (fiat_secp521r1_int1)(x1 >> 27); - x3 = (x1 & UINT32_C(0x7ffffff)); - *out1 = x3; - *out2 = (fiat_secp521r1_uint1)(0x0 - x2); -} + bool b = Hacl_P521_dh_initiator(derived, k->data); -/* - * The function fiat_secp521r1_cmovznz_u32 is a single-word conditional move. - * - * Postconditions: - * out1 = (if arg1 = 0 then arg2 else arg3) - * - * Input Bounds: - * arg1: [0x0 ~> 0x1] - * arg2: [0x0 ~> 0xffffffff] - * arg3: [0x0 ~> 0xffffffff] - * Output Bounds: - * out1: [0x0 ~> 0xffffffff] - */ -static void -fiat_secp521r1_cmovznz_u32(uint32_t *out1, - fiat_secp521r1_uint1 arg1, uint32_t arg2, - uint32_t arg3) -{ - fiat_secp521r1_uint1 x1; - uint32_t x2; - uint32_t x3; - x1 = (!(!arg1)); - x2 = ((fiat_secp521r1_int1)(0x0 - x1) & UINT32_C(0xffffffff)); - x3 = ((fiat_secp521r1_value_barrier_u32(x2) & arg3) | - (fiat_secp521r1_value_barrier_u32((~x2)) & arg2)); - *out1 = x3; -} + if (!b) { + PORT_SetError(SEC_ERROR_BAD_KEY); + res = SECFailure; + return res; + } -/* - * The function fiat_secp521r1_carry_mul multiplies two field elements and reduces the result. - * - * Postconditions: - * eval out1 mod m = (eval arg1 * eval arg2) mod m - * - */ -static void -fiat_secp521r1_carry_mul( - fiat_secp521r1_tight_field_element out1, - const fiat_secp521r1_loose_field_element arg1, - const fiat_secp521r1_loose_field_element arg2) -{ - uint64_t x1; - uint64_t x2; - uint64_t x3; - uint64_t x4; - uint64_t x5; - uint64_t x6; - uint64_t x7; - uint64_t x8; - uint64_t x9; - uint64_t x10; - uint64_t x11; - uint64_t x12; - uint64_t x13; - uint64_t x14; - uint64_t x15; - uint64_t x16; - uint64_t x17; - uint64_t x18; - uint64_t x19; - uint64_t x20; - uint64_t x21; - uint64_t x22; - uint64_t x23; - uint64_t x24; - uint64_t x25; - uint64_t x26; - uint64_t x27; - uint64_t x28; - uint64_t x29; - uint64_t x30; - uint64_t x31; - uint64_t x32; - uint64_t x33; - uint64_t x34; - uint64_t x35; - uint64_t x36; - uint64_t x37; - uint64_t x38; - uint64_t x39; - uint64_t x40; - uint64_t x41; - uint64_t x42; - uint64_t x43; - uint64_t x44; - uint64_t x45; - uint64_t x46; - uint64_t x47; - uint64_t x48; - uint64_t x49; - uint64_t x50; - uint64_t x51; - uint64_t x52; - uint64_t x53; - uint64_t x54; - uint64_t x55; - uint64_t x56; - uint64_t x57; - uint64_t x58; - uint64_t x59; - uint64_t x60; - uint64_t x61; - uint64_t x62; - uint64_t x63; - uint64_t x64; - uint64_t x65; - uint64_t x66; - uint64_t x67; - uint64_t x68; - uint64_t x69; - uint64_t x70; - uint64_t x71; - uint64_t x72; - uint64_t x73; - uint64_t x74; - uint64_t x75; - uint64_t x76; - uint64_t x77; - uint64_t x78; - uint64_t x79; - uint64_t x80; - uint64_t x81; - uint64_t x82; - uint64_t x83; - uint64_t x84; - uint64_t x85; - uint64_t x86; - uint64_t x87; - uint64_t x88; - uint64_t x89; - uint64_t x90; - uint64_t x91; - uint64_t x92; - uint64_t x93; - uint64_t x94; - uint64_t x95; - uint64_t x96; - uint64_t x97; - uint64_t x98; - uint64_t x99; - uint64_t x100; - uint64_t x101; - uint64_t x102; - uint64_t x103; - uint64_t x104; - uint64_t x105; - uint64_t x106; - uint64_t x107; - uint64_t x108; - uint64_t x109; - uint64_t x110; - uint64_t x111; - uint64_t x112; - uint64_t x113; - uint64_t x114; - uint64_t x115; - uint64_t x116; - uint64_t x117; - uint64_t x118; - uint64_t x119; - uint64_t x120; - uint64_t x121; - uint64_t x122; - uint64_t x123; - uint64_t x124; - uint64_t x125; - uint64_t x126; - uint64_t x127; - uint64_t x128; - uint64_t x129; - uint64_t x130; - uint64_t x131; - uint64_t x132; - uint64_t x133; - uint64_t x134; - uint64_t x135; - uint64_t x136; - uint64_t x137; - uint64_t x138; - uint64_t x139; - uint64_t x140; - uint64_t x141; - uint64_t x142; - uint64_t x143; - uint64_t x144; - uint64_t x145; - uint64_t x146; - uint64_t x147; - uint64_t x148; - uint64_t x149; - uint64_t x150; - uint64_t x151; - uint64_t x152; - uint64_t x153; - uint64_t x154; - uint64_t x155; - uint64_t x156; - uint64_t x157; - uint64_t x158; - uint64_t x159; - uint64_t x160; - uint64_t x161; - uint64_t x162; - uint64_t x163; - uint64_t x164; - uint64_t x165; - uint64_t x166; - uint64_t x167; - uint64_t x168; - uint64_t x169; - uint64_t x170; - uint64_t x171; - uint64_t x172; - uint64_t x173; - uint64_t x174; - uint64_t x175; - uint64_t x176; - uint64_t x177; - uint64_t x178; - uint64_t x179; - uint64_t x180; - uint64_t x181; - uint64_t x182; - uint64_t x183; - uint64_t x184; - uint64_t x185; - uint64_t x186; - uint64_t x187; - uint64_t x188; - uint64_t x189; - uint64_t x190; - uint64_t x191; - uint64_t x192; - uint64_t x193; - uint64_t x194; - uint64_t x195; - uint64_t x196; - uint64_t x197; - uint64_t x198; - uint64_t x199; - uint64_t x200; - uint64_t x201; - uint64_t x202; - uint64_t x203; - uint64_t x204; - uint64_t x205; - uint64_t x206; - uint64_t x207; - uint64_t x208; - uint64_t x209; - uint64_t x210; - uint64_t x211; - uint64_t x212; - uint64_t x213; - uint64_t x214; - uint64_t x215; - uint64_t x216; - uint64_t x217; - uint64_t x218; - uint64_t x219; - uint64_t x220; - uint64_t x221; - uint64_t x222; - uint64_t x223; - uint64_t x224; - uint64_t x225; - uint64_t x226; - uint64_t x227; - uint64_t x228; - uint64_t x229; - uint64_t x230; - uint64_t x231; - uint64_t x232; - uint64_t x233; - uint64_t x234; - uint64_t x235; - uint64_t x236; - uint64_t x237; - uint64_t x238; - uint64_t x239; - uint64_t x240; - uint64_t x241; - uint64_t x242; - uint64_t x243; - uint64_t x244; - uint64_t x245; - uint64_t x246; - uint64_t x247; - uint64_t x248; - uint64_t x249; - uint64_t x250; - uint64_t x251; - uint64_t x252; - uint64_t x253; - uint64_t x254; - uint64_t x255; - uint64_t x256; - uint64_t x257; - uint64_t x258; - uint64_t x259; - uint64_t x260; - uint64_t x261; - uint64_t x262; - uint64_t x263; - uint64_t x264; - uint64_t x265; - uint64_t x266; - uint64_t x267; - uint64_t x268; - uint64_t x269; - uint64_t x270; - uint64_t x271; - uint64_t x272; - uint64_t x273; - uint64_t x274; - uint64_t x275; - uint64_t x276; - uint64_t x277; - uint64_t x278; - uint64_t x279; - uint64_t x280; - uint64_t x281; - uint64_t x282; - uint64_t x283; - uint64_t x284; - uint64_t x285; - uint64_t x286; - uint64_t x287; - uint64_t x288; - uint64_t x289; - uint64_t x290; - uint64_t x291; - uint64_t x292; - uint64_t x293; - uint64_t x294; - uint64_t x295; - uint64_t x296; - uint64_t x297; - uint64_t x298; - uint64_t x299; - uint64_t x300; - uint64_t x301; - uint64_t x302; - uint64_t x303; - uint64_t x304; - uint64_t x305; - uint64_t x306; - uint64_t x307; - uint64_t x308; - uint64_t x309; - uint64_t x310; - uint64_t x311; - uint64_t x312; - uint64_t x313; - uint64_t x314; - uint64_t x315; - uint64_t x316; - uint64_t x317; - uint64_t x318; - uint64_t x319; - uint64_t x320; - uint64_t x321; - uint64_t x322; - uint64_t x323; - uint64_t x324; - uint64_t x325; - uint64_t x326; - uint64_t x327; - uint64_t x328; - uint64_t x329; - uint64_t x330; - uint64_t x331; - uint64_t x332; - uint64_t x333; - uint64_t x334; - uint64_t x335; - uint64_t x336; - uint64_t x337; - uint64_t x338; - uint64_t x339; - uint64_t x340; - uint64_t x341; - uint64_t x342; - uint64_t x343; - uint64_t x344; - uint64_t x345; - uint64_t x346; - uint64_t x347; - uint64_t x348; - uint64_t x349; - uint64_t x350; - uint64_t x351; - uint64_t x352; - uint64_t x353; - uint64_t x354; - uint64_t x355; - uint64_t x356; - uint64_t x357; - uint64_t x358; - uint64_t x359; - uint64_t x360; - uint64_t x361; - uint64_t x362; - uint64_t x363; - uint32_t x364; - uint64_t x365; - uint64_t x366; - uint64_t x367; - uint64_t x368; - uint64_t x369; - uint64_t x370; - uint64_t x371; - uint64_t x372; - uint64_t x373; - uint64_t x374; - uint64_t x375; - uint64_t x376; - uint64_t x377; - uint64_t x378; - uint64_t x379; - uint64_t x380; - uint64_t x381; - uint64_t x382; - uint64_t x383; - uint64_t x384; - uint32_t x385; - uint64_t x386; - uint64_t x387; - uint32_t x388; - uint64_t x389; - uint64_t x390; - uint32_t x391; - uint64_t x392; - uint64_t x393; - uint32_t x394; - uint64_t x395; - uint64_t x396; - uint32_t x397; - uint64_t x398; - uint64_t x399; - uint32_t x400; - uint64_t x401; - uint64_t x402; - uint32_t x403; - uint64_t x404; - uint64_t x405; - uint32_t x406; - uint64_t x407; - uint64_t x408; - uint32_t x409; - uint64_t x410; - uint64_t x411; - uint32_t x412; - uint64_t x413; - uint64_t x414; - uint32_t x415; - uint64_t x416; - uint64_t x417; - uint32_t x418; - uint64_t x419; - uint64_t x420; - uint32_t x421; - uint64_t x422; - uint64_t x423; - uint32_t x424; - uint64_t x425; - uint64_t x426; - uint32_t x427; - uint64_t x428; - uint64_t x429; - uint32_t x430; - uint64_t x431; - uint64_t x432; - uint32_t x433; - uint64_t x434; - uint64_t x435; - uint32_t x436; - uint64_t x437; - uint32_t x438; - uint32_t x439; - uint32_t x440; - fiat_secp521r1_uint1 x441; - uint32_t x442; - uint32_t x443; - x1 = ((uint64_t)(arg1[18]) * (arg2[18])); - x2 = ((uint64_t)(arg1[18]) * ((arg2[17]) * 0x2)); - x3 = ((uint64_t)(arg1[18]) * (arg2[16])); - x4 = ((uint64_t)(arg1[18]) * ((arg2[15]) * 0x2)); - x5 = ((uint64_t)(arg1[18]) * (arg2[14])); - x6 = ((uint64_t)(arg1[18]) * (arg2[13])); - x7 = ((uint64_t)(arg1[18]) * ((arg2[12]) * 0x2)); - x8 = ((uint64_t)(arg1[18]) * (arg2[11])); - x9 = ((uint64_t)(arg1[18]) * ((arg2[10]) * 0x2)); - x10 = ((uint64_t)(arg1[18]) * (arg2[9])); - x11 = ((uint64_t)(arg1[18]) * ((arg2[8]) * 0x2)); - x12 = ((uint64_t)(arg1[18]) * (arg2[7])); - x13 = ((uint64_t)(arg1[18]) * (arg2[6])); - x14 = ((uint64_t)(arg1[18]) * ((arg2[5]) * 0x2)); - x15 = ((uint64_t)(arg1[18]) * (arg2[4])); - x16 = ((uint64_t)(arg1[18]) * ((arg2[3]) * 0x2)); - x17 = ((uint64_t)(arg1[18]) * (arg2[2])); - x18 = ((uint64_t)(arg1[18]) * ((arg2[1]) * 0x2)); - x19 = ((uint64_t)(arg1[17]) * ((arg2[18]) * 0x2)); - x20 = ((uint64_t)(arg1[17]) * ((arg2[17]) * 0x2)); - x21 = ((uint64_t)(arg1[17]) * ((arg2[16]) * 0x2)); - x22 = ((uint64_t)(arg1[17]) * ((arg2[15]) * 0x2)); - x23 = ((uint64_t)(arg1[17]) * (arg2[14])); - x24 = ((uint64_t)(arg1[17]) * ((arg2[13]) * 0x2)); - x25 = ((uint64_t)(arg1[17]) * ((arg2[12]) * 0x2)); - x26 = ((uint64_t)(arg1[17]) * ((arg2[11]) * 0x2)); - x27 = ((uint64_t)(arg1[17]) * ((arg2[10]) * 0x2)); - x28 = ((uint64_t)(arg1[17]) * ((arg2[9]) * 0x2)); - x29 = ((uint64_t)(arg1[17]) * ((arg2[8]) * 0x2)); - x30 = ((uint64_t)(arg1[17]) * (arg2[7])); - x31 = ((uint64_t)(arg1[17]) * ((arg2[6]) * 0x2)); - x32 = ((uint64_t)(arg1[17]) * ((arg2[5]) * 0x2)); - x33 = ((uint64_t)(arg1[17]) * ((arg2[4]) * 0x2)); - x34 = ((uint64_t)(arg1[17]) * ((arg2[3]) * 0x2)); - x35 = ((uint64_t)(arg1[17]) * ((arg2[2]) * 0x2)); - x36 = ((uint64_t)(arg1[16]) * (arg2[18])); - x37 = ((uint64_t)(arg1[16]) * ((arg2[17]) * 0x2)); - x38 = ((uint64_t)(arg1[16]) * (arg2[16])); - x39 = ((uint64_t)(arg1[16]) * (arg2[15])); - x40 = ((uint64_t)(arg1[16]) * (arg2[14])); - x41 = ((uint64_t)(arg1[16]) * (arg2[13])); - x42 = ((uint64_t)(arg1[16]) * ((arg2[12]) * 0x2)); - x43 = ((uint64_t)(arg1[16]) * (arg2[11])); - x44 = ((uint64_t)(arg1[16]) * ((arg2[10]) * 0x2)); - x45 = ((uint64_t)(arg1[16]) * (arg2[9])); - x46 = ((uint64_t)(arg1[16]) * (arg2[8])); - x47 = ((uint64_t)(arg1[16]) * (arg2[7])); - x48 = ((uint64_t)(arg1[16]) * (arg2[6])); - x49 = ((uint64_t)(arg1[16]) * ((arg2[5]) * 0x2)); - x50 = ((uint64_t)(arg1[16]) * (arg2[4])); - x51 = ((uint64_t)(arg1[16]) * ((arg2[3]) * 0x2)); - x52 = ((uint64_t)(arg1[15]) * ((arg2[18]) * 0x2)); - x53 = ((uint64_t)(arg1[15]) * ((arg2[17]) * 0x2)); - x54 = ((uint64_t)(arg1[15]) * (arg2[16])); - x55 = ((uint64_t)(arg1[15]) * ((arg2[15]) * 0x2)); - x56 = ((uint64_t)(arg1[15]) * (arg2[14])); - x57 = ((uint64_t)(arg1[15]) * ((arg2[13]) * 0x2)); - x58 = ((uint64_t)(arg1[15]) * ((arg2[12]) * 0x2)); - x59 = ((uint64_t)(arg1[15]) * ((arg2[11]) * 0x2)); - x60 = ((uint64_t)(arg1[15]) * ((arg2[10]) * 0x2)); - x61 = ((uint64_t)(arg1[15]) * (arg2[9])); - x62 = ((uint64_t)(arg1[15]) * ((arg2[8]) * 0x2)); - x63 = ((uint64_t)(arg1[15]) * (arg2[7])); - x64 = ((uint64_t)(arg1[15]) * ((arg2[6]) * 0x2)); - x65 = ((uint64_t)(arg1[15]) * ((arg2[5]) * 0x2)); - x66 = ((uint64_t)(arg1[15]) * ((arg2[4]) * 0x2)); - x67 = ((uint64_t)(arg1[14]) * (arg2[18])); - x68 = ((uint64_t)(arg1[14]) * (arg2[17])); - x69 = ((uint64_t)(arg1[14]) * (arg2[16])); - x70 = ((uint64_t)(arg1[14]) * (arg2[15])); - x71 = ((uint64_t)(arg1[14]) * (arg2[14])); - x72 = ((uint64_t)(arg1[14]) * (arg2[13])); - x73 = ((uint64_t)(arg1[14]) * ((arg2[12]) * 0x2)); - x74 = ((uint64_t)(arg1[14]) * (arg2[11])); - x75 = ((uint64_t)(arg1[14]) * (arg2[10])); - x76 = ((uint64_t)(arg1[14]) * (arg2[9])); - x77 = ((uint64_t)(arg1[14]) * (arg2[8])); - x78 = ((uint64_t)(arg1[14]) * (arg2[7])); - x79 = ((uint64_t)(arg1[14]) * (arg2[6])); - x80 = ((uint64_t)(arg1[14]) * ((arg2[5]) * 0x2)); - x81 = ((uint64_t)(arg1[13]) * (arg2[18])); - x82 = ((uint64_t)(arg1[13]) * ((arg2[17]) * 0x2)); - x83 = ((uint64_t)(arg1[13]) * (arg2[16])); - x84 = ((uint64_t)(arg1[13]) * ((arg2[15]) * 0x2)); - x85 = ((uint64_t)(arg1[13]) * (arg2[14])); - x86 = ((uint64_t)(arg1[13]) * ((arg2[13]) * 0x2)); - x87 = ((uint64_t)(arg1[13]) * ((arg2[12]) * 0x2)); - x88 = ((uint64_t)(arg1[13]) * (arg2[11])); - x89 = ((uint64_t)(arg1[13]) * ((arg2[10]) * 0x2)); - x90 = ((uint64_t)(arg1[13]) * (arg2[9])); - x91 = ((uint64_t)(arg1[13]) * ((arg2[8]) * 0x2)); - x92 = ((uint64_t)(arg1[13]) * (arg2[7])); - x93 = ((uint64_t)(arg1[13]) * ((arg2[6]) * 0x2)); - x94 = ((uint64_t)(arg1[12]) * ((arg2[18]) * 0x2)); - x95 = ((uint64_t)(arg1[12]) * ((arg2[17]) * 0x2)); - x96 = ((uint64_t)(arg1[12]) * ((arg2[16]) * 0x2)); - x97 = ((uint64_t)(arg1[12]) * ((arg2[15]) * 0x2)); - x98 = ((uint64_t)(arg1[12]) * ((arg2[14]) * 0x2)); - x99 = ((uint64_t)(arg1[12]) * ((arg2[13]) * 0x2)); - x100 = ((uint64_t)(arg1[12]) * ((arg2[12]) * 0x2)); - x101 = ((uint64_t)(arg1[12]) * ((arg2[11]) * 0x2)); - x102 = ((uint64_t)(arg1[12]) * ((arg2[10]) * 0x2)); - x103 = ((uint64_t)(arg1[12]) * ((arg2[9]) * 0x2)); - x104 = ((uint64_t)(arg1[12]) * ((arg2[8]) * 0x2)); - x105 = ((uint64_t)(arg1[12]) * ((arg2[7]) * 0x2)); - x106 = ((uint64_t)(arg1[11]) * (arg2[18])); - x107 = ((uint64_t)(arg1[11]) * ((arg2[17]) * 0x2)); - x108 = ((uint64_t)(arg1[11]) * (arg2[16])); - x109 = ((uint64_t)(arg1[11]) * ((arg2[15]) * 0x2)); - x110 = ((uint64_t)(arg1[11]) * (arg2[14])); - x111 = ((uint64_t)(arg1[11]) * (arg2[13])); - x112 = ((uint64_t)(arg1[11]) * ((arg2[12]) * 0x2)); - x113 = ((uint64_t)(arg1[11]) * (arg2[11])); - x114 = ((uint64_t)(arg1[11]) * ((arg2[10]) * 0x2)); - x115 = ((uint64_t)(arg1[11]) * (arg2[9])); - x116 = ((uint64_t)(arg1[11]) * ((arg2[8]) * 0x2)); - x117 = ((uint64_t)(arg1[10]) * ((arg2[18]) * 0x2)); - x118 = ((uint64_t)(arg1[10]) * ((arg2[17]) * 0x2)); - x119 = ((uint64_t)(arg1[10]) * ((arg2[16]) * 0x2)); - x120 = ((uint64_t)(arg1[10]) * ((arg2[15]) * 0x2)); - x121 = ((uint64_t)(arg1[10]) * (arg2[14])); - x122 = ((uint64_t)(arg1[10]) * ((arg2[13]) * 0x2)); - x123 = ((uint64_t)(arg1[10]) * ((arg2[12]) * 0x2)); - x124 = ((uint64_t)(arg1[10]) * ((arg2[11]) * 0x2)); - x125 = ((uint64_t)(arg1[10]) * ((arg2[10]) * 0x2)); - x126 = ((uint64_t)(arg1[10]) * ((arg2[9]) * 0x2)); - x127 = ((uint64_t)(arg1[9]) * (arg2[18])); - x128 = ((uint64_t)(arg1[9]) * ((arg2[17]) * 0x2)); - x129 = ((uint64_t)(arg1[9]) * (arg2[16])); - x130 = ((uint64_t)(arg1[9]) * (arg2[15])); - x131 = ((uint64_t)(arg1[9]) * (arg2[14])); - x132 = ((uint64_t)(arg1[9]) * (arg2[13])); - x133 = ((uint64_t)(arg1[9]) * ((arg2[12]) * 0x2)); - x134 = ((uint64_t)(arg1[9]) * (arg2[11])); - x135 = ((uint64_t)(arg1[9]) * ((arg2[10]) * 0x2)); - x136 = ((uint64_t)(arg1[8]) * ((arg2[18]) * 0x2)); - x137 = ((uint64_t)(arg1[8]) * ((arg2[17]) * 0x2)); - x138 = ((uint64_t)(arg1[8]) * (arg2[16])); - x139 = ((uint64_t)(arg1[8]) * ((arg2[15]) * 0x2)); - x140 = ((uint64_t)(arg1[8]) * (arg2[14])); - x141 = ((uint64_t)(arg1[8]) * ((arg2[13]) * 0x2)); - x142 = ((uint64_t)(arg1[8]) * ((arg2[12]) * 0x2)); - x143 = ((uint64_t)(arg1[8]) * ((arg2[11]) * 0x2)); - x144 = ((uint64_t)(arg1[7]) * (arg2[18])); - x145 = ((uint64_t)(arg1[7]) * (arg2[17])); - x146 = ((uint64_t)(arg1[7]) * (arg2[16])); - x147 = ((uint64_t)(arg1[7]) * (arg2[15])); - x148 = ((uint64_t)(arg1[7]) * (arg2[14])); - x149 = ((uint64_t)(arg1[7]) * (arg2[13])); - x150 = ((uint64_t)(arg1[7]) * ((arg2[12]) * 0x2)); - x151 = ((uint64_t)(arg1[6]) * (arg2[18])); - x152 = ((uint64_t)(arg1[6]) * ((arg2[17]) * 0x2)); - x153 = ((uint64_t)(arg1[6]) * (arg2[16])); - x154 = ((uint64_t)(arg1[6]) * ((arg2[15]) * 0x2)); - x155 = ((uint64_t)(arg1[6]) * (arg2[14])); - x156 = ((uint64_t)(arg1[6]) * ((arg2[13]) * 0x2)); - x157 = ((uint64_t)(arg1[5]) * ((arg2[18]) * 0x2)); - x158 = ((uint64_t)(arg1[5]) * ((arg2[17]) * 0x2)); - x159 = ((uint64_t)(arg1[5]) * ((arg2[16]) * 0x2)); - x160 = ((uint64_t)(arg1[5]) * ((arg2[15]) * 0x2)); - x161 = ((uint64_t)(arg1[5]) * ((arg2[14]) * 0x2)); - x162 = ((uint64_t)(arg1[4]) * (arg2[18])); - x163 = ((uint64_t)(arg1[4]) * ((arg2[17]) * 0x2)); - x164 = ((uint64_t)(arg1[4]) * (arg2[16])); - x165 = ((uint64_t)(arg1[4]) * ((arg2[15]) * 0x2)); - x166 = ((uint64_t)(arg1[3]) * ((arg2[18]) * 0x2)); - x167 = ((uint64_t)(arg1[3]) * ((arg2[17]) * 0x2)); - x168 = ((uint64_t)(arg1[3]) * ((arg2[16]) * 0x2)); - x169 = ((uint64_t)(arg1[2]) * (arg2[18])); - x170 = ((uint64_t)(arg1[2]) * ((arg2[17]) * 0x2)); - x171 = ((uint64_t)(arg1[1]) * ((arg2[18]) * 0x2)); - x172 = ((uint64_t)(arg1[18]) * (arg2[0])); - x173 = ((uint64_t)(arg1[17]) * ((arg2[1]) * 0x2)); - x174 = ((uint64_t)(arg1[17]) * (arg2[0])); - x175 = ((uint64_t)(arg1[16]) * (arg2[2])); - x176 = ((uint64_t)(arg1[16]) * (arg2[1])); - x177 = ((uint64_t)(arg1[16]) * (arg2[0])); - x178 = ((uint64_t)(arg1[15]) * ((arg2[3]) * 0x2)); - x179 = ((uint64_t)(arg1[15]) * (arg2[2])); - x180 = ((uint64_t)(arg1[15]) * ((arg2[1]) * 0x2)); - x181 = ((uint64_t)(arg1[15]) * (arg2[0])); - x182 = ((uint64_t)(arg1[14]) * (arg2[4])); - x183 = ((uint64_t)(arg1[14]) * (arg2[3])); - x184 = ((uint64_t)(arg1[14]) * (arg2[2])); - x185 = ((uint64_t)(arg1[14]) * (arg2[1])); - x186 = ((uint64_t)(arg1[14]) * (arg2[0])); - x187 = ((uint64_t)(arg1[13]) * ((arg2[5]) * 0x2)); - x188 = ((uint64_t)(arg1[13]) * (arg2[4])); - x189 = ((uint64_t)(arg1[13]) * ((arg2[3]) * 0x2)); - x190 = ((uint64_t)(arg1[13]) * (arg2[2])); - x191 = ((uint64_t)(arg1[13]) * ((arg2[1]) * 0x2)); - x192 = ((uint64_t)(arg1[13]) * (arg2[0])); - x193 = ((uint64_t)(arg1[12]) * ((arg2[6]) * 0x2)); - x194 = ((uint64_t)(arg1[12]) * ((arg2[5]) * 0x2)); - x195 = ((uint64_t)(arg1[12]) * ((arg2[4]) * 0x2)); - x196 = ((uint64_t)(arg1[12]) * ((arg2[3]) * 0x2)); - x197 = ((uint64_t)(arg1[12]) * ((arg2[2]) * 0x2)); - x198 = ((uint64_t)(arg1[12]) * ((arg2[1]) * 0x2)); - x199 = ((uint64_t)(arg1[12]) * (arg2[0])); - x200 = ((uint64_t)(arg1[11]) * (arg2[7])); - x201 = ((uint64_t)(arg1[11]) * (arg2[6])); - x202 = ((uint64_t)(arg1[11]) * ((arg2[5]) * 0x2)); - x203 = ((uint64_t)(arg1[11]) * (arg2[4])); - x204 = ((uint64_t)(arg1[11]) * ((arg2[3]) * 0x2)); - x205 = ((uint64_t)(arg1[11]) * (arg2[2])); - x206 = ((uint64_t)(arg1[11]) * (arg2[1])); - x207 = ((uint64_t)(arg1[11]) * (arg2[0])); - x208 = ((uint64_t)(arg1[10]) * ((arg2[8]) * 0x2)); - x209 = ((uint64_t)(arg1[10]) * (arg2[7])); - x210 = ((uint64_t)(arg1[10]) * ((arg2[6]) * 0x2)); - x211 = ((uint64_t)(arg1[10]) * ((arg2[5]) * 0x2)); - x212 = ((uint64_t)(arg1[10]) * ((arg2[4]) * 0x2)); - x213 = ((uint64_t)(arg1[10]) * ((arg2[3]) * 0x2)); - x214 = ((uint64_t)(arg1[10]) * (arg2[2])); - x215 = ((uint64_t)(arg1[10]) * ((arg2[1]) * 0x2)); - x216 = ((uint64_t)(arg1[10]) * (arg2[0])); - x217 = ((uint64_t)(arg1[9]) * (arg2[9])); - x218 = ((uint64_t)(arg1[9]) * (arg2[8])); - x219 = ((uint64_t)(arg1[9]) * (arg2[7])); - x220 = ((uint64_t)(arg1[9]) * (arg2[6])); - x221 = ((uint64_t)(arg1[9]) * ((arg2[5]) * 0x2)); - x222 = ((uint64_t)(arg1[9]) * (arg2[4])); - x223 = ((uint64_t)(arg1[9]) * (arg2[3])); - x224 = ((uint64_t)(arg1[9]) * (arg2[2])); - x225 = ((uint64_t)(arg1[9]) * (arg2[1])); - x226 = ((uint64_t)(arg1[9]) * (arg2[0])); - x227 = ((uint64_t)(arg1[8]) * ((arg2[10]) * 0x2)); - x228 = ((uint64_t)(arg1[8]) * (arg2[9])); - x229 = ((uint64_t)(arg1[8]) * ((arg2[8]) * 0x2)); - x230 = ((uint64_t)(arg1[8]) * (arg2[7])); - x231 = ((uint64_t)(arg1[8]) * ((arg2[6]) * 0x2)); - x232 = ((uint64_t)(arg1[8]) * ((arg2[5]) * 0x2)); - x233 = ((uint64_t)(arg1[8]) * (arg2[4])); - x234 = ((uint64_t)(arg1[8]) * ((arg2[3]) * 0x2)); - x235 = ((uint64_t)(arg1[8]) * (arg2[2])); - x236 = ((uint64_t)(arg1[8]) * ((arg2[1]) * 0x2)); - x237 = ((uint64_t)(arg1[8]) * (arg2[0])); - x238 = ((uint64_t)(arg1[7]) * (arg2[11])); - x239 = ((uint64_t)(arg1[7]) * (arg2[10])); - x240 = ((uint64_t)(arg1[7]) * (arg2[9])); - x241 = ((uint64_t)(arg1[7]) * (arg2[8])); - x242 = ((uint64_t)(arg1[7]) * (arg2[7])); - x243 = ((uint64_t)(arg1[7]) * (arg2[6])); - x244 = ((uint64_t)(arg1[7]) * (arg2[5])); - x245 = ((uint64_t)(arg1[7]) * (arg2[4])); - x246 = ((uint64_t)(arg1[7]) * (arg2[3])); - x247 = ((uint64_t)(arg1[7]) * (arg2[2])); - x248 = ((uint64_t)(arg1[7]) * (arg2[1])); - x249 = ((uint64_t)(arg1[7]) * (arg2[0])); - x250 = ((uint64_t)(arg1[6]) * ((arg2[12]) * 0x2)); - x251 = ((uint64_t)(arg1[6]) * (arg2[11])); - x252 = ((uint64_t)(arg1[6]) * ((arg2[10]) * 0x2)); - x253 = ((uint64_t)(arg1[6]) * (arg2[9])); - x254 = ((uint64_t)(arg1[6]) * ((arg2[8]) * 0x2)); - x255 = ((uint64_t)(arg1[6]) * (arg2[7])); - x256 = ((uint64_t)(arg1[6]) * (arg2[6])); - x257 = ((uint64_t)(arg1[6]) * ((arg2[5]) * 0x2)); - x258 = ((uint64_t)(arg1[6]) * (arg2[4])); - x259 = ((uint64_t)(arg1[6]) * ((arg2[3]) * 0x2)); - x260 = ((uint64_t)(arg1[6]) * (arg2[2])); - x261 = ((uint64_t)(arg1[6]) * ((arg2[1]) * 0x2)); - x262 = ((uint64_t)(arg1[6]) * (arg2[0])); - x263 = ((uint64_t)(arg1[5]) * ((arg2[13]) * 0x2)); - x264 = ((uint64_t)(arg1[5]) * ((arg2[12]) * 0x2)); - x265 = ((uint64_t)(arg1[5]) * ((arg2[11]) * 0x2)); - x266 = ((uint64_t)(arg1[5]) * ((arg2[10]) * 0x2)); - x267 = ((uint64_t)(arg1[5]) * ((arg2[9]) * 0x2)); - x268 = ((uint64_t)(arg1[5]) * ((arg2[8]) * 0x2)); - x269 = ((uint64_t)(arg1[5]) * (arg2[7])); - x270 = ((uint64_t)(arg1[5]) * ((arg2[6]) * 0x2)); - x271 = ((uint64_t)(arg1[5]) * ((arg2[5]) * 0x2)); - x272 = ((uint64_t)(arg1[5]) * ((arg2[4]) * 0x2)); - x273 = ((uint64_t)(arg1[5]) * ((arg2[3]) * 0x2)); - x274 = ((uint64_t)(arg1[5]) * ((arg2[2]) * 0x2)); - x275 = ((uint64_t)(arg1[5]) * ((arg2[1]) * 0x2)); - x276 = ((uint64_t)(arg1[5]) * (arg2[0])); - x277 = ((uint64_t)(arg1[4]) * (arg2[14])); - x278 = ((uint64_t)(arg1[4]) * (arg2[13])); - x279 = ((uint64_t)(arg1[4]) * ((arg2[12]) * 0x2)); - x280 = ((uint64_t)(arg1[4]) * (arg2[11])); - x281 = ((uint64_t)(arg1[4]) * ((arg2[10]) * 0x2)); - x282 = ((uint64_t)(arg1[4]) * (arg2[9])); - x283 = ((uint64_t)(arg1[4]) * (arg2[8])); - x284 = ((uint64_t)(arg1[4]) * (arg2[7])); - x285 = ((uint64_t)(arg1[4]) * (arg2[6])); - x286 = ((uint64_t)(arg1[4]) * ((arg2[5]) * 0x2)); - x287 = ((uint64_t)(arg1[4]) * (arg2[4])); - x288 = ((uint64_t)(arg1[4]) * ((arg2[3]) * 0x2)); - x289 = ((uint64_t)(arg1[4]) * (arg2[2])); - x290 = ((uint64_t)(arg1[4]) * (arg2[1])); - x291 = ((uint64_t)(arg1[4]) * (arg2[0])); - x292 = ((uint64_t)(arg1[3]) * ((arg2[15]) * 0x2)); - x293 = ((uint64_t)(arg1[3]) * (arg2[14])); - x294 = ((uint64_t)(arg1[3]) * ((arg2[13]) * 0x2)); - x295 = ((uint64_t)(arg1[3]) * ((arg2[12]) * 0x2)); - x296 = ((uint64_t)(arg1[3]) * ((arg2[11]) * 0x2)); - x297 = ((uint64_t)(arg1[3]) * ((arg2[10]) * 0x2)); - x298 = ((uint64_t)(arg1[3]) * (arg2[9])); - x299 = ((uint64_t)(arg1[3]) * ((arg2[8]) * 0x2)); - x300 = ((uint64_t)(arg1[3]) * (arg2[7])); - x301 = ((uint64_t)(arg1[3]) * ((arg2[6]) * 0x2)); - x302 = ((uint64_t)(arg1[3]) * ((arg2[5]) * 0x2)); - x303 = ((uint64_t)(arg1[3]) * ((arg2[4]) * 0x2)); - x304 = ((uint64_t)(arg1[3]) * ((arg2[3]) * 0x2)); - x305 = ((uint64_t)(arg1[3]) * (arg2[2])); - x306 = ((uint64_t)(arg1[3]) * ((arg2[1]) * 0x2)); - x307 = ((uint64_t)(arg1[3]) * (arg2[0])); - x308 = ((uint64_t)(arg1[2]) * (arg2[16])); - x309 = ((uint64_t)(arg1[2]) * (arg2[15])); - x310 = ((uint64_t)(arg1[2]) * (arg2[14])); - x311 = ((uint64_t)(arg1[2]) * (arg2[13])); - x312 = ((uint64_t)(arg1[2]) * ((arg2[12]) * 0x2)); - x313 = ((uint64_t)(arg1[2]) * (arg2[11])); - x314 = ((uint64_t)(arg1[2]) * (arg2[10])); - x315 = ((uint64_t)(arg1[2]) * (arg2[9])); - x316 = ((uint64_t)(arg1[2]) * (arg2[8])); - x317 = ((uint64_t)(arg1[2]) * (arg2[7])); - x318 = ((uint64_t)(arg1[2]) * (arg2[6])); - x319 = ((uint64_t)(arg1[2]) * ((arg2[5]) * 0x2)); - x320 = ((uint64_t)(arg1[2]) * (arg2[4])); - x321 = ((uint64_t)(arg1[2]) * (arg2[3])); - x322 = ((uint64_t)(arg1[2]) * (arg2[2])); - x323 = ((uint64_t)(arg1[2]) * (arg2[1])); - x324 = ((uint64_t)(arg1[2]) * (arg2[0])); - x325 = ((uint64_t)(arg1[1]) * ((arg2[17]) * 0x2)); - x326 = ((uint64_t)(arg1[1]) * (arg2[16])); - x327 = ((uint64_t)(arg1[1]) * ((arg2[15]) * 0x2)); - x328 = ((uint64_t)(arg1[1]) * (arg2[14])); - x329 = ((uint64_t)(arg1[1]) * ((arg2[13]) * 0x2)); - x330 = ((uint64_t)(arg1[1]) * ((arg2[12]) * 0x2)); - x331 = ((uint64_t)(arg1[1]) * (arg2[11])); - x332 = ((uint64_t)(arg1[1]) * ((arg2[10]) * 0x2)); - x333 = ((uint64_t)(arg1[1]) * (arg2[9])); - x334 = ((uint64_t)(arg1[1]) * ((arg2[8]) * 0x2)); - x335 = ((uint64_t)(arg1[1]) * (arg2[7])); - x336 = ((uint64_t)(arg1[1]) * ((arg2[6]) * 0x2)); - x337 = ((uint64_t)(arg1[1]) * ((arg2[5]) * 0x2)); - x338 = ((uint64_t)(arg1[1]) * (arg2[4])); - x339 = ((uint64_t)(arg1[1]) * ((arg2[3]) * 0x2)); - x340 = ((uint64_t)(arg1[1]) * (arg2[2])); - x341 = ((uint64_t)(arg1[1]) * ((arg2[1]) * 0x2)); - x342 = ((uint64_t)(arg1[1]) * (arg2[0])); - x343 = ((uint64_t)(arg1[0]) * (arg2[18])); - x344 = ((uint64_t)(arg1[0]) * (arg2[17])); - x345 = ((uint64_t)(arg1[0]) * (arg2[16])); - x346 = ((uint64_t)(arg1[0]) * (arg2[15])); - x347 = ((uint64_t)(arg1[0]) * (arg2[14])); - x348 = ((uint64_t)(arg1[0]) * (arg2[13])); - x349 = ((uint64_t)(arg1[0]) * (arg2[12])); - x350 = ((uint64_t)(arg1[0]) * (arg2[11])); - x351 = ((uint64_t)(arg1[0]) * (arg2[10])); - x352 = ((uint64_t)(arg1[0]) * (arg2[9])); - x353 = ((uint64_t)(arg1[0]) * (arg2[8])); - x354 = ((uint64_t)(arg1[0]) * (arg2[7])); - x355 = ((uint64_t)(arg1[0]) * (arg2[6])); - x356 = ((uint64_t)(arg1[0]) * (arg2[5])); - x357 = ((uint64_t)(arg1[0]) * (arg2[4])); - x358 = ((uint64_t)(arg1[0]) * (arg2[3])); - x359 = ((uint64_t)(arg1[0]) * (arg2[2])); - x360 = ((uint64_t)(arg1[0]) * (arg2[1])); - x361 = ((uint64_t)(arg1[0]) * (arg2[0])); - x362 = - (x361 + - (x171 + - (x170 + - (x168 + - (x165 + - (x161 + - (x156 + - (x150 + - (x143 + - (x135 + - (x126 + - (x116 + - (x105 + - (x93 + (x80 + (x66 + (x51 + (x35 + x18)))))))))))))))))); - x363 = (x362 >> 28); - x364 = (uint32_t)(x362 & UINT32_C(0xfffffff)); - x365 = (x343 + - (x325 + - (x308 + - (x292 + - (x277 + - (x263 + - (x250 + - (x238 + - (x227 + - (x217 + - (x208 + - (x200 + - (x193 + - (x187 + - (x182 + (x178 + (x175 + (x173 + x172)))))))))))))))))); - x366 = (x344 + - (x326 + - (x309 + - (x293 + - (x278 + - (x264 + - (x251 + - (x239 + - (x228 + - (x218 + - (x209 + - (x201 + - (x194 + - (x188 + - (x183 + (x179 + (x176 + (x174 + x1)))))))))))))))))); - x367 = (x345 + - (x327 + - (x310 + - (x294 + - (x279 + - (x265 + - (x252 + - (x240 + - (x229 + - (x219 + - (x210 + - (x202 + - (x195 + - (x189 + - (x184 + (x180 + (x177 + (x19 + x2)))))))))))))))))); - x368 = - (x346 + - (x328 + - (x311 + - (x295 + - (x280 + - (x266 + - (x253 + - (x241 + - (x230 + - (x220 + - (x211 + - (x203 + - (x196 + - (x190 + (x185 + (x181 + (x36 + (x20 + x3)))))))))))))))))); - x369 = - (x347 + - (x329 + - (x312 + - (x296 + - (x281 + - (x267 + - (x254 + - (x242 + - (x231 + - (x221 + - (x212 + - (x204 + - (x197 + - (x191 + (x186 + (x52 + (x37 + (x21 + x4)))))))))))))))))); - x370 = - (x348 + - (x330 + - (x313 + - (x297 + - (x282 + - (x268 + - (x255 + - (x243 + - (x232 + - (x222 + - (x213 + - (x205 + - (x198 + - (x192 + (x67 + (x53 + (x38 + (x22 + x5)))))))))))))))))); - x371 = (x349 + - (x331 + - (x314 + - (x298 + - (x283 + - (x269 + - (x256 + - (x244 + - (x233 + - (x223 + - (x214 + - (x206 + - (x199 + - (x81 + (x68 + (x54 + (x39 + (x23 + x6)))))))))))))))))); - x372 = (x350 + - (x332 + - (x315 + - (x299 + - (x284 + - (x270 + - (x257 + - (x245 + - (x234 + - (x224 + - (x215 + - (x207 + - (x94 + - (x82 + (x69 + (x55 + (x40 + (x24 + x7)))))))))))))))))); - x373 = (x351 + - (x333 + - (x316 + - (x300 + - (x285 + - (x271 + - (x258 + - (x246 + - (x235 + - (x225 + - (x216 + - (x106 + - (x95 + - (x83 + (x70 + (x56 + (x41 + (x25 + x8)))))))))))))))))); - x374 = (x352 + - (x334 + - (x317 + - (x301 + - (x286 + - (x272 + - (x259 + - (x247 + - (x236 + - (x226 + - (x117 + - (x107 + - (x96 + - (x84 + (x71 + (x57 + (x42 + (x26 + x9)))))))))))))))))); - x375 = - (x353 + - (x335 + - (x318 + - (x302 + - (x287 + - (x273 + - (x260 + - (x248 + - (x237 + - (x127 + - (x118 + - (x108 + - (x97 + - (x85 + (x72 + (x58 + (x43 + (x27 + x10)))))))))))))))))); - x376 = - (x354 + - (x336 + - (x319 + - (x303 + - (x288 + - (x274 + - (x261 + - (x249 + - (x136 + - (x128 + - (x119 + - (x109 + - (x98 + - (x86 + (x73 + (x59 + (x44 + (x28 + x11)))))))))))))))))); - x377 = - (x355 + - (x337 + - (x320 + - (x304 + - (x289 + - (x275 + - (x262 + - (x144 + - (x137 + - (x129 + - (x120 + - (x110 + - (x99 + - (x87 + (x74 + (x60 + (x45 + (x29 + x12)))))))))))))))))); - x378 = - (x356 + - (x338 + - (x321 + - (x305 + - (x290 + - (x276 + - (x151 + - (x145 + - (x138 + - (x130 + - (x121 + - (x111 + - (x100 + - (x88 + (x75 + (x61 + (x46 + (x30 + x13)))))))))))))))))); - x379 = - (x357 + - (x339 + - (x322 + - (x306 + - (x291 + - (x157 + - (x152 + - (x146 + - (x139 + - (x131 + - (x122 + - (x112 + - (x101 + - (x89 + (x76 + (x62 + (x47 + (x31 + x14)))))))))))))))))); - x380 = - (x358 + - (x340 + - (x323 + - (x307 + - (x162 + - (x158 + - (x153 + - (x147 + - (x140 + - (x132 + - (x123 + - (x113 + - (x102 + - (x90 + (x77 + (x63 + (x48 + (x32 + x15)))))))))))))))))); - x381 = - (x359 + - (x341 + - (x324 + - (x166 + - (x163 + - (x159 + - (x154 + - (x148 + - (x141 + - (x133 + - (x124 + - (x114 + - (x103 + - (x91 + (x78 + (x64 + (x49 + (x33 + x16)))))))))))))))))); - x382 = - (x360 + - (x342 + - (x169 + - (x167 + - (x164 + - (x160 + - (x155 + - (x149 + - (x142 + - (x134 + - (x125 + - (x115 + - (x104 + - (x92 + (x79 + (x65 + (x50 + (x34 + x17)))))))))))))))))); - x383 = (x363 + x382); - x384 = (x383 >> 27); - x385 = (uint32_t)(x383 & UINT32_C(0x7ffffff)); - x386 = (x384 + x381); - x387 = (x386 >> 28); - x388 = (uint32_t)(x386 & UINT32_C(0xfffffff)); - x389 = (x387 + x380); - x390 = (x389 >> 27); - x391 = (uint32_t)(x389 & UINT32_C(0x7ffffff)); - x392 = (x390 + x379); - x393 = (x392 >> 28); - x394 = (uint32_t)(x392 & UINT32_C(0xfffffff)); - x395 = (x393 + x378); - x396 = (x395 >> 27); - x397 = (uint32_t)(x395 & UINT32_C(0x7ffffff)); - x398 = (x396 + x377); - x399 = (x398 >> 27); - x400 = (uint32_t)(x398 & UINT32_C(0x7ffffff)); - x401 = (x399 + x376); - x402 = (x401 >> 28); - x403 = (uint32_t)(x401 & UINT32_C(0xfffffff)); - x404 = (x402 + x375); - x405 = (x404 >> 27); - x406 = (uint32_t)(x404 & UINT32_C(0x7ffffff)); - x407 = (x405 + x374); - x408 = (x407 >> 28); - x409 = (uint32_t)(x407 & UINT32_C(0xfffffff)); - x410 = (x408 + x373); - x411 = (x410 >> 27); - x412 = (uint32_t)(x410 & UINT32_C(0x7ffffff)); - x413 = (x411 + x372); - x414 = (x413 >> 28); - x415 = (uint32_t)(x413 & UINT32_C(0xfffffff)); - x416 = (x414 + x371); - x417 = (x416 >> 27); - x418 = (uint32_t)(x416 & UINT32_C(0x7ffffff)); - x419 = (x417 + x370); - x420 = (x419 >> 27); - x421 = (uint32_t)(x419 & UINT32_C(0x7ffffff)); - x422 = (x420 + x369); - x423 = (x422 >> 28); - x424 = (uint32_t)(x422 & UINT32_C(0xfffffff)); - x425 = (x423 + x368); - x426 = (x425 >> 27); - x427 = (uint32_t)(x425 & UINT32_C(0x7ffffff)); - x428 = (x426 + x367); - x429 = (x428 >> 28); - x430 = (uint32_t)(x428 & UINT32_C(0xfffffff)); - x431 = (x429 + x366); - x432 = (x431 >> 27); - x433 = (uint32_t)(x431 & UINT32_C(0x7ffffff)); - x434 = (x432 + x365); - x435 = (x434 >> 27); - x436 = (uint32_t)(x434 & UINT32_C(0x7ffffff)); - x437 = (x364 + x435); - x438 = (uint32_t)(x437 >> 28); - x439 = (uint32_t)(x437 & UINT32_C(0xfffffff)); - x440 = (x438 + x385); - x441 = (fiat_secp521r1_uint1)(x440 >> 27); - x442 = (x440 & UINT32_C(0x7ffffff)); - x443 = (x441 + x388); - out1[0] = x439; - out1[1] = x442; - out1[2] = x443; - out1[3] = x391; - out1[4] = x394; - out1[5] = x397; - out1[6] = x400; - out1[7] = x403; - out1[8] = x406; - out1[9] = x409; - out1[10] = x412; - out1[11] = x415; - out1[12] = x418; - out1[13] = x421; - out1[14] = x424; - out1[15] = x427; - out1[16] = x430; - out1[17] = x433; - out1[18] = x436; -} + X->len = 133; + X->data[0] = EC_POINT_FORM_UNCOMPRESSED; + memcpy(X->data + 1, derived, 132); + + } else { + uint8_t full_key[66] = { 0 }; + uint8_t *key; + uint8_t derived[132] = { 0 }; + + if (!X || !k || !P || !X->data || !k->data || !P->data || + X->len < 66 || P->len != 133 || + P->data[0] != EC_POINT_FORM_UNCOMPRESSED) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + res = SECFailure; + return res; + } -/* - * The function fiat_secp521r1_carry_square squares a field element and reduces the result. - * - * Postconditions: - * eval out1 mod m = (eval arg1 * eval arg1) mod m - * - */ -static void -fiat_secp521r1_carry_square( - fiat_secp521r1_tight_field_element out1, - const fiat_secp521r1_loose_field_element arg1) -{ - uint32_t x1; - uint32_t x2; - uint32_t x3; - uint32_t x4; - uint32_t x5; - uint32_t x6; - uint32_t x7; - uint32_t x8; - uint32_t x9; - uint32_t x10; - uint32_t x11; - uint32_t x12; - uint32_t x13; - uint32_t x14; - uint32_t x15; - uint32_t x16; - uint32_t x17; - uint32_t x18; - uint32_t x19; - uint32_t x20; - uint32_t x21; - uint32_t x22; - uint32_t x23; - uint32_t x24; - uint32_t x25; - uint32_t x26; - uint32_t x27; - uint32_t x28; - uint32_t x29; - uint32_t x30; - uint32_t x31; - uint32_t x32; - uint32_t x33; - uint32_t x34; - uint32_t x35; - uint32_t x36; - uint64_t x37; - uint64_t x38; - uint64_t x39; - uint64_t x40; - uint64_t x41; - uint64_t x42; - uint64_t x43; - uint64_t x44; - uint64_t x45; - uint64_t x46; - uint64_t x47; - uint64_t x48; - uint64_t x49; - uint64_t x50; - uint64_t x51; - uint64_t x52; - uint64_t x53; - uint64_t x54; - uint64_t x55; - uint64_t x56; - uint64_t x57; - uint64_t x58; - uint64_t x59; - uint64_t x60; - uint64_t x61; - uint64_t x62; - uint64_t x63; - uint64_t x64; - uint64_t x65; - uint64_t x66; - uint64_t x67; - uint64_t x68; - uint64_t x69; - uint64_t x70; - uint64_t x71; - uint64_t x72; - uint64_t x73; - uint64_t x74; - uint64_t x75; - uint64_t x76; - uint64_t x77; - uint64_t x78; - uint64_t x79; - uint64_t x80; - uint64_t x81; - uint64_t x82; - uint64_t x83; - uint64_t x84; - uint64_t x85; - uint64_t x86; - uint64_t x87; - uint64_t x88; - uint64_t x89; - uint64_t x90; - uint64_t x91; - uint64_t x92; - uint64_t x93; - uint64_t x94; - uint64_t x95; - uint64_t x96; - uint64_t x97; - uint64_t x98; - uint64_t x99; - uint64_t x100; - uint64_t x101; - uint64_t x102; - uint64_t x103; - uint64_t x104; - uint64_t x105; - uint64_t x106; - uint64_t x107; - uint64_t x108; - uint64_t x109; - uint64_t x110; - uint64_t x111; - uint64_t x112; - uint64_t x113; - uint64_t x114; - uint64_t x115; - uint64_t x116; - uint64_t x117; - uint64_t x118; - uint64_t x119; - uint64_t x120; - uint64_t x121; - uint64_t x122; - uint64_t x123; - uint64_t x124; - uint64_t x125; - uint64_t x126; - uint64_t x127; - uint64_t x128; - uint64_t x129; - uint64_t x130; - uint64_t x131; - uint64_t x132; - uint64_t x133; - uint64_t x134; - uint64_t x135; - uint64_t x136; - uint64_t x137; - uint64_t x138; - uint64_t x139; - uint64_t x140; - uint64_t x141; - uint64_t x142; - uint64_t x143; - uint64_t x144; - uint64_t x145; - uint64_t x146; - uint64_t x147; - uint64_t x148; - uint64_t x149; - uint64_t x150; - uint64_t x151; - uint64_t x152; - uint64_t x153; - uint64_t x154; - uint64_t x155; - uint64_t x156; - uint64_t x157; - uint64_t x158; - uint64_t x159; - uint64_t x160; - uint64_t x161; - uint64_t x162; - uint64_t x163; - uint64_t x164; - uint64_t x165; - uint64_t x166; - uint64_t x167; - uint64_t x168; - uint64_t x169; - uint64_t x170; - uint64_t x171; - uint64_t x172; - uint64_t x173; - uint64_t x174; - uint64_t x175; - uint64_t x176; - uint64_t x177; - uint64_t x178; - uint64_t x179; - uint64_t x180; - uint64_t x181; - uint64_t x182; - uint64_t x183; - uint64_t x184; - uint64_t x185; - uint64_t x186; - uint64_t x187; - uint64_t x188; - uint64_t x189; - uint64_t x190; - uint64_t x191; - uint64_t x192; - uint64_t x193; - uint64_t x194; - uint64_t x195; - uint64_t x196; - uint64_t x197; - uint64_t x198; - uint64_t x199; - uint64_t x200; - uint64_t x201; - uint64_t x202; - uint64_t x203; - uint64_t x204; - uint64_t x205; - uint64_t x206; - uint64_t x207; - uint64_t x208; - uint64_t x209; - uint64_t x210; - uint64_t x211; - uint64_t x212; - uint64_t x213; - uint64_t x214; - uint64_t x215; - uint64_t x216; - uint64_t x217; - uint64_t x218; - uint64_t x219; - uint64_t x220; - uint64_t x221; - uint64_t x222; - uint64_t x223; - uint64_t x224; - uint64_t x225; - uint64_t x226; - uint64_t x227; - uint64_t x228; - uint32_t x229; - uint64_t x230; - uint64_t x231; - uint64_t x232; - uint64_t x233; - uint64_t x234; - uint64_t x235; - uint64_t x236; - uint64_t x237; - uint64_t x238; - uint64_t x239; - uint64_t x240; - uint64_t x241; - uint64_t x242; - uint64_t x243; - uint64_t x244; - uint64_t x245; - uint64_t x246; - uint64_t x247; - uint64_t x248; - uint64_t x249; - uint32_t x250; - uint64_t x251; - uint64_t x252; - uint32_t x253; - uint64_t x254; - uint64_t x255; - uint32_t x256; - uint64_t x257; - uint64_t x258; - uint32_t x259; - uint64_t x260; - uint64_t x261; - uint32_t x262; - uint64_t x263; - uint64_t x264; - uint32_t x265; - uint64_t x266; - uint64_t x267; - uint32_t x268; - uint64_t x269; - uint64_t x270; - uint32_t x271; - uint64_t x272; - uint64_t x273; - uint32_t x274; - uint64_t x275; - uint64_t x276; - uint32_t x277; - uint64_t x278; - uint64_t x279; - uint32_t x280; - uint64_t x281; - uint64_t x282; - uint32_t x283; - uint64_t x284; - uint64_t x285; - uint32_t x286; - uint64_t x287; - uint64_t x288; - uint32_t x289; - uint64_t x290; - uint64_t x291; - uint32_t x292; - uint64_t x293; - uint64_t x294; - uint32_t x295; - uint64_t x296; - uint64_t x297; - uint32_t x298; - uint64_t x299; - uint64_t x300; - uint32_t x301; - uint64_t x302; - uint32_t x303; - uint32_t x304; - uint32_t x305; - fiat_secp521r1_uint1 x306; - uint32_t x307; - uint32_t x308; - x1 = (arg1[18]); - x2 = (x1 * 0x2); - x3 = ((arg1[18]) * 0x2); - x4 = (arg1[17]); - x5 = (x4 * 0x2); - x6 = ((arg1[17]) * 0x2); - x7 = (arg1[16]); - x8 = (x7 * 0x2); - x9 = ((arg1[16]) * 0x2); - x10 = (arg1[15]); - x11 = (x10 * 0x2); - x12 = ((arg1[15]) * 0x2); - x13 = (arg1[14]); - x14 = (x13 * 0x2); - x15 = ((arg1[14]) * 0x2); - x16 = (arg1[13]); - x17 = (x16 * 0x2); - x18 = ((arg1[13]) * 0x2); - x19 = (arg1[12]); - x20 = (x19 * 0x2); - x21 = ((arg1[12]) * 0x2); - x22 = (arg1[11]); - x23 = (x22 * 0x2); - x24 = ((arg1[11]) * 0x2); - x25 = (arg1[10]); - x26 = (x25 * 0x2); - x27 = ((arg1[10]) * 0x2); - x28 = ((arg1[9]) * 0x2); - x29 = ((arg1[8]) * 0x2); - x30 = ((arg1[7]) * 0x2); - x31 = ((arg1[6]) * 0x2); - x32 = ((arg1[5]) * 0x2); - x33 = ((arg1[4]) * 0x2); - x34 = ((arg1[3]) * 0x2); - x35 = ((arg1[2]) * 0x2); - x36 = ((arg1[1]) * 0x2); - x37 = ((uint64_t)(arg1[18]) * x1); - x38 = ((uint64_t)(arg1[17]) * (x2 * 0x2)); - x39 = ((uint64_t)(arg1[17]) * (x4 * 0x2)); - x40 = ((uint64_t)(arg1[16]) * x2); - x41 = ((uint64_t)(arg1[16]) * (x5 * 0x2)); - x42 = ((uint64_t)(arg1[16]) * x7); - x43 = ((uint64_t)(arg1[15]) * (x2 * 0x2)); - x44 = ((uint64_t)(arg1[15]) * (x5 * 0x2)); - x45 = ((uint64_t)(arg1[15]) * x8); - x46 = ((uint64_t)(arg1[15]) * (x10 * 0x2)); - x47 = ((uint64_t)(arg1[14]) * x2); - x48 = ((uint64_t)(arg1[14]) * x5); - x49 = ((uint64_t)(arg1[14]) * x8); - x50 = ((uint64_t)(arg1[14]) * x11); - x51 = ((uint64_t)(arg1[14]) * x13); - x52 = ((uint64_t)(arg1[13]) * x2); - x53 = ((uint64_t)(arg1[13]) * (x5 * 0x2)); - x54 = ((uint64_t)(arg1[13]) * x8); - x55 = ((uint64_t)(arg1[13]) * (x11 * 0x2)); - x56 = ((uint64_t)(arg1[13]) * x14); - x57 = ((uint64_t)(arg1[13]) * (x16 * 0x2)); - x58 = ((uint64_t)(arg1[12]) * (x2 * 0x2)); - x59 = ((uint64_t)(arg1[12]) * (x5 * 0x2)); - x60 = ((uint64_t)(arg1[12]) * (x8 * 0x2)); - x61 = ((uint64_t)(arg1[12]) * (x11 * 0x2)); - x62 = ((uint64_t)(arg1[12]) * (x14 * 0x2)); - x63 = ((uint64_t)(arg1[12]) * (x17 * 0x2)); - x64 = ((uint64_t)(arg1[12]) * (x19 * 0x2)); - x65 = ((uint64_t)(arg1[11]) * x2); - x66 = ((uint64_t)(arg1[11]) * (x5 * 0x2)); - x67 = ((uint64_t)(arg1[11]) * x8); - x68 = ((uint64_t)(arg1[11]) * (x11 * 0x2)); - x69 = ((uint64_t)(arg1[11]) * x14); - x70 = ((uint64_t)(arg1[11]) * x17); - x71 = ((uint64_t)(arg1[11]) * (x20 * 0x2)); - x72 = ((uint64_t)(arg1[11]) * x22); - x73 = ((uint64_t)(arg1[10]) * (x2 * 0x2)); - x74 = ((uint64_t)(arg1[10]) * (x5 * 0x2)); - x75 = ((uint64_t)(arg1[10]) * (x8 * 0x2)); - x76 = ((uint64_t)(arg1[10]) * (x11 * 0x2)); - x77 = ((uint64_t)(arg1[10]) * x14); - x78 = ((uint64_t)(arg1[10]) * (x17 * 0x2)); - x79 = ((uint64_t)(arg1[10]) * (x20 * 0x2)); - x80 = ((uint64_t)(arg1[10]) * (x23 * 0x2)); - x81 = ((uint64_t)(arg1[10]) * (x25 * 0x2)); - x82 = ((uint64_t)(arg1[9]) * x2); - x83 = ((uint64_t)(arg1[9]) * (x5 * 0x2)); - x84 = ((uint64_t)(arg1[9]) * x8); - x85 = ((uint64_t)(arg1[9]) * x11); - x86 = ((uint64_t)(arg1[9]) * x14); - x87 = ((uint64_t)(arg1[9]) * x17); - x88 = ((uint64_t)(arg1[9]) * (x20 * 0x2)); - x89 = ((uint64_t)(arg1[9]) * x23); - x90 = ((uint64_t)(arg1[9]) * (x26 * 0x2)); - x91 = ((uint64_t)(arg1[9]) * (arg1[9])); - x92 = ((uint64_t)(arg1[8]) * (x2 * 0x2)); - x93 = ((uint64_t)(arg1[8]) * (x5 * 0x2)); - x94 = ((uint64_t)(arg1[8]) * x8); - x95 = ((uint64_t)(arg1[8]) * (x11 * 0x2)); - x96 = ((uint64_t)(arg1[8]) * x14); - x97 = ((uint64_t)(arg1[8]) * (x17 * 0x2)); - x98 = ((uint64_t)(arg1[8]) * (x20 * 0x2)); - x99 = ((uint64_t)(arg1[8]) * (x23 * 0x2)); - x100 = ((uint64_t)(arg1[8]) * (x27 * 0x2)); - x101 = ((uint64_t)(arg1[8]) * x28); - x102 = ((uint64_t)(arg1[8]) * ((arg1[8]) * 0x2)); - x103 = ((uint64_t)(arg1[7]) * x2); - x104 = ((uint64_t)(arg1[7]) * x5); - x105 = ((uint64_t)(arg1[7]) * x8); - x106 = ((uint64_t)(arg1[7]) * x11); - x107 = ((uint64_t)(arg1[7]) * x14); - x108 = ((uint64_t)(arg1[7]) * x17); - x109 = ((uint64_t)(arg1[7]) * (x20 * 0x2)); - x110 = ((uint64_t)(arg1[7]) * x24); - x111 = ((uint64_t)(arg1[7]) * x27); - x112 = ((uint64_t)(arg1[7]) * x28); - x113 = ((uint64_t)(arg1[7]) * x29); - x114 = ((uint64_t)(arg1[7]) * (arg1[7])); - x115 = ((uint64_t)(arg1[6]) * x2); - x116 = ((uint64_t)(arg1[6]) * (x5 * 0x2)); - x117 = ((uint64_t)(arg1[6]) * x8); - x118 = ((uint64_t)(arg1[6]) * (x11 * 0x2)); - x119 = ((uint64_t)(arg1[6]) * x14); - x120 = ((uint64_t)(arg1[6]) * (x17 * 0x2)); - x121 = ((uint64_t)(arg1[6]) * (x21 * 0x2)); - x122 = ((uint64_t)(arg1[6]) * x24); - x123 = ((uint64_t)(arg1[6]) * (x27 * 0x2)); - x124 = ((uint64_t)(arg1[6]) * x28); - x125 = ((uint64_t)(arg1[6]) * (x29 * 0x2)); - x126 = ((uint64_t)(arg1[6]) * x30); - x127 = ((uint64_t)(arg1[6]) * (arg1[6])); - x128 = ((uint64_t)(arg1[5]) * (x2 * 0x2)); - x129 = ((uint64_t)(arg1[5]) * (x5 * 0x2)); - x130 = ((uint64_t)(arg1[5]) * (x8 * 0x2)); - x131 = ((uint64_t)(arg1[5]) * (x11 * 0x2)); - x132 = ((uint64_t)(arg1[5]) * (x14 * 0x2)); - x133 = ((uint64_t)(arg1[5]) * (x18 * 0x2)); - x134 = ((uint64_t)(arg1[5]) * (x21 * 0x2)); - x135 = ((uint64_t)(arg1[5]) * (x24 * 0x2)); - x136 = ((uint64_t)(arg1[5]) * (x27 * 0x2)); - x137 = ((uint64_t)(arg1[5]) * (x28 * 0x2)); - x138 = ((uint64_t)(arg1[5]) * (x29 * 0x2)); - x139 = ((uint64_t)(arg1[5]) * x30); - x140 = ((uint64_t)(arg1[5]) * (x31 * 0x2)); - x141 = ((uint64_t)(arg1[5]) * ((arg1[5]) * 0x2)); - x142 = ((uint64_t)(arg1[4]) * x2); - x143 = ((uint64_t)(arg1[4]) * (x5 * 0x2)); - x144 = ((uint64_t)(arg1[4]) * x8); - x145 = ((uint64_t)(arg1[4]) * (x11 * 0x2)); - x146 = ((uint64_t)(arg1[4]) * x15); - x147 = ((uint64_t)(arg1[4]) * x18); - x148 = ((uint64_t)(arg1[4]) * (x21 * 0x2)); - x149 = ((uint64_t)(arg1[4]) * x24); - x150 = ((uint64_t)(arg1[4]) * (x27 * 0x2)); - x151 = ((uint64_t)(arg1[4]) * x28); - x152 = ((uint64_t)(arg1[4]) * x29); - x153 = ((uint64_t)(arg1[4]) * x30); - x154 = ((uint64_t)(arg1[4]) * x31); - x155 = ((uint64_t)(arg1[4]) * (x32 * 0x2)); - x156 = ((uint64_t)(arg1[4]) * (arg1[4])); - x157 = ((uint64_t)(arg1[3]) * (x2 * 0x2)); - x158 = ((uint64_t)(arg1[3]) * (x5 * 0x2)); - x159 = ((uint64_t)(arg1[3]) * (x8 * 0x2)); - x160 = ((uint64_t)(arg1[3]) * (x12 * 0x2)); - x161 = ((uint64_t)(arg1[3]) * x15); - x162 = ((uint64_t)(arg1[3]) * (x18 * 0x2)); - x163 = ((uint64_t)(arg1[3]) * (x21 * 0x2)); - x164 = ((uint64_t)(arg1[3]) * (x24 * 0x2)); - x165 = ((uint64_t)(arg1[3]) * (x27 * 0x2)); - x166 = ((uint64_t)(arg1[3]) * x28); - x167 = ((uint64_t)(arg1[3]) * (x29 * 0x2)); - x168 = ((uint64_t)(arg1[3]) * x30); - x169 = ((uint64_t)(arg1[3]) * (x31 * 0x2)); - x170 = ((uint64_t)(arg1[3]) * (x32 * 0x2)); - x171 = ((uint64_t)(arg1[3]) * (x33 * 0x2)); - x172 = ((uint64_t)(arg1[3]) * ((arg1[3]) * 0x2)); - x173 = ((uint64_t)(arg1[2]) * x2); - x174 = ((uint64_t)(arg1[2]) * (x5 * 0x2)); - x175 = ((uint64_t)(arg1[2]) * x9); - x176 = ((uint64_t)(arg1[2]) * x12); - x177 = ((uint64_t)(arg1[2]) * x15); - x178 = ((uint64_t)(arg1[2]) * x18); - x179 = ((uint64_t)(arg1[2]) * (x21 * 0x2)); - x180 = ((uint64_t)(arg1[2]) * x24); - x181 = ((uint64_t)(arg1[2]) * x27); - x182 = ((uint64_t)(arg1[2]) * x28); - x183 = ((uint64_t)(arg1[2]) * x29); - x184 = ((uint64_t)(arg1[2]) * x30); - x185 = ((uint64_t)(arg1[2]) * x31); - x186 = ((uint64_t)(arg1[2]) * (x32 * 0x2)); - x187 = ((uint64_t)(arg1[2]) * x33); - x188 = ((uint64_t)(arg1[2]) * x34); - x189 = ((uint64_t)(arg1[2]) * (arg1[2])); - x190 = ((uint64_t)(arg1[1]) * (x2 * 0x2)); - x191 = ((uint64_t)(arg1[1]) * (x6 * 0x2)); - x192 = ((uint64_t)(arg1[1]) * x9); - x193 = ((uint64_t)(arg1[1]) * (x12 * 0x2)); - x194 = ((uint64_t)(arg1[1]) * x15); - x195 = ((uint64_t)(arg1[1]) * (x18 * 0x2)); - x196 = ((uint64_t)(arg1[1]) * (x21 * 0x2)); - x197 = ((uint64_t)(arg1[1]) * x24); - x198 = ((uint64_t)(arg1[1]) * (x27 * 0x2)); - x199 = ((uint64_t)(arg1[1]) * x28); - x200 = ((uint64_t)(arg1[1]) * (x29 * 0x2)); - x201 = ((uint64_t)(arg1[1]) * x30); - x202 = ((uint64_t)(arg1[1]) * (x31 * 0x2)); - x203 = ((uint64_t)(arg1[1]) * (x32 * 0x2)); - x204 = ((uint64_t)(arg1[1]) * x33); - x205 = ((uint64_t)(arg1[1]) * (x34 * 0x2)); - x206 = ((uint64_t)(arg1[1]) * x35); - x207 = ((uint64_t)(arg1[1]) * ((arg1[1]) * 0x2)); - x208 = ((uint64_t)(arg1[0]) * x3); - x209 = ((uint64_t)(arg1[0]) * x6); - x210 = ((uint64_t)(arg1[0]) * x9); - x211 = ((uint64_t)(arg1[0]) * x12); - x212 = ((uint64_t)(arg1[0]) * x15); - x213 = ((uint64_t)(arg1[0]) * x18); - x214 = ((uint64_t)(arg1[0]) * x21); - x215 = ((uint64_t)(arg1[0]) * x24); - x216 = ((uint64_t)(arg1[0]) * x27); - x217 = ((uint64_t)(arg1[0]) * x28); - x218 = ((uint64_t)(arg1[0]) * x29); - x219 = ((uint64_t)(arg1[0]) * x30); - x220 = ((uint64_t)(arg1[0]) * x31); - x221 = ((uint64_t)(arg1[0]) * x32); - x222 = ((uint64_t)(arg1[0]) * x33); - x223 = ((uint64_t)(arg1[0]) * x34); - x224 = ((uint64_t)(arg1[0]) * x35); - x225 = ((uint64_t)(arg1[0]) * x36); - x226 = ((uint64_t)(arg1[0]) * (arg1[0])); - x227 = - (x226 + - (x190 + - (x174 + (x159 + (x145 + (x132 + (x120 + (x109 + (x99 + x90))))))))); - x228 = (x227 >> 28); - x229 = (uint32_t)(x227 & UINT32_C(0xfffffff)); - x230 = - (x208 + - (x191 + - (x175 + (x160 + (x146 + (x133 + (x121 + (x110 + (x100 + x91))))))))); - x231 = - (x209 + - (x192 + - (x176 + (x161 + (x147 + (x134 + (x122 + (x111 + (x101 + x37))))))))); - x232 = - (x210 + - (x193 + - (x177 + (x162 + (x148 + (x135 + (x123 + (x112 + (x102 + x38))))))))); - x233 = - (x211 + - (x194 + - (x178 + (x163 + (x149 + (x136 + (x124 + (x113 + (x40 + x39))))))))); - x234 = - (x212 + - (x195 + - (x179 + (x164 + (x150 + (x137 + (x125 + (x114 + (x43 + x41))))))))); - x235 = (x213 + - (x196 + - (x180 + (x165 + (x151 + (x138 + (x126 + (x47 + (x44 + x42))))))))); - x236 = (x214 + - (x197 + - (x181 + (x166 + (x152 + (x139 + (x127 + (x52 + (x48 + x45))))))))); - x237 = (x215 + - (x198 + - (x182 + (x167 + (x153 + (x140 + (x58 + (x53 + (x49 + x46))))))))); - x238 = (x216 + - (x199 + - (x183 + (x168 + (x154 + (x141 + (x65 + (x59 + (x54 + x50))))))))); - x239 = (x217 + - (x200 + - (x184 + (x169 + (x155 + (x73 + (x66 + (x60 + (x55 + x51))))))))); - x240 = (x218 + - (x201 + - (x185 + (x170 + (x156 + (x82 + (x74 + (x67 + (x61 + x56))))))))); - x241 = (x219 + - (x202 + - (x186 + (x171 + (x92 + (x83 + (x75 + (x68 + (x62 + x57))))))))); - x242 = (x220 + - (x203 + - (x187 + (x172 + (x103 + (x93 + (x84 + (x76 + (x69 + x63))))))))); - x243 = (x221 + - (x204 + - (x188 + (x115 + (x104 + (x94 + (x85 + (x77 + (x70 + x64))))))))); - x244 = (x222 + - (x205 + - (x189 + (x128 + (x116 + (x105 + (x95 + (x86 + (x78 + x71))))))))); - x245 = (x223 + - (x206 + - (x142 + (x129 + (x117 + (x106 + (x96 + (x87 + (x79 + x72))))))))); - x246 = (x224 + - (x207 + - (x157 + (x143 + (x130 + (x118 + (x107 + (x97 + (x88 + x80))))))))); - x247 = (x225 + - (x173 + - (x158 + (x144 + (x131 + (x119 + (x108 + (x98 + (x89 + x81))))))))); - x248 = (x228 + x247); - x249 = (x248 >> 27); - x250 = (uint32_t)(x248 & UINT32_C(0x7ffffff)); - x251 = (x249 + x246); - x252 = (x251 >> 28); - x253 = (uint32_t)(x251 & UINT32_C(0xfffffff)); - x254 = (x252 + x245); - x255 = (x254 >> 27); - x256 = (uint32_t)(x254 & UINT32_C(0x7ffffff)); - x257 = (x255 + x244); - x258 = (x257 >> 28); - x259 = (uint32_t)(x257 & UINT32_C(0xfffffff)); - x260 = (x258 + x243); - x261 = (x260 >> 27); - x262 = (uint32_t)(x260 & UINT32_C(0x7ffffff)); - x263 = (x261 + x242); - x264 = (x263 >> 27); - x265 = (uint32_t)(x263 & UINT32_C(0x7ffffff)); - x266 = (x264 + x241); - x267 = (x266 >> 28); - x268 = (uint32_t)(x266 & UINT32_C(0xfffffff)); - x269 = (x267 + x240); - x270 = (x269 >> 27); - x271 = (uint32_t)(x269 & UINT32_C(0x7ffffff)); - x272 = (x270 + x239); - x273 = (x272 >> 28); - x274 = (uint32_t)(x272 & UINT32_C(0xfffffff)); - x275 = (x273 + x238); - x276 = (x275 >> 27); - x277 = (uint32_t)(x275 & UINT32_C(0x7ffffff)); - x278 = (x276 + x237); - x279 = (x278 >> 28); - x280 = (uint32_t)(x278 & UINT32_C(0xfffffff)); - x281 = (x279 + x236); - x282 = (x281 >> 27); - x283 = (uint32_t)(x281 & UINT32_C(0x7ffffff)); - x284 = (x282 + x235); - x285 = (x284 >> 27); - x286 = (uint32_t)(x284 & UINT32_C(0x7ffffff)); - x287 = (x285 + x234); - x288 = (x287 >> 28); - x289 = (uint32_t)(x287 & UINT32_C(0xfffffff)); - x290 = (x288 + x233); - x291 = (x290 >> 27); - x292 = (uint32_t)(x290 & UINT32_C(0x7ffffff)); - x293 = (x291 + x232); - x294 = (x293 >> 28); - x295 = (uint32_t)(x293 & UINT32_C(0xfffffff)); - x296 = (x294 + x231); - x297 = (x296 >> 27); - x298 = (uint32_t)(x296 & UINT32_C(0x7ffffff)); - x299 = (x297 + x230); - x300 = (x299 >> 27); - x301 = (uint32_t)(x299 & UINT32_C(0x7ffffff)); - x302 = (x229 + x300); - x303 = (uint32_t)(x302 >> 28); - x304 = (uint32_t)(x302 & UINT32_C(0xfffffff)); - x305 = (x303 + x250); - x306 = (fiat_secp521r1_uint1)(x305 >> 27); - x307 = (x305 & UINT32_C(0x7ffffff)); - x308 = (x306 + x253); - out1[0] = x304; - out1[1] = x307; - out1[2] = x308; - out1[3] = x256; - out1[4] = x259; - out1[5] = x262; - out1[6] = x265; - out1[7] = x268; - out1[8] = x271; - out1[9] = x274; - out1[10] = x277; - out1[11] = x280; - out1[12] = x283; - out1[13] = x286; - out1[14] = x289; - out1[15] = x292; - out1[16] = x295; - out1[17] = x298; - out1[18] = x301; -} + /* We consider keys of up to size 66, or of size 67 with a single leading 0 */ + if (k->len < 66) { + memcpy(full_key + 66 - k->len, k->data, k->len); + key = full_key; + } else if (k->len == 66) { + key = k->data; + } else if (k->len == 67 && k->data[0] == 0) { + key = k->data + 1; + } else { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + res = SECFailure; + return res; + } -/* - * The function fiat_secp521r1_carry_add adds two field elements. - * - * Postconditions: - * eval out1 mod m = (eval arg1 + eval arg2) mod m - * - */ -static void -fiat_secp521r1_carry_add( - fiat_secp521r1_tight_field_element out1, - const fiat_secp521r1_tight_field_element arg1, - const fiat_secp521r1_tight_field_element arg2) -{ - uint32_t x1; - uint32_t x2; - uint32_t x3; - uint32_t x4; - uint32_t x5; - uint32_t x6; - uint32_t x7; - uint32_t x8; - uint32_t x9; - uint32_t x10; - uint32_t x11; - uint32_t x12; - uint32_t x13; - uint32_t x14; - uint32_t x15; - uint32_t x16; - uint32_t x17; - uint32_t x18; - uint32_t x19; - uint32_t x20; - uint32_t x21; - uint32_t x22; - uint32_t x23; - uint32_t x24; - uint32_t x25; - uint32_t x26; - uint32_t x27; - uint32_t x28; - uint32_t x29; - uint32_t x30; - uint32_t x31; - uint32_t x32; - uint32_t x33; - uint32_t x34; - uint32_t x35; - uint32_t x36; - uint32_t x37; - uint32_t x38; - uint32_t x39; - uint32_t x40; - x1 = ((arg1[0]) + (arg2[0])); - x2 = ((x1 >> 28) + ((arg1[1]) + (arg2[1]))); - x3 = ((x2 >> 27) + ((arg1[2]) + (arg2[2]))); - x4 = ((x3 >> 28) + ((arg1[3]) + (arg2[3]))); - x5 = ((x4 >> 27) + ((arg1[4]) + (arg2[4]))); - x6 = ((x5 >> 28) + ((arg1[5]) + (arg2[5]))); - x7 = ((x6 >> 27) + ((arg1[6]) + (arg2[6]))); - x8 = ((x7 >> 27) + ((arg1[7]) + (arg2[7]))); - x9 = ((x8 >> 28) + ((arg1[8]) + (arg2[8]))); - x10 = ((x9 >> 27) + ((arg1[9]) + (arg2[9]))); - x11 = ((x10 >> 28) + ((arg1[10]) + (arg2[10]))); - x12 = ((x11 >> 27) + ((arg1[11]) + (arg2[11]))); - x13 = ((x12 >> 28) + ((arg1[12]) + (arg2[12]))); - x14 = ((x13 >> 27) + ((arg1[13]) + (arg2[13]))); - x15 = ((x14 >> 27) + ((arg1[14]) + (arg2[14]))); - x16 = ((x15 >> 28) + ((arg1[15]) + (arg2[15]))); - x17 = ((x16 >> 27) + ((arg1[16]) + (arg2[16]))); - x18 = ((x17 >> 28) + ((arg1[17]) + (arg2[17]))); - x19 = ((x18 >> 27) + ((arg1[18]) + (arg2[18]))); - x20 = ((x1 & UINT32_C(0xfffffff)) + (x19 >> 27)); - x21 = ((fiat_secp521r1_uint1)(x20 >> 28) + (x2 & UINT32_C(0x7ffffff))); - x22 = (x20 & UINT32_C(0xfffffff)); - x23 = (x21 & UINT32_C(0x7ffffff)); - x24 = ((fiat_secp521r1_uint1)(x21 >> 27) + (x3 & UINT32_C(0xfffffff))); - x25 = (x4 & UINT32_C(0x7ffffff)); - x26 = (x5 & UINT32_C(0xfffffff)); - x27 = (x6 & UINT32_C(0x7ffffff)); - x28 = (x7 & UINT32_C(0x7ffffff)); - x29 = (x8 & UINT32_C(0xfffffff)); - x30 = (x9 & UINT32_C(0x7ffffff)); - x31 = (x10 & UINT32_C(0xfffffff)); - x32 = (x11 & UINT32_C(0x7ffffff)); - x33 = (x12 & UINT32_C(0xfffffff)); - x34 = (x13 & UINT32_C(0x7ffffff)); - x35 = (x14 & UINT32_C(0x7ffffff)); - x36 = (x15 & UINT32_C(0xfffffff)); - x37 = (x16 & UINT32_C(0x7ffffff)); - x38 = (x17 & UINT32_C(0xfffffff)); - x39 = (x18 & UINT32_C(0x7ffffff)); - x40 = (x19 & UINT32_C(0x7ffffff)); - out1[0] = x22; - out1[1] = x23; - out1[2] = x24; - out1[3] = x25; - out1[4] = x26; - out1[5] = x27; - out1[6] = x28; - out1[7] = x29; - out1[8] = x30; - out1[9] = x31; - out1[10] = x32; - out1[11] = x33; - out1[12] = x34; - out1[13] = x35; - out1[14] = x36; - out1[15] = x37; - out1[16] = x38; - out1[17] = x39; - out1[18] = x40; -} + bool b = Hacl_P521_dh_responder(derived, P->data + 1, key); -/* - * The function fiat_secp521r1_carry_sub subtracts two field elements. - * - * Postconditions: - * eval out1 mod m = (eval arg1 - eval arg2) mod m - * - */ -static void -fiat_secp521r1_carry_sub( - fiat_secp521r1_tight_field_element out1, - const fiat_secp521r1_tight_field_element arg1, - const fiat_secp521r1_tight_field_element arg2) -{ - uint32_t x1; - uint32_t x2; - uint32_t x3; - uint32_t x4; - uint32_t x5; - uint32_t x6; - uint32_t x7; - uint32_t x8; - uint32_t x9; - uint32_t x10; - uint32_t x11; - uint32_t x12; - uint32_t x13; - uint32_t x14; - uint32_t x15; - uint32_t x16; - uint32_t x17; - uint32_t x18; - uint32_t x19; - uint32_t x20; - uint32_t x21; - uint32_t x22; - uint32_t x23; - uint32_t x24; - uint32_t x25; - uint32_t x26; - uint32_t x27; - uint32_t x28; - uint32_t x29; - uint32_t x30; - uint32_t x31; - uint32_t x32; - uint32_t x33; - uint32_t x34; - uint32_t x35; - uint32_t x36; - uint32_t x37; - uint32_t x38; - uint32_t x39; - uint32_t x40; - x1 = ((UINT32_C(0x1ffffffe) + (arg1[0])) - (arg2[0])); - x2 = ((x1 >> 28) + ((UINT32_C(0xffffffe) + (arg1[1])) - (arg2[1]))); - x3 = ((x2 >> 27) + ((UINT32_C(0x1ffffffe) + (arg1[2])) - (arg2[2]))); - x4 = ((x3 >> 28) + ((UINT32_C(0xffffffe) + (arg1[3])) - (arg2[3]))); - x5 = ((x4 >> 27) + ((UINT32_C(0x1ffffffe) + (arg1[4])) - (arg2[4]))); - x6 = ((x5 >> 28) + ((UINT32_C(0xffffffe) + (arg1[5])) - (arg2[5]))); - x7 = ((x6 >> 27) + ((UINT32_C(0xffffffe) + (arg1[6])) - (arg2[6]))); - x8 = ((x7 >> 27) + ((UINT32_C(0x1ffffffe) + (arg1[7])) - (arg2[7]))); - x9 = ((x8 >> 28) + ((UINT32_C(0xffffffe) + (arg1[8])) - (arg2[8]))); - x10 = ((x9 >> 27) + ((UINT32_C(0x1ffffffe) + (arg1[9])) - (arg2[9]))); - x11 = ((x10 >> 28) + ((UINT32_C(0xffffffe) + (arg1[10])) - (arg2[10]))); - x12 = ((x11 >> 27) + ((UINT32_C(0x1ffffffe) + (arg1[11])) - (arg2[11]))); - x13 = ((x12 >> 28) + ((UINT32_C(0xffffffe) + (arg1[12])) - (arg2[12]))); - x14 = ((x13 >> 27) + ((UINT32_C(0xffffffe) + (arg1[13])) - (arg2[13]))); - x15 = ((x14 >> 27) + ((UINT32_C(0x1ffffffe) + (arg1[14])) - (arg2[14]))); - x16 = ((x15 >> 28) + ((UINT32_C(0xffffffe) + (arg1[15])) - (arg2[15]))); - x17 = ((x16 >> 27) + ((UINT32_C(0x1ffffffe) + (arg1[16])) - (arg2[16]))); - x18 = ((x17 >> 28) + ((UINT32_C(0xffffffe) + (arg1[17])) - (arg2[17]))); - x19 = ((x18 >> 27) + ((UINT32_C(0xffffffe) + (arg1[18])) - (arg2[18]))); - x20 = ((x1 & UINT32_C(0xfffffff)) + (x19 >> 27)); - x21 = ((fiat_secp521r1_uint1)(x20 >> 28) + (x2 & UINT32_C(0x7ffffff))); - x22 = (x20 & UINT32_C(0xfffffff)); - x23 = (x21 & UINT32_C(0x7ffffff)); - x24 = ((fiat_secp521r1_uint1)(x21 >> 27) + (x3 & UINT32_C(0xfffffff))); - x25 = (x4 & UINT32_C(0x7ffffff)); - x26 = (x5 & UINT32_C(0xfffffff)); - x27 = (x6 & UINT32_C(0x7ffffff)); - x28 = (x7 & UINT32_C(0x7ffffff)); - x29 = (x8 & UINT32_C(0xfffffff)); - x30 = (x9 & UINT32_C(0x7ffffff)); - x31 = (x10 & UINT32_C(0xfffffff)); - x32 = (x11 & UINT32_C(0x7ffffff)); - x33 = (x12 & UINT32_C(0xfffffff)); - x34 = (x13 & UINT32_C(0x7ffffff)); - x35 = (x14 & UINT32_C(0x7ffffff)); - x36 = (x15 & UINT32_C(0xfffffff)); - x37 = (x16 & UINT32_C(0x7ffffff)); - x38 = (x17 & UINT32_C(0xfffffff)); - x39 = (x18 & UINT32_C(0x7ffffff)); - x40 = (x19 & UINT32_C(0x7ffffff)); - out1[0] = x22; - out1[1] = x23; - out1[2] = x24; - out1[3] = x25; - out1[4] = x26; - out1[5] = x27; - out1[6] = x28; - out1[7] = x29; - out1[8] = x30; - out1[9] = x31; - out1[10] = x32; - out1[11] = x33; - out1[12] = x34; - out1[13] = x35; - out1[14] = x36; - out1[15] = x37; - out1[16] = x38; - out1[17] = x39; - out1[18] = x40; -} + if (!b) { + PORT_SetError(SEC_ERROR_BAD_KEY); + res = SECFailure; + return res; + } -/* - * The function fiat_secp521r1_carry_opp negates a field element. - * - * Postconditions: - * eval out1 mod m = -eval arg1 mod m - * - */ -static void -fiat_secp521r1_carry_opp( - fiat_secp521r1_tight_field_element out1, - const fiat_secp521r1_tight_field_element arg1) -{ - uint32_t x1; - uint32_t x2; - uint32_t x3; - uint32_t x4; - uint32_t x5; - uint32_t x6; - uint32_t x7; - uint32_t x8; - uint32_t x9; - uint32_t x10; - uint32_t x11; - uint32_t x12; - uint32_t x13; - uint32_t x14; - uint32_t x15; - uint32_t x16; - uint32_t x17; - uint32_t x18; - uint32_t x19; - uint32_t x20; - uint32_t x21; - uint32_t x22; - uint32_t x23; - uint32_t x24; - uint32_t x25; - uint32_t x26; - uint32_t x27; - uint32_t x28; - uint32_t x29; - uint32_t x30; - uint32_t x31; - uint32_t x32; - uint32_t x33; - uint32_t x34; - uint32_t x35; - uint32_t x36; - uint32_t x37; - uint32_t x38; - uint32_t x39; - uint32_t x40; - x1 = (UINT32_C(0x1ffffffe) - (arg1[0])); - x2 = ((fiat_secp521r1_uint1)(x1 >> 28) + (UINT32_C(0xffffffe) - (arg1[1]))); - x3 = - ((fiat_secp521r1_uint1)(x2 >> 27) + (UINT32_C(0x1ffffffe) - (arg1[2]))); - x4 = ((fiat_secp521r1_uint1)(x3 >> 28) + (UINT32_C(0xffffffe) - (arg1[3]))); - x5 = - ((fiat_secp521r1_uint1)(x4 >> 27) + (UINT32_C(0x1ffffffe) - (arg1[4]))); - x6 = ((fiat_secp521r1_uint1)(x5 >> 28) + (UINT32_C(0xffffffe) - (arg1[5]))); - x7 = ((fiat_secp521r1_uint1)(x6 >> 27) + (UINT32_C(0xffffffe) - (arg1[6]))); - x8 = - ((fiat_secp521r1_uint1)(x7 >> 27) + (UINT32_C(0x1ffffffe) - (arg1[7]))); - x9 = ((fiat_secp521r1_uint1)(x8 >> 28) + (UINT32_C(0xffffffe) - (arg1[8]))); - x10 = - ((fiat_secp521r1_uint1)(x9 >> 27) + (UINT32_C(0x1ffffffe) - (arg1[9]))); - x11 = ((fiat_secp521r1_uint1)(x10 >> 28) + - (UINT32_C(0xffffffe) - (arg1[10]))); - x12 = ((fiat_secp521r1_uint1)(x11 >> 27) + - (UINT32_C(0x1ffffffe) - (arg1[11]))); - x13 = ((fiat_secp521r1_uint1)(x12 >> 28) + - (UINT32_C(0xffffffe) - (arg1[12]))); - x14 = ((fiat_secp521r1_uint1)(x13 >> 27) + - (UINT32_C(0xffffffe) - (arg1[13]))); - x15 = ((fiat_secp521r1_uint1)(x14 >> 27) + - (UINT32_C(0x1ffffffe) - (arg1[14]))); - x16 = ((fiat_secp521r1_uint1)(x15 >> 28) + - (UINT32_C(0xffffffe) - (arg1[15]))); - x17 = ((fiat_secp521r1_uint1)(x16 >> 27) + - (UINT32_C(0x1ffffffe) - (arg1[16]))); - x18 = ((fiat_secp521r1_uint1)(x17 >> 28) + - (UINT32_C(0xffffffe) - (arg1[17]))); - x19 = ((fiat_secp521r1_uint1)(x18 >> 27) + - (UINT32_C(0xffffffe) - (arg1[18]))); - x20 = ((x1 & UINT32_C(0xfffffff)) + - (uint32_t)(fiat_secp521r1_uint1)(x19 >> 27)); - x21 = ((fiat_secp521r1_uint1)(x20 >> 28) + (x2 & UINT32_C(0x7ffffff))); - x22 = (x20 & UINT32_C(0xfffffff)); - x23 = (x21 & UINT32_C(0x7ffffff)); - x24 = ((fiat_secp521r1_uint1)(x21 >> 27) + (x3 & UINT32_C(0xfffffff))); - x25 = (x4 & UINT32_C(0x7ffffff)); - x26 = (x5 & UINT32_C(0xfffffff)); - x27 = (x6 & UINT32_C(0x7ffffff)); - x28 = (x7 & UINT32_C(0x7ffffff)); - x29 = (x8 & UINT32_C(0xfffffff)); - x30 = (x9 & UINT32_C(0x7ffffff)); - x31 = (x10 & UINT32_C(0xfffffff)); - x32 = (x11 & UINT32_C(0x7ffffff)); - x33 = (x12 & UINT32_C(0xfffffff)); - x34 = (x13 & UINT32_C(0x7ffffff)); - x35 = (x14 & UINT32_C(0x7ffffff)); - x36 = (x15 & UINT32_C(0xfffffff)); - x37 = (x16 & UINT32_C(0x7ffffff)); - x38 = (x17 & UINT32_C(0xfffffff)); - x39 = (x18 & UINT32_C(0x7ffffff)); - x40 = (x19 & UINT32_C(0x7ffffff)); - out1[0] = x22; - out1[1] = x23; - out1[2] = x24; - out1[3] = x25; - out1[4] = x26; - out1[5] = x27; - out1[6] = x28; - out1[7] = x29; - out1[8] = x30; - out1[9] = x31; - out1[10] = x32; - out1[11] = x33; - out1[12] = x34; - out1[13] = x35; - out1[14] = x36; - out1[15] = x37; - out1[16] = x38; - out1[17] = x39; - out1[18] = x40; -} + X->len = 66; + memcpy(X->data, derived, 66); + } -/* - * The function fiat_secp521r1_selectznz is a multi-limb conditional select. - * - * Postconditions: - * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) - * - * Input Bounds: - * arg1: [0x0 ~> 0x1] - * arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - * arg3: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - * Output Bounds: - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -static void -fiat_secp521r1_selectznz(uint32_t out1[19], - fiat_secp521r1_uint1 arg1, - const uint32_t arg2[19], - const uint32_t arg3[19]) -{ - uint32_t x1; - uint32_t x2; - uint32_t x3; - uint32_t x4; - uint32_t x5; - uint32_t x6; - uint32_t x7; - uint32_t x8; - uint32_t x9; - uint32_t x10; - uint32_t x11; - uint32_t x12; - uint32_t x13; - uint32_t x14; - uint32_t x15; - uint32_t x16; - uint32_t x17; - uint32_t x18; - uint32_t x19; - fiat_secp521r1_cmovznz_u32(&x1, arg1, (arg2[0]), (arg3[0])); - fiat_secp521r1_cmovznz_u32(&x2, arg1, (arg2[1]), (arg3[1])); - fiat_secp521r1_cmovznz_u32(&x3, arg1, (arg2[2]), (arg3[2])); - fiat_secp521r1_cmovznz_u32(&x4, arg1, (arg2[3]), (arg3[3])); - fiat_secp521r1_cmovznz_u32(&x5, arg1, (arg2[4]), (arg3[4])); - fiat_secp521r1_cmovznz_u32(&x6, arg1, (arg2[5]), (arg3[5])); - fiat_secp521r1_cmovznz_u32(&x7, arg1, (arg2[6]), (arg3[6])); - fiat_secp521r1_cmovznz_u32(&x8, arg1, (arg2[7]), (arg3[7])); - fiat_secp521r1_cmovznz_u32(&x9, arg1, (arg2[8]), (arg3[8])); - fiat_secp521r1_cmovznz_u32(&x10, arg1, (arg2[9]), (arg3[9])); - fiat_secp521r1_cmovznz_u32(&x11, arg1, (arg2[10]), (arg3[10])); - fiat_secp521r1_cmovznz_u32(&x12, arg1, (arg2[11]), (arg3[11])); - fiat_secp521r1_cmovznz_u32(&x13, arg1, (arg2[12]), (arg3[12])); - fiat_secp521r1_cmovznz_u32(&x14, arg1, (arg2[13]), (arg3[13])); - fiat_secp521r1_cmovznz_u32(&x15, arg1, (arg2[14]), (arg3[14])); - fiat_secp521r1_cmovznz_u32(&x16, arg1, (arg2[15]), (arg3[15])); - fiat_secp521r1_cmovznz_u32(&x17, arg1, (arg2[16]), (arg3[16])); - fiat_secp521r1_cmovznz_u32(&x18, arg1, (arg2[17]), (arg3[17])); - fiat_secp521r1_cmovznz_u32(&x19, arg1, (arg2[18]), (arg3[18])); - out1[0] = x1; - out1[1] = x2; - out1[2] = x3; - out1[3] = x4; - out1[4] = x5; - out1[5] = x6; - out1[6] = x7; - out1[7] = x8; - out1[8] = x9; - out1[9] = x10; - out1[10] = x11; - out1[11] = x12; - out1[12] = x13; - out1[13] = x14; - out1[14] = x15; - out1[15] = x16; - out1[16] = x17; - out1[17] = x18; - out1[18] = x19; + return res; } /* - * The function fiat_secp521r1_to_bytes serializes a field element to bytes in little-endian order. - * - * Postconditions: - * out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..65] - * - * Output Bounds: - * out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x1]] + * ECDSA Signature for P-521 */ -static void -fiat_secp521r1_to_bytes( - uint8_t out1[66], const fiat_secp521r1_tight_field_element arg1) -{ - uint32_t x1; - fiat_secp521r1_uint1 x2; - uint32_t x3; - fiat_secp521r1_uint1 x4; - uint32_t x5; - fiat_secp521r1_uint1 x6; - uint32_t x7; - fiat_secp521r1_uint1 x8; - uint32_t x9; - fiat_secp521r1_uint1 x10; - uint32_t x11; - fiat_secp521r1_uint1 x12; - uint32_t x13; - fiat_secp521r1_uint1 x14; - uint32_t x15; - fiat_secp521r1_uint1 x16; - uint32_t x17; - fiat_secp521r1_uint1 x18; - uint32_t x19; - fiat_secp521r1_uint1 x20; - uint32_t x21; - fiat_secp521r1_uint1 x22; - uint32_t x23; - fiat_secp521r1_uint1 x24; - uint32_t x25; - fiat_secp521r1_uint1 x26; - uint32_t x27; - fiat_secp521r1_uint1 x28; - uint32_t x29; - fiat_secp521r1_uint1 x30; - uint32_t x31; - fiat_secp521r1_uint1 x32; - uint32_t x33; - fiat_secp521r1_uint1 x34; - uint32_t x35; - fiat_secp521r1_uint1 x36; - uint32_t x37; - fiat_secp521r1_uint1 x38; - uint32_t x39; - uint32_t x40; - fiat_secp521r1_uint1 x41; - uint32_t x42; - fiat_secp521r1_uint1 x43; - uint32_t x44; - fiat_secp521r1_uint1 x45; - uint32_t x46; - fiat_secp521r1_uint1 x47; - uint32_t x48; - fiat_secp521r1_uint1 x49; - uint32_t x50; - fiat_secp521r1_uint1 x51; - uint32_t x52; - fiat_secp521r1_uint1 x53; - uint32_t x54; - fiat_secp521r1_uint1 x55; - uint32_t x56; - fiat_secp521r1_uint1 x57; - uint32_t x58; - fiat_secp521r1_uint1 x59; - uint32_t x60; - fiat_secp521r1_uint1 x61; - uint32_t x62; - fiat_secp521r1_uint1 x63; - uint32_t x64; - fiat_secp521r1_uint1 x65; - uint32_t x66; - fiat_secp521r1_uint1 x67; - uint32_t x68; - fiat_secp521r1_uint1 x69; - uint32_t x70; - fiat_secp521r1_uint1 x71; - uint32_t x72; - fiat_secp521r1_uint1 x73; - uint32_t x74; - fiat_secp521r1_uint1 x75; - uint32_t x76; - fiat_secp521r1_uint1 x77; - uint64_t x78; - uint32_t x79; - uint64_t x80; - uint32_t x81; - uint32_t x82; - uint32_t x83; - uint64_t x84; - uint32_t x85; - uint64_t x86; - uint32_t x87; - uint32_t x88; - uint32_t x89; - uint64_t x90; - uint32_t x91; - uint64_t x92; - uint32_t x93; - uint8_t x94; - uint32_t x95; - uint8_t x96; - uint32_t x97; - uint8_t x98; - uint8_t x99; - uint32_t x100; - uint8_t x101; - uint32_t x102; - uint8_t x103; - uint32_t x104; - uint8_t x105; - uint8_t x106; - uint64_t x107; - uint8_t x108; - uint32_t x109; - uint8_t x110; - uint32_t x111; - uint8_t x112; - uint32_t x113; - uint8_t x114; - uint8_t x115; - uint32_t x116; - uint8_t x117; - uint32_t x118; - uint8_t x119; - uint32_t x120; - uint8_t x121; - uint8_t x122; - uint64_t x123; - uint8_t x124; - uint32_t x125; - uint8_t x126; - uint32_t x127; - uint8_t x128; - uint32_t x129; - uint8_t x130; - uint8_t x131; - uint32_t x132; - uint8_t x133; - uint32_t x134; - uint8_t x135; - uint32_t x136; - uint8_t x137; - uint8_t x138; - uint32_t x139; - uint8_t x140; - uint32_t x141; - uint8_t x142; - uint32_t x143; - uint8_t x144; - uint8_t x145; - uint8_t x146; - uint32_t x147; - uint8_t x148; - uint32_t x149; - uint8_t x150; - uint8_t x151; - uint32_t x152; - uint8_t x153; - uint32_t x154; - uint8_t x155; - uint32_t x156; - uint8_t x157; - uint8_t x158; - uint64_t x159; - uint8_t x160; - uint32_t x161; - uint8_t x162; - uint32_t x163; - uint8_t x164; - uint32_t x165; - uint8_t x166; - uint8_t x167; - uint32_t x168; - uint8_t x169; - uint32_t x170; - uint8_t x171; - uint32_t x172; - uint8_t x173; - uint8_t x174; - uint64_t x175; - uint8_t x176; - uint32_t x177; - uint8_t x178; - uint32_t x179; - uint8_t x180; - uint32_t x181; - uint8_t x182; - uint8_t x183; - uint32_t x184; - uint8_t x185; - uint32_t x186; - uint8_t x187; - uint32_t x188; - uint8_t x189; - uint8_t x190; - uint32_t x191; - uint8_t x192; - uint32_t x193; - uint8_t x194; - uint32_t x195; - uint8_t x196; - uint8_t x197; - uint8_t x198; - uint32_t x199; - uint8_t x200; - uint32_t x201; - uint8_t x202; - uint8_t x203; - uint32_t x204; - uint8_t x205; - uint32_t x206; - uint8_t x207; - uint32_t x208; - uint8_t x209; - uint8_t x210; - uint64_t x211; - uint8_t x212; - uint32_t x213; - uint8_t x214; - uint32_t x215; - uint8_t x216; - uint32_t x217; - uint8_t x218; - uint8_t x219; - uint32_t x220; - uint8_t x221; - uint32_t x222; - uint8_t x223; - uint32_t x224; - uint8_t x225; - uint8_t x226; - uint64_t x227; - uint8_t x228; - uint32_t x229; - uint8_t x230; - uint32_t x231; - uint8_t x232; - uint32_t x233; - uint8_t x234; - fiat_secp521r1_uint1 x235; - fiat_secp521r1_subborrowx_u28(&x1, &x2, 0x0, (arg1[0]), - UINT32_C(0xfffffff)); - fiat_secp521r1_subborrowx_u27(&x3, &x4, x2, (arg1[1]), UINT32_C(0x7ffffff)); - fiat_secp521r1_subborrowx_u28(&x5, &x6, x4, (arg1[2]), UINT32_C(0xfffffff)); - fiat_secp521r1_subborrowx_u27(&x7, &x8, x6, (arg1[3]), UINT32_C(0x7ffffff)); - fiat_secp521r1_subborrowx_u28(&x9, &x10, x8, (arg1[4]), - UINT32_C(0xfffffff)); - fiat_secp521r1_subborrowx_u27(&x11, &x12, x10, (arg1[5]), - UINT32_C(0x7ffffff)); - fiat_secp521r1_subborrowx_u27(&x13, &x14, x12, (arg1[6]), - UINT32_C(0x7ffffff)); - fiat_secp521r1_subborrowx_u28(&x15, &x16, x14, (arg1[7]), - UINT32_C(0xfffffff)); - fiat_secp521r1_subborrowx_u27(&x17, &x18, x16, (arg1[8]), - UINT32_C(0x7ffffff)); - fiat_secp521r1_subborrowx_u28(&x19, &x20, x18, (arg1[9]), - UINT32_C(0xfffffff)); - fiat_secp521r1_subborrowx_u27(&x21, &x22, x20, (arg1[10]), - UINT32_C(0x7ffffff)); - fiat_secp521r1_subborrowx_u28(&x23, &x24, x22, (arg1[11]), - UINT32_C(0xfffffff)); - fiat_secp521r1_subborrowx_u27(&x25, &x26, x24, (arg1[12]), - UINT32_C(0x7ffffff)); - fiat_secp521r1_subborrowx_u27(&x27, &x28, x26, (arg1[13]), - UINT32_C(0x7ffffff)); - fiat_secp521r1_subborrowx_u28(&x29, &x30, x28, (arg1[14]), - UINT32_C(0xfffffff)); - fiat_secp521r1_subborrowx_u27(&x31, &x32, x30, (arg1[15]), - UINT32_C(0x7ffffff)); - fiat_secp521r1_subborrowx_u28(&x33, &x34, x32, (arg1[16]), - UINT32_C(0xfffffff)); - fiat_secp521r1_subborrowx_u27(&x35, &x36, x34, (arg1[17]), - UINT32_C(0x7ffffff)); - fiat_secp521r1_subborrowx_u27(&x37, &x38, x36, (arg1[18]), - UINT32_C(0x7ffffff)); - fiat_secp521r1_cmovznz_u32(&x39, x38, 0x0, UINT32_C(0xffffffff)); - fiat_secp521r1_addcarryx_u28(&x40, &x41, 0x0, x1, - (x39 & UINT32_C(0xfffffff))); - fiat_secp521r1_addcarryx_u27(&x42, &x43, x41, x3, - (x39 & UINT32_C(0x7ffffff))); - fiat_secp521r1_addcarryx_u28(&x44, &x45, x43, x5, - (x39 & UINT32_C(0xfffffff))); - fiat_secp521r1_addcarryx_u27(&x46, &x47, x45, x7, - (x39 & UINT32_C(0x7ffffff))); - fiat_secp521r1_addcarryx_u28(&x48, &x49, x47, x9, - (x39 & UINT32_C(0xfffffff))); - fiat_secp521r1_addcarryx_u27(&x50, &x51, x49, x11, - (x39 & UINT32_C(0x7ffffff))); - fiat_secp521r1_addcarryx_u27(&x52, &x53, x51, x13, - (x39 & UINT32_C(0x7ffffff))); - fiat_secp521r1_addcarryx_u28(&x54, &x55, x53, x15, - (x39 & UINT32_C(0xfffffff))); - fiat_secp521r1_addcarryx_u27(&x56, &x57, x55, x17, - (x39 & UINT32_C(0x7ffffff))); - fiat_secp521r1_addcarryx_u28(&x58, &x59, x57, x19, - (x39 & UINT32_C(0xfffffff))); - fiat_secp521r1_addcarryx_u27(&x60, &x61, x59, x21, - (x39 & UINT32_C(0x7ffffff))); - fiat_secp521r1_addcarryx_u28(&x62, &x63, x61, x23, - (x39 & UINT32_C(0xfffffff))); - fiat_secp521r1_addcarryx_u27(&x64, &x65, x63, x25, - (x39 & UINT32_C(0x7ffffff))); - fiat_secp521r1_addcarryx_u27(&x66, &x67, x65, x27, - (x39 & UINT32_C(0x7ffffff))); - fiat_secp521r1_addcarryx_u28(&x68, &x69, x67, x29, - (x39 & UINT32_C(0xfffffff))); - fiat_secp521r1_addcarryx_u27(&x70, &x71, x69, x31, - (x39 & UINT32_C(0x7ffffff))); - fiat_secp521r1_addcarryx_u28(&x72, &x73, x71, x33, - (x39 & UINT32_C(0xfffffff))); - fiat_secp521r1_addcarryx_u27(&x74, &x75, x73, x35, - (x39 & UINT32_C(0x7ffffff))); - fiat_secp521r1_addcarryx_u27(&x76, &x77, x75, x37, - (x39 & UINT32_C(0x7ffffff))); - x78 = ((uint64_t)x76 << 6); - x79 = (x74 << 3); - x80 = ((uint64_t)x72 << 7); - x81 = (x70 << 4); - x82 = (x66 << 5); - x83 = (x64 << 2); - x84 = ((uint64_t)x62 << 6); - x85 = (x60 << 3); - x86 = ((uint64_t)x58 << 7); - x87 = (x56 << 4); - x88 = (x52 << 5); - x89 = (x50 << 2); - x90 = ((uint64_t)x48 << 6); - x91 = (x46 << 3); - x92 = ((uint64_t)x44 << 7); - x93 = (x42 << 4); - x94 = (uint8_t)(x40 & UINT8_C(0xff)); - x95 = (x40 >> 8); - x96 = (uint8_t)(x95 & UINT8_C(0xff)); - x97 = (x95 >> 8); - x98 = (uint8_t)(x97 & UINT8_C(0xff)); - x99 = (uint8_t)(x97 >> 8); - x100 = (x93 + (uint32_t)x99); - x101 = (uint8_t)(x100 & UINT8_C(0xff)); - x102 = (x100 >> 8); - x103 = (uint8_t)(x102 & UINT8_C(0xff)); - x104 = (x102 >> 8); - x105 = (uint8_t)(x104 & UINT8_C(0xff)); - x106 = (uint8_t)(x104 >> 8); - x107 = (x92 + (uint64_t)x106); - x108 = (uint8_t)(x107 & UINT8_C(0xff)); - x109 = (uint32_t)(x107 >> 8); - x110 = (uint8_t)(x109 & UINT8_C(0xff)); - x111 = (x109 >> 8); - x112 = (uint8_t)(x111 & UINT8_C(0xff)); - x113 = (x111 >> 8); - x114 = (uint8_t)(x113 & UINT8_C(0xff)); - x115 = (uint8_t)(x113 >> 8); - x116 = (x91 + (uint32_t)x115); - x117 = (uint8_t)(x116 & UINT8_C(0xff)); - x118 = (x116 >> 8); - x119 = (uint8_t)(x118 & UINT8_C(0xff)); - x120 = (x118 >> 8); - x121 = (uint8_t)(x120 & UINT8_C(0xff)); - x122 = (uint8_t)(x120 >> 8); - x123 = (x90 + (uint64_t)x122); - x124 = (uint8_t)(x123 & UINT8_C(0xff)); - x125 = (uint32_t)(x123 >> 8); - x126 = (uint8_t)(x125 & UINT8_C(0xff)); - x127 = (x125 >> 8); - x128 = (uint8_t)(x127 & UINT8_C(0xff)); - x129 = (x127 >> 8); - x130 = (uint8_t)(x129 & UINT8_C(0xff)); - x131 = (uint8_t)(x129 >> 8); - x132 = (x89 + (uint32_t)x131); - x133 = (uint8_t)(x132 & UINT8_C(0xff)); - x134 = (x132 >> 8); - x135 = (uint8_t)(x134 & UINT8_C(0xff)); - x136 = (x134 >> 8); - x137 = (uint8_t)(x136 & UINT8_C(0xff)); - x138 = (uint8_t)(x136 >> 8); - x139 = (x88 + (uint32_t)x138); - x140 = (uint8_t)(x139 & UINT8_C(0xff)); - x141 = (x139 >> 8); - x142 = (uint8_t)(x141 & UINT8_C(0xff)); - x143 = (x141 >> 8); - x144 = (uint8_t)(x143 & UINT8_C(0xff)); - x145 = (uint8_t)(x143 >> 8); - x146 = (uint8_t)(x54 & UINT8_C(0xff)); - x147 = (x54 >> 8); - x148 = (uint8_t)(x147 & UINT8_C(0xff)); - x149 = (x147 >> 8); - x150 = (uint8_t)(x149 & UINT8_C(0xff)); - x151 = (uint8_t)(x149 >> 8); - x152 = (x87 + (uint32_t)x151); - x153 = (uint8_t)(x152 & UINT8_C(0xff)); - x154 = (x152 >> 8); - x155 = (uint8_t)(x154 & UINT8_C(0xff)); - x156 = (x154 >> 8); - x157 = (uint8_t)(x156 & UINT8_C(0xff)); - x158 = (uint8_t)(x156 >> 8); - x159 = (x86 + (uint64_t)x158); - x160 = (uint8_t)(x159 & UINT8_C(0xff)); - x161 = (uint32_t)(x159 >> 8); - x162 = (uint8_t)(x161 & UINT8_C(0xff)); - x163 = (x161 >> 8); - x164 = (uint8_t)(x163 & UINT8_C(0xff)); - x165 = (x163 >> 8); - x166 = (uint8_t)(x165 & UINT8_C(0xff)); - x167 = (uint8_t)(x165 >> 8); - x168 = (x85 + (uint32_t)x167); - x169 = (uint8_t)(x168 & UINT8_C(0xff)); - x170 = (x168 >> 8); - x171 = (uint8_t)(x170 & UINT8_C(0xff)); - x172 = (x170 >> 8); - x173 = (uint8_t)(x172 & UINT8_C(0xff)); - x174 = (uint8_t)(x172 >> 8); - x175 = (x84 + (uint64_t)x174); - x176 = (uint8_t)(x175 & UINT8_C(0xff)); - x177 = (uint32_t)(x175 >> 8); - x178 = (uint8_t)(x177 & UINT8_C(0xff)); - x179 = (x177 >> 8); - x180 = (uint8_t)(x179 & UINT8_C(0xff)); - x181 = (x179 >> 8); - x182 = (uint8_t)(x181 & UINT8_C(0xff)); - x183 = (uint8_t)(x181 >> 8); - x184 = (x83 + (uint32_t)x183); - x185 = (uint8_t)(x184 & UINT8_C(0xff)); - x186 = (x184 >> 8); - x187 = (uint8_t)(x186 & UINT8_C(0xff)); - x188 = (x186 >> 8); - x189 = (uint8_t)(x188 & UINT8_C(0xff)); - x190 = (uint8_t)(x188 >> 8); - x191 = (x82 + (uint32_t)x190); - x192 = (uint8_t)(x191 & UINT8_C(0xff)); - x193 = (x191 >> 8); - x194 = (uint8_t)(x193 & UINT8_C(0xff)); - x195 = (x193 >> 8); - x196 = (uint8_t)(x195 & UINT8_C(0xff)); - x197 = (uint8_t)(x195 >> 8); - x198 = (uint8_t)(x68 & UINT8_C(0xff)); - x199 = (x68 >> 8); - x200 = (uint8_t)(x199 & UINT8_C(0xff)); - x201 = (x199 >> 8); - x202 = (uint8_t)(x201 & UINT8_C(0xff)); - x203 = (uint8_t)(x201 >> 8); - x204 = (x81 + (uint32_t)x203); - x205 = (uint8_t)(x204 & UINT8_C(0xff)); - x206 = (x204 >> 8); - x207 = (uint8_t)(x206 & UINT8_C(0xff)); - x208 = (x206 >> 8); - x209 = (uint8_t)(x208 & UINT8_C(0xff)); - x210 = (uint8_t)(x208 >> 8); - x211 = (x80 + (uint64_t)x210); - x212 = (uint8_t)(x211 & UINT8_C(0xff)); - x213 = (uint32_t)(x211 >> 8); - x214 = (uint8_t)(x213 & UINT8_C(0xff)); - x215 = (x213 >> 8); - x216 = (uint8_t)(x215 & UINT8_C(0xff)); - x217 = (x215 >> 8); - x218 = (uint8_t)(x217 & UINT8_C(0xff)); - x219 = (uint8_t)(x217 >> 8); - x220 = (x79 + (uint32_t)x219); - x221 = (uint8_t)(x220 & UINT8_C(0xff)); - x222 = (x220 >> 8); - x223 = (uint8_t)(x222 & UINT8_C(0xff)); - x224 = (x222 >> 8); - x225 = (uint8_t)(x224 & UINT8_C(0xff)); - x226 = (uint8_t)(x224 >> 8); - x227 = (x78 + (uint64_t)x226); - x228 = (uint8_t)(x227 & UINT8_C(0xff)); - x229 = (uint32_t)(x227 >> 8); - x230 = (uint8_t)(x229 & UINT8_C(0xff)); - x231 = (x229 >> 8); - x232 = (uint8_t)(x231 & UINT8_C(0xff)); - x233 = (x231 >> 8); - x234 = (uint8_t)(x233 & UINT8_C(0xff)); - x235 = (fiat_secp521r1_uint1)(x233 >> 8); - out1[0] = x94; - out1[1] = x96; - out1[2] = x98; - out1[3] = x101; - out1[4] = x103; - out1[5] = x105; - out1[6] = x108; - out1[7] = x110; - out1[8] = x112; - out1[9] = x114; - out1[10] = x117; - out1[11] = x119; - out1[12] = x121; - out1[13] = x124; - out1[14] = x126; - out1[15] = x128; - out1[16] = x130; - out1[17] = x133; - out1[18] = x135; - out1[19] = x137; - out1[20] = x140; - out1[21] = x142; - out1[22] = x144; - out1[23] = x145; - out1[24] = x146; - out1[25] = x148; - out1[26] = x150; - out1[27] = x153; - out1[28] = x155; - out1[29] = x157; - out1[30] = x160; - out1[31] = x162; - out1[32] = x164; - out1[33] = x166; - out1[34] = x169; - out1[35] = x171; - out1[36] = x173; - out1[37] = x176; - out1[38] = x178; - out1[39] = x180; - out1[40] = x182; - out1[41] = x185; - out1[42] = x187; - out1[43] = x189; - out1[44] = x192; - out1[45] = x194; - out1[46] = x196; - out1[47] = x197; - out1[48] = x198; - out1[49] = x200; - out1[50] = x202; - out1[51] = x205; - out1[52] = x207; - out1[53] = x209; - out1[54] = x212; - out1[55] = x214; - out1[56] = x216; - out1[57] = x218; - out1[58] = x221; - out1[59] = x223; - out1[60] = x225; - out1[61] = x228; - out1[62] = x230; - out1[63] = x232; - out1[64] = x234; - out1[65] = x235; -} -/* - * The function fiat_secp521r1_from_bytes deserializes a field element from bytes in little-endian order. - * - * Postconditions: - * eval out1 mod m = bytes_eval arg1 mod m - * - * Input Bounds: - * arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x1]] - */ -static void -fiat_secp521r1_from_bytes(fiat_secp521r1_tight_field_element out1, - const uint8_t arg1[66]) +SECStatus +ec_secp521r1_sign_digest(ECPrivateKey *ecPrivKey, SECItem *signature, + const SECItem *digest, const unsigned char *kb, + const unsigned int kblen) { - uint32_t x1; - uint32_t x2; - uint32_t x3; - uint32_t x4; - uint32_t x5; - uint32_t x6; - uint32_t x7; - uint64_t x8; - uint32_t x9; - uint32_t x10; - uint32_t x11; - uint32_t x12; - uint32_t x13; - uint32_t x14; - uint32_t x15; - uint32_t x16; - uint32_t x17; - uint8_t x18; - uint32_t x19; - uint32_t x20; - uint32_t x21; - uint32_t x22; - uint32_t x23; - uint32_t x24; - uint64_t x25; - uint32_t x26; - uint32_t x27; - uint32_t x28; - uint32_t x29; - uint32_t x30; - uint32_t x31; - uint64_t x32; - uint32_t x33; - uint32_t x34; - uint32_t x35; - uint32_t x36; - uint32_t x37; - uint32_t x38; - uint32_t x39; - uint32_t x40; - uint32_t x41; - uint8_t x42; - uint32_t x43; - uint32_t x44; - uint32_t x45; - uint32_t x46; - uint32_t x47; - uint32_t x48; - uint64_t x49; - uint32_t x50; - uint32_t x51; - uint32_t x52; - uint32_t x53; - uint32_t x54; - uint32_t x55; - uint64_t x56; - uint32_t x57; - uint32_t x58; - uint32_t x59; - uint32_t x60; - uint32_t x61; - uint32_t x62; - uint32_t x63; - uint32_t x64; - uint32_t x65; - uint8_t x66; - uint32_t x67; - uint32_t x68; - uint32_t x69; - uint32_t x70; - uint8_t x71; - uint32_t x72; - uint32_t x73; - uint32_t x74; - uint32_t x75; - fiat_secp521r1_uint1 x76; - uint32_t x77; - uint32_t x78; - uint32_t x79; - uint64_t x80; - uint32_t x81; - uint8_t x82; - uint32_t x83; - uint32_t x84; - uint32_t x85; - uint32_t x86; - uint8_t x87; - uint32_t x88; - uint32_t x89; - uint32_t x90; - uint64_t x91; - uint32_t x92; - uint8_t x93; - uint32_t x94; - uint32_t x95; - uint32_t x96; - uint32_t x97; - uint8_t x98; - uint32_t x99; - uint32_t x100; - uint32_t x101; - uint32_t x102; - uint32_t x103; - uint32_t x104; - uint32_t x105; - uint8_t x106; - uint32_t x107; - uint32_t x108; - uint32_t x109; - uint32_t x110; - fiat_secp521r1_uint1 x111; - uint32_t x112; - uint32_t x113; - uint32_t x114; - uint64_t x115; - uint32_t x116; - uint8_t x117; - uint32_t x118; - uint32_t x119; - uint32_t x120; - uint32_t x121; - uint8_t x122; - uint32_t x123; - uint32_t x124; - uint32_t x125; - uint64_t x126; - uint32_t x127; - uint8_t x128; - uint32_t x129; - uint32_t x130; - uint32_t x131; - uint32_t x132; - uint8_t x133; - uint32_t x134; - uint32_t x135; - uint32_t x136; - uint32_t x137; - uint32_t x138; - uint32_t x139; - uint32_t x140; - uint8_t x141; - uint32_t x142; - uint32_t x143; - uint32_t x144; - uint32_t x145; - fiat_secp521r1_uint1 x146; - uint32_t x147; - uint32_t x148; - uint32_t x149; - uint64_t x150; - uint32_t x151; - uint8_t x152; - uint32_t x153; - uint32_t x154; - uint32_t x155; - uint32_t x156; - uint8_t x157; - uint32_t x158; - uint32_t x159; - uint32_t x160; - uint32_t x161; - x1 = ((uint32_t)(fiat_secp521r1_uint1)(arg1[65]) << 26); - x2 = ((uint32_t)(arg1[64]) << 18); - x3 = ((uint32_t)(arg1[63]) << 10); - x4 = ((uint32_t)(arg1[62]) << 2); - x5 = ((uint32_t)(arg1[61]) << 21); - x6 = ((uint32_t)(arg1[60]) << 13); - x7 = ((uint32_t)(arg1[59]) << 5); - x8 = ((uint64_t)(arg1[58]) << 25); - x9 = ((uint32_t)(arg1[57]) << 17); - x10 = ((uint32_t)(arg1[56]) << 9); - x11 = ((uint32_t)(arg1[55]) * 0x2); - x12 = ((uint32_t)(arg1[54]) << 20); - x13 = ((uint32_t)(arg1[53]) << 12); - x14 = ((uint32_t)(arg1[52]) << 4); - x15 = ((uint32_t)(arg1[51]) << 24); - x16 = ((uint32_t)(arg1[50]) << 16); - x17 = ((uint32_t)(arg1[49]) << 8); - x18 = (arg1[48]); - x19 = ((uint32_t)(arg1[47]) << 19); - x20 = ((uint32_t)(arg1[46]) << 11); - x21 = ((uint32_t)(arg1[45]) << 3); - x22 = ((uint32_t)(arg1[44]) << 22); - x23 = ((uint32_t)(arg1[43]) << 14); - x24 = ((uint32_t)(arg1[42]) << 6); - x25 = ((uint64_t)(arg1[41]) << 26); - x26 = ((uint32_t)(arg1[40]) << 18); - x27 = ((uint32_t)(arg1[39]) << 10); - x28 = ((uint32_t)(arg1[38]) << 2); - x29 = ((uint32_t)(arg1[37]) << 21); - x30 = ((uint32_t)(arg1[36]) << 13); - x31 = ((uint32_t)(arg1[35]) << 5); - x32 = ((uint64_t)(arg1[34]) << 25); - x33 = ((uint32_t)(arg1[33]) << 17); - x34 = ((uint32_t)(arg1[32]) << 9); - x35 = ((uint32_t)(arg1[31]) * 0x2); - x36 = ((uint32_t)(arg1[30]) << 20); - x37 = ((uint32_t)(arg1[29]) << 12); - x38 = ((uint32_t)(arg1[28]) << 4); - x39 = ((uint32_t)(arg1[27]) << 24); - x40 = ((uint32_t)(arg1[26]) << 16); - x41 = ((uint32_t)(arg1[25]) << 8); - x42 = (arg1[24]); - x43 = ((uint32_t)(arg1[23]) << 19); - x44 = ((uint32_t)(arg1[22]) << 11); - x45 = ((uint32_t)(arg1[21]) << 3); - x46 = ((uint32_t)(arg1[20]) << 22); - x47 = ((uint32_t)(arg1[19]) << 14); - x48 = ((uint32_t)(arg1[18]) << 6); - x49 = ((uint64_t)(arg1[17]) << 26); - x50 = ((uint32_t)(arg1[16]) << 18); - x51 = ((uint32_t)(arg1[15]) << 10); - x52 = ((uint32_t)(arg1[14]) << 2); - x53 = ((uint32_t)(arg1[13]) << 21); - x54 = ((uint32_t)(arg1[12]) << 13); - x55 = ((uint32_t)(arg1[11]) << 5); - x56 = ((uint64_t)(arg1[10]) << 25); - x57 = ((uint32_t)(arg1[9]) << 17); - x58 = ((uint32_t)(arg1[8]) << 9); - x59 = ((uint32_t)(arg1[7]) * 0x2); - x60 = ((uint32_t)(arg1[6]) << 20); - x61 = ((uint32_t)(arg1[5]) << 12); - x62 = ((uint32_t)(arg1[4]) << 4); - x63 = ((uint32_t)(arg1[3]) << 24); - x64 = ((uint32_t)(arg1[2]) << 16); - x65 = ((uint32_t)(arg1[1]) << 8); - x66 = (arg1[0]); - x67 = (x65 + (uint32_t)x66); - x68 = (x64 + x67); - x69 = (x63 + x68); - x70 = (x69 & UINT32_C(0xfffffff)); - x71 = (uint8_t)(x69 >> 28); - x72 = (x62 + (uint32_t)x71); - x73 = (x61 + x72); - x74 = (x60 + x73); - x75 = (x74 & UINT32_C(0x7ffffff)); - x76 = (fiat_secp521r1_uint1)(x74 >> 27); - x77 = (x59 + (uint32_t)x76); - x78 = (x58 + x77); - x79 = (x57 + x78); - x80 = (x56 + x79); - x81 = (uint32_t)(x80 & UINT32_C(0xfffffff)); - x82 = (uint8_t)(x80 >> 28); - x83 = (x55 + (uint32_t)x82); - x84 = (x54 + x83); - x85 = (x53 + x84); - x86 = (x85 & UINT32_C(0x7ffffff)); - x87 = (uint8_t)(x85 >> 27); - x88 = (x52 + (uint32_t)x87); - x89 = (x51 + x88); - x90 = (x50 + x89); - x91 = (x49 + x90); - x92 = (uint32_t)(x91 & UINT32_C(0xfffffff)); - x93 = (uint8_t)(x91 >> 28); - x94 = (x48 + (uint32_t)x93); - x95 = (x47 + x94); - x96 = (x46 + x95); - x97 = (x96 & UINT32_C(0x7ffffff)); - x98 = (uint8_t)(x96 >> 27); - x99 = (x45 + (uint32_t)x98); - x100 = (x44 + x99); - x101 = (x43 + x100); - x102 = (x41 + (uint32_t)x42); - x103 = (x40 + x102); - x104 = (x39 + x103); - x105 = (x104 & UINT32_C(0xfffffff)); - x106 = (uint8_t)(x104 >> 28); - x107 = (x38 + (uint32_t)x106); - x108 = (x37 + x107); - x109 = (x36 + x108); - x110 = (x109 & UINT32_C(0x7ffffff)); - x111 = (fiat_secp521r1_uint1)(x109 >> 27); - x112 = (x35 + (uint32_t)x111); - x113 = (x34 + x112); - x114 = (x33 + x113); - x115 = (x32 + x114); - x116 = (uint32_t)(x115 & UINT32_C(0xfffffff)); - x117 = (uint8_t)(x115 >> 28); - x118 = (x31 + (uint32_t)x117); - x119 = (x30 + x118); - x120 = (x29 + x119); - x121 = (x120 & UINT32_C(0x7ffffff)); - x122 = (uint8_t)(x120 >> 27); - x123 = (x28 + (uint32_t)x122); - x124 = (x27 + x123); - x125 = (x26 + x124); - x126 = (x25 + x125); - x127 = (uint32_t)(x126 & UINT32_C(0xfffffff)); - x128 = (uint8_t)(x126 >> 28); - x129 = (x24 + (uint32_t)x128); - x130 = (x23 + x129); - x131 = (x22 + x130); - x132 = (x131 & UINT32_C(0x7ffffff)); - x133 = (uint8_t)(x131 >> 27); - x134 = (x21 + (uint32_t)x133); - x135 = (x20 + x134); - x136 = (x19 + x135); - x137 = (x17 + (uint32_t)x18); - x138 = (x16 + x137); - x139 = (x15 + x138); - x140 = (x139 & UINT32_C(0xfffffff)); - x141 = (uint8_t)(x139 >> 28); - x142 = (x14 + (uint32_t)x141); - x143 = (x13 + x142); - x144 = (x12 + x143); - x145 = (x144 & UINT32_C(0x7ffffff)); - x146 = (fiat_secp521r1_uint1)(x144 >> 27); - x147 = (x11 + (uint32_t)x146); - x148 = (x10 + x147); - x149 = (x9 + x148); - x150 = (x8 + x149); - x151 = (uint32_t)(x150 & UINT32_C(0xfffffff)); - x152 = (uint8_t)(x150 >> 28); - x153 = (x7 + (uint32_t)x152); - x154 = (x6 + x153); - x155 = (x5 + x154); - x156 = (x155 & UINT32_C(0x7ffffff)); - x157 = (uint8_t)(x155 >> 27); - x158 = (x4 + (uint32_t)x157); - x159 = (x3 + x158); - x160 = (x2 + x159); - x161 = (x1 + x160); - out1[0] = x70; - out1[1] = x75; - out1[2] = x81; - out1[3] = x86; - out1[4] = x92; - out1[5] = x97; - out1[6] = x101; - out1[7] = x105; - out1[8] = x110; - out1[9] = x116; - out1[10] = x121; - out1[11] = x127; - out1[12] = x132; - out1[13] = x136; - out1[14] = x140; - out1[15] = x145; - out1[16] = x151; - out1[17] = x156; - out1[18] = x161; -} - -/* END verbatim fiat code */ - -/* curve-related constants */ - -static const limb_t const_one[19] = { - UINT32_C(0x00000001), UINT32_C(0x00000000), UINT32_C(0x00000000), - UINT32_C(0x00000000), UINT32_C(0x00000000), UINT32_C(0x00000000), - UINT32_C(0x00000000), UINT32_C(0x00000000), UINT32_C(0x00000000), - UINT32_C(0x00000000), UINT32_C(0x00000000), UINT32_C(0x00000000), - UINT32_C(0x00000000), UINT32_C(0x00000000), UINT32_C(0x00000000), - UINT32_C(0x00000000), UINT32_C(0x00000000), UINT32_C(0x00000000), - UINT32_C(0x00000000) -}; + SECStatus res = SECSuccess; -static const limb_t const_b[19] = { - UINT32_C(0x0B503F00), UINT32_C(0x0451FD46), UINT32_C(0x0869E3DE), - UINT32_C(0x03F107A5), UINT32_C(0x0C1CD5CF), UINT32_C(0x074EEC6F), - UINT32_C(0x00B29605), UINT32_C(0x0C7E937B), UINT32_C(0x0193951E), - UINT32_C(0x0213C2AC), UINT32_C(0x013231DE), UINT32_C(0x07CEE2D2), - UINT32_C(0x06E66CC5), UINT32_C(0x0516D392), UINT32_C(0x068540EE), - UINT32_C(0x01A21A0B), UINT32_C(0x09343F25), UINT32_C(0x072C31C3), - UINT32_C(0x014654FA) -}; - -/* LUT for scalar multiplication by comb interleaving */ -static const pt_aff_t lut_cmb[13][16] = { - { - { { UINT32_C(0x02E5BD66), UINT32_C(0x07E7E31C), UINT32_C(0x048537F2), - UINT32_C(0x067830AD), UINT32_C(0x0378CD22), UINT32_C(0x01E8BFEA), - UINT32_C(0x07F0EE09), UINT32_C(0x0FE75928), UINT32_C(0x04B5E77E), - UINT32_C(0x0A7B7542), UINT32_C(0x05EC0D69), UINT32_C(0x0487E0A2), - UINT32_C(0x06414FED), UINT32_C(0x04E32409), UINT32_C(0x0395B442), - UINT32_C(0x03ECB662), UINT32_C(0x09D39B3C), UINT32_C(0x00D6E080), - UINT32_C(0x031A1638) }, - { UINT32_C(0x0FD16650), UINT32_C(0x03E94769), UINT32_C(0x05848111), - UINT32_C(0x0610D44E), UINT32_C(0x0D84D4F1), UINT32_C(0x004FEB41), - UINT32_C(0x062A85C8), UINT32_C(0x0EF42640), UINT32_C(0x06E72995), - UINT32_C(0x0CCC592F), UINT32_C(0x07A2E4E7), UINT32_C(0x01A05EBE), - UINT32_C(0x0255E6D1), UINT32_C(0x04C7AA22), UINT32_C(0x0C7D1BD9), - UINT32_C(0x00A5FB42), UINT32_C(0x078008B9), UINT32_C(0x054F1347), - UINT32_C(0x0460E4A5) } }, - { { UINT32_C(0x0E37AD7D), UINT32_C(0x0119D2ED), UINT32_C(0x05D40B4B), - UINT32_C(0x0210C586), UINT32_C(0x086EBAD2), UINT32_C(0x05AD67F8), - UINT32_C(0x00ED35E8), UINT32_C(0x0A483205), UINT32_C(0x03F164A3), - UINT32_C(0x051BA35A), UINT32_C(0x074225AF), UINT32_C(0x0AE796B5), - UINT32_C(0x06C48F66), UINT32_C(0x05A95372), UINT32_C(0x05959479), - UINT32_C(0x01D6A64B), UINT32_C(0x0232BBB2), UINT32_C(0x04887BC5), - UINT32_C(0x069CF4D4) }, - { UINT32_C(0x0E86C0E5), UINT32_C(0x0588CA1E), UINT32_C(0x0B2084BE), - UINT32_C(0x01379274), UINT32_C(0x0C33C417), UINT32_C(0x0477B0F1), - UINT32_C(0x016AD676), UINT32_C(0x0DC575B0), UINT32_C(0x02DD4CF8), - UINT32_C(0x0B9DD85C), UINT32_C(0x0563F46A), UINT32_C(0x0C5F4BE2), - UINT32_C(0x020AA740), UINT32_C(0x078AABFD), UINT32_C(0x0AB814F2), - UINT32_C(0x01F86C6C), UINT32_C(0x05BBB32F), UINT32_C(0x072FBF4C), - UINT32_C(0x04FA6C0E) } }, - { { UINT32_C(0x0C8F3078), UINT32_C(0x02B5096E), UINT32_C(0x062E71AB), - UINT32_C(0x043CDB12), UINT32_C(0x068CA75F), UINT32_C(0x03C4DF9E), - UINT32_C(0x038897F5), UINT32_C(0x0E301423), UINT32_C(0x03C0C6D5), - UINT32_C(0x0F59C870), UINT32_C(0x03571E2E), UINT32_C(0x04933C0F), - UINT32_C(0x076D4FC3), UINT32_C(0x03D2CB77), UINT32_C(0x004EB0BF), - UINT32_C(0x03C3391C), UINT32_C(0x08658E7B), UINT32_C(0x00A524F4), - UINT32_C(0x0194AFCF) }, - { UINT32_C(0x0EB090CB), UINT32_C(0x03CC3E8D), UINT32_C(0x09EFF02E), - UINT32_C(0x00E4AE6A), UINT32_C(0x0DE747C0), UINT32_C(0x00473D7F), - UINT32_C(0x0188AA01), UINT32_C(0x072CF374), UINT32_C(0x06897C90), - UINT32_C(0x08E10F76), UINT32_C(0x02F93406), UINT32_C(0x0147B760), - UINT32_C(0x03A1CB80), UINT32_C(0x00E6C7F4), UINT32_C(0x0A811291), - UINT32_C(0x02B73114), UINT32_C(0x03ADD914), UINT32_C(0x037BACC0), - UINT32_C(0x056F9BBC) } }, - { { UINT32_C(0x0816ECD4), UINT32_C(0x04EAD882), UINT32_C(0x04C33403), - UINT32_C(0x07EA1FB8), UINT32_C(0x0F11BE54), UINT32_C(0x043738EE), - UINT32_C(0x064D36F9), UINT32_C(0x0FC698D8), UINT32_C(0x0308D0AB), - UINT32_C(0x0298BB18), UINT32_C(0x02585EE2), UINT32_C(0x08A3C063), - UINT32_C(0x023D520C), UINT32_C(0x02F91707), UINT32_C(0x0B073A0C), - UINT32_C(0x0365FDA0), UINT32_C(0x0EC68DDD), UINT32_C(0x0333AB6F), - UINT32_C(0x015B5747) }, - { UINT32_C(0x0525251B), UINT32_C(0x06B8BC90), UINT32_C(0x0DF8F6B8), - UINT32_C(0x06254BBB), UINT32_C(0x097E79D9), UINT32_C(0x01647386), - UINT32_C(0x04A91D1A), UINT32_C(0x0DEC9E2B), UINT32_C(0x050F293C), - UINT32_C(0x07BCAAD7), UINT32_C(0x033144D9), UINT32_C(0x0375C76F), - UINT32_C(0x040A093C), UINT32_C(0x05AE2C16), UINT32_C(0x09D68478), - UINT32_C(0x058317A3), UINT32_C(0x054221A3), UINT32_C(0x07B37554), - UINT32_C(0x00F4B46D) } }, - { { UINT32_C(0x07CBE207), UINT32_C(0x04562796), UINT32_C(0x0A50CC3E), - UINT32_C(0x0757B0B9), UINT32_C(0x063D3D42), UINT32_C(0x07DC968C), - UINT32_C(0x079E2AB6), UINT32_C(0x0134DA35), UINT32_C(0x029E1396), - UINT32_C(0x0D6CCAE8), UINT32_C(0x0628B718), UINT32_C(0x0A64B12A), - UINT32_C(0x06E621D1), UINT32_C(0x0769A2A0), UINT32_C(0x0156D488), - UINT32_C(0x075BF157), UINT32_C(0x04304D45), UINT32_C(0x046B3C3C), - UINT32_C(0x05614E27) }, - { UINT32_C(0x09AD2A4E), UINT32_C(0x020EA86B), UINT32_C(0x001E6875), - UINT32_C(0x055D2511), UINT32_C(0x01F5CDB0), UINT32_C(0x03D2AFF6), - UINT32_C(0x007FAB76), UINT32_C(0x0057AC84), UINT32_C(0x069E5756), - UINT32_C(0x0688DC1A), UINT32_C(0x0744C7BB), UINT32_C(0x0EDB2096), - UINT32_C(0x053B873A), UINT32_C(0x01844532), UINT32_C(0x07AE938E), - UINT32_C(0x055557A2), UINT32_C(0x0BE73E16), UINT32_C(0x0193515D), - UINT32_C(0x00A8B986) } }, - { { UINT32_C(0x0A0CDB9A), UINT32_C(0x040E02DD), UINT32_C(0x035205D9), - UINT32_C(0x0049F499), UINT32_C(0x02140570), UINT32_C(0x02F8C644), - UINT32_C(0x068CD8D7), UINT32_C(0x0663DA1B), UINT32_C(0x05BC5332), - UINT32_C(0x022CA5E7), UINT32_C(0x058A9E53), UINT32_C(0x02550FBC), - UINT32_C(0x035F05E1), UINT32_C(0x076AEE3F), UINT32_C(0x0B4315CF), - UINT32_C(0x01A39573), UINT32_C(0x0BFEA8DE), UINT32_C(0x024B3FBD), - UINT32_C(0x0229D610) }, - { UINT32_C(0x0E48C808), UINT32_C(0x0074F92C), UINT32_C(0x0336BAB1), - UINT32_C(0x001C7E90), UINT32_C(0x0CDB72B2), UINT32_C(0x06452A54), - UINT32_C(0x01C49198), UINT32_C(0x0B42A4AB), UINT32_C(0x048A90E8), - UINT32_C(0x03705637), UINT32_C(0x02BA9C17), UINT32_C(0x024FB4BA), - UINT32_C(0x00842F41), UINT32_C(0x01D6EAB3), UINT32_C(0x054FB229), - UINT32_C(0x00CA8770), UINT32_C(0x0253093A), UINT32_C(0x07F97744), - UINT32_C(0x025BECC0) } }, - { { UINT32_C(0x02FBCDA7), UINT32_C(0x007848D3), UINT32_C(0x01DFF031), - UINT32_C(0x07601567), UINT32_C(0x0BA52FB0), UINT32_C(0x01E6AE23), - UINT32_C(0x01AA852F), UINT32_C(0x003C996A), UINT32_C(0x0445908E), - UINT32_C(0x070CC265), UINT32_C(0x0257D5EB), UINT32_C(0x08E13BB7), - UINT32_C(0x03786D30), UINT32_C(0x049FB9B6), UINT32_C(0x0924861A), - UINT32_C(0x0065D2B4), UINT32_C(0x0D5B39AF), UINT32_C(0x07309872), - UINT32_C(0x01F8FA63) }, - { UINT32_C(0x022A71C9), UINT32_C(0x01A01FB0), UINT32_C(0x0FD3EE52), - UINT32_C(0x0555F222), UINT32_C(0x0F0D8667), UINT32_C(0x05472FEE), - UINT32_C(0x0136FEE9), UINT32_C(0x08BC763F), UINT32_C(0x03D5D583), - UINT32_C(0x0C425583), UINT32_C(0x04F5CB83), UINT32_C(0x071A71E9), - UINT32_C(0x061B5508), UINT32_C(0x0676A851), UINT32_C(0x03ED5A08), - UINT32_C(0x01926DAA), UINT32_C(0x0FDB5234), UINT32_C(0x056DAF03), - UINT32_C(0x0423B963) } }, - { { UINT32_C(0x0CB8DB55), UINT32_C(0x02FE337B), UINT32_C(0x0F257BD3), - UINT32_C(0x02D303C7), UINT32_C(0x0C766E36), UINT32_C(0x0723F00C), - UINT32_C(0x03C3ADE8), UINT32_C(0x0BD00FFE), UINT32_C(0x01CCE27D), - UINT32_C(0x051C2372), UINT32_C(0x06A65BE2), UINT32_C(0x014B5A5E), - UINT32_C(0x042D0282), UINT32_C(0x05C7DE61), UINT32_C(0x06D4300F), - UINT32_C(0x0558FC54), UINT32_C(0x08CBE082), UINT32_C(0x03579724), - UINT32_C(0x01ADAB62) }, - { UINT32_C(0x01475465), UINT32_C(0x0343480A), UINT32_C(0x057BB2AC), - UINT32_C(0x0219888D), UINT32_C(0x06491BF6), UINT32_C(0x00CB25B2), - UINT32_C(0x010A4711), UINT32_C(0x09470A80), UINT32_C(0x01062C89), - UINT32_C(0x00BDAAFD), UINT32_C(0x020D32E9), UINT32_C(0x02E92D88), - UINT32_C(0x026EB483), UINT32_C(0x06F824B5), UINT32_C(0x03EDBF63), - UINT32_C(0x0664D233), UINT32_C(0x023AD4F9), UINT32_C(0x04E2AE27), - UINT32_C(0x06D1A368) } }, - { { UINT32_C(0x03110AE0), UINT32_C(0x07817A85), UINT32_C(0x034820ED), - UINT32_C(0x00855E1A), UINT32_C(0x003FE30C), UINT32_C(0x06D5A04E), - UINT32_C(0x06FA73CC), UINT32_C(0x04FE0287), UINT32_C(0x00A69E67), - UINT32_C(0x0A10B0EC), UINT32_C(0x049E4D24), UINT32_C(0x0ED35994), - UINT32_C(0x01A7E8AC), UINT32_C(0x04CF74F1), UINT32_C(0x0923906A), - UINT32_C(0x03874645), UINT32_C(0x0DB42741), UINT32_C(0x060FE261), - UINT32_C(0x06C0376D) }, - { UINT32_C(0x00E64647), UINT32_C(0x039CB7C7), UINT32_C(0x0EABEA6B), - UINT32_C(0x02B29856), UINT32_C(0x00839A41), UINT32_C(0x07C5AB7D), - UINT32_C(0x0697B3AB), UINT32_C(0x06DD0BF0), UINT32_C(0x05A564EF), - UINT32_C(0x02647BF3), UINT32_C(0x05856454), UINT32_C(0x02A635A2), - UINT32_C(0x033DA644), UINT32_C(0x05BCCA9A), UINT32_C(0x0EDDD106), - UINT32_C(0x011D4E4A), UINT32_C(0x0AEDB782), UINT32_C(0x03AFB62C), - UINT32_C(0x0215A0FC) } }, - { { UINT32_C(0x08D6A19B), UINT32_C(0x07F0B241), UINT32_C(0x077BC8F1), - UINT32_C(0x0063CE4B), UINT32_C(0x0C37FB3D), UINT32_C(0x075E9165), - UINT32_C(0x049192AB), UINT32_C(0x06266967), UINT32_C(0x03B30963), - UINT32_C(0x01CFE3F4), UINT32_C(0x059B66F2), UINT32_C(0x01FBFFC2), - UINT32_C(0x01D577D5), UINT32_C(0x022DBBF0), UINT32_C(0x05A1A072), - UINT32_C(0x07948C2D), UINT32_C(0x08690F81), UINT32_C(0x0490C833), - UINT32_C(0x02663733) }, - { UINT32_C(0x0BFD0575), UINT32_C(0x0091A695), UINT32_C(0x07FC8952), - UINT32_C(0x0313D53F), UINT32_C(0x0DDFD693), UINT32_C(0x06458C70), - UINT32_C(0x058761CC), UINT32_C(0x02EB8CF9), UINT32_C(0x02D963FF), - UINT32_C(0x0AEE4EE7), UINT32_C(0x05DC6CA8), UINT32_C(0x0D2B3143), - UINT32_C(0x038ADEF3), UINT32_C(0x033E9457), UINT32_C(0x035B245D), - UINT32_C(0x01424975), UINT32_C(0x03DAB987), UINT32_C(0x00C4D404), - UINT32_C(0x04DF5768) } }, - { { UINT32_C(0x03C8C9ED), UINT32_C(0x06F39969), UINT32_C(0x08DA5A85), - UINT32_C(0x02407274), UINT32_C(0x0D6CDEB2), UINT32_C(0x03B609F5), - UINT32_C(0x06CA4BF5), UINT32_C(0x0D62A309), UINT32_C(0x0257EAE4), - UINT32_C(0x0CFF528C), UINT32_C(0x07CEB388), UINT32_C(0x0A606548), - UINT32_C(0x030BB457), UINT32_C(0x01345DCC), UINT32_C(0x09ED3B10), - UINT32_C(0x04855085), UINT32_C(0x07A5F679), UINT32_C(0x00234E85), - UINT32_C(0x06872ECB) }, - { UINT32_C(0x0CBA4DF5), UINT32_C(0x00BC43C9), UINT32_C(0x0996C3CC), - UINT32_C(0x01E2EC93), UINT32_C(0x0B15F26C), UINT32_C(0x05CB18FB), - UINT32_C(0x05F5A1D1), UINT32_C(0x0A483295), UINT32_C(0x0741A53D), - UINT32_C(0x0F4FEFBE), UINT32_C(0x052DED75), UINT32_C(0x09B06028), - UINT32_C(0x0671464F), UINT32_C(0x0741E002), UINT32_C(0x0E40CE62), - UINT32_C(0x012DA7C5), UINT32_C(0x067A9058), UINT32_C(0x07A9F1DD), - UINT32_C(0x04688275) } }, - { { UINT32_C(0x02AF535C), UINT32_C(0x046A5ECE), UINT32_C(0x0CB00D43), - UINT32_C(0x063584D5), UINT32_C(0x0F881F87), UINT32_C(0x02697B14), - UINT32_C(0x074F1FC7), UINT32_C(0x0AF5B0AF), UINT32_C(0x06F83FC9), - UINT32_C(0x0A8A203E), UINT32_C(0x0469A19B), UINT32_C(0x0A092434), - UINT32_C(0x069E17EC), UINT32_C(0x0773D1CD), UINT32_C(0x0F547B8E), - UINT32_C(0x01CACEC5), UINT32_C(0x0B26EDB6), UINT32_C(0x03AE5202), - UINT32_C(0x06B82C9D) }, - { UINT32_C(0x0FA0D000), UINT32_C(0x015C3536), UINT32_C(0x0470ADB0), - UINT32_C(0x008A151A), UINT32_C(0x030884ED), UINT32_C(0x06EC1F74), - UINT32_C(0x01E13D93), UINT32_C(0x0E97FCF4), UINT32_C(0x0043361E), - UINT32_C(0x05B81C21), UINT32_C(0x048F0898), UINT32_C(0x00CAD0C5), - UINT32_C(0x06243416), UINT32_C(0x03EBACFF), UINT32_C(0x0068471C), - UINT32_C(0x022858FC), UINT32_C(0x0A700CD1), UINT32_C(0x004BCA70), - UINT32_C(0x03CB25EA) } }, - { { UINT32_C(0x0F70ACE0), UINT32_C(0x00C2460B), UINT32_C(0x0A7F627F), - UINT32_C(0x01D6384B), UINT32_C(0x0C9F9078), UINT32_C(0x02A9923F), - UINT32_C(0x02B743F1), UINT32_C(0x0C36EE4D), UINT32_C(0x01856917), - UINT32_C(0x03329552), UINT32_C(0x05918A93), UINT32_C(0x0EC471DC), - UINT32_C(0x01946C41), UINT32_C(0x00039881), UINT32_C(0x05DFF9D2), - UINT32_C(0x05874A6F), UINT32_C(0x04306946), UINT32_C(0x05AB8B53), - UINT32_C(0x0553A131) }, - { UINT32_C(0x04C78230), UINT32_C(0x025BCE40), UINT32_C(0x0CD6DA86), - UINT32_C(0x054A8CE5), UINT32_C(0x0BD7BB78), UINT32_C(0x029A965C), - UINT32_C(0x068F11B8), UINT32_C(0x02FBC1A0), UINT32_C(0x06354357), - UINT32_C(0x0CCD4DBD), UINT32_C(0x051102A2), UINT32_C(0x031FD9B0), - UINT32_C(0x02C008A8), UINT32_C(0x00AD491F), UINT32_C(0x0BB60D3F), - UINT32_C(0x02A28F80), UINT32_C(0x008E75C4), UINT32_C(0x0522E322), - UINT32_C(0x03343F73) } }, - { { UINT32_C(0x0002D68B), UINT32_C(0x07643017), UINT32_C(0x088AD06A), - UINT32_C(0x0408925D), UINT32_C(0x08F2C855), UINT32_C(0x036834C5), - UINT32_C(0x0289A9D7), UINT32_C(0x0719D483), UINT32_C(0x032123DA), - UINT32_C(0x0B0A9B01), UINT32_C(0x0230FC26), UINT32_C(0x08B0CFCD), - UINT32_C(0x074393E1), UINT32_C(0x0439CA9A), UINT32_C(0x089E646F), - UINT32_C(0x024D4EB8), UINT32_C(0x036D4EC5), UINT32_C(0x03F0431F), - UINT32_C(0x0580DCFB) }, - { UINT32_C(0x0D90B740), UINT32_C(0x066AECA5), UINT32_C(0x0B5967E7), - UINT32_C(0x07CE13A8), UINT32_C(0x0CB918FF), UINT32_C(0x052A2ED5), - UINT32_C(0x009DC3A7), UINT32_C(0x092EBC54), UINT32_C(0x07A491ED), - UINT32_C(0x0644023D), UINT32_C(0x06F1C343), UINT32_C(0x0EED295B), - UINT32_C(0x0173D4B0), UINT32_C(0x04FE8C9E), UINT32_C(0x0C06A3FA), - UINT32_C(0x0028401A), UINT32_C(0x0FC38BCB), UINT32_C(0x020029B9), - UINT32_C(0x03C565C1) } }, - { { UINT32_C(0x0EDA25DC), UINT32_C(0x03927618), UINT32_C(0x0EDB2C58), - UINT32_C(0x00B2BAA3), UINT32_C(0x0E7BCCF6), UINT32_C(0x03A11FFE), - UINT32_C(0x02001D5C), UINT32_C(0x076D7291), UINT32_C(0x029BC068), - UINT32_C(0x094260B9), UINT32_C(0x0671EECC), UINT32_C(0x07B0A2FB), - UINT32_C(0x047A1899), UINT32_C(0x07CFA289), UINT32_C(0x065A085F), - UINT32_C(0x041FBFCB), UINT32_C(0x0050FB67), UINT32_C(0x02D9296D), - UINT32_C(0x05D31913) }, - { UINT32_C(0x021A0C30), UINT32_C(0x07BBBC48), UINT32_C(0x077F7A30), - UINT32_C(0x024F84DD), UINT32_C(0x00FC19E6), UINT32_C(0x035C1B4C), - UINT32_C(0x02861399), UINT32_C(0x0CE0D90B), UINT32_C(0x00E21952), - UINT32_C(0x0A696F7C), UINT32_C(0x03D6F2B5), UINT32_C(0x07F2D73D), - UINT32_C(0x03F2D910), UINT32_C(0x00119F7C), UINT32_C(0x01B7B782), - UINT32_C(0x02CC95B4), UINT32_C(0x033CD00B), UINT32_C(0x005F0FE8), - UINT32_C(0x046BCE9F) } }, - { { UINT32_C(0x016A8803), UINT32_C(0x057D0E0C), UINT32_C(0x04902444), - UINT32_C(0x06BC911C), UINT32_C(0x0C88373E), UINT32_C(0x0302735A), - UINT32_C(0x07E0A60D), UINT32_C(0x04C9D429), UINT32_C(0x05543A90), - UINT32_C(0x0EE4D9AC), UINT32_C(0x050794BC), UINT32_C(0x0985C982), - UINT32_C(0x0595F0A9), UINT32_C(0x05ABA2C4), UINT32_C(0x07307B7D), - UINT32_C(0x06A58CDB), UINT32_C(0x08CC2A00), UINT32_C(0x019E61E1), - UINT32_C(0x0363A648) }, - { UINT32_C(0x09792D19), UINT32_C(0x04677C73), UINT32_C(0x08631594), - UINT32_C(0x032F8F6A), UINT32_C(0x098EA86F), UINT32_C(0x032B9330), - UINT32_C(0x009CD434), UINT32_C(0x04D14790), UINT32_C(0x06B8C324), - UINT32_C(0x035461EE), UINT32_C(0x06E597DA), UINT32_C(0x00182BBE), - UINT32_C(0x04A3C432), UINT32_C(0x045AA031), UINT32_C(0x014A30EC), - UINT32_C(0x009C13A2), UINT32_C(0x0C730FBE), UINT32_C(0x06A8A94C), - UINT32_C(0x049EC08E) } }, - }, - { - { { UINT32_C(0x043C6A8B), UINT32_C(0x069E114E), UINT32_C(0x02D17119), - UINT32_C(0x07161008), UINT32_C(0x04253BA7), UINT32_C(0x06D7E9D1), - UINT32_C(0x07AFFFEA), UINT32_C(0x0C20088E), UINT32_C(0x009D84CD), - UINT32_C(0x094B5A8B), UINT32_C(0x070C9B19), UINT32_C(0x0A140336), - UINT32_C(0x059D32DC), UINT32_C(0x07D5C770), UINT32_C(0x0B702098), - UINT32_C(0x0646FC6A), UINT32_C(0x06312DAB), UINT32_C(0x05DEF39B), - UINT32_C(0x07B32BAC) }, - { UINT32_C(0x06B04438), UINT32_C(0x0086BBC2), UINT32_C(0x0CE331EB), - UINT32_C(0x07A1DB2A), UINT32_C(0x04798584), UINT32_C(0x0632A66E), - UINT32_C(0x03A4F5AE), UINT32_C(0x03B41996), UINT32_C(0x061944D5), - UINT32_C(0x0E8ECAB0), UINT32_C(0x00E38A9B), UINT32_C(0x0BBF7088), - UINT32_C(0x022E1052), UINT32_C(0x00FB1445), UINT32_C(0x0FF1C5EA), - UINT32_C(0x034DB2F7), UINT32_C(0x04C560D6), UINT32_C(0x050E7FEA), - UINT32_C(0x00B97B7C) } }, - { { UINT32_C(0x004ED5E3), UINT32_C(0x012DA268), UINT32_C(0x08C92EF3), - UINT32_C(0x06F60BF9), UINT32_C(0x0656B119), UINT32_C(0x014823AF), - UINT32_C(0x058D04AC), UINT32_C(0x099D3419), UINT32_C(0x00CFAE71), - UINT32_C(0x0B423A38), UINT32_C(0x05EA80E2), UINT32_C(0x06C1F218), - UINT32_C(0x03E72AD5), UINT32_C(0x0691F49A), UINT32_C(0x04310FAB), - UINT32_C(0x05D250AD), UINT32_C(0x084D7BFA), UINT32_C(0x070595DE), - UINT32_C(0x017825D9) }, - { UINT32_C(0x0A7D5B37), UINT32_C(0x00B0A7A2), UINT32_C(0x0ED3BDEF), - UINT32_C(0x02B29FDB), UINT32_C(0x085BCC71), UINT32_C(0x0455FDD9), - UINT32_C(0x0595CF1F), UINT32_C(0x0040CCA6), UINT32_C(0x04FA2F23), - UINT32_C(0x04A05DD3), UINT32_C(0x07E18B4E), UINT32_C(0x045A2A46), - UINT32_C(0x058F2043), UINT32_C(0x038FC52D), UINT32_C(0x0A7666DC), - UINT32_C(0x0701CE42), UINT32_C(0x04B38B92), UINT32_C(0x01AD842D), - UINT32_C(0x07A0B6A0) } }, - { { UINT32_C(0x029D2024), UINT32_C(0x0728395A), UINT32_C(0x04DB516D), - UINT32_C(0x0504C2CE), UINT32_C(0x03C5DEB1), UINT32_C(0x041CFF48), - UINT32_C(0x014AE223), UINT32_C(0x0856531F), UINT32_C(0x02EC3F65), - UINT32_C(0x0A46F536), UINT32_C(0x04ECB2AA), UINT32_C(0x0FB7289E), - UINT32_C(0x03DE9EFF), UINT32_C(0x0724BAA3), UINT32_C(0x0508D541), - UINT32_C(0x051B73BA), UINT32_C(0x0B38749E), UINT32_C(0x044097DF), - UINT32_C(0x00E5AC8E) }, - { UINT32_C(0x0DDD93A9), UINT32_C(0x04295052), UINT32_C(0x0E03B84C), - UINT32_C(0x00B38799), UINT32_C(0x037F6A48), UINT32_C(0x07614753), - UINT32_C(0x05765258), UINT32_C(0x0E0CA450), UINT32_C(0x07CFB537), - UINT32_C(0x07342BEF), UINT32_C(0x05C319BB), UINT32_C(0x04F3A1F5), - UINT32_C(0x04762545), UINT32_C(0x0589360C), UINT32_C(0x0E5A46C8), - UINT32_C(0x02744137), UINT32_C(0x05E9E991), UINT32_C(0x01523BC2), - UINT32_C(0x062CDAB6) } }, - { { UINT32_C(0x090E92D6), UINT32_C(0x00FA75A5), UINT32_C(0x040D6969), - UINT32_C(0x011D7DDB), UINT32_C(0x0B02AC62), UINT32_C(0x07679C7F), - UINT32_C(0x07FD8A06), UINT32_C(0x0A623D2A), UINT32_C(0x034C8ED2), - UINT32_C(0x07FB351F), UINT32_C(0x008857BA), UINT32_C(0x09AD9171), - UINT32_C(0x03CB7A5B), UINT32_C(0x01A56DB4), UINT32_C(0x09225D29), - UINT32_C(0x07819EC5), UINT32_C(0x0645D37A), UINT32_C(0x0618AED1), - UINT32_C(0x053A82A2) }, - { UINT32_C(0x0662F537), UINT32_C(0x00AB8407), UINT32_C(0x0FF98DF8), - UINT32_C(0x03C0F116), UINT32_C(0x0C87DD6F), UINT32_C(0x00995A87), - UINT32_C(0x036E7BF1), UINT32_C(0x0318B15E), UINT32_C(0x01116415), - UINT32_C(0x00A53CD8), UINT32_C(0x0237AEF5), UINT32_C(0x065DCC5D), - UINT32_C(0x048F2118), UINT32_C(0x011F3E13), UINT32_C(0x0AD27061), - UINT32_C(0x02B7B666), UINT32_C(0x01CB618D), UINT32_C(0x02EC555A), - UINT32_C(0x058DF8C5) } }, - { { UINT32_C(0x0B9839DA), UINT32_C(0x0047D336), UINT32_C(0x09E93377), - UINT32_C(0x00074C09), UINT32_C(0x08B5F722), UINT32_C(0x06A0986D), - UINT32_C(0x03ABD41C), UINT32_C(0x057C1CAA), UINT32_C(0x02B2ACCA), - UINT32_C(0x0FC9B996), UINT32_C(0x05488187), UINT32_C(0x07861011), - UINT32_C(0x0163907B), UINT32_C(0x07F6DAF7), UINT32_C(0x0363BC0E), - UINT32_C(0x058EF00F), UINT32_C(0x05446B66), UINT32_C(0x0514AA79), - UINT32_C(0x04A03953) }, - { UINT32_C(0x0C1962CE), UINT32_C(0x06493BB1), UINT32_C(0x086D6126), - UINT32_C(0x00FCE569), UINT32_C(0x0DC92336), UINT32_C(0x015B8163), - UINT32_C(0x0432A31C), UINT32_C(0x0133A6EE), UINT32_C(0x0578D7AF), - UINT32_C(0x0840A2D3), UINT32_C(0x064C1FC2), UINT32_C(0x085837C8), - UINT32_C(0x0641237D), UINT32_C(0x054AF205), UINT32_C(0x0657C4E2), - UINT32_C(0x04B8B1E0), UINT32_C(0x00272237), UINT32_C(0x05B53E59), - UINT32_C(0x001FEA03) } }, - { { UINT32_C(0x0D2BF9A7), UINT32_C(0x01A65815), UINT32_C(0x06FC3341), - UINT32_C(0x065823F4), UINT32_C(0x01599DE7), UINT32_C(0x070CA981), - UINT32_C(0x067E13C8), UINT32_C(0x009A9A6A), UINT32_C(0x0229B72F), - UINT32_C(0x09B1BC4A), UINT32_C(0x06BCE69A), UINT32_C(0x0FA69B0D), - UINT32_C(0x078B83C0), UINT32_C(0x06E62A5C), UINT32_C(0x021D206C), - UINT32_C(0x04E0CE16), UINT32_C(0x0F728EF3), UINT32_C(0x0453D52E), - UINT32_C(0x01844B54) }, - { UINT32_C(0x020C30CB), UINT32_C(0x04E85BEE), UINT32_C(0x095E4EAF), - UINT32_C(0x075E0168), UINT32_C(0x039C14AF), UINT32_C(0x0370EA5A), - UINT32_C(0x05B0F157), UINT32_C(0x02E11B96), UINT32_C(0x042E3824), - UINT32_C(0x0D5DC5BB), UINT32_C(0x00451C96), UINT32_C(0x0E911392), - UINT32_C(0x0724269B), UINT32_C(0x04003692), UINT32_C(0x076FEA68), - UINT32_C(0x033CBDE1), UINT32_C(0x0417AF7D), UINT32_C(0x00B9592D), - UINT32_C(0x027FA0B4) } }, - { { UINT32_C(0x0B2E6D92), UINT32_C(0x06E8F69A), UINT32_C(0x0DCD1AA5), - UINT32_C(0x01FB27B9), UINT32_C(0x04974F21), UINT32_C(0x027768BA), - UINT32_C(0x02769E05), UINT32_C(0x08C4A5CC), UINT32_C(0x047AF64B), - UINT32_C(0x08B89BB2), UINT32_C(0x02ED5662), UINT32_C(0x03939461), - UINT32_C(0x01F7401B), UINT32_C(0x06FDF357), UINT32_C(0x019C98D9), - UINT32_C(0x07B1E9DD), UINT32_C(0x075DC034), UINT32_C(0x01E0054F), - UINT32_C(0x02A2F727) }, - { UINT32_C(0x0EB71C5F), UINT32_C(0x023BF702), UINT32_C(0x02236711), - UINT32_C(0x012F6D73), UINT32_C(0x0CA22E0A), UINT32_C(0x02359757), - UINT32_C(0x0157DA08), UINT32_C(0x05CB0525), UINT32_C(0x0102CBFE), - UINT32_C(0x0854B694), UINT32_C(0x07F9F306), UINT32_C(0x0A6E3855), - UINT32_C(0x024CCD83), UINT32_C(0x0220CC0E), UINT32_C(0x0AAD6848), - UINT32_C(0x0783A366), UINT32_C(0x0B9AD104), UINT32_C(0x02844B14), - UINT32_C(0x07B5BC13) } }, - { { UINT32_C(0x01490429), UINT32_C(0x07C3B47C), UINT32_C(0x0DB7A58B), - UINT32_C(0x04D10D93), UINT32_C(0x08CA405B), UINT32_C(0x07FD087B), - UINT32_C(0x07C88AC9), UINT32_C(0x07D54451), UINT32_C(0x07010F32), - UINT32_C(0x06D62976), UINT32_C(0x03752EE7), UINT32_C(0x0A2326FD), - UINT32_C(0x00445040), UINT32_C(0x03605DB9), UINT32_C(0x03194920), - UINT32_C(0x01F8F0DF), UINT32_C(0x0F321EF5), UINT32_C(0x0297EC47), - UINT32_C(0x05C97D9A) }, - { UINT32_C(0x087CA374), UINT32_C(0x04D9BD85), UINT32_C(0x09E4C1E2), - UINT32_C(0x05C6B60F), UINT32_C(0x03338BE0), UINT32_C(0x06C38E9F), - UINT32_C(0x030527CA), UINT32_C(0x0F28850A), UINT32_C(0x039421C7), - UINT32_C(0x02DE48C5), UINT32_C(0x0652719F), UINT32_C(0x097E2E6B), - UINT32_C(0x0758DD1C), UINT32_C(0x06788A64), UINT32_C(0x01CDEC4A), - UINT32_C(0x0314A216), UINT32_C(0x022EE734), UINT32_C(0x023BD455), - UINT32_C(0x05EC7716) } }, - { { UINT32_C(0x03ACF0F9), UINT32_C(0x0203D95A), UINT32_C(0x0286435B), - UINT32_C(0x01818DC4), UINT32_C(0x02821B92), UINT32_C(0x06AE5102), - UINT32_C(0x07066934), UINT32_C(0x07BC9150), UINT32_C(0x07BA5607), - UINT32_C(0x0EC5981C), UINT32_C(0x04C69569), UINT32_C(0x03CC0C2A), - UINT32_C(0x07DA94A0), UINT32_C(0x07E65511), UINT32_C(0x086234FB), - UINT32_C(0x05407465), UINT32_C(0x0F825CD7), UINT32_C(0x03F370CC), - UINT32_C(0x00DC963A) }, - { UINT32_C(0x09436D81), UINT32_C(0x04465793), UINT32_C(0x041DBE76), - UINT32_C(0x0384C090), UINT32_C(0x005C5350), UINT32_C(0x07296D6A), - UINT32_C(0x04712C6D), UINT32_C(0x0B8974CF), UINT32_C(0x07A230E5), - UINT32_C(0x0CBF52A8), UINT32_C(0x016C1814), UINT32_C(0x06EDC3F7), - UINT32_C(0x0627F679), UINT32_C(0x0750029A), UINT32_C(0x06E2AA55), - UINT32_C(0x0245FF68), UINT32_C(0x0F8F41C6), UINT32_C(0x00A2BB27), - UINT32_C(0x052BDC1F) } }, - { { UINT32_C(0x06C8D427), UINT32_C(0x0648C043), UINT32_C(0x045E9C01), - UINT32_C(0x042CC909), UINT32_C(0x089A90AA), UINT32_C(0x007114E3), - UINT32_C(0x0085B7C3), UINT32_C(0x0B9DE134), UINT32_C(0x06B0A9E9), - UINT32_C(0x0AAAEBCC), UINT32_C(0x0092A52A), UINT32_C(0x0D6E2713), - UINT32_C(0x05857362), UINT32_C(0x0118376C), UINT32_C(0x000A08F8), - UINT32_C(0x003DE32F), UINT32_C(0x0E3FE6ED), UINT32_C(0x06CFB412), - UINT32_C(0x043D1662) }, - { UINT32_C(0x0D400463), UINT32_C(0x0448C05A), UINT32_C(0x0AE67E6E), - UINT32_C(0x059369CB), UINT32_C(0x0A23C77C), UINT32_C(0x06E7F666), - UINT32_C(0x05BB8233), UINT32_C(0x095E95B6), UINT32_C(0x0284C07C), - UINT32_C(0x0F6C7097), UINT32_C(0x0443F5D5), UINT32_C(0x0301FE7F), - UINT32_C(0x023010C9), UINT32_C(0x009D2363), UINT32_C(0x07BD65C2), - UINT32_C(0x07E297A0), UINT32_C(0x034DDA50), UINT32_C(0x07ADC7E7), - UINT32_C(0x03060E2B) } }, - { { UINT32_C(0x0924C15F), UINT32_C(0x04E07505), UINT32_C(0x08D0DCCF), - UINT32_C(0x01D04769), UINT32_C(0x02E2E204), UINT32_C(0x0713097A), - UINT32_C(0x07E9B59C), UINT32_C(0x07FDCF7A), UINT32_C(0x03E60E03), - UINT32_C(0x0423C6CD), UINT32_C(0x06A163F7), UINT32_C(0x07C0FA8B), - UINT32_C(0x01341D2B), UINT32_C(0x06745C51), UINT32_C(0x03C9DE3A), - UINT32_C(0x06D6D6F5), UINT32_C(0x0F5AF83F), UINT32_C(0x02698DEF), - UINT32_C(0x06091F29) }, - { UINT32_C(0x0DBEEE78), UINT32_C(0x060A02B3), UINT32_C(0x0558AE6B), - UINT32_C(0x07100333), UINT32_C(0x0A312381), UINT32_C(0x02FA9A13), - UINT32_C(0x06D1C0C3), UINT32_C(0x0C625336), UINT32_C(0x03B853CF), - UINT32_C(0x08B3BE37), UINT32_C(0x0104E5D9), UINT32_C(0x053B9B53), - UINT32_C(0x02A2D06C), UINT32_C(0x01CDC864), UINT32_C(0x0F04A867), - UINT32_C(0x07663226), UINT32_C(0x0FD6C54B), UINT32_C(0x040943C5), - UINT32_C(0x03C04D10) } }, - { { UINT32_C(0x090F8C80), UINT32_C(0x0582A686), UINT32_C(0x0BA42ED6), - UINT32_C(0x070A8F1E), UINT32_C(0x0AB02D12), UINT32_C(0x01EB5C3D), - UINT32_C(0x07479B29), UINT32_C(0x04D72C41), UINT32_C(0x0362562E), - UINT32_C(0x06FAF4FC), UINT32_C(0x033FED54), UINT32_C(0x0229578C), - UINT32_C(0x005B4CFB), UINT32_C(0x03BA05BF), UINT32_C(0x0B4A3FBC), - UINT32_C(0x07DBD5D5), UINT32_C(0x05E8639D), UINT32_C(0x07D5867F), - UINT32_C(0x027FE947) }, - { UINT32_C(0x01982847), UINT32_C(0x008A8D79), UINT32_C(0x0B215B64), - UINT32_C(0x06EDECCB), UINT32_C(0x045309BE), UINT32_C(0x055465DE), - UINT32_C(0x0426ED2E), UINT32_C(0x0D49D672), UINT32_C(0x01000B74), - UINT32_C(0x01206E3C), UINT32_C(0x061A0CA8), UINT32_C(0x020BEC03), - UINT32_C(0x02104AC7), UINT32_C(0x03FB64AC), UINT32_C(0x097C06BE), - UINT32_C(0x05DF7C1D), UINT32_C(0x0EFD23AB), UINT32_C(0x042BC8D8), - UINT32_C(0x02A649D7) } }, - { { UINT32_C(0x0643409F), UINT32_C(0x06A50E0A), UINT32_C(0x00C269C2), - UINT32_C(0x0130B8C0), UINT32_C(0x0B25EAD2), UINT32_C(0x07A4A516), - UINT32_C(0x0375B082), UINT32_C(0x0E197F8C), UINT32_C(0x0546B686), - UINT32_C(0x0B8287C5), UINT32_C(0x04A367C1), UINT32_C(0x07DF58A1), - UINT32_C(0x05B7DD15), UINT32_C(0x061763FD), UINT32_C(0x0E2DF8E8), - UINT32_C(0x05ABFC51), UINT32_C(0x087018C8), UINT32_C(0x05935143), - UINT32_C(0x05E9EFA4) }, - { UINT32_C(0x0AF2F29D), UINT32_C(0x0063F9B1), UINT32_C(0x0FB11A34), - UINT32_C(0x02D7C22E), UINT32_C(0x08AF67E7), UINT32_C(0x005AC16C), - UINT32_C(0x047EE080), UINT32_C(0x0B7677A2), UINT32_C(0x04500DDC), - UINT32_C(0x0137CD80), UINT32_C(0x01CF2369), UINT32_C(0x0DE177B8), - UINT32_C(0x018122DE), UINT32_C(0x00EDFC0C), UINT32_C(0x0048B9ED), - UINT32_C(0x043633B7), UINT32_C(0x0666D33E), UINT32_C(0x00317E10), - UINT32_C(0x066100C3) } }, - { { UINT32_C(0x037B93A2), UINT32_C(0x07917621), UINT32_C(0x048F411C), - UINT32_C(0x04EF1E2A), UINT32_C(0x0FC8F91F), UINT32_C(0x04090E1D), - UINT32_C(0x066F78F2), UINT32_C(0x0C2C0207), UINT32_C(0x065E2513), - UINT32_C(0x0F03BADB), UINT32_C(0x03689AF4), UINT32_C(0x0FE959E2), - UINT32_C(0x028B6A5E), UINT32_C(0x0101C577), UINT32_C(0x0C3A5192), - UINT32_C(0x03042F53), UINT32_C(0x0E2A6A29), UINT32_C(0x0231095D), - UINT32_C(0x06E29445) }, - { UINT32_C(0x07A00331), UINT32_C(0x041D85F7), UINT32_C(0x0D189E24), - UINT32_C(0x0294578C), UINT32_C(0x04A9E7A3), UINT32_C(0x037F260A), - UINT32_C(0x060D62BB), UINT32_C(0x07AED3DE), UINT32_C(0x0727FEAB), - UINT32_C(0x0283C99C), UINT32_C(0x05A11B56), UINT32_C(0x08953348), - UINT32_C(0x01A388E1), UINT32_C(0x028932F2), UINT32_C(0x0AFFD5A7), - UINT32_C(0x042CF6C6), UINT32_C(0x072339BA), UINT32_C(0x06344724), - UINT32_C(0x0395F757) } }, - { { UINT32_C(0x01328CE4), UINT32_C(0x01D69A89), UINT32_C(0x03D3B2E3), - UINT32_C(0x0780829F), UINT32_C(0x0848A488), UINT32_C(0x057B85BD), - UINT32_C(0x02051385), UINT32_C(0x06706AD6), UINT32_C(0x02D6482A), - UINT32_C(0x0A8717D0), UINT32_C(0x05383AC5), UINT32_C(0x03250B87), - UINT32_C(0x05C77D8D), UINT32_C(0x05198B6D), UINT32_C(0x03FACF90), - UINT32_C(0x062058A1), UINT32_C(0x008F96B1), UINT32_C(0x01F29CAF), - UINT32_C(0x00358EC7) }, - { UINT32_C(0x0B620A88), UINT32_C(0x06288694), UINT32_C(0x05B21FAC), - UINT32_C(0x03F64B44), UINT32_C(0x0DBD251D), UINT32_C(0x06B0D130), - UINT32_C(0x04314394), UINT32_C(0x02479C97), UINT32_C(0x003417DF), - UINT32_C(0x0318B1D4), UINT32_C(0x0762DFD7), UINT32_C(0x0DDA6BF1), - UINT32_C(0x0214A508), UINT32_C(0x0231DEBD), UINT32_C(0x0D8733B2), - UINT32_C(0x02ACA66C), UINT32_C(0x05C275E4), UINT32_C(0x07A8A625), - UINT32_C(0x001D2426) } }, - { { UINT32_C(0x0C95FF29), UINT32_C(0x0608C2C5), UINT32_C(0x0404108F), - UINT32_C(0x03383226), UINT32_C(0x07F8CE0C), UINT32_C(0x0600859C), - UINT32_C(0x04899A96), UINT32_C(0x00CCD8EA), UINT32_C(0x02796E7C), - UINT32_C(0x0FB706CC), UINT32_C(0x0111E6FC), UINT32_C(0x027E2706), - UINT32_C(0x03EBDDF3), UINT32_C(0x02838065), UINT32_C(0x0585FBC0), - UINT32_C(0x07572ED5), UINT32_C(0x0907E1E4), UINT32_C(0x017E67B8), - UINT32_C(0x041786F0) }, - { UINT32_C(0x04519732), UINT32_C(0x073D0689), UINT32_C(0x0DF32FF7), - UINT32_C(0x01246800), UINT32_C(0x068478E9), UINT32_C(0x031DEA3C), - UINT32_C(0x03E71E8F), UINT32_C(0x08C6C89E), UINT32_C(0x012CDD96), - UINT32_C(0x0AEEE8F4), UINT32_C(0x0121A9C4), UINT32_C(0x01F73DAA), - UINT32_C(0x033160E0), UINT32_C(0x062B3F6E), UINT32_C(0x081E3B9C), - UINT32_C(0x029ED0A5), UINT32_C(0x05F0DBFB), UINT32_C(0x0765E7EB), - UINT32_C(0x06026E18) } }, - }, - { - { { UINT32_C(0x0ED2EB86), UINT32_C(0x073B24CD), UINT32_C(0x01308B7E), - UINT32_C(0x001667D5), UINT32_C(0x06D840A4), UINT32_C(0x01CE15F3), - UINT32_C(0x00EC4628), UINT32_C(0x0BE255D7), UINT32_C(0x039A76B9), - UINT32_C(0x0CA76752), UINT32_C(0x02EA45FE), UINT32_C(0x0CB0A354), - UINT32_C(0x019D90B7), UINT32_C(0x036C0B82), UINT32_C(0x07E353B2), - UINT32_C(0x00B45E15), UINT32_C(0x0E1E3229), UINT32_C(0x06EED669), - UINT32_C(0x07975597) }, - { UINT32_C(0x04B5DE1E), UINT32_C(0x05185A2C), UINT32_C(0x0F1C1594), - UINT32_C(0x01D7FD5B), UINT32_C(0x0CD949EB), UINT32_C(0x02E191E5), - UINT32_C(0x03295CCA), UINT32_C(0x02F97A05), UINT32_C(0x052209AD), - UINT32_C(0x0C0AF1C4), UINT32_C(0x07F93AD2), UINT32_C(0x060F26C1), - UINT32_C(0x0274993E), UINT32_C(0x023CDD4A), UINT32_C(0x08D9B938), - UINT32_C(0x00D32B5E), UINT32_C(0x04FE5190), UINT32_C(0x01AB014D), - UINT32_C(0x05DD64A0) } }, - { { UINT32_C(0x0C2CA70B), UINT32_C(0x0346AE90), UINT32_C(0x0F8387AC), - UINT32_C(0x03ABE62A), UINT32_C(0x029DA053), UINT32_C(0x0041F61B), - UINT32_C(0x02CBC0BF), UINT32_C(0x05243AE9), UINT32_C(0x0360C16B), - UINT32_C(0x0C28A299), UINT32_C(0x0795D938), UINT32_C(0x02AC475A), - UINT32_C(0x0113BEAF), UINT32_C(0x05A671E6), UINT32_C(0x05C8C591), - UINT32_C(0x06924739), UINT32_C(0x02A54EEF), UINT32_C(0x02F274E3), - UINT32_C(0x0049A1CD) }, - { UINT32_C(0x0426994D), UINT32_C(0x07F97B31), UINT32_C(0x0DA0C788), - UINT32_C(0x04B6F8C8), UINT32_C(0x05463D1A), UINT32_C(0x07C155D5), - UINT32_C(0x00BA793E), UINT32_C(0x0AB08953), UINT32_C(0x042C3976), - UINT32_C(0x069C681F), UINT32_C(0x02ABCC5A), UINT32_C(0x024C8F72), - UINT32_C(0x067DF148), UINT32_C(0x0180DD65), UINT32_C(0x042A4819), - UINT32_C(0x01AFAAD4), UINT32_C(0x0334701F), UINT32_C(0x031ADC33), - UINT32_C(0x03AA0140) } }, - { { UINT32_C(0x0BEE1F7B), UINT32_C(0x07EA5E6A), UINT32_C(0x06C716A1), - UINT32_C(0x01C6DCD9), UINT32_C(0x00C62805), UINT32_C(0x06E99086), - UINT32_C(0x047E4182), UINT32_C(0x04E699EA), UINT32_C(0x017F98AF), - UINT32_C(0x0C64E476), UINT32_C(0x0464A2AE), UINT32_C(0x0AF646E7), - UINT32_C(0x0734C8DA), UINT32_C(0x069B3D13), UINT32_C(0x0BD58EFB), - UINT32_C(0x0572D3C4), UINT32_C(0x0889BAF4), UINT32_C(0x049A880A), - UINT32_C(0x01790356) }, - { UINT32_C(0x0D71A4FA), UINT32_C(0x017475C1), UINT32_C(0x0B53C845), - UINT32_C(0x00ED5EC3), UINT32_C(0x072B9DBC), UINT32_C(0x032C8366), - UINT32_C(0x02B3D21C), UINT32_C(0x0E8E8016), UINT32_C(0x04B6FF58), - UINT32_C(0x017276EC), UINT32_C(0x069855EF), UINT32_C(0x0342CFC2), - UINT32_C(0x00D109A0), UINT32_C(0x07614A72), UINT32_C(0x09DC301B), - UINT32_C(0x036B57F5), UINT32_C(0x06CB91C2), UINT32_C(0x03E8DF1A), - UINT32_C(0x070FD727) } }, - { { UINT32_C(0x032574BE), UINT32_C(0x04115A04), UINT32_C(0x0F98172F), - UINT32_C(0x04AEDED0), UINT32_C(0x02519CD4), UINT32_C(0x05A01A73), - UINT32_C(0x06EEA282), UINT32_C(0x0BBAAC38), UINT32_C(0x02CC4028), - UINT32_C(0x03AACD20), UINT32_C(0x01A067DD), UINT32_C(0x0AFED584), - UINT32_C(0x06846B34), UINT32_C(0x01F4D8B2), UINT32_C(0x00AB5080), - UINT32_C(0x02EFB0FB), UINT32_C(0x09F1C68E), UINT32_C(0x01829F05), - UINT32_C(0x008F3C67) }, - { UINT32_C(0x062EC0F0), UINT32_C(0x04CAAFE4), UINT32_C(0x08147733), - UINT32_C(0x038A422E), UINT32_C(0x0085656E), UINT32_C(0x02D1FFD4), - UINT32_C(0x0731016E), UINT32_C(0x022AA6C1), UINT32_C(0x04385C24), - UINT32_C(0x06B4D30A), UINT32_C(0x04FF86E3), UINT32_C(0x0540E9AE), - UINT32_C(0x039185FE), UINT32_C(0x0278D41E), UINT32_C(0x05EEE86F), - UINT32_C(0x05D399FD), UINT32_C(0x07D5B982), UINT32_C(0x0364A589), - UINT32_C(0x07E1654F) } }, - { { UINT32_C(0x0D8CB3CC), UINT32_C(0x06C254BF), UINT32_C(0x0FBC2C5D), - UINT32_C(0x07F746F2), UINT32_C(0x07E4259D), UINT32_C(0x022B49C4), - UINT32_C(0x04CE0ECE), UINT32_C(0x095F3130), UINT32_C(0x064022C7), - UINT32_C(0x076A7307), UINT32_C(0x074FEA23), UINT32_C(0x09CDD626), - UINT32_C(0x0612A401), UINT32_C(0x0562E226), UINT32_C(0x027BA2E0), - UINT32_C(0x01D98EB5), UINT32_C(0x0A54B2FF), UINT32_C(0x0345BAFC), - UINT32_C(0x05CE5083) }, - { UINT32_C(0x082FB619), UINT32_C(0x01E59C7B), UINT32_C(0x07C56C18), - UINT32_C(0x0594E677), UINT32_C(0x0EBA4C47), UINT32_C(0x01F1C6FF), - UINT32_C(0x016B9F48), UINT32_C(0x0443B057), UINT32_C(0x017930FC), - UINT32_C(0x0D94B0A6), UINT32_C(0x0501D4ED), UINT32_C(0x0EB5EA2F), - UINT32_C(0x03F2D8D0), UINT32_C(0x04A1DA92), UINT32_C(0x0A702231), - UINT32_C(0x063C2830), UINT32_C(0x06F5E127), UINT32_C(0x06BE79CE), - UINT32_C(0x06600B2F) } }, - { { UINT32_C(0x0F26ECDA), UINT32_C(0x0052168B), UINT32_C(0x0CBDB9E3), - UINT32_C(0x052FFD0A), UINT32_C(0x02FDCD7B), UINT32_C(0x05791EA2), - UINT32_C(0x03DF5472), UINT32_C(0x0544715D), UINT32_C(0x032F4FBD), - UINT32_C(0x05DA4E99), UINT32_C(0x000977D5), UINT32_C(0x0AEE5E82), - UINT32_C(0x07B5A2B7), UINT32_C(0x02494676), UINT32_C(0x0B416152), - UINT32_C(0x03AC76C7), UINT32_C(0x0B21FDC6), UINT32_C(0x04ECC50E), - UINT32_C(0x02A4E6AB) }, - { UINT32_C(0x031E0BB4), UINT32_C(0x05FC9964), UINT32_C(0x014AC466), - UINT32_C(0x038F82D0), UINT32_C(0x0C0B56B8), UINT32_C(0x0217513C), - UINT32_C(0x0498C923), UINT32_C(0x076EEC28), UINT32_C(0x03824F59), - UINT32_C(0x0B7B1382), UINT32_C(0x056FE399), UINT32_C(0x00794841), - UINT32_C(0x076FEEC8), UINT32_C(0x0219F413), UINT32_C(0x04ABDD19), - UINT32_C(0x04CE2F28), UINT32_C(0x0F2E86F7), UINT32_C(0x02F472AF), - UINT32_C(0x06774781) } }, - { { UINT32_C(0x0CEBC7BE), UINT32_C(0x00221686), UINT32_C(0x04E2E2B5), - UINT32_C(0x02865641), UINT32_C(0x0400F945), UINT32_C(0x01CF69C4), - UINT32_C(0x002D7B22), UINT32_C(0x04D5A98C), UINT32_C(0x075AA74B), - UINT32_C(0x0926F727), UINT32_C(0x0318AD6B), UINT32_C(0x009AE911), - UINT32_C(0x00216BA5), UINT32_C(0x0794C1D5), UINT32_C(0x047BB387), - UINT32_C(0x05890517), UINT32_C(0x0C438287), UINT32_C(0x04D6AF1C), - UINT32_C(0x010C34E7) }, - { UINT32_C(0x02E3859D), UINT32_C(0x06690EFE), UINT32_C(0x0F063DCD), - UINT32_C(0x068C490B), UINT32_C(0x06DE5321), UINT32_C(0x0225E5EC), - UINT32_C(0x0573AFDE), UINT32_C(0x0C5AD59A), UINT32_C(0x064D175A), - UINT32_C(0x09D71327), UINT32_C(0x03D7526B), UINT32_C(0x04C7D696), - UINT32_C(0x05C7C0BF), UINT32_C(0x04314949), UINT32_C(0x064EA7B0), - UINT32_C(0x008652D7), UINT32_C(0x0EA31279), UINT32_C(0x0668F188), - UINT32_C(0x035A0886) } }, - { { UINT32_C(0x02EB8133), UINT32_C(0x03EC558C), UINT32_C(0x088B2CEF), - UINT32_C(0x008352FC), UINT32_C(0x0ECF2FB1), UINT32_C(0x01F0E6BB), - UINT32_C(0x023E4A68), UINT32_C(0x0B9CC299), UINT32_C(0x02937BC1), - UINT32_C(0x0A4FE033), UINT32_C(0x03BAB078), UINT32_C(0x078C8608), - UINT32_C(0x000D53E7), UINT32_C(0x06DA1D39), UINT32_C(0x05E14C61), - UINT32_C(0x035624BE), UINT32_C(0x06669427), UINT32_C(0x079FAB65), - UINT32_C(0x0663AC20) }, - { UINT32_C(0x06835A15), UINT32_C(0x013B136D), UINT32_C(0x08DB323F), - UINT32_C(0x068809A4), UINT32_C(0x02A3957E), UINT32_C(0x0081A010), - UINT32_C(0x06B7C838), UINT32_C(0x074F156F), UINT32_C(0x00F3A4DB), - UINT32_C(0x07ADF165), UINT32_C(0x05A07A0A), UINT32_C(0x0585D310), - UINT32_C(0x02A4FAF9), UINT32_C(0x03A5C451), UINT32_C(0x00426908), - UINT32_C(0x03C76306), UINT32_C(0x0D3289C2), UINT32_C(0x04FD8A7B), - UINT32_C(0x03974EFE) } }, - { { UINT32_C(0x01D85118), UINT32_C(0x03F039A9), UINT32_C(0x0A744F66), - UINT32_C(0x00B874D3), UINT32_C(0x0AD31A3A), UINT32_C(0x07A3C5F8), - UINT32_C(0x045FFFF5), UINT32_C(0x023754A5), UINT32_C(0x02E38CB8), - UINT32_C(0x05910E6C), UINT32_C(0x01773ED0), UINT32_C(0x0835A72A), - UINT32_C(0x01BE848A), UINT32_C(0x07BD444B), UINT32_C(0x0B4AFA36), - UINT32_C(0x03B51CEC), UINT32_C(0x076A82F4), UINT32_C(0x049B5424), - UINT32_C(0x01EDBBC3) }, - { UINT32_C(0x0D472029), UINT32_C(0x07322E8C), UINT32_C(0x0891E31F), - UINT32_C(0x0598F9A4), UINT32_C(0x0B8A6C89), UINT32_C(0x065A918E), - UINT32_C(0x01B36F21), UINT32_C(0x05650472), UINT32_C(0x053A7D69), - UINT32_C(0x05F09FDE), UINT32_C(0x03CE6055), UINT32_C(0x017487DC), - UINT32_C(0x01B03227), UINT32_C(0x013D4913), UINT32_C(0x096CA6AE), - UINT32_C(0x000E46D4), UINT32_C(0x07F35B2C), UINT32_C(0x06FDC86A), - UINT32_C(0x0191F319) } }, - { { UINT32_C(0x0CE12393), UINT32_C(0x015F4FB3), UINT32_C(0x0C3E8E50), - UINT32_C(0x06CE6B2D), UINT32_C(0x0B3C1693), UINT32_C(0x045162F6), - UINT32_C(0x0407EFF6), UINT32_C(0x00A9135E), UINT32_C(0x047CF46F), - UINT32_C(0x04E91DC4), UINT32_C(0x036B9A3C), UINT32_C(0x0134193D), - UINT32_C(0x003E5C05), UINT32_C(0x00082BD9), UINT32_C(0x067D8D47), - UINT32_C(0x02764530), UINT32_C(0x01E6C320), UINT32_C(0x04A28C2A), - UINT32_C(0x048FBA5C) }, - { UINT32_C(0x0CE5DBF5), UINT32_C(0x0385772C), UINT32_C(0x019E313F), - UINT32_C(0x073071A7), UINT32_C(0x0F5FC824), UINT32_C(0x02D63EF3), - UINT32_C(0x02B70267), UINT32_C(0x0A6BE174), UINT32_C(0x076EA84E), - UINT32_C(0x0FA0EBFC), UINT32_C(0x06D310F3), UINT32_C(0x01962AC7), - UINT32_C(0x0209883D), UINT32_C(0x03B86C97), UINT32_C(0x00441CDD), - UINT32_C(0x0066501C), UINT32_C(0x03267C1F), UINT32_C(0x03EAC5C9), - UINT32_C(0x00069F5A) } }, - { { UINT32_C(0x01D1EEDB), UINT32_C(0x0706D366), UINT32_C(0x04DB59F7), - UINT32_C(0x03130058), UINT32_C(0x0FBF1E90), UINT32_C(0x02990341), - UINT32_C(0x052D42D0), UINT32_C(0x0D9F883C), UINT32_C(0x01C3CC5F), - UINT32_C(0x0602F8E0), UINT32_C(0x0719E908), UINT32_C(0x0152A103), - UINT32_C(0x05A33891), UINT32_C(0x0095E49C), UINT32_C(0x07DC00AE), - UINT32_C(0x00D04AA8), UINT32_C(0x034051A0), UINT32_C(0x01C589DC), - UINT32_C(0x044769AA) }, - { UINT32_C(0x05A4238D), UINT32_C(0x038BBADC), UINT32_C(0x024C6D7A), - UINT32_C(0x058D2A82), UINT32_C(0x0BE67DEB), UINT32_C(0x057F5E80), - UINT32_C(0x055D31EA), UINT32_C(0x0DB49C5A), UINT32_C(0x070BEC2C), - UINT32_C(0x0F3322C2), UINT32_C(0x06C3108C), UINT32_C(0x0A1130EB), - UINT32_C(0x01DE1843), UINT32_C(0x002476B9), UINT32_C(0x0C1602A0), - UINT32_C(0x020FD705), UINT32_C(0x0E87B144), UINT32_C(0x00271FD2), - UINT32_C(0x02A1E7C8) } }, - { { UINT32_C(0x0BB71E17), UINT32_C(0x00B697E6), UINT32_C(0x027C50D2), - UINT32_C(0x02FF8F72), UINT32_C(0x052B77CA), UINT32_C(0x02997C16), - UINT32_C(0x013C0178), UINT32_C(0x0F7FCEE6), UINT32_C(0x040B66E5), - UINT32_C(0x03A69C37), UINT32_C(0x02E55D76), UINT32_C(0x00F908D4), - UINT32_C(0x052718AB), UINT32_C(0x0076528F), UINT32_C(0x0306D84E), - UINT32_C(0x07EBCA7C), UINT32_C(0x01165F7E), UINT32_C(0x01DB45A9), - UINT32_C(0x067FCC94) }, - { UINT32_C(0x0791633D), UINT32_C(0x047BD9A1), UINT32_C(0x0A26D9CC), - UINT32_C(0x000BE536), UINT32_C(0x0F022B81), UINT32_C(0x064B6F3C), - UINT32_C(0x03B7DA09), UINT32_C(0x0F632491), UINT32_C(0x02A9B2EF), - UINT32_C(0x029A6C74), UINT32_C(0x039178C1), UINT32_C(0x06C1B980), - UINT32_C(0x025426C4), UINT32_C(0x00AC18E2), UINT32_C(0x0854C009), - UINT32_C(0x07A990A9), UINT32_C(0x0BA40528), UINT32_C(0x05C4D8A8), - UINT32_C(0x0628B343) } }, - { { UINT32_C(0x07812A25), UINT32_C(0x0179F4F9), UINT32_C(0x09DE2C08), - UINT32_C(0x02F4F1F9), UINT32_C(0x04F48E6A), UINT32_C(0x07549212), - UINT32_C(0x016DCA05), UINT32_C(0x07A3A534), UINT32_C(0x0359AADF), - UINT32_C(0x0E969384), UINT32_C(0x061DBB0C), UINT32_C(0x0E368BE3), - UINT32_C(0x07060163), UINT32_C(0x07CA82E3), UINT32_C(0x07332717), - UINT32_C(0x0002DFB2), UINT32_C(0x03AD0A18), UINT32_C(0x0417995E), - UINT32_C(0x0326668F) }, - { UINT32_C(0x09EF75E3), UINT32_C(0x07B04772), UINT32_C(0x0852DCD8), - UINT32_C(0x06097708), UINT32_C(0x0B957C2C), UINT32_C(0x038B98A1), - UINT32_C(0x02B82598), UINT32_C(0x0F132C73), UINT32_C(0x04CE431B), - UINT32_C(0x07D4CBE1), UINT32_C(0x049BA972), UINT32_C(0x00D3788D), - UINT32_C(0x07EDE5A2), UINT32_C(0x0635F8BD), UINT32_C(0x0EB9AB1A), - UINT32_C(0x02C621B4), UINT32_C(0x0BCBFF41), UINT32_C(0x0439D1F9), - UINT32_C(0x003044A8) } }, - { { UINT32_C(0x0CF8D334), UINT32_C(0x037C1C48), UINT32_C(0x05CD52D5), - UINT32_C(0x047578F0), UINT32_C(0x0BE7BC07), UINT32_C(0x06E68827), - UINT32_C(0x076445CB), UINT32_C(0x0FEBF611), UINT32_C(0x00142073), - UINT32_C(0x029F031E), UINT32_C(0x076C6434), UINT32_C(0x0F98F9D0), - UINT32_C(0x034E14D3), UINT32_C(0x038E0268), UINT32_C(0x0191305B), - UINT32_C(0x032A0200), UINT32_C(0x05EF4C75), UINT32_C(0x02826331), - UINT32_C(0x04D82A88) }, - { UINT32_C(0x0D51E170), UINT32_C(0x00D3F07F), UINT32_C(0x08365D15), - UINT32_C(0x0781A3A1), UINT32_C(0x0D4BE663), UINT32_C(0x00175259), - UINT32_C(0x000C1FA1), UINT32_C(0x0F00FCE0), UINT32_C(0x00299B52), - UINT32_C(0x0C7D7E01), UINT32_C(0x052A3C59), UINT32_C(0x07C9CF44), - UINT32_C(0x05E7EE2B), UINT32_C(0x035E7031), UINT32_C(0x0FE2CB7C), - UINT32_C(0x0403D2B4), UINT32_C(0x0FC9A748), UINT32_C(0x07D461AF), - UINT32_C(0x006E35B5) } }, - { { UINT32_C(0x0594D02E), UINT32_C(0x075E6F14), UINT32_C(0x03360822), - UINT32_C(0x03E7DDDB), UINT32_C(0x0F1C6110), UINT32_C(0x072483CF), - UINT32_C(0x03ECF221), UINT32_C(0x0D658C87), UINT32_C(0x060AC74F), - UINT32_C(0x0F51CC4C), UINT32_C(0x03EB69F7), UINT32_C(0x07B2F64B), - UINT32_C(0x0242F07B), UINT32_C(0x058E5984), UINT32_C(0x03A0B7A4), - UINT32_C(0x03CE806B), UINT32_C(0x06139B85), UINT32_C(0x01DAAFE3), - UINT32_C(0x0130F7E5) }, - { UINT32_C(0x020891BB), UINT32_C(0x077E28D4), UINT32_C(0x0AAEAA8D), - UINT32_C(0x00B2D799), UINT32_C(0x0E10388A), UINT32_C(0x001DFD31), - UINT32_C(0x059F85F1), UINT32_C(0x00BC7E55), UINT32_C(0x05309429), - UINT32_C(0x0FEDF8A8), UINT32_C(0x06B52B0D), UINT32_C(0x0E3F8A44), - UINT32_C(0x07A8E2A2), UINT32_C(0x07D5866C), UINT32_C(0x02DBCD7C), - UINT32_C(0x02895FBE), UINT32_C(0x0F66BDAD), UINT32_C(0x048C3CAD), - UINT32_C(0x078587AD) } }, - { { UINT32_C(0x0B1B7656), UINT32_C(0x02A1E440), UINT32_C(0x04EF5EA7), - UINT32_C(0x059FA6A2), UINT32_C(0x0C68CD6D), UINT32_C(0x005E8043), - UINT32_C(0x01AE592B), UINT32_C(0x00DD5F88), UINT32_C(0x0559B430), - UINT32_C(0x0BF3DF59), UINT32_C(0x011CBD52), UINT32_C(0x0DDDE17B), - UINT32_C(0x031D26D8), UINT32_C(0x0148FB57), UINT32_C(0x04EDBF2D), - UINT32_C(0x07220D0D), UINT32_C(0x0F7B0807), UINT32_C(0x076B1F6E), - UINT32_C(0x0306320E) }, - { UINT32_C(0x07EEE80E), UINT32_C(0x0754C15A), UINT32_C(0x093487F6), - UINT32_C(0x023D5CA0), UINT32_C(0x00BD77C2), UINT32_C(0x0271EF5D), - UINT32_C(0x04FAEAB7), UINT32_C(0x07EBA560), UINT32_C(0x015A18D8), - UINT32_C(0x039861D4), UINT32_C(0x041FD3C8), UINT32_C(0x0D5863CB), - UINT32_C(0x066C5F53), UINT32_C(0x06380D15), UINT32_C(0x0E825C9F), - UINT32_C(0x00BA76BE), UINT32_C(0x0BC4E3B8), UINT32_C(0x06216B12), - UINT32_C(0x03B4F0D4) } }, - }, - { - { { UINT32_C(0x0201C48B), UINT32_C(0x073C85A8), UINT32_C(0x095DC61E), - UINT32_C(0x05F14993), UINT32_C(0x0123BD40), UINT32_C(0x05907610), - UINT32_C(0x046FBB4C), UINT32_C(0x0A0F3B82), UINT32_C(0x078A34BB), - UINT32_C(0x003DB127), UINT32_C(0x052D9AD5), UINT32_C(0x05103EE9), - UINT32_C(0x0465988A), UINT32_C(0x005F3641), UINT32_C(0x085495F9), - UINT32_C(0x069A8F20), UINT32_C(0x064AA21B), UINT32_C(0x007CCB01), - UINT32_C(0x04384B61) }, - { UINT32_C(0x051DE678), UINT32_C(0x07820FBE), UINT32_C(0x063426A0), - UINT32_C(0x01B262F0), UINT32_C(0x0B0B9013), UINT32_C(0x045C8465), - UINT32_C(0x0240C64E), UINT32_C(0x0DDA697F), UINT32_C(0x0201A64C), - UINT32_C(0x016B17DF), UINT32_C(0x065E1757), UINT32_C(0x0F6B7334), - UINT32_C(0x07ED2866), UINT32_C(0x028D6370), UINT32_C(0x0E25340A), - UINT32_C(0x002693F4), UINT32_C(0x07D889A8), UINT32_C(0x06B215F7), - UINT32_C(0x062B5959) } }, - { { UINT32_C(0x0D9C3B89), UINT32_C(0x077CC1DC), UINT32_C(0x013DDAA7), - UINT32_C(0x0111C6F8), UINT32_C(0x0577407F), UINT32_C(0x01FF52EA), - UINT32_C(0x06D56CA6), UINT32_C(0x06331227), UINT32_C(0x03AB576F), - UINT32_C(0x0CD7FD4F), UINT32_C(0x06AF74C0), UINT32_C(0x0AD52465), - UINT32_C(0x041865E8), UINT32_C(0x0546A928), UINT32_C(0x00FE8F9D), - UINT32_C(0x07C2CDD8), UINT32_C(0x0C0D3434), UINT32_C(0x030F8525), - UINT32_C(0x05B51E81) }, - { UINT32_C(0x08A5170B), UINT32_C(0x074FC061), UINT32_C(0x0060E606), - UINT32_C(0x017D8D1E), UINT32_C(0x0A8E0395), UINT32_C(0x0428DCF1), - UINT32_C(0x046F46B8), UINT32_C(0x05E254D7), UINT32_C(0x05D05211), - UINT32_C(0x0B46AD84), UINT32_C(0x03446BA1), UINT32_C(0x00CA5FED), - UINT32_C(0x02A8C267), UINT32_C(0x0570EC98), UINT32_C(0x0750367D), - UINT32_C(0x0362D78B), UINT32_C(0x0C84DA94), UINT32_C(0x07AF8D8F), - UINT32_C(0x0583AA8B) } }, - { { UINT32_C(0x09126FAC), UINT32_C(0x06B05898), UINT32_C(0x0872DF85), - UINT32_C(0x048C3352), UINT32_C(0x0331E5B3), UINT32_C(0x076671FB), - UINT32_C(0x02076524), UINT32_C(0x0492A4A3), UINT32_C(0x06D57C7C), - UINT32_C(0x052A5C41), UINT32_C(0x052CA0DF), UINT32_C(0x0E7D0224), - UINT32_C(0x07241BC6), UINT32_C(0x0234848A), UINT32_C(0x048CE05E), - UINT32_C(0x01B286B5), UINT32_C(0x0B054813), UINT32_C(0x02F6EDFC), - UINT32_C(0x0250A4D8) }, - { UINT32_C(0x0831CD9D), UINT32_C(0x04B04313), UINT32_C(0x0F484946), - UINT32_C(0x03B996C8), UINT32_C(0x00F547BB), UINT32_C(0x007A0AA7), - UINT32_C(0x065BBAA5), UINT32_C(0x014C49BC), UINT32_C(0x03D6CABB), - UINT32_C(0x01EF46B3), UINT32_C(0x05A5D159), UINT32_C(0x0EDE3DB4), - UINT32_C(0x00D1B3A0), UINT32_C(0x02F97DFA), UINT32_C(0x0D68EB87), - UINT32_C(0x06CE81C0), UINT32_C(0x00D73B27), UINT32_C(0x0342609A), - UINT32_C(0x019C049C) } }, - { { UINT32_C(0x08BC45E5), UINT32_C(0x015B0C25), UINT32_C(0x0B2A43B0), - UINT32_C(0x00067BBC), UINT32_C(0x07B24685), UINT32_C(0x0046140C), - UINT32_C(0x0157806B), UINT32_C(0x049AE2AD), UINT32_C(0x0113F8DF), - UINT32_C(0x06BBA162), UINT32_C(0x0534E07B), UINT32_C(0x086988E1), - UINT32_C(0x00E2C213), UINT32_C(0x0513FA95), UINT32_C(0x0EC2A78F), - UINT32_C(0x02E28447), UINT32_C(0x011B9FFF), UINT32_C(0x01506FAF), - UINT32_C(0x07B4C5A9) }, - { UINT32_C(0x0AE71753), UINT32_C(0x0151FA30), UINT32_C(0x091691B4), - UINT32_C(0x02ACCC22), UINT32_C(0x0BA74B18), UINT32_C(0x0073B635), - UINT32_C(0x02F0EB55), UINT32_C(0x0CC9DF51), UINT32_C(0x0784FCDA), - UINT32_C(0x0BFAD098), UINT32_C(0x03F5BFD6), UINT32_C(0x006AD5C5), - UINT32_C(0x014F12F5), UINT32_C(0x0745527A), UINT32_C(0x03A6506B), - UINT32_C(0x015CF2C8), UINT32_C(0x039A3185), UINT32_C(0x077CD12B), - UINT32_C(0x02A9BAF3) } }, - { { UINT32_C(0x00D9229F), UINT32_C(0x039D37CD), UINT32_C(0x0948ECC6), - UINT32_C(0x0072BCB0), UINT32_C(0x0A458017), UINT32_C(0x038A159B), - UINT32_C(0x0368034D), UINT32_C(0x0B0315FA), UINT32_C(0x01756900), - UINT32_C(0x04149285), UINT32_C(0x03FFBD8A), UINT32_C(0x0079E774), - UINT32_C(0x0702A2CF), UINT32_C(0x0641C3A8), UINT32_C(0x0F3751BA), - UINT32_C(0x028EDF14), UINT32_C(0x090F681A), UINT32_C(0x012CF177), - UINT32_C(0x04614034) }, - { UINT32_C(0x04E4C072), UINT32_C(0x07E207E1), UINT32_C(0x02D8F8F8), - UINT32_C(0x013BFA68), UINT32_C(0x0CC798F9), UINT32_C(0x014BAAD6), - UINT32_C(0x023BD550), UINT32_C(0x0919F8D1), UINT32_C(0x03C00ADA), - UINT32_C(0x0758236E), UINT32_C(0x058602C2), UINT32_C(0x0FA0FE24), - UINT32_C(0x01A8C5A6), UINT32_C(0x0026B4C4), UINT32_C(0x0534F014), - UINT32_C(0x02CF2A7F), UINT32_C(0x00192714), UINT32_C(0x04B51417), - UINT32_C(0x0168C607) } }, - { { UINT32_C(0x019403A6), UINT32_C(0x04E6BA92), UINT32_C(0x0065202D), - UINT32_C(0x06FDAE5F), UINT32_C(0x0AD1C130), UINT32_C(0x05C03BED), - UINT32_C(0x00D7CFCE), UINT32_C(0x02B63E74), UINT32_C(0x06CD8D97), - UINT32_C(0x00E7608A), UINT32_C(0x05009FCD), UINT32_C(0x01026095), - UINT32_C(0x058890EC), UINT32_C(0x0662F635), UINT32_C(0x0F16F3A2), - UINT32_C(0x06B88A1B), UINT32_C(0x000D681A), UINT32_C(0x05689B12), - UINT32_C(0x0620658C) }, - { UINT32_C(0x0B48EFBA), UINT32_C(0x01574FA6), UINT32_C(0x0FC77D17), - UINT32_C(0x06CDF2A2), UINT32_C(0x0DCEA8A9), UINT32_C(0x00B1DE26), - UINT32_C(0x009A7C7A), UINT32_C(0x0435CC54), UINT32_C(0x06E8AF2E), - UINT32_C(0x09AFC5BC), UINT32_C(0x05124055), UINT32_C(0x045BF6E2), - UINT32_C(0x0536C8AD), UINT32_C(0x073FE4CD), UINT32_C(0x0A467A40), - UINT32_C(0x03EB6B38), UINT32_C(0x05F039C6), UINT32_C(0x00622055), - UINT32_C(0x045DF262) } }, - { { UINT32_C(0x0C5E165D), UINT32_C(0x00A8610A), UINT32_C(0x062AF616), - UINT32_C(0x055190B9), UINT32_C(0x0F988454), UINT32_C(0x0395472A), - UINT32_C(0x036DCD3E), UINT32_C(0x0FDA6187), UINT32_C(0x036EC91D), - UINT32_C(0x0E66FCFC), UINT32_C(0x077BBD1F), UINT32_C(0x0DF3E1C9), - UINT32_C(0x040454AC), UINT32_C(0x03004F37), UINT32_C(0x0CBDED62), - UINT32_C(0x03DD5570), UINT32_C(0x05724DFF), UINT32_C(0x07B6002A), - UINT32_C(0x00B93C70) }, - { UINT32_C(0x06C8A9BC), UINT32_C(0x032D8B60), UINT32_C(0x0C0850D6), - UINT32_C(0x06C94F36), UINT32_C(0x0649CD3A), UINT32_C(0x000C0E51), - UINT32_C(0x07B40760), UINT32_C(0x0BFA6092), UINT32_C(0x019FB910), - UINT32_C(0x092A27FF), UINT32_C(0x02D6F975), UINT32_C(0x0E910EDA), - UINT32_C(0x01FFB3D4), UINT32_C(0x01814FFF), UINT32_C(0x0985A6F8), - UINT32_C(0x06787CA6), UINT32_C(0x0B7B7FC6), UINT32_C(0x01532265), - UINT32_C(0x06228702) } }, - { { UINT32_C(0x0391B195), UINT32_C(0x01F1A68F), UINT32_C(0x0AB9DD28), - UINT32_C(0x000B690E), UINT32_C(0x0C4FD58F), UINT32_C(0x05292C46), - UINT32_C(0x0017D075), UINT32_C(0x010E0044), UINT32_C(0x0709FE41), - UINT32_C(0x02F0CD13), UINT32_C(0x003D99BE), UINT32_C(0x0E6F68D8), - UINT32_C(0x04608708), UINT32_C(0x05B1F159), UINT32_C(0x0A4CFC70), - UINT32_C(0x02FB2946), UINT32_C(0x076D32E5), UINT32_C(0x0482F0ED), - UINT32_C(0x06ED3305) }, - { UINT32_C(0x05C4416F), UINT32_C(0x02270E15), UINT32_C(0x073143E0), - UINT32_C(0x02F4151F), UINT32_C(0x099069A7), UINT32_C(0x05437AEB), - UINT32_C(0x027A90CA), UINT32_C(0x0A75E48C), UINT32_C(0x013FC627), - UINT32_C(0x0300361B), UINT32_C(0x072745C2), UINT32_C(0x0C9DD555), - UINT32_C(0x05D86308), UINT32_C(0x03713AF4), UINT32_C(0x01AF9EBC), - UINT32_C(0x0157F18F), UINT32_C(0x0E008EAF), UINT32_C(0x0409010B), - UINT32_C(0x074F85AA) } }, - { { UINT32_C(0x045C5FF5), UINT32_C(0x046845EE), UINT32_C(0x074B8893), - UINT32_C(0x036C56E2), UINT32_C(0x0CC7B43B), UINT32_C(0x030C1789), - UINT32_C(0x05916A34), UINT32_C(0x0F2AFB7C), UINT32_C(0x0154EDEB), - UINT32_C(0x0407BF3E), UINT32_C(0x05362D80), UINT32_C(0x0CCA97B1), - UINT32_C(0x041BFF6D), UINT32_C(0x05DAE466), UINT32_C(0x07D9D691), - UINT32_C(0x023DBF89), UINT32_C(0x05162F52), UINT32_C(0x000CBF57), - UINT32_C(0x0154EDFD) }, - { UINT32_C(0x08BF712A), UINT32_C(0x06009B91), UINT32_C(0x0AFFBD38), - UINT32_C(0x03FD6332), UINT32_C(0x06CD1DC8), UINT32_C(0x06C678BF), - UINT32_C(0x0040E5CE), UINT32_C(0x02743457), UINT32_C(0x060DF50E), - UINT32_C(0x0691C947), UINT32_C(0x0746D675), UINT32_C(0x0D68B325), - UINT32_C(0x0290D55C), UINT32_C(0x015B144C), UINT32_C(0x05A0332F), - UINT32_C(0x0563DB53), UINT32_C(0x04CED890), UINT32_C(0x04AC67C8), - UINT32_C(0x04387D35) } }, - { { UINT32_C(0x0A66FBB8), UINT32_C(0x05FDBF97), UINT32_C(0x0A47124E), - UINT32_C(0x03FED0AF), UINT32_C(0x082B44B9), UINT32_C(0x0244ADCE), - UINT32_C(0x05980D8A), UINT32_C(0x0687D615), UINT32_C(0x07E4662D), - UINT32_C(0x03F2180A), UINT32_C(0x04BA4DB6), UINT32_C(0x03FE8141), - UINT32_C(0x04B2BC20), UINT32_C(0x006DF40A), UINT32_C(0x0AB2698D), - UINT32_C(0x0365D173), UINT32_C(0x08DE4017), UINT32_C(0x079E6BA2), - UINT32_C(0x02C7A033) }, - { UINT32_C(0x075570A1), UINT32_C(0x06A48901), UINT32_C(0x0492AC74), - UINT32_C(0x077D2844), UINT32_C(0x0DB87BFD), UINT32_C(0x01D218B2), - UINT32_C(0x0522DA69), UINT32_C(0x0B4F7CF4), UINT32_C(0x00841BC4), - UINT32_C(0x0E420155), UINT32_C(0x00BDBB35), UINT32_C(0x0BB5E945), - UINT32_C(0x06FE4123), UINT32_C(0x0435B025), UINT32_C(0x0ACCEA16), - UINT32_C(0x00BE381C), UINT32_C(0x0C3F4D0D), UINT32_C(0x03862E1B), - UINT32_C(0x04A46652) } }, - { { UINT32_C(0x009B3F23), UINT32_C(0x00CFBD75), UINT32_C(0x069BE715), - UINT32_C(0x009C9678), UINT32_C(0x013F2EB4), UINT32_C(0x04EE1278), - UINT32_C(0x06387FDD), UINT32_C(0x0329F9F1), UINT32_C(0x048E212F), - UINT32_C(0x0F24F073), UINT32_C(0x008F0FD5), UINT32_C(0x02F3DAFE), - UINT32_C(0x039C6160), UINT32_C(0x018F4D1D), UINT32_C(0x0E9D0F18), - UINT32_C(0x066F0916), UINT32_C(0x09931852), UINT32_C(0x040EEBEA), - UINT32_C(0x032448BB) }, - { UINT32_C(0x0C226E2C), UINT32_C(0x07706840), UINT32_C(0x0D3C1C34), - UINT32_C(0x07E4BA61), UINT32_C(0x0A51E4A1), UINT32_C(0x038E00FB), - UINT32_C(0x06E25F2A), UINT32_C(0x0C263EC1), UINT32_C(0x078D29D8), - UINT32_C(0x07C7272D), UINT32_C(0x0572E10B), UINT32_C(0x0B83C0DC), - UINT32_C(0x02179CDB), UINT32_C(0x066C84E3), UINT32_C(0x07675170), - UINT32_C(0x00BDF2F6), UINT32_C(0x0F52477D), UINT32_C(0x00FE3151), - UINT32_C(0x05460029) } }, - { { UINT32_C(0x0DA35EBF), UINT32_C(0x066B421E), UINT32_C(0x07116B3C), - UINT32_C(0x077330D7), UINT32_C(0x0CE4D316), UINT32_C(0x027318E8), - UINT32_C(0x04CA0B0C), UINT32_C(0x06EFBBCB), UINT32_C(0x027FF80D), - UINT32_C(0x07B56250), UINT32_C(0x03FBF443), UINT32_C(0x0E5E86E3), - UINT32_C(0x01050837), UINT32_C(0x027F8C63), UINT32_C(0x0040889F), - UINT32_C(0x0233D7DC), UINT32_C(0x085C1EB3), UINT32_C(0x0190948B), - UINT32_C(0x02A42839) }, - { UINT32_C(0x046020F0), UINT32_C(0x04A9DB75), UINT32_C(0x0C1F003A), - UINT32_C(0x05C091F8), UINT32_C(0x069D2F26), UINT32_C(0x05CBE28A), - UINT32_C(0x00B98CA0), UINT32_C(0x0C44F77C), UINT32_C(0x06591FB2), - UINT32_C(0x0336AA95), UINT32_C(0x05A28AC0), UINT32_C(0x0A8AC670), - UINT32_C(0x0735C3E5), UINT32_C(0x049911B7), UINT32_C(0x04F28112), - UINT32_C(0x0532B634), UINT32_C(0x00A3E84F), UINT32_C(0x06EA385D), - UINT32_C(0x01F2A03A) } }, - { { UINT32_C(0x06A09384), UINT32_C(0x0260C3CA), UINT32_C(0x092529A6), - UINT32_C(0x016D77CF), UINT32_C(0x0B8E2D9A), UINT32_C(0x01055E02), - UINT32_C(0x055BC4FD), UINT32_C(0x0CA2C0AF), UINT32_C(0x03A4ABF9), - UINT32_C(0x0290D54C), UINT32_C(0x07B6E3EE), UINT32_C(0x07074346), - UINT32_C(0x047E1F90), UINT32_C(0x06D2B228), UINT32_C(0x064225A4), - UINT32_C(0x06F125F2), UINT32_C(0x0D66264B), UINT32_C(0x01B0F052), - UINT32_C(0x070B7573) }, - { UINT32_C(0x0B2264B8), UINT32_C(0x04D4A619), UINT32_C(0x0AC1F517), - UINT32_C(0x049FE3F8), UINT32_C(0x08BEDBF0), UINT32_C(0x01EB5F66), - UINT32_C(0x0145535A), UINT32_C(0x042D102F), UINT32_C(0x04447303), - UINT32_C(0x067B60A3), UINT32_C(0x043A9645), UINT32_C(0x0D502303), - UINT32_C(0x0669CEC4), UINT32_C(0x052699E3), UINT32_C(0x0E740F66), - UINT32_C(0x011DF90D), UINT32_C(0x006017A2), UINT32_C(0x03C99A89), - UINT32_C(0x069500E3) } }, - { { UINT32_C(0x0184B415), UINT32_C(0x06F26FDD), UINT32_C(0x01E5007E), - UINT32_C(0x038A2542), UINT32_C(0x0DA8A807), UINT32_C(0x078F5424), - UINT32_C(0x04D3FA96), UINT32_C(0x0A456FBD), UINT32_C(0x062853C6), - UINT32_C(0x017211A6), UINT32_C(0x049854E5), UINT32_C(0x0A8F3585), - UINT32_C(0x079A3009), UINT32_C(0x07AFB481), UINT32_C(0x081AFE37), - UINT32_C(0x031A410E), UINT32_C(0x0EADF215), UINT32_C(0x02649FCC), - UINT32_C(0x00A68E58) }, - { UINT32_C(0x0A87B468), UINT32_C(0x0744629E), UINT32_C(0x010788AE), - UINT32_C(0x00DA10EC), UINT32_C(0x07BD591B), UINT32_C(0x07BC474E), - UINT32_C(0x02AE7E4E), UINT32_C(0x074ED106), UINT32_C(0x059550A8), - UINT32_C(0x0C2FBDF7), UINT32_C(0x078A0AB0), UINT32_C(0x019D9F46), - UINT32_C(0x030FE4BE), UINT32_C(0x00DF9F6A), UINT32_C(0x04D2A38F), - UINT32_C(0x052B1469), UINT32_C(0x005AE2E6), UINT32_C(0x07E6C02D), - UINT32_C(0x0283843A) } }, - { { UINT32_C(0x0784F95B), UINT32_C(0x01616DEF), UINT32_C(0x056C696A), - UINT32_C(0x03B98963), UINT32_C(0x085F2426), UINT32_C(0x07BDAC89), - UINT32_C(0x05EAFBF9), UINT32_C(0x09A4C8CC), UINT32_C(0x0558AA78), - UINT32_C(0x0D041BCD), UINT32_C(0x04BDD0B5), UINT32_C(0x037216D5), - UINT32_C(0x06BD4C93), UINT32_C(0x0042A72A), UINT32_C(0x0B4A6F17), - UINT32_C(0x0177EE47), UINT32_C(0x028752B7), UINT32_C(0x0750D182), - UINT32_C(0x04BE36EA) }, - { UINT32_C(0x01DCCF70), UINT32_C(0x05249FC9), UINT32_C(0x063EE812), - UINT32_C(0x0362E5A3), UINT32_C(0x017DB2F0), UINT32_C(0x05508041), - UINT32_C(0x078C050C), UINT32_C(0x0C161A22), UINT32_C(0x078E338A), - UINT32_C(0x0BB9EF36), UINT32_C(0x001185AB), UINT32_C(0x09058EAD), - UINT32_C(0x00D3AF42), UINT32_C(0x02FBEDA9), UINT32_C(0x0996A3FA), - UINT32_C(0x02E0B934), UINT32_C(0x08F57F1A), UINT32_C(0x025EB5CE), - UINT32_C(0x0254456F) } }, - { { UINT32_C(0x08F9B528), UINT32_C(0x04174130), UINT32_C(0x013E12B3), - UINT32_C(0x022B697D), UINT32_C(0x0B0CEF11), UINT32_C(0x03A2E8E2), - UINT32_C(0x00D96F4F), UINT32_C(0x0B4B7DF9), UINT32_C(0x0056458A), - UINT32_C(0x083BA433), UINT32_C(0x068A2473), UINT32_C(0x0D586B52), - UINT32_C(0x00ACD634), UINT32_C(0x01D1EAD7), UINT32_C(0x03036203), - UINT32_C(0x000C0094), UINT32_C(0x047A01B9), UINT32_C(0x0212F1A6), - UINT32_C(0x04D19921) }, - { UINT32_C(0x0837554E), UINT32_C(0x02ECC2C4), UINT32_C(0x0B80FBFE), - UINT32_C(0x07A5E03B), UINT32_C(0x041C1C48), UINT32_C(0x043DD0D4), - UINT32_C(0x04C36416), UINT32_C(0x0869B643), UINT32_C(0x028DC568), - UINT32_C(0x0F15A5D2), UINT32_C(0x00D7FC36), UINT32_C(0x04D7306E), - UINT32_C(0x0306A221), UINT32_C(0x04950B4A), UINT32_C(0x06DC4FCA), - UINT32_C(0x048D5878), UINT32_C(0x0032B7DE), UINT32_C(0x000E5973), - UINT32_C(0x04FFCD15) } }, - }, - { - { { UINT32_C(0x051368EE), UINT32_C(0x03C182D8), UINT32_C(0x0233E580), - UINT32_C(0x0467AAF9), UINT32_C(0x038EEE52), UINT32_C(0x01F8CCEB), - UINT32_C(0x04E7863B), UINT32_C(0x0974DE7F), UINT32_C(0x07C7D47D), - UINT32_C(0x01F4B806), UINT32_C(0x0059F163), UINT32_C(0x07DFA5B8), - UINT32_C(0x0449B3CD), UINT32_C(0x0378D1F4), UINT32_C(0x03486C59), - UINT32_C(0x02FFDC03), UINT32_C(0x0854568F), UINT32_C(0x017FDD91), - UINT32_C(0x0384B0DC) }, - { UINT32_C(0x08A3F84B), UINT32_C(0x065DE2C1), UINT32_C(0x085945B9), - UINT32_C(0x04E5C55A), UINT32_C(0x06CB12ED), UINT32_C(0x07B741CC), - UINT32_C(0x05B2C0EB), UINT32_C(0x0809AC7E), UINT32_C(0x04A46CA2), - UINT32_C(0x061FF16D), UINT32_C(0x03744313), UINT32_C(0x0C777A3B), - UINT32_C(0x0207FD18), UINT32_C(0x0539771F), UINT32_C(0x01004BCB), - UINT32_C(0x04A8FC6F), UINT32_C(0x0F0A63E8), UINT32_C(0x02373910), - UINT32_C(0x072840F7) } }, - { { UINT32_C(0x0E024391), UINT32_C(0x02781D5D), UINT32_C(0x05026331), - UINT32_C(0x025635CD), UINT32_C(0x0492939D), UINT32_C(0x00222466), - UINT32_C(0x0456BF4C), UINT32_C(0x07C8DEE7), UINT32_C(0x000178A5), - UINT32_C(0x051D50AE), UINT32_C(0x02CE451F), UINT32_C(0x01814C6B), - UINT32_C(0x0265AE7F), UINT32_C(0x0312E044), UINT32_C(0x0848FF64), - UINT32_C(0x013BB3DA), UINT32_C(0x0C153136), UINT32_C(0x019DF825), - UINT32_C(0x0462A6B6) }, - { UINT32_C(0x0E9AB68C), UINT32_C(0x04B05DA9), UINT32_C(0x04C2481A), - UINT32_C(0x076E7298), UINT32_C(0x09F0C636), UINT32_C(0x01F7D7D4), - UINT32_C(0x00F9BB8A), UINT32_C(0x0F077B4D), UINT32_C(0x0259165A), - UINT32_C(0x0592DC29), UINT32_C(0x02303769), UINT32_C(0x0EDF23B9), - UINT32_C(0x06E3C4F3), UINT32_C(0x026481C0), UINT32_C(0x033547D1), - UINT32_C(0x04349C82), UINT32_C(0x0FB49FD0), UINT32_C(0x03D48B1E), - UINT32_C(0x00EDD6A9) } }, - { { UINT32_C(0x09496A3E), UINT32_C(0x0779CC41), UINT32_C(0x0F31204C), - UINT32_C(0x01DD9727), UINT32_C(0x0B88711D), UINT32_C(0x0531C3F2), - UINT32_C(0x04294797), UINT32_C(0x043683B3), UINT32_C(0x05DBB4CC), - UINT32_C(0x06B27F93), UINT32_C(0x04CEFE76), UINT32_C(0x02EF8CFB), - UINT32_C(0x065C5182), UINT32_C(0x051D70E4), UINT32_C(0x0B92D89E), - UINT32_C(0x015A48BA), UINT32_C(0x00689714), UINT32_C(0x02F0F899), - UINT32_C(0x03A05527) }, - { UINT32_C(0x04B88B67), UINT32_C(0x0337896D), UINT32_C(0x0AC27DF4), - UINT32_C(0x02CFE168), UINT32_C(0x003AC24A), UINT32_C(0x0287B4A1), - UINT32_C(0x04C9337D), UINT32_C(0x0480FCAA), UINT32_C(0x0385E818), - UINT32_C(0x0698332E), UINT32_C(0x00B177F0), UINT32_C(0x088F3F24), - UINT32_C(0x056A2745), UINT32_C(0x06A53116), UINT32_C(0x0101CC1F), - UINT32_C(0x013E9DBA), UINT32_C(0x06227F55), UINT32_C(0x03D027B4), - UINT32_C(0x02CD8668) } }, - { { UINT32_C(0x0076683D), UINT32_C(0x076BEE0D), UINT32_C(0x0D7D7B4C), - UINT32_C(0x0108643A), UINT32_C(0x0F993C30), UINT32_C(0x07B71D95), - UINT32_C(0x029E4008), UINT32_C(0x034C59B6), UINT32_C(0x00E01922), - UINT32_C(0x062750BC), UINT32_C(0x00DA23D4), UINT32_C(0x0BF7FFAF), - UINT32_C(0x016F2E12), UINT32_C(0x0546677C), UINT32_C(0x038327C5), - UINT32_C(0x07930C31), UINT32_C(0x03297791), UINT32_C(0x06E93707), - UINT32_C(0x0731AA7A) }, - { UINT32_C(0x0B99594F), UINT32_C(0x0300795B), UINT32_C(0x0C5F3D55), - UINT32_C(0x01C1DE37), UINT32_C(0x02FD7C9F), UINT32_C(0x001493C6), - UINT32_C(0x07BB523B), UINT32_C(0x08D81CF9), UINT32_C(0x000974EA), - UINT32_C(0x04B4CFBC), UINT32_C(0x04354B41), UINT32_C(0x0644AB94), - UINT32_C(0x0251A61B), UINT32_C(0x0555FAF5), UINT32_C(0x03713B98), - UINT32_C(0x0597947C), UINT32_C(0x061DDC4D), UINT32_C(0x01C1E655), - UINT32_C(0x05DDAC10) } }, - { { UINT32_C(0x02662A6A), UINT32_C(0x0721BA5B), UINT32_C(0x08BFB362), - UINT32_C(0x02A23D78), UINT32_C(0x04F666A1), UINT32_C(0x060FB317), - UINT32_C(0x0729C7ED), UINT32_C(0x09B1B389), UINT32_C(0x031F8856), - UINT32_C(0x06913D9E), UINT32_C(0x0779217C), UINT32_C(0x0A3634CD), - UINT32_C(0x06292B3F), UINT32_C(0x01E6FDE6), UINT32_C(0x0F97C1F0), - UINT32_C(0x0698999D), UINT32_C(0x0D773548), UINT32_C(0x01ED7CE9), - UINT32_C(0x00FFC55A) }, - { UINT32_C(0x0D76A58E), UINT32_C(0x0195519C), UINT32_C(0x02C2F7AB), - UINT32_C(0x061D1820), UINT32_C(0x09A1252D), UINT32_C(0x07772B8E), - UINT32_C(0x05554A30), UINT32_C(0x0687BCF0), UINT32_C(0x06CE8978), - UINT32_C(0x0961AAB6), UINT32_C(0x0611194A), UINT32_C(0x097F9E4C), - UINT32_C(0x07E8543A), UINT32_C(0x076F7FC5), UINT32_C(0x039F7F09), - UINT32_C(0x074DF751), UINT32_C(0x000B4239), UINT32_C(0x010D59A8), - UINT32_C(0x03F90438) } }, - { { UINT32_C(0x0DA09D54), UINT32_C(0x06AF7630), UINT32_C(0x02BF95A8), - UINT32_C(0x055D4226), UINT32_C(0x059FD1D0), UINT32_C(0x06B060C9), - UINT32_C(0x07D177E4), UINT32_C(0x03F4F180), UINT32_C(0x021C92CF), - UINT32_C(0x02D3DD59), UINT32_C(0x048EB409), UINT32_C(0x07E17E45), - UINT32_C(0x05EEE57B), UINT32_C(0x01B0CED0), UINT32_C(0x0E7E68AB), - UINT32_C(0x043C0C09), UINT32_C(0x0A766549), UINT32_C(0x0006D7E3), - UINT32_C(0x06CB262D) }, - { UINT32_C(0x045007F6), UINT32_C(0x077C78B0), UINT32_C(0x006040A8), - UINT32_C(0x06713C8D), UINT32_C(0x09341EBC), UINT32_C(0x0236E27C), - UINT32_C(0x055A82B4), UINT32_C(0x06F7750F), UINT32_C(0x0669305F), - UINT32_C(0x017EE81A), UINT32_C(0x01216750), UINT32_C(0x0ED65974), - UINT32_C(0x03FEF768), UINT32_C(0x01F1588F), UINT32_C(0x0E26B74A), - UINT32_C(0x078B116C), UINT32_C(0x0B1F0885), UINT32_C(0x05EF5659), - UINT32_C(0x02E63355) } }, - { { UINT32_C(0x0FB0D3ED), UINT32_C(0x003E5A50), UINT32_C(0x0C55AAAF), - UINT32_C(0x0289AC3D), UINT32_C(0x05EF5174), UINT32_C(0x0719E0EE), - UINT32_C(0x01A9C3D8), UINT32_C(0x0DE06CD1), UINT32_C(0x07ED918A), - UINT32_C(0x0BF6A107), UINT32_C(0x06149FAB), UINT32_C(0x0880197B), - UINT32_C(0x060CCF4B), UINT32_C(0x015F00A0), UINT32_C(0x026084C4), - UINT32_C(0x06C15B05), UINT32_C(0x04E4098B), UINT32_C(0x063ED2C8), - UINT32_C(0x058C6384) }, - { UINT32_C(0x040FA002), UINT32_C(0x01B4B412), UINT32_C(0x08A0A8F3), - UINT32_C(0x015D5274), UINT32_C(0x0B3D6C31), UINT32_C(0x0241F67E), - UINT32_C(0x0383A0C0), UINT32_C(0x0D2CCE25), UINT32_C(0x07A721DD), - UINT32_C(0x0FD7994F), UINT32_C(0x04852FC2), UINT32_C(0x0EEB0BC8), - UINT32_C(0x05CF0812), UINT32_C(0x06594895), UINT32_C(0x0F6294B1), - UINT32_C(0x047E9685), UINT32_C(0x03C1ADBF), UINT32_C(0x00B567D9), - UINT32_C(0x005C4AB1) } }, - { { UINT32_C(0x0696BA83), UINT32_C(0x06603D4F), UINT32_C(0x0885A978), - UINT32_C(0x011657F3), UINT32_C(0x0774554D), UINT32_C(0x01806495), - UINT32_C(0x01B33254), UINT32_C(0x0A1BB9D6), UINT32_C(0x03A6DF67), - UINT32_C(0x03AB9C8C), UINT32_C(0x0737480A), UINT32_C(0x00203D86), - UINT32_C(0x04CE906D), UINT32_C(0x0751DBBB), UINT32_C(0x01AB53E1), - UINT32_C(0x01405C83), UINT32_C(0x0894C75D), UINT32_C(0x02ACD3EC), - UINT32_C(0x02926ACF) }, - { UINT32_C(0x0E8C01EF), UINT32_C(0x043477F5), UINT32_C(0x068FA361), - UINT32_C(0x07FC59F7), UINT32_C(0x04967BAC), UINT32_C(0x0236FCA8), - UINT32_C(0x053E4F2C), UINT32_C(0x02BA3E65), UINT32_C(0x05F9F6F0), - UINT32_C(0x064247B4), UINT32_C(0x021B5084), UINT32_C(0x0894325C), - UINT32_C(0x04EFE79C), UINT32_C(0x0188ED3F), UINT32_C(0x0D4FE809), - UINT32_C(0x044BAE94), UINT32_C(0x0C8112AE), UINT32_C(0x05C68229), - UINT32_C(0x07D43896) } }, - { { UINT32_C(0x046C1FB6), UINT32_C(0x077D8036), UINT32_C(0x0295DD8C), - UINT32_C(0x04452F28), UINT32_C(0x0B23C464), UINT32_C(0x0644D5BA), - UINT32_C(0x05069E01), UINT32_C(0x090DF002), UINT32_C(0x03B40591), - UINT32_C(0x01F28172), UINT32_C(0x06905D57), UINT32_C(0x0DF1C74E), - UINT32_C(0x05CE4958), UINT32_C(0x079BDE8E), UINT32_C(0x0D3F2F1A), - UINT32_C(0x04E07C5F), UINT32_C(0x088FF1FA), UINT32_C(0x05C72030), - UINT32_C(0x03BE09B6) }, - { UINT32_C(0x0A78B572), UINT32_C(0x052D6B4B), UINT32_C(0x091101F1), - UINT32_C(0x01EB64B1), UINT32_C(0x0AA87947), UINT32_C(0x01ECBA5D), - UINT32_C(0x03E02CC6), UINT32_C(0x0FDA4839), UINT32_C(0x02FF59B8), - UINT32_C(0x0CA6ED0F), UINT32_C(0x06C0BD08), UINT32_C(0x0948203F), - UINT32_C(0x00417563), UINT32_C(0x03ED5E44), UINT32_C(0x09D9F1D1), - UINT32_C(0x043138E9), UINT32_C(0x087C76A9), UINT32_C(0x0436C464), - UINT32_C(0x065BC41C) } }, - { { UINT32_C(0x0878503F), UINT32_C(0x02F87D12), UINT32_C(0x02476646), - UINT32_C(0x0245CC6E), UINT32_C(0x0D4C90B6), UINT32_C(0x03F5323B), - UINT32_C(0x05B608C2), UINT32_C(0x0E11AA7B), UINT32_C(0x03BBF4CC), - UINT32_C(0x0E62F0E5), UINT32_C(0x03FDD83B), UINT32_C(0x01FAF12E), - UINT32_C(0x00E02D6E), UINT32_C(0x0404666D), UINT32_C(0x0A39480C), - UINT32_C(0x05904EE4), UINT32_C(0x0D422EC7), UINT32_C(0x009272AF), - UINT32_C(0x065E518B) }, - { UINT32_C(0x0947A480), UINT32_C(0x0638CCA2), UINT32_C(0x0B86EFCD), - UINT32_C(0x04C5912B), UINT32_C(0x0416F142), UINT32_C(0x066CD9A8), - UINT32_C(0x0062F342), UINT32_C(0x030CBA20), UINT32_C(0x0675D320), - UINT32_C(0x02C4F492), UINT32_C(0x04263BD8), UINT32_C(0x0B10ED23), - UINT32_C(0x00458FD7), UINT32_C(0x064D3804), UINT32_C(0x030CE729), - UINT32_C(0x055F1902), UINT32_C(0x005C9288), UINT32_C(0x05B65212), - UINT32_C(0x03463ED7) } }, - { { UINT32_C(0x0002FA40), UINT32_C(0x019C27F1), UINT32_C(0x00CBB750), - UINT32_C(0x03DB3435), UINT32_C(0x07286E98), UINT32_C(0x0279AAFF), - UINT32_C(0x06D46384), UINT32_C(0x0A49DB6A), UINT32_C(0x0137478E), - UINT32_C(0x07036ADC), UINT32_C(0x0156A020), UINT32_C(0x03444CA2), - UINT32_C(0x014A059C), UINT32_C(0x062920C4), UINT32_C(0x05340D48), - UINT32_C(0x07AB2B40), UINT32_C(0x060E1CBF), UINT32_C(0x06DBC3C7), - UINT32_C(0x02A6E451) }, - { UINT32_C(0x02203C97), UINT32_C(0x0318811D), UINT32_C(0x02528A1B), - UINT32_C(0x04016192), UINT32_C(0x002C3086), UINT32_C(0x031D212C), - UINT32_C(0x03FC1DA6), UINT32_C(0x0E3A234E), UINT32_C(0x048A2B44), - UINT32_C(0x046AB91A), UINT32_C(0x03F8806B), UINT32_C(0x073943DE), - UINT32_C(0x02B12570), UINT32_C(0x024DEAC9), UINT32_C(0x08C3B2AA), - UINT32_C(0x06910619), UINT32_C(0x01EBE0ED), UINT32_C(0x04FB5E82), - UINT32_C(0x068938E9) } }, - { { UINT32_C(0x06A8409F), UINT32_C(0x03819FA0), UINT32_C(0x04EBCC7D), - UINT32_C(0x05295667), UINT32_C(0x00BD47C4), UINT32_C(0x02F397A5), - UINT32_C(0x00B133A1), UINT32_C(0x073E4AFA), UINT32_C(0x0760D526), - UINT32_C(0x0D372CAA), UINT32_C(0x0068759A), UINT32_C(0x09A7813F), - UINT32_C(0x000A0F4E), UINT32_C(0x01EAF02F), UINT32_C(0x09F88085), - UINT32_C(0x0117D84A), UINT32_C(0x0B583330), UINT32_C(0x07FFDDE3), - UINT32_C(0x00C0B54F) }, - { UINT32_C(0x0593BC03), UINT32_C(0x05294489), UINT32_C(0x0C95575C), - UINT32_C(0x06A16930), UINT32_C(0x07E57953), UINT32_C(0x04258C35), - UINT32_C(0x027EF886), UINT32_C(0x09A129B5), UINT32_C(0x034A8854), - UINT32_C(0x0BB5AF8F), UINT32_C(0x0469C5BA), UINT32_C(0x000C4849), - UINT32_C(0x00CE9665), UINT32_C(0x02759E17), UINT32_C(0x087D763E), - UINT32_C(0x03FB717D), UINT32_C(0x0F3FD635), UINT32_C(0x007CA5FC), - UINT32_C(0x01D3A8B2) } }, - { { UINT32_C(0x068172DA), UINT32_C(0x05B9F788), UINT32_C(0x0612E973), - UINT32_C(0x0052E050), UINT32_C(0x099B39D0), UINT32_C(0x061F5F0F), - UINT32_C(0x0799AF1A), UINT32_C(0x0466C10B), UINT32_C(0x0680E8D3), - UINT32_C(0x04361EC0), UINT32_C(0x05210B2E), UINT32_C(0x0DF23AB3), - UINT32_C(0x02B3A0B2), UINT32_C(0x0380194E), UINT32_C(0x09D77AFB), - UINT32_C(0x06BCE4AB), UINT32_C(0x05EAD2E7), UINT32_C(0x02DD9B74), - UINT32_C(0x033D66F2) }, - { UINT32_C(0x0BF1C993), UINT32_C(0x04E38933), UINT32_C(0x02FC4FAF), - UINT32_C(0x0461AE62), UINT32_C(0x0F6D1B38), UINT32_C(0x021B47B4), - UINT32_C(0x01F061C9), UINT32_C(0x051CC234), UINT32_C(0x01C8E186), - UINT32_C(0x001C7EF9), UINT32_C(0x0664E0E2), UINT32_C(0x048E8CC7), - UINT32_C(0x015C9670), UINT32_C(0x0481B87A), UINT32_C(0x05BCAD05), - UINT32_C(0x003B38E6), UINT32_C(0x00886CA1), UINT32_C(0x00B0D706), - UINT32_C(0x026557A5) } }, - { { UINT32_C(0x05F0E5DA), UINT32_C(0x03682274), UINT32_C(0x0F4E352F), - UINT32_C(0x0105AE83), UINT32_C(0x0A820E71), UINT32_C(0x022C5CEC), - UINT32_C(0x03DD2CFC), UINT32_C(0x0298E61A), UINT32_C(0x00120917), - UINT32_C(0x0B0B64DF), UINT32_C(0x03C1333E), UINT32_C(0x03C5D41B), - UINT32_C(0x04B5D215), UINT32_C(0x0187971D), UINT32_C(0x0389EAD7), - UINT32_C(0x03CFCCE2), UINT32_C(0x063F13FF), UINT32_C(0x0652C165), - UINT32_C(0x07742EFC) }, - { UINT32_C(0x0931C0F0), UINT32_C(0x018F45E5), UINT32_C(0x0C4C756D), - UINT32_C(0x0537A469), UINT32_C(0x0433FB52), UINT32_C(0x0754DECC), - UINT32_C(0x04D896F7), UINT32_C(0x04335219), UINT32_C(0x073BBC0E), - UINT32_C(0x083BA2C0), UINT32_C(0x012D3B9E), UINT32_C(0x023EABD5), - UINT32_C(0x04475CF9), UINT32_C(0x07A0DA39), UINT32_C(0x088DDF48), - UINT32_C(0x002FFFDF), UINT32_C(0x0D8B7000), UINT32_C(0x06504250), - UINT32_C(0x00F1A818) } }, - { { UINT32_C(0x052228CC), UINT32_C(0x06FA4348), UINT32_C(0x0F049E30), - UINT32_C(0x0713CA99), UINT32_C(0x0E5D39FE), UINT32_C(0x0057B8DA), - UINT32_C(0x003125E1), UINT32_C(0x0CC15492), UINT32_C(0x07700BE8), - UINT32_C(0x08CFE785), UINT32_C(0x00CEB57F), UINT32_C(0x0F478327), - UINT32_C(0x05A00945), UINT32_C(0x0490F14E), UINT32_C(0x025BA378), - UINT32_C(0x060ED998), UINT32_C(0x01B249B5), UINT32_C(0x0023BC4C), - UINT32_C(0x04DEDEC8) }, - { UINT32_C(0x0BA1E090), UINT32_C(0x027EBAC8), UINT32_C(0x0DD6FE71), - UINT32_C(0x01F0ADDC), UINT32_C(0x0549F634), UINT32_C(0x06BE8416), - UINT32_C(0x02F156E2), UINT32_C(0x0A531A53), UINT32_C(0x00AFBE73), - UINT32_C(0x0FFF18EB), UINT32_C(0x0020C1DC), UINT32_C(0x0F409F61), - UINT32_C(0x04E3859C), UINT32_C(0x015D5ECF), UINT32_C(0x03B3F268), - UINT32_C(0x0288B503), UINT32_C(0x03A276BD), UINT32_C(0x0286EE9C), - UINT32_C(0x03166F91) } }, - { { UINT32_C(0x0F1CAC2C), UINT32_C(0x035777A8), UINT32_C(0x0AF34113), - UINT32_C(0x050DD855), UINT32_C(0x0B6BC9C1), UINT32_C(0x07010D91), - UINT32_C(0x0452008D), UINT32_C(0x0471A3DA), UINT32_C(0x05830FDC), - UINT32_C(0x0F222BBE), UINT32_C(0x04848384), UINT32_C(0x049CFD4D), - UINT32_C(0x01817D66), UINT32_C(0x0724627E), UINT32_C(0x082270B8), - UINT32_C(0x07ED5A0F), UINT32_C(0x0EEA015A), UINT32_C(0x0700F77E), - UINT32_C(0x007E36E1) }, - { UINT32_C(0x09244F78), UINT32_C(0x049DAC0A), UINT32_C(0x0573D581), - UINT32_C(0x001D1B4C), UINT32_C(0x0F0116EB), UINT32_C(0x03CFFD42), - UINT32_C(0x043FFF66), UINT32_C(0x048523A0), UINT32_C(0x0671CEF3), - UINT32_C(0x0EC2D7AF), UINT32_C(0x0049EBD0), UINT32_C(0x0F4034B6), - UINT32_C(0x05C34B54), UINT32_C(0x025E680B), UINT32_C(0x0D2C5BEA), - UINT32_C(0x06F544F6), UINT32_C(0x0B0CFA5A), UINT32_C(0x018276AE), - UINT32_C(0x077D6B16) } }, - }, - { - { { UINT32_C(0x00E10587), UINT32_C(0x01885D11), UINT32_C(0x00A74863), - UINT32_C(0x02F34C13), UINT32_C(0x0BD4B6A2), UINT32_C(0x00E26C23), - UINT32_C(0x07F483FF), UINT32_C(0x0A97D9DC), UINT32_C(0x02338A61), - UINT32_C(0x07F72547), UINT32_C(0x03535AFC), UINT32_C(0x0B8E96B4), - UINT32_C(0x001E804D), UINT32_C(0x03BD1DFE), UINT32_C(0x0A6ED29A), - UINT32_C(0x0634588A), UINT32_C(0x0F0F6D32), UINT32_C(0x0117DDE8), - UINT32_C(0x037107C5) }, - { UINT32_C(0x0BF698BD), UINT32_C(0x0671195E), UINT32_C(0x0E9DC570), - UINT32_C(0x052CBC52), UINT32_C(0x0C08C8ED), UINT32_C(0x04213081), - UINT32_C(0x00A08E33), UINT32_C(0x0A4BC1ED), UINT32_C(0x00B396EB), - UINT32_C(0x0FF34D08), UINT32_C(0x04A4BDD9), UINT32_C(0x0A6F615E), - UINT32_C(0x0534B5A0), UINT32_C(0x0057D6A7), UINT32_C(0x0F6CE02C), - UINT32_C(0x06F6315B), UINT32_C(0x0D666709), UINT32_C(0x050AF998), - UINT32_C(0x006F0E3F) } }, - { { UINT32_C(0x06965640), UINT32_C(0x0081356B), UINT32_C(0x0F41E038), - UINT32_C(0x06713218), UINT32_C(0x0FB9E806), UINT32_C(0x0121D001), - UINT32_C(0x07B97EDD), UINT32_C(0x0CDDEFA2), UINT32_C(0x0585D94D), - UINT32_C(0x065F4CD7), UINT32_C(0x03CFC91B), UINT32_C(0x06B603EF), - UINT32_C(0x07128C67), UINT32_C(0x030595F0), UINT32_C(0x0E51FB71), - UINT32_C(0x06217FBE), UINT32_C(0x0B730732), UINT32_C(0x06277C1D), - UINT32_C(0x04AE17C6) }, - { UINT32_C(0x0CFB1D0D), UINT32_C(0x053AA14E), UINT32_C(0x0442F9BE), - UINT32_C(0x0786EEC1), UINT32_C(0x0EF775DF), UINT32_C(0x07A66D5B), - UINT32_C(0x032CDF98), UINT32_C(0x0CA3E106), UINT32_C(0x07042EBA), - UINT32_C(0x00FD51A1), UINT32_C(0x02B743F2), UINT32_C(0x0D214308), - UINT32_C(0x03293BD7), UINT32_C(0x0635DC49), UINT32_C(0x0EB86870), - UINT32_C(0x03EB73BF), UINT32_C(0x07F02587), UINT32_C(0x0017A824), - UINT32_C(0x01F012DD) } }, - { { UINT32_C(0x0E0BF039), UINT32_C(0x003B2CD3), UINT32_C(0x0C2C0F48), - UINT32_C(0x039AED35), UINT32_C(0x044C7CCC), UINT32_C(0x0364D078), - UINT32_C(0x02C04409), UINT32_C(0x0CAEF9C4), UINT32_C(0x05C37F4A), - UINT32_C(0x0D99EE77), UINT32_C(0x0200140A), UINT32_C(0x0A3BBBDE), - UINT32_C(0x041E7C9A), UINT32_C(0x0371B744), UINT32_C(0x05A165FF), - UINT32_C(0x05A7216A), UINT32_C(0x0A9CE444), UINT32_C(0x03DD4951), - UINT32_C(0x031EC3D2) }, - { UINT32_C(0x08EAF6EB), UINT32_C(0x0703CD67), UINT32_C(0x0DEBC6FB), - UINT32_C(0x079F8F47), UINT32_C(0x090D3A5B), UINT32_C(0x05FF4EFE), - UINT32_C(0x05A2BC42), UINT32_C(0x006C3961), UINT32_C(0x00795219), - UINT32_C(0x0FF8315E), UINT32_C(0x05BD4244), UINT32_C(0x02EEA381), - UINT32_C(0x02022F89), UINT32_C(0x07878373), UINT32_C(0x084B3FA1), - UINT32_C(0x0715713B), UINT32_C(0x0EF55815), UINT32_C(0x0748BA61), - UINT32_C(0x0445AEE6) } }, - { { UINT32_C(0x0DCBF5E2), UINT32_C(0x03557A9E), UINT32_C(0x063D2A67), - UINT32_C(0x00EFE9F6), UINT32_C(0x09FA350B), UINT32_C(0x03896396), - UINT32_C(0x01F8036E), UINT32_C(0x0DC0F10D), UINT32_C(0x02B56329), - UINT32_C(0x02504A0F), UINT32_C(0x063A7100), UINT32_C(0x0FA5A9E7), - UINT32_C(0x07665FD9), UINT32_C(0x05DE4FB8), UINT32_C(0x00484D0C), - UINT32_C(0x03AEE4FB), UINT32_C(0x046B10E6), UINT32_C(0x04D5E0D6), - UINT32_C(0x01F835F4) }, - { UINT32_C(0x047D2B4B), UINT32_C(0x05847634), UINT32_C(0x0C0A675C), - UINT32_C(0x00120157), UINT32_C(0x07AF8F0E), UINT32_C(0x0251A99B), - UINT32_C(0x00CEE4D0), UINT32_C(0x07351889), UINT32_C(0x0621596F), - UINT32_C(0x00C5618B), UINT32_C(0x066E65D2), UINT32_C(0x049D9FBE), - UINT32_C(0x01E37BCF), UINT32_C(0x01C629C9), UINT32_C(0x0EC1F561), - UINT32_C(0x02AFE546), UINT32_C(0x0005751E), UINT32_C(0x018C42B2), - UINT32_C(0x01EAA03C) } }, - { { UINT32_C(0x0D959BD9), UINT32_C(0x038EEBBB), UINT32_C(0x08419A01), - UINT32_C(0x05F1CCBE), UINT32_C(0x03171501), UINT32_C(0x07C18C55), - UINT32_C(0x035306D9), UINT32_C(0x011DBDEA), UINT32_C(0x036E5963), - UINT32_C(0x090BCEBA), UINT32_C(0x01350854), UINT32_C(0x0BB28AF5), - UINT32_C(0x04F74928), UINT32_C(0x0330FF01), UINT32_C(0x095BA009), - UINT32_C(0x0578BFB6), UINT32_C(0x0FCF0801), UINT32_C(0x03302535), - UINT32_C(0x06BFF304) }, - { UINT32_C(0x0384E611), UINT32_C(0x00AD5348), UINT32_C(0x0E493BE6), - UINT32_C(0x03CA4CDB), UINT32_C(0x0C4D1BD5), UINT32_C(0x027B8CE4), - UINT32_C(0x02E5B4CB), UINT32_C(0x0707AF6D), UINT32_C(0x06A39971), - UINT32_C(0x0BA42E4C), UINT32_C(0x0755E74C), UINT32_C(0x04AD6360), - UINT32_C(0x068A6F0D), UINT32_C(0x023144DE), UINT32_C(0x07375993), - UINT32_C(0x02780B3A), UINT32_C(0x0E492027), UINT32_C(0x05808694), - UINT32_C(0x07431A53) } }, - { { UINT32_C(0x010FBD04), UINT32_C(0x019723AA), UINT32_C(0x025CF109), - UINT32_C(0x03F3A3A7), UINT32_C(0x0D9D8E3F), UINT32_C(0x02F7C4B0), - UINT32_C(0x03DF7DF6), UINT32_C(0x0B60F06D), UINT32_C(0x02A5D26D), - UINT32_C(0x0C5F86A4), UINT32_C(0x06E7FCD9), UINT32_C(0x0DEF388F), - UINT32_C(0x05AC83A6), UINT32_C(0x0217A751), UINT32_C(0x00401D85), - UINT32_C(0x075A320E), UINT32_C(0x01AE8195), UINT32_C(0x06F4F327), - UINT32_C(0x04C77D2F) }, - { UINT32_C(0x09493BE8), UINT32_C(0x00A14C7B), UINT32_C(0x091C8FF9), - UINT32_C(0x01DEAA22), UINT32_C(0x0AB4BA27), UINT32_C(0x0562E012), - UINT32_C(0x07519BAB), UINT32_C(0x062D9AAA), UINT32_C(0x058B7863), - UINT32_C(0x08A2419C), UINT32_C(0x035D8277), UINT32_C(0x0F5C3CF3), - UINT32_C(0x03527C6B), UINT32_C(0x00F3B9E0), UINT32_C(0x0EF25B4A), - UINT32_C(0x0127A8B4), UINT32_C(0x0CE17BD2), UINT32_C(0x0195E53E), - UINT32_C(0x071B9B4C) } }, - { { UINT32_C(0x0DAA2FB7), UINT32_C(0x021B0EB2), UINT32_C(0x0B55E936), - UINT32_C(0x057A20CC), UINT32_C(0x01398941), UINT32_C(0x06E0BA5C), - UINT32_C(0x07DEDA3A), UINT32_C(0x00B1377E), UINT32_C(0x008093F5), - UINT32_C(0x00F8C281), UINT32_C(0x05D4332E), UINT32_C(0x0CF54E5F), - UINT32_C(0x039D7F62), UINT32_C(0x0699AB5B), UINT32_C(0x05FE8914), - UINT32_C(0x01C38070), UINT32_C(0x0685A0AC), UINT32_C(0x0104BEEE), - UINT32_C(0x06E340C1) }, - { UINT32_C(0x0FDAA949), UINT32_C(0x02A92433), UINT32_C(0x04E882FB), - UINT32_C(0x0435EA3D), UINT32_C(0x0CFC4BD1), UINT32_C(0x065698D5), - UINT32_C(0x02B61BEC), UINT32_C(0x0A7025E9), UINT32_C(0x06C77C84), - UINT32_C(0x066340BA), UINT32_C(0x07C0B02F), UINT32_C(0x0F9B4BCA), - UINT32_C(0x0207D1CA), UINT32_C(0x061D80D9), UINT32_C(0x061524CC), - UINT32_C(0x03F6A9F8), UINT32_C(0x094B6D53), UINT32_C(0x017C53E1), - UINT32_C(0x00BC771D) } }, - { { UINT32_C(0x0C8D6167), UINT32_C(0x0171F9BD), UINT32_C(0x05943DEC), - UINT32_C(0x01837B9B), UINT32_C(0x06E46FBD), UINT32_C(0x050C893D), - UINT32_C(0x0034F50C), UINT32_C(0x0E98EEDA), UINT32_C(0x06603ADA), - UINT32_C(0x0FF3362D), UINT32_C(0x023406A4), UINT32_C(0x03DC7095), - UINT32_C(0x03BCCC93), UINT32_C(0x033BDFE7), UINT32_C(0x0AA65D81), - UINT32_C(0x0739E2AF), UINT32_C(0x03455112), UINT32_C(0x06643DC0), - UINT32_C(0x020DF18F) }, - { UINT32_C(0x084BF04E), UINT32_C(0x024B7756), UINT32_C(0x059E51F9), - UINT32_C(0x05998215), UINT32_C(0x03684ACA), UINT32_C(0x065BD6DC), - UINT32_C(0x03075ACB), UINT32_C(0x01AD9C9A), UINT32_C(0x07375334), - UINT32_C(0x01731A12), UINT32_C(0x000384D3), UINT32_C(0x02632FF6), - UINT32_C(0x0023BB3A), UINT32_C(0x0348AF93), UINT32_C(0x088B02BB), - UINT32_C(0x02C7DE6E), UINT32_C(0x0933F326), UINT32_C(0x00B1B61E), - UINT32_C(0x076AC60E) } }, - { { UINT32_C(0x0757C756), UINT32_C(0x05545A21), UINT32_C(0x018FFA93), - UINT32_C(0x06C9A78F), UINT32_C(0x02C61841), UINT32_C(0x040A1739), - UINT32_C(0x04441B1D), UINT32_C(0x052E0E81), UINT32_C(0x07E14C4D), - UINT32_C(0x0FFFC0D5), UINT32_C(0x03072E2E), UINT32_C(0x007584A9), - UINT32_C(0x01259E6D), UINT32_C(0x002D25F5), UINT32_C(0x0C519B94), - UINT32_C(0x01BB1C14), UINT32_C(0x02CEB824), UINT32_C(0x02BBBEA4), - UINT32_C(0x035E112A) }, - { UINT32_C(0x0288CF7B), UINT32_C(0x0045C5C7), UINT32_C(0x002D8D8C), - UINT32_C(0x03BE5B42), UINT32_C(0x0A81E4C6), UINT32_C(0x0141578F), - UINT32_C(0x033F7AC2), UINT32_C(0x0EE71541), UINT32_C(0x067EAD7B), - UINT32_C(0x07E75F23), UINT32_C(0x011AF108), UINT32_C(0x047CA170), - UINT32_C(0x05308227), UINT32_C(0x054879D4), UINT32_C(0x0A37B132), - UINT32_C(0x00E6D1CA), UINT32_C(0x0629367A), UINT32_C(0x03276C5F), - UINT32_C(0x004CBC63) } }, - { { UINT32_C(0x00CF69E7), UINT32_C(0x0584FC9D), UINT32_C(0x06952F73), - UINT32_C(0x0281D51C), UINT32_C(0x037663C6), UINT32_C(0x0537F046), - UINT32_C(0x0725FFD4), UINT32_C(0x0C66B9FC), UINT32_C(0x049A3EDF), - UINT32_C(0x0F4FB830), UINT32_C(0x06728E50), UINT32_C(0x07B188F6), - UINT32_C(0x021C067A), UINT32_C(0x06F06BE8), UINT32_C(0x00AA347B), - UINT32_C(0x031AABF8), UINT32_C(0x03347446), UINT32_C(0x04B62373), - UINT32_C(0x043D128D) }, - { UINT32_C(0x02AE7427), UINT32_C(0x00F73AC9), UINT32_C(0x0095D833), - UINT32_C(0x00E6005C), UINT32_C(0x007FD8B7), UINT32_C(0x074C2204), - UINT32_C(0x00283649), UINT32_C(0x084EDD51), UINT32_C(0x05AC7321), - UINT32_C(0x08C40328), UINT32_C(0x04BFB5EF), UINT32_C(0x0A555FE0), - UINT32_C(0x04C70C7C), UINT32_C(0x076D0055), UINT32_C(0x0425B2E6), - UINT32_C(0x029D910F), UINT32_C(0x0B0A51DB), UINT32_C(0x04B38F9B), - UINT32_C(0x01028D80) } }, - { { UINT32_C(0x0F3DE4D2), UINT32_C(0x06047E27), UINT32_C(0x03505298), - UINT32_C(0x062523ED), UINT32_C(0x0F0D4A9F), UINT32_C(0x0150EF42), - UINT32_C(0x056CBCAD), UINT32_C(0x0B36A628), UINT32_C(0x071A352A), - UINT32_C(0x0D7A2CB8), UINT32_C(0x050FEDFC), UINT32_C(0x02BAC823), - UINT32_C(0x010EDF77), UINT32_C(0x0459668A), UINT32_C(0x04041659), - UINT32_C(0x07432BB7), UINT32_C(0x0F9651D8), UINT32_C(0x01999DE2), - UINT32_C(0x00CBECA1) }, - { UINT32_C(0x06A2607F), UINT32_C(0x06DC83E9), UINT32_C(0x005B1A08), - UINT32_C(0x05B9405C), UINT32_C(0x091E04D3), UINT32_C(0x0546E232), - UINT32_C(0x0566FE22), UINT32_C(0x0695BB9A), UINT32_C(0x0074A612), - UINT32_C(0x0E9787A0), UINT32_C(0x077B1860), UINT32_C(0x05404661), - UINT32_C(0x00184991), UINT32_C(0x02A1C038), UINT32_C(0x0A57F0B8), - UINT32_C(0x0382A987), UINT32_C(0x0691AC01), UINT32_C(0x02D8A8A9), - UINT32_C(0x05A19B11) } }, - { { UINT32_C(0x081DC2A6), UINT32_C(0x017A4663), UINT32_C(0x0209D21F), - UINT32_C(0x06A6AA7F), UINT32_C(0x051CC44C), UINT32_C(0x000D763F), - UINT32_C(0x034EFD90), UINT32_C(0x0DEE4042), UINT32_C(0x07CBAFFB), - UINT32_C(0x082C34D9), UINT32_C(0x02EB3FE5), UINT32_C(0x0BF15295), - UINT32_C(0x027D4089), UINT32_C(0x056DBCC8), UINT32_C(0x024595A7), - UINT32_C(0x03EC08BE), UINT32_C(0x057085E2), UINT32_C(0x017E7356), - UINT32_C(0x049CE745) }, - { UINT32_C(0x0123BA29), UINT32_C(0x0045804E), UINT32_C(0x08DEDF0E), - UINT32_C(0x00CB57D1), UINT32_C(0x0F61E577), UINT32_C(0x06EB6B79), - UINT32_C(0x05E3EED1), UINT32_C(0x09CB4DCD), UINT32_C(0x05DAE17F), - UINT32_C(0x034F393E), UINT32_C(0x03F5164C), UINT32_C(0x05F3C4A2), - UINT32_C(0x0708CC05), UINT32_C(0x04F2CAC7), UINT32_C(0x0798DD7C), - UINT32_C(0x0513331D), UINT32_C(0x004B3A41), UINT32_C(0x00801443), - UINT32_C(0x0196B762) } }, - { { UINT32_C(0x0356B52C), UINT32_C(0x03557744), UINT32_C(0x050104FE), - UINT32_C(0x069B4687), UINT32_C(0x0337937D), UINT32_C(0x018C3F4F), - UINT32_C(0x00568175), UINT32_C(0x01EE408E), UINT32_C(0x04092DE8), - UINT32_C(0x05E59E83), UINT32_C(0x0299816F), UINT32_C(0x05556DCC), - UINT32_C(0x038621D8), UINT32_C(0x0278A753), UINT32_C(0x05BC9211), - UINT32_C(0x009E162C), UINT32_C(0x0A3409DC), UINT32_C(0x04076EA9), - UINT32_C(0x0464CEC0) }, - { UINT32_C(0x0A659158), UINT32_C(0x022396D5), UINT32_C(0x08424377), - UINT32_C(0x0054703B), UINT32_C(0x0D2722F5), UINT32_C(0x03BAEB8A), - UINT32_C(0x04B65383), UINT32_C(0x07997DDA), UINT32_C(0x07F6A3B2), - UINT32_C(0x0BAFF348), UINT32_C(0x0299F9D9), UINT32_C(0x0B97AA04), - UINT32_C(0x02BA4DB8), UINT32_C(0x0696475F), UINT32_C(0x0B68D089), - UINT32_C(0x0472CB9F), UINT32_C(0x08CACFAE), UINT32_C(0x028807A6), - UINT32_C(0x009288EF) } }, - { { UINT32_C(0x0ED9CDF5), UINT32_C(0x00B31C4E), UINT32_C(0x0C549857), - UINT32_C(0x02D7F964), UINT32_C(0x074F9F98), UINT32_C(0x0792DF5F), - UINT32_C(0x020ED722), UINT32_C(0x0AA8C982), UINT32_C(0x02A2408C), - UINT32_C(0x053CDF30), UINT32_C(0x01CF47E5), UINT32_C(0x08E3FF2F), - UINT32_C(0x0333087A), UINT32_C(0x028090D6), UINT32_C(0x032F6CA0), - UINT32_C(0x02CF642E), UINT32_C(0x0DAB4498), UINT32_C(0x04A66B66), - UINT32_C(0x07248BCE) }, - { UINT32_C(0x092B1FE6), UINT32_C(0x02AD6EEE), UINT32_C(0x0EB5963E), - UINT32_C(0x0621B6BD), UINT32_C(0x04A1A8EF), UINT32_C(0x0374D40D), - UINT32_C(0x0573791F), UINT32_C(0x0DED8513), UINT32_C(0x03AEE0F5), - UINT32_C(0x03420B85), UINT32_C(0x04366099), UINT32_C(0x087C7CA7), - UINT32_C(0x00B9ADB9), UINT32_C(0x056E8EBA), UINT32_C(0x0E532676), - UINT32_C(0x05D27A22), UINT32_C(0x0554F4E5), UINT32_C(0x0474B581), - UINT32_C(0x02A6694F) } }, - { { UINT32_C(0x080DE633), UINT32_C(0x0639306E), UINT32_C(0x0CA4F76E), - UINT32_C(0x05BB3DCB), UINT32_C(0x06DA081A), UINT32_C(0x052EA9E2), - UINT32_C(0x017AF437), UINT32_C(0x07D25D54), UINT32_C(0x0772DE75), - UINT32_C(0x05670178), UINT32_C(0x06E81696), UINT32_C(0x0D28F3A1), - UINT32_C(0x07AF022A), UINT32_C(0x07B0D67B), UINT32_C(0x04C17950), - UINT32_C(0x001B706E), UINT32_C(0x04CE5637), UINT32_C(0x04CE1F2F), - UINT32_C(0x0211C385) }, - { UINT32_C(0x0E5D0D74), UINT32_C(0x0411D39E), UINT32_C(0x06137F67), - UINT32_C(0x00487846), UINT32_C(0x01B15D1C), UINT32_C(0x02B65C31), - UINT32_C(0x06027C03), UINT32_C(0x01F15577), UINT32_C(0x011F0564), - UINT32_C(0x066BA415), UINT32_C(0x00520E15), UINT32_C(0x01F82222), - UINT32_C(0x07F8C048), UINT32_C(0x05A09F41), UINT32_C(0x0BBA92E8), - UINT32_C(0x017E3648), UINT32_C(0x0861CC16), UINT32_C(0x07A9DAF6), - UINT32_C(0x05F2C6E5) } }, - { { UINT32_C(0x04DA7708), UINT32_C(0x057D4066), UINT32_C(0x01F6A8A0), - UINT32_C(0x00EE18FE), UINT32_C(0x05BB3FCD), UINT32_C(0x071CB79F), - UINT32_C(0x038BBCE0), UINT32_C(0x0AAFE87E), UINT32_C(0x0245536B), - UINT32_C(0x0D0401C6), UINT32_C(0x027984FD), UINT32_C(0x0064D51F), - UINT32_C(0x04DCF2A2), UINT32_C(0x037E99AD), UINT32_C(0x03487C33), - UINT32_C(0x068353F1), UINT32_C(0x0BA863FC), UINT32_C(0x00721339), - UINT32_C(0x0754D195) }, - { UINT32_C(0x09031706), UINT32_C(0x0327DD4E), UINT32_C(0x05DDA163), - UINT32_C(0x03F893AE), UINT32_C(0x0F1F3959), UINT32_C(0x02EC658A), - UINT32_C(0x05A438AD), UINT32_C(0x0AE93F30), UINT32_C(0x01D8B56B), - UINT32_C(0x09592309), UINT32_C(0x0189BB66), UINT32_C(0x050E8D52), - UINT32_C(0x0526168D), UINT32_C(0x07FD307D), UINT32_C(0x08A4C7BC), - UINT32_C(0x03B12944), UINT32_C(0x08329BC8), UINT32_C(0x02A4A1CE), - UINT32_C(0x0087B284) } }, - }, - { - { { UINT32_C(0x01C86157), UINT32_C(0x0017ED5F), UINT32_C(0x079948D2), - UINT32_C(0x02FD6755), UINT32_C(0x0A5E2B5C), UINT32_C(0x00395EB0), - UINT32_C(0x070A6ECC), UINT32_C(0x031E307B), UINT32_C(0x070DA4B9), - UINT32_C(0x0166FB85), UINT32_C(0x02AF3210), UINT32_C(0x079379FF), - UINT32_C(0x010504D3), UINT32_C(0x022DFB7B), UINT32_C(0x0C019CF3), - UINT32_C(0x05E0727A), UINT32_C(0x0CE73CB9), UINT32_C(0x005CF0C7), - UINT32_C(0x039AD397) }, - { UINT32_C(0x08E15F36), UINT32_C(0x04E08562), UINT32_C(0x0EC12012), - UINT32_C(0x009F68C4), UINT32_C(0x0733E4B1), UINT32_C(0x014872C8), - UINT32_C(0x0490CCCC), UINT32_C(0x0E53957D), UINT32_C(0x05CD4F2D), - UINT32_C(0x082FD79D), UINT32_C(0x05F2B6D8), UINT32_C(0x0C7600B1), - UINT32_C(0x02D81D79), UINT32_C(0x007520D1), UINT32_C(0x09EEC681), - UINT32_C(0x04D6FB1B), UINT32_C(0x0641B032), UINT32_C(0x0283E5C0), - UINT32_C(0x072A39F3) } }, - { { UINT32_C(0x01C9C2EC), UINT32_C(0x03A87BAF), UINT32_C(0x056E06F3), - UINT32_C(0x02AA4CD5), UINT32_C(0x0D64394D), UINT32_C(0x044B2642), - UINT32_C(0x018E8ECB), UINT32_C(0x02C6B29E), UINT32_C(0x00B5D0E1), - UINT32_C(0x0795603C), UINT32_C(0x027FEAC7), UINT32_C(0x07400535), - UINT32_C(0x04BD90C2), UINT32_C(0x0212CC37), UINT32_C(0x018B9D6C), - UINT32_C(0x05FC9D53), UINT32_C(0x03C7248E), UINT32_C(0x038A1FEB), - UINT32_C(0x06C809CE) }, - { UINT32_C(0x06F1CACC), UINT32_C(0x0758DFC1), UINT32_C(0x019C0D17), - UINT32_C(0x0749CD61), UINT32_C(0x00C0724E), UINT32_C(0x0667F861), - UINT32_C(0x03CDAF01), UINT32_C(0x0DE66325), UINT32_C(0x0767BD47), - UINT32_C(0x0A1FDF93), UINT32_C(0x04E66E27), UINT32_C(0x004977BC), - UINT32_C(0x05EE6515), UINT32_C(0x018DEC59), UINT32_C(0x03B99628), - UINT32_C(0x02B69F3F), UINT32_C(0x019CC516), UINT32_C(0x07CB4623), - UINT32_C(0x0353C229) } }, - { { UINT32_C(0x05A2D6F0), UINT32_C(0x04982642), UINT32_C(0x088CE54F), - UINT32_C(0x06602A66), UINT32_C(0x0A17C84E), UINT32_C(0x02BE4DCE), - UINT32_C(0x0718C264), UINT32_C(0x0FDCB2D1), UINT32_C(0x01F7AC59), - UINT32_C(0x0E4C2C6C), UINT32_C(0x01B5B9D3), UINT32_C(0x0CCEB9E5), - UINT32_C(0x04C7FB08), UINT32_C(0x04600748), UINT32_C(0x09F19FD9), - UINT32_C(0x011C0141), UINT32_C(0x0A08392D), UINT32_C(0x07099321), - UINT32_C(0x075F26A3) }, - { UINT32_C(0x0AF35FA1), UINT32_C(0x01CA261B), UINT32_C(0x0FF7838D), - UINT32_C(0x00432E0D), UINT32_C(0x08296922), UINT32_C(0x077D0499), - UINT32_C(0x06A4988A), UINT32_C(0x0D91BD7B), UINT32_C(0x007D4895), - UINT32_C(0x01A77EB2), UINT32_C(0x0491B2C9), UINT32_C(0x07D6BB4E), - UINT32_C(0x065BB828), UINT32_C(0x05D28C77), UINT32_C(0x034C1831), - UINT32_C(0x03111000), UINT32_C(0x048A3F8F), UINT32_C(0x007D19EE), - UINT32_C(0x006FAC9D) } }, - { { UINT32_C(0x0719C87C), UINT32_C(0x07385BC9), UINT32_C(0x01F42502), - UINT32_C(0x074D4561), UINT32_C(0x02CA79B8), UINT32_C(0x01BE905A), - UINT32_C(0x044E03DC), UINT32_C(0x05034A1A), UINT32_C(0x012B4964), - UINT32_C(0x0BF284CE), UINT32_C(0x0080C91A), UINT32_C(0x0B4EE205), - UINT32_C(0x0121E876), UINT32_C(0x04C7D981), UINT32_C(0x09D6F0D5), - UINT32_C(0x011438CC), UINT32_C(0x0906A777), UINT32_C(0x05FD89D1), - UINT32_C(0x01D7C3AC) }, - { UINT32_C(0x0392D834), UINT32_C(0x0199066B), UINT32_C(0x0E53AECD), - UINT32_C(0x0279A7E5), UINT32_C(0x0E8B313A), UINT32_C(0x04F8A2AF), - UINT32_C(0x062A274F), UINT32_C(0x0869ED62), UINT32_C(0x01C4081F), - UINT32_C(0x0DD27618), UINT32_C(0x0093ED89), UINT32_C(0x053869B6), - UINT32_C(0x07CB8D0C), UINT32_C(0x00D79FE6), UINT32_C(0x04A20332), - UINT32_C(0x03366324), UINT32_C(0x0C0B74C3), UINT32_C(0x070C316E), - UINT32_C(0x066AD76F) } }, - { { UINT32_C(0x011FA55B), UINT32_C(0x0775F5E8), UINT32_C(0x0C7BF6F4), - UINT32_C(0x07FCBE6F), UINT32_C(0x021BE3C2), UINT32_C(0x0017D919), - UINT32_C(0x01644455), UINT32_C(0x0AEE3FD7), UINT32_C(0x0259DD5E), - UINT32_C(0x002EC22F), UINT32_C(0x00D308F5), UINT32_C(0x038F6CBC), - UINT32_C(0x04FDED85), UINT32_C(0x001A53FA), UINT32_C(0x03E09FE9), - UINT32_C(0x0312E74F), UINT32_C(0x09B20907), UINT32_C(0x078CC1DB), - UINT32_C(0x066D9E8D) }, - { UINT32_C(0x08C7A5B7), UINT32_C(0x038B0D82), UINT32_C(0x063E4030), - UINT32_C(0x06CE3A75), UINT32_C(0x0488AD55), UINT32_C(0x0054AAAA), - UINT32_C(0x044F068C), UINT32_C(0x0CCE69AA), UINT32_C(0x014EF6E0), - UINT32_C(0x068C0346), UINT32_C(0x01443327), UINT32_C(0x0A416B3D), - UINT32_C(0x04EB25A7), UINT32_C(0x00B6E80F), UINT32_C(0x0819D7FD), - UINT32_C(0x061AFFF1), UINT32_C(0x070E8C81), UINT32_C(0x061C5530), - UINT32_C(0x0473CB02) } }, - { { UINT32_C(0x08D8BE36), UINT32_C(0x057DE7D1), UINT32_C(0x06025FA9), - UINT32_C(0x0039A5D5), UINT32_C(0x00FD02EF), UINT32_C(0x02EE7913), - UINT32_C(0x04E5E224), UINT32_C(0x052DC251), UINT32_C(0x04138D66), - UINT32_C(0x09FAF17A), UINT32_C(0x030D57A1), UINT32_C(0x08B8F06A), - UINT32_C(0x01D015A2), UINT32_C(0x0153FCA9), UINT32_C(0x0C54D5DF), - UINT32_C(0x00BAAE4A), UINT32_C(0x0940A0FA), UINT32_C(0x038292EA), - UINT32_C(0x02C97BC9) }, - { UINT32_C(0x024BFA00), UINT32_C(0x057378C3), UINT32_C(0x0A92C578), - UINT32_C(0x07A6310B), UINT32_C(0x0F28F901), UINT32_C(0x04ED3F57), - UINT32_C(0x037C7D8A), UINT32_C(0x00B71701), UINT32_C(0x0173A01A), - UINT32_C(0x0A9B43A3), UINT32_C(0x0196E612), UINT32_C(0x07111189), - UINT32_C(0x03F5BC1D), UINT32_C(0x05154B49), UINT32_C(0x0DD68D97), - UINT32_C(0x0220CC1D), UINT32_C(0x0895DF59), UINT32_C(0x0014717C), - UINT32_C(0x0384CEF8) } }, - { { UINT32_C(0x05F8022D), UINT32_C(0x07431A94), UINT32_C(0x0A7A9097), - UINT32_C(0x06FC555D), UINT32_C(0x0578029C), UINT32_C(0x00758DC8), - UINT32_C(0x00FDAF66), UINT32_C(0x0AE902D1), UINT32_C(0x06FDDF4D), - UINT32_C(0x056FCD2A), UINT32_C(0x0393CA27), UINT32_C(0x083EDDB9), - UINT32_C(0x071C8D5E), UINT32_C(0x02DA7EE1), UINT32_C(0x091B7578), - UINT32_C(0x022CF2B8), UINT32_C(0x08F559AF), UINT32_C(0x00F551D9), - UINT32_C(0x04CE7872) }, - { UINT32_C(0x0450FD39), UINT32_C(0x05325A33), UINT32_C(0x06D04EAD), - UINT32_C(0x0111017F), UINT32_C(0x04B7D043), UINT32_C(0x009CD030), - UINT32_C(0x02760D24), UINT32_C(0x0B333C83), UINT32_C(0x0178F799), - UINT32_C(0x06E56E99), UINT32_C(0x06AC4002), UINT32_C(0x06C6F55C), - UINT32_C(0x04212C69), UINT32_C(0x0776C549), UINT32_C(0x05AD10F2), - UINT32_C(0x07D4C443), UINT32_C(0x093443A3), UINT32_C(0x01E4DAC4), - UINT32_C(0x062304F4) } }, - { { UINT32_C(0x09FFF942), UINT32_C(0x039E7FBF), UINT32_C(0x0E4E0544), - UINT32_C(0x01C8EF03), UINT32_C(0x015953E4), UINT32_C(0x0641511A), - UINT32_C(0x0340D7DD), UINT32_C(0x04FBA207), UINT32_C(0x04DCD411), - UINT32_C(0x0CE5C435), UINT32_C(0x06C85A54), UINT32_C(0x0596F209), - UINT32_C(0x006C47CF), UINT32_C(0x039823F7), UINT32_C(0x01721D4C), - UINT32_C(0x03FE86B7), UINT32_C(0x044008FA), UINT32_C(0x05E107EC), - UINT32_C(0x0146DF75) }, - { UINT32_C(0x03BF30CF), UINT32_C(0x034E0D17), UINT32_C(0x0C6EB8E1), - UINT32_C(0x016786DE), UINT32_C(0x0B4F8D94), UINT32_C(0x01E54C18), - UINT32_C(0x0409537F), UINT32_C(0x0AD69F59), UINT32_C(0x04423A96), - UINT32_C(0x01427559), UINT32_C(0x0517F981), UINT32_C(0x0C655FF1), - UINT32_C(0x072A4662), UINT32_C(0x014DB58F), UINT32_C(0x09979D6E), - UINT32_C(0x05396DDB), UINT32_C(0x03E46CF7), UINT32_C(0x062B9D62), - UINT32_C(0x0334D070) } }, - { { UINT32_C(0x0C8B2AF6), UINT32_C(0x04C4030A), UINT32_C(0x03F4EA61), - UINT32_C(0x06B51CFD), UINT32_C(0x08530E96), UINT32_C(0x035106EB), - UINT32_C(0x07ACB7C9), UINT32_C(0x003FAA6D), UINT32_C(0x005AFE21), - UINT32_C(0x09C9266C), UINT32_C(0x02684731), UINT32_C(0x0745AC29), - UINT32_C(0x06162CD8), UINT32_C(0x069A0B95), UINT32_C(0x090B8391), - UINT32_C(0x0570D83A), UINT32_C(0x09AE0D06), UINT32_C(0x054A95B8), - UINT32_C(0x02CB380B) }, - { UINT32_C(0x02779E4D), UINT32_C(0x04B32E43), UINT32_C(0x0C0582B0), - UINT32_C(0x03521F35), UINT32_C(0x089A8F39), UINT32_C(0x03BF1933), - UINT32_C(0x027659AD), UINT32_C(0x0607CE4F), UINT32_C(0x072A97A4), - UINT32_C(0x0F6C2DAD), UINT32_C(0x0648C496), UINT32_C(0x02D0AF23), - UINT32_C(0x036927AF), UINT32_C(0x032E9075), UINT32_C(0x01C0AD79), - UINT32_C(0x02044936), UINT32_C(0x0DBCFEA2), UINT32_C(0x07DADFF1), - UINT32_C(0x06EDBCF7) } }, - { { UINT32_C(0x0209B80C), UINT32_C(0x01E54056), UINT32_C(0x0E397930), - UINT32_C(0x01AD9D0C), UINT32_C(0x0908F895), UINT32_C(0x02A9A26E), - UINT32_C(0x00744EB0), UINT32_C(0x0B2D7673), UINT32_C(0x00736623), - UINT32_C(0x0F9EEB98), UINT32_C(0x07E8C693), UINT32_C(0x05615D70), - UINT32_C(0x077E9858), UINT32_C(0x045C88B2), UINT32_C(0x06BA3291), - UINT32_C(0x02089363), UINT32_C(0x0D1148CA), UINT32_C(0x026B1CE4), - UINT32_C(0x0267E39A) }, - { UINT32_C(0x0E9F76E1), UINT32_C(0x0700247A), UINT32_C(0x02F5C013), - UINT32_C(0x045D6B0B), UINT32_C(0x02398752), UINT32_C(0x011414B8), - UINT32_C(0x0189B0D8), UINT32_C(0x065621BE), UINT32_C(0x07214CB5), - UINT32_C(0x0C72745E), UINT32_C(0x026E830D), UINT32_C(0x0BB5064F), - UINT32_C(0x03BD6991), UINT32_C(0x067AABA6), UINT32_C(0x03AAD9C4), - UINT32_C(0x01C748B3), UINT32_C(0x0F2AD6A8), UINT32_C(0x07B1AAD0), - UINT32_C(0x0515A45B) } }, - { { UINT32_C(0x0D45283F), UINT32_C(0x033F0C2B), UINT32_C(0x0EF7ECBA), - UINT32_C(0x03F31217), UINT32_C(0x0BF2BDDB), UINT32_C(0x05AE5F1D), - UINT32_C(0x015A33AE), UINT32_C(0x0B1D94AB), UINT32_C(0x00BB377A), - UINT32_C(0x077D4679), UINT32_C(0x056AF89C), UINT32_C(0x07165F99), - UINT32_C(0x046A17A3), UINT32_C(0x04CF6178), UINT32_C(0x00269B9B), - UINT32_C(0x03F1B9F6), UINT32_C(0x07453C34), UINT32_C(0x07253011), - UINT32_C(0x074559A2) }, - { UINT32_C(0x08D82B0E), UINT32_C(0x00D12F5F), UINT32_C(0x01FD52F5), - UINT32_C(0x03C4069B), UINT32_C(0x0B01B2FE), UINT32_C(0x05E81250), - UINT32_C(0x035DC621), UINT32_C(0x034EA726), UINT32_C(0x04613127), - UINT32_C(0x0B36D680), UINT32_C(0x06F52BC5), UINT32_C(0x04B16171), - UINT32_C(0x02156292), UINT32_C(0x0180583E), UINT32_C(0x0C8D5B19), - UINT32_C(0x043B9BE2), UINT32_C(0x097EF032), UINT32_C(0x0307A273), - UINT32_C(0x02ECC50D) } }, - { { UINT32_C(0x0613AC50), UINT32_C(0x01BBB9CD), UINT32_C(0x032CF181), - UINT32_C(0x04565F80), UINT32_C(0x09B00E52), UINT32_C(0x011EC5E2), - UINT32_C(0x05E7561C), UINT32_C(0x05B6572C), UINT32_C(0x072FBF3A), - UINT32_C(0x04311E38), UINT32_C(0x0350633E), UINT32_C(0x0C27E7E9), - UINT32_C(0x02DC82FC), UINT32_C(0x01DE746D), UINT32_C(0x078E3236), - UINT32_C(0x0712B6B0), UINT32_C(0x000A7E83), UINT32_C(0x0115CB1B), - UINT32_C(0x04C1103F) }, - { UINT32_C(0x0359ED2E), UINT32_C(0x065ADF64), UINT32_C(0x025E3238), - UINT32_C(0x076BEAFD), UINT32_C(0x072427F7), UINT32_C(0x05DBCD55), - UINT32_C(0x07AB37FF), UINT32_C(0x0865BFD5), UINT32_C(0x04382D44), - UINT32_C(0x0F1D5580), UINT32_C(0x06D00533), UINT32_C(0x08D6A784), - UINT32_C(0x05BB29BF), UINT32_C(0x005CEC3F), UINT32_C(0x06575E68), - UINT32_C(0x053585D5), UINT32_C(0x0403BCB0), UINT32_C(0x02F77540), - UINT32_C(0x02470C7F) } }, - { { UINT32_C(0x02C087ED), UINT32_C(0x07961B4B), UINT32_C(0x0F657FC0), - UINT32_C(0x00B16431), UINT32_C(0x01885C19), UINT32_C(0x029A3FB7), - UINT32_C(0x0721535D), UINT32_C(0x02FAD79C), UINT32_C(0x0596E385), - UINT32_C(0x02412161), UINT32_C(0x0289A97A), UINT32_C(0x01B54107), - UINT32_C(0x0271E7BB), UINT32_C(0x02E3D256), UINT32_C(0x07E3B820), - UINT32_C(0x07F5A8EE), UINT32_C(0x0C3BD541), UINT32_C(0x01BBC84D), - UINT32_C(0x02D55A46) }, - { UINT32_C(0x006E7D53), UINT32_C(0x07982C04), UINT32_C(0x09C948A0), - UINT32_C(0x00A62A93), UINT32_C(0x047CD945), UINT32_C(0x060F1A2B), - UINT32_C(0x05764587), UINT32_C(0x02111992), UINT32_C(0x03CD3492), - UINT32_C(0x0E5873CA), UINT32_C(0x04871D26), UINT32_C(0x0EBDD263), - UINT32_C(0x07899288), UINT32_C(0x00105962), UINT32_C(0x07975B25), - UINT32_C(0x00D6A34D), UINT32_C(0x02DF3799), UINT32_C(0x02807307), - UINT32_C(0x06FCAC54) } }, - { { UINT32_C(0x0302E505), UINT32_C(0x02CAC37A), UINT32_C(0x01A79721), - UINT32_C(0x03B2E74F), UINT32_C(0x0BE5B627), UINT32_C(0x019F58EA), - UINT32_C(0x03B18976), UINT32_C(0x0663CE37), UINT32_C(0x04C1003E), - UINT32_C(0x086DCC91), UINT32_C(0x0566BE13), UINT32_C(0x0A0C94D1), - UINT32_C(0x04A0F522), UINT32_C(0x01CBC165), UINT32_C(0x03D621C1), - UINT32_C(0x03F68C3D), UINT32_C(0x04156E0A), UINT32_C(0x04C1C807), - UINT32_C(0x002BF853) }, - { UINT32_C(0x073938D8), UINT32_C(0x076E66F8), UINT32_C(0x0251205F), - UINT32_C(0x01B82A4E), UINT32_C(0x0C9EAC88), UINT32_C(0x0736DBEE), - UINT32_C(0x028732CD), UINT32_C(0x03522855), UINT32_C(0x0343EE5A), - UINT32_C(0x053E49A4), UINT32_C(0x025D55C0), UINT32_C(0x0D4096DF), - UINT32_C(0x01108518), UINT32_C(0x02AE724F), UINT32_C(0x07514106), - UINT32_C(0x0301EB15), UINT32_C(0x0D82C2DE), UINT32_C(0x05E3A585), - UINT32_C(0x036F14AF) } }, - { { UINT32_C(0x07452267), UINT32_C(0x01E0D6D7), UINT32_C(0x04A4A896), - UINT32_C(0x06D1C7B5), UINT32_C(0x03C983EF), UINT32_C(0x017B4C4A), - UINT32_C(0x07C8F2FB), UINT32_C(0x078C2CCC), UINT32_C(0x0676C9A3), - UINT32_C(0x09CD585C), UINT32_C(0x0529FFB0), UINT32_C(0x020720BD), - UINT32_C(0x07B793B3), UINT32_C(0x07E65DA3), UINT32_C(0x0C89EDD5), - UINT32_C(0x04009C8D), UINT32_C(0x0EDC15A4), UINT32_C(0x077C8AC3), - UINT32_C(0x074868C1) }, - { UINT32_C(0x0DBC2674), UINT32_C(0x07B6C41F), UINT32_C(0x0B10636B), - UINT32_C(0x0607B000), UINT32_C(0x01B2C3EF), UINT32_C(0x014283CF), - UINT32_C(0x07BD944A), UINT32_C(0x016DA691), UINT32_C(0x0147454E), - UINT32_C(0x052DE117), UINT32_C(0x06E5CDC4), UINT32_C(0x0C7BE891), - UINT32_C(0x03BD94DE), UINT32_C(0x00362FA3), UINT32_C(0x0608B5DA), - UINT32_C(0x000C28A8), UINT32_C(0x06CFAD2C), UINT32_C(0x0502E5EB), - UINT32_C(0x0081DDC6) } }, - { { UINT32_C(0x0A2FCC67), UINT32_C(0x050EED2A), UINT32_C(0x0EAC3925), - UINT32_C(0x03CCFE3E), UINT32_C(0x0DC1F4E8), UINT32_C(0x012FD64C), - UINT32_C(0x02CFA2B3), UINT32_C(0x07921E80), UINT32_C(0x04F76E6D), - UINT32_C(0x090CBEA8), UINT32_C(0x00304ECF), UINT32_C(0x0933B9C8), - UINT32_C(0x01E92879), UINT32_C(0x062A922A), UINT32_C(0x03BEBB40), - UINT32_C(0x0475B5A4), UINT32_C(0x0AB9D3C2), UINT32_C(0x02845E4B), - UINT32_C(0x073D2AD6) }, - { UINT32_C(0x026C197B), UINT32_C(0x060C44B9), UINT32_C(0x07D6B2DD), - UINT32_C(0x06E7D188), UINT32_C(0x03B672A1), UINT32_C(0x0277F32F), - UINT32_C(0x011D4198), UINT32_C(0x07C178F6), UINT32_C(0x02E95A84), - UINT32_C(0x005619C7), UINT32_C(0x029B73FC), UINT32_C(0x03CAC5E3), - UINT32_C(0x068A3B5E), UINT32_C(0x07C2DFA8), UINT32_C(0x00EC9903), - UINT32_C(0x07AEED34), UINT32_C(0x08C0A0D0), UINT32_C(0x02A2FF79), - UINT32_C(0x06DBE6B8) } }, - }, - { - { { UINT32_C(0x0C3D1383), UINT32_C(0x04E126EE), UINT32_C(0x0B631DA3), - UINT32_C(0x03014900), UINT32_C(0x0D3831FE), UINT32_C(0x01BF06C7), - UINT32_C(0x032CA284), UINT32_C(0x092E0CA0), UINT32_C(0x01703AE0), - UINT32_C(0x0DCB8158), UINT32_C(0x06FF316B), UINT32_C(0x0ED60D31), - UINT32_C(0x05DB467E), UINT32_C(0x01F3917A), UINT32_C(0x06770BD1), - UINT32_C(0x00A944AF), UINT32_C(0x08E2035D), UINT32_C(0x020A054F), - UINT32_C(0x035F8744) }, - { UINT32_C(0x0A303000), UINT32_C(0x0029FD2C), UINT32_C(0x0A5D9AC4), - UINT32_C(0x06593596), UINT32_C(0x0288D9B1), UINT32_C(0x02B32376), - UINT32_C(0x067C4E0D), UINT32_C(0x0D1B984D), UINT32_C(0x04235BF5), - UINT32_C(0x001AA52B), UINT32_C(0x0221BA35), UINT32_C(0x0B74D0D3), - UINT32_C(0x03DDFA56), UINT32_C(0x004A6854), UINT32_C(0x01203660), - UINT32_C(0x0090027D), UINT32_C(0x02356607), UINT32_C(0x064E652F), - UINT32_C(0x01D4CBEB) } }, - { { UINT32_C(0x05CFE5E0), UINT32_C(0x04C8937C), UINT32_C(0x084C1BC9), - UINT32_C(0x0651FCA6), UINT32_C(0x0BDAC076), UINT32_C(0x079DB07C), - UINT32_C(0x01988893), UINT32_C(0x0D8E1644), UINT32_C(0x04F7CFCD), - UINT32_C(0x05727E1E), UINT32_C(0x073F0B5C), UINT32_C(0x0D975E23), - UINT32_C(0x06001F51), UINT32_C(0x07B2218F), UINT32_C(0x07159FF4), - UINT32_C(0x02D8AF28), UINT32_C(0x0F0AFF67), UINT32_C(0x0464C014), - UINT32_C(0x005A1007) }, - { UINT32_C(0x078A8DB5), UINT32_C(0x035A301E), UINT32_C(0x0E9F9693), - UINT32_C(0x07A8969A), UINT32_C(0x096A5ECF), UINT32_C(0x03467DDF), - UINT32_C(0x07AF13AA), UINT32_C(0x0BF17A6B), UINT32_C(0x00FBC9C7), - UINT32_C(0x002F3F21), UINT32_C(0x01610D30), UINT32_C(0x0A6FEF92), - UINT32_C(0x00334A31), UINT32_C(0x0619D424), UINT32_C(0x011832DC), - UINT32_C(0x04A2EBED), UINT32_C(0x092C4F4E), UINT32_C(0x03E72AFA), - UINT32_C(0x04555CAD) } }, - { { UINT32_C(0x0E8401D3), UINT32_C(0x031A9337), UINT32_C(0x0A68B915), - UINT32_C(0x006E6E9B), UINT32_C(0x0B1B6E29), UINT32_C(0x01B7F14B), - UINT32_C(0x047E0BD8), UINT32_C(0x0A8CBD43), UINT32_C(0x024528C3), - UINT32_C(0x08CA88A7), UINT32_C(0x000A1FEE), UINT32_C(0x0F21E47C), - UINT32_C(0x07D1A248), UINT32_C(0x04BE0AD5), UINT32_C(0x071E2CED), - UINT32_C(0x025521CD), UINT32_C(0x0F41E897), UINT32_C(0x0398886C), - UINT32_C(0x04779FFD) }, - { UINT32_C(0x0A828FA8), UINT32_C(0x017C8B2C), UINT32_C(0x0910B047), - UINT32_C(0x06160B77), UINT32_C(0x0B98B463), UINT32_C(0x07DF3373), - UINT32_C(0x0455763C), UINT32_C(0x0F1284BE), UINT32_C(0x00906AAE), - UINT32_C(0x01A75E0B), UINT32_C(0x07A6DA7C), UINT32_C(0x0FFCAFF1), - UINT32_C(0x050D6EE5), UINT32_C(0x024BD0BA), UINT32_C(0x08383A01), - UINT32_C(0x070AE8EA), UINT32_C(0x0CAA2B64), UINT32_C(0x06171B63), - UINT32_C(0x020CE9FD) } }, - { { UINT32_C(0x0147F509), UINT32_C(0x0074A121), UINT32_C(0x0B1C1B8D), - UINT32_C(0x00A39076), UINT32_C(0x0E542208), UINT32_C(0x01A08FA4), - UINT32_C(0x012AA998), UINT32_C(0x0954BE0E), UINT32_C(0x05751A97), - UINT32_C(0x09EFE174), UINT32_C(0x05C09E0D), UINT32_C(0x0DEE1815), - UINT32_C(0x000B0415), UINT32_C(0x06D82BE5), UINT32_C(0x000E24A9), - UINT32_C(0x042F7FD4), UINT32_C(0x0698791D), UINT32_C(0x05A5F79E), - UINT32_C(0x0334C8D5) }, - { UINT32_C(0x0BB690A0), UINT32_C(0x01835514), UINT32_C(0x031B4F26), - UINT32_C(0x023AC44F), UINT32_C(0x012CDCD1), UINT32_C(0x059AE369), - UINT32_C(0x0123A551), UINT32_C(0x0AEBA693), UINT32_C(0x07D984CD), - UINT32_C(0x0DAD9128), UINT32_C(0x0765643E), UINT32_C(0x0910F0F8), - UINT32_C(0x03FB31E2), UINT32_C(0x01BD811A), UINT32_C(0x059F6B39), - UINT32_C(0x049E6619), UINT32_C(0x06B63C96), UINT32_C(0x075166F7), - UINT32_C(0x025CA72B) } }, - { { UINT32_C(0x055F34E4), UINT32_C(0x00BF08BF), UINT32_C(0x03730236), - UINT32_C(0x039543BD), UINT32_C(0x05C17F94), UINT32_C(0x00A5C65D), - UINT32_C(0x06121DA8), UINT32_C(0x099AC777), UINT32_C(0x02DCC3D6), - UINT32_C(0x09002059), UINT32_C(0x0460BBB3), UINT32_C(0x07A202D8), - UINT32_C(0x04C44EB5), UINT32_C(0x049D001E), UINT32_C(0x0E783DED), - UINT32_C(0x0120D789), UINT32_C(0x086FA177), UINT32_C(0x065D19BF), - UINT32_C(0x042CA8B7) }, - { UINT32_C(0x02860379), UINT32_C(0x06375711), UINT32_C(0x078E9829), - UINT32_C(0x04F20A43), UINT32_C(0x0ADA67C4), UINT32_C(0x054101F4), - UINT32_C(0x0602943F), UINT32_C(0x03FD9150), UINT32_C(0x06B8D61B), - UINT32_C(0x06F5ADD6), UINT32_C(0x06EB2BAC), UINT32_C(0x0A07906A), - UINT32_C(0x0147EDC1), UINT32_C(0x0477D372), UINT32_C(0x0025B1CE), - UINT32_C(0x071B32CF), UINT32_C(0x0F40C9C6), UINT32_C(0x02483D0B), - UINT32_C(0x07A56FCD) } }, - { { UINT32_C(0x0B1B724E), UINT32_C(0x0100B5C8), UINT32_C(0x081380B3), - UINT32_C(0x048D8711), UINT32_C(0x0E363740), UINT32_C(0x029ED59F), - UINT32_C(0x05E7819F), UINT32_C(0x02898DC3), UINT32_C(0x03621527), - UINT32_C(0x0F99DD5D), UINT32_C(0x01DF449E), UINT32_C(0x022C0763), - UINT32_C(0x04490568), UINT32_C(0x051A6A61), UINT32_C(0x0EE682C8), - UINT32_C(0x0315AB2B), UINT32_C(0x08BF8EC0), UINT32_C(0x0221F0BD), - UINT32_C(0x0034A2F5) }, - { UINT32_C(0x0505A0E7), UINT32_C(0x031C759D), UINT32_C(0x006AE380), - UINT32_C(0x04AD9B4F), UINT32_C(0x0F850346), UINT32_C(0x0053B140), - UINT32_C(0x060AB23A), UINT32_C(0x021E3C52), UINT32_C(0x002B9A66), - UINT32_C(0x01646B7A), UINT32_C(0x03977D69), UINT32_C(0x02418634), - UINT32_C(0x05E2030C), UINT32_C(0x06F8DED9), UINT32_C(0x064302A0), - UINT32_C(0x0553D4B6), UINT32_C(0x0956D92B), UINT32_C(0x0537BD35), - UINT32_C(0x07AFABE7) } }, - { { UINT32_C(0x04CB8040), UINT32_C(0x016D2E6C), UINT32_C(0x0DDE4688), - UINT32_C(0x00DF2559), UINT32_C(0x0A980125), UINT32_C(0x066A1AC7), - UINT32_C(0x07DF5C4B), UINT32_C(0x0FD3C659), UINT32_C(0x00481C65), - UINT32_C(0x0AE5A70F), UINT32_C(0x029F751C), UINT32_C(0x00B4A3D4), - UINT32_C(0x075575BC), UINT32_C(0x045CF25E), UINT32_C(0x06867A07), - UINT32_C(0x076D7354), UINT32_C(0x0861487C), UINT32_C(0x017CEA2E), - UINT32_C(0x03228414) }, - { UINT32_C(0x026AE111), UINT32_C(0x038FA015), UINT32_C(0x060716CA), - UINT32_C(0x04976285), UINT32_C(0x059BC9DE), UINT32_C(0x043BF937), - UINT32_C(0x035F13A1), UINT32_C(0x0F8D8888), UINT32_C(0x06D5E9F8), - UINT32_C(0x08616DB1), UINT32_C(0x032C0CBB), UINT32_C(0x0AA3299C), - UINT32_C(0x03F194B4), UINT32_C(0x00D0F72D), UINT32_C(0x0B3FCCBD), - UINT32_C(0x02803044), UINT32_C(0x0A08E3C3), UINT32_C(0x037A0997), - UINT32_C(0x05DC3B19) } }, - { { UINT32_C(0x085193F0), UINT32_C(0x019978F4), UINT32_C(0x0BF0C234), - UINT32_C(0x04F7BBC1), UINT32_C(0x0722B6D6), UINT32_C(0x013DCEE7), - UINT32_C(0x05D575CD), UINT32_C(0x0779F809), UINT32_C(0x06335183), - UINT32_C(0x0DCC718C), UINT32_C(0x02D1E7DB), UINT32_C(0x0F6A6D57), - UINT32_C(0x065A96BF), UINT32_C(0x065930E7), UINT32_C(0x039B793F), - UINT32_C(0x06A9BA2E), UINT32_C(0x0C033596), UINT32_C(0x01BE1126), - UINT32_C(0x03EA93B8) }, - { UINT32_C(0x03161177), UINT32_C(0x002665D5), UINT32_C(0x017B69C9), - UINT32_C(0x07892DD4), UINT32_C(0x0F6F8ECB), UINT32_C(0x0576AF37), - UINT32_C(0x03C1E515), UINT32_C(0x05A60E50), UINT32_C(0x02549873), - UINT32_C(0x09B3D920), UINT32_C(0x029DA082), UINT32_C(0x009DAE44), - UINT32_C(0x0197C8E7), UINT32_C(0x0154A33B), UINT32_C(0x097B3971), - UINT32_C(0x023C0423), UINT32_C(0x02B8C68C), UINT32_C(0x04DCA653), - UINT32_C(0x00079A0F) } }, - { { UINT32_C(0x063E2975), UINT32_C(0x06BEC9ED), UINT32_C(0x0B38790C), - UINT32_C(0x022D87D1), UINT32_C(0x0EA228A4), UINT32_C(0x010DBA9F), - UINT32_C(0x015868D8), UINT32_C(0x080C5E0D), UINT32_C(0x075196CF), - UINT32_C(0x0A3AFD7E), UINT32_C(0x031A6E14), UINT32_C(0x0E7A5374), - UINT32_C(0x067A8FE5), UINT32_C(0x06ECEB0D), UINT32_C(0x0B84F9C7), - UINT32_C(0x0680604D), UINT32_C(0x072314F9), UINT32_C(0x03A2F4B2), - UINT32_C(0x06C5081F) }, - { UINT32_C(0x0B981980), UINT32_C(0x0349CBF0), UINT32_C(0x072972B5), - UINT32_C(0x02885527), UINT32_C(0x0150CDBD), UINT32_C(0x07F178E3), - UINT32_C(0x032B4111), UINT32_C(0x0B2B4EF6), UINT32_C(0x000F21B3), - UINT32_C(0x039D39FF), UINT32_C(0x07E2383D), UINT32_C(0x0F91A9DF), - UINT32_C(0x000BF2A4), UINT32_C(0x003EA686), UINT32_C(0x06E3C109), - UINT32_C(0x05D771D7), UINT32_C(0x03336F2A), UINT32_C(0x00A9A15C), - UINT32_C(0x0310BC8B) } }, - { { UINT32_C(0x082B5AA4), UINT32_C(0x04A7240C), UINT32_C(0x00ABF375), - UINT32_C(0x07E33DEB), UINT32_C(0x01BD8789), UINT32_C(0x06BA83A6), - UINT32_C(0x05A6491B), UINT32_C(0x04DB69BD), UINT32_C(0x010D6A55), - UINT32_C(0x0D5DAFA1), UINT32_C(0x06C7F999), UINT32_C(0x0185AD3E), - UINT32_C(0x027EAEB5), UINT32_C(0x006644C8), UINT32_C(0x0B9709E1), - UINT32_C(0x07676CF0), UINT32_C(0x0508273E), UINT32_C(0x054D3FBB), - UINT32_C(0x063EFA4A) }, - { UINT32_C(0x010AA767), UINT32_C(0x01CC5A04), UINT32_C(0x0BE5B1B3), - UINT32_C(0x06950FCE), UINT32_C(0x0E94E6DB), UINT32_C(0x0497BB17), - UINT32_C(0x00CC06B4), UINT32_C(0x08846F32), UINT32_C(0x0314DC3B), - UINT32_C(0x0BA27736), UINT32_C(0x0432450D), UINT32_C(0x04925C53), - UINT32_C(0x03119EE1), UINT32_C(0x04A66669), UINT32_C(0x05FBA305), - UINT32_C(0x033D4900), UINT32_C(0x0FE789AF), UINT32_C(0x0671EF4B), - UINT32_C(0x0259D6DF) } }, - { { UINT32_C(0x05C529C4), UINT32_C(0x04097FDD), UINT32_C(0x0296486E), - UINT32_C(0x05D5E29C), UINT32_C(0x0B3FABA2), UINT32_C(0x0695126C), - UINT32_C(0x0312362F), UINT32_C(0x08DC4B4B), UINT32_C(0x0413884F), - UINT32_C(0x067DDD33), UINT32_C(0x055DBD8F), UINT32_C(0x07D0B9CB), - UINT32_C(0x01BE7C35), UINT32_C(0x043BC43D), UINT32_C(0x00E5A19E), - UINT32_C(0x017725FC), UINT32_C(0x006A669F), UINT32_C(0x063FD379), - UINT32_C(0x0682F5E5) }, - { UINT32_C(0x0035FA1B), UINT32_C(0x0302079C), UINT32_C(0x0A397CF2), - UINT32_C(0x02A9E0EB), UINT32_C(0x0183E8FA), UINT32_C(0x00950C41), - UINT32_C(0x05ACFED2), UINT32_C(0x0B8DC827), UINT32_C(0x0004B05C), - UINT32_C(0x0ECD486A), UINT32_C(0x04FBAB30), UINT32_C(0x0A2FE908), - UINT32_C(0x05C95F6D), UINT32_C(0x06B30876), UINT32_C(0x0F3D7A8A), - UINT32_C(0x0734E57D), UINT32_C(0x0410C523), UINT32_C(0x057AD388), - UINT32_C(0x073AF161) } }, - { { UINT32_C(0x033E8718), UINT32_C(0x05E156C6), UINT32_C(0x0188F2D0), - UINT32_C(0x07B490F4), UINT32_C(0x0D1D9936), UINT32_C(0x045ACF91), - UINT32_C(0x05EADE92), UINT32_C(0x09204996), UINT32_C(0x03FB05AD), - UINT32_C(0x0952B30E), UINT32_C(0x066E8B73), UINT32_C(0x02E38706), - UINT32_C(0x06AD215A), UINT32_C(0x05770FF2), UINT32_C(0x0CCC64AA), - UINT32_C(0x00A77560), UINT32_C(0x084A4A57), UINT32_C(0x07428950), - UINT32_C(0x007783FF) }, - { UINT32_C(0x07864A53), UINT32_C(0x02B0B04D), UINT32_C(0x0CE9B903), - UINT32_C(0x032C4DB9), UINT32_C(0x0ED34B7B), UINT32_C(0x02B9BB80), - UINT32_C(0x0107A7A1), UINT32_C(0x0133502C), UINT32_C(0x06939D9B), - UINT32_C(0x07AE6A42), UINT32_C(0x01C55CB0), UINT32_C(0x0A087059), - UINT32_C(0x011E8069), UINT32_C(0x02AC5D81), UINT32_C(0x0FF470E4), - UINT32_C(0x068D4B88), UINT32_C(0x03B934D1), UINT32_C(0x01E86F4D), - UINT32_C(0x00286D40) } }, - { { UINT32_C(0x0A097CC4), UINT32_C(0x07C93D92), UINT32_C(0x03638A82), - UINT32_C(0x05D44662), UINT32_C(0x034F8801), UINT32_C(0x01E1B0E9), - UINT32_C(0x03132ED7), UINT32_C(0x0D61A771), UINT32_C(0x0777FA2F), - UINT32_C(0x0E4D4244), UINT32_C(0x02CDDCA4), UINT32_C(0x01988721), - UINT32_C(0x0694972F), UINT32_C(0x02AA2585), UINT32_C(0x06A552DD), - UINT32_C(0x02719251), UINT32_C(0x0C4FD604), UINT32_C(0x033FC4DD), - UINT32_C(0x02A49BC5) }, - { UINT32_C(0x0ECC32F4), UINT32_C(0x03998CBA), UINT32_C(0x0E555140), - UINT32_C(0x06BE70C6), UINT32_C(0x02ECE0DB), UINT32_C(0x07D7EE62), - UINT32_C(0x006B8450), UINT32_C(0x0C677BF6), UINT32_C(0x0065EEBA), - UINT32_C(0x0C8F791B), UINT32_C(0x05880489), UINT32_C(0x07724E1B), - UINT32_C(0x00C43815), UINT32_C(0x079C7129), UINT32_C(0x0AC7BD8B), - UINT32_C(0x00B35A76), UINT32_C(0x0E62F127), UINT32_C(0x06892912), - UINT32_C(0x069DE730) } }, - { { UINT32_C(0x0D176E2E), UINT32_C(0x04BD43B7), UINT32_C(0x0843A348), - UINT32_C(0x0749D5C1), UINT32_C(0x0ED9CC05), UINT32_C(0x00305C32), - UINT32_C(0x037CC7F4), UINT32_C(0x03DF22FB), UINT32_C(0x05799B29), - UINT32_C(0x0BAA8556), UINT32_C(0x01B9550B), UINT32_C(0x0B71D97D), - UINT32_C(0x071866D2), UINT32_C(0x042A76ED), UINT32_C(0x0CF558E6), - UINT32_C(0x05C52446), UINT32_C(0x0E80A5C3), UINT32_C(0x0732DC8B), - UINT32_C(0x05430293) }, - { UINT32_C(0x08A05AA1), UINT32_C(0x060E94EA), UINT32_C(0x0495DB83), - UINT32_C(0x07F23E7E), UINT32_C(0x09BABC6A), UINT32_C(0x07B134F3), - UINT32_C(0x02C60301), UINT32_C(0x0C76C75A), UINT32_C(0x0496E91D), - UINT32_C(0x0354A538), UINT32_C(0x03F832DB), UINT32_C(0x03139812), - UINT32_C(0x028BB56E), UINT32_C(0x06BC315A), UINT32_C(0x08F87E08), - UINT32_C(0x04EB9933), UINT32_C(0x0D94A083), UINT32_C(0x00F1E782), - UINT32_C(0x00039DA7) } }, - { { UINT32_C(0x0F46E9D5), UINT32_C(0x04AFDE7F), UINT32_C(0x02DD9156), - UINT32_C(0x03A43A4A), UINT32_C(0x0334CF91), UINT32_C(0x06B820D5), - UINT32_C(0x02AB098A), UINT32_C(0x010407F3), UINT32_C(0x06E15825), - UINT32_C(0x0DE19BBC), UINT32_C(0x05C155A7), UINT32_C(0x098AB480), - UINT32_C(0x027F0A26), UINT32_C(0x001E493A), UINT32_C(0x0D3BF154), - UINT32_C(0x0022BB7B), UINT32_C(0x092F7F8A), UINT32_C(0x025E06B0), - UINT32_C(0x0214EC84) }, - { UINT32_C(0x0E367447), UINT32_C(0x07A76C60), UINT32_C(0x0E7F25B2), - UINT32_C(0x061DC274), UINT32_C(0x08037471), UINT32_C(0x0601CC83), - UINT32_C(0x077C01C1), UINT32_C(0x0BD797B8), UINT32_C(0x07A2D854), - UINT32_C(0x0F539925), UINT32_C(0x00056A50), UINT32_C(0x0F52ABBB), - UINT32_C(0x01C407C4), UINT32_C(0x046E3EC8), UINT32_C(0x08C6B255), - UINT32_C(0x06BB4D5F), UINT32_C(0x09336DFF), UINT32_C(0x00D914F1), - UINT32_C(0x01F9DBAA) } }, - { { UINT32_C(0x0D831A04), UINT32_C(0x05A97D33), UINT32_C(0x0906D401), - UINT32_C(0x01E543D5), UINT32_C(0x063B64A7), UINT32_C(0x01DF1F04), - UINT32_C(0x07BEAE26), UINT32_C(0x0C4C51CE), UINT32_C(0x071253E1), - UINT32_C(0x07C5C1BC), UINT32_C(0x0686EDD8), UINT32_C(0x0EADB491), - UINT32_C(0x06FCC7E8), UINT32_C(0x04DC895B), UINT32_C(0x0DA99CB1), - UINT32_C(0x07538043), UINT32_C(0x0DCCD221), UINT32_C(0x05338542), - UINT32_C(0x0263F3E2) }, - { UINT32_C(0x049B2FC3), UINT32_C(0x00D9571D), UINT32_C(0x09A6B74E), - UINT32_C(0x013E9069), UINT32_C(0x0C142061), UINT32_C(0x0661D5AE), - UINT32_C(0x078F1467), UINT32_C(0x0568D3A9), UINT32_C(0x02729AA5), - UINT32_C(0x0749905F), UINT32_C(0x02491337), UINT32_C(0x0A8EED74), - UINT32_C(0x070FB80C), UINT32_C(0x066BA15B), UINT32_C(0x087A7668), - UINT32_C(0x03342CBD), UINT32_C(0x0FCD50D2), UINT32_C(0x017CF7F9), - UINT32_C(0x05DA6EDD) } }, - }, - { - { { UINT32_C(0x08ECE594), UINT32_C(0x02E6D7AF), UINT32_C(0x0160833B), - UINT32_C(0x05E9199C), UINT32_C(0x05C1EB44), UINT32_C(0x01F9CDD2), - UINT32_C(0x04ECBF7E), UINT32_C(0x011F5E2E), UINT32_C(0x00B16683), - UINT32_C(0x082C80F7), UINT32_C(0x04F6D76E), UINT32_C(0x0A9035A2), - UINT32_C(0x02A6F996), UINT32_C(0x07CF51EF), UINT32_C(0x011C78A5), - UINT32_C(0x03E6811A), UINT32_C(0x0DCCBD54), UINT32_C(0x029CA158), - UINT32_C(0x0188556B) }, - { UINT32_C(0x0EBBFAD7), UINT32_C(0x036D4FEF), UINT32_C(0x0DAD8CB2), - UINT32_C(0x024C5461), UINT32_C(0x09F7253C), UINT32_C(0x052C8206), - UINT32_C(0x03009FD7), UINT32_C(0x05A4E883), UINT32_C(0x04FFDBF8), - UINT32_C(0x07B5A2D0), UINT32_C(0x0487033B), UINT32_C(0x003EABFC), - UINT32_C(0x0107E479), UINT32_C(0x0479A422), UINT32_C(0x0ECEA707), - UINT32_C(0x05D06F61), UINT32_C(0x05BD0428), UINT32_C(0x01301D97), - UINT32_C(0x0137ADE9) } }, - { { UINT32_C(0x008164D4), UINT32_C(0x02998A00), UINT32_C(0x0E9FE1D5), - UINT32_C(0x05B9A827), UINT32_C(0x0AA45754), UINT32_C(0x06793FDD), - UINT32_C(0x01D8C060), UINT32_C(0x030ECBF4), UINT32_C(0x01FDC34C), - UINT32_C(0x0FA8650F), UINT32_C(0x0739AA31), UINT32_C(0x0905FB0D), - UINT32_C(0x04B98585), UINT32_C(0x04528DD9), UINT32_C(0x0582E0E8), - UINT32_C(0x0685885D), UINT32_C(0x008F4125), UINT32_C(0x02A15C01), - UINT32_C(0x023D540D) }, - { UINT32_C(0x039B003C), UINT32_C(0x074C5CC0), UINT32_C(0x029B2FBB), - UINT32_C(0x07F27890), UINT32_C(0x0C083234), UINT32_C(0x054081D7), - UINT32_C(0x0109E54D), UINT32_C(0x08920F8E), UINT32_C(0x07D87B98), - UINT32_C(0x07E36E68), UINT32_C(0x023912DB), UINT32_C(0x071A5BBC), - UINT32_C(0x0733E49F), UINT32_C(0x058495D0), UINT32_C(0x0068F694), - UINT32_C(0x012DCC7D), UINT32_C(0x0DC88ED4), UINT32_C(0x06D1A2D4), - UINT32_C(0x02BBA636) } }, - { { UINT32_C(0x0B78796F), UINT32_C(0x0335FA8E), UINT32_C(0x0243FD16), - UINT32_C(0x03C6B319), UINT32_C(0x01CD8CA8), UINT32_C(0x0704FAEE), - UINT32_C(0x04540F1E), UINT32_C(0x092AC9A2), UINT32_C(0x020A1CA3), - UINT32_C(0x023FC6DD), UINT32_C(0x01EFAF42), UINT32_C(0x00BC4AB2), - UINT32_C(0x0206DD26), UINT32_C(0x07400CF2), UINT32_C(0x072BD012), - UINT32_C(0x00840AB3), UINT32_C(0x016D752E), UINT32_C(0x00CEF006), - UINT32_C(0x0647C23D) }, - { UINT32_C(0x0F6CA70B), UINT32_C(0x05AFF85F), UINT32_C(0x031691E3), - UINT32_C(0x01063899), UINT32_C(0x02420E8C), UINT32_C(0x03D2D13C), - UINT32_C(0x059E8A01), UINT32_C(0x0FC5FC43), UINT32_C(0x042A852F), - UINT32_C(0x06446FD4), UINT32_C(0x0341CB5B), UINT32_C(0x044193ED), - UINT32_C(0x073BE475), UINT32_C(0x051FCBEA), UINT32_C(0x00D6D405), - UINT32_C(0x00A0026F), UINT32_C(0x09A09555), UINT32_C(0x0037DFDB), - UINT32_C(0x0186A76D) } }, - { { UINT32_C(0x06762E69), UINT32_C(0x05E586F2), UINT32_C(0x08A5D295), - UINT32_C(0x021AEB8A), UINT32_C(0x0D8E9356), UINT32_C(0x05E8F45E), - UINT32_C(0x04336CB6), UINT32_C(0x04373909), UINT32_C(0x020299B5), - UINT32_C(0x013EB290), UINT32_C(0x061E0E31), UINT32_C(0x07167125), - UINT32_C(0x01291CE5), UINT32_C(0x05F204F5), UINT32_C(0x060A0EA2), - UINT32_C(0x0414B179), UINT32_C(0x064F6F43), UINT32_C(0x0114060E), - UINT32_C(0x040928CF) }, - { UINT32_C(0x0B54A6C6), UINT32_C(0x010FE7C2), UINT32_C(0x0FDA19CB), - UINT32_C(0x056B791E), UINT32_C(0x049ED286), UINT32_C(0x02401472), - UINT32_C(0x048F8CD1), UINT32_C(0x0EAC2400), UINT32_C(0x075D6078), - UINT32_C(0x0EAAD7B3), UINT32_C(0x051EDE19), UINT32_C(0x0D7E6F09), - UINT32_C(0x001044A9), UINT32_C(0x0411E3BA), UINT32_C(0x0D3647C4), - UINT32_C(0x00168497), UINT32_C(0x08BA1235), UINT32_C(0x01C93676), - UINT32_C(0x01411BDC) } }, - { { UINT32_C(0x07F5FEA0), UINT32_C(0x068F1494), UINT32_C(0x0CF3659A), - UINT32_C(0x034F4CD5), UINT32_C(0x08840E07), UINT32_C(0x01463227), - UINT32_C(0x02CE4099), UINT32_C(0x00306A1A), UINT32_C(0x043276DA), - UINT32_C(0x0C0A79A8), UINT32_C(0x045485DA), UINT32_C(0x0D43B7E5), - UINT32_C(0x0245D30D), UINT32_C(0x07040ECA), UINT32_C(0x0F0944E2), - UINT32_C(0x02FAB448), UINT32_C(0x0A3418D6), UINT32_C(0x00AEEE32), - UINT32_C(0x054B0477) }, - { UINT32_C(0x002E1A49), UINT32_C(0x02417738), UINT32_C(0x003FC230), - UINT32_C(0x057B81BC), UINT32_C(0x09252F9B), UINT32_C(0x071E923E), - UINT32_C(0x07556FE9), UINT32_C(0x0405C043), UINT32_C(0x05F4A479), - UINT32_C(0x00AE6EBC), UINT32_C(0x0470CEA9), UINT32_C(0x043EFE7F), - UINT32_C(0x032F779B), UINT32_C(0x05D5E4C1), UINT32_C(0x0F412FF3), - UINT32_C(0x029E0A95), UINT32_C(0x027FF900), UINT32_C(0x0639C4FE), - UINT32_C(0x05496FF2) } }, - { { UINT32_C(0x093A81E5), UINT32_C(0x06552EA0), UINT32_C(0x076C940F), - UINT32_C(0x04D9EBF4), UINT32_C(0x07435E68), UINT32_C(0x00026B20), - UINT32_C(0x022F07A1), UINT32_C(0x0D1152A6), UINT32_C(0x01605EB4), - UINT32_C(0x021ED2B3), UINT32_C(0x0416BC52), UINT32_C(0x0F03BB25), - UINT32_C(0x032FD879), UINT32_C(0x0224E24D), UINT32_C(0x0227BC06), - UINT32_C(0x07E18BB7), UINT32_C(0x0846E10C), UINT32_C(0x025383D2), - UINT32_C(0x0716FE98) }, - { UINT32_C(0x048353E7), UINT32_C(0x06A51D17), UINT32_C(0x0602B7B4), - UINT32_C(0x00A3A912), UINT32_C(0x00D41798), UINT32_C(0x009BAAA2), - UINT32_C(0x014F6863), UINT32_C(0x0B8C9E0C), UINT32_C(0x004E89E7), - UINT32_C(0x01EA2B4D), UINT32_C(0x069FE41B), UINT32_C(0x0E23CD44), - UINT32_C(0x0284C3F8), UINT32_C(0x0709633E), UINT32_C(0x00EC122E), - UINT32_C(0x054C3546), UINT32_C(0x0274CE48), UINT32_C(0x0562858C), - UINT32_C(0x00845131) } }, - { { UINT32_C(0x093C77DA), UINT32_C(0x01D351AD), UINT32_C(0x023A3C02), - UINT32_C(0x050A84F5), UINT32_C(0x0D2278BA), UINT32_C(0x0166F47B), - UINT32_C(0x010E24C3), UINT32_C(0x0171F355), UINT32_C(0x070D70CC), - UINT32_C(0x0F04C14A), UINT32_C(0x0675CE80), UINT32_C(0x03C92277), - UINT32_C(0x027C5314), UINT32_C(0x0475432E), UINT32_C(0x0A42C984), - UINT32_C(0x021A86BA), UINT32_C(0x09667047), UINT32_C(0x0162D620), - UINT32_C(0x05CE1F5E) }, - { UINT32_C(0x0541016D), UINT32_C(0x04AA27AD), UINT32_C(0x024272A0), - UINT32_C(0x0124A937), UINT32_C(0x04022798), UINT32_C(0x04C4908F), - UINT32_C(0x078D2755), UINT32_C(0x05FC4690), UINT32_C(0x03D49867), - UINT32_C(0x0D0542ED), UINT32_C(0x014AC0C6), UINT32_C(0x0444F4AA), - UINT32_C(0x0527B53A), UINT32_C(0x04E463E4), UINT32_C(0x084795B9), - UINT32_C(0x06190D53), UINT32_C(0x01F0982A), UINT32_C(0x06C19AFA), - UINT32_C(0x02B40A43) } }, - { { UINT32_C(0x0D526DD9), UINT32_C(0x02D2A436), UINT32_C(0x06CBC632), - UINT32_C(0x06A016EB), UINT32_C(0x0229215C), UINT32_C(0x063A186E), - UINT32_C(0x056A2652), UINT32_C(0x0982D8F0), UINT32_C(0x04950B55), - UINT32_C(0x0C34A068), UINT32_C(0x036F958C), UINT32_C(0x0EC7C304), - UINT32_C(0x00685912), UINT32_C(0x00521605), UINT32_C(0x074386C5), - UINT32_C(0x06C5C880), UINT32_C(0x01D5C0E0), UINT32_C(0x0321B5FC), - UINT32_C(0x031F89D8) }, - { UINT32_C(0x0E4F4EFB), UINT32_C(0x042EF02C), UINT32_C(0x0747294D), - UINT32_C(0x06315147), UINT32_C(0x09826B36), UINT32_C(0x044F7A99), - UINT32_C(0x00DA6A3B), UINT32_C(0x0B192C6C), UINT32_C(0x017D9CD6), - UINT32_C(0x07D0FC8D), UINT32_C(0x00306186), UINT32_C(0x0DA5FD2C), - UINT32_C(0x048EA8B6), UINT32_C(0x041BED38), UINT32_C(0x028A7681), - UINT32_C(0x0444E09E), UINT32_C(0x07A1C182), UINT32_C(0x06CEB6B8), - UINT32_C(0x0402E972) } }, - { { UINT32_C(0x0A37CD61), UINT32_C(0x07A90498), UINT32_C(0x03236B70), - UINT32_C(0x010D1CA8), UINT32_C(0x0C8EE94C), UINT32_C(0x01332402), - UINT32_C(0x00D01671), UINT32_C(0x0D20BD0A), UINT32_C(0x04F8905D), - UINT32_C(0x0CB75503), UINT32_C(0x07C71184), UINT32_C(0x04D224FF), - UINT32_C(0x05EF5D3B), UINT32_C(0x02D2D84B), UINT32_C(0x0776D6B8), - UINT32_C(0x01B04C47), UINT32_C(0x0C6883AD), UINT32_C(0x041BC984), - UINT32_C(0x0738830F) }, - { UINT32_C(0x008A7408), UINT32_C(0x01833053), UINT32_C(0x0DCDED77), - UINT32_C(0x0660E3CD), UINT32_C(0x003541F4), UINT32_C(0x06650324), - UINT32_C(0x056D1103), UINT32_C(0x012DDC16), UINT32_C(0x04858446), - UINT32_C(0x031BD98F), UINT32_C(0x07EA97C0), UINT32_C(0x033EA10E), - UINT32_C(0x07E40598), UINT32_C(0x03935067), UINT32_C(0x06BD3C58), - UINT32_C(0x0709A382), UINT32_C(0x0FFD62B5), UINT32_C(0x03ACA64E), - UINT32_C(0x02BDB05C) } }, - { { UINT32_C(0x019DDB66), UINT32_C(0x0151276D), UINT32_C(0x0D169D42), - UINT32_C(0x07424F74), UINT32_C(0x0073574B), UINT32_C(0x029D6033), - UINT32_C(0x04805B63), UINT32_C(0x0FF3CCB8), UINT32_C(0x0657BEB9), - UINT32_C(0x06710C8D), UINT32_C(0x076A0EFE), UINT32_C(0x05FFC38A), - UINT32_C(0x039B2127), UINT32_C(0x04A7D60B), UINT32_C(0x0D352201), - UINT32_C(0x0459932F), UINT32_C(0x0A56306E), UINT32_C(0x05D63C8E), - UINT32_C(0x01727D3E) }, - { UINT32_C(0x0A228C02), UINT32_C(0x0454E2FD), UINT32_C(0x0C5CF406), - UINT32_C(0x072A6748), UINT32_C(0x09478B3C), UINT32_C(0x01C032C4), - UINT32_C(0x024B1CF3), UINT32_C(0x07BCB89A), UINT32_C(0x017F8136), - UINT32_C(0x03BFA207), UINT32_C(0x0032CE35), UINT32_C(0x01301C08), - UINT32_C(0x01F1D68E), UINT32_C(0x024447E0), UINT32_C(0x00655D3F), - UINT32_C(0x04B5B6DB), UINT32_C(0x08F50A61), UINT32_C(0x07FE19DA), - UINT32_C(0x01906979) } }, - { { UINT32_C(0x04E80EB1), UINT32_C(0x052DB749), UINT32_C(0x0FA876FF), - UINT32_C(0x014D563E), UINT32_C(0x0DD8DCB4), UINT32_C(0x06D08CF5), - UINT32_C(0x0088B6C9), UINT32_C(0x099DAF2C), UINT32_C(0x06ADE3E9), - UINT32_C(0x05F27F40), UINT32_C(0x076292C5), UINT32_C(0x02149C44), - UINT32_C(0x04ECED26), UINT32_C(0x04016166), UINT32_C(0x0E8DD0F0), - UINT32_C(0x02703366), UINT32_C(0x09A4D3F8), UINT32_C(0x000C4924), - UINT32_C(0x066F3B89) }, - { UINT32_C(0x00F92986), UINT32_C(0x001B8CB3), UINT32_C(0x0C27E556), - UINT32_C(0x05EAB0C7), UINT32_C(0x0A95BBEF), UINT32_C(0x011331B7), - UINT32_C(0x03245504), UINT32_C(0x0B108EBA), UINT32_C(0x0704FE66), - UINT32_C(0x0AEECF39), UINT32_C(0x0485E096), UINT32_C(0x0D5B3E1E), - UINT32_C(0x02DB3A00), UINT32_C(0x06FBA80E), UINT32_C(0x0AEE0EA5), - UINT32_C(0x064273CE), UINT32_C(0x0CD775D3), UINT32_C(0x00232462), - UINT32_C(0x0347DCE7) } }, - { { UINT32_C(0x029AE558), UINT32_C(0x07BED198), UINT32_C(0x073802BF), - UINT32_C(0x0528429C), UINT32_C(0x02A79F18), UINT32_C(0x045BFA11), - UINT32_C(0x07B77865), UINT32_C(0x065D4D35), UINT32_C(0x03701A97), - UINT32_C(0x03C87FB5), UINT32_C(0x07338AED), UINT32_C(0x0260F0C6), - UINT32_C(0x032E371B), UINT32_C(0x048EAB15), UINT32_C(0x06488CED), - UINT32_C(0x04349BDC), UINT32_C(0x09FF872F), UINT32_C(0x01EBC954), - UINT32_C(0x02644425) }, - { UINT32_C(0x0AAD22D1), UINT32_C(0x04DA634D), UINT32_C(0x0931B0A2), - UINT32_C(0x0366BA6D), UINT32_C(0x0A03F852), UINT32_C(0x003C4DA2), - UINT32_C(0x07BDDE59), UINT32_C(0x00543C06), UINT32_C(0x05EA4710), - UINT32_C(0x0622BACC), UINT32_C(0x03C86D6F), UINT32_C(0x0810EAB1), - UINT32_C(0x0128E64D), UINT32_C(0x02C5B6EF), UINT32_C(0x0F37432C), - UINT32_C(0x0391A4CD), UINT32_C(0x09344B8B), UINT32_C(0x007DDA34), - UINT32_C(0x02408EDC) } }, - { { UINT32_C(0x0EB8B398), UINT32_C(0x068DF986), UINT32_C(0x0BCADF8A), - UINT32_C(0x01829A9B), UINT32_C(0x017C9B77), UINT32_C(0x0446621A), - UINT32_C(0x026EE0C4), UINT32_C(0x0E0FE9B2), UINT32_C(0x0528FE1C), - UINT32_C(0x08E6DD5A), UINT32_C(0x018FB2E0), UINT32_C(0x0FD2A7AB), - UINT32_C(0x002E71A2), UINT32_C(0x069C2EFB), UINT32_C(0x0156F759), - UINT32_C(0x04F3A78E), UINT32_C(0x022C4533), UINT32_C(0x069A2816), - UINT32_C(0x03C034B1) }, - { UINT32_C(0x0D05FF6A), UINT32_C(0x07761186), UINT32_C(0x0D73ABC6), - UINT32_C(0x06AC086B), UINT32_C(0x0BF965A1), UINT32_C(0x05F6546D), - UINT32_C(0x07767397), UINT32_C(0x005C4608), UINT32_C(0x005803C4), - UINT32_C(0x024EE133), UINT32_C(0x05FC51BD), UINT32_C(0x099F0D97), - UINT32_C(0x00437C0C), UINT32_C(0x0553A827), UINT32_C(0x0FB0EB60), - UINT32_C(0x06A7AEC5), UINT32_C(0x07C31264), UINT32_C(0x020D4B32), - UINT32_C(0x045F6381) } }, - { { UINT32_C(0x04D9F1F8), UINT32_C(0x05315A15), UINT32_C(0x01990B25), - UINT32_C(0x01A6DE98), UINT32_C(0x036D854A), UINT32_C(0x03D25F0D), - UINT32_C(0x06673F83), UINT32_C(0x04C56936), UINT32_C(0x019ACD66), - UINT32_C(0x0C1F1C47), UINT32_C(0x04AD0FD3), UINT32_C(0x0148F4FA), - UINT32_C(0x07BC3A93), UINT32_C(0x02F86E22), UINT32_C(0x0291F62B), - UINT32_C(0x01F87233), UINT32_C(0x0F616501), UINT32_C(0x06C1B9E5), - UINT32_C(0x05FB6CAA) }, - { UINT32_C(0x0DAF0C41), UINT32_C(0x050BE47B), UINT32_C(0x0DD799BF), - UINT32_C(0x00BB8754), UINT32_C(0x07221726), UINT32_C(0x00F26A35), - UINT32_C(0x0474A809), UINT32_C(0x0250B288), UINT32_C(0x0680A8C1), - UINT32_C(0x09FDC598), UINT32_C(0x00424EA2), UINT32_C(0x09CADE7E), - UINT32_C(0x0092845D), UINT32_C(0x0301B24F), UINT32_C(0x0CF7BF3E), - UINT32_C(0x0747B26E), UINT32_C(0x04110EBF), UINT32_C(0x002FC650), - UINT32_C(0x066AF8B8) } }, - { { UINT32_C(0x06DBC74A), UINT32_C(0x02C31098), UINT32_C(0x069497D4), - UINT32_C(0x048864EC), UINT32_C(0x01E12C96), UINT32_C(0x03EE9F03), - UINT32_C(0x05400CB4), UINT32_C(0x00B9E174), UINT32_C(0x04923BC3), - UINT32_C(0x0B5B54EA), UINT32_C(0x04A635C8), UINT32_C(0x0039A770), - UINT32_C(0x079340D3), UINT32_C(0x02B053A6), UINT32_C(0x0AA8C800), - UINT32_C(0x073E66A4), UINT32_C(0x0304ED5B), UINT32_C(0x007ACB50), - UINT32_C(0x069EBA57) }, - { UINT32_C(0x04FA3D53), UINT32_C(0x050EF28C), UINT32_C(0x09A3C2CF), - UINT32_C(0x03DE9C58), UINT32_C(0x085E0F9C), UINT32_C(0x069D187C), - UINT32_C(0x04624402), UINT32_C(0x0C81F8BF), UINT32_C(0x02E444D9), - UINT32_C(0x0D776F3C), UINT32_C(0x02B966E8), UINT32_C(0x017A5803), - UINT32_C(0x005E79FE), UINT32_C(0x017FF63B), UINT32_C(0x05B01559), - UINT32_C(0x03097D34), UINT32_C(0x0F3A10BA), UINT32_C(0x0712D05A), - UINT32_C(0x03904282) } }, - { { UINT32_C(0x0727DDB2), UINT32_C(0x0322FBEE), UINT32_C(0x006E2FCD), - UINT32_C(0x07EA06FF), UINT32_C(0x0BA09E24), UINT32_C(0x00F733F8), - UINT32_C(0x03D6DCAE), UINT32_C(0x049125D5), UINT32_C(0x077E1A66), - UINT32_C(0x0D68AE84), UINT32_C(0x04F77FA6), UINT32_C(0x0964F229), - UINT32_C(0x011AD49C), UINT32_C(0x05CC02E9), UINT32_C(0x03E1CD67), - UINT32_C(0x06E9B6EE), UINT32_C(0x02ABE8BE), UINT32_C(0x056C7601), - UINT32_C(0x050C554C) }, - { UINT32_C(0x01B068CF), UINT32_C(0x012F41C1), UINT32_C(0x0CD31293), - UINT32_C(0x056F1C35), UINT32_C(0x0716CA13), UINT32_C(0x0544293E), - UINT32_C(0x06007211), UINT32_C(0x04F726E6), UINT32_C(0x007D49EF), - UINT32_C(0x0E336972), UINT32_C(0x031C46EF), UINT32_C(0x025A6106), - UINT32_C(0x05AA92B9), UINT32_C(0x011700B0), UINT32_C(0x011058CF), - UINT32_C(0x00395DAC), UINT32_C(0x02BBCCE0), UINT32_C(0x029EAC52), - UINT32_C(0x028A26A5) } }, - }, - { - { { UINT32_C(0x0FFE4858), UINT32_C(0x044AC143), UINT32_C(0x06252D69), - UINT32_C(0x03691755), UINT32_C(0x0DE0F670), UINT32_C(0x0295E478), - UINT32_C(0x05945AF8), UINT32_C(0x0A5D32CA), UINT32_C(0x0234DE82), - UINT32_C(0x0F67E075), UINT32_C(0x06115CED), UINT32_C(0x00AE3A40), - UINT32_C(0x04F21740), UINT32_C(0x05BA53F6), UINT32_C(0x05840CD3), - UINT32_C(0x02246AB6), UINT32_C(0x0A7E5891), UINT32_C(0x00E30EE3), - UINT32_C(0x06E32125) }, - { UINT32_C(0x028DA023), UINT32_C(0x0757D14A), UINT32_C(0x0F1F2367), - UINT32_C(0x071B23A0), UINT32_C(0x09FF6F22), UINT32_C(0x06AE99FC), - UINT32_C(0x07D2FAD3), UINT32_C(0x0C60DF70), UINT32_C(0x008ADC3F), - UINT32_C(0x090D9E92), UINT32_C(0x027C0C30), UINT32_C(0x01553F37), - UINT32_C(0x047ACF16), UINT32_C(0x017392AB), UINT32_C(0x05D9DD01), - UINT32_C(0x07D1EF5C), UINT32_C(0x039F6FB5), UINT32_C(0x029DC337), - UINT32_C(0x04960195) } }, - { { UINT32_C(0x0994A7B1), UINT32_C(0x00E9A7BA), UINT32_C(0x03544C1B), - UINT32_C(0x0606BDF6), UINT32_C(0x01F3406A), UINT32_C(0x0635C178), - UINT32_C(0x04CA0BE9), UINT32_C(0x09B74F10), UINT32_C(0x046E4155), - UINT32_C(0x0655718B), UINT32_C(0x06B58CFD), UINT32_C(0x00E2656C), - UINT32_C(0x0426833D), UINT32_C(0x063C550C), UINT32_C(0x049DDCA9), - UINT32_C(0x04F6A9FC), UINT32_C(0x0676F8FD), UINT32_C(0x07BCA38C), - UINT32_C(0x059BDCBC) }, - { UINT32_C(0x096F6D73), UINT32_C(0x0378FAEB), UINT32_C(0x0AA2949D), - UINT32_C(0x02979AD2), UINT32_C(0x0FD54FA0), UINT32_C(0x0358AB66), - UINT32_C(0x012D1C2E), UINT32_C(0x0A3E9433), UINT32_C(0x012502DC), - UINT32_C(0x0BF42C60), UINT32_C(0x02403252), UINT32_C(0x0B59A13D), - UINT32_C(0x07CE87D8), UINT32_C(0x06EFA510), UINT32_C(0x0F316813), - UINT32_C(0x048C6131), UINT32_C(0x0ABB4F2B), UINT32_C(0x00135CF6), - UINT32_C(0x019B839C) } }, - { { UINT32_C(0x0CDE12CD), UINT32_C(0x01F2EE46), UINT32_C(0x096668FC), - UINT32_C(0x06800020), UINT32_C(0x0D8D4DC3), UINT32_C(0x01F9D872), - UINT32_C(0x0074B363), UINT32_C(0x08E353D0), UINT32_C(0x06B87B06), - UINT32_C(0x05F1A3E4), UINT32_C(0x03D67702), UINT32_C(0x0AD5ACE9), - UINT32_C(0x024E9994), UINT32_C(0x03C2A440), UINT32_C(0x05A6C55C), - UINT32_C(0x045CAA47), UINT32_C(0x0AC34E77), UINT32_C(0x068E05E3), - UINT32_C(0x0598564E) }, - { UINT32_C(0x0366B021), UINT32_C(0x017935A2), UINT32_C(0x04F773DB), - UINT32_C(0x04629F66), UINT32_C(0x096AE2DC), UINT32_C(0x00DB3EE0), - UINT32_C(0x05684F63), UINT32_C(0x00391BA5), UINT32_C(0x07270BBB), - UINT32_C(0x0E28A705), UINT32_C(0x02BB0A4B), UINT32_C(0x097DCA61), - UINT32_C(0x04E133F5), UINT32_C(0x04899B3E), UINT32_C(0x00637ACF), - UINT32_C(0x02D4E63D), UINT32_C(0x09635CB7), UINT32_C(0x02DEDDE2), - UINT32_C(0x02229A95) } }, - { { UINT32_C(0x0CD34315), UINT32_C(0x02E1C8DC), UINT32_C(0x067A6FB7), - UINT32_C(0x03DB6FAE), UINT32_C(0x07281C55), UINT32_C(0x046AC647), - UINT32_C(0x002E790C), UINT32_C(0x0F3D1BC4), UINT32_C(0x0533A625), - UINT32_C(0x06417AC2), UINT32_C(0x018ACECE), UINT32_C(0x0B7019D6), - UINT32_C(0x06EDA9DA), UINT32_C(0x01938AF8), UINT32_C(0x029911BB), - UINT32_C(0x03E2995B), UINT32_C(0x0C0E3FBA), UINT32_C(0x011596D1), - UINT32_C(0x00271C3C) }, - { UINT32_C(0x0356A25A), UINT32_C(0x072A1ED9), UINT32_C(0x0EAF77B0), - UINT32_C(0x02B4B853), UINT32_C(0x0C759255), UINT32_C(0x02FB6C3D), - UINT32_C(0x0704DFA8), UINT32_C(0x0D59777F), UINT32_C(0x078F4FA8), - UINT32_C(0x03C11635), UINT32_C(0x02E52765), UINT32_C(0x02ACB74C), - UINT32_C(0x007731B9), UINT32_C(0x0137AD56), UINT32_C(0x063A4E6E), - UINT32_C(0x06744404), UINT32_C(0x09B78353), UINT32_C(0x04631A57), - UINT32_C(0x018C7F7E) } }, - { { UINT32_C(0x0EAD4FF9), UINT32_C(0x05871450), UINT32_C(0x07F9BF26), - UINT32_C(0x02BC1D4E), UINT32_C(0x00CD4484), UINT32_C(0x04EBA4AB), - UINT32_C(0x01DEDBB8), UINT32_C(0x0E25B38D), UINT32_C(0x049D1268), - UINT32_C(0x0D04AABB), UINT32_C(0x01AEF51D), UINT32_C(0x00829E43), - UINT32_C(0x05402C62), UINT32_C(0x0368D70D), UINT32_C(0x03775E01), - UINT32_C(0x04503803), UINT32_C(0x02B6C48D), UINT32_C(0x01FD101D), - UINT32_C(0x0025FF9E) }, - { UINT32_C(0x0B8B195A), UINT32_C(0x02323FFC), UINT32_C(0x00557FA3), - UINT32_C(0x073ED365), UINT32_C(0x0A376D54), UINT32_C(0x023A3994), - UINT32_C(0x00F1CC64), UINT32_C(0x080DCBBA), UINT32_C(0x01BB869C), - UINT32_C(0x084DE7DF), UINT32_C(0x03102B44), UINT32_C(0x0559CF4A), - UINT32_C(0x0385604A), UINT32_C(0x05CB3A44), UINT32_C(0x022C8F10), - UINT32_C(0x00AC8251), UINT32_C(0x0D40C893), UINT32_C(0x00107891), - UINT32_C(0x06795987) } }, - { { UINT32_C(0x06920A2A), UINT32_C(0x051ED07D), UINT32_C(0x0D40A6DB), - UINT32_C(0x004D5082), UINT32_C(0x0BB2B0B9), UINT32_C(0x046EEDFC), - UINT32_C(0x077C4F4D), UINT32_C(0x0025B307), UINT32_C(0x00CCCEED), - UINT32_C(0x05AD182A), UINT32_C(0x0734F059), UINT32_C(0x0B480EE5), - UINT32_C(0x0170F1CB), UINT32_C(0x0417A672), UINT32_C(0x05B933B3), - UINT32_C(0x0279BB07), UINT32_C(0x0341E8CB), UINT32_C(0x071F7EBF), - UINT32_C(0x0231AF93) }, - { UINT32_C(0x01CA3CCC), UINT32_C(0x042A30AF), UINT32_C(0x0E1E55F1), - UINT32_C(0x07A6A1AC), UINT32_C(0x0D95EC2F), UINT32_C(0x029E2CCD), - UINT32_C(0x00847505), UINT32_C(0x0184F443), UINT32_C(0x04B6D717), - UINT32_C(0x03764831), UINT32_C(0x043E0649), UINT32_C(0x0378A536), - UINT32_C(0x0430CAB4), UINT32_C(0x05B08C42), UINT32_C(0x0B147E31), - UINT32_C(0x0270B565), UINT32_C(0x056846E1), UINT32_C(0x0393806E), - UINT32_C(0x0102687E) } }, - { { UINT32_C(0x0EB5DCD3), UINT32_C(0x0185FC5D), UINT32_C(0x03181617), - UINT32_C(0x01479862), UINT32_C(0x0D1E00A3), UINT32_C(0x000E2351), - UINT32_C(0x041EA413), UINT32_C(0x0EC09039), UINT32_C(0x00213EFE), - UINT32_C(0x02085A51), UINT32_C(0x027B7641), UINT32_C(0x0EE239C0), - UINT32_C(0x06D0F7BB), UINT32_C(0x0267C803), UINT32_C(0x0B79A7EE), - UINT32_C(0x0681FFDF), UINT32_C(0x08DFF64B), UINT32_C(0x0688C37C), - UINT32_C(0x03D1AE9F) }, - { UINT32_C(0x03B68E6C), UINT32_C(0x07F04BE5), UINT32_C(0x060E4D0D), - UINT32_C(0x0534899D), UINT32_C(0x0FA52B9C), UINT32_C(0x001C4752), - UINT32_C(0x00BCA60E), UINT32_C(0x041ED165), UINT32_C(0x01DBEB9D), - UINT32_C(0x04BEFD90), UINT32_C(0x05B1A36F), UINT32_C(0x0C6DA7CD), - UINT32_C(0x025F29BF), UINT32_C(0x0143D052), UINT32_C(0x099FCD3B), - UINT32_C(0x04934EE0), UINT32_C(0x00F9287C), UINT32_C(0x06BF2174), - UINT32_C(0x05D3AAEB) } }, - { { UINT32_C(0x0B07B1BF), UINT32_C(0x008B8614), UINT32_C(0x00E21485), - UINT32_C(0x07064A8F), UINT32_C(0x04328BCA), UINT32_C(0x0126ADF3), - UINT32_C(0x07D9CEFE), UINT32_C(0x0B5FE8D9), UINT32_C(0x03B144E7), - UINT32_C(0x0FF1E126), UINT32_C(0x06AF8F59), UINT32_C(0x07A6CE02), - UINT32_C(0x07F9BE52), UINT32_C(0x003588EF), UINT32_C(0x0EFF3D3A), - UINT32_C(0x052C77D2), UINT32_C(0x010CACE8), UINT32_C(0x05B1B51F), - UINT32_C(0x06F19D06) }, - { UINT32_C(0x042166D8), UINT32_C(0x04CD028C), UINT32_C(0x039C24AE), - UINT32_C(0x02C03F19), UINT32_C(0x067F4B98), UINT32_C(0x020FC733), - UINT32_C(0x01DAB42C), UINT32_C(0x02FF3B82), UINT32_C(0x048BCF28), - UINT32_C(0x019BFE25), UINT32_C(0x05777D5F), UINT32_C(0x06871AF8), - UINT32_C(0x04139F9E), UINT32_C(0x07211D99), UINT32_C(0x0AD09893), - UINT32_C(0x01E0FD46), UINT32_C(0x02906E37), UINT32_C(0x028275DB), - UINT32_C(0x046A1575) } }, - { { UINT32_C(0x08AA3834), UINT32_C(0x06C07864), UINT32_C(0x0E044947), - UINT32_C(0x03335EFD), UINT32_C(0x067B5E62), UINT32_C(0x034C6315), - UINT32_C(0x07572306), UINT32_C(0x07CFC444), UINT32_C(0x01B85C68), - UINT32_C(0x04AE9317), UINT32_C(0x004244BB), UINT32_C(0x02B9387A), - UINT32_C(0x07EC501D), UINT32_C(0x030A85A4), UINT32_C(0x035462ED), - UINT32_C(0x0713AD0C), UINT32_C(0x053851AC), UINT32_C(0x02FE3E5B), - UINT32_C(0x06B40EB3) }, - { UINT32_C(0x053E08C6), UINT32_C(0x05772205), UINT32_C(0x030BB610), - UINT32_C(0x008EE615), UINT32_C(0x0B7E6CE7), UINT32_C(0x00783E50), - UINT32_C(0x0096806A), UINT32_C(0x066126FD), UINT32_C(0x051C1C80), - UINT32_C(0x0ECBCD5E), UINT32_C(0x03A28DED), UINT32_C(0x08FD6395), - UINT32_C(0x022A192F), UINT32_C(0x0736A4A0), UINT32_C(0x01369C64), - UINT32_C(0x02AB6ECE), UINT32_C(0x06E0E541), UINT32_C(0x03248146), - UINT32_C(0x00948603) } }, - { { UINT32_C(0x069B34EA), UINT32_C(0x0336603F), UINT32_C(0x06DBFFB7), - UINT32_C(0x0300F54C), UINT32_C(0x03402123), UINT32_C(0x04E1356D), - UINT32_C(0x04422E8C), UINT32_C(0x0C555F86), UINT32_C(0x065AB272), - UINT32_C(0x053F830F), UINT32_C(0x0579A41E), UINT32_C(0x0FEFEF91), - UINT32_C(0x004E0795), UINT32_C(0x016107F9), UINT32_C(0x08D654BD), - UINT32_C(0x04ABFECE), UINT32_C(0x06C9D84D), UINT32_C(0x03813525), - UINT32_C(0x07CB6F50) }, - { UINT32_C(0x09047156), UINT32_C(0x010B8EB7), UINT32_C(0x0CC6FC83), - UINT32_C(0x0431B14F), UINT32_C(0x03572502), UINT32_C(0x076096FF), - UINT32_C(0x0028C298), UINT32_C(0x066F3BBA), UINT32_C(0x00B06491), - UINT32_C(0x0665164A), UINT32_C(0x04A5A55D), UINT32_C(0x02DAC096), - UINT32_C(0x03E71E1C), UINT32_C(0x0256A93B), UINT32_C(0x04C0530A), - UINT32_C(0x062EDF21), UINT32_C(0x0F59E8F8), UINT32_C(0x019409ED), - UINT32_C(0x07A2F4BF) } }, - { { UINT32_C(0x0665B1CF), UINT32_C(0x0034F110), UINT32_C(0x0E6E0C55), - UINT32_C(0x05548084), UINT32_C(0x0CB9C817), UINT32_C(0x010A8F87), - UINT32_C(0x012A9C49), UINT32_C(0x0982F57E), UINT32_C(0x00D5BB56), - UINT32_C(0x0649D707), UINT32_C(0x00C86A10), UINT32_C(0x0C3ED33B), - UINT32_C(0x065AEDD0), UINT32_C(0x061D08CC), UINT32_C(0x010AAD5D), - UINT32_C(0x015E11C5), UINT32_C(0x0CE68252), UINT32_C(0x03DCA282), - UINT32_C(0x023E7D61) }, - { UINT32_C(0x094CC511), UINT32_C(0x053544CA), UINT32_C(0x067DDC2E), - UINT32_C(0x022C5BA7), UINT32_C(0x0E503DBC), UINT32_C(0x06CD2E73), - UINT32_C(0x058CE06F), UINT32_C(0x072AA3E8), UINT32_C(0x06DB1977), - UINT32_C(0x04494EBF), UINT32_C(0x00968BBC), UINT32_C(0x02E8F607), - UINT32_C(0x06F93369), UINT32_C(0x00836553), UINT32_C(0x05A73753), - UINT32_C(0x03A8B586), UINT32_C(0x00A046AC), UINT32_C(0x0211F089), - UINT32_C(0x0389954D) } }, - { { UINT32_C(0x0BB13D25), UINT32_C(0x023A4F60), UINT32_C(0x05B894C3), - UINT32_C(0x01F6CF6C), UINT32_C(0x0F316A82), UINT32_C(0x07269483), - UINT32_C(0x0724D1FF), UINT32_C(0x081060C2), UINT32_C(0x07213116), - UINT32_C(0x0B65307F), UINT32_C(0x06CB9993), UINT32_C(0x04580D3B), - UINT32_C(0x064521E7), UINT32_C(0x07FA9810), UINT32_C(0x00B180DF), - UINT32_C(0x058701A7), UINT32_C(0x08BFB845), UINT32_C(0x0175BF68), - UINT32_C(0x02BF1464) }, - { UINT32_C(0x04B66F01), UINT32_C(0x059EAFDA), UINT32_C(0x02EB7B38), - UINT32_C(0x0382ED4B), UINT32_C(0x0D3E8A47), UINT32_C(0x061E1C44), - UINT32_C(0x06369F05), UINT32_C(0x0221CD6C), UINT32_C(0x033836B4), - UINT32_C(0x0580C2E2), UINT32_C(0x071C3002), UINT32_C(0x0C51E97D), - UINT32_C(0x06D684C3), UINT32_C(0x074D62F1), UINT32_C(0x0851439A), - UINT32_C(0x038AB710), UINT32_C(0x0300D39E), UINT32_C(0x0390C464), - UINT32_C(0x04D98E09) } }, - { { UINT32_C(0x0140A004), UINT32_C(0x00D68C0B), UINT32_C(0x080890B3), - UINT32_C(0x07D532CC), UINT32_C(0x05EC2C5B), UINT32_C(0x065415DB), - UINT32_C(0x021CBEF3), UINT32_C(0x0C92C4C7), UINT32_C(0x002C11E2), - UINT32_C(0x087FFDBE), UINT32_C(0x00BBD5AB), UINT32_C(0x0D3147C6), - UINT32_C(0x027322CF), UINT32_C(0x048AE30E), UINT32_C(0x0A78BD27), - UINT32_C(0x06E52637), UINT32_C(0x0F79BB43), UINT32_C(0x05C2CDD9), - UINT32_C(0x03AEDAB1) }, - { UINT32_C(0x01F8F797), UINT32_C(0x05E078E8), UINT32_C(0x0A430953), - UINT32_C(0x079FE860), UINT32_C(0x098B3236), UINT32_C(0x00A0033B), - UINT32_C(0x0311C26A), UINT32_C(0x02325326), UINT32_C(0x021CEBBC), - UINT32_C(0x01C498E4), UINT32_C(0x02365440), UINT32_C(0x091FBA94), - UINT32_C(0x017487BB), UINT32_C(0x0321A8D5), UINT32_C(0x071AEF9F), - UINT32_C(0x047D457D), UINT32_C(0x01BCFB0E), UINT32_C(0x0071F7BC), - UINT32_C(0x075AEFAA) } }, - { { UINT32_C(0x0C98DFAE), UINT32_C(0x01C5257A), UINT32_C(0x06506435), - UINT32_C(0x00916D1A), UINT32_C(0x0D65B633), UINT32_C(0x06BAC13A), - UINT32_C(0x013D2F72), UINT32_C(0x0B8C7FD1), UINT32_C(0x0068E619), - UINT32_C(0x0C30A25B), UINT32_C(0x016EBDF8), UINT32_C(0x0D8A2E42), - UINT32_C(0x01E2AB8D), UINT32_C(0x07855AFB), UINT32_C(0x01F15FBB), - UINT32_C(0x01DA4917), UINT32_C(0x074DB277), UINT32_C(0x030BAC3C), - UINT32_C(0x01B1B048) }, - { UINT32_C(0x00C92FB5), UINT32_C(0x00781A5F), UINT32_C(0x0B53EE11), - UINT32_C(0x04366DE3), UINT32_C(0x0D7AFCA1), UINT32_C(0x04C3CAB8), - UINT32_C(0x031EB35F), UINT32_C(0x00CDDA16), UINT32_C(0x05DB2AA4), - UINT32_C(0x0EEC79C5), UINT32_C(0x0123CDB1), UINT32_C(0x0A41DC06), - UINT32_C(0x06880096), UINT32_C(0x069843C8), UINT32_C(0x0CF78DBD), - UINT32_C(0x0751C797), UINT32_C(0x0381D873), UINT32_C(0x055DD420), - UINT32_C(0x011ED33F) } }, - { { UINT32_C(0x0629DD22), UINT32_C(0x0329136A), UINT32_C(0x0F4C3A86), - UINT32_C(0x02DF1D68), UINT32_C(0x0629460E), UINT32_C(0x04615D04), - UINT32_C(0x06370A73), UINT32_C(0x0FF4CD28), UINT32_C(0x031AD006), - UINT32_C(0x08F7AAC2), UINT32_C(0x05792159), UINT32_C(0x0680FF31), - UINT32_C(0x04E1BAE8), UINT32_C(0x02E9B2B2), UINT32_C(0x0033BF36), - UINT32_C(0x07DA8F9E), UINT32_C(0x0C93AB40), UINT32_C(0x01D743F3), - UINT32_C(0x07644D30) }, - { UINT32_C(0x075200EB), UINT32_C(0x07C0784F), UINT32_C(0x0BE5A2EF), - UINT32_C(0x002C4071), UINT32_C(0x0BB7DD65), UINT32_C(0x004ADBD2), - UINT32_C(0x040D6568), UINT32_C(0x0F9A3BB6), UINT32_C(0x003E18E7), - UINT32_C(0x0B2FA6B5), UINT32_C(0x04ED429F), UINT32_C(0x06091338), - UINT32_C(0x01D161FD), UINT32_C(0x00454AAD), UINT32_C(0x0CAE06AA), - UINT32_C(0x04E95021), UINT32_C(0x04523C5D), UINT32_C(0x041594F0), - UINT32_C(0x065084CD) } }, - { { UINT32_C(0x002145D7), UINT32_C(0x047D8374), UINT32_C(0x0467ABA3), - UINT32_C(0x051CC3F5), UINT32_C(0x0483BB69), UINT32_C(0x05CC8B8E), - UINT32_C(0x00E452BD), UINT32_C(0x04333A28), UINT32_C(0x04F1A76A), - UINT32_C(0x0CC64EC5), UINT32_C(0x05D9332C), UINT32_C(0x0E975BFD), - UINT32_C(0x036AEA82), UINT32_C(0x03B66BE1), UINT32_C(0x0C8D0897), - UINT32_C(0x00F4E2EA), UINT32_C(0x0E84A7FD), UINT32_C(0x04F8C351), - UINT32_C(0x03B65097) }, - { UINT32_C(0x0DDB406F), UINT32_C(0x00890ADF), UINT32_C(0x03BBC60E), - UINT32_C(0x01C0CA21), UINT32_C(0x0A76C2EF), UINT32_C(0x01695DF8), - UINT32_C(0x07073F32), UINT32_C(0x0EED6813), UINT32_C(0x014D6ADC), - UINT32_C(0x0AD30E57), UINT32_C(0x0080597C), UINT32_C(0x051E8314), - UINT32_C(0x02334D30), UINT32_C(0x01C9AC19), UINT32_C(0x0D628FAA), - UINT32_C(0x03467107), UINT32_C(0x027B5A2C), UINT32_C(0x07FE2414), - UINT32_C(0x06D835AF) } }, - }, - { - { { UINT32_C(0x0EF34144), UINT32_C(0x030D91DC), UINT32_C(0x05517757), - UINT32_C(0x007F4856), UINT32_C(0x07EAF164), UINT32_C(0x058E3931), - UINT32_C(0x0713CF7A), UINT32_C(0x0D5B04EB), UINT32_C(0x0416E9E6), - UINT32_C(0x02479D66), UINT32_C(0x03230F77), UINT32_C(0x0E9111E0), - UINT32_C(0x004A4528), UINT32_C(0x02C7F7D1), UINT32_C(0x02C19F36), - UINT32_C(0x0456B2EE), UINT32_C(0x083CA160), UINT32_C(0x04377D25), - UINT32_C(0x02CC5D8D) }, - { UINT32_C(0x024FDE34), UINT32_C(0x056A1AF8), UINT32_C(0x04A1F978), - UINT32_C(0x07F66131), UINT32_C(0x09CCCEFE), UINT32_C(0x056AE73E), - UINT32_C(0x0373907A), UINT32_C(0x08E4DFA2), UINT32_C(0x06104B90), - UINT32_C(0x0CB65FE3), UINT32_C(0x0157AEF0), UINT32_C(0x0346E5AE), - UINT32_C(0x06A8D9D0), UINT32_C(0x034F592B), UINT32_C(0x06A50F43), - UINT32_C(0x03B946D2), UINT32_C(0x0B23CFAE), UINT32_C(0x01428E19), - UINT32_C(0x01E96239) } }, - { { UINT32_C(0x0FF5FDD9), UINT32_C(0x06FD0B27), UINT32_C(0x0E5375B8), - UINT32_C(0x02903F56), UINT32_C(0x0A0998F1), UINT32_C(0x04C7F7A7), - UINT32_C(0x07B849C2), UINT32_C(0x01F684C1), UINT32_C(0x03D27FA7), - UINT32_C(0x0ECDF852), UINT32_C(0x067A0FF9), UINT32_C(0x01170172), - UINT32_C(0x06847341), UINT32_C(0x0384EC35), UINT32_C(0x097FA0B1), - UINT32_C(0x056D5954), UINT32_C(0x0811FE39), UINT32_C(0x03141A8E), - UINT32_C(0x03197AAF) }, - { UINT32_C(0x06B64713), UINT32_C(0x01EA477B), UINT32_C(0x0401B800), - UINT32_C(0x056A093F), UINT32_C(0x0B18523C), UINT32_C(0x05FBF38B), - UINT32_C(0x0000837C), UINT32_C(0x0205CC9C), UINT32_C(0x0211586E), - UINT32_C(0x00E95959), UINT32_C(0x011034DB), UINT32_C(0x0705835C), - UINT32_C(0x0534A7CA), UINT32_C(0x01BEEAE0), UINT32_C(0x011191B1), - UINT32_C(0x06AC6C8E), UINT32_C(0x0F65A0B0), UINT32_C(0x01E452CE), - UINT32_C(0x07AA591C) } }, - { { UINT32_C(0x04BE78BD), UINT32_C(0x06F41AA4), UINT32_C(0x09895DC2), - UINT32_C(0x05E43C02), UINT32_C(0x0F5ED50D), UINT32_C(0x0055BA85), - UINT32_C(0x04B88B8C), UINT32_C(0x07C05237), UINT32_C(0x06B089B3), - UINT32_C(0x09D41AEF), UINT32_C(0x07A77F2E), UINT32_C(0x0B03794F), - UINT32_C(0x0272136B), UINT32_C(0x013E2617), UINT32_C(0x039B53A2), - UINT32_C(0x04704526), UINT32_C(0x0958114F), UINT32_C(0x01DF2245), - UINT32_C(0x0736ACD3) }, - { UINT32_C(0x020FED74), UINT32_C(0x0142B2B5), UINT32_C(0x00BC648B), - UINT32_C(0x045D8303), UINT32_C(0x01238CE7), UINT32_C(0x041E6696), - UINT32_C(0x07794FE3), UINT32_C(0x02BC0623), UINT32_C(0x04D21409), - UINT32_C(0x05FABD03), UINT32_C(0x074FAEA0), UINT32_C(0x08FD5BE6), - UINT32_C(0x041F41AC), UINT32_C(0x046062AA), UINT32_C(0x06780730), - UINT32_C(0x035F4E6F), UINT32_C(0x016D4890), UINT32_C(0x05B93E77), - UINT32_C(0x01E38302) } }, - { { UINT32_C(0x0736B7A8), UINT32_C(0x049E4056), UINT32_C(0x01935194), - UINT32_C(0x056AFE87), UINT32_C(0x0526EB80), UINT32_C(0x0763756F), - UINT32_C(0x0438F678), UINT32_C(0x074903F5), UINT32_C(0x0305EF19), - UINT32_C(0x0434448D), UINT32_C(0x05186915), UINT32_C(0x00E55244), - UINT32_C(0x017BD6D1), UINT32_C(0x0747C684), UINT32_C(0x0FEE9906), - UINT32_C(0x07BEA2FE), UINT32_C(0x04C3FEC5), UINT32_C(0x05EAB892), - UINT32_C(0x03E3B341) }, - { UINT32_C(0x0DEF19D6), UINT32_C(0x03A56FE1), UINT32_C(0x09F33CC0), - UINT32_C(0x03E3A7C9), UINT32_C(0x04712359), UINT32_C(0x02515669), - UINT32_C(0x035C962B), UINT32_C(0x08C45240), UINT32_C(0x033CCA10), - UINT32_C(0x06965FA2), UINT32_C(0x04F88D82), UINT32_C(0x0FDE595A), - UINT32_C(0x0241F5B1), UINT32_C(0x03F203E1), UINT32_C(0x0BB7CDF8), - UINT32_C(0x046409AD), UINT32_C(0x08E4A186), UINT32_C(0x01723DD8), - UINT32_C(0x02B93AF0) } }, - { { UINT32_C(0x0FACC519), UINT32_C(0x027F5A2C), UINT32_C(0x0CA8C450), - UINT32_C(0x03EC651F), UINT32_C(0x0B47E880), UINT32_C(0x01B9DB47), - UINT32_C(0x06895D1C), UINT32_C(0x0F1857B2), UINT32_C(0x06CC04B3), - UINT32_C(0x01C2D89D), UINT32_C(0x04525759), UINT32_C(0x0B6EACB4), - UINT32_C(0x07770FC8), UINT32_C(0x04A7FC79), UINT32_C(0x03B56F1C), - UINT32_C(0x0248A360), UINT32_C(0x0A73C4C6), UINT32_C(0x04BA5188), - UINT32_C(0x0400E477) }, - { UINT32_C(0x0AEA3E6E), UINT32_C(0x05DA167B), UINT32_C(0x02C8D4B1), - UINT32_C(0x074DB11C), UINT32_C(0x05DB2724), UINT32_C(0x04492C83), - UINT32_C(0x00B62A05), UINT32_C(0x03A036B6), UINT32_C(0x07BC9211), - UINT32_C(0x05739939), UINT32_C(0x00FD8C64), UINT32_C(0x0E68B0EC), - UINT32_C(0x050FC3F3), UINT32_C(0x0446466F), UINT32_C(0x0A598C89), - UINT32_C(0x062CB99D), UINT32_C(0x0C97B1FA), UINT32_C(0x077F1F42), - UINT32_C(0x051B5A92) } }, - { { UINT32_C(0x09C36058), UINT32_C(0x05929A37), UINT32_C(0x079147E4), - UINT32_C(0x0546B4E8), UINT32_C(0x0C41B43A), UINT32_C(0x05F16140), - UINT32_C(0x0124A189), UINT32_C(0x0D01EFB0), UINT32_C(0x00FCDC74), - UINT32_C(0x0D3E796F), UINT32_C(0x0597A54B), UINT32_C(0x097F7DE8), - UINT32_C(0x0677C89A), UINT32_C(0x036C6165), UINT32_C(0x0DFFFA33), - UINT32_C(0x0782CAAE), UINT32_C(0x07E6FE65), UINT32_C(0x04887038), - UINT32_C(0x0636D482) }, - { UINT32_C(0x071EFA02), UINT32_C(0x07F91B7E), UINT32_C(0x0950028E), - UINT32_C(0x069527C7), UINT32_C(0x09CE6F6C), UINT32_C(0x01FEEAA0), - UINT32_C(0x014DED92), UINT32_C(0x0D94B717), UINT32_C(0x014B513D), - UINT32_C(0x0A97F421), UINT32_C(0x075448FA), UINT32_C(0x041A5F24), - UINT32_C(0x0721201F), UINT32_C(0x0444C83A), UINT32_C(0x07F6AE04), - UINT32_C(0x030824B5), UINT32_C(0x0246F2D9), UINT32_C(0x05F21CD9), - UINT32_C(0x06817477) } }, - { { UINT32_C(0x0DDEF055), UINT32_C(0x01C63F00), UINT32_C(0x0570BDE9), - UINT32_C(0x07433A8A), UINT32_C(0x099522A9), UINT32_C(0x051DEDFE), - UINT32_C(0x01712838), UINT32_C(0x0C8ECC33), UINT32_C(0x04846773), - UINT32_C(0x0D5E2042), UINT32_C(0x017373E7), UINT32_C(0x04742EE4), - UINT32_C(0x01053131), UINT32_C(0x01BD8B10), UINT32_C(0x01A5A425), - UINT32_C(0x072BB78A), UINT32_C(0x01A26990), UINT32_C(0x02CD45F0), - UINT32_C(0x03124D19) }, - { UINT32_C(0x01A2F1BD), UINT32_C(0x02C1057A), UINT32_C(0x07B6C2D1), - UINT32_C(0x00B79FA6), UINT32_C(0x09B44B1B), UINT32_C(0x0428D7E8), - UINT32_C(0x04C94C23), UINT32_C(0x0DFB15C5), UINT32_C(0x02F5DBF7), - UINT32_C(0x0BC452A9), UINT32_C(0x044F06AF), UINT32_C(0x06C3295D), - UINT32_C(0x0661CB9B), UINT32_C(0x0001E990), UINT32_C(0x022A6D5E), - UINT32_C(0x03420E57), UINT32_C(0x0D5E7F7E), UINT32_C(0x0593D853), - UINT32_C(0x00938C95) } }, - { { UINT32_C(0x0899A80A), UINT32_C(0x063E3726), UINT32_C(0x08972EC5), - UINT32_C(0x037C93BE), UINT32_C(0x031E1342), UINT32_C(0x07C51EDF), - UINT32_C(0x03702DD4), UINT32_C(0x086F89E1), UINT32_C(0x047EBB47), - UINT32_C(0x06A291B7), UINT32_C(0x0685EBFA), UINT32_C(0x0EF566F4), - UINT32_C(0x02FC8735), UINT32_C(0x03A7F885), UINT32_C(0x0963A567), - UINT32_C(0x02DEC9A4), UINT32_C(0x033285D3), UINT32_C(0x0049779E), - UINT32_C(0x05AB7D24) }, - { UINT32_C(0x04E67976), UINT32_C(0x03AD342E), UINT32_C(0x006D58B0), - UINT32_C(0x0490C968), UINT32_C(0x0428E13C), UINT32_C(0x0183F7B5), - UINT32_C(0x0168EF02), UINT32_C(0x031E9F33), UINT32_C(0x079C2D32), - UINT32_C(0x0EC6C4B2), UINT32_C(0x06334DE3), UINT32_C(0x04E10D5F), - UINT32_C(0x0431C81B), UINT32_C(0x001EE024), UINT32_C(0x01F6A3D0), - UINT32_C(0x0009B04D), UINT32_C(0x0A95C815), UINT32_C(0x06C721B5), - UINT32_C(0x07DEE1A8) } }, - { { UINT32_C(0x0C112CB8), UINT32_C(0x00691E2E), UINT32_C(0x01DBEB00), - UINT32_C(0x077CCE8A), UINT32_C(0x03E91FE4), UINT32_C(0x0690BBBF), - UINT32_C(0x0577CA8A), UINT32_C(0x00B5C974), UINT32_C(0x029377A0), - UINT32_C(0x06FDF488), UINT32_C(0x00872436), UINT32_C(0x0506D32E), - UINT32_C(0x055C17BB), UINT32_C(0x03B00666), UINT32_C(0x0D26AAA8), - UINT32_C(0x03829C3F), UINT32_C(0x08B67A64), UINT32_C(0x0475D296), - UINT32_C(0x027FEFC5) }, - { UINT32_C(0x06814D18), UINT32_C(0x01588692), UINT32_C(0x0D4F0EDD), - UINT32_C(0x007DFA60), UINT32_C(0x042E603A), UINT32_C(0x00885394), - UINT32_C(0x05F797E2), UINT32_C(0x041238B4), UINT32_C(0x052305E5), - UINT32_C(0x0D9515E8), UINT32_C(0x05B10FCD), UINT32_C(0x08F6C6F8), - UINT32_C(0x043FB734), UINT32_C(0x014BE940), UINT32_C(0x0E882EEE), - UINT32_C(0x0077B050), UINT32_C(0x02093150), UINT32_C(0x05A0B712), - UINT32_C(0x06E640E8) } }, - { { UINT32_C(0x0BE77EA4), UINT32_C(0x03634A86), UINT32_C(0x01F8DFF4), - UINT32_C(0x005A0F6B), UINT32_C(0x0D30990A), UINT32_C(0x0712090D), - UINT32_C(0x048C153A), UINT32_C(0x029E8CA3), UINT32_C(0x052B7982), - UINT32_C(0x01355D1B), UINT32_C(0x00109FDB), UINT32_C(0x029EF3CE), - UINT32_C(0x02FA1090), UINT32_C(0x033F025F), UINT32_C(0x03D1969F), - UINT32_C(0x052EDB5F), UINT32_C(0x04D2BEF3), UINT32_C(0x06BF5DE5), - UINT32_C(0x00C8983F) }, - { UINT32_C(0x04B8EB93), UINT32_C(0x0058C176), UINT32_C(0x00A13CB4), - UINT32_C(0x053DF577), UINT32_C(0x0156AEB4), UINT32_C(0x005E3851), - UINT32_C(0x069CEAE2), UINT32_C(0x0030FF4F), UINT32_C(0x001DA227), - UINT32_C(0x05AF81D3), UINT32_C(0x03D80D8D), UINT32_C(0x0A3E8600), - UINT32_C(0x03D228FC), UINT32_C(0x0665245C), UINT32_C(0x09E5CE2E), - UINT32_C(0x03843A9B), UINT32_C(0x02F2D31B), UINT32_C(0x041832DC), - UINT32_C(0x02E66351) } }, - { { UINT32_C(0x05730C8D), UINT32_C(0x06092618), UINT32_C(0x079F5AFA), - UINT32_C(0x06F3E0CF), UINT32_C(0x092BC672), UINT32_C(0x0276DE36), - UINT32_C(0x02D07EDC), UINT32_C(0x0FC6A29F), UINT32_C(0x0486EFA2), - UINT32_C(0x0909E264), UINT32_C(0x056F98E8), UINT32_C(0x08A33777), - UINT32_C(0x007820C7), UINT32_C(0x07E651CF), UINT32_C(0x0928B418), - UINT32_C(0x05EF7EA1), UINT32_C(0x0BE35987), UINT32_C(0x023FE702), - UINT32_C(0x04B874D9) }, - { UINT32_C(0x001A8D36), UINT32_C(0x03FC40DA), UINT32_C(0x00561AB4), - UINT32_C(0x036E4547), UINT32_C(0x0D462FB9), UINT32_C(0x07B2E89D), - UINT32_C(0x0616BF2B), UINT32_C(0x02FA3373), UINT32_C(0x067EE578), - UINT32_C(0x02B81792), UINT32_C(0x03A32F95), UINT32_C(0x019591EC), - UINT32_C(0x047F05AA), UINT32_C(0x058E2F29), UINT32_C(0x04CECEE9), - UINT32_C(0x07DF3632), UINT32_C(0x02BFB16E), UINT32_C(0x03AB1AD0), - UINT32_C(0x0610FCE9) } }, - { { UINT32_C(0x0CE87EAC), UINT32_C(0x00235BF1), UINT32_C(0x0EAE0AF1), - UINT32_C(0x03D89DD3), UINT32_C(0x0B789073), UINT32_C(0x01AC0815), - UINT32_C(0x055721C2), UINT32_C(0x0B2BAD77), UINT32_C(0x05787CF1), - UINT32_C(0x00C70041), UINT32_C(0x00EEE049), UINT32_C(0x0D01B922), - UINT32_C(0x022A24F8), UINT32_C(0x0317FAC7), UINT32_C(0x0D5F402C), - UINT32_C(0x0439541B), UINT32_C(0x07D56CC2), UINT32_C(0x00EB80BF), - UINT32_C(0x00E40AA6) }, - { UINT32_C(0x0A01F6F0), UINT32_C(0x020DA18A), UINT32_C(0x073C68C0), - UINT32_C(0x05338AFA), UINT32_C(0x0DDC8CB0), UINT32_C(0x001C0CED), - UINT32_C(0x07A82BBC), UINT32_C(0x081BF5E1), UINT32_C(0x00B876DD), - UINT32_C(0x09864ED3), UINT32_C(0x07F89153), UINT32_C(0x0A066C82), - UINT32_C(0x042461BC), UINT32_C(0x07592D13), UINT32_C(0x02DBFA28), - UINT32_C(0x0371D64F), UINT32_C(0x0326B139), UINT32_C(0x0545030E), - UINT32_C(0x03B02EDD) } }, - { { UINT32_C(0x0C8AA41D), UINT32_C(0x02999435), UINT32_C(0x011470BE), - UINT32_C(0x02448ABD), UINT32_C(0x0C3A559A), UINT32_C(0x03DE4EDA), - UINT32_C(0x0267ACAB), UINT32_C(0x05B64BAF), UINT32_C(0x06167A36), - UINT32_C(0x080925DF), UINT32_C(0x0748EB2E), UINT32_C(0x0262E572), - UINT32_C(0x06655A71), UINT32_C(0x02DC7E31), UINT32_C(0x009FA448), - UINT32_C(0x05991E95), UINT32_C(0x0FA3D04A), UINT32_C(0x0484BE25), - UINT32_C(0x0438E396) }, - { UINT32_C(0x044C41BB), UINT32_C(0x02EFDFC2), UINT32_C(0x0F459DA9), - UINT32_C(0x04A94A2D), UINT32_C(0x03F47C03), UINT32_C(0x07FA71AF), - UINT32_C(0x03DC178C), UINT32_C(0x0129963B), UINT32_C(0x021E1FD4), - UINT32_C(0x0E7487EB), UINT32_C(0x00C3DDB0), UINT32_C(0x06EE0434), - UINT32_C(0x06D2712F), UINT32_C(0x07842656), UINT32_C(0x013F8F26), - UINT32_C(0x01F9766F), UINT32_C(0x061BD12C), UINT32_C(0x02B96EB7), - UINT32_C(0x01F8FA20) } }, - { { UINT32_C(0x0FB80E07), UINT32_C(0x050B08F2), UINT32_C(0x064554C9), - UINT32_C(0x078E1F81), UINT32_C(0x09ED8841), UINT32_C(0x0596ADC2), - UINT32_C(0x034DF164), UINT32_C(0x020E6E12), UINT32_C(0x018EDA4D), - UINT32_C(0x0174E31B), UINT32_C(0x03B107F1), UINT32_C(0x010EC155), - UINT32_C(0x07FA899A), UINT32_C(0x0717505D), UINT32_C(0x05819825), - UINT32_C(0x0542EC55), UINT32_C(0x038DD6D7), UINT32_C(0x0497E5A0), - UINT32_C(0x03081495) }, - { UINT32_C(0x064986F4), UINT32_C(0x03BD600B), UINT32_C(0x04B78E0D), - UINT32_C(0x0098465F), UINT32_C(0x0E7E78C0), UINT32_C(0x0127CC0E), - UINT32_C(0x07A3BC64), UINT32_C(0x001DBF18), UINT32_C(0x06A78B45), - UINT32_C(0x0D3A5A6B), UINT32_C(0x0682C6C2), UINT32_C(0x0B8EE95B), - UINT32_C(0x066E64B3), UINT32_C(0x04178CB0), UINT32_C(0x0FC2F66E), - UINT32_C(0x04EABB3C), UINT32_C(0x084AF2DE), UINT32_C(0x04C297C1), - UINT32_C(0x0136B06E) } }, - { { UINT32_C(0x07DF6D6E), UINT32_C(0x01F00ED6), UINT32_C(0x02705D3E), - UINT32_C(0x038023D6), UINT32_C(0x0A85D53D), UINT32_C(0x01C4664A), - UINT32_C(0x0610B36C), UINT32_C(0x02BAE274), UINT32_C(0x03566DBB), - UINT32_C(0x0854659C), UINT32_C(0x00F106D4), UINT32_C(0x09D0A630), - UINT32_C(0x01B5D98A), UINT32_C(0x01B27CA8), UINT32_C(0x0F254343), - UINT32_C(0x075491B9), UINT32_C(0x025D2274), UINT32_C(0x04F17B63), - UINT32_C(0x06865DA3) }, - { UINT32_C(0x0D4C1CFE), UINT32_C(0x0612B559), UINT32_C(0x0D29CCC2), - UINT32_C(0x06835607), UINT32_C(0x0E442A4F), UINT32_C(0x003F2EA3), - UINT32_C(0x04DA7E80), UINT32_C(0x079ABF17), UINT32_C(0x062A7A50), - UINT32_C(0x0FE31E03), UINT32_C(0x044D195D), UINT32_C(0x01A9DC51), - UINT32_C(0x05B8C361), UINT32_C(0x06390D3D), UINT32_C(0x0544BD42), - UINT32_C(0x02DB7A09), UINT32_C(0x0367E705), UINT32_C(0x01B34C53), - UINT32_C(0x055F8181) } }, - { { UINT32_C(0x0F3F00C1), UINT32_C(0x04C36A17), UINT32_C(0x0CB05A60), - UINT32_C(0x05742C4B), UINT32_C(0x029DC7BA), UINT32_C(0x00946765), - UINT32_C(0x01F6280B), UINT32_C(0x0A250657), UINT32_C(0x057853BE), - UINT32_C(0x027C17D4), UINT32_C(0x061E6EE7), UINT32_C(0x068934C0), - UINT32_C(0x0225275D), UINT32_C(0x004E706A), UINT32_C(0x08A0E33D), - UINT32_C(0x02EFB382), UINT32_C(0x0231B332), UINT32_C(0x045E20A6), - UINT32_C(0x076538EE) }, - { UINT32_C(0x072461C9), UINT32_C(0x071D932B), UINT32_C(0x099D4C01), - UINT32_C(0x0401E666), UINT32_C(0x07DB6FB0), UINT32_C(0x049F43E4), - UINT32_C(0x056167EA), UINT32_C(0x0D49C41D), UINT32_C(0x05F10CA9), - UINT32_C(0x080EC5BB), UINT32_C(0x05C98C31), UINT32_C(0x01E1F452), - UINT32_C(0x07E42338), UINT32_C(0x04049AA9), UINT32_C(0x032E5588), - UINT32_C(0x01E28C9C), UINT32_C(0x04BCDC8D), UINT32_C(0x04309C54), - UINT32_C(0x02042514) } }, - }, - { - { { UINT32_C(0x02648196), UINT32_C(0x01BF352B), UINT32_C(0x0FCEC15F), - UINT32_C(0x02D3A085), UINT32_C(0x011002A5), UINT32_C(0x026E7651), - UINT32_C(0x021C2A73), UINT32_C(0x0E3392B7), UINT32_C(0x01A26456), - UINT32_C(0x00E05940), UINT32_C(0x05C6D0D8), UINT32_C(0x085D0F62), - UINT32_C(0x03B743E5), UINT32_C(0x05B2C76F), UINT32_C(0x0B270AB3), - UINT32_C(0x076B0EF8), UINT32_C(0x0E5EF80C), UINT32_C(0x0751E040), - UINT32_C(0x0769C73A) }, - { UINT32_C(0x0D9BC7BB), UINT32_C(0x01B398D4), UINT32_C(0x094E3D5E), - UINT32_C(0x0679261C), UINT32_C(0x0F579BC0), UINT32_C(0x0087234F), - UINT32_C(0x01C48CDA), UINT32_C(0x01065BB9), UINT32_C(0x04A8A1F3), - UINT32_C(0x097D469B), UINT32_C(0x046FC17A), UINT32_C(0x00CAE969), - UINT32_C(0x02E690B5), UINT32_C(0x0187C437), UINT32_C(0x000FCD13), - UINT32_C(0x07C0FA30), UINT32_C(0x02F0D63C), UINT32_C(0x0583AE53), - UINT32_C(0x036A77FE) } }, - { { UINT32_C(0x01DE62A2), UINT32_C(0x03B6F417), UINT32_C(0x08D8470C), - UINT32_C(0x041AB290), UINT32_C(0x0D3155E4), UINT32_C(0x043123A7), - UINT32_C(0x06EC3DAC), UINT32_C(0x09575F29), UINT32_C(0x05CC8C01), - UINT32_C(0x028CF2E0), UINT32_C(0x00BB01F9), UINT32_C(0x01E4C554), - UINT32_C(0x07B3F1F5), UINT32_C(0x00E4DC2E), UINT32_C(0x0F6F4AA9), - UINT32_C(0x03F7C702), UINT32_C(0x0EC18583), UINT32_C(0x02949031), - UINT32_C(0x05C16F04) }, - { UINT32_C(0x03BFC242), UINT32_C(0x06AF3468), UINT32_C(0x0509C734), - UINT32_C(0x002581C3), UINT32_C(0x0CD6F167), UINT32_C(0x068B6408), - UINT32_C(0x07D05F00), UINT32_C(0x0D520CDF), UINT32_C(0x02C463E5), - UINT32_C(0x003D2B75), UINT32_C(0x02640D09), UINT32_C(0x0C38D324), - UINT32_C(0x016E198B), UINT32_C(0x01BF3B79), UINT32_C(0x08EFB3AE), - UINT32_C(0x01B11ADD), UINT32_C(0x0428FEBD), UINT32_C(0x0288A4BC), - UINT32_C(0x02ED3D8D) } }, - { { UINT32_C(0x0FE3927A), UINT32_C(0x004463DC), UINT32_C(0x0A23634B), - UINT32_C(0x02C96252), UINT32_C(0x088ACC38), UINT32_C(0x003687F2), - UINT32_C(0x07070A41), UINT32_C(0x0A3D6F58), UINT32_C(0x02ACC6F9), - UINT32_C(0x07A117B7), UINT32_C(0x04BF3041), UINT32_C(0x006C3D57), - UINT32_C(0x05E2A443), UINT32_C(0x00D534BB), UINT32_C(0x01838CCA), - UINT32_C(0x07E9698D), UINT32_C(0x0463E2DC), UINT32_C(0x05A8243F), - UINT32_C(0x02BC2618) }, - { UINT32_C(0x0EBC6638), UINT32_C(0x04B3F3FB), UINT32_C(0x0A7F699B), - UINT32_C(0x070541A8), UINT32_C(0x00275BF7), UINT32_C(0x0335548D), - UINT32_C(0x00C681F5), UINT32_C(0x0AE9575E), UINT32_C(0x02032835), - UINT32_C(0x027F35BF), UINT32_C(0x00A83998), UINT32_C(0x04869978), - UINT32_C(0x04F819CA), UINT32_C(0x075D1DAF), UINT32_C(0x0B79E387), - UINT32_C(0x033A57AB), UINT32_C(0x057298F2), UINT32_C(0x0583C4E3), - UINT32_C(0x067E752D) } }, - { { UINT32_C(0x06B4D0F2), UINT32_C(0x059C637E), UINT32_C(0x0515A54F), - UINT32_C(0x01CB93DA), UINT32_C(0x0AF87FEF), UINT32_C(0x07247119), - UINT32_C(0x0368E1D8), UINT32_C(0x0287508B), UINT32_C(0x04E3B00B), - UINT32_C(0x03EDF00C), UINT32_C(0x0060EB2B), UINT32_C(0x009B64B7), - UINT32_C(0x0059A064), UINT32_C(0x02C48CC2), UINT32_C(0x0D938166), - UINT32_C(0x039A77EF), UINT32_C(0x04F26973), UINT32_C(0x015B1DA7), - UINT32_C(0x048D6DB3) }, - { UINT32_C(0x011EBBDB), UINT32_C(0x06BC0045), UINT32_C(0x0275B56E), - UINT32_C(0x03B89420), UINT32_C(0x013420FC), UINT32_C(0x076F18E5), - UINT32_C(0x00A74F63), UINT32_C(0x0E0F64B7), UINT32_C(0x00503282), - UINT32_C(0x094735D1), UINT32_C(0x013CC6D6), UINT32_C(0x0E5C0E1C), - UINT32_C(0x015BA8D6), UINT32_C(0x07D45F0A), UINT32_C(0x0A29FE38), - UINT32_C(0x0029F319), UINT32_C(0x03AC2D85), UINT32_C(0x027ECAF3), - UINT32_C(0x029D9051) } }, - { { UINT32_C(0x0EA400A9), UINT32_C(0x0158306B), UINT32_C(0x015222F8), - UINT32_C(0x07A029A5), UINT32_C(0x01BD2907), UINT32_C(0x0570C0F6), - UINT32_C(0x0751FAE1), UINT32_C(0x07964BF7), UINT32_C(0x009AA3B7), - UINT32_C(0x03DF8285), UINT32_C(0x005D2075), UINT32_C(0x0DDBE6E5), - UINT32_C(0x04FB407B), UINT32_C(0x05ABE7D8), UINT32_C(0x0C49401A), - UINT32_C(0x04BA9696), UINT32_C(0x03CCE450), UINT32_C(0x04636480), - UINT32_C(0x03F1ABE9) }, - { UINT32_C(0x03EA1F68), UINT32_C(0x0676F7FA), UINT32_C(0x078995D6), - UINT32_C(0x01690C80), UINT32_C(0x0DDD1529), UINT32_C(0x007F78C9), - UINT32_C(0x0408771E), UINT32_C(0x0513A792), UINT32_C(0x003B85AB), - UINT32_C(0x016D7EB5), UINT32_C(0x05E5699C), UINT32_C(0x0BECEE12), - UINT32_C(0x00107C5D), UINT32_C(0x00E4EB89), UINT32_C(0x02F4C652), - UINT32_C(0x04E39F7A), UINT32_C(0x034AED07), UINT32_C(0x0212550E), - UINT32_C(0x0188E07E) } }, - { { UINT32_C(0x0FBBA24C), UINT32_C(0x01E20A63), UINT32_C(0x0FA95AAC), - UINT32_C(0x01C44416), UINT32_C(0x0F08DC76), UINT32_C(0x043CBDF1), - UINT32_C(0x012ABC29), UINT32_C(0x0F6C4233), UINT32_C(0x06107D90), - UINT32_C(0x002CBE36), UINT32_C(0x05234963), UINT32_C(0x059E8B8F), - UINT32_C(0x06167695), UINT32_C(0x04B21ABA), UINT32_C(0x094ABDA3), - UINT32_C(0x01B5AF79), UINT32_C(0x00351EF1), UINT32_C(0x03FE1EFE), - UINT32_C(0x03E83BD1) }, - { UINT32_C(0x04ADEFE3), UINT32_C(0x028AF72F), UINT32_C(0x09E0C0D6), - UINT32_C(0x0104ED8F), UINT32_C(0x0AE0148F), UINT32_C(0x02B05ACD), - UINT32_C(0x066B1ED0), UINT32_C(0x0A3C6BFA), UINT32_C(0x032BBFF9), - UINT32_C(0x0F66AD88), UINT32_C(0x04A9A376), UINT32_C(0x0AF0D447), - UINT32_C(0x047BD087), UINT32_C(0x005F677C), UINT32_C(0x014088B0), - UINT32_C(0x00EDD8EE), UINT32_C(0x0598516D), UINT32_C(0x03FE1205), - UINT32_C(0x073098DE) } }, - { { UINT32_C(0x02841A85), UINT32_C(0x0451A0F7), UINT32_C(0x076BCBFC), - UINT32_C(0x027E002B), UINT32_C(0x04ACD1B5), UINT32_C(0x03AADBAC), - UINT32_C(0x011F71FA), UINT32_C(0x0E1089CF), UINT32_C(0x058740CA), - UINT32_C(0x06DB26BB), UINT32_C(0x02494970), UINT32_C(0x07CCD9E0), - UINT32_C(0x05749062), UINT32_C(0x061E24EF), UINT32_C(0x0BA44927), - UINT32_C(0x01396A99), UINT32_C(0x0C2129A5), UINT32_C(0x06C4E538), - UINT32_C(0x02D308F2) }, - { UINT32_C(0x0E7B0D82), UINT32_C(0x0295DE15), UINT32_C(0x059C10B0), - UINT32_C(0x0240D76A), UINT32_C(0x0AA33AC3), UINT32_C(0x02D5D368), - UINT32_C(0x05DF8706), UINT32_C(0x0A4B7001), UINT32_C(0x031DBF6C), - UINT32_C(0x0BC72CD8), UINT32_C(0x046962A7), UINT32_C(0x0D13BB53), - UINT32_C(0x039B98C0), UINT32_C(0x05AA84ED), UINT32_C(0x058D2735), - UINT32_C(0x0508AB59), UINT32_C(0x085DF0E3), UINT32_C(0x06AA60D9), - UINT32_C(0x0192578B) } }, - { { UINT32_C(0x052517BF), UINT32_C(0x07C0E587), UINT32_C(0x038A5531), - UINT32_C(0x03EE1FF1), UINT32_C(0x062AB6E8), UINT32_C(0x06EF4CCB), - UINT32_C(0x00A09F25), UINT32_C(0x0DBE8342), UINT32_C(0x01D7E02F), - UINT32_C(0x094C49AE), UINT32_C(0x01445CE4), UINT32_C(0x0F435B7F), - UINT32_C(0x07CDF16E), UINT32_C(0x009B8491), UINT32_C(0x0B24E6F7), - UINT32_C(0x01648959), UINT32_C(0x00615CA9), UINT32_C(0x014879FC), - UINT32_C(0x015CCCCE) }, - { UINT32_C(0x0BB6E5C0), UINT32_C(0x072270A8), UINT32_C(0x02BC713E), - UINT32_C(0x0194AF0E), UINT32_C(0x0745C682), UINT32_C(0x00066C6F), - UINT32_C(0x03D36CF5), UINT32_C(0x0593CBB1), UINT32_C(0x05AE790D), - UINT32_C(0x06B1FF53), UINT32_C(0x0620A507), UINT32_C(0x0CB462BF), - UINT32_C(0x068C215C), UINT32_C(0x06AB108C), UINT32_C(0x0B7E3900), - UINT32_C(0x03D88910), UINT32_C(0x0539E087), UINT32_C(0x04AE3141), - UINT32_C(0x035ED7D6) } }, - { { UINT32_C(0x0254F3D7), UINT32_C(0x06792204), UINT32_C(0x0230569F), - UINT32_C(0x03D3FDA9), UINT32_C(0x0B84DD99), UINT32_C(0x07725C4C), - UINT32_C(0x06B0E7C3), UINT32_C(0x0B78D3DF), UINT32_C(0x078AC360), - UINT32_C(0x06CAB919), UINT32_C(0x02F4F70A), UINT32_C(0x013A8BD5), - UINT32_C(0x021D73E0), UINT32_C(0x044B1B4D), UINT32_C(0x0E88A7D4), - UINT32_C(0x05BAA6EC), UINT32_C(0x0526DE60), UINT32_C(0x01D8806A), - UINT32_C(0x04244303) }, - { UINT32_C(0x0108C612), UINT32_C(0x0395A34F), UINT32_C(0x0339198F), - UINT32_C(0x01F179EC), UINT32_C(0x0708D6F3), UINT32_C(0x01DF5235), - UINT32_C(0x0232C546), UINT32_C(0x030C41B0), UINT32_C(0x015FE8CF), - UINT32_C(0x0F21BBB4), UINT32_C(0x0323FD77), UINT32_C(0x06DD81ED), - UINT32_C(0x04136906), UINT32_C(0x054B66A1), UINT32_C(0x0CBBD05A), - UINT32_C(0x0336CEE8), UINT32_C(0x0FCF1FFD), UINT32_C(0x041BBD8F), - UINT32_C(0x07AB12C9) } }, - { { UINT32_C(0x0BBE227D), UINT32_C(0x05858F23), UINT32_C(0x04BF491E), - UINT32_C(0x05728183), UINT32_C(0x079C714E), UINT32_C(0x022A1FCF), - UINT32_C(0x01EF871B), UINT32_C(0x09EDB7B8), UINT32_C(0x01D525A3), - UINT32_C(0x0A87DA27), UINT32_C(0x043F0A4E), UINT32_C(0x09B1CDD1), - UINT32_C(0x00B92721), UINT32_C(0x00B6CCD6), UINT32_C(0x0D63DB15), - UINT32_C(0x023CE576), UINT32_C(0x0C4080E4), UINT32_C(0x033F2061), - UINT32_C(0x031AA1D9) }, - { UINT32_C(0x07EC3A20), UINT32_C(0x01C69A3A), UINT32_C(0x001C25C7), - UINT32_C(0x0210B9C8), UINT32_C(0x08BDFFA8), UINT32_C(0x02E8214B), - UINT32_C(0x017C3E9B), UINT32_C(0x084D91D9), UINT32_C(0x038B3D24), - UINT32_C(0x0EC9081E), UINT32_C(0x026E58E8), UINT32_C(0x032908AE), - UINT32_C(0x02B2F37D), UINT32_C(0x058B11CB), UINT32_C(0x07538C24), - UINT32_C(0x06945091), UINT32_C(0x0F538568), UINT32_C(0x064897F5), - UINT32_C(0x03110AAF) } }, - { { UINT32_C(0x093E7BB1), UINT32_C(0x026B09F0), UINT32_C(0x0763D63D), - UINT32_C(0x01CAD134), UINT32_C(0x053290E7), UINT32_C(0x03190F55), - UINT32_C(0x05929346), UINT32_C(0x090E1278), UINT32_C(0x01D360D4), - UINT32_C(0x0AE8B6AE), UINT32_C(0x036A79E4), UINT32_C(0x08B891A0), - UINT32_C(0x0448F896), UINT32_C(0x02316FA4), UINT32_C(0x0B3F9158), - UINT32_C(0x045DAD8C), UINT32_C(0x073BD91F), UINT32_C(0x0407FC71), - UINT32_C(0x0403F724) }, - { UINT32_C(0x0C0213B3), UINT32_C(0x04667E35), UINT32_C(0x0E2CEB9C), - UINT32_C(0x064EC72A), UINT32_C(0x0A339F01), UINT32_C(0x01E44700), - UINT32_C(0x029951E3), UINT32_C(0x0F9E1903), UINT32_C(0x0760075A), - UINT32_C(0x0B3FB167), UINT32_C(0x015349C6), UINT32_C(0x04915326), - UINT32_C(0x06972404), UINT32_C(0x03D0B541), UINT32_C(0x0FFB253E), - UINT32_C(0x0670C067), UINT32_C(0x017EDCC3), UINT32_C(0x06348A30), - UINT32_C(0x0755DC54) } }, - { { UINT32_C(0x0D72BA02), UINT32_C(0x07FF1EEA), UINT32_C(0x0066BDAD), - UINT32_C(0x039D956A), UINT32_C(0x04E892D7), UINT32_C(0x052419F2), - UINT32_C(0x034B725A), UINT32_C(0x095A35DA), UINT32_C(0x05559103), - UINT32_C(0x018A8F9F), UINT32_C(0x04FC3975), UINT32_C(0x0D1740D2), - UINT32_C(0x0375B900), UINT32_C(0x0761403F), UINT32_C(0x0B953A5F), - UINT32_C(0x04F2FF71), UINT32_C(0x0E1B0B58), UINT32_C(0x07D8573F), - UINT32_C(0x053E8C3E) }, - { UINT32_C(0x055A3B73), UINT32_C(0x04EBD845), UINT32_C(0x0D3A5D27), - UINT32_C(0x03216043), UINT32_C(0x0A2D5A11), UINT32_C(0x03D32430), - UINT32_C(0x063F87FD), UINT32_C(0x0DBF84E0), UINT32_C(0x04C9934A), - UINT32_C(0x08BE9480), UINT32_C(0x02F6DE30), UINT32_C(0x052DB294), - UINT32_C(0x03230313), UINT32_C(0x04592516), UINT32_C(0x0B992B10), - UINT32_C(0x03125EE2), UINT32_C(0x0445BCF9), UINT32_C(0x07349143), - UINT32_C(0x05A112C7) } }, - { { UINT32_C(0x0EA0B318), UINT32_C(0x03F1B159), UINT32_C(0x0487E52E), - UINT32_C(0x05D27B9C), UINT32_C(0x0EBAD615), UINT32_C(0x0459C5D9), - UINT32_C(0x073079D5), UINT32_C(0x078FD2D4), UINT32_C(0x006B7643), - UINT32_C(0x0A73DC2C), UINT32_C(0x041938CF), UINT32_C(0x098897E0), - UINT32_C(0x07660928), UINT32_C(0x058BF110), UINT32_C(0x0696BC61), - UINT32_C(0x07DE18FC), UINT32_C(0x0B815951), UINT32_C(0x04662BC8), - UINT32_C(0x054FF046) }, - { UINT32_C(0x052466CC), UINT32_C(0x02C9E253), UINT32_C(0x07D1C495), - UINT32_C(0x024A0473), UINT32_C(0x0E5AEABA), UINT32_C(0x06DFF20F), - UINT32_C(0x03CCEFD9), UINT32_C(0x0F806D4B), UINT32_C(0x0192D911), - UINT32_C(0x06A7E064), UINT32_C(0x0136BD6C), UINT32_C(0x03CF3E59), - UINT32_C(0x036C910C), UINT32_C(0x02852F51), UINT32_C(0x0D2261F6), - UINT32_C(0x07B11789), UINT32_C(0x05D5440C), UINT32_C(0x068EB2BF), - UINT32_C(0x07C9D3D2) } }, - { { UINT32_C(0x03F78C83), UINT32_C(0x026282EB), UINT32_C(0x0E7E58C8), - UINT32_C(0x01460384), UINT32_C(0x07F8288C), UINT32_C(0x004DDB38), - UINT32_C(0x068A22C1), UINT32_C(0x03B4E4B7), UINT32_C(0x046EC7F7), - UINT32_C(0x0F499BF8), UINT32_C(0x00E98F9D), UINT32_C(0x0201835A), - UINT32_C(0x06CDC18D), UINT32_C(0x054E87E0), UINT32_C(0x09E1190B), - UINT32_C(0x07C8570C), UINT32_C(0x0EE788C0), UINT32_C(0x003B8466), - UINT32_C(0x0513D8F7) }, - { UINT32_C(0x082AE76F), UINT32_C(0x0467154F), UINT32_C(0x090D360C), - UINT32_C(0x04725E35), UINT32_C(0x077F0A4A), UINT32_C(0x01658344), - UINT32_C(0x07BFD41E), UINT32_C(0x0816DFE5), UINT32_C(0x01A64B33), - UINT32_C(0x07DEC344), UINT32_C(0x0404AABD), UINT32_C(0x0DD22DB3), - UINT32_C(0x0372E5A1), UINT32_C(0x01DD7525), UINT32_C(0x01C8CACD), - UINT32_C(0x06A4B923), UINT32_C(0x0CD78815), UINT32_C(0x03B62E43), - UINT32_C(0x0182DCE0) } }, - { { UINT32_C(0x04B1FB35), UINT32_C(0x0061A026), UINT32_C(0x099D37D7), - UINT32_C(0x046459E6), UINT32_C(0x0E8A57EF), UINT32_C(0x001BD06E), - UINT32_C(0x04A92B84), UINT32_C(0x06098C4C), UINT32_C(0x0358B593), - UINT32_C(0x0D4DFE1C), UINT32_C(0x063599D3), UINT32_C(0x02DD18DC), - UINT32_C(0x03007901), UINT32_C(0x01E9DD8D), UINT32_C(0x0400CC35), - UINT32_C(0x0778E5F5), UINT32_C(0x05D5B6A3), UINT32_C(0x02FD411C), - UINT32_C(0x02B425A2) }, - { UINT32_C(0x03812C10), UINT32_C(0x03B78EFC), UINT32_C(0x09532CE4), - UINT32_C(0x04F7D4A9), UINT32_C(0x0F7C04C8), UINT32_C(0x0683AE68), - UINT32_C(0x011B6140), UINT32_C(0x0156737D), UINT32_C(0x035A4EB9), - UINT32_C(0x0A0B7443), UINT32_C(0x064319EB), UINT32_C(0x0B315217), - UINT32_C(0x049C0FB2), UINT32_C(0x004E46BC), UINT32_C(0x0318D072), - UINT32_C(0x052D3EA9), UINT32_C(0x06A15FA8), UINT32_C(0x02E0D5AB), - UINT32_C(0x008DD356) } }, - { { UINT32_C(0x0D00894F), UINT32_C(0x0415F67D), UINT32_C(0x0C243D11), - UINT32_C(0x02B8C573), UINT32_C(0x05C886B6), UINT32_C(0x073E2A37), - UINT32_C(0x01B4E4FA), UINT32_C(0x09A09251), UINT32_C(0x020282E5), - UINT32_C(0x0BCA7D2D), UINT32_C(0x066FF292), UINT32_C(0x09926C99), - UINT32_C(0x03617A48), UINT32_C(0x01530215), UINT32_C(0x063E7DBA), - UINT32_C(0x078B1DFB), UINT32_C(0x0C3844B7), UINT32_C(0x03201272), - UINT32_C(0x0778B4FA) }, - { UINT32_C(0x09305F18), UINT32_C(0x04DACE51), UINT32_C(0x0D07FE4D), - UINT32_C(0x04990FE7), UINT32_C(0x07120719), UINT32_C(0x07AE031B), - UINT32_C(0x003430FE), UINT32_C(0x00C1FBD4), UINT32_C(0x036A0A51), - UINT32_C(0x0A6A12BB), UINT32_C(0x072B00FE), UINT32_C(0x0F112F16), - UINT32_C(0x002D898C), UINT32_C(0x00D7F3F0), UINT32_C(0x02CCB574), - UINT32_C(0x076345FF), UINT32_C(0x02C9358F), UINT32_C(0x017BCB4B), - UINT32_C(0x0579734A) } }, - }, - { - { { UINT32_C(0x0F0DB502), UINT32_C(0x007283D0), UINT32_C(0x08EF623D), - UINT32_C(0x03EA8C5E), UINT32_C(0x0A209E1F), UINT32_C(0x03A40740), - UINT32_C(0x02F81888), UINT32_C(0x0722A969), UINT32_C(0x03DCF02A), - UINT32_C(0x0B8BF42D), UINT32_C(0x046BF6EC), UINT32_C(0x04E7DE79), - UINT32_C(0x032FE5DF), UINT32_C(0x01C17AC3), UINT32_C(0x088F43CD), - UINT32_C(0x06D316FF), UINT32_C(0x00B6FB94), UINT32_C(0x03A7A692), - UINT32_C(0x03E132AC) }, - { UINT32_C(0x045CE248), UINT32_C(0x0462F43F), UINT32_C(0x09F103B7), - UINT32_C(0x03CE6503), UINT32_C(0x02C55CD7), UINT32_C(0x01FAC8B9), - UINT32_C(0x07F7D41F), UINT32_C(0x049B3922), UINT32_C(0x0538164A), - UINT32_C(0x0C32168B), UINT32_C(0x021D15D5), UINT32_C(0x0FBE7AB4), - UINT32_C(0x049ABD36), UINT32_C(0x06689278), UINT32_C(0x090906E0), - UINT32_C(0x02853127), UINT32_C(0x032C40D9), UINT32_C(0x0284E722), - UINT32_C(0x05B9DA3D) } }, - { { UINT32_C(0x08B06389), UINT32_C(0x039D7B29), UINT32_C(0x026E0D8E), - UINT32_C(0x038E31F2), UINT32_C(0x0F482001), UINT32_C(0x046C5627), - UINT32_C(0x0153F461), UINT32_C(0x0FC4C626), UINT32_C(0x035A22C9), - UINT32_C(0x0CB5BCED), UINT32_C(0x032AE85F), UINT32_C(0x097105A2), - UINT32_C(0x0661090D), UINT32_C(0x02190C38), UINT32_C(0x05F88BB1), - UINT32_C(0x020AFD4B), UINT32_C(0x07693E86), UINT32_C(0x036234B0), - UINT32_C(0x0201EE7C) }, - { UINT32_C(0x05177EBC), UINT32_C(0x07334497), UINT32_C(0x021FB6DB), - UINT32_C(0x00E242A1), UINT32_C(0x06ACC48D), UINT32_C(0x0617860E), - UINT32_C(0x04002467), UINT32_C(0x006684B4), UINT32_C(0x005E7367), - UINT32_C(0x02210321), UINT32_C(0x06AE2E12), UINT32_C(0x0A170483), - UINT32_C(0x06811FED), UINT32_C(0x02AF7598), UINT32_C(0x099B28F0), - UINT32_C(0x04B2EAC3), UINT32_C(0x03144E87), UINT32_C(0x052C741C), - UINT32_C(0x00219EE8) } }, - { { UINT32_C(0x00581DC0), UINT32_C(0x076911B9), UINT32_C(0x03F907DF), - UINT32_C(0x00FD8CCC), UINT32_C(0x0BD0DFDF), UINT32_C(0x0388BBE8), - UINT32_C(0x0549C09A), UINT32_C(0x0387AC55), UINT32_C(0x07AF40E6), - UINT32_C(0x0981B7A5), UINT32_C(0x05ADE4BE), UINT32_C(0x052D5C55), - UINT32_C(0x076A04D2), UINT32_C(0x032751B9), UINT32_C(0x0BCE279F), - UINT32_C(0x034D2A39), UINT32_C(0x0AEDCDAE), UINT32_C(0x00365DC7), - UINT32_C(0x03453CBF) }, - { UINT32_C(0x0FAB453E), UINT32_C(0x011CF084), UINT32_C(0x09E21C47), - UINT32_C(0x06CF3197), UINT32_C(0x00831296), UINT32_C(0x057F4CE5), - UINT32_C(0x020F8EE8), UINT32_C(0x05B31872), UINT32_C(0x0779598D), - UINT32_C(0x07C7AC32), UINT32_C(0x05B64DC4), UINT32_C(0x0E058DB2), - UINT32_C(0x060142F5), UINT32_C(0x0757FAC8), UINT32_C(0x0320EFE8), - UINT32_C(0x03D158EA), UINT32_C(0x025240D2), UINT32_C(0x0116989D), - UINT32_C(0x04BFB887) } }, - { { UINT32_C(0x0DB8A57B), UINT32_C(0x0056DCD3), UINT32_C(0x0355B904), - UINT32_C(0x03D5725A), UINT32_C(0x007C7371), UINT32_C(0x00CF4193), - UINT32_C(0x020AD78C), UINT32_C(0x0305EFAF), UINT32_C(0x03715E8F), - UINT32_C(0x04E06800), UINT32_C(0x0464FE0B), UINT32_C(0x041671C5), - UINT32_C(0x07289FAC), UINT32_C(0x045EC338), UINT32_C(0x049BEE4D), - UINT32_C(0x06F62A0E), UINT32_C(0x04025E36), UINT32_C(0x05D25CE9), - UINT32_C(0x07C568B5) }, - { UINT32_C(0x0D4BD6B6), UINT32_C(0x00933993), UINT32_C(0x0B7EEBBA), - UINT32_C(0x0281309E), UINT32_C(0x065E8268), UINT32_C(0x035579CF), - UINT32_C(0x05550C9A), UINT32_C(0x0D7980B4), UINT32_C(0x0531F076), - UINT32_C(0x0CD2F37E), UINT32_C(0x03059FC3), UINT32_C(0x00281179), - UINT32_C(0x019AAC99), UINT32_C(0x017555A7), UINT32_C(0x0FF849A4), - UINT32_C(0x04EE5361), UINT32_C(0x08C87DDE), UINT32_C(0x004920CB), - UINT32_C(0x0472AE6B) } }, - { { UINT32_C(0x05AD0B4E), UINT32_C(0x0000D01D), UINT32_C(0x0A1C822E), - UINT32_C(0x004A7A0A), UINT32_C(0x0AA08F1E), UINT32_C(0x05917BCC), - UINT32_C(0x073D4A38), UINT32_C(0x06389FF3), UINT32_C(0x047A94F0), - UINT32_C(0x06710D9B), UINT32_C(0x0752964E), UINT32_C(0x030EF732), - UINT32_C(0x01AE9023), UINT32_C(0x0752E2B4), UINT32_C(0x0343C25C), - UINT32_C(0x04C0A3C3), UINT32_C(0x0B4EFABB), UINT32_C(0x079ACB07), - UINT32_C(0x05BEE507) }, - { UINT32_C(0x03494AD9), UINT32_C(0x05EA99AF), UINT32_C(0x0389480B), - UINT32_C(0x05160DCE), UINT32_C(0x010C3CBB), UINT32_C(0x04B92C2A), - UINT32_C(0x05F2D771), UINT32_C(0x0A57A2FD), UINT32_C(0x007C232D), - UINT32_C(0x0ECF6652), UINT32_C(0x06762C3E), UINT32_C(0x0531B5E7), - UINT32_C(0x03E82FC8), UINT32_C(0x01820A9D), UINT32_C(0x010298C1), - UINT32_C(0x040BB915), UINT32_C(0x06C4DE5F), UINT32_C(0x00F95873), - UINT32_C(0x00D564BB) } }, - { { UINT32_C(0x06647B76), UINT32_C(0x05951386), UINT32_C(0x01C3CEEE), - UINT32_C(0x05B4A2A9), UINT32_C(0x00C0D10D), UINT32_C(0x07198ABC), - UINT32_C(0x0344EBA4), UINT32_C(0x01102AAD), UINT32_C(0x00A6BD8E), - UINT32_C(0x041FD3B9), UINT32_C(0x072FD40E), UINT32_C(0x04DF271A), - UINT32_C(0x07951CEE), UINT32_C(0x0434A805), UINT32_C(0x03CBC676), - UINT32_C(0x07E6DD9D), UINT32_C(0x037A89AF), UINT32_C(0x01076ABD), - UINT32_C(0x00509445) }, - { UINT32_C(0x0D8A2C33), UINT32_C(0x05E083E6), UINT32_C(0x05C0317D), - UINT32_C(0x0602A2EA), UINT32_C(0x00A16254), UINT32_C(0x065050EB), - UINT32_C(0x014C68D6), UINT32_C(0x0EA8DF00), UINT32_C(0x002096BA), - UINT32_C(0x00D2E7B4), UINT32_C(0x03580F1C), UINT32_C(0x0237FA0E), - UINT32_C(0x01C7F56A), UINT32_C(0x054A6A4F), UINT32_C(0x03E879F4), - UINT32_C(0x008B47F5), UINT32_C(0x0EDF35FC), UINT32_C(0x01F3F7F0), - UINT32_C(0x03E78806) } }, - { { UINT32_C(0x038F6A40), UINT32_C(0x05B8DCB9), UINT32_C(0x07D27CDC), - UINT32_C(0x03392DA1), UINT32_C(0x066611C2), UINT32_C(0x066344AA), - UINT32_C(0x05F431C8), UINT32_C(0x07255E87), UINT32_C(0x0135642A), - UINT32_C(0x051CFCBA), UINT32_C(0x045D25F5), UINT32_C(0x08BB7E3A), - UINT32_C(0x022605AB), UINT32_C(0x00C874AA), UINT32_C(0x0195652F), - UINT32_C(0x00E16A23), UINT32_C(0x0D18A297), UINT32_C(0x024B6188), - UINT32_C(0x025A9403) }, - { UINT32_C(0x04F1EAD3), UINT32_C(0x03669651), UINT32_C(0x0E87093B), - UINT32_C(0x05F1CF35), UINT32_C(0x019B74E6), UINT32_C(0x0177BF8B), - UINT32_C(0x036B76B9), UINT32_C(0x0B817B29), UINT32_C(0x009C77FA), - UINT32_C(0x0202860C), UINT32_C(0x01D1AB54), UINT32_C(0x0B180712), - UINT32_C(0x06B274AA), UINT32_C(0x0121DBED), UINT32_C(0x0AEA446B), - UINT32_C(0x044661E9), UINT32_C(0x0C3EE1D4), UINT32_C(0x045027EE), - UINT32_C(0x014C275F) } }, - { { UINT32_C(0x004023FD), UINT32_C(0x01669241), UINT32_C(0x0693C19B), - UINT32_C(0x0058FB3D), UINT32_C(0x0756B182), UINT32_C(0x075D0BEC), - UINT32_C(0x07A393EF), UINT32_C(0x0B75B610), UINT32_C(0x07D0B5FD), - UINT32_C(0x060DEE19), UINT32_C(0x02373BD5), UINT32_C(0x0A1D84BA), - UINT32_C(0x07E8F3AA), UINT32_C(0x01D80791), UINT32_C(0x09D535D0), - UINT32_C(0x01AB79C2), UINT32_C(0x0D7911BC), UINT32_C(0x03496555), - UINT32_C(0x0370FC52) }, - { UINT32_C(0x0CA626DD), UINT32_C(0x018A8079), UINT32_C(0x02E35F36), - UINT32_C(0x00EF1C67), UINT32_C(0x0942648A), UINT32_C(0x05578B93), - UINT32_C(0x07DDB397), UINT32_C(0x095E9BED), UINT32_C(0x07DEB648), - UINT32_C(0x020D82EB), UINT32_C(0x02384172), UINT32_C(0x0988C739), - UINT32_C(0x035C1ACA), UINT32_C(0x053C61ED), UINT32_C(0x036A12D0), - UINT32_C(0x070600B9), UINT32_C(0x05505FED), UINT32_C(0x04D77717), - UINT32_C(0x04E32DD7) } }, - { { UINT32_C(0x0F32AB3F), UINT32_C(0x03271637), UINT32_C(0x01E6E3C1), - UINT32_C(0x04B433DF), UINT32_C(0x0313D761), UINT32_C(0x01F05C43), - UINT32_C(0x01B6E232), UINT32_C(0x0B782E36), UINT32_C(0x0142A283), - UINT32_C(0x06A37377), UINT32_C(0x063B9255), UINT32_C(0x05FF47C8), - UINT32_C(0x02270CEE), UINT32_C(0x04B3AC67), UINT32_C(0x07D72B62), - UINT32_C(0x006133F9), UINT32_C(0x0BFDFB85), UINT32_C(0x04FE3C0B), - UINT32_C(0x0406E239) }, - { UINT32_C(0x0737D38E), UINT32_C(0x07FBCD12), UINT32_C(0x00F51FBD), - UINT32_C(0x02A182A2), UINT32_C(0x062DA827), UINT32_C(0x01D9AB6A), - UINT32_C(0x0539AEBA), UINT32_C(0x0AB608B0), UINT32_C(0x0226B3BB), - UINT32_C(0x0ED7323F), UINT32_C(0x04ADDB11), UINT32_C(0x05B1E5DF), - UINT32_C(0x013ECB65), UINT32_C(0x0282983F), UINT32_C(0x02BDD0BD), - UINT32_C(0x07F0D675), UINT32_C(0x0C80C17E), UINT32_C(0x06B40353), - UINT32_C(0x01D570D9) } }, - { { UINT32_C(0x0D4D4113), UINT32_C(0x0371ACBF), UINT32_C(0x076D0600), - UINT32_C(0x06867748), UINT32_C(0x0267DC5C), UINT32_C(0x04199EE8), - UINT32_C(0x015FF11F), UINT32_C(0x01DBB00A), UINT32_C(0x03C8E489), - UINT32_C(0x0218373A), UINT32_C(0x00180AE9), UINT32_C(0x0A2CAFBC), - UINT32_C(0x016437D1), UINT32_C(0x058A25D0), UINT32_C(0x0AB57613), - UINT32_C(0x07DF8B7E), UINT32_C(0x0985AF6A), UINT32_C(0x04CCAE37), - UINT32_C(0x0300D01F) }, - { UINT32_C(0x092A3113), UINT32_C(0x05B20515), UINT32_C(0x0F0E530A), - UINT32_C(0x0605CBBF), UINT32_C(0x05FD19B3), UINT32_C(0x01593B38), - UINT32_C(0x003D988A), UINT32_C(0x03D76657), UINT32_C(0x017E79DC), - UINT32_C(0x02EC918C), UINT32_C(0x069A3B0F), UINT32_C(0x06FB78CA), - UINT32_C(0x07B0B30F), UINT32_C(0x0224A884), UINT32_C(0x0FF6CD50), - UINT32_C(0x07D9D639), UINT32_C(0x0D753C54), UINT32_C(0x04ED3D38), - UINT32_C(0x01E9C727) } }, - { { UINT32_C(0x0201CD59), UINT32_C(0x01D5BE35), UINT32_C(0x0B2E0772), - UINT32_C(0x04E8E2C3), UINT32_C(0x06C76E20), UINT32_C(0x01464A0E), - UINT32_C(0x056C1CE9), UINT32_C(0x04E3B528), UINT32_C(0x037AAFAB), - UINT32_C(0x06CE134F), UINT32_C(0x06158AF6), UINT32_C(0x02AF338B), - UINT32_C(0x025085B6), UINT32_C(0x07AABBFC), UINT32_C(0x0670F3BE), - UINT32_C(0x0108503F), UINT32_C(0x0DC85D51), UINT32_C(0x07F4439A), - UINT32_C(0x046E6FC9) }, - { UINT32_C(0x08FFB263), UINT32_C(0x01FF6045), UINT32_C(0x0C4E1676), - UINT32_C(0x038E4F62), UINT32_C(0x06DD24CD), UINT32_C(0x0142D912), - UINT32_C(0x015AAC36), UINT32_C(0x0DF58E09), UINT32_C(0x038F3D3B), - UINT32_C(0x014D0412), UINT32_C(0x0123F0AF), UINT32_C(0x0021ED27), - UINT32_C(0x0004843B), UINT32_C(0x05BF4326), UINT32_C(0x05A672B0), - UINT32_C(0x02B6453D), UINT32_C(0x0C7F1450), UINT32_C(0x04A895A4), - UINT32_C(0x061C3DF9) } }, - { { UINT32_C(0x0E593E49), UINT32_C(0x07ABFF21), UINT32_C(0x076E69C7), - UINT32_C(0x05C81656), UINT32_C(0x0858D39E), UINT32_C(0x041FC1FA), - UINT32_C(0x03599A84), UINT32_C(0x0ECF483C), UINT32_C(0x0190C4E8), - UINT32_C(0x08EA24D2), UINT32_C(0x03536BE7), UINT32_C(0x0E3746C4), - UINT32_C(0x0632F6BA), UINT32_C(0x05CFBDCC), UINT32_C(0x060097CB), - UINT32_C(0x04B0546F), UINT32_C(0x0AB5C45F), UINT32_C(0x04F8975E), - UINT32_C(0x04C5D61F) }, - { UINT32_C(0x062B46F6), UINT32_C(0x07516E20), UINT32_C(0x0C1F955C), - UINT32_C(0x001F66A2), UINT32_C(0x0ED0D917), UINT32_C(0x0406AF99), - UINT32_C(0x069CF83E), UINT32_C(0x0D4D8A00), UINT32_C(0x03D763C5), - UINT32_C(0x0E1FD9A7), UINT32_C(0x0056211F), UINT32_C(0x07531A2F), - UINT32_C(0x00973B69), UINT32_C(0x021DCD32), UINT32_C(0x09D0AC99), - UINT32_C(0x0549BFEA), UINT32_C(0x0305E319), UINT32_C(0x01342656), - UINT32_C(0x001B80FB) } }, - { { UINT32_C(0x031FFCBB), UINT32_C(0x06BC2475), UINT32_C(0x090EA8B2), - UINT32_C(0x0716EDFB), UINT32_C(0x0418E2AE), UINT32_C(0x0381C978), - UINT32_C(0x05591029), UINT32_C(0x09BD26C6), UINT32_C(0x0460D4D5), - UINT32_C(0x07DAA20D), UINT32_C(0x01560E68), UINT32_C(0x04AAAB23), - UINT32_C(0x01EA985C), UINT32_C(0x0631896F), UINT32_C(0x0FD13830), - UINT32_C(0x0416257F), UINT32_C(0x069B78E7), UINT32_C(0x0016004F), - UINT32_C(0x07B5E05F) }, - { UINT32_C(0x0749B010), UINT32_C(0x0716A42F), UINT32_C(0x0DEDE224), - UINT32_C(0x06E403DB), UINT32_C(0x01FC6739), UINT32_C(0x07F5928B), - UINT32_C(0x04FF09AE), UINT32_C(0x096D2235), UINT32_C(0x032412BF), - UINT32_C(0x0635ABB1), UINT32_C(0x0480F063), UINT32_C(0x0BA557CC), - UINT32_C(0x05C0FEF3), UINT32_C(0x01C7CB5C), UINT32_C(0x09482C2A), - UINT32_C(0x003CF65B), UINT32_C(0x0F39C07C), UINT32_C(0x00902580), - UINT32_C(0x053F7D95) } }, - { { UINT32_C(0x00C6A752), UINT32_C(0x0600187B), UINT32_C(0x031FD29E), - UINT32_C(0x07202D01), UINT32_C(0x08706FD9), UINT32_C(0x003A8DA7), - UINT32_C(0x02BC4807), UINT32_C(0x0108B8E2), UINT32_C(0x03DCB4C3), - UINT32_C(0x00E5D109), UINT32_C(0x0133EBE8), UINT32_C(0x0DBC9FDB), - UINT32_C(0x037A84B4), UINT32_C(0x000D902A), UINT32_C(0x0B159D44), - UINT32_C(0x0385B949), UINT32_C(0x0BB24FD6), UINT32_C(0x05FFC44B), - UINT32_C(0x0402B0EA) }, - { UINT32_C(0x0AFA8C2B), UINT32_C(0x03A224AC), UINT32_C(0x08FD7C67), - UINT32_C(0x072E1371), UINT32_C(0x01FA5FB1), UINT32_C(0x060D59B5), - UINT32_C(0x004D1058), UINT32_C(0x0193E727), UINT32_C(0x0093B083), - UINT32_C(0x0ABA0999), UINT32_C(0x07F25ECC), UINT32_C(0x0E8D4648), - UINT32_C(0x045B908B), UINT32_C(0x02C916E0), UINT32_C(0x052F14F8), - UINT32_C(0x00430404), UINT32_C(0x0B8E9A2B), UINT32_C(0x00F4BF45), - UINT32_C(0x03F0A1D1) } }, - { { UINT32_C(0x0CEE5802), UINT32_C(0x00880798), UINT32_C(0x01C63FFC), - UINT32_C(0x071B8526), UINT32_C(0x0C1068FB), UINT32_C(0x052F9DB3), - UINT32_C(0x01DDC849), UINT32_C(0x0E84AF14), UINT32_C(0x06CD446D), - UINT32_C(0x0A9F92C6), UINT32_C(0x01676037), UINT32_C(0x02A0264C), - UINT32_C(0x0467C53C), UINT32_C(0x051C4EE1), UINT32_C(0x01F47FF0), - UINT32_C(0x022246B4), UINT32_C(0x07D42402), UINT32_C(0x0287119F), - UINT32_C(0x04434D4E) }, - { UINT32_C(0x018DA0C0), UINT32_C(0x042E86EE), UINT32_C(0x08509770), - UINT32_C(0x04EDAEB9), UINT32_C(0x0A4009B5), UINT32_C(0x0335CB55), - UINT32_C(0x064D21EC), UINT32_C(0x0647F463), UINT32_C(0x07A167F4), - UINT32_C(0x023FB0E4), UINT32_C(0x062A970D), UINT32_C(0x00205267), - UINT32_C(0x036D3513), UINT32_C(0x07ABD182), UINT32_C(0x0B51FDBA), - UINT32_C(0x077B5CD0), UINT32_C(0x0896BFE4), UINT32_C(0x0300338E), - UINT32_C(0x06FF9581) } }, - { { UINT32_C(0x054184BF), UINT32_C(0x02DCF217), UINT32_C(0x0880D0D9), - UINT32_C(0x019760C7), UINT32_C(0x0662BD25), UINT32_C(0x06A962DD), - UINT32_C(0x04C69173), UINT32_C(0x019D4A19), UINT32_C(0x05AD5A5F), - UINT32_C(0x0E23BF0B), UINT32_C(0x07D3C575), UINT32_C(0x0BCDA9CF), - UINT32_C(0x019497F7), UINT32_C(0x01914517), UINT32_C(0x027F0C56), - UINT32_C(0x048ED5F5), UINT32_C(0x078B0933), UINT32_C(0x01A7EB30), - UINT32_C(0x066D17B3) }, - { UINT32_C(0x00A95EDC), UINT32_C(0x0386D25E), UINT32_C(0x039DE915), - UINT32_C(0x076A16CE), UINT32_C(0x05DCE4A7), UINT32_C(0x07C40607), - UINT32_C(0x06F1B7C2), UINT32_C(0x0A817858), UINT32_C(0x0147CB22), - UINT32_C(0x0D109609), UINT32_C(0x0454D2C5), UINT32_C(0x0D788CF4), - UINT32_C(0x03DCA054), UINT32_C(0x02A7B716), UINT32_C(0x05C66166), - UINT32_C(0x01AC2B32), UINT32_C(0x0D0C246B), UINT32_C(0x02E38AD2), - UINT32_C(0x039CDC10) } }, + if (!ecPrivKey || !signature || !digest || !kb || + !ecPrivKey->privateValue.data || + !signature->data || !digest->data || + ecPrivKey->ecParams.name != ECCurve_NIST_P521) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; } -}; - -/*- - * Finite field inversion. - * Computed with exponentiation via FLT. - * Autogenerated: ecp/secp521r1/fe_inv.op3 - * custom repunit addition chain - * NB: this is not a real fiat-crypto function, just named that way for consistency. - */ -static void -fiat_secp521r1_inv(fe_t output, const fe_t t1) -{ - int i; - /* temporary variables */ - fe_t acc, t128, t16, t2, t256, t32, t4, t512, t516, t518, t519, t64, t8; - - fiat_secp521r1_carry_square(acc, t1); - fiat_secp521r1_carry_mul(t2, acc, t1); - fiat_secp521r1_carry_square(acc, t2); - fiat_secp521r1_carry_square(acc, acc); - fiat_secp521r1_carry_mul(t4, acc, t2); - fiat_secp521r1_carry_square(acc, t4); - for (i = 0; i < 3; i++) - fiat_secp521r1_carry_square(acc, acc); - fiat_secp521r1_carry_mul(t8, acc, t4); - fiat_secp521r1_carry_square(acc, t8); - for (i = 0; i < 7; i++) - fiat_secp521r1_carry_square(acc, acc); - fiat_secp521r1_carry_mul(t16, acc, t8); - fiat_secp521r1_carry_square(acc, t16); - for (i = 0; i < 15; i++) - fiat_secp521r1_carry_square(acc, acc); - fiat_secp521r1_carry_mul(t32, acc, t16); - fiat_secp521r1_carry_square(acc, t32); - for (i = 0; i < 31; i++) - fiat_secp521r1_carry_square(acc, acc); - fiat_secp521r1_carry_mul(t64, acc, t32); - fiat_secp521r1_carry_square(acc, t64); - for (i = 0; i < 63; i++) - fiat_secp521r1_carry_square(acc, acc); - fiat_secp521r1_carry_mul(t128, acc, t64); - fiat_secp521r1_carry_square(acc, t128); - for (i = 0; i < 127; i++) - fiat_secp521r1_carry_square(acc, acc); - fiat_secp521r1_carry_mul(t256, acc, t128); - fiat_secp521r1_carry_square(acc, t256); - for (i = 0; i < 255; i++) - fiat_secp521r1_carry_square(acc, acc); - fiat_secp521r1_carry_mul(t512, acc, t256); - fiat_secp521r1_carry_square(acc, t512); - for (i = 0; i < 3; i++) - fiat_secp521r1_carry_square(acc, acc); - fiat_secp521r1_carry_mul(t516, acc, t4); - fiat_secp521r1_carry_square(acc, t516); - fiat_secp521r1_carry_square(acc, acc); - fiat_secp521r1_carry_mul(t518, acc, t2); - fiat_secp521r1_carry_square(acc, t518); - fiat_secp521r1_carry_mul(t519, acc, t1); - fiat_secp521r1_carry_square(acc, t519); - fiat_secp521r1_carry_square(acc, acc); - fiat_secp521r1_carry_mul(output, acc, t1); -} - -/*- - * Q := 2P, both projective, Q and P same pointers OK - * Autogenerated: op3/dbl_proj.op3 - * https://eprint.iacr.org/2015/1060 Alg 6 - * ASSERT: a = -3 - */ -static void -point_double(pt_prj_t *Q, const pt_prj_t *P) -{ - /* temporary variables */ - fe_t t0, t1, t2, t3, t4; - /* constants */ - const limb_t *b = const_b; - /* set pointers for legacy curve arith */ - const limb_t *X = P->X; - const limb_t *Y = P->Y; - const limb_t *Z = P->Z; - limb_t *X3 = Q->X; - limb_t *Y3 = Q->Y; - limb_t *Z3 = Q->Z; - - /* the curve arith formula */ - fiat_secp521r1_carry_square(t0, X); - fiat_secp521r1_carry_square(t1, Y); - fiat_secp521r1_carry_square(t2, Z); - fiat_secp521r1_carry_mul(t3, X, Y); - fiat_secp521r1_carry_add(t3, t3, t3); - fiat_secp521r1_carry_mul(t4, Y, Z); - fiat_secp521r1_carry_mul(Z3, X, Z); - fiat_secp521r1_carry_add(Z3, Z3, Z3); - fiat_secp521r1_carry_mul(Y3, b, t2); - fiat_secp521r1_carry_sub(Y3, Y3, Z3); - fiat_secp521r1_carry_add(X3, Y3, Y3); - fiat_secp521r1_carry_add(Y3, X3, Y3); - fiat_secp521r1_carry_sub(X3, t1, Y3); - fiat_secp521r1_carry_add(Y3, t1, Y3); - fiat_secp521r1_carry_mul(Y3, X3, Y3); - fiat_secp521r1_carry_mul(X3, X3, t3); - fiat_secp521r1_carry_add(t3, t2, t2); - fiat_secp521r1_carry_add(t2, t2, t3); - fiat_secp521r1_carry_mul(Z3, b, Z3); - fiat_secp521r1_carry_sub(Z3, Z3, t2); - fiat_secp521r1_carry_sub(Z3, Z3, t0); - fiat_secp521r1_carry_add(t3, Z3, Z3); - fiat_secp521r1_carry_add(Z3, Z3, t3); - fiat_secp521r1_carry_add(t3, t0, t0); - fiat_secp521r1_carry_add(t0, t3, t0); - fiat_secp521r1_carry_sub(t0, t0, t2); - fiat_secp521r1_carry_mul(t0, t0, Z3); - fiat_secp521r1_carry_add(Y3, Y3, t0); - fiat_secp521r1_carry_add(t0, t4, t4); - fiat_secp521r1_carry_mul(Z3, t0, Z3); - fiat_secp521r1_carry_sub(X3, X3, Z3); - fiat_secp521r1_carry_mul(Z3, t0, t1); - fiat_secp521r1_carry_add(Z3, Z3, Z3); - fiat_secp521r1_carry_add(Z3, Z3, Z3); -} - -/*- - * out1 = (arg1 == 0) ? 0 : nz - * NB: this is not a "mod p equiv" 0, but literal 0 - * NB: this is not a real fiat-crypto function, just named that way for consistency. - */ -static void -fiat_secp521r1_nonzero(limb_t *out1, const fe_t arg1) -{ - limb_t x1 = 0; - int i; - - for (i = 0; i < LIMB_CNT; i++) - x1 |= arg1[i]; - *out1 = x1; -} -/*- - * R := Q + P where R and Q are projective, P affine. - * R and Q same pointers OK - * R and P same pointers not OK - * Autogenerated: op3/add_mixed.op3 - * https://eprint.iacr.org/2015/1060 Alg 5 - * ASSERT: a = -3 - */ -static void -point_add_mixed(pt_prj_t *R, const pt_prj_t *Q, const pt_aff_t *P) -{ - /* temporary variables */ - fe_t t0, t1, t2, t3, t4; - /* constants */ - const limb_t *b = const_b; - /* set pointers for legacy curve arith */ - const limb_t *X1 = Q->X; - const limb_t *Y1 = Q->Y; - const limb_t *Z1 = Q->Z; - const limb_t *X2 = P->X; - const limb_t *Y2 = P->Y; - fe_t X3; - fe_t Y3; - fe_t Z3; - limb_t nz; - - /* check P for affine inf */ - fiat_secp521r1_nonzero(&nz, P->Y); - - /* the curve arith formula */ - fiat_secp521r1_carry_mul(t0, X1, X2); - fiat_secp521r1_carry_mul(t1, Y1, Y2); - fiat_secp521r1_carry_add(t3, X2, Y2); - fiat_secp521r1_carry_add(t4, X1, Y1); - fiat_secp521r1_carry_mul(t3, t3, t4); - fiat_secp521r1_carry_add(t4, t0, t1); - fiat_secp521r1_carry_sub(t3, t3, t4); - fiat_secp521r1_carry_mul(t4, Y2, Z1); - fiat_secp521r1_carry_add(t4, t4, Y1); - fiat_secp521r1_carry_mul(Y3, X2, Z1); - fiat_secp521r1_carry_add(Y3, Y3, X1); - fiat_secp521r1_carry_mul(Z3, b, Z1); - fiat_secp521r1_carry_sub(X3, Y3, Z3); - fiat_secp521r1_carry_add(Z3, X3, X3); - fiat_secp521r1_carry_add(X3, X3, Z3); - fiat_secp521r1_carry_sub(Z3, t1, X3); - fiat_secp521r1_carry_add(X3, t1, X3); - fiat_secp521r1_carry_mul(Y3, b, Y3); - fiat_secp521r1_carry_add(t1, Z1, Z1); - fiat_secp521r1_carry_add(t2, t1, Z1); - fiat_secp521r1_carry_sub(Y3, Y3, t2); - fiat_secp521r1_carry_sub(Y3, Y3, t0); - fiat_secp521r1_carry_add(t1, Y3, Y3); - fiat_secp521r1_carry_add(Y3, t1, Y3); - fiat_secp521r1_carry_add(t1, t0, t0); - fiat_secp521r1_carry_add(t0, t1, t0); - fiat_secp521r1_carry_sub(t0, t0, t2); - fiat_secp521r1_carry_mul(t1, t4, Y3); - fiat_secp521r1_carry_mul(t2, t0, Y3); - fiat_secp521r1_carry_mul(Y3, X3, Z3); - fiat_secp521r1_carry_add(Y3, Y3, t2); - fiat_secp521r1_carry_mul(X3, t3, X3); - fiat_secp521r1_carry_sub(X3, X3, t1); - fiat_secp521r1_carry_mul(Z3, t4, Z3); - fiat_secp521r1_carry_mul(t1, t3, t0); - fiat_secp521r1_carry_add(Z3, Z3, t1); - - /* if P is inf, throw all that away and take Q */ - fiat_secp521r1_selectznz(R->X, nz, Q->X, X3); - fiat_secp521r1_selectznz(R->Y, nz, Q->Y, Y3); - fiat_secp521r1_selectznz(R->Z, nz, Q->Z, Z3); -} - -/*- - * R := Q + P all projective. - * R and Q same pointers OK - * R and P same pointers not OK - * Autogenerated: op3/add_proj.op3 - * https://eprint.iacr.org/2015/1060 Alg 4 - * ASSERT: a = -3 - */ -static void -point_add_proj(pt_prj_t *R, const pt_prj_t *Q, const pt_prj_t *P) -{ - /* temporary variables */ - fe_t t0, t1, t2, t3, t4, t5; - /* constants */ - const limb_t *b = const_b; - /* set pointers for legacy curve arith */ - const limb_t *X1 = Q->X; - const limb_t *Y1 = Q->Y; - const limb_t *Z1 = Q->Z; - const limb_t *X2 = P->X; - const limb_t *Y2 = P->Y; - const limb_t *Z2 = P->Z; - limb_t *X3 = R->X; - limb_t *Y3 = R->Y; - limb_t *Z3 = R->Z; - - /* the curve arith formula */ - fiat_secp521r1_carry_mul(t0, X1, X2); - fiat_secp521r1_carry_mul(t1, Y1, Y2); - fiat_secp521r1_carry_mul(t2, Z1, Z2); - fiat_secp521r1_carry_add(t3, X1, Y1); - fiat_secp521r1_carry_add(t4, X2, Y2); - fiat_secp521r1_carry_mul(t3, t3, t4); - fiat_secp521r1_carry_add(t4, t0, t1); - fiat_secp521r1_carry_sub(t3, t3, t4); - fiat_secp521r1_carry_add(t4, Y1, Z1); - fiat_secp521r1_carry_add(t5, Y2, Z2); - fiat_secp521r1_carry_mul(t4, t4, t5); - fiat_secp521r1_carry_add(t5, t1, t2); - fiat_secp521r1_carry_sub(t4, t4, t5); - fiat_secp521r1_carry_add(X3, X1, Z1); - fiat_secp521r1_carry_add(Y3, X2, Z2); - fiat_secp521r1_carry_mul(X3, X3, Y3); - fiat_secp521r1_carry_add(Y3, t0, t2); - fiat_secp521r1_carry_sub(Y3, X3, Y3); - fiat_secp521r1_carry_mul(Z3, b, t2); - fiat_secp521r1_carry_sub(X3, Y3, Z3); - fiat_secp521r1_carry_add(Z3, X3, X3); - fiat_secp521r1_carry_add(X3, X3, Z3); - fiat_secp521r1_carry_sub(Z3, t1, X3); - fiat_secp521r1_carry_add(X3, t1, X3); - fiat_secp521r1_carry_mul(Y3, b, Y3); - fiat_secp521r1_carry_add(t1, t2, t2); - fiat_secp521r1_carry_add(t2, t1, t2); - fiat_secp521r1_carry_sub(Y3, Y3, t2); - fiat_secp521r1_carry_sub(Y3, Y3, t0); - fiat_secp521r1_carry_add(t1, Y3, Y3); - fiat_secp521r1_carry_add(Y3, t1, Y3); - fiat_secp521r1_carry_add(t1, t0, t0); - fiat_secp521r1_carry_add(t0, t1, t0); - fiat_secp521r1_carry_sub(t0, t0, t2); - fiat_secp521r1_carry_mul(t1, t4, Y3); - fiat_secp521r1_carry_mul(t2, t0, Y3); - fiat_secp521r1_carry_mul(Y3, X3, Z3); - fiat_secp521r1_carry_add(Y3, Y3, t2); - fiat_secp521r1_carry_mul(X3, t3, X3); - fiat_secp521r1_carry_sub(X3, X3, t1); - fiat_secp521r1_carry_mul(Z3, t4, Z3); - fiat_secp521r1_carry_mul(t1, t3, t0); - fiat_secp521r1_carry_add(Z3, Z3, t1); -} - -/* constants */ -#define RADIX 5 -#define DRADIX (1 << RADIX) -#define DRADIX_WNAF ((DRADIX) << 1) - -/*- - * precomp for wnaf scalar multiplication: - * precomp[0] = 1P - * precomp[1] = 3P - * precomp[2] = 5P - * precomp[3] = 7P - * precomp[4] = 9P - * ... - */ -static void -precomp_wnaf(pt_prj_t precomp[DRADIX / 2], const pt_aff_t *P) -{ - int i; - - fe_copy(precomp[0].X, P->X); - fe_copy(precomp[0].Y, P->Y); - fe_copy(precomp[0].Z, const_one); - point_double(&precomp[DRADIX / 2 - 1], &precomp[0]); - - for (i = 1; i < DRADIX / 2; i++) - point_add_proj(&precomp[i], &precomp[DRADIX / 2 - 1], &precomp[i - 1]); -} - -/* fetch a scalar bit */ -static int -scalar_get_bit(const unsigned char in[66], int idx) -{ - int widx, rshift; - - widx = idx >> 3; - rshift = idx & 0x7; - - if (idx < 0 || widx >= 66) - return 0; - - return (in[widx] >> rshift) & 0x1; -} - -/*- - * Compute "regular" wnaf representation of a scalar. - * See "Exponent Recoding and Regular Exponentiation Algorithms", - * Tunstall et al., AfricaCrypt 2009, Alg 6. - * It forces an odd scalar and outputs digits in - * {\pm 1, \pm 3, \pm 5, \pm 7, \pm 9, ...} - * i.e. signed odd digits with _no zeroes_ -- that makes it "regular". - */ -static void -scalar_rwnaf(int8_t out[106], const unsigned char in[66]) -{ - int i; - int8_t window, d; - - window = (in[0] & (DRADIX_WNAF - 1)) | 1; - for (i = 0; i < 105; i++) { - d = (window & (DRADIX_WNAF - 1)) - DRADIX; - out[i] = d; - window = (window - d) >> RADIX; - window += scalar_get_bit(in, (i + 1) * RADIX + 1) << 1; - window += scalar_get_bit(in, (i + 1) * RADIX + 2) << 2; - window += scalar_get_bit(in, (i + 1) * RADIX + 3) << 3; - window += scalar_get_bit(in, (i + 1) * RADIX + 4) << 4; - window += scalar_get_bit(in, (i + 1) * RADIX + 5) << 5; + if (kblen == 0 || digest->len == 0 || signature->len < 132) { + PORT_SetError(SEC_ERROR_INPUT_LEN); + return SECFailure; } - out[i] = window; -} - -/*- - * Compute "textbook" wnaf representation of a scalar. - * NB: not constant time - */ -static void -scalar_wnaf(int8_t out[529], const unsigned char in[66]) -{ - int i; - int8_t window, d; - window = in[0] & (DRADIX_WNAF - 1); - for (i = 0; i < 529; i++) { - d = 0; - if ((window & 1) && ((d = window & (DRADIX_WNAF - 1)) & DRADIX)) - d -= DRADIX_WNAF; - out[i] = d; - window = (window - d) >> 1; - window += scalar_get_bit(in, i + 1 + RADIX) << RADIX; + // Private keys should be 66 bytes, but some software trims leading zeros, + // and some software produces 67 byte keys with a leading zero. We'll + // accept these variants. + uint8_t padded_key_data[66] = { 0 }; + uint8_t *key; + SECItem *privKey = &ecPrivKey->privateValue; + if (privKey->len == 66) { + key = privKey->data; + } else if (privKey->len == 67 && privKey->data[0] == 0) { + key = privKey->data + 1; + } else if (privKey->len < 66) { + memcpy(padded_key_data + 66 - privKey->len, privKey->data, privKey->len); + key = padded_key_data; + } else { + PORT_SetError(SEC_ERROR_INPUT_LEN); + return SECFailure; } -} - -/*- - * Simultaneous scalar multiplication: interleaved "textbook" wnaf. - * NB: not constant time - */ -static void -var_smul_wnaf_two(pt_aff_t *out, const unsigned char a[66], - const unsigned char b[66], const pt_aff_t *P) -{ - int i, d, is_neg, is_inf = 1, flipped = 0; - int8_t anaf[529] = { 0 }; - int8_t bnaf[529] = { 0 }; - pt_prj_t Q = { { 0 }, { 0 }, { 0 } }; - pt_prj_t precomp[DRADIX / 2]; - - precomp_wnaf(precomp, P); - scalar_wnaf(anaf, a); - scalar_wnaf(bnaf, b); - for (i = 528; i >= 0; i--) { - if (!is_inf) - point_double(&Q, &Q); - if ((d = bnaf[i])) { - if ((is_neg = d < 0) != flipped) { - fiat_secp521r1_carry_opp(Q.Y, Q.Y); - flipped ^= 1; - } - d = (is_neg) ? (-d - 1) >> 1 : (d - 1) >> 1; - if (is_inf) { - /* initialize accumulator */ - fe_copy(Q.X, &precomp[d].X); - fe_copy(Q.Y, &precomp[d].Y); - fe_copy(Q.Z, &precomp[d].Z); - is_inf = 0; - } else - point_add_proj(&Q, &Q, &precomp[d]); - } - if ((d = anaf[i])) { - if ((is_neg = d < 0) != flipped) { - fiat_secp521r1_carry_opp(Q.Y, Q.Y); - flipped ^= 1; - } - d = (is_neg) ? (-d - 1) >> 1 : (d - 1) >> 1; - if (is_inf) { - /* initialize accumulator */ - fe_copy(Q.X, &lut_cmb[0][d].X); - fe_copy(Q.Y, &lut_cmb[0][d].Y); - fe_copy(Q.Z, const_one); - is_inf = 0; - } else - point_add_mixed(&Q, &Q, &lut_cmb[0][d]); + uint8_t hash[66] = { 0 }; + if (digest->len < 66) { + memcpy(hash + 66 - digest->len, digest->data, digest->len); + } else { + // SEC 1 takes the most significant ceil(log(n)) bits of hash output when the hash output is longer than log(n). + hash[0] = digest->data[0] >> 7; + for (size_t i = 1; i < 66; i++) { + hash[i] = (digest->data[i - 1] << 1) | (digest->data[i] >> 7); } } - if (is_inf) { - /* initialize accumulator to inf: all-zero scalars */ - fe_set_zero(Q.X); - fe_copy(Q.Y, const_one); - fe_set_zero(Q.Z); + uint8_t nonce[66] = { 0 }; + if (kblen < 66) { + memcpy(nonce + 66 - kblen, kb, kblen); + } else { + memcpy(nonce, kb, 66); } - if (flipped) { - /* correct sign */ - fiat_secp521r1_carry_opp(Q.Y, Q.Y); + bool b = Hacl_P521_ecdsa_sign_p521_without_hash( + signature->data, 66, hash, key, nonce); + if (!b) { + PORT_SetError(SEC_ERROR_BAD_KEY); + res = SECFailure; + return res; } - /* convert to affine -- NB depends on coordinate system */ - fiat_secp521r1_inv(Q.Z, Q.Z); - fiat_secp521r1_carry_mul(out->X, Q.X, Q.Z); - fiat_secp521r1_carry_mul(out->Y, Q.Y, Q.Z); + signature->len = 132; + return res; } -/*- - * Variable point scalar multiplication with "regular" wnaf. - * Here "regular" means _no zeroes_, so the sequence of - * EC arithmetic ops is fixed. +/* + * ECDSA Signature Verification for P-521 */ -static void -var_smul_rwnaf(pt_aff_t *out, const unsigned char scalar[66], - const pt_aff_t *P) -{ - int i, j, d, diff, is_neg; - int8_t rnaf[106] = { 0 }; - pt_prj_t Q = { { 0 }, { 0 }, { 0 } }, lut = { { 0 }, { 0 }, { 0 } }; - pt_prj_t precomp[DRADIX / 2]; - - precomp_wnaf(precomp, P); - scalar_rwnaf(rnaf, scalar); -#if defined(_MSC_VER) - /* result still unsigned: yes we know */ -#pragma warning(push) -#pragma warning(disable : 4146) -#endif +SECStatus +ec_secp521r1_verify_digest(ECPublicKey *key, const SECItem *signature, + const SECItem *digest) +{ + SECStatus res = SECSuccess; - /* initialize accumulator to high digit */ - d = (rnaf[105] - 1) >> 1; - for (j = 0; j < DRADIX / 2; j++) { - diff = (1 - (-(d ^ j) >> (8 * sizeof(int) - 1))) & 1; - fiat_secp521r1_selectznz(Q.X, diff, Q.X, precomp[j].X); - fiat_secp521r1_selectznz(Q.Y, diff, Q.Y, precomp[j].Y); - fiat_secp521r1_selectznz(Q.Z, diff, Q.Z, precomp[j].Z); + if (!key || !signature || !digest || + !key->publicValue.data || + !signature->data || !digest->data || + key->ecParams.name != ECCurve_NIST_P521) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + res = SECFailure; + return res; } - for (i = 104; i >= 0; i--) { - for (j = 0; j < RADIX; j++) - point_double(&Q, &Q); - d = rnaf[i]; - /* is_neg = (d < 0) ? 1 : 0 */ - is_neg = (d >> (8 * sizeof(int) - 1)) & 1; - /* d = abs(d) */ - d = (d ^ -is_neg) + is_neg; - d = (d - 1) >> 1; - for (j = 0; j < DRADIX / 2; j++) { - diff = (1 - (-(d ^ j) >> (8 * sizeof(int) - 1))) & 1; - fiat_secp521r1_selectznz(lut.X, diff, lut.X, precomp[j].X); - fiat_secp521r1_selectznz(lut.Y, diff, lut.Y, precomp[j].Y); - fiat_secp521r1_selectznz(lut.Z, diff, lut.Z, precomp[j].Z); - } - /* negate lut point if digit is negative */ - fiat_secp521r1_carry_opp(out->Y, lut.Y); - fiat_secp521r1_selectznz(lut.Y, is_neg, lut.Y, out->Y); - point_add_proj(&Q, &Q, &lut); + if (signature->len == 0 || signature->len % 2 != 0 || + signature->len > 132 || digest->len == 0 || + key->publicValue.len != 133) { + PORT_SetError(SEC_ERROR_INPUT_LEN); + res = SECFailure; + return res; } -#if defined(_MSC_VER) -#pragma warning(pop) -#endif - - /* conditionally subtract P if the scalar was even */ - fe_copy(lut.X, precomp[0].X); - fiat_secp521r1_carry_opp(lut.Y, precomp[0].Y); - fe_copy(lut.Z, precomp[0].Z); - point_add_proj(&lut, &lut, &Q); - fiat_secp521r1_selectznz(Q.X, scalar[0] & 1, lut.X, Q.X); - fiat_secp521r1_selectznz(Q.Y, scalar[0] & 1, lut.Y, Q.Y); - fiat_secp521r1_selectznz(Q.Z, scalar[0] & 1, lut.Z, Q.Z); - - /* convert to affine -- NB depends on coordinate system */ - fiat_secp521r1_inv(Q.Z, Q.Z); - fiat_secp521r1_carry_mul(out->X, Q.X, Q.Z); - fiat_secp521r1_carry_mul(out->Y, Q.Y, Q.Z); -} - -/*- - * Fixed scalar multiplication: comb with interleaving. - */ -static void -fixed_smul_cmb(pt_aff_t *out, const unsigned char scalar[66]) -{ - int i, j, k, d, diff, is_neg = 0; - int8_t rnaf[106] = { 0 }; - pt_prj_t Q = { { 0 }, { 0 }, { 0 } }, R = { { 0 }, { 0 }, { 0 } }; - pt_aff_t lut = { { 0 }, { 0 } }; + if (key->publicValue.data[0] != EC_POINT_FORM_UNCOMPRESSED) { + PORT_SetError(SEC_ERROR_UNSUPPORTED_EC_POINT_FORM); + res = SECFailure; + return res; + } - scalar_rwnaf(rnaf, scalar); + // Signatures should be 132 bytes, but some software produces short signatures. + // Pad components with zeros if necessary. + uint8_t paddedSigData[132] = { 0 }; + uint8_t *sig; + if (signature->len != 132) { + size_t split = signature->len / 2; - /* initalize accumulator to inf */ - fe_set_zero(Q.X); - fe_copy(Q.Y, const_one); - fe_set_zero(Q.Z); + memcpy(paddedSigData + 66 - split, signature->data, split); + memcpy(paddedSigData + 132 - split, signature->data + split, split); -#if defined(_MSC_VER) - /* result still unsigned: yes we know */ -#pragma warning(push) -#pragma warning(disable : 4146) -#endif + sig = paddedSigData; + } else { + sig = signature->data; + } - for (i = 8; i >= 0; i--) { - for (j = 0; i != 8 && j < RADIX; j++) - point_double(&Q, &Q); - for (j = 0; j < 13; j++) { - if (j * 9 + i > 105) - continue; - d = rnaf[j * 9 + i]; - /* is_neg = (d < 0) ? 1 : 0 */ - is_neg = (d >> (8 * sizeof(int) - 1)) & 1; - /* d = abs(d) */ - d = (d ^ -is_neg) + is_neg; - d = (d - 1) >> 1; - for (k = 0; k < DRADIX / 2; k++) { - diff = (1 - (-(d ^ k) >> (8 * sizeof(int) - 1))) & 1; - fiat_secp521r1_selectznz(lut.X, diff, lut.X, lut_cmb[j][k].X); - fiat_secp521r1_selectznz(lut.Y, diff, lut.Y, lut_cmb[j][k].Y); - } - /* negate lut point if digit is negative */ - fiat_secp521r1_carry_opp(out->Y, lut.Y); - fiat_secp521r1_selectznz(lut.Y, is_neg, lut.Y, out->Y); - point_add_mixed(&Q, &Q, &lut); + uint8_t hash[66] = { 0 }; + if (digest->len < 66) { + memcpy(hash + 66 - digest->len, digest->data, digest->len); + } else { + // SEC 1 takes the most significant ceil(log(n)) bits of hash output when the hash output is longer than log(n). + hash[0] = digest->data[0] >> 7; + for (size_t i = 1; i < 66; i++) { + hash[i] = (digest->data[i - 1] << 1) | (digest->data[i] >> 7); } } -#if defined(_MSC_VER) -#pragma warning(pop) -#endif - - /* conditionally subtract P if the scalar was even */ - fe_copy(lut.X, lut_cmb[0][0].X); - fiat_secp521r1_carry_opp(lut.Y, lut_cmb[0][0].Y); - point_add_mixed(&R, &Q, &lut); - fiat_secp521r1_selectznz(Q.X, scalar[0] & 1, R.X, Q.X); - fiat_secp521r1_selectznz(Q.Y, scalar[0] & 1, R.Y, Q.Y); - fiat_secp521r1_selectznz(Q.Z, scalar[0] & 1, R.Z, Q.Z); - - /* convert to affine -- NB depends on coordinate system */ - fiat_secp521r1_inv(Q.Z, Q.Z); - fiat_secp521r1_carry_mul(out->X, Q.X, Q.Z); - fiat_secp521r1_carry_mul(out->Y, Q.Y, Q.Z); -} - -/*- - * Wrapper: simultaneous scalar mutiplication. - * outx, outy := a * G + b * P - * where P = (inx, iny). - * Everything is LE byte ordering. - */ -void -point_mul_two_secp521r1(unsigned char outx[66], unsigned char outy[66], - const unsigned char a[66], - const unsigned char b[66], - const unsigned char inx[66], - const unsigned char iny[66]) -{ - pt_aff_t P; - - fiat_secp521r1_from_bytes(P.X, inx); - fiat_secp521r1_from_bytes(P.Y, iny); - /* simultaneous scalar multiplication */ - var_smul_wnaf_two(&P, a, b, &P); - - fiat_secp521r1_to_bytes(outx, P.X); - fiat_secp521r1_to_bytes(outy, P.Y); -} - -/*- - * Wrapper: fixed scalar mutiplication. - * outx, outy := scalar * G - * Everything is LE byte ordering. - */ -void -point_mul_g_secp521r1(unsigned char outx[66], unsigned char outy[66], - const unsigned char scalar[66]) -{ - pt_aff_t P; - - /* fixed scmul function */ - fixed_smul_cmb(&P, scalar); - fiat_secp521r1_to_bytes(outx, P.X); - fiat_secp521r1_to_bytes(outy, P.Y); -} - -/*- - * Wrapper: variable point scalar mutiplication. - * outx, outy := scalar * P - * where P = (inx, iny). - * Everything is LE byte ordering. - */ -void -point_mul_secp521r1(unsigned char outx[66], unsigned char outy[66], - const unsigned char scalar[66], - const unsigned char inx[66], - const unsigned char iny[66]) -{ - pt_aff_t P; + bool b = Hacl_P521_ecdsa_verif_without_hash( + 66, hash, key->publicValue.data + 1, sig, sig + 66); + if (!b) { + PORT_SetError(SEC_ERROR_BAD_SIGNATURE); + res = SECFailure; + return res; + } - fiat_secp521r1_from_bytes(P.X, inx); - fiat_secp521r1_from_bytes(P.Y, iny); - /* var scmul function */ - var_smul_rwnaf(&P, scalar, &P); - fiat_secp521r1_to_bytes(outx, P.X); - fiat_secp521r1_to_bytes(outy, P.Y); + return res; } - -#endif /* __SIZEOF_INT128__ */ diff --git a/nss/lib/freebl/ecl/ecp_secp521r1_wrap.c b/nss/lib/freebl/ecl/ecp_secp521r1_wrap.c deleted file mode 100644 index b767624..0000000 --- a/nss/lib/freebl/ecl/ecp_secp521r1_wrap.c +++ /dev/null @@ -1,255 +0,0 @@ -/*- - * MIT License - * - - * Copyright (c) 2020 Luis Rivera-Zamarripa, Jesús-Javier Chi-Domínguez, Billy Bob Brumley - * - - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - - * The above copyright notice and this permission notice shall be included in all - * copies or substantial portions of the Software. - * - - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE - * SOFTWARE. - */ - -#undef RADIX -#include "ecp.h" -#include "ecp_secp521r1.h" -#include "mpi-priv.h" -#include "mplogic.h" - -/*- - * reverse bytes -- total hack - */ -#define MP_BE2LE(a) \ - do { \ - unsigned char z_bswap; \ - z_bswap = a[0]; \ - a[0] = a[65]; \ - a[65] = z_bswap; \ - z_bswap = a[1]; \ - a[1] = a[64]; \ - a[64] = z_bswap; \ - z_bswap = a[2]; \ - a[2] = a[63]; \ - a[63] = z_bswap; \ - z_bswap = a[3]; \ - a[3] = a[62]; \ - a[62] = z_bswap; \ - z_bswap = a[4]; \ - a[4] = a[61]; \ - a[61] = z_bswap; \ - z_bswap = a[5]; \ - a[5] = a[60]; \ - a[60] = z_bswap; \ - z_bswap = a[6]; \ - a[6] = a[59]; \ - a[59] = z_bswap; \ - z_bswap = a[7]; \ - a[7] = a[58]; \ - a[58] = z_bswap; \ - z_bswap = a[8]; \ - a[8] = a[57]; \ - a[57] = z_bswap; \ - z_bswap = a[9]; \ - a[9] = a[56]; \ - a[56] = z_bswap; \ - z_bswap = a[10]; \ - a[10] = a[55]; \ - a[55] = z_bswap; \ - z_bswap = a[11]; \ - a[11] = a[54]; \ - a[54] = z_bswap; \ - z_bswap = a[12]; \ - a[12] = a[53]; \ - a[53] = z_bswap; \ - z_bswap = a[13]; \ - a[13] = a[52]; \ - a[52] = z_bswap; \ - z_bswap = a[14]; \ - a[14] = a[51]; \ - a[51] = z_bswap; \ - z_bswap = a[15]; \ - a[15] = a[50]; \ - a[50] = z_bswap; \ - z_bswap = a[16]; \ - a[16] = a[49]; \ - a[49] = z_bswap; \ - z_bswap = a[17]; \ - a[17] = a[48]; \ - a[48] = z_bswap; \ - z_bswap = a[18]; \ - a[18] = a[47]; \ - a[47] = z_bswap; \ - z_bswap = a[19]; \ - a[19] = a[46]; \ - a[46] = z_bswap; \ - z_bswap = a[20]; \ - a[20] = a[45]; \ - a[45] = z_bswap; \ - z_bswap = a[21]; \ - a[21] = a[44]; \ - a[44] = z_bswap; \ - z_bswap = a[22]; \ - a[22] = a[43]; \ - a[43] = z_bswap; \ - z_bswap = a[23]; \ - a[23] = a[42]; \ - a[42] = z_bswap; \ - z_bswap = a[24]; \ - a[24] = a[41]; \ - a[41] = z_bswap; \ - z_bswap = a[25]; \ - a[25] = a[40]; \ - a[40] = z_bswap; \ - z_bswap = a[26]; \ - a[26] = a[39]; \ - a[39] = z_bswap; \ - z_bswap = a[27]; \ - a[27] = a[38]; \ - a[38] = z_bswap; \ - z_bswap = a[28]; \ - a[28] = a[37]; \ - a[37] = z_bswap; \ - z_bswap = a[29]; \ - a[29] = a[36]; \ - a[36] = z_bswap; \ - z_bswap = a[30]; \ - a[30] = a[35]; \ - a[35] = z_bswap; \ - z_bswap = a[31]; \ - a[31] = a[34]; \ - a[34] = z_bswap; \ - z_bswap = a[32]; \ - a[32] = a[33]; \ - a[33] = z_bswap; \ - } while (0) - -static mp_err -point_mul_g_secp521r1_wrap(const mp_int *n, mp_int *out_x, - mp_int *out_y, const ECGroup *group) -{ - unsigned char b_x[66]; - unsigned char b_y[66]; - unsigned char b_n[66]; - mp_err res; - - ARGCHK(n != NULL && out_x != NULL && out_y != NULL, MP_BADARG); - - /* fail on out of range scalars */ - if (mpl_significant_bits(n) > 521 || mp_cmp_z(n) != MP_GT) - return MP_RANGE; - - MP_CHECKOK(mp_to_fixlen_octets(n, b_n, 66)); - MP_BE2LE(b_n); - point_mul_g_secp521r1(b_x, b_y, b_n); - MP_BE2LE(b_x); - MP_BE2LE(b_y); - MP_CHECKOK(mp_read_unsigned_octets(out_x, b_x, 66)); - MP_CHECKOK(mp_read_unsigned_octets(out_y, b_y, 66)); - -CLEANUP: - return res; -} - -static mp_err -point_mul_secp521r1_wrap(const mp_int *n, const mp_int *in_x, - const mp_int *in_y, mp_int *out_x, - mp_int *out_y, const ECGroup *group) -{ - unsigned char b_x[66]; - unsigned char b_y[66]; - unsigned char b_n[66]; - mp_err res; - - ARGCHK(n != NULL && in_x != NULL && in_y != NULL && out_x != NULL && - out_y != NULL, - MP_BADARG); - - /* fail on out of range scalars */ - if (mpl_significant_bits(n) > 521 || mp_cmp_z(n) != MP_GT) - return MP_RANGE; - - MP_CHECKOK(mp_to_fixlen_octets(n, b_n, 66)); - MP_CHECKOK(mp_to_fixlen_octets(in_x, b_x, 66)); - MP_CHECKOK(mp_to_fixlen_octets(in_y, b_y, 66)); - MP_BE2LE(b_x); - MP_BE2LE(b_y); - MP_BE2LE(b_n); - point_mul_secp521r1(b_x, b_y, b_n, b_x, b_y); - MP_BE2LE(b_x); - MP_BE2LE(b_y); - MP_CHECKOK(mp_read_unsigned_octets(out_x, b_x, 66)); - MP_CHECKOK(mp_read_unsigned_octets(out_y, b_y, 66)); - -CLEANUP: - return res; -} - -static mp_err -point_mul_two_secp521r1_wrap(const mp_int *n1, const mp_int *n2, - const mp_int *in_x, - const mp_int *in_y, mp_int *out_x, - mp_int *out_y, - const ECGroup *group) -{ - unsigned char b_x[66]; - unsigned char b_y[66]; - unsigned char b_n1[66]; - unsigned char b_n2[66]; - mp_err res; - - /* If n2 == NULL or 0, this is just a base-point multiplication. */ - if (n2 == NULL || mp_cmp_z(n2) == MP_EQ) - return point_mul_g_secp521r1_wrap(n1, out_x, out_y, group); - - /* If n1 == NULL or 0, this is just an arbitary-point multiplication. */ - if (n1 == NULL || mp_cmp_z(n1) == MP_EQ) - return point_mul_secp521r1_wrap(n2, in_x, in_y, out_x, out_y, group); - - ARGCHK(in_x != NULL && in_y != NULL && out_x != NULL && out_y != NULL, - MP_BADARG); - - /* fail on out of range scalars */ - if (mpl_significant_bits(n1) > 521 || mp_cmp_z(n1) != MP_GT || - mpl_significant_bits(n2) > 521 || mp_cmp_z(n2) != MP_GT) - return MP_RANGE; - - MP_CHECKOK(mp_to_fixlen_octets(n1, b_n1, 66)); - MP_CHECKOK(mp_to_fixlen_octets(n2, b_n2, 66)); - MP_CHECKOK(mp_to_fixlen_octets(in_x, b_x, 66)); - MP_CHECKOK(mp_to_fixlen_octets(in_y, b_y, 66)); - MP_BE2LE(b_x); - MP_BE2LE(b_y); - MP_BE2LE(b_n1); - MP_BE2LE(b_n2); - point_mul_two_secp521r1(b_x, b_y, b_n1, b_n2, b_x, b_y); - MP_BE2LE(b_x); - MP_BE2LE(b_y); - MP_CHECKOK(mp_read_unsigned_octets(out_x, b_x, 66)); - MP_CHECKOK(mp_read_unsigned_octets(out_y, b_y, 66)); - -CLEANUP: - return res; -} - -mp_err -ec_group_set_secp521r1(ECGroup *group, ECCurveName name) -{ - if (name == ECCurve_NIST_P521) { - group->base_point_mul = &point_mul_g_secp521r1_wrap; - group->point_mul = &point_mul_secp521r1_wrap; - group->points_mul = &point_mul_two_secp521r1_wrap; - } - return MP_OKAY; -} diff --git a/nss/lib/freebl/fipsfreebl.c b/nss/lib/freebl/fipsfreebl.c index e532a63..8dac8e3 100644 --- a/nss/lib/freebl/fipsfreebl.c +++ b/nss/lib/freebl/fipsfreebl.c @@ -1601,7 +1601,7 @@ freebl_fips_EC_PowerUpSelfTest() NULL, ec_params_named, /* arena, type */ /* fieldID */ - { 256, ec_field_GFp, /* size and type */ + { 256, ec_field_plain, /* size and type */ { { siBuffer, (unsigned char *)p256_prime, sizeof(p256_prime) } }, /* u.prime */ 0, 0, diff --git a/nss/lib/freebl/freebl_base.gypi b/nss/lib/freebl/freebl_base.gypi index 2a6bd5e..3a33d94 100644 --- a/nss/lib/freebl/freebl_base.gypi +++ b/nss/lib/freebl/freebl_base.gypi @@ -21,27 +21,10 @@ 'dsa.c', 'ec.c', 'ecdecode.c', - 'ecl/ec_naf.c', - 'ecl/ecl.c', - 'ecl/ecl_gf.c', - 'ecl/ecl_mult.c', 'ecl/ecp_25519.c', - 'ecl/ecp_256.c', - 'ecl/ecp_256_32.c', - 'ecl/ecp_384.c', - 'ecl/ecp_521.c', - 'ecl/ecp_aff.c', - 'ecl/ecp_jac.c', - 'ecl/ecp_jm.c', - 'ecl/ecp_mont.c', 'ecl/ecp_secp256r1.c', 'ecl/ecp_secp384r1.c', - 'ecl/ecp_secp384r1_wrap.c', 'ecl/ecp_secp521r1.c', - 'ecl/ecp_secp521r1_wrap.c', - 'verified/Hacl_P256.c', - 'verified/Hacl_P384.c', - 'verified/Hacl_P521.c', 'fipsfreebl.c', 'blinit.c', 'freeblver.c', @@ -71,6 +54,9 @@ 'tlsprfalg.c', 'secmpi.c', 'verified/Hacl_Hash_SHA3.c', + 'verified/Hacl_P256.c', + 'verified/Hacl_P384.c', + 'verified/Hacl_P521.c', 'sha3.c', 'shake.c', 'verified/Hacl_Curve25519_51.c', diff --git a/nss/lib/freebl/manifest.mn b/nss/lib/freebl/manifest.mn index a0e43ae..a6027f8 100644 --- a/nss/lib/freebl/manifest.mn +++ b/nss/lib/freebl/manifest.mn @@ -108,12 +108,8 @@ MPI_HDRS = mpi-config.h mpi.h mpi-priv.h mplogic.h mpprime.h logtab.h mp_gf2m.h MPI_SRCS = mpprime.c mpmontg.c mplogic.c mpi.c mp_gf2m.c -ECL_HDRS = ecl-exp.h ecl.h ecp.h ecl-priv.h -ECL_SRCS = ecl.c ecl_mult.c ecl_gf.c \ - ecp_aff.c ecp_jac.c ecp_mont.c \ - ec_naf.c ecp_jm.c ecp_256.c ecp_384.c ecp_521.c \ - ecp_256_32.c ecp_25519.c ecp_secp256r1.c ecp_secp384r1.c ecp_secp521r1.c \ - ecp_secp384r1_wrap.c ecp_secp521r1_wrap.c +ECL_HDRS = ecl-exp.h ecl.h ecl-priv.h +ECL_SRCS = ecp_25519.c ecp_secp256r1.c ecp_secp384r1.c ecp_secp521r1.c SHA_SRCS = sha_fast.c MPCPU_SRCS = mpcpucache.c VERIFIED_SRCS = $(NULL) diff --git a/nss/lib/freebl/verified/Hacl_P384.c b/nss/lib/freebl/verified/Hacl_P384.c index bd06958..188c364 100644 --- a/nss/lib/freebl/verified/Hacl_P384.c +++ b/nss/lib/freebl/verified/Hacl_P384.c @@ -30,43 +30,127 @@ static inline uint64_t bn_is_eq_mask(uint64_t *x, uint64_t *y) { - uint64_t mask = (uint64_t)0xFFFFFFFFFFFFFFFFU; + uint64_t mask = 0xFFFFFFFFFFFFFFFFULL; KRML_MAYBE_FOR6(i, - (uint32_t)0U, - (uint32_t)6U, - (uint32_t)1U, + 0U, + 6U, + 1U, uint64_t uu____0 = FStar_UInt64_eq_mask(x[i], y[i]); mask = uu____0 & mask;); uint64_t mask1 = mask; return mask1; } +static inline void +bn_cmovznz(uint64_t *a, uint64_t b, uint64_t *c, uint64_t *d) +{ + uint64_t mask = ~FStar_UInt64_eq_mask(b, 0ULL); + KRML_MAYBE_FOR6(i, + 0U, + 6U, + 1U, + uint64_t *os = a; + uint64_t uu____0 = c[i]; + uint64_t x = uu____0 ^ (mask & (d[i] ^ uu____0)); + os[i] = x;); +} + +static inline void +bn_add_mod(uint64_t *a, uint64_t *b, uint64_t *c, uint64_t *d) +{ + uint64_t c10 = 0ULL; + { + uint64_t t1 = c[4U * 0U]; + uint64_t t20 = d[4U * 0U]; + uint64_t *res_i0 = a + 4U * 0U; + c10 = Lib_IntTypes_Intrinsics_add_carry_u64(c10, t1, t20, res_i0); + uint64_t t10 = c[4U * 0U + 1U]; + uint64_t t21 = d[4U * 0U + 1U]; + uint64_t *res_i1 = a + 4U * 0U + 1U; + c10 = Lib_IntTypes_Intrinsics_add_carry_u64(c10, t10, t21, res_i1); + uint64_t t11 = c[4U * 0U + 2U]; + uint64_t t22 = d[4U * 0U + 2U]; + uint64_t *res_i2 = a + 4U * 0U + 2U; + c10 = Lib_IntTypes_Intrinsics_add_carry_u64(c10, t11, t22, res_i2); + uint64_t t12 = c[4U * 0U + 3U]; + uint64_t t2 = d[4U * 0U + 3U]; + uint64_t *res_i = a + 4U * 0U + 3U; + c10 = Lib_IntTypes_Intrinsics_add_carry_u64(c10, t12, t2, res_i); + } + KRML_MAYBE_FOR2(i, + 4U, + 6U, + 1U, + uint64_t t1 = c[i]; + uint64_t t2 = d[i]; + uint64_t *res_i = a + i; + c10 = Lib_IntTypes_Intrinsics_add_carry_u64(c10, t1, t2, res_i);); + uint64_t c0 = c10; + uint64_t tmp[6U] = { 0U }; + uint64_t c1 = 0ULL; + { + uint64_t t1 = a[4U * 0U]; + uint64_t t20 = b[4U * 0U]; + uint64_t *res_i0 = tmp + 4U * 0U; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t1, t20, res_i0); + uint64_t t10 = a[4U * 0U + 1U]; + uint64_t t21 = b[4U * 0U + 1U]; + uint64_t *res_i1 = tmp + 4U * 0U + 1U; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t10, t21, res_i1); + uint64_t t11 = a[4U * 0U + 2U]; + uint64_t t22 = b[4U * 0U + 2U]; + uint64_t *res_i2 = tmp + 4U * 0U + 2U; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t11, t22, res_i2); + uint64_t t12 = a[4U * 0U + 3U]; + uint64_t t2 = b[4U * 0U + 3U]; + uint64_t *res_i = tmp + 4U * 0U + 3U; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t12, t2, res_i); + } + KRML_MAYBE_FOR2(i, + 4U, + 6U, + 1U, + uint64_t t1 = a[i]; + uint64_t t2 = b[i]; + uint64_t *res_i = tmp + i; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t1, t2, res_i);); + uint64_t c11 = c1; + uint64_t c2 = c0 - c11; + KRML_MAYBE_FOR6(i, + 0U, + 6U, + 1U, + uint64_t *os = a; + uint64_t x = (c2 & a[i]) | (~c2 & tmp[i]); + os[i] = x;); +} + static inline uint64_t bn_sub(uint64_t *a, uint64_t *b, uint64_t *c) { - uint64_t c1 = (uint64_t)0U; + uint64_t c1 = 0ULL; { - uint64_t t1 = b[(uint32_t)4U * (uint32_t)0U]; - uint64_t t20 = c[(uint32_t)4U * (uint32_t)0U]; - uint64_t *res_i0 = a + (uint32_t)4U * (uint32_t)0U; + uint64_t t1 = b[4U * 0U]; + uint64_t t20 = c[4U * 0U]; + uint64_t *res_i0 = a + 4U * 0U; c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t1, t20, res_i0); - uint64_t t10 = b[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; - uint64_t t21 = c[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; - uint64_t *res_i1 = a + (uint32_t)4U * (uint32_t)0U + (uint32_t)1U; + uint64_t t10 = b[4U * 0U + 1U]; + uint64_t t21 = c[4U * 0U + 1U]; + uint64_t *res_i1 = a + 4U * 0U + 1U; c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t10, t21, res_i1); - uint64_t t11 = b[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; - uint64_t t22 = c[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; - uint64_t *res_i2 = a + (uint32_t)4U * (uint32_t)0U + (uint32_t)2U; + uint64_t t11 = b[4U * 0U + 2U]; + uint64_t t22 = c[4U * 0U + 2U]; + uint64_t *res_i2 = a + 4U * 0U + 2U; c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t11, t22, res_i2); - uint64_t t12 = b[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; - uint64_t t2 = c[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; - uint64_t *res_i = a + (uint32_t)4U * (uint32_t)0U + (uint32_t)3U; + uint64_t t12 = b[4U * 0U + 3U]; + uint64_t t2 = c[4U * 0U + 3U]; + uint64_t *res_i = a + 4U * 0U + 3U; c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t12, t2, res_i); } KRML_MAYBE_FOR2(i, - (uint32_t)4U, - (uint32_t)6U, - (uint32_t)1U, + 4U, + 6U, + 1U, uint64_t t1 = b[i]; uint64_t t2 = c[i]; uint64_t *res_i = a + i; @@ -76,27 +160,1255 @@ bn_sub(uint64_t *a, uint64_t *b, uint64_t *c) } static inline void +bn_sub_mod(uint64_t *a, uint64_t *b, uint64_t *c, uint64_t *d) +{ + uint64_t c10 = 0ULL; + { + uint64_t t1 = c[4U * 0U]; + uint64_t t20 = d[4U * 0U]; + uint64_t *res_i0 = a + 4U * 0U; + c10 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c10, t1, t20, res_i0); + uint64_t t10 = c[4U * 0U + 1U]; + uint64_t t21 = d[4U * 0U + 1U]; + uint64_t *res_i1 = a + 4U * 0U + 1U; + c10 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c10, t10, t21, res_i1); + uint64_t t11 = c[4U * 0U + 2U]; + uint64_t t22 = d[4U * 0U + 2U]; + uint64_t *res_i2 = a + 4U * 0U + 2U; + c10 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c10, t11, t22, res_i2); + uint64_t t12 = c[4U * 0U + 3U]; + uint64_t t2 = d[4U * 0U + 3U]; + uint64_t *res_i = a + 4U * 0U + 3U; + c10 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c10, t12, t2, res_i); + } + KRML_MAYBE_FOR2(i, + 4U, + 6U, + 1U, + uint64_t t1 = c[i]; + uint64_t t2 = d[i]; + uint64_t *res_i = a + i; + c10 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c10, t1, t2, res_i);); + uint64_t c0 = c10; + uint64_t tmp[6U] = { 0U }; + uint64_t c1 = 0ULL; + { + uint64_t t1 = a[4U * 0U]; + uint64_t t20 = b[4U * 0U]; + uint64_t *res_i0 = tmp + 4U * 0U; + c1 = Lib_IntTypes_Intrinsics_add_carry_u64(c1, t1, t20, res_i0); + uint64_t t10 = a[4U * 0U + 1U]; + uint64_t t21 = b[4U * 0U + 1U]; + uint64_t *res_i1 = tmp + 4U * 0U + 1U; + c1 = Lib_IntTypes_Intrinsics_add_carry_u64(c1, t10, t21, res_i1); + uint64_t t11 = a[4U * 0U + 2U]; + uint64_t t22 = b[4U * 0U + 2U]; + uint64_t *res_i2 = tmp + 4U * 0U + 2U; + c1 = Lib_IntTypes_Intrinsics_add_carry_u64(c1, t11, t22, res_i2); + uint64_t t12 = a[4U * 0U + 3U]; + uint64_t t2 = b[4U * 0U + 3U]; + uint64_t *res_i = tmp + 4U * 0U + 3U; + c1 = Lib_IntTypes_Intrinsics_add_carry_u64(c1, t12, t2, res_i); + } + KRML_MAYBE_FOR2(i, + 4U, + 6U, + 1U, + uint64_t t1 = a[i]; + uint64_t t2 = b[i]; + uint64_t *res_i = tmp + i; + c1 = Lib_IntTypes_Intrinsics_add_carry_u64(c1, t1, t2, res_i);); + uint64_t c11 = c1; + KRML_MAYBE_UNUSED_VAR(c11); + uint64_t c2 = 0ULL - c0; + KRML_MAYBE_FOR6(i, + 0U, + 6U, + 1U, + uint64_t *os = a; + uint64_t x = (c2 & tmp[i]) | (~c2 & a[i]); + os[i] = x;); +} + +static inline void +bn_mul(uint64_t *a, uint64_t *b, uint64_t *c) +{ + memset(a, 0U, 12U * sizeof(uint64_t)); + KRML_MAYBE_FOR6( + i0, + 0U, + 6U, + 1U, + uint64_t bj = c[i0]; + uint64_t *res_j = a + i0; + uint64_t c1 = 0ULL; + { + uint64_t a_i = b[4U * 0U]; + uint64_t *res_i0 = res_j + 4U * 0U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, bj, c1, res_i0); + uint64_t a_i0 = b[4U * 0U + 1U]; + uint64_t *res_i1 = res_j + 4U * 0U + 1U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, bj, c1, res_i1); + uint64_t a_i1 = b[4U * 0U + 2U]; + uint64_t *res_i2 = res_j + 4U * 0U + 2U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, bj, c1, res_i2); + uint64_t a_i2 = b[4U * 0U + 3U]; + uint64_t *res_i = res_j + 4U * 0U + 3U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, bj, c1, res_i); + } KRML_MAYBE_FOR2(i, + 4U, + 6U, + 1U, + uint64_t a_i = b[i]; + uint64_t *res_i = res_j + i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, bj, c1, res_i);); + uint64_t r = c1; + a[6U + i0] = r;); +} + +static inline void +bn_sqr(uint64_t *a, uint64_t *b) +{ + memset(a, 0U, 12U * sizeof(uint64_t)); + KRML_MAYBE_FOR6( + i0, + 0U, + 6U, + 1U, + uint64_t *ab = b; + uint64_t a_j = b[i0]; + uint64_t *res_j = a + i0; + uint64_t c = 0ULL; + for (uint32_t i = 0U; i < i0 / 4U; i++) { + uint64_t a_i = ab[4U * i]; + uint64_t *res_i0 = res_j + 4U * i; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, a_j, c, res_i0); + uint64_t a_i0 = ab[4U * i + 1U]; + uint64_t *res_i1 = res_j + 4U * i + 1U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, a_j, c, res_i1); + uint64_t a_i1 = ab[4U * i + 2U]; + uint64_t *res_i2 = res_j + 4U * i + 2U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, a_j, c, res_i2); + uint64_t a_i2 = ab[4U * i + 3U]; + uint64_t *res_i = res_j + 4U * i + 3U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, a_j, c, res_i); + } for (uint32_t i = i0 / 4U * 4U; i < i0; i++) { + uint64_t a_i = ab[i]; + uint64_t *res_i = res_j + i; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, a_j, c, res_i); + } uint64_t r = c; + a[i0 + i0] = r;); + uint64_t c0 = Hacl_Bignum_Addition_bn_add_eq_len_u64(12U, a, a, a); + KRML_MAYBE_UNUSED_VAR(c0); + uint64_t tmp[12U] = { 0U }; + KRML_MAYBE_FOR6(i, + 0U, + 6U, + 1U, + FStar_UInt128_uint128 res = FStar_UInt128_mul_wide(b[i], b[i]); + uint64_t hi = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(res, 64U)); + uint64_t lo = FStar_UInt128_uint128_to_uint64(res); + tmp[2U * i] = lo; + tmp[2U * i + 1U] = hi;); + uint64_t c1 = Hacl_Bignum_Addition_bn_add_eq_len_u64(12U, a, tmp, a); + KRML_MAYBE_UNUSED_VAR(c1); +} + +static inline void +bn_to_bytes_be(uint8_t *a, uint64_t *b) +{ + uint8_t tmp[48U] = { 0U }; + KRML_MAYBE_UNUSED_VAR(tmp); + KRML_MAYBE_FOR6(i, 0U, 6U, 1U, store64_be(a + i * 8U, b[6U - i - 1U]);); +} + +static inline void bn_from_bytes_be(uint64_t *a, uint8_t *b) { KRML_MAYBE_FOR6(i, - (uint32_t)0U, - (uint32_t)6U, - (uint32_t)1U, + 0U, + 6U, + 1U, uint64_t *os = a; - uint64_t u = load64_be(b + ((uint32_t)6U - i - (uint32_t)1U) * (uint32_t)8U); + uint64_t u = load64_be(b + (6U - i - 1U) * 8U); uint64_t x = u; os[i] = x;); } static inline void +p384_make_prime(uint64_t *n) +{ + n[0U] = 0x00000000ffffffffULL; + n[1U] = 0xffffffff00000000ULL; + n[2U] = 0xfffffffffffffffeULL; + n[3U] = 0xffffffffffffffffULL; + n[4U] = 0xffffffffffffffffULL; + n[5U] = 0xffffffffffffffffULL; +} + +static inline void p384_make_order(uint64_t *n) { - n[0U] = (uint64_t)0xecec196accc52973U; - n[1U] = (uint64_t)0x581a0db248b0a77aU; - n[2U] = (uint64_t)0xc7634d81f4372ddfU; - n[3U] = (uint64_t)0xffffffffffffffffU; - n[4U] = (uint64_t)0xffffffffffffffffU; - n[5U] = (uint64_t)0xffffffffffffffffU; + n[0U] = 0xecec196accc52973ULL; + n[1U] = 0x581a0db248b0a77aULL; + n[2U] = 0xc7634d81f4372ddfULL; + n[3U] = 0xffffffffffffffffULL; + n[4U] = 0xffffffffffffffffULL; + n[5U] = 0xffffffffffffffffULL; +} + +static inline void +p384_make_a_coeff(uint64_t *a) +{ + a[0U] = 0x00000003fffffffcULL; + a[1U] = 0xfffffffc00000000ULL; + a[2U] = 0xfffffffffffffffbULL; + a[3U] = 0xffffffffffffffffULL; + a[4U] = 0xffffffffffffffffULL; + a[5U] = 0xffffffffffffffffULL; +} + +static inline void +p384_make_b_coeff(uint64_t *b) +{ + b[0U] = 0x081188719d412dccULL; + b[1U] = 0xf729add87a4c32ecULL; + b[2U] = 0x77f2209b1920022eULL; + b[3U] = 0xe3374bee94938ae2ULL; + b[4U] = 0xb62b21f41f022094ULL; + b[5U] = 0xcd08114b604fbff9ULL; +} + +static inline void +p384_make_g_x(uint64_t *n) +{ + n[0U] = 0x3dd0756649c0b528ULL; + n[1U] = 0x20e378e2a0d6ce38ULL; + n[2U] = 0x879c3afc541b4d6eULL; + n[3U] = 0x6454868459a30effULL; + n[4U] = 0x812ff723614ede2bULL; + n[5U] = 0x4d3aadc2299e1513ULL; +} + +static inline void +p384_make_g_y(uint64_t *n) +{ + n[0U] = 0x23043dad4b03a4feULL; + n[1U] = 0xa1bfa8bf7bb4a9acULL; + n[2U] = 0x8bade7562e83b050ULL; + n[3U] = 0xc6c3521968f4ffd9ULL; + n[4U] = 0xdd8002263969a840ULL; + n[5U] = 0x2b78abc25a15c5e9ULL; +} + +static inline void +p384_make_fmont_R2(uint64_t *n) +{ + n[0U] = 0xfffffffe00000001ULL; + n[1U] = 0x0000000200000000ULL; + n[2U] = 0xfffffffe00000000ULL; + n[3U] = 0x0000000200000000ULL; + n[4U] = 0x0000000000000001ULL; + n[5U] = 0x0ULL; +} + +static inline void +p384_make_fzero(uint64_t *n) +{ + memset(n, 0U, 6U * sizeof(uint64_t)); + n[0U] = 0ULL; +} + +static inline void +p384_make_fone(uint64_t *n) +{ + n[0U] = 0xffffffff00000001ULL; + n[1U] = 0x00000000ffffffffULL; + n[2U] = 0x1ULL; + n[3U] = 0x0ULL; + n[4U] = 0x0ULL; + n[5U] = 0x0ULL; +} + +static inline void +p384_make_qone(uint64_t *f) +{ + f[0U] = 0x1313e695333ad68dULL; + f[1U] = 0xa7e5f24db74f5885ULL; + f[2U] = 0x389cb27e0bc8d220ULL; + f[3U] = 0x0ULL; + f[4U] = 0x0ULL; + f[5U] = 0x0ULL; +} + +static inline void +fmont_reduction(uint64_t *res, uint64_t *x) +{ + uint64_t n[6U] = { 0U }; + p384_make_prime(n); + uint64_t c0 = 0ULL; + KRML_MAYBE_FOR6( + i0, + 0U, + 6U, + 1U, + uint64_t qj = 4294967297ULL * x[i0]; + uint64_t *res_j0 = x + i0; + uint64_t c = 0ULL; + { + uint64_t a_i = n[4U * 0U]; + uint64_t *res_i0 = res_j0 + 4U * 0U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c, res_i0); + uint64_t a_i0 = n[4U * 0U + 1U]; + uint64_t *res_i1 = res_j0 + 4U * 0U + 1U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, qj, c, res_i1); + uint64_t a_i1 = n[4U * 0U + 2U]; + uint64_t *res_i2 = res_j0 + 4U * 0U + 2U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, qj, c, res_i2); + uint64_t a_i2 = n[4U * 0U + 3U]; + uint64_t *res_i = res_j0 + 4U * 0U + 3U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, qj, c, res_i); + } KRML_MAYBE_FOR2(i, + 4U, + 6U, + 1U, + uint64_t a_i = n[i]; + uint64_t *res_i = res_j0 + i; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c, res_i);); + uint64_t r = c; + uint64_t c1 = r; + uint64_t *resb = x + 6U + i0; + uint64_t res_j = x[6U + i0]; + c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, c1, res_j, resb);); + memcpy(res, x + 6U, 6U * sizeof(uint64_t)); + uint64_t c00 = c0; + uint64_t tmp[6U] = { 0U }; + uint64_t c = 0ULL; + { + uint64_t t1 = res[4U * 0U]; + uint64_t t20 = n[4U * 0U]; + uint64_t *res_i0 = tmp + 4U * 0U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, t20, res_i0); + uint64_t t10 = res[4U * 0U + 1U]; + uint64_t t21 = n[4U * 0U + 1U]; + uint64_t *res_i1 = tmp + 4U * 0U + 1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, t21, res_i1); + uint64_t t11 = res[4U * 0U + 2U]; + uint64_t t22 = n[4U * 0U + 2U]; + uint64_t *res_i2 = tmp + 4U * 0U + 2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t11, t22, res_i2); + uint64_t t12 = res[4U * 0U + 3U]; + uint64_t t2 = n[4U * 0U + 3U]; + uint64_t *res_i = tmp + 4U * 0U + 3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t12, t2, res_i); + } + KRML_MAYBE_FOR2(i, + 4U, + 6U, + 1U, + uint64_t t1 = res[i]; + uint64_t t2 = n[i]; + uint64_t *res_i = tmp + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, t2, res_i);); + uint64_t c1 = c; + uint64_t c2 = c00 - c1; + KRML_MAYBE_FOR6(i, + 0U, + 6U, + 1U, + uint64_t *os = res; + uint64_t x1 = (c2 & res[i]) | (~c2 & tmp[i]); + os[i] = x1;); +} + +static inline void +qmont_reduction(uint64_t *res, uint64_t *x) +{ + uint64_t n[6U] = { 0U }; + p384_make_order(n); + uint64_t c0 = 0ULL; + KRML_MAYBE_FOR6( + i0, + 0U, + 6U, + 1U, + uint64_t qj = 7986114184663260229ULL * x[i0]; + uint64_t *res_j0 = x + i0; + uint64_t c = 0ULL; + { + uint64_t a_i = n[4U * 0U]; + uint64_t *res_i0 = res_j0 + 4U * 0U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c, res_i0); + uint64_t a_i0 = n[4U * 0U + 1U]; + uint64_t *res_i1 = res_j0 + 4U * 0U + 1U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, qj, c, res_i1); + uint64_t a_i1 = n[4U * 0U + 2U]; + uint64_t *res_i2 = res_j0 + 4U * 0U + 2U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, qj, c, res_i2); + uint64_t a_i2 = n[4U * 0U + 3U]; + uint64_t *res_i = res_j0 + 4U * 0U + 3U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, qj, c, res_i); + } KRML_MAYBE_FOR2(i, + 4U, + 6U, + 1U, + uint64_t a_i = n[i]; + uint64_t *res_i = res_j0 + i; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c, res_i);); + uint64_t r = c; + uint64_t c1 = r; + uint64_t *resb = x + 6U + i0; + uint64_t res_j = x[6U + i0]; + c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, c1, res_j, resb);); + memcpy(res, x + 6U, 6U * sizeof(uint64_t)); + uint64_t c00 = c0; + uint64_t tmp[6U] = { 0U }; + uint64_t c = 0ULL; + { + uint64_t t1 = res[4U * 0U]; + uint64_t t20 = n[4U * 0U]; + uint64_t *res_i0 = tmp + 4U * 0U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, t20, res_i0); + uint64_t t10 = res[4U * 0U + 1U]; + uint64_t t21 = n[4U * 0U + 1U]; + uint64_t *res_i1 = tmp + 4U * 0U + 1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, t21, res_i1); + uint64_t t11 = res[4U * 0U + 2U]; + uint64_t t22 = n[4U * 0U + 2U]; + uint64_t *res_i2 = tmp + 4U * 0U + 2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t11, t22, res_i2); + uint64_t t12 = res[4U * 0U + 3U]; + uint64_t t2 = n[4U * 0U + 3U]; + uint64_t *res_i = tmp + 4U * 0U + 3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t12, t2, res_i); + } + KRML_MAYBE_FOR2(i, + 4U, + 6U, + 1U, + uint64_t t1 = res[i]; + uint64_t t2 = n[i]; + uint64_t *res_i = tmp + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, t2, res_i);); + uint64_t c1 = c; + uint64_t c2 = c00 - c1; + KRML_MAYBE_FOR6(i, + 0U, + 6U, + 1U, + uint64_t *os = res; + uint64_t x1 = (c2 & res[i]) | (~c2 & tmp[i]); + os[i] = x1;); +} + +static inline uint64_t +bn_is_lt_prime_mask(uint64_t *f) +{ + uint64_t tmp[6U] = { 0U }; + p384_make_prime(tmp); + uint64_t c = bn_sub(tmp, f, tmp); + uint64_t m = FStar_UInt64_gte_mask(c, 0ULL) & ~FStar_UInt64_eq_mask(c, 0ULL); + return m; +} + +static inline void +fadd0(uint64_t *a, uint64_t *b, uint64_t *c) +{ + uint64_t n[6U] = { 0U }; + p384_make_prime(n); + bn_add_mod(a, n, b, c); +} + +static inline void +fsub0(uint64_t *a, uint64_t *b, uint64_t *c) +{ + uint64_t n[6U] = { 0U }; + p384_make_prime(n); + bn_sub_mod(a, n, b, c); +} + +static inline void +fmul0(uint64_t *a, uint64_t *b, uint64_t *c) +{ + uint64_t tmp[12U] = { 0U }; + bn_mul(tmp, b, c); + fmont_reduction(a, tmp); +} + +static inline void +fsqr0(uint64_t *a, uint64_t *b) +{ + uint64_t tmp[12U] = { 0U }; + bn_sqr(tmp, b); + fmont_reduction(a, tmp); +} + +static inline void +from_mont(uint64_t *a, uint64_t *b) +{ + uint64_t tmp[12U] = { 0U }; + memcpy(tmp, b, 6U * sizeof(uint64_t)); + fmont_reduction(a, tmp); +} + +static inline void +to_mont(uint64_t *a, uint64_t *b) +{ + uint64_t r2modn[6U] = { 0U }; + p384_make_fmont_R2(r2modn); + uint64_t tmp[12U] = { 0U }; + bn_mul(tmp, b, r2modn); + fmont_reduction(a, tmp); +} + +static inline void +fexp_consttime(uint64_t *out, uint64_t *a, uint64_t *b) +{ + uint64_t table[192U] = { 0U }; + uint64_t tmp[6U] = { 0U }; + uint64_t *t0 = table; + uint64_t *t1 = table + 6U; + p384_make_fone(t0); + memcpy(t1, a, 6U * sizeof(uint64_t)); + KRML_MAYBE_FOR15(i, + 0U, + 15U, + 1U, + uint64_t *t11 = table + (i + 1U) * 6U; + fsqr0(tmp, t11); + memcpy(table + (2U * i + 2U) * 6U, tmp, 6U * sizeof(uint64_t)); + uint64_t *t2 = table + (2U * i + 2U) * 6U; + fmul0(tmp, a, t2); + memcpy(table + (2U * i + 3U) * 6U, tmp, 6U * sizeof(uint64_t));); + uint32_t i0 = 380U; + uint64_t bits_c = Hacl_Bignum_Lib_bn_get_bits_u64(6U, b, i0, 5U); + memcpy(out, (uint64_t *)table, 6U * sizeof(uint64_t)); + for (uint32_t i1 = 0U; i1 < 31U; i1++) { + uint64_t c = FStar_UInt64_eq_mask(bits_c, (uint64_t)(i1 + 1U)); + const uint64_t *res_j = table + (i1 + 1U) * 6U; + KRML_MAYBE_FOR6(i, + 0U, + 6U, + 1U, + uint64_t *os = out; + uint64_t x = (c & res_j[i]) | (~c & out[i]); + os[i] = x;); + } + uint64_t tmp0[6U] = { 0U }; + for (uint32_t i1 = 0U; i1 < 76U; i1++) { + KRML_MAYBE_FOR5(i, 0U, 5U, 1U, fsqr0(out, out);); + uint32_t k = 380U - 5U * i1 - 5U; + uint64_t bits_l = Hacl_Bignum_Lib_bn_get_bits_u64(6U, b, k, 5U); + memcpy(tmp0, (uint64_t *)table, 6U * sizeof(uint64_t)); + for (uint32_t i2 = 0U; i2 < 31U; i2++) { + uint64_t c = FStar_UInt64_eq_mask(bits_l, (uint64_t)(i2 + 1U)); + const uint64_t *res_j = table + (i2 + 1U) * 6U; + KRML_MAYBE_FOR6(i, + 0U, + 6U, + 1U, + uint64_t *os = tmp0; + uint64_t x = (c & res_j[i]) | (~c & tmp0[i]); + os[i] = x;); + } + fmul0(out, out, tmp0); + } +} + +static inline void +p384_finv(uint64_t *res, uint64_t *a) +{ + uint64_t b[6U] = { 0U }; + b[0U] = 0x00000000fffffffdULL; + b[1U] = 0xffffffff00000000ULL; + b[2U] = 0xfffffffffffffffeULL; + b[3U] = 0xffffffffffffffffULL; + b[4U] = 0xffffffffffffffffULL; + b[5U] = 0xffffffffffffffffULL; + fexp_consttime(res, a, b); +} + +static inline void +p384_fsqrt(uint64_t *res, uint64_t *a) +{ + uint64_t b[6U] = { 0U }; + b[0U] = 0x0000000040000000ULL; + b[1U] = 0xbfffffffc0000000ULL; + b[2U] = 0xffffffffffffffffULL; + b[3U] = 0xffffffffffffffffULL; + b[4U] = 0xffffffffffffffffULL; + b[5U] = 0x3fffffffffffffffULL; + fexp_consttime(res, a, b); +} + +static inline uint64_t +load_qelem_conditional(uint64_t *a, uint8_t *b) +{ + bn_from_bytes_be(a, b); + uint64_t tmp[6U] = { 0U }; + p384_make_order(tmp); + uint64_t c = bn_sub(tmp, a, tmp); + uint64_t is_lt_order = FStar_UInt64_gte_mask(c, 0ULL) & ~FStar_UInt64_eq_mask(c, 0ULL); + uint64_t bn_zero[6U] = { 0U }; + uint64_t res = bn_is_eq_mask(a, bn_zero); + uint64_t is_eq_zero = res; + uint64_t is_b_valid = is_lt_order & ~is_eq_zero; + uint64_t oneq[6U] = { 0U }; + memset(oneq, 0U, 6U * sizeof(uint64_t)); + oneq[0U] = 1ULL; + KRML_MAYBE_FOR6(i, + 0U, + 6U, + 1U, + uint64_t *os = a; + uint64_t uu____0 = oneq[i]; + uint64_t x = uu____0 ^ (is_b_valid & (a[i] ^ uu____0)); + os[i] = x;); + return is_b_valid; +} + +static inline void +qmod_short(uint64_t *a, uint64_t *b) +{ + uint64_t tmp[6U] = { 0U }; + p384_make_order(tmp); + uint64_t c = bn_sub(tmp, b, tmp); + bn_cmovznz(a, c, tmp, b); +} + +static inline void +qadd(uint64_t *a, uint64_t *b, uint64_t *c) +{ + uint64_t n[6U] = { 0U }; + p384_make_order(n); + bn_add_mod(a, n, b, c); +} + +static inline void +qmul(uint64_t *a, uint64_t *b, uint64_t *c) +{ + uint64_t tmp[12U] = { 0U }; + bn_mul(tmp, b, c); + qmont_reduction(a, tmp); +} + +static inline void +qsqr(uint64_t *a, uint64_t *b) +{ + uint64_t tmp[12U] = { 0U }; + bn_sqr(tmp, b); + qmont_reduction(a, tmp); +} + +static inline void +from_qmont(uint64_t *a, uint64_t *b) +{ + uint64_t tmp[12U] = { 0U }; + memcpy(tmp, b, 6U * sizeof(uint64_t)); + qmont_reduction(a, tmp); +} + +static inline void +qexp_consttime(uint64_t *out, uint64_t *a, uint64_t *b) +{ + uint64_t table[192U] = { 0U }; + uint64_t tmp[6U] = { 0U }; + uint64_t *t0 = table; + uint64_t *t1 = table + 6U; + p384_make_qone(t0); + memcpy(t1, a, 6U * sizeof(uint64_t)); + KRML_MAYBE_FOR15(i, + 0U, + 15U, + 1U, + uint64_t *t11 = table + (i + 1U) * 6U; + qsqr(tmp, t11); + memcpy(table + (2U * i + 2U) * 6U, tmp, 6U * sizeof(uint64_t)); + uint64_t *t2 = table + (2U * i + 2U) * 6U; + qmul(tmp, a, t2); + memcpy(table + (2U * i + 3U) * 6U, tmp, 6U * sizeof(uint64_t));); + uint32_t i0 = 380U; + uint64_t bits_c = Hacl_Bignum_Lib_bn_get_bits_u64(6U, b, i0, 5U); + memcpy(out, (uint64_t *)table, 6U * sizeof(uint64_t)); + for (uint32_t i1 = 0U; i1 < 31U; i1++) { + uint64_t c = FStar_UInt64_eq_mask(bits_c, (uint64_t)(i1 + 1U)); + const uint64_t *res_j = table + (i1 + 1U) * 6U; + KRML_MAYBE_FOR6(i, + 0U, + 6U, + 1U, + uint64_t *os = out; + uint64_t x = (c & res_j[i]) | (~c & out[i]); + os[i] = x;); + } + uint64_t tmp0[6U] = { 0U }; + for (uint32_t i1 = 0U; i1 < 76U; i1++) { + KRML_MAYBE_FOR5(i, 0U, 5U, 1U, qsqr(out, out);); + uint32_t k = 380U - 5U * i1 - 5U; + uint64_t bits_l = Hacl_Bignum_Lib_bn_get_bits_u64(6U, b, k, 5U); + memcpy(tmp0, (uint64_t *)table, 6U * sizeof(uint64_t)); + for (uint32_t i2 = 0U; i2 < 31U; i2++) { + uint64_t c = FStar_UInt64_eq_mask(bits_l, (uint64_t)(i2 + 1U)); + const uint64_t *res_j = table + (i2 + 1U) * 6U; + KRML_MAYBE_FOR6(i, + 0U, + 6U, + 1U, + uint64_t *os = tmp0; + uint64_t x = (c & res_j[i]) | (~c & tmp0[i]); + os[i] = x;); + } + qmul(out, out, tmp0); + } +} + +static inline void +p384_qinv(uint64_t *res, uint64_t *a) +{ + uint64_t b[6U] = { 0U }; + b[0U] = 0xecec196accc52971ULL; + b[1U] = 0x581a0db248b0a77aULL; + b[2U] = 0xc7634d81f4372ddfULL; + b[3U] = 0xffffffffffffffffULL; + b[4U] = 0xffffffffffffffffULL; + b[5U] = 0xffffffffffffffffULL; + qexp_consttime(res, a, b); +} + +static inline void +point_add(uint64_t *x, uint64_t *y, uint64_t *xy) +{ + uint64_t tmp[54U] = { 0U }; + uint64_t *t0 = tmp; + uint64_t *t1 = tmp + 36U; + uint64_t *x3 = t1; + uint64_t *y3 = t1 + 6U; + uint64_t *z3 = t1 + 12U; + uint64_t *t01 = t0; + uint64_t *t11 = t0 + 6U; + uint64_t *t2 = t0 + 12U; + uint64_t *t3 = t0 + 18U; + uint64_t *t4 = t0 + 24U; + uint64_t *t5 = t0 + 30U; + uint64_t *x1 = x; + uint64_t *y1 = x + 6U; + uint64_t *z10 = x + 12U; + uint64_t *x20 = y; + uint64_t *y20 = y + 6U; + uint64_t *z20 = y + 12U; + fmul0(t01, x1, x20); + fmul0(t11, y1, y20); + fmul0(t2, z10, z20); + fadd0(t3, x1, y1); + fadd0(t4, x20, y20); + fmul0(t3, t3, t4); + fadd0(t4, t01, t11); + uint64_t *y10 = x + 6U; + uint64_t *z11 = x + 12U; + uint64_t *y2 = y + 6U; + uint64_t *z21 = y + 12U; + fsub0(t3, t3, t4); + fadd0(t4, y10, z11); + fadd0(t5, y2, z21); + fmul0(t4, t4, t5); + fadd0(t5, t11, t2); + fsub0(t4, t4, t5); + uint64_t *x10 = x; + uint64_t *z1 = x + 12U; + uint64_t *x2 = y; + uint64_t *z2 = y + 12U; + fadd0(x3, x10, z1); + fadd0(y3, x2, z2); + fmul0(x3, x3, y3); + fadd0(y3, t01, t2); + fsub0(y3, x3, y3); + uint64_t b_coeff[6U] = { 0U }; + p384_make_b_coeff(b_coeff); + fmul0(z3, b_coeff, t2); + fsub0(x3, y3, z3); + fadd0(z3, x3, x3); + fadd0(x3, x3, z3); + fsub0(z3, t11, x3); + fadd0(x3, t11, x3); + uint64_t b_coeff0[6U] = { 0U }; + p384_make_b_coeff(b_coeff0); + fmul0(y3, b_coeff0, y3); + fadd0(t11, t2, t2); + fadd0(t2, t11, t2); + fsub0(y3, y3, t2); + fsub0(y3, y3, t01); + fadd0(t11, y3, y3); + fadd0(y3, t11, y3); + fadd0(t11, t01, t01); + fadd0(t01, t11, t01); + fsub0(t01, t01, t2); + fmul0(t11, t4, y3); + fmul0(t2, t01, y3); + fmul0(y3, x3, z3); + fadd0(y3, y3, t2); + fmul0(x3, t3, x3); + fsub0(x3, x3, t11); + fmul0(z3, t4, z3); + fmul0(t11, t3, t01); + fadd0(z3, z3, t11); + memcpy(xy, t1, 18U * sizeof(uint64_t)); +} + +static inline void +point_double(uint64_t *x, uint64_t *xx) +{ + uint64_t tmp[30U] = { 0U }; + uint64_t *x1 = x; + uint64_t *z = x + 12U; + uint64_t *x3 = xx; + uint64_t *y3 = xx + 6U; + uint64_t *z3 = xx + 12U; + uint64_t *t0 = tmp; + uint64_t *t1 = tmp + 6U; + uint64_t *t2 = tmp + 12U; + uint64_t *t3 = tmp + 18U; + uint64_t *t4 = tmp + 24U; + uint64_t *x2 = x; + uint64_t *y = x + 6U; + uint64_t *z1 = x + 12U; + fsqr0(t0, x2); + fsqr0(t1, y); + fsqr0(t2, z1); + fmul0(t3, x2, y); + fadd0(t3, t3, t3); + fmul0(t4, y, z1); + fmul0(z3, x1, z); + fadd0(z3, z3, z3); + uint64_t b_coeff[6U] = { 0U }; + p384_make_b_coeff(b_coeff); + fmul0(y3, b_coeff, t2); + fsub0(y3, y3, z3); + fadd0(x3, y3, y3); + fadd0(y3, x3, y3); + fsub0(x3, t1, y3); + fadd0(y3, t1, y3); + fmul0(y3, x3, y3); + fmul0(x3, x3, t3); + fadd0(t3, t2, t2); + fadd0(t2, t2, t3); + uint64_t b_coeff0[6U] = { 0U }; + p384_make_b_coeff(b_coeff0); + fmul0(z3, b_coeff0, z3); + fsub0(z3, z3, t2); + fsub0(z3, z3, t0); + fadd0(t3, z3, z3); + fadd0(z3, z3, t3); + fadd0(t3, t0, t0); + fadd0(t0, t3, t0); + fsub0(t0, t0, t2); + fmul0(t0, t0, z3); + fadd0(y3, y3, t0); + fadd0(t0, t4, t4); + fmul0(z3, t0, z3); + fsub0(x3, x3, z3); + fmul0(z3, t0, t1); + fadd0(z3, z3, z3); + fadd0(z3, z3, z3); +} + +static inline void +point_zero(uint64_t *one) +{ + uint64_t *x = one; + uint64_t *y = one + 6U; + uint64_t *z = one + 12U; + p384_make_fzero(x); + p384_make_fone(y); + p384_make_fzero(z); +} + +static inline void +point_mul(uint64_t *res, uint64_t *scalar, uint64_t *p) +{ + uint64_t table[288U] = { 0U }; + uint64_t tmp[18U] = { 0U }; + uint64_t *t0 = table; + uint64_t *t1 = table + 18U; + point_zero(t0); + memcpy(t1, p, 18U * sizeof(uint64_t)); + KRML_MAYBE_FOR7(i, + 0U, + 7U, + 1U, + uint64_t *t11 = table + (i + 1U) * 18U; + point_double(t11, tmp); + memcpy(table + (2U * i + 2U) * 18U, tmp, 18U * sizeof(uint64_t)); + uint64_t *t2 = table + (2U * i + 2U) * 18U; + point_add(p, t2, tmp); + memcpy(table + (2U * i + 3U) * 18U, tmp, 18U * sizeof(uint64_t));); + point_zero(res); + uint64_t tmp0[18U] = { 0U }; + for (uint32_t i0 = 0U; i0 < 96U; i0++) { + KRML_MAYBE_FOR4(i, 0U, 4U, 1U, point_double(res, res);); + uint32_t k = 384U - 4U * i0 - 4U; + uint64_t bits_l = Hacl_Bignum_Lib_bn_get_bits_u64(6U, scalar, k, 4U); + memcpy(tmp0, (uint64_t *)table, 18U * sizeof(uint64_t)); + KRML_MAYBE_FOR15( + i1, + 0U, + 15U, + 1U, + uint64_t c = FStar_UInt64_eq_mask(bits_l, (uint64_t)(i1 + 1U)); + const uint64_t *res_j = table + (i1 + 1U) * 18U; + for (uint32_t i = 0U; i < 18U; i++) { + uint64_t *os = tmp0; + uint64_t x = (c & res_j[i]) | (~c & tmp0[i]); + os[i] = x; + }); + point_add(res, tmp0, res); + } +} + +static inline void +point_mul_g(uint64_t *res, uint64_t *scalar) +{ + uint64_t g[18U] = { 0U }; + uint64_t *x = g; + uint64_t *y = g + 6U; + uint64_t *z = g + 12U; + p384_make_g_x(x); + p384_make_g_y(y); + p384_make_fone(z); + point_mul(res, scalar, g); +} + +static inline void +point_mul_double_g(uint64_t *res, uint64_t *scalar1, uint64_t *scalar2, uint64_t *p) +{ + uint64_t tmp[18U] = { 0U }; + point_mul_g(tmp, scalar1); + point_mul(res, scalar2, p); + point_add(res, tmp, res); +} + +static inline bool +ecdsa_sign_msg_as_qelem( + uint8_t *signature, + uint64_t *m_q, + uint8_t *private_key, + uint8_t *nonce) +{ + uint64_t rsdk_q[24U] = { 0U }; + uint64_t *r_q = rsdk_q; + uint64_t *s_q = rsdk_q + 6U; + uint64_t *d_a = rsdk_q + 12U; + uint64_t *k_q = rsdk_q + 18U; + uint64_t is_sk_valid = load_qelem_conditional(d_a, private_key); + uint64_t is_nonce_valid = load_qelem_conditional(k_q, nonce); + uint64_t are_sk_nonce_valid = is_sk_valid & is_nonce_valid; + uint64_t p[18U] = { 0U }; + point_mul_g(p, k_q); + uint64_t zinv[6U] = { 0U }; + uint64_t *px = p; + uint64_t *pz = p + 12U; + p384_finv(zinv, pz); + fmul0(r_q, px, zinv); + from_mont(r_q, r_q); + qmod_short(r_q, r_q); + uint64_t kinv[6U] = { 0U }; + p384_qinv(kinv, k_q); + qmul(s_q, r_q, d_a); + from_qmont(m_q, m_q); + qadd(s_q, m_q, s_q); + qmul(s_q, kinv, s_q); + bn_to_bytes_be(signature, r_q); + bn_to_bytes_be(signature + 48U, s_q); + uint64_t bn_zero0[6U] = { 0U }; + uint64_t res = bn_is_eq_mask(r_q, bn_zero0); + uint64_t is_r_zero = res; + uint64_t bn_zero[6U] = { 0U }; + uint64_t res0 = bn_is_eq_mask(s_q, bn_zero); + uint64_t is_s_zero = res0; + uint64_t m = are_sk_nonce_valid & (~is_r_zero & ~is_s_zero); + bool res1 = m == 0xFFFFFFFFFFFFFFFFULL; + return res1; +} + +static inline bool +ecdsa_verify_msg_as_qelem( + uint64_t *m_q, + uint8_t *public_key, + uint8_t *signature_r, + uint8_t *signature_s) +{ + uint64_t tmp[42U] = { 0U }; + uint64_t *pk = tmp; + uint64_t *r_q = tmp + 18U; + uint64_t *s_q = tmp + 24U; + uint64_t *u1 = tmp + 30U; + uint64_t *u2 = tmp + 36U; + uint64_t p_aff[12U] = { 0U }; + uint8_t *p_x = public_key; + uint8_t *p_y = public_key + 48U; + uint64_t *bn_p_x = p_aff; + uint64_t *bn_p_y = p_aff + 6U; + bn_from_bytes_be(bn_p_x, p_x); + bn_from_bytes_be(bn_p_y, p_y); + uint64_t *px0 = p_aff; + uint64_t *py0 = p_aff + 6U; + uint64_t lessX = bn_is_lt_prime_mask(px0); + uint64_t lessY = bn_is_lt_prime_mask(py0); + uint64_t res0 = lessX & lessY; + bool is_xy_valid = res0 == 0xFFFFFFFFFFFFFFFFULL; + bool res; + if (!is_xy_valid) { + res = false; + } else { + uint64_t rp[6U] = { 0U }; + uint64_t tx[6U] = { 0U }; + uint64_t ty[6U] = { 0U }; + uint64_t *px = p_aff; + uint64_t *py = p_aff + 6U; + to_mont(tx, px); + to_mont(ty, py); + uint64_t tmp1[6U] = { 0U }; + fsqr0(rp, tx); + fmul0(rp, rp, tx); + p384_make_a_coeff(tmp1); + fmul0(tmp1, tmp1, tx); + fadd0(rp, tmp1, rp); + p384_make_b_coeff(tmp1); + fadd0(rp, tmp1, rp); + fsqr0(ty, ty); + uint64_t r = bn_is_eq_mask(ty, rp); + uint64_t r0 = r; + bool r1 = r0 == 0xFFFFFFFFFFFFFFFFULL; + res = r1; + } + if (res) { + uint64_t *px = p_aff; + uint64_t *py = p_aff + 6U; + uint64_t *rx = pk; + uint64_t *ry = pk + 6U; + uint64_t *rz = pk + 12U; + to_mont(rx, px); + to_mont(ry, py); + p384_make_fone(rz); + } + bool is_pk_valid = res; + bn_from_bytes_be(r_q, signature_r); + bn_from_bytes_be(s_q, signature_s); + uint64_t tmp10[6U] = { 0U }; + p384_make_order(tmp10); + uint64_t c = bn_sub(tmp10, r_q, tmp10); + uint64_t is_lt_order = FStar_UInt64_gte_mask(c, 0ULL) & ~FStar_UInt64_eq_mask(c, 0ULL); + uint64_t bn_zero0[6U] = { 0U }; + uint64_t res1 = bn_is_eq_mask(r_q, bn_zero0); + uint64_t is_eq_zero = res1; + uint64_t is_r_valid = is_lt_order & ~is_eq_zero; + uint64_t tmp11[6U] = { 0U }; + p384_make_order(tmp11); + uint64_t c0 = bn_sub(tmp11, s_q, tmp11); + uint64_t is_lt_order0 = FStar_UInt64_gte_mask(c0, 0ULL) & ~FStar_UInt64_eq_mask(c0, 0ULL); + uint64_t bn_zero1[6U] = { 0U }; + uint64_t res2 = bn_is_eq_mask(s_q, bn_zero1); + uint64_t is_eq_zero0 = res2; + uint64_t is_s_valid = is_lt_order0 & ~is_eq_zero0; + bool is_rs_valid = is_r_valid == 0xFFFFFFFFFFFFFFFFULL && is_s_valid == 0xFFFFFFFFFFFFFFFFULL; + if (!(is_pk_valid && is_rs_valid)) { + return false; + } + uint64_t sinv[6U] = { 0U }; + p384_qinv(sinv, s_q); + uint64_t tmp1[6U] = { 0U }; + from_qmont(tmp1, m_q); + qmul(u1, sinv, tmp1); + uint64_t tmp12[6U] = { 0U }; + from_qmont(tmp12, r_q); + qmul(u2, sinv, tmp12); + uint64_t res3[18U] = { 0U }; + point_mul_double_g(res3, u1, u2, pk); + uint64_t *pz0 = res3 + 12U; + uint64_t bn_zero[6U] = { 0U }; + uint64_t res10 = bn_is_eq_mask(pz0, bn_zero); + uint64_t m = res10; + if (m == 0xFFFFFFFFFFFFFFFFULL) { + return false; + } + uint64_t x[6U] = { 0U }; + uint64_t zinv[6U] = { 0U }; + uint64_t *px = res3; + uint64_t *pz = res3 + 12U; + p384_finv(zinv, pz); + fmul0(x, px, zinv); + from_mont(x, x); + qmod_short(x, x); + uint64_t m0 = bn_is_eq_mask(x, r_q); + bool res11 = m0 == 0xFFFFFFFFFFFFFFFFULL; + return res11; +} + +/******************************************************************************* + + Verified C library for ECDSA and ECDH functions over the P-384 NIST curve. + + This module implements signing and verification, key validation, conversions + between various point representations, and ECDH key agreement. + +*******************************************************************************/ + +/*****************/ +/* ECDSA signing */ +/*****************/ + +/** +Create an ECDSA signature WITHOUT hashing first. + + This function is intended to receive a hash of the input. + For convenience, we recommend using one of the hash-and-sign combined functions above. + + The argument `msg` MUST be at least 48 bytes (i.e. `msg_len >= 48`). + + NOTE: The equivalent functions in OpenSSL and Fiat-Crypto both accept inputs + smaller than 48 bytes. These libraries left-pad the input with enough zeroes to + reach the minimum 48 byte size. Clients who need behavior identical to OpenSSL + need to perform the left-padding themselves. + + The function returns `true` for successful creation of an ECDSA signature and `false` otherwise. + + The outparam `signature` (R || S) points to 96 bytes of valid memory, i.e., uint8_t[96]. + The argument `msg` points to `msg_len` bytes of valid memory, i.e., uint8_t[msg_len]. + The arguments `private_key` and `nonce` point to 48 bytes of valid memory, i.e., uint8_t[48]. + + The function also checks whether `private_key` and `nonce` are valid values: + • 0 < `private_key` < the order of the curve + • 0 < `nonce` < the order of the curve +*/ +bool +Hacl_P384_ecdsa_sign_p384_without_hash( + uint8_t *signature, + uint32_t msg_len, + uint8_t *msg, + uint8_t *private_key, + uint8_t *nonce) +{ + uint64_t m_q[6U] = { 0U }; + uint8_t mHash[48U] = { 0U }; + memcpy(mHash, msg, 48U * sizeof(uint8_t)); + KRML_MAYBE_UNUSED_VAR(msg_len); + uint8_t *mHash48 = mHash; + bn_from_bytes_be(m_q, mHash48); + qmod_short(m_q, m_q); + bool res = ecdsa_sign_msg_as_qelem(signature, m_q, private_key, nonce); + return res; +} + +/**********************/ +/* ECDSA verification */ +/**********************/ + +/** +Verify an ECDSA signature WITHOUT hashing first. + + This function is intended to receive a hash of the input. + For convenience, we recommend using one of the hash-and-verify combined functions above. + + The argument `msg` MUST be at least 48 bytes (i.e. `msg_len >= 48`). + + The function returns `true` if the signature is valid and `false` otherwise. + + The argument `msg` points to `msg_len` bytes of valid memory, i.e., uint8_t[msg_len]. + The argument `public_key` (x || y) points to 96 bytes of valid memory, i.e., uint8_t[96]. + The arguments `signature_r` and `signature_s` point to 48 bytes of valid memory, i.e., uint8_t[48]. + + The function also checks whether `public_key` is valid +*/ +bool +Hacl_P384_ecdsa_verif_without_hash( + uint32_t msg_len, + uint8_t *msg, + uint8_t *public_key, + uint8_t *signature_r, + uint8_t *signature_s) +{ + uint64_t m_q[6U] = { 0U }; + uint8_t mHash[48U] = { 0U }; + memcpy(mHash, msg, 48U * sizeof(uint8_t)); + KRML_MAYBE_UNUSED_VAR(msg_len); + uint8_t *mHash48 = mHash; + bn_from_bytes_be(m_q, mHash48); + qmod_short(m_q, m_q); + bool res = ecdsa_verify_msg_as_qelem(m_q, public_key, signature_r, signature_s); + return res; +} + +/******************/ +/* Key validation */ +/******************/ + +/** +Public key validation. + + The function returns `true` if a public key is valid and `false` otherwise. + + The argument `public_key` points to 96 bytes of valid memory, i.e., uint8_t[96]. + + The public key (x || y) is valid (with respect to SP 800-56A): + • the public key is not the “point at infinity”, represented as O. + • the affine x and y coordinates of the point represented by the public key are + in the range [0, p – 1] where p is the prime defining the finite field. + • y^2 = x^3 + ax + b where a and b are the coefficients of the curve equation. + The last extract is taken from: https://neilmadden.blog/2017/05/17/so-how-do-you-validate-nist-ecdh-public-keys/ +*/ +bool +Hacl_P384_validate_public_key(uint8_t *public_key) +{ + uint64_t point_jac[18U] = { 0U }; + uint64_t p_aff[12U] = { 0U }; + uint8_t *p_x = public_key; + uint8_t *p_y = public_key + 48U; + uint64_t *bn_p_x = p_aff; + uint64_t *bn_p_y = p_aff + 6U; + bn_from_bytes_be(bn_p_x, p_x); + bn_from_bytes_be(bn_p_y, p_y); + uint64_t *px0 = p_aff; + uint64_t *py0 = p_aff + 6U; + uint64_t lessX = bn_is_lt_prime_mask(px0); + uint64_t lessY = bn_is_lt_prime_mask(py0); + uint64_t res0 = lessX & lessY; + bool is_xy_valid = res0 == 0xFFFFFFFFFFFFFFFFULL; + bool res; + if (!is_xy_valid) { + res = false; + } else { + uint64_t rp[6U] = { 0U }; + uint64_t tx[6U] = { 0U }; + uint64_t ty[6U] = { 0U }; + uint64_t *px = p_aff; + uint64_t *py = p_aff + 6U; + to_mont(tx, px); + to_mont(ty, py); + uint64_t tmp[6U] = { 0U }; + fsqr0(rp, tx); + fmul0(rp, rp, tx); + p384_make_a_coeff(tmp); + fmul0(tmp, tmp, tx); + fadd0(rp, tmp, rp); + p384_make_b_coeff(tmp); + fadd0(rp, tmp, rp); + fsqr0(ty, ty); + uint64_t r = bn_is_eq_mask(ty, rp); + uint64_t r0 = r; + bool r1 = r0 == 0xFFFFFFFFFFFFFFFFULL; + res = r1; + } + if (res) { + uint64_t *px = p_aff; + uint64_t *py = p_aff + 6U; + uint64_t *rx = point_jac; + uint64_t *ry = point_jac + 6U; + uint64_t *rz = point_jac + 12U; + to_mont(rx, px); + to_mont(ry, py); + p384_make_fone(rz); + } + bool res1 = res; + return res1; } /** @@ -117,10 +1429,280 @@ Hacl_P384_validate_private_key(uint8_t *private_key) uint64_t tmp[6U] = { 0U }; p384_make_order(tmp); uint64_t c = bn_sub(tmp, bn_sk, tmp); - uint64_t is_lt_order = (uint64_t)0U - c; + uint64_t is_lt_order = FStar_UInt64_gte_mask(c, 0ULL) & ~FStar_UInt64_eq_mask(c, 0ULL); uint64_t bn_zero[6U] = { 0U }; uint64_t res = bn_is_eq_mask(bn_sk, bn_zero); uint64_t is_eq_zero = res; uint64_t res0 = is_lt_order & ~is_eq_zero; - return res0 == (uint64_t)0xFFFFFFFFFFFFFFFFU; + return res0 == 0xFFFFFFFFFFFFFFFFULL; +} + +/******************************************************************************* + Parsing and Serializing public keys. + + A public key is a point (x, y) on the P-384 NIST curve. + + The point can be represented in the following three ways. + • raw = [ x || y ], 96 bytes + • uncompressed = [ 0x04 || x || y ], 97 bytes + • compressed = [ (0x02 for even `y` and 0x03 for odd `y`) || x ], 33 bytes + +*******************************************************************************/ + +/** +Convert a public key from uncompressed to its raw form. + + The function returns `true` for successful conversion of a public key and `false` otherwise. + + The outparam `pk_raw` points to 96 bytes of valid memory, i.e., uint8_t[96]. + The argument `pk` points to 97 bytes of valid memory, i.e., uint8_t[97]. + + The function DOESN'T check whether (x, y) is a valid point. +*/ +bool +Hacl_P384_uncompressed_to_raw(uint8_t *pk, uint8_t *pk_raw) +{ + uint8_t pk0 = pk[0U]; + if (pk0 != 0x04U) { + return false; + } + memcpy(pk_raw, pk + 1U, 96U * sizeof(uint8_t)); + return true; +} + +/** +Convert a public key from compressed to its raw form. + + The function returns `true` for successful conversion of a public key and `false` otherwise. + + The outparam `pk_raw` points to 96 bytes of valid memory, i.e., uint8_t[96]. + The argument `pk` points to 33 bytes of valid memory, i.e., uint8_t[33]. + + The function also checks whether (x, y) is a valid point. +*/ +bool +Hacl_P384_compressed_to_raw(uint8_t *pk, uint8_t *pk_raw) +{ + uint64_t xa[6U] = { 0U }; + uint64_t ya[6U] = { 0U }; + uint8_t *pk_xb = pk + 1U; + uint8_t s0 = pk[0U]; + uint8_t s01 = s0; + bool b; + if (!(s01 == 0x02U || s01 == 0x03U)) { + b = false; + } else { + uint8_t *xb = pk + 1U; + bn_from_bytes_be(xa, xb); + uint64_t is_x_valid = bn_is_lt_prime_mask(xa); + bool is_x_valid1 = is_x_valid == 0xFFFFFFFFFFFFFFFFULL; + bool is_y_odd = s01 == 0x03U; + if (!is_x_valid1) { + b = false; + } else { + uint64_t y2M[6U] = { 0U }; + uint64_t xM[6U] = { 0U }; + uint64_t yM[6U] = { 0U }; + to_mont(xM, xa); + uint64_t tmp[6U] = { 0U }; + fsqr0(y2M, xM); + fmul0(y2M, y2M, xM); + p384_make_a_coeff(tmp); + fmul0(tmp, tmp, xM); + fadd0(y2M, tmp, y2M); + p384_make_b_coeff(tmp); + fadd0(y2M, tmp, y2M); + p384_fsqrt(yM, y2M); + from_mont(ya, yM); + fsqr0(yM, yM); + uint64_t r = bn_is_eq_mask(yM, y2M); + uint64_t r0 = r; + bool is_y_valid = r0 == 0xFFFFFFFFFFFFFFFFULL; + bool is_y_valid0 = is_y_valid; + if (!is_y_valid0) { + b = false; + } else { + uint64_t is_y_odd1 = ya[0U] & 1ULL; + bool is_y_odd2 = is_y_odd1 == 1ULL; + uint64_t zero[6U] = { 0U }; + if (is_y_odd2 != is_y_odd) { + fsub0(ya, zero, ya); + } + b = true; + } + } + } + if (b) { + memcpy(pk_raw, pk_xb, 48U * sizeof(uint8_t)); + bn_to_bytes_be(pk_raw + 48U, ya); + } + return b; +} + +/** +Convert a public key from raw to its uncompressed form. + + The outparam `pk` points to 97 bytes of valid memory, i.e., uint8_t[97]. + The argument `pk_raw` points to 96 bytes of valid memory, i.e., uint8_t[96]. + + The function DOESN'T check whether (x, y) is a valid point. +*/ +void +Hacl_P384_raw_to_uncompressed(uint8_t *pk_raw, uint8_t *pk) +{ + pk[0U] = 0x04U; + memcpy(pk + 1U, pk_raw, 96U * sizeof(uint8_t)); +} + +/** +Convert a public key from raw to its compressed form. + + The outparam `pk` points to 33 bytes of valid memory, i.e., uint8_t[33]. + The argument `pk_raw` points to 96 bytes of valid memory, i.e., uint8_t[96]. + + The function DOESN'T check whether (x, y) is a valid point. +*/ +void +Hacl_P384_raw_to_compressed(uint8_t *pk_raw, uint8_t *pk) +{ + uint8_t *pk_x = pk_raw; + uint8_t *pk_y = pk_raw + 48U; + uint64_t bn_f[6U] = { 0U }; + bn_from_bytes_be(bn_f, pk_y); + uint64_t is_odd_f = bn_f[0U] & 1ULL; + pk[0U] = (uint32_t)(uint8_t)is_odd_f + 0x02U; + memcpy(pk + 1U, pk_x, 48U * sizeof(uint8_t)); +} + +/******************/ +/* ECDH agreement */ +/******************/ + +/** +Compute the public key from the private key. + + The function returns `true` if a private key is valid and `false` otherwise. + + The outparam `public_key` points to 96 bytes of valid memory, i.e., uint8_t[96]. + The argument `private_key` points to 48 bytes of valid memory, i.e., uint8_t[48]. + + The private key is valid: + • 0 < `private_key` < the order of the curve. +*/ +bool +Hacl_P384_dh_initiator(uint8_t *public_key, uint8_t *private_key) +{ + uint64_t tmp[24U] = { 0U }; + uint64_t *sk = tmp; + uint64_t *pk = tmp + 6U; + uint64_t is_sk_valid = load_qelem_conditional(sk, private_key); + point_mul_g(pk, sk); + uint64_t aff_p[12U] = { 0U }; + uint64_t zinv[6U] = { 0U }; + uint64_t *px = pk; + uint64_t *py0 = pk + 6U; + uint64_t *pz = pk + 12U; + uint64_t *x = aff_p; + uint64_t *y = aff_p + 6U; + p384_finv(zinv, pz); + fmul0(x, px, zinv); + fmul0(y, py0, zinv); + from_mont(x, x); + from_mont(y, y); + uint64_t *px0 = aff_p; + uint64_t *py = aff_p + 6U; + bn_to_bytes_be(public_key, px0); + bn_to_bytes_be(public_key + 48U, py); + return is_sk_valid == 0xFFFFFFFFFFFFFFFFULL; +} + +/** +Execute the diffie-hellmann key exchange. + + The function returns `true` for successful creation of an ECDH shared secret and + `false` otherwise. + + The outparam `shared_secret` points to 96 bytes of valid memory, i.e., uint8_t[96]. + The argument `their_pubkey` points to 96 bytes of valid memory, i.e., uint8_t[96]. + The argument `private_key` points to 48 bytes of valid memory, i.e., uint8_t[48]. + + The function also checks whether `private_key` and `their_pubkey` are valid. +*/ +bool +Hacl_P384_dh_responder(uint8_t *shared_secret, uint8_t *their_pubkey, uint8_t *private_key) +{ + uint64_t tmp[192U] = { 0U }; + uint64_t *sk = tmp; + uint64_t *pk = tmp + 6U; + uint64_t p_aff[12U] = { 0U }; + uint8_t *p_x = their_pubkey; + uint8_t *p_y = their_pubkey + 48U; + uint64_t *bn_p_x = p_aff; + uint64_t *bn_p_y = p_aff + 6U; + bn_from_bytes_be(bn_p_x, p_x); + bn_from_bytes_be(bn_p_y, p_y); + uint64_t *px0 = p_aff; + uint64_t *py0 = p_aff + 6U; + uint64_t lessX = bn_is_lt_prime_mask(px0); + uint64_t lessY = bn_is_lt_prime_mask(py0); + uint64_t res0 = lessX & lessY; + bool is_xy_valid = res0 == 0xFFFFFFFFFFFFFFFFULL; + bool res; + if (!is_xy_valid) { + res = false; + } else { + uint64_t rp[6U] = { 0U }; + uint64_t tx[6U] = { 0U }; + uint64_t ty[6U] = { 0U }; + uint64_t *px = p_aff; + uint64_t *py = p_aff + 6U; + to_mont(tx, px); + to_mont(ty, py); + uint64_t tmp1[6U] = { 0U }; + fsqr0(rp, tx); + fmul0(rp, rp, tx); + p384_make_a_coeff(tmp1); + fmul0(tmp1, tmp1, tx); + fadd0(rp, tmp1, rp); + p384_make_b_coeff(tmp1); + fadd0(rp, tmp1, rp); + fsqr0(ty, ty); + uint64_t r = bn_is_eq_mask(ty, rp); + uint64_t r0 = r; + bool r1 = r0 == 0xFFFFFFFFFFFFFFFFULL; + res = r1; + } + if (res) { + uint64_t *px = p_aff; + uint64_t *py = p_aff + 6U; + uint64_t *rx = pk; + uint64_t *ry = pk + 6U; + uint64_t *rz = pk + 12U; + to_mont(rx, px); + to_mont(ry, py); + p384_make_fone(rz); + } + bool is_pk_valid = res; + uint64_t is_sk_valid = load_qelem_conditional(sk, private_key); + uint64_t ss_proj[18U] = { 0U }; + if (is_pk_valid) { + point_mul(ss_proj, sk, pk); + uint64_t aff_p[12U] = { 0U }; + uint64_t zinv[6U] = { 0U }; + uint64_t *px = ss_proj; + uint64_t *py1 = ss_proj + 6U; + uint64_t *pz = ss_proj + 12U; + uint64_t *x = aff_p; + uint64_t *y = aff_p + 6U; + p384_finv(zinv, pz); + fmul0(x, px, zinv); + fmul0(y, py1, zinv); + from_mont(x, x); + from_mont(y, y); + uint64_t *px1 = aff_p; + uint64_t *py = aff_p + 6U; + bn_to_bytes_be(shared_secret, px1); + bn_to_bytes_be(shared_secret + 48U, py); + } + return is_sk_valid == 0xFFFFFFFFFFFFFFFFULL && is_pk_valid; } diff --git a/nss/lib/freebl/verified/Hacl_P384.h b/nss/lib/freebl/verified/Hacl_P384.h index 4109947..e411f02 100644 --- a/nss/lib/freebl/verified/Hacl_P384.h +++ b/nss/lib/freebl/verified/Hacl_P384.h @@ -44,11 +44,90 @@ extern "C" { *******************************************************************************/ +/*****************/ +/* ECDSA signing */ +/*****************/ + +/** +Create an ECDSA signature WITHOUT hashing first. + + This function is intended to receive a hash of the input. + For convenience, we recommend using one of the hash-and-sign combined functions above. + + The argument `msg` MUST be at least 32 bytes (i.e. `msg_len >= 32`). + + NOTE: The equivalent functions in OpenSSL and Fiat-Crypto both accept inputs + smaller than 32 bytes. These libraries left-pad the input with enough zeroes to + reach the minimum 32 byte size. Clients who need behavior identical to OpenSSL + need to perform the left-padding themselves. + + The function returns `true` for successful creation of an ECDSA signature and `false` otherwise. + + The outparam `signature` (R || S) points to 64 bytes of valid memory, i.e., uint8_t[64]. + The argument `msg` points to `msg_len` bytes of valid memory, i.e., uint8_t[msg_len]. + The arguments `private_key` and `nonce` point to 32 bytes of valid memory, i.e., uint8_t[32]. + + The function also checks whether `private_key` and `nonce` are valid values: + • 0 < `private_key` < the order of the curve + • 0 < `nonce` < the order of the curve +*/ +bool +Hacl_P384_ecdsa_sign_p384_without_hash( + uint8_t *signature, + uint32_t msg_len, + uint8_t *msg, + uint8_t *private_key, + uint8_t *nonce); + +/**********************/ +/* ECDSA verification */ +/**********************/ + +/** +Verify an ECDSA signature WITHOUT hashing first. + + This function is intended to receive a hash of the input. + For convenience, we recommend using one of the hash-and-verify combined functions above. + + The argument `msg` MUST be at least 32 bytes (i.e. `msg_len >= 32`). + + The function returns `true` if the signature is valid and `false` otherwise. + + The argument `msg` points to `msg_len` bytes of valid memory, i.e., uint8_t[msg_len]. + The argument `public_key` (x || y) points to 64 bytes of valid memory, i.e., uint8_t[64]. + The arguments `signature_r` and `signature_s` point to 32 bytes of valid memory, i.e., uint8_t[32]. + + The function also checks whether `public_key` is valid +*/ +bool +Hacl_P384_ecdsa_verif_without_hash( + uint32_t msg_len, + uint8_t *msg, + uint8_t *public_key, + uint8_t *signature_r, + uint8_t *signature_s); + /******************/ /* Key validation */ /******************/ /** +Public key validation. + + The function returns `true` if a public key is valid and `false` otherwise. + + The argument `public_key` points to 64 bytes of valid memory, i.e., uint8_t[64]. + + The public key (x || y) is valid (with respect to SP 800-56A): + • the public key is not the “point at infinity”, represented as O. + • the affine x and y coordinates of the point represented by the public key are + in the range [0, p – 1] where p is the prime defining the finite field. + • y^2 = x^3 + ax + b where a and b are the coefficients of the curve equation. + The last extract is taken from: https://neilmadden.blog/2017/05/17/so-how-do-you-validate-nist-ecdh-public-keys/ +*/ +bool Hacl_P384_validate_public_key(uint8_t *public_key); + +/** Private key validation. The function returns `true` if a private key is valid and `false` otherwise. @@ -60,6 +139,94 @@ Private key validation. */ bool Hacl_P384_validate_private_key(uint8_t *private_key); +/******************************************************************************* + Parsing and Serializing public keys. + + A public key is a point (x, y) on the P-384 NIST curve. + + The point can be represented in the following three ways. + • raw = [ x || y ], 64 bytes + • uncompressed = [ 0x04 || x || y ], 65 bytes + • compressed = [ (0x02 for even `y` and 0x03 for odd `y`) || x ], 33 bytes + +*******************************************************************************/ + +/** +Convert a public key from uncompressed to its raw form. + + The function returns `true` for successful conversion of a public key and `false` otherwise. + + The outparam `pk_raw` points to 64 bytes of valid memory, i.e., uint8_t[64]. + The argument `pk` points to 65 bytes of valid memory, i.e., uint8_t[65]. + + The function DOESN'T check whether (x, y) is a valid point. +*/ +bool Hacl_P384_uncompressed_to_raw(uint8_t *pk, uint8_t *pk_raw); + +/** +Convert a public key from compressed to its raw form. + + The function returns `true` for successful conversion of a public key and `false` otherwise. + + The outparam `pk_raw` points to 64 bytes of valid memory, i.e., uint8_t[64]. + The argument `pk` points to 33 bytes of valid memory, i.e., uint8_t[33]. + + The function also checks whether (x, y) is a valid point. +*/ +bool Hacl_P384_compressed_to_raw(uint8_t *pk, uint8_t *pk_raw); + +/** +Convert a public key from raw to its uncompressed form. + + The outparam `pk` points to 65 bytes of valid memory, i.e., uint8_t[65]. + The argument `pk_raw` points to 64 bytes of valid memory, i.e., uint8_t[64]. + + The function DOESN'T check whether (x, y) is a valid point. +*/ +void Hacl_P384_raw_to_uncompressed(uint8_t *pk_raw, uint8_t *pk); + +/** +Convert a public key from raw to its compressed form. + + The outparam `pk` points to 33 bytes of valid memory, i.e., uint8_t[33]. + The argument `pk_raw` points to 64 bytes of valid memory, i.e., uint8_t[64]. + + The function DOESN'T check whether (x, y) is a valid point. +*/ +void Hacl_P384_raw_to_compressed(uint8_t *pk_raw, uint8_t *pk); + +/******************/ +/* ECDH agreement */ +/******************/ + +/** +Compute the public key from the private key. + + The function returns `true` if a private key is valid and `false` otherwise. + + The outparam `public_key` points to 64 bytes of valid memory, i.e., uint8_t[64]. + The argument `private_key` points to 32 bytes of valid memory, i.e., uint8_t[32]. + + The private key is valid: + • 0 < `private_key` < the order of the curve. +*/ +bool Hacl_P384_dh_initiator(uint8_t *public_key, uint8_t *private_key); + +/** +Execute the diffie-hellmann key exchange. + + The function returns `true` for successful creation of an ECDH shared secret and + `false` otherwise. + + The outparam `shared_secret` points to 64 bytes of valid memory, i.e., uint8_t[64]. + The argument `their_pubkey` points to 64 bytes of valid memory, i.e., uint8_t[64]. + The argument `private_key` points to 32 bytes of valid memory, i.e., uint8_t[32]. + + The function also checks whether `private_key` and `their_pubkey` are valid. +*/ +bool +Hacl_P384_dh_responder(uint8_t *shared_secret, uint8_t *their_pubkey, uint8_t *private_key); + #if defined(__cplusplus) } #endif diff --git a/nss/lib/freebl/verified/Hacl_P521.c b/nss/lib/freebl/verified/Hacl_P521.c index 481a64b..50fb5f6 100644 --- a/nss/lib/freebl/verified/Hacl_P521.c +++ b/nss/lib/freebl/verified/Hacl_P521.c @@ -30,45 +30,129 @@ static inline uint64_t bn_is_eq_mask(uint64_t *x, uint64_t *y) { - uint64_t mask = (uint64_t)0xFFFFFFFFFFFFFFFFU; + uint64_t mask = 0xFFFFFFFFFFFFFFFFULL; KRML_MAYBE_FOR9(i, - (uint32_t)0U, - (uint32_t)9U, - (uint32_t)1U, + 0U, + 9U, + 1U, uint64_t uu____0 = FStar_UInt64_eq_mask(x[i], y[i]); mask = uu____0 & mask;); uint64_t mask1 = mask; return mask1; } +static inline void +bn_cmovznz(uint64_t *a, uint64_t b, uint64_t *c, uint64_t *d) +{ + uint64_t mask = ~FStar_UInt64_eq_mask(b, 0ULL); + KRML_MAYBE_FOR9(i, + 0U, + 9U, + 1U, + uint64_t *os = a; + uint64_t uu____0 = c[i]; + uint64_t x = uu____0 ^ (mask & (d[i] ^ uu____0)); + os[i] = x;); +} + +static inline void +bn_add_mod(uint64_t *a, uint64_t *b, uint64_t *c, uint64_t *d) +{ + uint64_t c10 = 0ULL; + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint64_t t1 = c[4U * i]; + uint64_t t20 = d[4U * i]; + uint64_t *res_i0 = a + 4U * i; + c10 = Lib_IntTypes_Intrinsics_add_carry_u64(c10, t1, t20, res_i0); + uint64_t t10 = c[4U * i + 1U]; + uint64_t t21 = d[4U * i + 1U]; + uint64_t *res_i1 = a + 4U * i + 1U; + c10 = Lib_IntTypes_Intrinsics_add_carry_u64(c10, t10, t21, res_i1); + uint64_t t11 = c[4U * i + 2U]; + uint64_t t22 = d[4U * i + 2U]; + uint64_t *res_i2 = a + 4U * i + 2U; + c10 = Lib_IntTypes_Intrinsics_add_carry_u64(c10, t11, t22, res_i2); + uint64_t t12 = c[4U * i + 3U]; + uint64_t t2 = d[4U * i + 3U]; + uint64_t *res_i = a + 4U * i + 3U; + c10 = Lib_IntTypes_Intrinsics_add_carry_u64(c10, t12, t2, res_i);); + { + uint64_t t1 = c[8U]; + uint64_t t2 = d[8U]; + uint64_t *res_i = a + 8U; + c10 = Lib_IntTypes_Intrinsics_add_carry_u64(c10, t1, t2, res_i); + } + uint64_t c0 = c10; + uint64_t tmp[9U] = { 0U }; + uint64_t c1 = 0ULL; + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint64_t t1 = a[4U * i]; + uint64_t t20 = b[4U * i]; + uint64_t *res_i0 = tmp + 4U * i; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t1, t20, res_i0); + uint64_t t10 = a[4U * i + 1U]; + uint64_t t21 = b[4U * i + 1U]; + uint64_t *res_i1 = tmp + 4U * i + 1U; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t10, t21, res_i1); + uint64_t t11 = a[4U * i + 2U]; + uint64_t t22 = b[4U * i + 2U]; + uint64_t *res_i2 = tmp + 4U * i + 2U; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t11, t22, res_i2); + uint64_t t12 = a[4U * i + 3U]; + uint64_t t2 = b[4U * i + 3U]; + uint64_t *res_i = tmp + 4U * i + 3U; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t12, t2, res_i);); + { + uint64_t t1 = a[8U]; + uint64_t t2 = b[8U]; + uint64_t *res_i = tmp + 8U; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t1, t2, res_i); + } + uint64_t c11 = c1; + uint64_t c2 = c0 - c11; + KRML_MAYBE_FOR9(i, + 0U, + 9U, + 1U, + uint64_t *os = a; + uint64_t x = (c2 & a[i]) | (~c2 & tmp[i]); + os[i] = x;); +} + static inline uint64_t bn_sub(uint64_t *a, uint64_t *b, uint64_t *c) { - uint64_t c1 = (uint64_t)0U; + uint64_t c1 = 0ULL; KRML_MAYBE_FOR2(i, - (uint32_t)0U, - (uint32_t)2U, - (uint32_t)1U, - uint64_t t1 = b[(uint32_t)4U * i]; - uint64_t t20 = c[(uint32_t)4U * i]; - uint64_t *res_i0 = a + (uint32_t)4U * i; + 0U, + 2U, + 1U, + uint64_t t1 = b[4U * i]; + uint64_t t20 = c[4U * i]; + uint64_t *res_i0 = a + 4U * i; c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t1, t20, res_i0); - uint64_t t10 = b[(uint32_t)4U * i + (uint32_t)1U]; - uint64_t t21 = c[(uint32_t)4U * i + (uint32_t)1U]; - uint64_t *res_i1 = a + (uint32_t)4U * i + (uint32_t)1U; + uint64_t t10 = b[4U * i + 1U]; + uint64_t t21 = c[4U * i + 1U]; + uint64_t *res_i1 = a + 4U * i + 1U; c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t10, t21, res_i1); - uint64_t t11 = b[(uint32_t)4U * i + (uint32_t)2U]; - uint64_t t22 = c[(uint32_t)4U * i + (uint32_t)2U]; - uint64_t *res_i2 = a + (uint32_t)4U * i + (uint32_t)2U; + uint64_t t11 = b[4U * i + 2U]; + uint64_t t22 = c[4U * i + 2U]; + uint64_t *res_i2 = a + 4U * i + 2U; c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t11, t22, res_i2); - uint64_t t12 = b[(uint32_t)4U * i + (uint32_t)3U]; - uint64_t t2 = c[(uint32_t)4U * i + (uint32_t)3U]; - uint64_t *res_i = a + (uint32_t)4U * i + (uint32_t)3U; + uint64_t t12 = b[4U * i + 3U]; + uint64_t t2 = c[4U * i + 3U]; + uint64_t *res_i = a + 4U * i + 3U; c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t12, t2, res_i);); { uint64_t t1 = b[8U]; uint64_t t2 = c[8U]; - uint64_t *res_i = a + (uint32_t)8U; + uint64_t *res_i = a + 8U; c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t1, t2, res_i); } uint64_t c10 = c1; @@ -76,32 +160,1347 @@ bn_sub(uint64_t *a, uint64_t *b, uint64_t *c) } static inline void +bn_sub_mod(uint64_t *a, uint64_t *b, uint64_t *c, uint64_t *d) +{ + uint64_t c10 = 0ULL; + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint64_t t1 = c[4U * i]; + uint64_t t20 = d[4U * i]; + uint64_t *res_i0 = a + 4U * i; + c10 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c10, t1, t20, res_i0); + uint64_t t10 = c[4U * i + 1U]; + uint64_t t21 = d[4U * i + 1U]; + uint64_t *res_i1 = a + 4U * i + 1U; + c10 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c10, t10, t21, res_i1); + uint64_t t11 = c[4U * i + 2U]; + uint64_t t22 = d[4U * i + 2U]; + uint64_t *res_i2 = a + 4U * i + 2U; + c10 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c10, t11, t22, res_i2); + uint64_t t12 = c[4U * i + 3U]; + uint64_t t2 = d[4U * i + 3U]; + uint64_t *res_i = a + 4U * i + 3U; + c10 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c10, t12, t2, res_i);); + { + uint64_t t1 = c[8U]; + uint64_t t2 = d[8U]; + uint64_t *res_i = a + 8U; + c10 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c10, t1, t2, res_i); + } + uint64_t c0 = c10; + uint64_t tmp[9U] = { 0U }; + uint64_t c1 = 0ULL; + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint64_t t1 = a[4U * i]; + uint64_t t20 = b[4U * i]; + uint64_t *res_i0 = tmp + 4U * i; + c1 = Lib_IntTypes_Intrinsics_add_carry_u64(c1, t1, t20, res_i0); + uint64_t t10 = a[4U * i + 1U]; + uint64_t t21 = b[4U * i + 1U]; + uint64_t *res_i1 = tmp + 4U * i + 1U; + c1 = Lib_IntTypes_Intrinsics_add_carry_u64(c1, t10, t21, res_i1); + uint64_t t11 = a[4U * i + 2U]; + uint64_t t22 = b[4U * i + 2U]; + uint64_t *res_i2 = tmp + 4U * i + 2U; + c1 = Lib_IntTypes_Intrinsics_add_carry_u64(c1, t11, t22, res_i2); + uint64_t t12 = a[4U * i + 3U]; + uint64_t t2 = b[4U * i + 3U]; + uint64_t *res_i = tmp + 4U * i + 3U; + c1 = Lib_IntTypes_Intrinsics_add_carry_u64(c1, t12, t2, res_i);); + { + uint64_t t1 = a[8U]; + uint64_t t2 = b[8U]; + uint64_t *res_i = tmp + 8U; + c1 = Lib_IntTypes_Intrinsics_add_carry_u64(c1, t1, t2, res_i); + } + uint64_t c11 = c1; + KRML_MAYBE_UNUSED_VAR(c11); + uint64_t c2 = 0ULL - c0; + KRML_MAYBE_FOR9(i, + 0U, + 9U, + 1U, + uint64_t *os = a; + uint64_t x = (c2 & tmp[i]) | (~c2 & a[i]); + os[i] = x;); +} + +static inline void +bn_mul(uint64_t *a, uint64_t *b, uint64_t *c) +{ + memset(a, 0U, 18U * sizeof(uint64_t)); + KRML_MAYBE_FOR9( + i0, + 0U, + 9U, + 1U, + uint64_t bj = c[i0]; + uint64_t *res_j = a + i0; + uint64_t c1 = 0ULL; + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint64_t a_i = b[4U * i]; + uint64_t *res_i0 = res_j + 4U * i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, bj, c1, res_i0); + uint64_t a_i0 = b[4U * i + 1U]; + uint64_t *res_i1 = res_j + 4U * i + 1U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, bj, c1, res_i1); + uint64_t a_i1 = b[4U * i + 2U]; + uint64_t *res_i2 = res_j + 4U * i + 2U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, bj, c1, res_i2); + uint64_t a_i2 = b[4U * i + 3U]; + uint64_t *res_i = res_j + 4U * i + 3U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, bj, c1, res_i);); + { + uint64_t a_i = b[8U]; + uint64_t *res_i = res_j + 8U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, bj, c1, res_i); + } uint64_t r = c1; + a[9U + i0] = r;); +} + +static inline void +bn_sqr(uint64_t *a, uint64_t *b) +{ + memset(a, 0U, 18U * sizeof(uint64_t)); + KRML_MAYBE_FOR9( + i0, + 0U, + 9U, + 1U, + uint64_t *ab = b; + uint64_t a_j = b[i0]; + uint64_t *res_j = a + i0; + uint64_t c = 0ULL; + for (uint32_t i = 0U; i < i0 / 4U; i++) { + uint64_t a_i = ab[4U * i]; + uint64_t *res_i0 = res_j + 4U * i; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, a_j, c, res_i0); + uint64_t a_i0 = ab[4U * i + 1U]; + uint64_t *res_i1 = res_j + 4U * i + 1U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, a_j, c, res_i1); + uint64_t a_i1 = ab[4U * i + 2U]; + uint64_t *res_i2 = res_j + 4U * i + 2U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, a_j, c, res_i2); + uint64_t a_i2 = ab[4U * i + 3U]; + uint64_t *res_i = res_j + 4U * i + 3U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, a_j, c, res_i); + } for (uint32_t i = i0 / 4U * 4U; i < i0; i++) { + uint64_t a_i = ab[i]; + uint64_t *res_i = res_j + i; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, a_j, c, res_i); + } uint64_t r = c; + a[i0 + i0] = r;); + uint64_t c0 = Hacl_Bignum_Addition_bn_add_eq_len_u64(18U, a, a, a); + KRML_MAYBE_UNUSED_VAR(c0); + uint64_t tmp[18U] = { 0U }; + KRML_MAYBE_FOR9(i, + 0U, + 9U, + 1U, + FStar_UInt128_uint128 res = FStar_UInt128_mul_wide(b[i], b[i]); + uint64_t hi = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(res, 64U)); + uint64_t lo = FStar_UInt128_uint128_to_uint64(res); + tmp[2U * i] = lo; + tmp[2U * i + 1U] = hi;); + uint64_t c1 = Hacl_Bignum_Addition_bn_add_eq_len_u64(18U, a, tmp, a); + KRML_MAYBE_UNUSED_VAR(c1); +} + +static inline void +bn_to_bytes_be(uint8_t *a, uint64_t *b) +{ + uint8_t tmp[72U] = { 0U }; + KRML_MAYBE_FOR9(i, 0U, 9U, 1U, store64_be(tmp + i * 8U, b[9U - i - 1U]);); + memcpy(a, tmp + 6U, 66U * sizeof(uint8_t)); +} + +static inline void bn_from_bytes_be(uint64_t *a, uint8_t *b) { uint8_t tmp[72U] = { 0U }; - memcpy(tmp + (uint32_t)6U, b, (uint32_t)66U * sizeof(uint8_t)); + memcpy(tmp + 6U, b, 66U * sizeof(uint8_t)); KRML_MAYBE_FOR9(i, - (uint32_t)0U, - (uint32_t)9U, - (uint32_t)1U, + 0U, + 9U, + 1U, uint64_t *os = a; - uint64_t u = load64_be(tmp + ((uint32_t)9U - i - (uint32_t)1U) * (uint32_t)8U); + uint64_t u = load64_be(tmp + (9U - i - 1U) * 8U); uint64_t x = u; os[i] = x;); } static inline void +p521_make_prime(uint64_t *n) +{ + n[0U] = 0xffffffffffffffffULL; + n[1U] = 0xffffffffffffffffULL; + n[2U] = 0xffffffffffffffffULL; + n[3U] = 0xffffffffffffffffULL; + n[4U] = 0xffffffffffffffffULL; + n[5U] = 0xffffffffffffffffULL; + n[6U] = 0xffffffffffffffffULL; + n[7U] = 0xffffffffffffffffULL; + n[8U] = 0x1ffULL; +} + +static inline void p521_make_order(uint64_t *n) { - n[0U] = (uint64_t)0xbb6fb71e91386409U; - n[1U] = (uint64_t)0x3bb5c9b8899c47aeU; - n[2U] = (uint64_t)0x7fcc0148f709a5d0U; - n[3U] = (uint64_t)0x51868783bf2f966bU; - n[4U] = (uint64_t)0xfffffffffffffffaU; - n[5U] = (uint64_t)0xffffffffffffffffU; - n[6U] = (uint64_t)0xffffffffffffffffU; - n[7U] = (uint64_t)0xffffffffffffffffU; - n[8U] = (uint64_t)0x1ffU; + n[0U] = 0xbb6fb71e91386409ULL; + n[1U] = 0x3bb5c9b8899c47aeULL; + n[2U] = 0x7fcc0148f709a5d0ULL; + n[3U] = 0x51868783bf2f966bULL; + n[4U] = 0xfffffffffffffffaULL; + n[5U] = 0xffffffffffffffffULL; + n[6U] = 0xffffffffffffffffULL; + n[7U] = 0xffffffffffffffffULL; + n[8U] = 0x1ffULL; +} + +static inline void +p521_make_a_coeff(uint64_t *a) +{ + a[0U] = 0xfe7fffffffffffffULL; + a[1U] = 0xffffffffffffffffULL; + a[2U] = 0xffffffffffffffffULL; + a[3U] = 0xffffffffffffffffULL; + a[4U] = 0xffffffffffffffffULL; + a[5U] = 0xffffffffffffffffULL; + a[6U] = 0xffffffffffffffffULL; + a[7U] = 0xffffffffffffffffULL; + a[8U] = 0x01ffULL; +} + +static inline void +p521_make_b_coeff(uint64_t *b) +{ + b[0U] = 0x8014654fae586387ULL; + b[1U] = 0x78f7a28fea35a81fULL; + b[2U] = 0x839ab9efc41e961aULL; + b[3U] = 0xbd8b29605e9dd8dfULL; + b[4U] = 0xf0ab0c9ca8f63f49ULL; + b[5U] = 0xf9dc5a44c8c77884ULL; + b[6U] = 0x77516d392dccd98aULL; + b[7U] = 0x0fc94d10d05b42a0ULL; + b[8U] = 0x4dULL; +} + +static inline void +p521_make_g_x(uint64_t *n) +{ + n[0U] = 0xb331a16381adc101ULL; + n[1U] = 0x4dfcbf3f18e172deULL; + n[2U] = 0x6f19a459e0c2b521ULL; + n[3U] = 0x947f0ee093d17fd4ULL; + n[4U] = 0xdd50a5af3bf7f3acULL; + n[5U] = 0x90fc1457b035a69eULL; + n[6U] = 0x214e32409c829fdaULL; + n[7U] = 0xe6cf1f65b311cadaULL; + n[8U] = 0x74ULL; +} + +static inline void +p521_make_g_y(uint64_t *n) +{ + n[0U] = 0x28460e4a5a9e268eULL; + n[1U] = 0x20445f4a3b4fe8b3ULL; + n[2U] = 0xb09a9e3843513961ULL; + n[3U] = 0x2062a85c809fd683ULL; + n[4U] = 0x164bf7394caf7a13ULL; + n[5U] = 0x340bd7de8b939f33ULL; + n[6U] = 0xeccc7aa224abcda2ULL; + n[7U] = 0x022e452fda163e8dULL; + n[8U] = 0x1e0ULL; +} + +static inline void +p521_make_fmont_R2(uint64_t *n) +{ + n[0U] = 0x0ULL; + n[1U] = 0x400000000000ULL; + n[2U] = 0x0ULL; + n[3U] = 0x0ULL; + n[4U] = 0x0ULL; + n[5U] = 0x0ULL; + n[6U] = 0x0ULL; + n[7U] = 0x0ULL; + n[8U] = 0x0ULL; +} + +static inline void +p521_make_fzero(uint64_t *n) +{ + memset(n, 0U, 9U * sizeof(uint64_t)); + n[0U] = 0ULL; +} + +static inline void +p521_make_fone(uint64_t *n) +{ + n[0U] = 0x80000000000000ULL; + n[1U] = 0x0ULL; + n[2U] = 0x0ULL; + n[3U] = 0x0ULL; + n[4U] = 0x0ULL; + n[5U] = 0x0ULL; + n[6U] = 0x0ULL; + n[7U] = 0x0ULL; + n[8U] = 0x0ULL; +} + +static inline void +p521_make_qone(uint64_t *f) +{ + f[0U] = 0xfb80000000000000ULL; + f[1U] = 0x28a2482470b763cdULL; + f[2U] = 0x17e2251b23bb31dcULL; + f[3U] = 0xca4019ff5b847b2dULL; + f[4U] = 0x2d73cbc3e206834ULL; + f[5U] = 0x0ULL; + f[6U] = 0x0ULL; + f[7U] = 0x0ULL; + f[8U] = 0x0ULL; +} + +static inline void +fmont_reduction(uint64_t *res, uint64_t *x) +{ + uint64_t n[9U] = { 0U }; + p521_make_prime(n); + uint64_t c0 = 0ULL; + KRML_MAYBE_FOR9( + i0, + 0U, + 9U, + 1U, + uint64_t qj = 1ULL * x[i0]; + uint64_t *res_j0 = x + i0; + uint64_t c = 0ULL; + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint64_t a_i = n[4U * i]; + uint64_t *res_i0 = res_j0 + 4U * i; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c, res_i0); + uint64_t a_i0 = n[4U * i + 1U]; + uint64_t *res_i1 = res_j0 + 4U * i + 1U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, qj, c, res_i1); + uint64_t a_i1 = n[4U * i + 2U]; + uint64_t *res_i2 = res_j0 + 4U * i + 2U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, qj, c, res_i2); + uint64_t a_i2 = n[4U * i + 3U]; + uint64_t *res_i = res_j0 + 4U * i + 3U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, qj, c, res_i);); + { + uint64_t a_i = n[8U]; + uint64_t *res_i = res_j0 + 8U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c, res_i); + } uint64_t r = c; + uint64_t c1 = r; + uint64_t *resb = x + 9U + i0; + uint64_t res_j = x[9U + i0]; + c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, c1, res_j, resb);); + memcpy(res, x + 9U, 9U * sizeof(uint64_t)); + uint64_t c00 = c0; + uint64_t tmp[9U] = { 0U }; + uint64_t c = 0ULL; + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint64_t t1 = res[4U * i]; + uint64_t t20 = n[4U * i]; + uint64_t *res_i0 = tmp + 4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, t20, res_i0); + uint64_t t10 = res[4U * i + 1U]; + uint64_t t21 = n[4U * i + 1U]; + uint64_t *res_i1 = tmp + 4U * i + 1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, t21, res_i1); + uint64_t t11 = res[4U * i + 2U]; + uint64_t t22 = n[4U * i + 2U]; + uint64_t *res_i2 = tmp + 4U * i + 2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t11, t22, res_i2); + uint64_t t12 = res[4U * i + 3U]; + uint64_t t2 = n[4U * i + 3U]; + uint64_t *res_i = tmp + 4U * i + 3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t12, t2, res_i);); + { + uint64_t t1 = res[8U]; + uint64_t t2 = n[8U]; + uint64_t *res_i = tmp + 8U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, t2, res_i); + } + uint64_t c1 = c; + uint64_t c2 = c00 - c1; + KRML_MAYBE_FOR9(i, + 0U, + 9U, + 1U, + uint64_t *os = res; + uint64_t x1 = (c2 & res[i]) | (~c2 & tmp[i]); + os[i] = x1;); +} + +static inline void +qmont_reduction(uint64_t *res, uint64_t *x) +{ + uint64_t n[9U] = { 0U }; + p521_make_order(n); + uint64_t c0 = 0ULL; + KRML_MAYBE_FOR9( + i0, + 0U, + 9U, + 1U, + uint64_t qj = 2103001588584519111ULL * x[i0]; + uint64_t *res_j0 = x + i0; + uint64_t c = 0ULL; + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint64_t a_i = n[4U * i]; + uint64_t *res_i0 = res_j0 + 4U * i; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c, res_i0); + uint64_t a_i0 = n[4U * i + 1U]; + uint64_t *res_i1 = res_j0 + 4U * i + 1U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, qj, c, res_i1); + uint64_t a_i1 = n[4U * i + 2U]; + uint64_t *res_i2 = res_j0 + 4U * i + 2U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, qj, c, res_i2); + uint64_t a_i2 = n[4U * i + 3U]; + uint64_t *res_i = res_j0 + 4U * i + 3U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, qj, c, res_i);); + { + uint64_t a_i = n[8U]; + uint64_t *res_i = res_j0 + 8U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c, res_i); + } uint64_t r = c; + uint64_t c1 = r; + uint64_t *resb = x + 9U + i0; + uint64_t res_j = x[9U + i0]; + c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, c1, res_j, resb);); + memcpy(res, x + 9U, 9U * sizeof(uint64_t)); + uint64_t c00 = c0; + uint64_t tmp[9U] = { 0U }; + uint64_t c = 0ULL; + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint64_t t1 = res[4U * i]; + uint64_t t20 = n[4U * i]; + uint64_t *res_i0 = tmp + 4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, t20, res_i0); + uint64_t t10 = res[4U * i + 1U]; + uint64_t t21 = n[4U * i + 1U]; + uint64_t *res_i1 = tmp + 4U * i + 1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, t21, res_i1); + uint64_t t11 = res[4U * i + 2U]; + uint64_t t22 = n[4U * i + 2U]; + uint64_t *res_i2 = tmp + 4U * i + 2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t11, t22, res_i2); + uint64_t t12 = res[4U * i + 3U]; + uint64_t t2 = n[4U * i + 3U]; + uint64_t *res_i = tmp + 4U * i + 3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t12, t2, res_i);); + { + uint64_t t1 = res[8U]; + uint64_t t2 = n[8U]; + uint64_t *res_i = tmp + 8U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, t2, res_i); + } + uint64_t c1 = c; + uint64_t c2 = c00 - c1; + KRML_MAYBE_FOR9(i, + 0U, + 9U, + 1U, + uint64_t *os = res; + uint64_t x1 = (c2 & res[i]) | (~c2 & tmp[i]); + os[i] = x1;); +} + +static inline uint64_t +bn_is_lt_prime_mask(uint64_t *f) +{ + uint64_t tmp[9U] = { 0U }; + p521_make_prime(tmp); + uint64_t c = bn_sub(tmp, f, tmp); + uint64_t m = FStar_UInt64_gte_mask(c, 0ULL) & ~FStar_UInt64_eq_mask(c, 0ULL); + return m; +} + +static inline void +fadd0(uint64_t *a, uint64_t *b, uint64_t *c) +{ + uint64_t n[9U] = { 0U }; + p521_make_prime(n); + bn_add_mod(a, n, b, c); +} + +static inline void +fsub0(uint64_t *a, uint64_t *b, uint64_t *c) +{ + uint64_t n[9U] = { 0U }; + p521_make_prime(n); + bn_sub_mod(a, n, b, c); +} + +static inline void +fmul0(uint64_t *a, uint64_t *b, uint64_t *c) +{ + uint64_t tmp[18U] = { 0U }; + bn_mul(tmp, b, c); + fmont_reduction(a, tmp); +} + +static inline void +fsqr0(uint64_t *a, uint64_t *b) +{ + uint64_t tmp[18U] = { 0U }; + bn_sqr(tmp, b); + fmont_reduction(a, tmp); +} + +static inline void +from_mont(uint64_t *a, uint64_t *b) +{ + uint64_t tmp[18U] = { 0U }; + memcpy(tmp, b, 9U * sizeof(uint64_t)); + fmont_reduction(a, tmp); +} + +static inline void +to_mont(uint64_t *a, uint64_t *b) +{ + uint64_t r2modn[9U] = { 0U }; + p521_make_fmont_R2(r2modn); + uint64_t tmp[18U] = { 0U }; + bn_mul(tmp, b, r2modn); + fmont_reduction(a, tmp); +} + +static inline void +p521_finv(uint64_t *res, uint64_t *a) +{ + uint64_t b[9U] = { 0U }; + b[0U] = 0xfffffffffffffffdULL; + b[1U] = 0xffffffffffffffffULL; + b[2U] = 0xffffffffffffffffULL; + b[3U] = 0xffffffffffffffffULL; + b[4U] = 0xffffffffffffffffULL; + b[5U] = 0xffffffffffffffffULL; + b[6U] = 0xffffffffffffffffULL; + b[7U] = 0xffffffffffffffffULL; + b[8U] = 0x1ffULL; + uint64_t tmp[9U] = { 0U }; + memcpy(tmp, a, 9U * sizeof(uint64_t)); + uint64_t table[288U] = { 0U }; + uint64_t tmp1[9U] = { 0U }; + uint64_t *t0 = table; + uint64_t *t1 = table + 9U; + p521_make_fone(t0); + memcpy(t1, tmp, 9U * sizeof(uint64_t)); + KRML_MAYBE_FOR15(i, + 0U, + 15U, + 1U, + uint64_t *t11 = table + (i + 1U) * 9U; + fsqr0(tmp1, t11); + memcpy(table + (2U * i + 2U) * 9U, tmp1, 9U * sizeof(uint64_t)); + uint64_t *t2 = table + (2U * i + 2U) * 9U; + fmul0(tmp1, tmp, t2); + memcpy(table + (2U * i + 3U) * 9U, tmp1, 9U * sizeof(uint64_t));); + uint32_t i0 = 520U; + uint64_t bits_c = Hacl_Bignum_Lib_bn_get_bits_u64(9U, b, i0, 5U); + memcpy(res, (uint64_t *)table, 9U * sizeof(uint64_t)); + for (uint32_t i1 = 0U; i1 < 31U; i1++) { + uint64_t c = FStar_UInt64_eq_mask(bits_c, (uint64_t)(i1 + 1U)); + const uint64_t *res_j = table + (i1 + 1U) * 9U; + KRML_MAYBE_FOR9(i, + 0U, + 9U, + 1U, + uint64_t *os = res; + uint64_t x = (c & res_j[i]) | (~c & res[i]); + os[i] = x;); + } + uint64_t tmp10[9U] = { 0U }; + for (uint32_t i1 = 0U; i1 < 104U; i1++) { + KRML_MAYBE_FOR5(i, 0U, 5U, 1U, fsqr0(res, res);); + uint32_t k = 520U - 5U * i1 - 5U; + uint64_t bits_l = Hacl_Bignum_Lib_bn_get_bits_u64(9U, b, k, 5U); + memcpy(tmp10, (uint64_t *)table, 9U * sizeof(uint64_t)); + for (uint32_t i2 = 0U; i2 < 31U; i2++) { + uint64_t c = FStar_UInt64_eq_mask(bits_l, (uint64_t)(i2 + 1U)); + const uint64_t *res_j = table + (i2 + 1U) * 9U; + KRML_MAYBE_FOR9(i, + 0U, + 9U, + 1U, + uint64_t *os = tmp10; + uint64_t x = (c & res_j[i]) | (~c & tmp10[i]); + os[i] = x;); + } + fmul0(res, res, tmp10); + } +} + +static inline void +p521_fsqrt(uint64_t *res, uint64_t *a) +{ + uint64_t b[9U] = { 0U }; + b[0U] = 0x0ULL; + b[1U] = 0x0ULL; + b[2U] = 0x0ULL; + b[3U] = 0x0ULL; + b[4U] = 0x0ULL; + b[5U] = 0x0ULL; + b[6U] = 0x0ULL; + b[7U] = 0x0ULL; + b[8U] = 0x80ULL; + uint64_t tmp[9U] = { 0U }; + memcpy(tmp, a, 9U * sizeof(uint64_t)); + uint64_t table[288U] = { 0U }; + uint64_t tmp1[9U] = { 0U }; + uint64_t *t0 = table; + uint64_t *t1 = table + 9U; + p521_make_fone(t0); + memcpy(t1, tmp, 9U * sizeof(uint64_t)); + KRML_MAYBE_FOR15(i, + 0U, + 15U, + 1U, + uint64_t *t11 = table + (i + 1U) * 9U; + fsqr0(tmp1, t11); + memcpy(table + (2U * i + 2U) * 9U, tmp1, 9U * sizeof(uint64_t)); + uint64_t *t2 = table + (2U * i + 2U) * 9U; + fmul0(tmp1, tmp, t2); + memcpy(table + (2U * i + 3U) * 9U, tmp1, 9U * sizeof(uint64_t));); + uint32_t i0 = 520U; + uint64_t bits_c = Hacl_Bignum_Lib_bn_get_bits_u64(9U, b, i0, 5U); + memcpy(res, (uint64_t *)table, 9U * sizeof(uint64_t)); + for (uint32_t i1 = 0U; i1 < 31U; i1++) { + uint64_t c = FStar_UInt64_eq_mask(bits_c, (uint64_t)(i1 + 1U)); + const uint64_t *res_j = table + (i1 + 1U) * 9U; + KRML_MAYBE_FOR9(i, + 0U, + 9U, + 1U, + uint64_t *os = res; + uint64_t x = (c & res_j[i]) | (~c & res[i]); + os[i] = x;); + } + uint64_t tmp10[9U] = { 0U }; + for (uint32_t i1 = 0U; i1 < 104U; i1++) { + KRML_MAYBE_FOR5(i, 0U, 5U, 1U, fsqr0(res, res);); + uint32_t k = 520U - 5U * i1 - 5U; + uint64_t bits_l = Hacl_Bignum_Lib_bn_get_bits_u64(9U, b, k, 5U); + memcpy(tmp10, (uint64_t *)table, 9U * sizeof(uint64_t)); + for (uint32_t i2 = 0U; i2 < 31U; i2++) { + uint64_t c = FStar_UInt64_eq_mask(bits_l, (uint64_t)(i2 + 1U)); + const uint64_t *res_j = table + (i2 + 1U) * 9U; + KRML_MAYBE_FOR9(i, + 0U, + 9U, + 1U, + uint64_t *os = tmp10; + uint64_t x = (c & res_j[i]) | (~c & tmp10[i]); + os[i] = x;); + } + fmul0(res, res, tmp10); + } +} + +static inline uint64_t +load_qelem_conditional(uint64_t *a, uint8_t *b) +{ + bn_from_bytes_be(a, b); + uint64_t tmp[9U] = { 0U }; + p521_make_order(tmp); + uint64_t c = bn_sub(tmp, a, tmp); + uint64_t is_lt_order = FStar_UInt64_gte_mask(c, 0ULL) & ~FStar_UInt64_eq_mask(c, 0ULL); + uint64_t bn_zero[9U] = { 0U }; + uint64_t res = bn_is_eq_mask(a, bn_zero); + uint64_t is_eq_zero = res; + uint64_t is_b_valid = is_lt_order & ~is_eq_zero; + uint64_t oneq[9U] = { 0U }; + memset(oneq, 0U, 9U * sizeof(uint64_t)); + oneq[0U] = 1ULL; + KRML_MAYBE_FOR9(i, + 0U, + 9U, + 1U, + uint64_t *os = a; + uint64_t uu____0 = oneq[i]; + uint64_t x = uu____0 ^ (is_b_valid & (a[i] ^ uu____0)); + os[i] = x;); + return is_b_valid; +} + +static inline void +qmod_short(uint64_t *a, uint64_t *b) +{ + uint64_t tmp[9U] = { 0U }; + p521_make_order(tmp); + uint64_t c = bn_sub(tmp, b, tmp); + bn_cmovznz(a, c, tmp, b); +} + +static inline void +qadd(uint64_t *a, uint64_t *b, uint64_t *c) +{ + uint64_t n[9U] = { 0U }; + p521_make_order(n); + bn_add_mod(a, n, b, c); +} + +static inline void +qmul(uint64_t *a, uint64_t *b, uint64_t *c) +{ + uint64_t tmp[18U] = { 0U }; + bn_mul(tmp, b, c); + qmont_reduction(a, tmp); +} + +static inline void +qsqr(uint64_t *a, uint64_t *b) +{ + uint64_t tmp[18U] = { 0U }; + bn_sqr(tmp, b); + qmont_reduction(a, tmp); +} + +static inline void +from_qmont(uint64_t *a, uint64_t *b) +{ + uint64_t tmp[18U] = { 0U }; + memcpy(tmp, b, 9U * sizeof(uint64_t)); + qmont_reduction(a, tmp); +} + +static inline void +p521_qinv(uint64_t *res, uint64_t *a) +{ + uint64_t b[9U] = { 0U }; + b[0U] = 0xbb6fb71e91386407ULL; + b[1U] = 0x3bb5c9b8899c47aeULL; + b[2U] = 0x7fcc0148f709a5d0ULL; + b[3U] = 0x51868783bf2f966bULL; + b[4U] = 0xfffffffffffffffaULL; + b[5U] = 0xffffffffffffffffULL; + b[6U] = 0xffffffffffffffffULL; + b[7U] = 0xffffffffffffffffULL; + b[8U] = 0x1ffULL; + uint64_t tmp[9U] = { 0U }; + memcpy(tmp, a, 9U * sizeof(uint64_t)); + uint64_t table[288U] = { 0U }; + uint64_t tmp1[9U] = { 0U }; + uint64_t *t0 = table; + uint64_t *t1 = table + 9U; + p521_make_qone(t0); + memcpy(t1, tmp, 9U * sizeof(uint64_t)); + KRML_MAYBE_FOR15(i, + 0U, + 15U, + 1U, + uint64_t *t11 = table + (i + 1U) * 9U; + qsqr(tmp1, t11); + memcpy(table + (2U * i + 2U) * 9U, tmp1, 9U * sizeof(uint64_t)); + uint64_t *t2 = table + (2U * i + 2U) * 9U; + qmul(tmp1, tmp, t2); + memcpy(table + (2U * i + 3U) * 9U, tmp1, 9U * sizeof(uint64_t));); + uint32_t i0 = 520U; + uint64_t bits_c = Hacl_Bignum_Lib_bn_get_bits_u64(9U, b, i0, 5U); + memcpy(res, (uint64_t *)table, 9U * sizeof(uint64_t)); + for (uint32_t i1 = 0U; i1 < 31U; i1++) { + uint64_t c = FStar_UInt64_eq_mask(bits_c, (uint64_t)(i1 + 1U)); + const uint64_t *res_j = table + (i1 + 1U) * 9U; + KRML_MAYBE_FOR9(i, + 0U, + 9U, + 1U, + uint64_t *os = res; + uint64_t x = (c & res_j[i]) | (~c & res[i]); + os[i] = x;); + } + uint64_t tmp10[9U] = { 0U }; + for (uint32_t i1 = 0U; i1 < 104U; i1++) { + KRML_MAYBE_FOR5(i, 0U, 5U, 1U, qsqr(res, res);); + uint32_t k = 520U - 5U * i1 - 5U; + uint64_t bits_l = Hacl_Bignum_Lib_bn_get_bits_u64(9U, b, k, 5U); + memcpy(tmp10, (uint64_t *)table, 9U * sizeof(uint64_t)); + for (uint32_t i2 = 0U; i2 < 31U; i2++) { + uint64_t c = FStar_UInt64_eq_mask(bits_l, (uint64_t)(i2 + 1U)); + const uint64_t *res_j = table + (i2 + 1U) * 9U; + KRML_MAYBE_FOR9(i, + 0U, + 9U, + 1U, + uint64_t *os = tmp10; + uint64_t x = (c & res_j[i]) | (~c & tmp10[i]); + os[i] = x;); + } + qmul(res, res, tmp10); + } +} + +static inline void +point_add(uint64_t *x, uint64_t *y, uint64_t *xy) +{ + uint64_t tmp[81U] = { 0U }; + uint64_t *t0 = tmp; + uint64_t *t1 = tmp + 54U; + uint64_t *x3 = t1; + uint64_t *y3 = t1 + 9U; + uint64_t *z3 = t1 + 18U; + uint64_t *t01 = t0; + uint64_t *t11 = t0 + 9U; + uint64_t *t2 = t0 + 18U; + uint64_t *t3 = t0 + 27U; + uint64_t *t4 = t0 + 36U; + uint64_t *t5 = t0 + 45U; + uint64_t *x1 = x; + uint64_t *y1 = x + 9U; + uint64_t *z10 = x + 18U; + uint64_t *x20 = y; + uint64_t *y20 = y + 9U; + uint64_t *z20 = y + 18U; + fmul0(t01, x1, x20); + fmul0(t11, y1, y20); + fmul0(t2, z10, z20); + fadd0(t3, x1, y1); + fadd0(t4, x20, y20); + fmul0(t3, t3, t4); + fadd0(t4, t01, t11); + uint64_t *y10 = x + 9U; + uint64_t *z11 = x + 18U; + uint64_t *y2 = y + 9U; + uint64_t *z21 = y + 18U; + fsub0(t3, t3, t4); + fadd0(t4, y10, z11); + fadd0(t5, y2, z21); + fmul0(t4, t4, t5); + fadd0(t5, t11, t2); + fsub0(t4, t4, t5); + uint64_t *x10 = x; + uint64_t *z1 = x + 18U; + uint64_t *x2 = y; + uint64_t *z2 = y + 18U; + fadd0(x3, x10, z1); + fadd0(y3, x2, z2); + fmul0(x3, x3, y3); + fadd0(y3, t01, t2); + fsub0(y3, x3, y3); + uint64_t b_coeff[9U] = { 0U }; + p521_make_b_coeff(b_coeff); + fmul0(z3, b_coeff, t2); + fsub0(x3, y3, z3); + fadd0(z3, x3, x3); + fadd0(x3, x3, z3); + fsub0(z3, t11, x3); + fadd0(x3, t11, x3); + uint64_t b_coeff0[9U] = { 0U }; + p521_make_b_coeff(b_coeff0); + fmul0(y3, b_coeff0, y3); + fadd0(t11, t2, t2); + fadd0(t2, t11, t2); + fsub0(y3, y3, t2); + fsub0(y3, y3, t01); + fadd0(t11, y3, y3); + fadd0(y3, t11, y3); + fadd0(t11, t01, t01); + fadd0(t01, t11, t01); + fsub0(t01, t01, t2); + fmul0(t11, t4, y3); + fmul0(t2, t01, y3); + fmul0(y3, x3, z3); + fadd0(y3, y3, t2); + fmul0(x3, t3, x3); + fsub0(x3, x3, t11); + fmul0(z3, t4, z3); + fmul0(t11, t3, t01); + fadd0(z3, z3, t11); + memcpy(xy, t1, 27U * sizeof(uint64_t)); +} + +static inline void +point_double(uint64_t *x, uint64_t *xx) +{ + uint64_t tmp[45U] = { 0U }; + uint64_t *x1 = x; + uint64_t *z = x + 18U; + uint64_t *x3 = xx; + uint64_t *y3 = xx + 9U; + uint64_t *z3 = xx + 18U; + uint64_t *t0 = tmp; + uint64_t *t1 = tmp + 9U; + uint64_t *t2 = tmp + 18U; + uint64_t *t3 = tmp + 27U; + uint64_t *t4 = tmp + 36U; + uint64_t *x2 = x; + uint64_t *y = x + 9U; + uint64_t *z1 = x + 18U; + fsqr0(t0, x2); + fsqr0(t1, y); + fsqr0(t2, z1); + fmul0(t3, x2, y); + fadd0(t3, t3, t3); + fmul0(t4, y, z1); + fmul0(z3, x1, z); + fadd0(z3, z3, z3); + uint64_t b_coeff[9U] = { 0U }; + p521_make_b_coeff(b_coeff); + fmul0(y3, b_coeff, t2); + fsub0(y3, y3, z3); + fadd0(x3, y3, y3); + fadd0(y3, x3, y3); + fsub0(x3, t1, y3); + fadd0(y3, t1, y3); + fmul0(y3, x3, y3); + fmul0(x3, x3, t3); + fadd0(t3, t2, t2); + fadd0(t2, t2, t3); + uint64_t b_coeff0[9U] = { 0U }; + p521_make_b_coeff(b_coeff0); + fmul0(z3, b_coeff0, z3); + fsub0(z3, z3, t2); + fsub0(z3, z3, t0); + fadd0(t3, z3, z3); + fadd0(z3, z3, t3); + fadd0(t3, t0, t0); + fadd0(t0, t3, t0); + fsub0(t0, t0, t2); + fmul0(t0, t0, z3); + fadd0(y3, y3, t0); + fadd0(t0, t4, t4); + fmul0(z3, t0, z3); + fsub0(x3, x3, z3); + fmul0(z3, t0, t1); + fadd0(z3, z3, z3); + fadd0(z3, z3, z3); +} + +static inline void +point_zero(uint64_t *one) +{ + uint64_t *x = one; + uint64_t *y = one + 9U; + uint64_t *z = one + 18U; + p521_make_fzero(x); + p521_make_fone(y); + p521_make_fzero(z); +} + +static inline void +point_mul(uint64_t *res, uint64_t *scalar, uint64_t *p) +{ + uint64_t table[432U] = { 0U }; + uint64_t tmp[27U] = { 0U }; + uint64_t *t0 = table; + uint64_t *t1 = table + 27U; + point_zero(t0); + memcpy(t1, p, 27U * sizeof(uint64_t)); + KRML_MAYBE_FOR7(i, + 0U, + 7U, + 1U, + uint64_t *t11 = table + (i + 1U) * 27U; + point_double(t11, tmp); + memcpy(table + (2U * i + 2U) * 27U, tmp, 27U * sizeof(uint64_t)); + uint64_t *t2 = table + (2U * i + 2U) * 27U; + point_add(p, t2, tmp); + memcpy(table + (2U * i + 3U) * 27U, tmp, 27U * sizeof(uint64_t));); + uint32_t i0 = 520U; + uint64_t bits_c = Hacl_Bignum_Lib_bn_get_bits_u64(9U, scalar, i0, 4U); + memcpy(res, (uint64_t *)table, 27U * sizeof(uint64_t)); + KRML_MAYBE_FOR15( + i1, + 0U, + 15U, + 1U, + uint64_t c = FStar_UInt64_eq_mask(bits_c, (uint64_t)(i1 + 1U)); + const uint64_t *res_j = table + (i1 + 1U) * 27U; + for (uint32_t i = 0U; i < 27U; i++) { + uint64_t *os = res; + uint64_t x = (c & res_j[i]) | (~c & res[i]); + os[i] = x; + }); + uint64_t tmp0[27U] = { 0U }; + for (uint32_t i1 = 0U; i1 < 130U; i1++) { + KRML_MAYBE_FOR4(i, 0U, 4U, 1U, point_double(res, res);); + uint32_t k = 520U - 4U * i1 - 4U; + uint64_t bits_l = Hacl_Bignum_Lib_bn_get_bits_u64(9U, scalar, k, 4U); + memcpy(tmp0, (uint64_t *)table, 27U * sizeof(uint64_t)); + KRML_MAYBE_FOR15( + i2, + 0U, + 15U, + 1U, + uint64_t c = FStar_UInt64_eq_mask(bits_l, (uint64_t)(i2 + 1U)); + const uint64_t *res_j = table + (i2 + 1U) * 27U; + for (uint32_t i = 0U; i < 27U; i++) { + uint64_t *os = tmp0; + uint64_t x = (c & res_j[i]) | (~c & tmp0[i]); + os[i] = x; + }); + point_add(res, tmp0, res); + } +} + +static inline void +point_mul_g(uint64_t *res, uint64_t *scalar) +{ + uint64_t g[27U] = { 0U }; + uint64_t *x = g; + uint64_t *y = g + 9U; + uint64_t *z = g + 18U; + p521_make_g_x(x); + p521_make_g_y(y); + p521_make_fone(z); + point_mul(res, scalar, g); +} + +static inline void +point_mul_double_g(uint64_t *res, uint64_t *scalar1, uint64_t *scalar2, uint64_t *p) +{ + uint64_t tmp[27U] = { 0U }; + point_mul_g(tmp, scalar1); + point_mul(res, scalar2, p); + point_add(res, tmp, res); +} + +static inline bool +ecdsa_sign_msg_as_qelem( + uint8_t *signature, + uint64_t *m_q, + uint8_t *private_key, + uint8_t *nonce) +{ + uint64_t rsdk_q[36U] = { 0U }; + uint64_t *r_q = rsdk_q; + uint64_t *s_q = rsdk_q + 9U; + uint64_t *d_a = rsdk_q + 18U; + uint64_t *k_q = rsdk_q + 27U; + uint64_t is_sk_valid = load_qelem_conditional(d_a, private_key); + uint64_t is_nonce_valid = load_qelem_conditional(k_q, nonce); + uint64_t are_sk_nonce_valid = is_sk_valid & is_nonce_valid; + uint64_t p[27U] = { 0U }; + point_mul_g(p, k_q); + uint64_t zinv[9U] = { 0U }; + uint64_t *px = p; + uint64_t *pz = p + 18U; + p521_finv(zinv, pz); + fmul0(r_q, px, zinv); + from_mont(r_q, r_q); + qmod_short(r_q, r_q); + uint64_t kinv[9U] = { 0U }; + p521_qinv(kinv, k_q); + qmul(s_q, r_q, d_a); + from_qmont(m_q, m_q); + qadd(s_q, m_q, s_q); + qmul(s_q, kinv, s_q); + bn_to_bytes_be(signature, r_q); + bn_to_bytes_be(signature + 66U, s_q); + uint64_t bn_zero0[9U] = { 0U }; + uint64_t res = bn_is_eq_mask(r_q, bn_zero0); + uint64_t is_r_zero = res; + uint64_t bn_zero[9U] = { 0U }; + uint64_t res0 = bn_is_eq_mask(s_q, bn_zero); + uint64_t is_s_zero = res0; + uint64_t m = are_sk_nonce_valid & (~is_r_zero & ~is_s_zero); + bool res1 = m == 0xFFFFFFFFFFFFFFFFULL; + return res1; +} + +static inline bool +ecdsa_verify_msg_as_qelem( + uint64_t *m_q, + uint8_t *public_key, + uint8_t *signature_r, + uint8_t *signature_s) +{ + uint64_t tmp[63U] = { 0U }; + uint64_t *pk = tmp; + uint64_t *r_q = tmp + 27U; + uint64_t *s_q = tmp + 36U; + uint64_t *u1 = tmp + 45U; + uint64_t *u2 = tmp + 54U; + uint64_t p_aff[18U] = { 0U }; + uint8_t *p_x = public_key; + uint8_t *p_y = public_key + 66U; + uint64_t *bn_p_x = p_aff; + uint64_t *bn_p_y = p_aff + 9U; + bn_from_bytes_be(bn_p_x, p_x); + bn_from_bytes_be(bn_p_y, p_y); + uint64_t *px0 = p_aff; + uint64_t *py0 = p_aff + 9U; + uint64_t lessX = bn_is_lt_prime_mask(px0); + uint64_t lessY = bn_is_lt_prime_mask(py0); + uint64_t res0 = lessX & lessY; + bool is_xy_valid = res0 == 0xFFFFFFFFFFFFFFFFULL; + bool res; + if (!is_xy_valid) { + res = false; + } else { + uint64_t rp[9U] = { 0U }; + uint64_t tx[9U] = { 0U }; + uint64_t ty[9U] = { 0U }; + uint64_t *px = p_aff; + uint64_t *py = p_aff + 9U; + to_mont(tx, px); + to_mont(ty, py); + uint64_t tmp1[9U] = { 0U }; + fsqr0(rp, tx); + fmul0(rp, rp, tx); + p521_make_a_coeff(tmp1); + fmul0(tmp1, tmp1, tx); + fadd0(rp, tmp1, rp); + p521_make_b_coeff(tmp1); + fadd0(rp, tmp1, rp); + fsqr0(ty, ty); + uint64_t r = bn_is_eq_mask(ty, rp); + uint64_t r0 = r; + bool r1 = r0 == 0xFFFFFFFFFFFFFFFFULL; + res = r1; + } + if (res) { + uint64_t *px = p_aff; + uint64_t *py = p_aff + 9U; + uint64_t *rx = pk; + uint64_t *ry = pk + 9U; + uint64_t *rz = pk + 18U; + to_mont(rx, px); + to_mont(ry, py); + p521_make_fone(rz); + } + bool is_pk_valid = res; + bn_from_bytes_be(r_q, signature_r); + bn_from_bytes_be(s_q, signature_s); + uint64_t tmp10[9U] = { 0U }; + p521_make_order(tmp10); + uint64_t c = bn_sub(tmp10, r_q, tmp10); + uint64_t is_lt_order = FStar_UInt64_gte_mask(c, 0ULL) & ~FStar_UInt64_eq_mask(c, 0ULL); + uint64_t bn_zero0[9U] = { 0U }; + uint64_t res1 = bn_is_eq_mask(r_q, bn_zero0); + uint64_t is_eq_zero = res1; + uint64_t is_r_valid = is_lt_order & ~is_eq_zero; + uint64_t tmp11[9U] = { 0U }; + p521_make_order(tmp11); + uint64_t c0 = bn_sub(tmp11, s_q, tmp11); + uint64_t is_lt_order0 = FStar_UInt64_gte_mask(c0, 0ULL) & ~FStar_UInt64_eq_mask(c0, 0ULL); + uint64_t bn_zero1[9U] = { 0U }; + uint64_t res2 = bn_is_eq_mask(s_q, bn_zero1); + uint64_t is_eq_zero0 = res2; + uint64_t is_s_valid = is_lt_order0 & ~is_eq_zero0; + bool is_rs_valid = is_r_valid == 0xFFFFFFFFFFFFFFFFULL && is_s_valid == 0xFFFFFFFFFFFFFFFFULL; + if (!(is_pk_valid && is_rs_valid)) { + return false; + } + uint64_t sinv[9U] = { 0U }; + p521_qinv(sinv, s_q); + uint64_t tmp1[9U] = { 0U }; + from_qmont(tmp1, m_q); + qmul(u1, sinv, tmp1); + uint64_t tmp12[9U] = { 0U }; + from_qmont(tmp12, r_q); + qmul(u2, sinv, tmp12); + uint64_t res3[27U] = { 0U }; + point_mul_double_g(res3, u1, u2, pk); + uint64_t *pz0 = res3 + 18U; + uint64_t bn_zero[9U] = { 0U }; + uint64_t res10 = bn_is_eq_mask(pz0, bn_zero); + uint64_t m = res10; + if (m == 0xFFFFFFFFFFFFFFFFULL) { + return false; + } + uint64_t x[9U] = { 0U }; + uint64_t zinv[9U] = { 0U }; + uint64_t *px = res3; + uint64_t *pz = res3 + 18U; + p521_finv(zinv, pz); + fmul0(x, px, zinv); + from_mont(x, x); + qmod_short(x, x); + uint64_t m0 = bn_is_eq_mask(x, r_q); + bool res11 = m0 == 0xFFFFFFFFFFFFFFFFULL; + return res11; +} + +/******************************************************************************* + + Verified C library for ECDSA and ECDH functions over the P-521 NIST curve. + + This module implements signing and verification, key validation, conversions + between various point representations, and ECDH key agreement. + +*******************************************************************************/ + +/*****************/ +/* ECDSA signing */ +/*****************/ + +/** +Create an ECDSA signature WITHOUT hashing first. + + This function is intended to receive a hash of the input. + For convenience, we recommend using one of the hash-and-sign combined functions above. + + The argument `msg` MUST be at least 66 bytes (i.e. `msg_len >= 66`). + + NOTE: The equivalent functions in OpenSSL and Fiat-Crypto both accept inputs + smaller than 66 bytes. These libraries left-pad the input with enough zeroes to + reach the minimum 66 byte size. Clients who need behavior identical to OpenSSL + need to perform the left-padding themselves. + + The function returns `true` for successful creation of an ECDSA signature and `false` otherwise. + + The outparam `signature` (R || S) points to 132 bytes of valid memory, i.e., uint8_t[132]. + The argument `msg` points to `msg_len` bytes of valid memory, i.e., uint8_t[msg_len]. + The arguments `private_key` and `nonce` point to 66 bytes of valid memory, i.e., uint8_t[66]. + + The function also checks whether `private_key` and `nonce` are valid values: + • 0 < `private_key` < the order of the curve + • 0 < `nonce` < the order of the curve +*/ +bool +Hacl_P521_ecdsa_sign_p521_without_hash( + uint8_t *signature, + uint32_t msg_len, + uint8_t *msg, + uint8_t *private_key, + uint8_t *nonce) +{ + uint64_t m_q[9U] = { 0U }; + uint8_t mHash[66U] = { 0U }; + memcpy(mHash, msg, 66U * sizeof(uint8_t)); + KRML_MAYBE_UNUSED_VAR(msg_len); + bn_from_bytes_be(m_q, mHash); + qmod_short(m_q, m_q); + bool res = ecdsa_sign_msg_as_qelem(signature, m_q, private_key, nonce); + return res; +} + +/**********************/ +/* ECDSA verification */ +/**********************/ + +/** +Verify an ECDSA signature WITHOUT hashing first. + + This function is intended to receive a hash of the input. + For convenience, we recommend using one of the hash-and-verify combined functions above. + + The argument `msg` MUST be at least 66 bytes (i.e. `msg_len >= 66`). + + The function returns `true` if the signature is valid and `false` otherwise. + + The argument `msg` points to `msg_len` bytes of valid memory, i.e., uint8_t[msg_len]. + The argument `public_key` (x || y) points to 132 bytes of valid memory, i.e., uint8_t[132]. + The arguments `signature_r` and `signature_s` point to 66 bytes of valid memory, i.e., uint8_t[66]. + + The function also checks whether `public_key` is valid +*/ +bool +Hacl_P521_ecdsa_verif_without_hash( + uint32_t msg_len, + uint8_t *msg, + uint8_t *public_key, + uint8_t *signature_r, + uint8_t *signature_s) +{ + uint64_t m_q[9U] = { 0U }; + uint8_t mHash[66U] = { 0U }; + memcpy(mHash, msg, 66U * sizeof(uint8_t)); + KRML_MAYBE_UNUSED_VAR(msg_len); + bn_from_bytes_be(m_q, mHash); + qmod_short(m_q, m_q); + bool res = ecdsa_verify_msg_as_qelem(m_q, public_key, signature_r, signature_s); + return res; +} + +/******************/ +/* Key validation */ +/******************/ + +/** +Public key validation. + + The function returns `true` if a public key is valid and `false` otherwise. + + The argument `public_key` points to 132 bytes of valid memory, i.e., uint8_t[132]. + + The public key (x || y) is valid (with respect to SP 800-56A): + • the public key is not the “point at infinity”, represented as O. + • the affine x and y coordinates of the point represented by the public key are + in the range [0, p – 1] where p is the prime defining the finite field. + • y^2 = x^3 + ax + b where a and b are the coefficients of the curve equation. + The last extract is taken from: https://neilmadden.blog/2017/05/17/so-how-do-you-validate-nist-ecdh-public-keys/ +*/ +bool +Hacl_P521_validate_public_key(uint8_t *public_key) +{ + uint64_t point_jac[27U] = { 0U }; + uint64_t p_aff[18U] = { 0U }; + uint8_t *p_x = public_key; + uint8_t *p_y = public_key + 66U; + uint64_t *bn_p_x = p_aff; + uint64_t *bn_p_y = p_aff + 9U; + bn_from_bytes_be(bn_p_x, p_x); + bn_from_bytes_be(bn_p_y, p_y); + uint64_t *px0 = p_aff; + uint64_t *py0 = p_aff + 9U; + uint64_t lessX = bn_is_lt_prime_mask(px0); + uint64_t lessY = bn_is_lt_prime_mask(py0); + uint64_t res0 = lessX & lessY; + bool is_xy_valid = res0 == 0xFFFFFFFFFFFFFFFFULL; + bool res; + if (!is_xy_valid) { + res = false; + } else { + uint64_t rp[9U] = { 0U }; + uint64_t tx[9U] = { 0U }; + uint64_t ty[9U] = { 0U }; + uint64_t *px = p_aff; + uint64_t *py = p_aff + 9U; + to_mont(tx, px); + to_mont(ty, py); + uint64_t tmp[9U] = { 0U }; + fsqr0(rp, tx); + fmul0(rp, rp, tx); + p521_make_a_coeff(tmp); + fmul0(tmp, tmp, tx); + fadd0(rp, tmp, rp); + p521_make_b_coeff(tmp); + fadd0(rp, tmp, rp); + fsqr0(ty, ty); + uint64_t r = bn_is_eq_mask(ty, rp); + uint64_t r0 = r; + bool r1 = r0 == 0xFFFFFFFFFFFFFFFFULL; + res = r1; + } + if (res) { + uint64_t *px = p_aff; + uint64_t *py = p_aff + 9U; + uint64_t *rx = point_jac; + uint64_t *ry = point_jac + 9U; + uint64_t *rz = point_jac + 18U; + to_mont(rx, px); + to_mont(ry, py); + p521_make_fone(rz); + } + bool res1 = res; + return res1; } /** @@ -122,10 +1521,280 @@ Hacl_P521_validate_private_key(uint8_t *private_key) uint64_t tmp[9U] = { 0U }; p521_make_order(tmp); uint64_t c = bn_sub(tmp, bn_sk, tmp); - uint64_t is_lt_order = (uint64_t)0U - c; + uint64_t is_lt_order = FStar_UInt64_gte_mask(c, 0ULL) & ~FStar_UInt64_eq_mask(c, 0ULL); uint64_t bn_zero[9U] = { 0U }; uint64_t res = bn_is_eq_mask(bn_sk, bn_zero); uint64_t is_eq_zero = res; uint64_t res0 = is_lt_order & ~is_eq_zero; - return res0 == (uint64_t)0xFFFFFFFFFFFFFFFFU; + return res0 == 0xFFFFFFFFFFFFFFFFULL; +} + +/******************************************************************************* + Parsing and Serializing public keys. + + A public key is a point (x, y) on the P-521 NIST curve. + + The point can be represented in the following three ways. + • raw = [ x || y ], 132 bytes + • uncompressed = [ 0x04 || x || y ], 133 bytes + • compressed = [ (0x02 for even `y` and 0x03 for odd `y`) || x ], 33 bytes + +*******************************************************************************/ + +/** +Convert a public key from uncompressed to its raw form. + + The function returns `true` for successful conversion of a public key and `false` otherwise. + + The outparam `pk_raw` points to 132 bytes of valid memory, i.e., uint8_t[132]. + The argument `pk` points to 133 bytes of valid memory, i.e., uint8_t[133]. + + The function DOESN'T check whether (x, y) is a valid point. +*/ +bool +Hacl_P521_uncompressed_to_raw(uint8_t *pk, uint8_t *pk_raw) +{ + uint8_t pk0 = pk[0U]; + if (pk0 != 0x04U) { + return false; + } + memcpy(pk_raw, pk + 1U, 132U * sizeof(uint8_t)); + return true; +} + +/** +Convert a public key from compressed to its raw form. + + The function returns `true` for successful conversion of a public key and `false` otherwise. + + The outparam `pk_raw` points to 132 bytes of valid memory, i.e., uint8_t[132]. + The argument `pk` points to 33 bytes of valid memory, i.e., uint8_t[33]. + + The function also checks whether (x, y) is a valid point. +*/ +bool +Hacl_P521_compressed_to_raw(uint8_t *pk, uint8_t *pk_raw) +{ + uint64_t xa[9U] = { 0U }; + uint64_t ya[9U] = { 0U }; + uint8_t *pk_xb = pk + 1U; + uint8_t s0 = pk[0U]; + uint8_t s01 = s0; + bool b; + if (!(s01 == 0x02U || s01 == 0x03U)) { + b = false; + } else { + uint8_t *xb = pk + 1U; + bn_from_bytes_be(xa, xb); + uint64_t is_x_valid = bn_is_lt_prime_mask(xa); + bool is_x_valid1 = is_x_valid == 0xFFFFFFFFFFFFFFFFULL; + bool is_y_odd = s01 == 0x03U; + if (!is_x_valid1) { + b = false; + } else { + uint64_t y2M[9U] = { 0U }; + uint64_t xM[9U] = { 0U }; + uint64_t yM[9U] = { 0U }; + to_mont(xM, xa); + uint64_t tmp[9U] = { 0U }; + fsqr0(y2M, xM); + fmul0(y2M, y2M, xM); + p521_make_a_coeff(tmp); + fmul0(tmp, tmp, xM); + fadd0(y2M, tmp, y2M); + p521_make_b_coeff(tmp); + fadd0(y2M, tmp, y2M); + p521_fsqrt(yM, y2M); + from_mont(ya, yM); + fsqr0(yM, yM); + uint64_t r = bn_is_eq_mask(yM, y2M); + uint64_t r0 = r; + bool is_y_valid = r0 == 0xFFFFFFFFFFFFFFFFULL; + bool is_y_valid0 = is_y_valid; + if (!is_y_valid0) { + b = false; + } else { + uint64_t is_y_odd1 = ya[0U] & 1ULL; + bool is_y_odd2 = is_y_odd1 == 1ULL; + uint64_t zero[9U] = { 0U }; + if (is_y_odd2 != is_y_odd) { + fsub0(ya, zero, ya); + } + b = true; + } + } + } + if (b) { + memcpy(pk_raw, pk_xb, 66U * sizeof(uint8_t)); + bn_to_bytes_be(pk_raw + 66U, ya); + } + return b; +} + +/** +Convert a public key from raw to its uncompressed form. + + The outparam `pk` points to 133 bytes of valid memory, i.e., uint8_t[133]. + The argument `pk_raw` points to 132 bytes of valid memory, i.e., uint8_t[132]. + + The function DOESN'T check whether (x, y) is a valid point. +*/ +void +Hacl_P521_raw_to_uncompressed(uint8_t *pk_raw, uint8_t *pk) +{ + pk[0U] = 0x04U; + memcpy(pk + 1U, pk_raw, 132U * sizeof(uint8_t)); +} + +/** +Convert a public key from raw to its compressed form. + + The outparam `pk` points to 33 bytes of valid memory, i.e., uint8_t[33]. + The argument `pk_raw` points to 132 bytes of valid memory, i.e., uint8_t[132]. + + The function DOESN'T check whether (x, y) is a valid point. +*/ +void +Hacl_P521_raw_to_compressed(uint8_t *pk_raw, uint8_t *pk) +{ + uint8_t *pk_x = pk_raw; + uint8_t *pk_y = pk_raw + 66U; + uint64_t bn_f[9U] = { 0U }; + bn_from_bytes_be(bn_f, pk_y); + uint64_t is_odd_f = bn_f[0U] & 1ULL; + pk[0U] = (uint32_t)(uint8_t)is_odd_f + 0x02U; + memcpy(pk + 1U, pk_x, 66U * sizeof(uint8_t)); +} + +/******************/ +/* ECDH agreement */ +/******************/ + +/** +Compute the public key from the private key. + + The function returns `true` if a private key is valid and `false` otherwise. + + The outparam `public_key` points to 132 bytes of valid memory, i.e., uint8_t[132]. + The argument `private_key` points to 66 bytes of valid memory, i.e., uint8_t[66]. + + The private key is valid: + • 0 < `private_key` < the order of the curve. +*/ +bool +Hacl_P521_dh_initiator(uint8_t *public_key, uint8_t *private_key) +{ + uint64_t tmp[36U] = { 0U }; + uint64_t *sk = tmp; + uint64_t *pk = tmp + 9U; + uint64_t is_sk_valid = load_qelem_conditional(sk, private_key); + point_mul_g(pk, sk); + uint64_t aff_p[18U] = { 0U }; + uint64_t zinv[9U] = { 0U }; + uint64_t *px = pk; + uint64_t *py0 = pk + 9U; + uint64_t *pz = pk + 18U; + uint64_t *x = aff_p; + uint64_t *y = aff_p + 9U; + p521_finv(zinv, pz); + fmul0(x, px, zinv); + fmul0(y, py0, zinv); + from_mont(x, x); + from_mont(y, y); + uint64_t *px0 = aff_p; + uint64_t *py = aff_p + 9U; + bn_to_bytes_be(public_key, px0); + bn_to_bytes_be(public_key + 66U, py); + return is_sk_valid == 0xFFFFFFFFFFFFFFFFULL; +} + +/** +Execute the diffie-hellmann key exchange. + + The function returns `true` for successful creation of an ECDH shared secret and + `false` otherwise. + + The outparam `shared_secret` points to 132 bytes of valid memory, i.e., uint8_t[132]. + The argument `their_pubkey` points to 132 bytes of valid memory, i.e., uint8_t[132]. + The argument `private_key` points to 66 bytes of valid memory, i.e., uint8_t[66]. + + The function also checks whether `private_key` and `their_pubkey` are valid. +*/ +bool +Hacl_P521_dh_responder(uint8_t *shared_secret, uint8_t *their_pubkey, uint8_t *private_key) +{ + uint64_t tmp[264U] = { 0U }; + uint64_t *sk = tmp; + uint64_t *pk = tmp + 9U; + uint64_t p_aff[18U] = { 0U }; + uint8_t *p_x = their_pubkey; + uint8_t *p_y = their_pubkey + 66U; + uint64_t *bn_p_x = p_aff; + uint64_t *bn_p_y = p_aff + 9U; + bn_from_bytes_be(bn_p_x, p_x); + bn_from_bytes_be(bn_p_y, p_y); + uint64_t *px0 = p_aff; + uint64_t *py0 = p_aff + 9U; + uint64_t lessX = bn_is_lt_prime_mask(px0); + uint64_t lessY = bn_is_lt_prime_mask(py0); + uint64_t res0 = lessX & lessY; + bool is_xy_valid = res0 == 0xFFFFFFFFFFFFFFFFULL; + bool res; + if (!is_xy_valid) { + res = false; + } else { + uint64_t rp[9U] = { 0U }; + uint64_t tx[9U] = { 0U }; + uint64_t ty[9U] = { 0U }; + uint64_t *px = p_aff; + uint64_t *py = p_aff + 9U; + to_mont(tx, px); + to_mont(ty, py); + uint64_t tmp1[9U] = { 0U }; + fsqr0(rp, tx); + fmul0(rp, rp, tx); + p521_make_a_coeff(tmp1); + fmul0(tmp1, tmp1, tx); + fadd0(rp, tmp1, rp); + p521_make_b_coeff(tmp1); + fadd0(rp, tmp1, rp); + fsqr0(ty, ty); + uint64_t r = bn_is_eq_mask(ty, rp); + uint64_t r0 = r; + bool r1 = r0 == 0xFFFFFFFFFFFFFFFFULL; + res = r1; + } + if (res) { + uint64_t *px = p_aff; + uint64_t *py = p_aff + 9U; + uint64_t *rx = pk; + uint64_t *ry = pk + 9U; + uint64_t *rz = pk + 18U; + to_mont(rx, px); + to_mont(ry, py); + p521_make_fone(rz); + } + bool is_pk_valid = res; + uint64_t is_sk_valid = load_qelem_conditional(sk, private_key); + uint64_t ss_proj[27U] = { 0U }; + if (is_pk_valid) { + point_mul(ss_proj, sk, pk); + uint64_t aff_p[18U] = { 0U }; + uint64_t zinv[9U] = { 0U }; + uint64_t *px = ss_proj; + uint64_t *py1 = ss_proj + 9U; + uint64_t *pz = ss_proj + 18U; + uint64_t *x = aff_p; + uint64_t *y = aff_p + 9U; + p521_finv(zinv, pz); + fmul0(x, px, zinv); + fmul0(y, py1, zinv); + from_mont(x, x); + from_mont(y, y); + uint64_t *px1 = aff_p; + uint64_t *py = aff_p + 9U; + bn_to_bytes_be(shared_secret, px1); + bn_to_bytes_be(shared_secret + 66U, py); + } + return is_sk_valid == 0xFFFFFFFFFFFFFFFFULL && is_pk_valid; } diff --git a/nss/lib/freebl/verified/Hacl_P521.h b/nss/lib/freebl/verified/Hacl_P521.h index d7afebd..aaf601a 100644 --- a/nss/lib/freebl/verified/Hacl_P521.h +++ b/nss/lib/freebl/verified/Hacl_P521.h @@ -35,11 +35,99 @@ extern "C" { #include "lib_intrinsics.h" +/******************************************************************************* + + Verified C library for ECDSA and ECDH functions over the P-521 NIST curve. + + This module implements signing and verification, key validation, conversions + between various point representations, and ECDH key agreement. + +*******************************************************************************/ + +/*****************/ +/* ECDSA signing */ +/*****************/ + +/** +Create an ECDSA signature WITHOUT hashing first. + + This function is intended to receive a hash of the input. + For convenience, we recommend using one of the hash-and-sign combined functions above. + + The argument `msg` MUST be at least 66 bytes (i.e. `msg_len >= 66`). + + NOTE: The equivalent functions in OpenSSL and Fiat-Crypto both accept inputs + smaller than 66 bytes. These libraries left-pad the input with enough zeroes to + reach the minimum 66 byte size. Clients who need behavior identical to OpenSSL + need to perform the left-padding themselves. + + The function returns `true` for successful creation of an ECDSA signature and `false` otherwise. + + The outparam `signature` (R || S) points to 132 bytes of valid memory, i.e., uint8_t[132]. + The argument `msg` points to `msg_len` bytes of valid memory, i.e., uint8_t[msg_len]. + The arguments `private_key` and `nonce` point to 66 bytes of valid memory, i.e., uint8_t[66]. + + The function also checks whether `private_key` and `nonce` are valid values: + • 0 < `private_key` < the order of the curve + • 0 < `nonce` < the order of the curve +*/ +bool +Hacl_P521_ecdsa_sign_p521_without_hash( + uint8_t *signature, + uint32_t msg_len, + uint8_t *msg, + uint8_t *private_key, + uint8_t *nonce); + +/**********************/ +/* ECDSA verification */ +/**********************/ + +/** +Verify an ECDSA signature WITHOUT hashing first. + + This function is intended to receive a hash of the input. + For convenience, we recommend using one of the hash-and-verify combined functions above. + + The argument `msg` MUST be at least 66 bytes (i.e. `msg_len >= 66`). + + The function returns `true` if the signature is valid and `false` otherwise. + + The argument `msg` points to `msg_len` bytes of valid memory, i.e., uint8_t[msg_len]. + The argument `public_key` (x || y) points to 132 bytes of valid memory, i.e., uint8_t[132]. + The arguments `signature_r` and `signature_s` point to 66 bytes of valid memory, i.e., uint8_t[66]. + + The function also checks whether `public_key` is valid +*/ +bool +Hacl_P521_ecdsa_verif_without_hash( + uint32_t msg_len, + uint8_t *msg, + uint8_t *public_key, + uint8_t *signature_r, + uint8_t *signature_s); + /******************/ /* Key validation */ /******************/ /** +Public key validation. + + The function returns `true` if a public key is valid and `false` otherwise. + + The argument `public_key` points to 132 bytes of valid memory, i.e., uint8_t[132]. + + The public key (x || y) is valid (with respect to SP 800-56A): + • the public key is not the “point at infinity”, represented as O. + • the affine x and y coordinates of the point represented by the public key are + in the range [0, p – 1] where p is the prime defining the finite field. + • y^2 = x^3 + ax + b where a and b are the coefficients of the curve equation. + The last extract is taken from: https://neilmadden.blog/2017/05/17/so-how-do-you-validate-nist-ecdh-public-keys/ +*/ +bool Hacl_P521_validate_public_key(uint8_t *public_key); + +/** Private key validation. The function returns `true` if a private key is valid and `false` otherwise. @@ -51,6 +139,94 @@ Private key validation. */ bool Hacl_P521_validate_private_key(uint8_t *private_key); +/******************************************************************************* + Parsing and Serializing public keys. + + A public key is a point (x, y) on the P-521 NIST curve. + + The point can be represented in the following three ways. + • raw = [ x || y ], 132 bytes + • uncompressed = [ 0x04 || x || y ], 133 bytes + • compressed = [ (0x02 for even `y` and 0x03 for odd `y`) || x ], 33 bytes + +*******************************************************************************/ + +/** +Convert a public key from uncompressed to its raw form. + + The function returns `true` for successful conversion of a public key and `false` otherwise. + + The outparam `pk_raw` points to 132 bytes of valid memory, i.e., uint8_t[132]. + The argument `pk` points to 133 bytes of valid memory, i.e., uint8_t[133]. + + The function DOESN'T check whether (x, y) is a valid point. +*/ +bool Hacl_P521_uncompressed_to_raw(uint8_t *pk, uint8_t *pk_raw); + +/** +Convert a public key from compressed to its raw form. + + The function returns `true` for successful conversion of a public key and `false` otherwise. + + The outparam `pk_raw` points to 132 bytes of valid memory, i.e., uint8_t[132]. + The argument `pk` points to 33 bytes of valid memory, i.e., uint8_t[33]. + + The function also checks whether (x, y) is a valid point. +*/ +bool Hacl_P521_compressed_to_raw(uint8_t *pk, uint8_t *pk_raw); + +/** +Convert a public key from raw to its uncompressed form. + + The outparam `pk` points to 133 bytes of valid memory, i.e., uint8_t[133]. + The argument `pk_raw` points to 132 bytes of valid memory, i.e., uint8_t[132]. + + The function DOESN'T check whether (x, y) is a valid point. +*/ +void Hacl_P521_raw_to_uncompressed(uint8_t *pk_raw, uint8_t *pk); + +/** +Convert a public key from raw to its compressed form. + + The outparam `pk` points to 33 bytes of valid memory, i.e., uint8_t[33]. + The argument `pk_raw` points to 132 bytes of valid memory, i.e., uint8_t[132]. + + The function DOESN'T check whether (x, y) is a valid point. +*/ +void Hacl_P521_raw_to_compressed(uint8_t *pk_raw, uint8_t *pk); + +/******************/ +/* ECDH agreement */ +/******************/ + +/** +Compute the public key from the private key. + + The function returns `true` if a private key is valid and `false` otherwise. + + The outparam `public_key` points to 132 bytes of valid memory, i.e., uint8_t[132]. + The argument `private_key` points to 66 bytes of valid memory, i.e., uint8_t[66]. + + The private key is valid: + • 0 < `private_key` < the order of the curve. +*/ +bool Hacl_P521_dh_initiator(uint8_t *public_key, uint8_t *private_key); + +/** +Execute the diffie-hellmann key exchange. + + The function returns `true` for successful creation of an ECDH shared secret and + `false` otherwise. + + The outparam `shared_secret` points to 132 bytes of valid memory, i.e., uint8_t[132]. + The argument `their_pubkey` points to 132 bytes of valid memory, i.e., uint8_t[132]. + The argument `private_key` points to 66 bytes of valid memory, i.e., uint8_t[66]. + + The function also checks whether `private_key` and `their_pubkey` are valid. +*/ +bool +Hacl_P521_dh_responder(uint8_t *shared_secret, uint8_t *their_pubkey, uint8_t *private_key); + #if defined(__cplusplus) } #endif diff --git a/nss/lib/freebl/verified/karamel/include/krml/internal/target.h b/nss/lib/freebl/verified/karamel/include/krml/internal/target.h index 198d65f..675c91a 100644 --- a/nss/lib/freebl/verified/karamel/include/krml/internal/target.h +++ b/nss/lib/freebl/verified/karamel/include/krml/internal/target.h @@ -57,6 +57,10 @@ #define KRML_HOST_IGNORE(x) (void)(x) #endif +#ifndef KRML_MAYBE_UNUSED_VAR +#define KRML_MAYBE_UNUSED_VAR(x) KRML_HOST_IGNORE(x) +#endif + #ifndef KRML_MAYBE_UNUSED #if defined(__GNUC__) #define KRML_MAYBE_UNUSED __attribute__((unused)) diff --git a/nss/lib/mozpkix/include/pkix-test/pkixtestutil.h b/nss/lib/mozpkix/include/pkix-test/pkixtestutil.h index b100f7f..2b82bf1 100644 --- a/nss/lib/mozpkix/include/pkix-test/pkixtestutil.h +++ b/nss/lib/mozpkix/include/pkix-test/pkixtestutil.h @@ -409,6 +409,8 @@ class OCSPResponseContext final { OCSPResponseExtension* singleExtensions; // ResponseData extensions. OCSPResponseExtension* responseExtensions; + const ByteString* trailingResponseData; // optional; trailing data to include + // at the end of the ResponseData. bool includeEmptyExtensions; // If true, include the extension wrapper // regardless of if there are any actual // extensions. diff --git a/nss/lib/mozpkix/lib/pkixcheck.cpp b/nss/lib/mozpkix/lib/pkixcheck.cpp index 9b255b3..8b7e1bf 100644 --- a/nss/lib/mozpkix/lib/pkixcheck.cpp +++ b/nss/lib/mozpkix/lib/pkixcheck.cpp @@ -131,9 +131,11 @@ CheckIssuer(Input encodedIssuer) { // "The issuer field MUST contain a non-empty distinguished name (DN)." Reader issuer(encodedIssuer); - Input encodedRDNs; - ExpectTagAndGetValue(issuer, der::SEQUENCE, encodedRDNs); - Reader rdns(encodedRDNs); + Reader rdns; + Result rv = der::ExpectTagAndGetValueAtEnd(issuer, der::SEQUENCE, rdns); + if (rv != Success) { + return rv; + } // Check that the issuer name contains at least one RDN // (Note: this does not check related grammar rules, such as there being one // or more AVAs in each RDN, or the values in AVAs not being empty strings) @@ -420,7 +422,7 @@ CheckKeyUsage(EndEntityOrCA endEntityOrCA, const Input* encodedKeyUsage, Reader input(*encodedKeyUsage); Reader value; - if (der::ExpectTagAndGetValue(input, der::BIT_STRING, value) != Success) { + if (der::ExpectTagAndGetValueAtEnd(input, der::BIT_STRING, value) != Success) { return Result::ERROR_INADEQUATE_KEY_USAGE; } @@ -914,7 +916,7 @@ TLSFeaturesSatisfiedInternal(const Input* requiredTLSFeatures, const static uint8_t status_request_bytes[] = { status_request }; Reader input(*requiredTLSFeatures); - return der::NestedOf(input, der::SEQUENCE, der::INTEGER, + Result rv = der::NestedOf(input, der::SEQUENCE, der::INTEGER, der::EmptyAllowed::No, [&](Reader& r) { if (!r.MatchRest(status_request_bytes)) { return Result::ERROR_REQUIRED_TLS_FEATURE_MISSING; @@ -926,6 +928,10 @@ TLSFeaturesSatisfiedInternal(const Input* requiredTLSFeatures, return Result::Success; }); + if (rv != Success) { + return rv; + } + return der::End(input); } Result diff --git a/nss/lib/mozpkix/lib/pkixocsp.cpp b/nss/lib/mozpkix/lib/pkixocsp.cpp index d725e55..fc6d172 100644 --- a/nss/lib/mozpkix/lib/pkixocsp.cpp +++ b/nss/lib/mozpkix/lib/pkixocsp.cpp @@ -520,9 +520,14 @@ ResponseData(Reader& input, Context& context, return rv; } - return der::OptionalExtensions(input, - der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 1, - ExtensionNotUnderstood); + rv = der::OptionalExtensions(input, + der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 1, + ExtensionNotUnderstood); + if (rv != Success) { + return rv; + } + + return der::End(input); } // SingleResponse ::= SEQUENCE { diff --git a/nss/lib/mozpkix/test-lib/pkixtestutil.cpp b/nss/lib/mozpkix/test-lib/pkixtestutil.cpp index 306f7a0..a294ad2 100644 --- a/nss/lib/mozpkix/test-lib/pkixtestutil.cpp +++ b/nss/lib/mozpkix/test-lib/pkixtestutil.cpp @@ -163,6 +163,7 @@ OCSPResponseContext::OCSPResponseContext(const CertID& aCertID, time_t time) , producedAt(time) , singleExtensions(nullptr) , responseExtensions(nullptr) + , trailingResponseData(nullptr) , includeEmptyExtensions(false) , signatureAlgorithm(sha256WithRSAEncryption()) , badSignature(false) @@ -958,6 +959,9 @@ ResponseData(OCSPResponseContext& context) value.append(producedAtEncoded); value.append(responses); value.append(responseExtensions); + if (context.trailingResponseData) { + value.append(*(context.trailingResponseData)); + } return TLV(der::SEQUENCE, value); } diff --git a/nss/lib/nss/nss.def b/nss/lib/nss/nss.def index e3ace27..7c9bdda 100644 --- a/nss/lib/nss/nss.def +++ b/nss/lib/nss/nss.def @@ -1256,3 +1256,17 @@ SECMOD_LockedModuleHasRemovableSlots; ;+ local: ;+ *; ;+}; +;+NSS_3.101 { # NSS 3.101 release +;+ global: +HASH_GetHashOidTagByHMACOidTag; +PK11_GetMaxKeyLength; +PK11_ReadDistrustAfterAttribute; +SEC_GetMgfTypeByOidTag; +SEC_PKCS5GetCryptoFromAlgTag; +SEC_PKCS5GetHashAlgorithm; +SEC_PKCS5GetHashFromAlgTag; +SECKEY_EnforceKeySize; +SECKEY_PrivateKeyStrengthInBits; +;+ local: +;+ *; +;+}; diff --git a/nss/lib/nss/nss.h b/nss/lib/nss/nss.h index d88116f..258457a 100644 --- a/nss/lib/nss/nss.h +++ b/nss/lib/nss/nss.h @@ -22,9 +22,9 @@ * The format of the version string should be * "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]" */ -#define NSS_VERSION "3.100" _NSS_CUSTOMIZED +#define NSS_VERSION "3.101" _NSS_CUSTOMIZED #define NSS_VMAJOR 3 -#define NSS_VMINOR 100 +#define NSS_VMINOR 101 #define NSS_VPATCH 0 #define NSS_VBUILD 0 #define NSS_BETA PR_FALSE @@ -307,8 +307,8 @@ SECStatus NSS_UnregisterShutdown(NSS_ShutdownFunc sFunc, void *appData); * NSS_KEY_SIZE_POLICY_FLAGS sets and clears all the flags to the input * value * On get it returns all the flags - * NSS_KEY_SIZE_POLICY_SET_FLAGS sets only the flags=1 in theinput value and - * does not affect the other flags + * NSS_KEY_SIZE_POLICY_SET_FLAGS sets only the flags=1 in the input value + * and does not affect the other flags * On get it returns all the flags * NSS_KEY_SIZE_POLICY_CLEAR_FLAGS clears only the flags=1 in the input * value and does not affect the other flags @@ -321,6 +321,8 @@ SECStatus NSS_UnregisterShutdown(NSS_ShutdownFunc sFunc, void *appData); #define NSS_KEY_SIZE_POLICY_SSL_FLAG 1 #define NSS_KEY_SIZE_POLICY_VERIFY_FLAG 2 #define NSS_KEY_SIZE_POLICY_SIGN_FLAG 4 +#define NSS_KEY_SIZE_POLICY_SMIME_FLAG 8 +#define NSS_KEY_SIZE_POLICY_ALL_FLAGS 0x0f #define NSS_ECC_MIN_KEY_SIZE 0x011 diff --git a/nss/lib/nss/nssinit.c b/nss/lib/nss/nssinit.c index fd0684f..e324a67 100644 --- a/nss/lib/nss/nssinit.c +++ b/nss/lib/nss/nssinit.c @@ -764,9 +764,9 @@ nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix, if (pkixError != NULL) { goto loser; } else { - char *ev = PR_GetEnvSecure("NSS_ENABLE_PKIX_VERIFY"); + char *ev = PR_GetEnvSecure("NSS_DISABLE_PKIX_VERIFY"); if (ev && ev[0]) { - CERT_SetUsePKIXForValidation(PR_TRUE); + CERT_SetUsePKIXForValidation(PR_FALSE); } } #endif /* NSS_DISABLE_LIBPKIX */ diff --git a/nss/lib/nss/nssoptions.c b/nss/lib/nss/nssoptions.c index cc637ff..7eae6b1 100644 --- a/nss/lib/nss/nssoptions.c +++ b/nss/lib/nss/nssoptions.c @@ -40,7 +40,7 @@ static struct nssOps nss_ops = { 0xffff, PR_FALSE, 0, - NSS_KEY_SIZE_POLICY_SSL_FLAG, + NSS_KEY_SIZE_POLICY_ALL_FLAGS, SSL_ECC_MIN_CURVE_BITS }; diff --git a/nss/lib/nss/utilwrap.c b/nss/lib/nss/utilwrap.c index 48e147d..2ba689a 100644 --- a/nss/lib/nss/utilwrap.c +++ b/nss/lib/nss/utilwrap.c @@ -16,6 +16,7 @@ #include "nssrwlk.h" #include "cert.h" #include "prerror.h" +#include "nsshash.h" /* wrappers for implementation in libnssutil3 */ #undef ATOB_AsciiToData @@ -127,6 +128,10 @@ #undef SGN_CopyDigestInfo #undef SGN_CreateDigestInfo #undef SGN_DestroyDigestInfo +#undef HASH_GetHashTypeByOidTag +#undef HASH_GetHashOidTagByHashType +#undef HASH_GetHashOidTagByHMACOidTag +#undef HASH_GetHMACOidTagByHashOidTag void * PORT_Alloc(size_t bytes) @@ -844,6 +849,30 @@ __nss_InitLock(PZLock **ppLock, nssILockType ltype) return SECFailure; } +HASH_HashType +HASH_GetHashTypeByOidTag(SECOidTag hashOid) +{ + return HASH_GetHashTypeByOidTag_Util(hashOid); +} + +SECOidTag +HASH_GetHashOidTagByHashType(HASH_HashType type) +{ + return HASH_GetHashOidTagByHashType_Util(type); +} + +SECOidTag +HASH_GetHashOidTagByHMACOidTag(SECOidTag hmacOid) +{ + return HASH_GetHashOidTagByHMACOidTag_Util(hmacOid); +} + +SECOidTag +HASH_GetHMACOidTagByHashOidTag(SECOidTag hashOid) +{ + return HASH_GetHMACOidTagByHashOidTag_Util(hashOid); +} + /* templates duplicated in libnss3 and libnssutil3 */ #undef NSS_Get_SEC_AnyTemplate diff --git a/nss/lib/pk11wrap/pk11nobj.c b/nss/lib/pk11wrap/pk11nobj.c index 586ed80..4e34663 100644 --- a/nss/lib/pk11wrap/pk11nobj.c +++ b/nss/lib/pk11wrap/pk11nobj.c @@ -550,6 +550,34 @@ SEC_DeletePermCRL(CERTSignedCrl *crl) return (status == PR_SUCCESS) ? SECSuccess : SECFailure; } +/* search with email with and without NULL + * The sql database accepts the email with a NULL as it's written, + * the dbm database strips the NULL on write so won't match if + * it's there on find */ +static CK_OBJECT_HANDLE +pk11_FindSMimeObjectByTemplate(PK11SlotInfo *slot, + CK_ATTRIBUTE *theTemplate, size_t tsize) +{ + CK_OBJECT_HANDLE smimeh = CK_INVALID_HANDLE; + CK_ATTRIBUTE *last; + + PORT_Assert(tsize != 0); + + smimeh = pk11_FindObjectByTemplate(slot, theTemplate, (int)tsize); + if (smimeh != CK_INVALID_HANDLE) { + return smimeh; + } + last = &theTemplate[tsize - 1]; + if ((last->type == CKA_NSS_EMAIL) && (last->ulValueLen != 0)) { + CK_ULONG save_len = last->ulValueLen; + last->ulValueLen--; + smimeh = pk11_FindObjectByTemplate(slot, theTemplate, (int)tsize); + last->ulValueLen = save_len; /* restore the original */ + return smimeh; + } + return CK_INVALID_HANDLE; +} + /* * return the certificate associated with a derCert */ @@ -559,8 +587,8 @@ PK11_FindSMimeProfile(PK11SlotInfo **slot, char *emailAddr, { CK_OBJECT_CLASS smimeClass = CKO_NSS_SMIME; CK_ATTRIBUTE theTemplate[] = { - { CKA_SUBJECT, NULL, 0 }, { CKA_CLASS, NULL, 0 }, + { CKA_SUBJECT, NULL, 0 }, { CKA_NSS_EMAIL, NULL, 0 }, }; CK_ATTRIBUTE smimeData[] = { @@ -579,15 +607,15 @@ PK11_FindSMimeProfile(PK11SlotInfo **slot, char *emailAddr, return NULL; } - PK11_SETATTRS(attrs, CKA_SUBJECT, name->data, name->len); - attrs++; PK11_SETATTRS(attrs, CKA_CLASS, &smimeClass, sizeof(smimeClass)); attrs++; - PK11_SETATTRS(attrs, CKA_NSS_EMAIL, emailAddr, strlen(emailAddr)); + PK11_SETATTRS(attrs, CKA_SUBJECT, name->data, name->len); + attrs++; + PK11_SETATTRS(attrs, CKA_NSS_EMAIL, emailAddr, strlen(emailAddr) + 1); attrs++; if (*slot) { - smimeh = pk11_FindObjectByTemplate(*slot, theTemplate, tsize); + smimeh = pk11_FindSMimeObjectByTemplate(*slot, theTemplate, tsize); } else { PK11SlotList *list = PK11_GetAllTokens(CKM_INVALID_MECHANISM, PR_FALSE, PR_TRUE, NULL); @@ -598,7 +626,7 @@ PK11_FindSMimeProfile(PK11SlotInfo **slot, char *emailAddr, } /* loop through all the slots */ for (le = list->head; le; le = le->next) { - smimeh = pk11_FindObjectByTemplate(le->slot, theTemplate, tsize); + smimeh = pk11_FindSMimeObjectByTemplate(le->slot, theTemplate, tsize); if (smimeh != CK_INVALID_HANDLE) { *slot = PK11_ReferenceSlot(le->slot); break; diff --git a/nss/lib/pk11wrap/pk11obj.c b/nss/lib/pk11wrap/pk11obj.c index 5759408..4415273 100644 --- a/nss/lib/pk11wrap/pk11obj.c +++ b/nss/lib/pk11wrap/pk11obj.c @@ -8,6 +8,7 @@ #include <stddef.h> #include "seccomon.h" +#include "secder.h" #include "secmod.h" #include "secmodi.h" #include "secmodti.h" @@ -1807,6 +1808,55 @@ PK11_ReadRawAttributes(PLArenaPool *arena, PK11ObjectType objType, void *objSpec return SECSuccess; } +SECStatus +PK11_ReadDistrustAfterAttribute(PK11SlotInfo *slot, + CK_OBJECT_HANDLE object, + CK_ATTRIBUTE_TYPE type, + /* out */ PRBool *distrusted, + /* out */ PRTime *time) +{ + if (!slot || !distrusted || !time) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + if (type != CKA_NSS_SERVER_DISTRUST_AFTER && type != CKA_NSS_EMAIL_DISTRUST_AFTER) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + // The CKA_NSS_SERVER_DISTRUST_AFTER and CKA_NSS_EMAIL_DISTRUST_AFTER + // attributes have either a 13 byte UTCTime value or a 1 byte value + // (equal to 0) indicating that no distrust after date is set. + unsigned char buf[13] = { 0 }; + CK_ATTRIBUTE attr = { .type = type, .pValue = buf, .ulValueLen = sizeof buf }; + CK_RV crv; + + PK11_EnterSlotMonitor(slot); + crv = PK11_GETTAB(slot)->C_GetAttributeValue(slot->session, object, &attr, 1); + PK11_ExitSlotMonitor(slot); + if (crv != CKR_OK) { + PORT_SetError(PK11_MapError(crv)); + return SECFailure; + } + + if (attr.ulValueLen == 1 && buf[0] == 0) { + // The distrust after date is not set. + *distrusted = PR_FALSE; + return SECSuccess; + } + + if (attr.ulValueLen != sizeof buf) { + // Ensure the date is encoded in the expected 13 byte format. + PORT_SetError(SEC_ERROR_INVALID_TIME); + return SECFailure; + } + + *distrusted = PR_TRUE; + SECItem item = { siUTCTime, buf, sizeof buf }; + return DER_UTCTimeToTime(time, &item); +} + /* * return the object handle that matches the template */ diff --git a/nss/lib/pk11wrap/pk11pars.c b/nss/lib/pk11wrap/pk11pars.c index 45b4a59..4fc1601 100644 --- a/nss/lib/pk11wrap/pk11pars.c +++ b/nss/lib/pk11wrap/pk11pars.c @@ -329,52 +329,98 @@ static const oidValDef curveOptList[] = { static const oidValDef hashOptList[] = { /* Hashes */ { CIPHER_NAME("MD2"), SEC_OID_MD2, - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE }, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE | NSS_USE_ALG_IN_SMIME | + NSS_USE_ALG_IN_PKCS12 }, { CIPHER_NAME("MD4"), SEC_OID_MD4, - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE }, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE | NSS_USE_ALG_IN_SMIME | + NSS_USE_ALG_IN_PKCS12 }, { CIPHER_NAME("MD5"), SEC_OID_MD5, - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE }, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE | NSS_USE_ALG_IN_SMIME | + NSS_USE_ALG_IN_PKCS12 }, { CIPHER_NAME("SHA1"), SEC_OID_SHA1, - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE }, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE | NSS_USE_ALG_IN_SMIME | + NSS_USE_ALG_IN_PKCS12 }, { CIPHER_NAME("SHA224"), SEC_OID_SHA224, - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE }, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE | NSS_USE_ALG_IN_SMIME | + NSS_USE_ALG_IN_PKCS12 }, { CIPHER_NAME("SHA256"), SEC_OID_SHA256, - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE }, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE | NSS_USE_ALG_IN_SMIME | + NSS_USE_ALG_IN_PKCS12 }, { CIPHER_NAME("SHA384"), SEC_OID_SHA384, - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE }, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE | NSS_USE_ALG_IN_SMIME | + NSS_USE_ALG_IN_PKCS12 }, { CIPHER_NAME("SHA512"), SEC_OID_SHA512, - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE } + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE | NSS_USE_ALG_IN_SMIME | + NSS_USE_ALG_IN_PKCS12 }, + { CIPHER_NAME("SHA3-224"), SEC_OID_SHA3_224, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE | NSS_USE_ALG_IN_SMIME | + NSS_USE_ALG_IN_PKCS12 }, + { CIPHER_NAME("SHA3-256"), SEC_OID_SHA3_256, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE | NSS_USE_ALG_IN_SMIME | + NSS_USE_ALG_IN_PKCS12 }, + { CIPHER_NAME("SHA3-384"), SEC_OID_SHA3_384, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE | NSS_USE_ALG_IN_SMIME | + NSS_USE_ALG_IN_PKCS12 }, + { CIPHER_NAME("SHA3-512"), SEC_OID_SHA3_512, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE | NSS_USE_ALG_IN_SMIME | + NSS_USE_ALG_IN_PKCS12 } }; static const oidValDef macOptList[] = { /* MACs */ - { CIPHER_NAME("HMAC-SHA1"), SEC_OID_HMAC_SHA1, NSS_USE_ALG_IN_SSL }, - { CIPHER_NAME("HMAC-SHA224"), SEC_OID_HMAC_SHA224, NSS_USE_ALG_IN_SSL }, - { CIPHER_NAME("HMAC-SHA256"), SEC_OID_HMAC_SHA256, NSS_USE_ALG_IN_SSL }, - { CIPHER_NAME("HMAC-SHA384"), SEC_OID_HMAC_SHA384, NSS_USE_ALG_IN_SSL }, - { CIPHER_NAME("HMAC-SHA512"), SEC_OID_HMAC_SHA512, NSS_USE_ALG_IN_SSL }, - { CIPHER_NAME("HMAC-MD5"), SEC_OID_HMAC_MD5, NSS_USE_ALG_IN_SSL }, + { CIPHER_NAME("HMAC-MD5"), SEC_OID_HMAC_MD5, + NSS_USE_ALG_IN_SSL | NSS_USE_ALG_IN_PKCS12 }, + { CIPHER_NAME("HMAC-SHA1"), SEC_OID_HMAC_SHA1, + NSS_USE_ALG_IN_SSL | NSS_USE_ALG_IN_PKCS12 }, + { CIPHER_NAME("HMAC-SHA224"), SEC_OID_HMAC_SHA224, + NSS_USE_ALG_IN_SSL | NSS_USE_ALG_IN_PKCS12 }, + { CIPHER_NAME("HMAC-SHA256"), SEC_OID_HMAC_SHA256, + NSS_USE_ALG_IN_SSL | NSS_USE_ALG_IN_PKCS12 }, + { CIPHER_NAME("HMAC-SHA384"), SEC_OID_HMAC_SHA384, + NSS_USE_ALG_IN_SSL | NSS_USE_ALG_IN_PKCS12 }, + { CIPHER_NAME("HMAC-SHA512"), SEC_OID_HMAC_SHA512, + NSS_USE_ALG_IN_SSL | NSS_USE_ALG_IN_PKCS12 }, + { CIPHER_NAME("HMAC-SHA3-224"), SEC_OID_HMAC_SHA3_224, + NSS_USE_ALG_IN_SSL | NSS_USE_ALG_IN_PKCS12 }, + { CIPHER_NAME("HMAC-SHA3-256"), SEC_OID_HMAC_SHA3_256, + NSS_USE_ALG_IN_SSL | NSS_USE_ALG_IN_PKCS12 }, + { CIPHER_NAME("HMAC-SHA3-384"), SEC_OID_HMAC_SHA3_384, + NSS_USE_ALG_IN_SSL | NSS_USE_ALG_IN_PKCS12 }, + { CIPHER_NAME("HMAC-SHA3-512"), SEC_OID_HMAC_SHA3_512, + NSS_USE_ALG_IN_SSL | NSS_USE_ALG_IN_PKCS12 }, }; static const oidValDef cipherOptList[] = { /* Ciphers */ - { CIPHER_NAME("AES128-CBC"), SEC_OID_AES_128_CBC, NSS_USE_ALG_IN_SSL }, - { CIPHER_NAME("AES192-CBC"), SEC_OID_AES_192_CBC, NSS_USE_ALG_IN_SSL }, - { CIPHER_NAME("AES256-CBC"), SEC_OID_AES_256_CBC, NSS_USE_ALG_IN_SSL }, + { CIPHER_NAME("AES128-CBC"), SEC_OID_AES_128_CBC, + NSS_USE_ALG_IN_SSL | NSS_USE_ALG_IN_SMIME | NSS_USE_ALG_IN_PKCS12 }, + { CIPHER_NAME("AES192-CBC"), SEC_OID_AES_192_CBC, + NSS_USE_ALG_IN_SSL | NSS_USE_ALG_IN_SMIME | NSS_USE_ALG_IN_PKCS12 }, + { CIPHER_NAME("AES256-CBC"), SEC_OID_AES_256_CBC, + NSS_USE_ALG_IN_SSL | NSS_USE_ALG_IN_SMIME | NSS_USE_ALG_IN_PKCS12 }, { CIPHER_NAME("AES128-GCM"), SEC_OID_AES_128_GCM, NSS_USE_ALG_IN_SSL }, { CIPHER_NAME("AES192-GCM"), SEC_OID_AES_192_GCM, NSS_USE_ALG_IN_SSL }, { CIPHER_NAME("AES256-GCM"), SEC_OID_AES_256_GCM, NSS_USE_ALG_IN_SSL }, - { CIPHER_NAME("CAMELLIA128-CBC"), SEC_OID_CAMELLIA_128_CBC, NSS_USE_ALG_IN_SSL }, - { CIPHER_NAME("CAMELLIA192-CBC"), SEC_OID_CAMELLIA_192_CBC, NSS_USE_ALG_IN_SSL }, - { CIPHER_NAME("CAMELLIA256-CBC"), SEC_OID_CAMELLIA_256_CBC, NSS_USE_ALG_IN_SSL }, + { CIPHER_NAME("CAMELLIA128-CBC"), SEC_OID_CAMELLIA_128_CBC, + NSS_USE_ALG_IN_SSL | NSS_USE_ALG_IN_SMIME | NSS_USE_ALG_IN_PKCS12 }, + { CIPHER_NAME("CAMELLIA192-CBC"), SEC_OID_CAMELLIA_192_CBC, + NSS_USE_ALG_IN_SSL | NSS_USE_ALG_IN_SMIME | NSS_USE_ALG_IN_PKCS12 }, + { CIPHER_NAME("CAMELLIA256-CBC"), SEC_OID_CAMELLIA_256_CBC, + NSS_USE_ALG_IN_SSL | NSS_USE_ALG_IN_SMIME | NSS_USE_ALG_IN_PKCS12 }, { CIPHER_NAME("CHACHA20-POLY1305"), SEC_OID_CHACHA20_POLY1305, NSS_USE_ALG_IN_SSL }, - { CIPHER_NAME("SEED-CBC"), SEC_OID_SEED_CBC, NSS_USE_ALG_IN_SSL }, - { CIPHER_NAME("DES-EDE3-CBC"), SEC_OID_DES_EDE3_CBC, NSS_USE_ALG_IN_SSL }, - { CIPHER_NAME("DES-40-CBC"), SEC_OID_DES_40_CBC, NSS_USE_ALG_IN_SSL }, + { CIPHER_NAME("SEED-CBC"), SEC_OID_SEED_CBC, + NSS_USE_ALG_IN_SSL | NSS_USE_ALG_IN_SMIME | NSS_USE_ALG_IN_PKCS12 }, + { CIPHER_NAME("DES-EDE3-CBC"), SEC_OID_DES_EDE3_CBC, + NSS_USE_ALG_IN_SSL | NSS_USE_ALG_IN_SMIME | NSS_USE_ALG_IN_PKCS12 }, + { CIPHER_NAME("DES-40-CBC"), SEC_OID_DES_40_CBC, + NSS_USE_ALG_IN_SSL | NSS_USE_ALG_IN_SMIME | NSS_USE_ALG_IN_PKCS12 }, { CIPHER_NAME("DES-CBC"), SEC_OID_DES_CBC, NSS_USE_ALG_IN_SSL }, { CIPHER_NAME("NULL-CIPHER"), SEC_OID_NULL_CIPHER, NSS_USE_ALG_IN_SSL }, - { CIPHER_NAME("RC2"), SEC_OID_RC2_CBC, NSS_USE_ALG_IN_SSL }, - { CIPHER_NAME("RC4"), SEC_OID_RC4, NSS_USE_ALG_IN_SSL }, + { CIPHER_NAME("RC2"), SEC_OID_RC2_CBC, NSS_USE_ALG_IN_SSL | NSS_USE_ALG_IN_PKCS12 }, + { CIPHER_NAME("RC2-40-CBC"), SEC_OID_RC2_40_CBC, NSS_USE_ALG_IN_SMIME }, + { CIPHER_NAME("RC2-64-CBC"), SEC_OID_RC2_64_CBC, NSS_USE_ALG_IN_SMIME }, + { CIPHER_NAME("RC2-128-CBC"), SEC_OID_RC2_128_CBC, NSS_USE_ALG_IN_SMIME }, + { CIPHER_NAME("RC4"), SEC_OID_RC4, NSS_USE_ALG_IN_SSL | NSS_USE_ALG_IN_PKCS12 }, { CIPHER_NAME("IDEA"), SEC_OID_IDEA_CBC, NSS_USE_ALG_IN_SSL }, }; @@ -392,6 +438,14 @@ static const oidValDef kxOptList[] = { { CIPHER_NAME("ECDH-RSA"), SEC_OID_TLS_ECDH_RSA, NSS_USE_ALG_IN_SSL_KX }, }; +static const oidValDef smimeKxOptList[] = { + /* Key exchange */ + { CIPHER_NAME("RSA-PKCS"), SEC_OID_PKCS1_RSA_ENCRYPTION, NSS_USE_ALG_IN_SMIME_KX }, + { CIPHER_NAME("RSA-OAEP"), SEC_OID_PKCS1_RSA_OAEP_ENCRYPTION, NSS_USE_ALG_IN_SMIME_KX }, + { CIPHER_NAME("ECDH"), SEC_OID_ECDH_KEA, NSS_USE_ALG_IN_SMIME_KX }, + { CIPHER_NAME("DH"), SEC_OID_X942_DIFFIE_HELMAN_KEY, NSS_USE_ALG_IN_SMIME_KX }, +}; + static const oidValDef signOptList[] = { /* Signatures */ { CIPHER_NAME("DSA"), SEC_OID_ANSIX9_DSA_SIGNATURE, @@ -418,7 +472,8 @@ static const algListsDef algOptLists[] = { { hashOptList, PR_ARRAY_SIZE(hashOptList), "HASH", PR_FALSE }, { macOptList, PR_ARRAY_SIZE(macOptList), "MAC", PR_FALSE }, { cipherOptList, PR_ARRAY_SIZE(cipherOptList), "CIPHER", PR_FALSE }, - { kxOptList, PR_ARRAY_SIZE(kxOptList), "OTHER-KX", PR_FALSE }, + { kxOptList, PR_ARRAY_SIZE(kxOptList), "SSL-KX", PR_FALSE }, + { smimeKxOptList, PR_ARRAY_SIZE(smimeKxOptList), "SMIME-KX", PR_TRUE }, { signOptList, PR_ARRAY_SIZE(signOptList), "OTHER-SIGN", PR_FALSE }, }; @@ -441,6 +496,8 @@ static const optionFreeDef keySizeFlagsList[] = { { CIPHER_NAME("KEY-SIZE-SSL"), NSS_KEY_SIZE_POLICY_SSL_FLAG }, { CIPHER_NAME("KEY-SIZE-SIGN"), NSS_KEY_SIZE_POLICY_SIGN_FLAG }, { CIPHER_NAME("KEY-SIZE-VERIFY"), NSS_KEY_SIZE_POLICY_VERIFY_FLAG }, + { CIPHER_NAME("KEY-SIZE-SMIME"), NSS_KEY_SIZE_POLICY_SMIME_FLAG }, + { CIPHER_NAME("KEY-SIZE-ALL"), NSS_KEY_SIZE_POLICY_ALL_FLAGS }, }; static const optionFreeDef freeOptList[] = { @@ -464,21 +521,46 @@ static const policyFlagDef policyFlagList[] = { { CIPHER_NAME("SSL"), NSS_USE_ALG_IN_SSL }, { CIPHER_NAME("SSL-KEY-EXCHANGE"), NSS_USE_ALG_IN_SSL_KX }, /* add other key exhanges in the future */ - { CIPHER_NAME("KEY-EXCHANGE"), NSS_USE_ALG_IN_SSL_KX }, + { CIPHER_NAME("KEY-EXCHANGE"), NSS_USE_ALG_IN_KEY_EXCHANGE }, { CIPHER_NAME("CERT-SIGNATURE"), NSS_USE_ALG_IN_CERT_SIGNATURE }, - { CIPHER_NAME("CMS-SIGNATURE"), NSS_USE_ALG_IN_CMS_SIGNATURE }, + { CIPHER_NAME("CMS-SIGNATURE"), NSS_USE_ALG_IN_SMIME_SIGNATURE }, + { CIPHER_NAME("SMIME-SIGNATURE"), NSS_USE_ALG_IN_SMIME_SIGNATURE }, { CIPHER_NAME("ALL-SIGNATURE"), NSS_USE_ALG_IN_SIGNATURE }, + { CIPHER_NAME("PKCS12"), NSS_USE_ALG_IN_PKCS12 }, + /* only use in allow */ + { CIPHER_NAME("PKCS12-LEGACY"), NSS_USE_ALG_IN_PKCS12_DECRYPT }, + /* only use in disallow */ + { CIPHER_NAME("PKCS12-ENCRYPT"), NSS_USE_ALG_IN_PKCS12_ENCRYPT }, + { CIPHER_NAME("SMIME"), NSS_USE_ALG_IN_SMIME }, + /* only use in allow, enable */ + { CIPHER_NAME("SMIME-LEGACY"), NSS_USE_ALG_IN_SMIME_LEGACY }, + /* only use in disallow, disable */ + { CIPHER_NAME("SMIME-ENCRYPT"), NSS_USE_ALG_IN_SMIME_ENCRYPT }, + { CIPHER_NAME("SMIME-KEY-EXCHANGE"), NSS_USE_ALG_IN_SMIME_KX }, + /* only use in allow */ + { CIPHER_NAME("SMIME-KEY-EXCHANGE-LEGACY"), NSS_USE_ALG_IN_SMIME_KX_LEGACY }, + /* only use in disallow */ + { CIPHER_NAME("SMIME-KEY-EXCHANGE-ENCRYPT"), NSS_USE_ALG_IN_SMIME_KX_ENCRYPT }, /* sign turns off all signatures, but doesn't change the - * allowance for specific sigantures... for example: - * disallow=sha256/all allow=sha256/signature doesn't allow - * cert-sigantures, where disallow=sha256/all allow=sha256/all-signature - * does. - * however, disallow=sha356/signature and disallow=sha256/all-siganture are - * equivalent in effect */ + * allowance for specific signatures... for example: + * disallow=sha256/all allow=sha256/signature + * doesn't allow cert-signatures or sime-signatures, where + * disallow=sha256/all allow=sha256/all-signature + * does. however, + * disallow=sha256/signature + * and + * disallow=sha256/all-signature + * are equivalent in effect */ { CIPHER_NAME("SIGNATURE"), NSS_USE_ALG_IN_ANY_SIGNATURE }, + /* enable/allow algorithms for legacy (read/verify)operations */ + { CIPHER_NAME("LEGACY"), NSS_USE_ALG_IN_PKCS12_DECRYPT | + NSS_USE_ALG_IN_SMIME_LEGACY | + NSS_USE_ALG_IN_SMIME_KX_LEGACY }, /* enable/disable everything */ { CIPHER_NAME("ALL"), NSS_USE_ALG_IN_SSL | NSS_USE_ALG_IN_SSL_KX | - NSS_USE_ALG_IN_SIGNATURE }, + NSS_USE_ALG_IN_PKCS12 | NSS_USE_ALG_IN_SMIME | + NSS_USE_ALG_IN_SIGNATURE | + NSS_USE_ALG_IN_SMIME_KX }, { CIPHER_NAME("NONE"), 0 } }; @@ -560,6 +642,9 @@ secmod_getPolicyOptValue(const char *policyValue, int policyValueLength, *result = val; return SECSuccess; } + if (policyValueLength == 0) { + return SECFailure; + } /* handle any ssl strings */ for (i = 0; i < PR_ARRAY_SIZE(sslOptList); i++) { if (policyValueLength == sslOptList[i].name_size && @@ -572,7 +657,7 @@ secmod_getPolicyOptValue(const char *policyValue, int policyValueLength, /* handle key_size flags. Each flag represents a bit, which * gets or'd together. They can be separated by , | or + */ val = 0; - while (*policyValue) { + while (policyValueLength > 0) { PRBool found = PR_FALSE; for (i = 0; i < PR_ARRAY_SIZE(keySizeFlagsList); i++) { if (PORT_Strncasecmp(keySizeFlagsList[i].name, policyValue, @@ -580,6 +665,7 @@ secmod_getPolicyOptValue(const char *policyValue, int policyValueLength, val |= keySizeFlagsList[i].option; found = PR_TRUE; policyValue += keySizeFlagsList[i].name_size; + policyValueLength -= keySizeFlagsList[i].name_size; break; } } @@ -588,6 +674,7 @@ secmod_getPolicyOptValue(const char *policyValue, int policyValueLength, } if (*policyValue == ',' || *policyValue == '|' || *policyValue == '+') { policyValue++; + policyValueLength--; } } *result = val; @@ -607,6 +694,59 @@ typedef enum { NSS_ENABLE } NSSPolicyOperation; +/* Enable/Disable only apply to SSL cipher suites and S/MIME symetric algorithms. + * Enable/Disable is implemented by clearing the DEFAULT_NOT_VALID + * flag, then setting the NSS_USE_DEFAULT_SSL_ENABLE and + * NSS_USE_DEFAULT_SMIME_ENABLE flags to the correct value. The ssl + * policy code will then sort out what to set based on ciphers and + * cipher suite values and the smime policy code will sort + * out which ciphers to include in capabilities based on these values */ +static SECStatus +secmod_setDefault(SECOidTag oid, NSSPolicyOperation operation, + PRUint32 value) +{ + SECStatus rv = SECSuccess; + PRUint32 policy; + PRUint32 useDefault = 0; + PRUint32 set = 0; + /* we always clear the default not valid flag as this operation will + * make the defaults valid */ + PRUint32 clear = NSS_USE_DEFAULT_NOT_VALID; + + /* what values are we trying to change */ + /* if either SSL or SSL_KX is set, enable SSL */ + if (value & (NSS_USE_ALG_IN_SSL | NSS_USE_ALG_IN_SSL_KX)) { + useDefault |= NSS_USE_DEFAULT_SSL_ENABLE; + } + /* only bulk ciphers are configured as enable in S/MIME, only + * enable them if both SMIME bits are set */ + if ((value & NSS_USE_ALG_IN_SMIME) == NSS_USE_ALG_IN_SMIME) { + useDefault |= NSS_USE_DEFAULT_SMIME_ENABLE; + } + + /* on disable we clear, on enable we set */ + if (operation == NSS_DISABLE) { + clear |= useDefault; + } else { + /* we also turn the cipher on by policy if we enable it, + * so include the policy bits */ + set |= value | useDefault; + } + + /* if we haven't set the not valid flag yet, then we need to + * clear any of the other bits we aren't actually setting as well. + */ + rv = NSS_GetAlgorithmPolicy(oid, &policy); + if (rv != SECSuccess) { + return rv; + } + if (policy & NSS_USE_DEFAULT_NOT_VALID) { + clear |= ((NSS_USE_DEFAULT_SSL_ENABLE | NSS_USE_DEFAULT_SMIME_ENABLE) & + ~set); + } + return NSS_SetAlgorithmPolicy(oid, set, clear); +} + /* apply the operator specific policy */ SECStatus secmod_setPolicyOperation(SECOidTag oid, NSSPolicyOperation operation, @@ -622,25 +762,9 @@ secmod_setPolicyOperation(SECOidTag oid, NSSPolicyOperation operation, /* set the requested policy bits */ rv = NSS_SetAlgorithmPolicy(oid, value, 0); break; - /* enable/disable only apply to SSL cipher suites (future S/MIME). - * Enable/disable is implemented by clearing the DEFAULT_NOT_VALID - * flag, then setting the NSS_USE_DEFAULT_SSL_ENABLE flag to the - * correct value. The ssl policy code will then sort out what to - * set based on ciphers and cipher suite values.*/ case NSS_DISABLE: - if (value & (NSS_USE_ALG_IN_SSL | NSS_USE_ALG_IN_SSL_KX)) { - /* clear not valid and enable */ - rv = NSS_SetAlgorithmPolicy(oid, 0, - NSS_USE_DEFAULT_NOT_VALID | - NSS_USE_DEFAULT_SSL_ENABLE); - } - break; case NSS_ENABLE: - if (value & (NSS_USE_ALG_IN_SSL | NSS_USE_ALG_IN_SSL_KX)) { - /* set enable, clear not valid. NOTE: enable implies allow! */ - rv = NSS_SetAlgorithmPolicy(oid, value | NSS_USE_DEFAULT_SSL_ENABLE, - NSS_USE_DEFAULT_NOT_VALID); - } + rv = secmod_setDefault(oid, operation, value); break; default: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); @@ -819,7 +943,7 @@ secmod_sanityCheckCryptoPolicy(void) if ((algOpt->val & NSS_USE_ALG_IN_SSL_KX) && (value & NSS_USE_ALG_IN_SSL_KX)) { ++num_kx_enabled; anyEnabled = PR_TRUE; - fprintf(stderr, "NSS-POLICY-INFO: %s is enabled for KX\n", algOpt->name); + fprintf(stderr, "NSS-POLICY-INFO: %s is enabled for SSL-KX\n", algOpt->name); } if ((algOpt->val & NSS_USE_ALG_IN_SSL) && (value & NSS_USE_ALG_IN_SSL)) { ++num_ssl_enabled; diff --git a/nss/lib/pk11wrap/pk11pbe.c b/nss/lib/pk11wrap/pk11pbe.c index dfe4dee..99875c2 100644 --- a/nss/lib/pk11wrap/pk11pbe.c +++ b/nss/lib/pk11wrap/pk11pbe.c @@ -134,6 +134,37 @@ sec_pkcs5GetCryptoFromAlgTag(SECOidTag algorithm) } /* + * only gets the tag from PKCS5v1 or PKCS12pbe. + * PKCS5v2 requires the algid to get the full thing + */ +SECOidTag +SEC_PKCS5GetHashFromAlgTag(SECOidTag algtag) +{ + switch (algtag) { + case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC: + case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC: + case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC: + case SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC: + case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC: + case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC: + case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC: + case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC: + case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4: + case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4: + case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4: + case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4: + return SEC_OID_SHA1; + case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC: + return SEC_OID_MD5; + case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC: + return SEC_OID_MD2; + default: + break; + } + return SEC_OID_UNKNOWN; +} + +/* * get a new PKCS5 V2 Parameter from the algorithm id. * if arena is passed in, use it, otherwise create a new arena. */ @@ -181,6 +212,69 @@ sec_pkcs5_v2_destroy_v2_param(sec_pkcs5V2Parameter *param) /* maps crypto algorithm from PBE algorithm. */ SECOidTag +SEC_PKCS5GetHashAlgorithm(SECAlgorithmID *algid) +{ + + SECOidTag pbeAlg; + SECOidTag hashAlg = SEC_OID_UNKNOWN; + PLArenaPool *arena = NULL; + + if (algid == NULL) + return SEC_OID_UNKNOWN; + + pbeAlg = SECOID_GetAlgorithmTag(algid); + /* if we are using a PKCS 5v2 algorithm, get the hash from the parameters */ + if ((pbeAlg == SEC_OID_PKCS5_PBES2) || + (pbeAlg == SEC_OID_PKCS5_PBMAC1)) { + SEC_PKCS5PBEParameter p5_param; + sec_pkcs5V2Parameter *pbeV2_param; + SECOidTag kdfAlg; + SECStatus rv; + + arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE); + if (arena == NULL) { + goto loser; + } + + pbeV2_param = sec_pkcs5_v2_get_v2_param(arena, algid); + if (pbeV2_param == NULL) { + goto loser; + } + + kdfAlg = SECOID_GetAlgorithmTag(&pbeV2_param->pbeAlgId); + /* sanity check, they should all be PBKDF2 here */ + if (kdfAlg != SEC_OID_PKCS5_PBKDF2) { + goto loser; + } + + PORT_Memset(&p5_param, 0, sizeof(p5_param)); + rv = SEC_ASN1DecodeItem(arena, &p5_param, + SEC_PKCS5V2PBEParameterTemplate, + &pbeV2_param->pbeAlgId.parameters); + if (rv != SECSuccess) { + goto loser; + } + /* if the prf does not exist, it defaults to SHA1 */ + hashAlg = SEC_OID_SHA1; + if (p5_param.pPrfAlgId && + p5_param.pPrfAlgId->algorithm.data != 0) { + hashAlg = HASH_GetHashOidTagByHMACOidTag( + SECOID_GetAlgorithmTag(p5_param.pPrfAlgId)); + } + } else { + return SEC_PKCS5GetHashFromAlgTag(pbeAlg); + } +loser: + if (arena != NULL) { + PORT_FreeArena(arena, PR_FALSE); + } + + return hashAlg; +} + +/* maps crypto algorithm from PBE algorithm. + */ +SECOidTag SEC_PKCS5GetCryptoAlgorithm(SECAlgorithmID *algid) { @@ -207,6 +301,21 @@ SEC_PKCS5GetCryptoAlgorithm(SECAlgorithmID *algid) return cipherAlg; } +/* + * only gets the tag from PKCS5v1 or PKCS12pbe. + * PKCS5v2 requires the algid to get the full thing + */ +SECOidTag +SEC_PKCS5GetCryptoFromAlgTag(SECOidTag algtag) +{ + SECOidTag cipherAlg; + cipherAlg = sec_pkcs5GetCryptoFromAlgTag(algtag); + if (cipherAlg == SEC_OID_PKCS5_PBKDF2) { + return SEC_OID_UNKNOWN; + } + return cipherAlg; +} + /* check to see if an oid is a pbe algorithm */ PRBool @@ -782,7 +891,7 @@ pbe_PK11AlgidToParam(SECAlgorithmID *algid, SECItem *mech) unsigned char *pSalt = NULL; CK_ULONG iterations; int paramLen = 0; - int iv_len; + int iv_len = -1; arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE); if (arena == NULL) { diff --git a/nss/lib/pk11wrap/pk11priv.h b/nss/lib/pk11wrap/pk11priv.h index faf9ad2..a8e1b1d 100644 --- a/nss/lib/pk11wrap/pk11priv.h +++ b/nss/lib/pk11wrap/pk11priv.h @@ -37,7 +37,6 @@ SECStatus PK11_DeleteSlotFromList(PK11SlotList *list, PK11SlotListElement *le); PK11SlotListElement *PK11_FindSlotElement(PK11SlotList *list, PK11SlotInfo *slot); PK11SlotInfo *PK11_FindSlotBySerial(char *serial); -int PK11_GetMaxKeyLength(CK_MECHANISM_TYPE type); /************************************************************ * Generic Slot Management diff --git a/nss/lib/pk11wrap/pk11pub.h b/nss/lib/pk11wrap/pk11pub.h index b199b6e..a6a720d 100644 --- a/nss/lib/pk11wrap/pk11pub.h +++ b/nss/lib/pk11wrap/pk11pub.h @@ -241,6 +241,7 @@ int PK11_GetIVLength(CK_MECHANISM_TYPE type); SECItem *PK11_ParamFromIV(CK_MECHANISM_TYPE type, SECItem *iv); unsigned char *PK11_IVFromParam(CK_MECHANISM_TYPE type, SECItem *param, int *len); SECItem *PK11_BlockData(SECItem *data, unsigned long size); +int PK11_GetMaxKeyLength(CK_MECHANISM_TYPE type); /* PKCS #11 to DER mapping functions */ SECItem *PK11_ParamFromAlgid(SECAlgorithmID *algid); @@ -1023,6 +1024,24 @@ SECStatus PK11_WriteRawAttribute(PK11ObjectType type, void *object, CK_OBJECT_HANDLE PK11_GetObjectHandle(PK11ObjectType objType, void *objSpec, PK11SlotInfo **slotp); +/* PK11_ReadDistrustAfterAttribute reads either the + * CKA_NSS_SERVER_DISTRUST_AFTER or the CKA_NSS_EMAIL_DISTRUST_AFTER attribute + * from the specified object. The "CK_ATTRIBUTE_TYPE type" input must be one of + * these. If this function returns SECSuccess, then an attribute of the + * requested type was found and it was either: + * (1) a single zero byte (indicating no distrust after date), or + * (2) a valid 13 byte UTCTime. + * In case (1), the value *distrusted is set to PR_FALSE and the value *time + * is undefined. In case (2), the value *distrusted is set to PR_TRUE and the + * value *time is set by DER_UTCTimeToTime(). Neither *distrusted nor *time + * is defined if this function returns SECFailure. + */ +SECStatus PK11_ReadDistrustAfterAttribute(PK11SlotInfo *slot, + CK_OBJECT_HANDLE object, + CK_ATTRIBUTE_TYPE type, + /* out */ PRBool *distrusted, + /* out */ PRTime *time); + /* * PK11_GetAllSlotsForCert returns all the slots that a given certificate * exists on, since it's possible for a cert to exist on more than one diff --git a/nss/lib/pk11wrap/secpkcs5.h b/nss/lib/pk11wrap/secpkcs5.h index 5785676..38178be 100644 --- a/nss/lib/pk11wrap/secpkcs5.h +++ b/nss/lib/pk11wrap/secpkcs5.h @@ -35,6 +35,16 @@ SECItem * SEC_PKCS5GetIV(SECAlgorithmID *algid, SECItem *pwitem, PRBool faulty3DES); SECOidTag SEC_PKCS5GetCryptoAlgorithm(SECAlgorithmID *algid); +SECOidTag SEC_PKCS5GetHashAlgorithm(SECAlgorithmID *algid); + +/* the next 2 maps a PKCS #12 PBE or PKCS #5v1 PBE oid to it's encryption algorithm + * and hash algorithms. + * All other values map to SEC_OID_UNKNOWN. In most cases you want + * to use SEC_PKCS5GetCryptoAlgorithm() with a full SECAlgorithmID which + * can handle PKCS #5v2 */ +SECOidTag SEC_PKCS5GetCryptoFromAlgTag(SECOidTag algTag); +SECOidTag SEC_PKCS5GetHashFromAlgTag(SECOidTag algTag); + PRBool SEC_PKCS5IsAlgorithmPBEAlg(SECAlgorithmID *algid); PRBool SEC_PKCS5IsAlgorithmPBEAlgTag(SECOidTag algTag); SECOidTag SEC_PKCS5GetPBEAlgorithm(SECOidTag algTag, int keyLen); diff --git a/nss/lib/pkcs12/p12d.c b/nss/lib/pkcs12/p12d.c index 615b123..1596689 100644 --- a/nss/lib/pkcs12/p12d.c +++ b/nss/lib/pkcs12/p12d.c @@ -241,6 +241,7 @@ sec_pkcs12_decoder_decryption_allowed(SECAlgorithmID *algid, PRBool decryptionAllowed = SEC_PKCS12DecryptionAllowed(algid); if (!decryptionAllowed) { + PORT_SetError(SEC_ERROR_BAD_EXPORT_ALGORITHM); return PR_FALSE; } @@ -1325,17 +1326,14 @@ sec_pkcs12_decoder_verify_mac(SEC_PKCS12DecoderContext *p12dcx) { PK11Context *pk11cx = NULL; PK11SymKey *symKey = NULL; - SECItem *params = NULL; unsigned char *buf; SECStatus rv = SECFailure; SECStatus lrv; unsigned int bufLen; - int iteration; int bytesRead; - SECOidTag algtag; SECItem hmacRes; SECItem ignore = { 0 }; - CK_MECHANISM_TYPE integrityMech; + CK_MECHANISM_TYPE hmacMech; if (!p12dcx || p12dcx->error) { PORT_SetError(SEC_ERROR_INVALID_ARGS); @@ -1350,28 +1348,15 @@ sec_pkcs12_decoder_verify_mac(SEC_PKCS12DecoderContext *p12dcx) #endif /* generate hmac key */ - if (p12dcx->macData.iter.data) { - iteration = (int)DER_GetInteger(&p12dcx->macData.iter); - } else { - iteration = 1; - } - - params = PK11_CreatePBEParams(&p12dcx->macData.macSalt, p12dcx->pwitem, - iteration); - - algtag = SECOID_GetAlgorithmTag(&p12dcx->macData.safeMac.digestAlgorithm); - integrityMech = sec_pkcs12_algtag_to_keygen_mech(algtag); - if (integrityMech == CKM_INVALID_MECHANISM) { + symKey = sec_pkcs12_integrity_key(p12dcx->slot, &p12dcx->macData, + p12dcx->pwitem, &hmacMech, PR_TRUE, + p12dcx->wincx); + if (symKey == NULL) { goto loser; } - symKey = PK11_KeyGen(NULL, integrityMech, params, 0, NULL); - PK11_DestroyPBEParams(params); - params = NULL; - if (!symKey) - goto loser; + /* init hmac */ - pk11cx = PK11_CreateContextBySymKey(sec_pkcs12_algtag_to_mech(algtag), - CKA_SIGN, symKey, &ignore); + pk11cx = PK11_CreateContextBySymKey(hmacMech, CKA_SIGN, symKey, &ignore); if (!pk11cx) { goto loser; } @@ -1440,9 +1425,6 @@ loser: if (pk11cx) { PK11_DestroyContext(pk11cx, PR_TRUE); } - if (params) { - PK11_DestroyPBEParams(params); - } if (symKey) { PK11_FreeSymKey(symKey); } @@ -2471,6 +2453,12 @@ sec_pkcs12_add_key(sec_PKCS12SafeBag *key, SECKEYPublicKey *pubKey, &key->safeBagContent.pkcs8ShroudedKeyBag->algorithm; SECOidTag algorithm = SECOID_GetAlgorithmTag(algid); + if (!SEC_PKCS12DecryptionAllowed(algid)) { + key->error = SEC_ERROR_BAD_EXPORT_ALGORITHM; + key->problem = PR_TRUE; + return SECFailure; + } + if (forceUnicode) { if (SECITEM_CopyItem(NULL, &pwitem, key->pwitem) != SECSuccess) { key->error = SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY; diff --git a/nss/lib/pkcs12/p12e.c b/nss/lib/pkcs12/p12e.c index 2b86546..9ed3886 100644 --- a/nss/lib/pkcs12/p12e.c +++ b/nss/lib/pkcs12/p12e.c @@ -373,8 +373,7 @@ SEC_PKCS12CreatePasswordPrivSafe(SEC_PKCS12ExportContext *p12ctxt, sizeof(SEC_PKCS12SafeInfo)); if (!safeInfo) { PORT_SetError(SEC_ERROR_NO_MEMORY); - PORT_ArenaRelease(p12ctxt->arena, mark); - return NULL; + goto loser; } safeInfo->itemCount = 0; @@ -386,8 +385,19 @@ SEC_PKCS12CreatePasswordPrivSafe(SEC_PKCS12ExportContext *p12ctxt, * hash algorithm to set our password PRF. If we haven't set it, just * let the low level code pick it */ if (p12ctxt->integrityEnabled && p12ctxt->pwdIntegrity) { - prfAlg = HASH_GetHMACOidTagByHashOidTag( - p12ctxt->integrityInfo.pwdInfo.algorithm); + SECOidTag integrityAlg = p12ctxt->integrityInfo.pwdInfo.algorithm; + prfAlg = integrityAlg; + /* verify that integrityAlg is an HMAC */ + if (HASH_GetHashOidTagByHMACOidTag(integrityAlg) == SEC_OID_UNKNOWN) { + /* it's not, find the hmac */ + prfAlg = HASH_GetHMACOidTagByHashOidTag(integrityAlg); + /* if prfAlg is SEC_OID_UNKNOWN at this point we'll + * default to SEC_OID_HMAC_SHA1 in the low level pbe code. */ + } + } + if (!SEC_PKCS12CipherAllowed(privAlg, prfAlg)) { + PORT_SetError(SEC_ERROR_BAD_EXPORT_ALGORITHM); + goto loser; } safeInfo->cinfo = SEC_PKCS7CreateEncryptedDataWithPBEV2(SEC_OID_PKCS5_PBES2, privAlg, @@ -396,6 +406,10 @@ SEC_PKCS12CreatePasswordPrivSafe(SEC_PKCS12ExportContext *p12ctxt, p12ctxt->pwfn, p12ctxt->pwfnarg); } else { + if (!SEC_PKCS12CipherAllowed(privAlg, SEC_OID_UNKNOWN)) { + PORT_SetError(SEC_ERROR_BAD_EXPORT_ALGORITHM); + goto loser; + } safeInfo->cinfo = SEC_PKCS7CreateEncryptedData(privAlg, 0, p12ctxt->pwfn, p12ctxt->pwfnarg); } @@ -1233,8 +1247,20 @@ SEC_PKCS12AddKeyForCert(SEC_PKCS12ExportContext *p12ctxt, SEC_PKCS12SafeInfo *sa * hash algorithm to set our password PRF. If we haven't set it, just * let the low level code pick it */ if (p12ctxt->integrityEnabled && p12ctxt->pwdIntegrity) { - prfAlg = HASH_GetHMACOidTagByHashOidTag( - p12ctxt->integrityInfo.pwdInfo.algorithm); + SECOidTag integrityAlg = p12ctxt->integrityInfo.pwdInfo.algorithm; + prfAlg = integrityAlg; + /* verify that integrityAlg is an HMAC */ + if (HASH_GetHashOidTagByHMACOidTag(integrityAlg) == SEC_OID_UNKNOWN) { + /* it's not, find the hmac */ + prfAlg = HASH_GetHMACOidTagByHashOidTag(integrityAlg); + /* if prfAlg is SEC_OID_UNKNOWN at this point we'll + * default to SEC_OID_HMAC_SHA1 in the low level pbe code. */ + } + } + + if (!SEC_PKCS12CipherAllowed(algorithm, prfAlg)) { + PORT_SetError(SEC_ERROR_BAD_EXPORT_ALGORITHM); + goto loser; } /* we want to make sure to take the key out of the key slot */ @@ -1512,7 +1538,7 @@ sec_pkcs12_encoder_start_context(SEC_PKCS12ExportContext *p12exp) SECItem ignore = { 0 }; void *mark; SECItem *salt = NULL; - SECItem *params = NULL; + SECItem pwd = { siBuffer, NULL, 0 }; if (!p12exp || !p12exp->safeInfos) { return NULL; @@ -1577,10 +1603,11 @@ sec_pkcs12_encoder_start_context(SEC_PKCS12ExportContext *p12exp) /* init password pased integrity mode */ if (p12exp->integrityEnabled) { - SECItem pwd = { siBuffer, NULL, 0 }; PK11SymKey *symKey; - CK_MECHANISM_TYPE integrityMechType; CK_MECHANISM_TYPE hmacMechType; + SECOidTag hmacAlgTag; + SECOidTag hashAlgTag; + salt = sec_pkcs12_generate_salt(); /* zero out macData and set values */ @@ -1605,36 +1632,67 @@ sec_pkcs12_encoder_start_context(SEC_PKCS12ExportContext *p12exp) PR_TRUE, PR_TRUE)) { goto loser; } - /* - * This code only works with PKCS #12 Mac using PKCS #5 v1 - * PBA keygens. PKCS #5 v2 support will require a change to - * the PKCS #12 spec. - */ - params = PK11_CreatePBEParams(salt, &pwd, - NSS_PBE_DEFAULT_ITERATION_COUNT); - SECITEM_ZfreeItem(salt, PR_TRUE); - salt = NULL; - SECITEM_ZfreeItem(&pwd, PR_FALSE); - /* get the PBA Mechanism to generate the key */ - integrityMechType = sec_pkcs12_algtag_to_keygen_mech( - p12exp->integrityInfo.pwdInfo.algorithm); - if (integrityMechType == CKM_INVALID_MECHANISM) { + /* create the digest info */ + hmacAlgTag = p12exp->integrityInfo.pwdInfo.algorithm; + hashAlgTag = HASH_GetHashOidTagByHMACOidTag(hmacAlgTag); + if (hashAlgTag != SEC_OID_UNKNOWN) { + /* if the application asks for hmac explicitly, then use + * pkcs5v2 mac1 encoding */ + SECAlgorithmID *algID; + int keyLength; + + keyLength = HASH_ResultLenByOidTag(hashAlgTag); + if (keyLength == 0) { + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + return NULL; + } + /* create PB_MAC1 params */ + algID = PK11_CreatePBEV2AlgorithmID(SEC_OID_PKCS5_PBMAC1, + hmacAlgTag, + hmacAlgTag, keyLength, + NSS_PBE_DEFAULT_ITERATION_COUNT, + &p12enc->mac.macSalt); + if (algID == NULL) { + goto loser; + } + rv = SECOID_CopyAlgorithmID(p12enc->arena, + &p12enc->mac.safeMac.digestAlgorithm, + algID); + SECOID_DestroyAlgorithmID(algID, PR_TRUE); + if (rv != SECSuccess) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + goto loser; + } + } else if (HASH_GetHashTypeByOidTag(hmacAlgTag) != HASH_AlgNULL) { + /* encode the algid now for sec_pkcs12_integrity_key to use */ + /* this must be a valid hash function, SECOID_SetAlgorithmID + * knows to encode the hash algid with an explicit + * null parameter */ + rv = SECOID_SetAlgorithmID(p12enc->arena, + &p12enc->mac.safeMac.digestAlgorithm, + hmacAlgTag, NULL); + if (rv != SECSuccess) { + goto loser; + } + } else { + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); goto loser; } - /* generate the key */ - symKey = PK11_KeyGen(NULL, integrityMechType, params, 20, NULL); - PK11_DestroyPBEParams(params); + /* generate HMAC key */ + SECITEM_ZfreeItem(salt, PR_TRUE); + salt = NULL; + symKey = sec_pkcs12_integrity_key(p12exp->slot, &p12enc->mac, + &pwd, &hmacMechType, PR_FALSE, + p12exp->wincx); + SECITEM_ZfreeItem(&pwd, PR_FALSE); + if (!symKey) { goto loser; } /* initialize HMAC */ - /* Get the HMAC mechanism from the hash OID */ - hmacMechType = sec_pkcs12_algtag_to_mech( - p12exp->integrityInfo.pwdInfo.algorithm); - p12enc->hmacCx = PK11_CreateContextBySymKey(hmacMechType, CKA_SIGN, symKey, &ignore); @@ -1659,13 +1717,14 @@ sec_pkcs12_encoder_start_context(SEC_PKCS12ExportContext *p12exp) loser: sec_pkcs12_encoder_destroy_context(p12enc); - if (p12exp->arena != NULL) + if (p12exp->arena != NULL) { PORT_ArenaRelease(p12exp->arena, mark); + } if (salt) { SECITEM_ZfreeItem(salt, PR_TRUE); } - if (params) { - PK11_DestroyPBEParams(params); + if (pwd.data) { + SECITEM_ZfreeItem(&pwd, PR_FALSE); } return NULL; @@ -1879,18 +1938,10 @@ sec_Pkcs12FinishMac(sec_PKCS12EncoderContext *p12ecx) goto loser; } - /* create the digest info */ - di = SGN_CreateDigestInfo(p12ecx->p12exp->integrityInfo.pwdInfo.algorithm, - hmacData, hmacLen); - if (!di) { - PORT_SetError(SEC_ERROR_NO_MEMORY); - rv = SECFailure; - goto loser; - } - - rv = SGN_CopyDigestInfo(p12ecx->arena, &p12ecx->mac.safeMac, di); + /* finish the digest info, algorithm ID is already set */ + rv = SECITEM_MakeItem(p12ecx->arena, &p12ecx->mac.safeMac.digest, + hmacData, hmacLen); if (rv != SECSuccess) { - PORT_SetError(SEC_ERROR_NO_MEMORY); goto loser; } diff --git a/nss/lib/pkcs12/p12local.c b/nss/lib/pkcs12/p12local.c index f644486..98a54a6 100644 --- a/nss/lib/pkcs12/p12local.c +++ b/nss/lib/pkcs12/p12local.c @@ -14,6 +14,9 @@ #include "pk11func.h" #include "p12local.h" #include "p12.h" +#include "nsshash.h" +#include "secpkcs5.h" +#include "p12plcy.h" #define SALT_LENGTH 16 @@ -23,25 +26,8 @@ SEC_ASN1_MKSUB(sgn_DigestInfoTemplate) CK_MECHANISM_TYPE sec_pkcs12_algtag_to_mech(SECOidTag algtag) { - switch (algtag) { - case SEC_OID_MD2: - return CKM_MD2_HMAC; - case SEC_OID_MD5: - return CKM_MD5_HMAC; - case SEC_OID_SHA1: - return CKM_SHA_1_HMAC; - case SEC_OID_SHA224: - return CKM_SHA224_HMAC; - case SEC_OID_SHA256: - return CKM_SHA256_HMAC; - case SEC_OID_SHA384: - return CKM_SHA384_HMAC; - case SEC_OID_SHA512: - return CKM_SHA512_HMAC; - default: - break; - } - return CKM_INVALID_MECHANISM; + SECOidTag hmacAlg = HASH_GetHMACOidTagByHashOidTag(algtag); + return PK11_AlgtagToMechanism(hmacAlg); } CK_MECHANISM_TYPE @@ -75,6 +61,91 @@ sec_pkcs12_algtag_to_keygen_mech(SECOidTag algtag) return CKM_INVALID_MECHANISM; } +PK11SymKey * +sec_pkcs12_integrity_key(PK11SlotInfo *slot, sec_PKCS12MacData *macData, + SECItem *pwitem, CK_MECHANISM_TYPE *hmacMech, + PRBool isDecrypt, void *pwarg) +{ + int iteration; + CK_MECHANISM_TYPE integrityMech; + PK11SymKey *symKey = NULL; + SECItem *params = NULL; + SECAlgorithmID *prfAlgid = &macData->safeMac.digestAlgorithm; + SECOidTag algtag = SECOID_GetAlgorithmTag(prfAlgid); + + /* handle PBE v2 case */ + if (algtag == SEC_OID_PKCS5_PBMAC1) { + SECOidTag hmacAlg; + SECItem utf8Pw; + int keyLen; + + hmacAlg = SEC_PKCS5GetCryptoAlgorithm(prfAlgid); + /* make sure we are using an hmac */ + if (HASH_GetHashOidTagByHMACOidTag(hmacAlg) == SEC_OID_UNKNOWN) { + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + return NULL; + } + if (!SEC_PKCS12IntegrityHashAllowed(hmacAlg, isDecrypt)) { + PORT_SetError(SEC_ERROR_BAD_EXPORT_ALGORITHM); + return NULL; + } + /* make sure the length is valid, as well as decoding the length + * from prfAlgid, SEC_PKCS5GetLength does some + * fallbacks, which evenutally gets the max length of the key if + * the decode fails. All HMAC keys have a max length of 128 bytes + * in softoken, so if we get a keyLen of 128 we know we hit an error. */ + keyLen = SEC_PKCS5GetKeyLength(prfAlgid); + if ((keyLen == 0) || (keyLen == 128)) { + PORT_SetError(SEC_ERROR_BAD_DER); + return NULL; + } + *hmacMech = PK11_AlgtagToMechanism(hmacAlg); + /* pkcs12v2 hmac uses UTF8 rather than unicode */ + if (!sec_pkcs12_convert_item_to_unicode(NULL, &utf8Pw, pwitem, + PR_TRUE, PR_FALSE, PR_FALSE)) { + return NULL; + } + symKey = PK11_PBEKeyGen(slot, prfAlgid, &utf8Pw, PR_FALSE, pwarg); + SECITEM_ZfreeItem(&utf8Pw, PR_FALSE); + return symKey; + } + + /* handle Legacy case */ + if (!SEC_PKCS12IntegrityHashAllowed(algtag, isDecrypt)) { + PORT_SetError(SEC_ERROR_BAD_EXPORT_ALGORITHM); + return NULL; + } + integrityMech = sec_pkcs12_algtag_to_keygen_mech(algtag); + *hmacMech = sec_pkcs12_algtag_to_mech(algtag); + if (integrityMech == CKM_INVALID_MECHANISM) { + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + goto loser; + } + if (macData->iter.data) { + iteration = (int)DER_GetInteger(&macData->iter); + } else { + iteration = 1; + } + + params = PK11_CreatePBEParams(&macData->macSalt, pwitem, iteration); + if (params == NULL) { + goto loser; + } + + symKey = PK11_KeyGen(slot, integrityMech, params, 0, pwarg); + PK11_DestroyPBEParams(params); + params = NULL; + if (!symKey) + goto loser; + return symKey; + +loser: + if (params) { + PK11_DestroyPBEParams(params); + } + return NULL; +} + /* helper functions */ /* returns proper bag type template based upon object type tag */ const SEC_ASN1Template * diff --git a/nss/lib/pkcs12/p12local.h b/nss/lib/pkcs12/p12local.h index 99068e2..8207578 100644 --- a/nss/lib/pkcs12/p12local.h +++ b/nss/lib/pkcs12/p12local.h @@ -26,6 +26,12 @@ extern SECItem *sec_pkcs12_generate_key_from_password(SECOidTag algorithm, SECItem *salt, SECItem *password); extern SECItem *sec_pkcs12_generate_mac(SECItem *key, SECItem *msg, PRBool old_method); +PK11SymKey *sec_pkcs12_integrity_key(PK11SlotInfo *slot, + sec_PKCS12MacData *macData, + SECItem *pwitem, + CK_MECHANISM_TYPE *hmacMech, + PRBool isDecrypt, + void *pwarg); extern SGNDigestInfo *sec_pkcs12_compute_thumbprint(SECItem *der_cert); extern SECItem *sec_pkcs12_create_virtual_password(SECItem *password, SECItem *salt, PRBool swapUnicodeBytes); diff --git a/nss/lib/pkcs12/p12plcy.c b/nss/lib/pkcs12/p12plcy.c index 5c1754d..2b6bfda 100644 --- a/nss/lib/pkcs12/p12plcy.c +++ b/nss/lib/pkcs12/p12plcy.c @@ -7,6 +7,7 @@ #include "secport.h" #include "secpkcs5.h" #include "secerr.h" +#include "sechash.h" #define PKCS12_NULL 0x0000 @@ -34,7 +35,7 @@ static pkcs12SuiteMap pkcs12SuiteMaps[] = { /* determine if algid is an algorithm which is allowed */ static PRBool -sec_PKCS12Allowed(SECOidTag alg) +sec_PKCS12Allowed(SECOidTag alg, PRUint32 needed) { PRUint32 policy; SECStatus rv; @@ -43,22 +44,59 @@ sec_PKCS12Allowed(SECOidTag alg) if (rv != SECSuccess) { return PR_FALSE; } - if (policy & NSS_USE_ALG_IN_PKCS12) { + if ((policy & needed) == needed) { return PR_TRUE; } return PR_FALSE; } PRBool +SEC_PKCS12CipherAllowed(SECOidTag pbeAlg, SECOidTag hmacAlg) +{ + SECOidTag cipherAlg = SEC_PKCS5GetCryptoFromAlgTag(pbeAlg); + SECOidTag hashAlg = SEC_PKCS5GetHashFromAlgTag(pbeAlg); + if (cipherAlg == SEC_OID_UNKNOWN) { + /* not a traditional PBE (PKCS5v1 or PKCS12) + * Our PKCS #12 code accepts ciphers algs here + * which get turned into PKCS 5v2 algids. In + * this case we already have the cipher alg */ + cipherAlg = pbeAlg; + hashAlg = HASH_GetHashOidTagByHMACOidTag(hmacAlg); + } + if ((cipherAlg == SEC_OID_UNKNOWN) || (hashAlg == SEC_OID_UNKNOWN)) { + return PR_FALSE; + } + if (!sec_PKCS12Allowed(cipherAlg, NSS_USE_ALG_IN_PKCS12)) { + return PR_FALSE; + } + return sec_PKCS12Allowed(hashAlg, NSS_USE_ALG_IN_PKCS12); +} + +PRBool SEC_PKCS12DecryptionAllowed(SECAlgorithmID *algid) { - SECOidTag algId; + SECOidTag algtag; - algId = SEC_PKCS5GetCryptoAlgorithm(algid); - if (algId == SEC_OID_UNKNOWN) { + algtag = SEC_PKCS5GetCryptoAlgorithm(algid); + if (algtag == SEC_OID_UNKNOWN) { return PR_FALSE; } - return sec_PKCS12Allowed(algId); + + if (!sec_PKCS12Allowed(algtag, NSS_USE_ALG_IN_PKCS12_DECRYPT)) { + return PR_FALSE; + } + + algtag = SEC_PKCS5GetHashAlgorithm(algid); + if (algtag == SEC_OID_UNKNOWN) { + return PR_FALSE; + } + return sec_PKCS12Allowed(algtag, NSS_USE_ALG_IN_PKCS12_DECRYPT); +} + +PRBool +SEC_PKCS12IntegrityHashAllowed(SECOidTag hashAlg, PRBool verify) +{ + return sec_PKCS12Allowed(hashAlg, verify ? NSS_USE_ALG_IN_PKCS12_DECRYPT : NSS_USE_ALG_IN_PKCS12); } /* is any encryption allowed? */ @@ -70,7 +108,7 @@ SEC_PKCS12IsEncryptionAllowed(void) for (i = 0; pkcs12SuiteMaps[i].algTag != SEC_OID_UNKNOWN; i++) { /* we're going to return true here if any of the traditional * algorithms are enabled */ - if (sec_PKCS12Allowed(pkcs12SuiteMaps[i].algTag)) { + if (sec_PKCS12Allowed(pkcs12SuiteMaps[i].algTag, NSS_USE_ALG_IN_PKCS12)) { return PR_TRUE; } } diff --git a/nss/lib/pkcs12/p12plcy.h b/nss/lib/pkcs12/p12plcy.h index d3f818d..063d80d 100644 --- a/nss/lib/pkcs12/p12plcy.h +++ b/nss/lib/pkcs12/p12plcy.h @@ -9,9 +9,22 @@ SEC_BEGIN_PROTOS -/* for the algid specified, can we decrypt it ? */ +/* is this encryption algorithm allowed in PKCS #12 by policy? */ +/* pbeAlg is either a full PBE for pkcsv5v1 and pkcs12pbe; or + * a cipher alg for pkcs5v2, + * hmacAlg is an HMAC algorith. Must be included for pkcs5v2 + * and is ignored if pbeAlg is pkcs5v2 or pkcs12pbe */ +extern PRBool SEC_PKCS12CipherAllowed(SECOidTag pbeAlg, SECOidTag hmacAlg); + +/* for the algid specified, can we decrypt it ? + * both encryption and hash used in the hmac must be enabled. + * legacy/decrypt is sufficient */ extern PRBool SEC_PKCS12DecryptionAllowed(SECAlgorithmID *algid); +/* for integrity, we mark if we are signing or verifying in the call. Oid + * is the hash oid */ +extern PRBool SEC_PKCS12IntegrityHashAllowed(SECOidTag hashAlg, PRBool verify); + /* is encryption allowed? */ extern PRBool SEC_PKCS12IsEncryptionAllowed(void); diff --git a/nss/lib/smime/cmsdigest.c b/nss/lib/smime/cmsdigest.c index 1eb88f0..a59fd77 100644 --- a/nss/lib/smime/cmsdigest.c +++ b/nss/lib/smime/cmsdigest.c @@ -15,6 +15,7 @@ #include "pk11func.h" #include "prtime.h" #include "secerr.h" +#include "smime.h" /* #define CMS_FIND_LEAK_MULTIPLE 1 */ #ifdef CMS_FIND_LEAK_MULTIPLE @@ -79,6 +80,9 @@ NSS_CMSDigestContext_StartMultiple(SECAlgorithmID **digestalgs) const SECHashObject *digobj; void *digcx; + if (!NSS_SMIMEUtil_SigningAllowed(digestalgs[i])) { + goto loser; + } digobj = NSS_CMSUtil_GetHashObjByAlgID(digestalgs[i]); /* * Skip any algorithm we do not even recognize; obviously, @@ -104,7 +108,16 @@ NSS_CMSDigestContext_StartMultiple(SECAlgorithmID **digestalgs) return cmsdigcx; loser: - /* no digest objects have been created, or need to be destroyed. */ + /* free any earlier digest objects that may have bee allocated. */ + for (i = 0; i < digcnt; i++) { + digestPair *pair = &cmsdigcx->digPairs[i]; + if (pair->digobj) { + (*pair->digobj->destroy)(pair->digcx, PR_TRUE); +#ifdef CMS_FIND_LEAK_MULTIPLE + --global_num_digests; +#endif + } + } if (pool) { PORT_FreeArena(pool, PR_FALSE); } diff --git a/nss/lib/smime/cmsencdata.c b/nss/lib/smime/cmsencdata.c index f2a2746..f407b4d 100644 --- a/nss/lib/smime/cmsencdata.c +++ b/nss/lib/smime/cmsencdata.c @@ -16,6 +16,7 @@ #include "prtime.h" #include "secerr.h" #include "secpkcs5.h" +#include "smime.h" /* * NSS_CMSEncryptedData_Create - create an empty encryptedData object. @@ -117,6 +118,7 @@ NSS_CMSEncryptedData_Encode_BeforeStart(NSSCMSEncryptedData *encd) PK11SymKey *bulkkey = NULL; SECItem *dummy; NSSCMSContentInfo *cinfo = &(encd->contentInfo); + SECAlgorithmID *algid = NULL; if (NSS_CMSArray_IsEmpty((void **)encd->unprotectedAttr)) version = NSS_CMS_ENCRYPTED_DATA_VERSION; @@ -128,10 +130,11 @@ NSS_CMSEncryptedData_Encode_BeforeStart(NSSCMSEncryptedData *encd) return SECFailure; /* now get content encryption key (bulk key) by using our cmsg callback */ - if (encd->cmsg->decrypt_key_cb) - bulkkey = (*encd->cmsg->decrypt_key_cb)(encd->cmsg->decrypt_key_cb_arg, - NSS_CMSContentInfo_GetContentEncAlg(cinfo)); - if (bulkkey == NULL) + if (encd->cmsg->decrypt_key_cb) { + algid = NSS_CMSContentInfo_GetContentEncAlg(cinfo); + bulkkey = (*encd->cmsg->decrypt_key_cb)(encd->cmsg->decrypt_key_cb_arg, algid); + } + if ((bulkkey == NULL) || (algid == NULL)) return SECFailure; /* store the bulk key in the contentInfo so that the encoder can find it */ @@ -148,34 +151,47 @@ SECStatus NSS_CMSEncryptedData_Encode_BeforeData(NSSCMSEncryptedData *encd) { NSSCMSContentInfo *cinfo; - PK11SymKey *bulkkey; + PK11SymKey *bulkkey = NULL; SECAlgorithmID *algid; - SECStatus rv; + SECStatus rv = SECFailure; cinfo = &(encd->contentInfo); /* find bulkkey and algorithm - must have been set by NSS_CMSEncryptedData_Encode_BeforeStart */ bulkkey = NSS_CMSContentInfo_GetBulkKey(cinfo); - if (bulkkey == NULL) - return SECFailure; + if (bulkkey == NULL) { + goto loser; + } + algid = NSS_CMSContentInfo_GetContentEncAlg(cinfo); - if (algid == NULL) - return SECFailure; + if (algid == NULL) { + goto loser; + } rv = NSS_CMSContentInfo_Private_Init(cinfo); if (rv != SECSuccess) { - return SECFailure; + goto loser; + } + + if (!NSS_SMIMEUtil_EncryptionAllowed(algid, bulkkey)) { + goto loser; } + /* this may modify algid (with IVs generated in a token). * it is therefore essential that algid is a pointer to the "real" contentEncAlg, * not just to a copy */ cinfo->privateInfo->ciphcx = NSS_CMSCipherContext_StartEncrypt(encd->cmsg->poolp, bulkkey, algid); - PK11_FreeSymKey(bulkkey); if (cinfo->privateInfo->ciphcx == NULL) - return SECFailure; + goto loser; - return SECSuccess; + rv = SECSuccess; + +loser: + if (bulkkey) { + PK11_FreeSymKey(bulkkey); + } + return rv; } /* @@ -224,16 +240,19 @@ NSS_CMSEncryptedData_Decode_BeforeData(NSSCMSEncryptedData *encd) } rv = SECFailure; + if (!NSS_SMIMEUtil_DecryptionAllowed(bulkalg, bulkkey)) { + goto loser; + } + cinfo->privateInfo->ciphcx = NSS_CMSCipherContext_StartDecrypt(bulkkey, bulkalg); if (cinfo->privateInfo->ciphcx == NULL) goto loser; /* error has been set by NSS_CMSCipherContext_StartDecrypt */ - - /* we are done with (this) bulkkey now. */ - PK11_FreeSymKey(bulkkey); - rv = SECSuccess; loser: + if (bulkkey) { + PK11_FreeSymKey(bulkkey); + } return rv; } diff --git a/nss/lib/smime/cmspubkey.c b/nss/lib/smime/cmspubkey.c index 0c494c3..5ff8306 100644 --- a/nss/lib/smime/cmspubkey.c +++ b/nss/lib/smime/cmspubkey.c @@ -17,6 +17,7 @@ #include "secerr.h" #include "secder.h" #include "prerr.h" +#include "sechash.h" /* ====== RSA ======================================================================= */ @@ -154,7 +155,7 @@ NSS_CMSUtil_DecryptSymKey_RSA_OAEP(SECKEYPrivateKey *privkey, SECItem *parameter CK_RSA_PKCS_OAEP_PARAMS oaep_params; RSA_OAEP_CMS_params encoded_params; SECAlgorithmID mgf1hashAlg; - SECOidTag mgfAlgtag, mgf1hashAlgtag, pSourcetag; + SECOidTag mgfAlgtag, pSourcetag; SECItem encoding_params, params; PK11SymKey *bulkkey = NULL; SECStatus rv; @@ -181,6 +182,7 @@ NSS_CMSUtil_DecryptSymKey_RSA_OAEP(SECKEYPrivateKey *privkey, SECItem *parameter if (parameters->len == 2) { /* For some reason SEC_ASN1DecodeItem cannot process parameters if it is an emtpy SEQUENCE */ /* Just check that this is a properly encoded empty SEQUENCE */ + /* TODO: Investigate if there a better way to handle this as part of decoding. */ if ((parameters->data[0] != 0x30) || (parameters->data[1] != 0)) { return NULL; } @@ -206,38 +208,9 @@ NSS_CMSUtil_DecryptSymKey_RSA_OAEP(SECKEYPrivateKey *privkey, SECItem *parameter if (rv != SECSuccess) { goto loser; } - mgf1hashAlgtag = SECOID_GetAlgorithmTag(&mgf1hashAlg); - switch (mgf1hashAlgtag) { - case SEC_OID_SHA1: - oaep_params.mgf = CKG_MGF1_SHA1; - break; - case SEC_OID_SHA224: - oaep_params.mgf = CKG_MGF1_SHA224; - break; - case SEC_OID_SHA256: - oaep_params.mgf = CKG_MGF1_SHA256; - break; - case SEC_OID_SHA384: - oaep_params.mgf = CKG_MGF1_SHA384; - break; - case SEC_OID_SHA512: - oaep_params.mgf = CKG_MGF1_SHA512; - break; - case SEC_OID_SHA3_224: - oaep_params.mgf = CKG_MGF1_SHA3_224; - break; - case SEC_OID_SHA3_256: - oaep_params.mgf = CKG_MGF1_SHA3_256; - break; - case SEC_OID_SHA3_384: - oaep_params.mgf = CKG_MGF1_SHA3_384; - break; - case SEC_OID_SHA3_512: - oaep_params.mgf = CKG_MGF1_SHA3_512; - break; - default: - goto loser; - break; + oaep_params.mgf = SEC_GetMgfTypeByOidTag(SECOID_GetAlgorithmTag(&mgf1hashAlg)); + if (!oaep_params.mgf) { + goto loser; } } if (encoded_params.pSourceFunc != NULL) { diff --git a/nss/lib/smime/cmsrecinfo.c b/nss/lib/smime/cmsrecinfo.c index e3b383b..ab3b80e 100644 --- a/nss/lib/smime/cmsrecinfo.c +++ b/nss/lib/smime/cmsrecinfo.c @@ -15,6 +15,7 @@ #include "secoid.h" #include "pk11func.h" #include "secerr.h" +#include "smime.h" PRBool nss_cmsrecipientinfo_usessubjectkeyid(NSSCMSRecipientInfo *ri) @@ -477,6 +478,11 @@ NSS_CMSRecipientInfo_WrapBulkKey(NSSCMSRecipientInfo *ri, PK11SymKey *bulkkey, /* or should we look if it's been set already ? */ certalgtag = SECOID_GetAlgorithmTag(&spki->algorithm); + if (!NSS_SMIMEUtil_KeyEncodingAllowed(&spki->algorithm, cert, extra ? extra->pubKey : NULL)) { + PORT_SetError(SEC_ERROR_BAD_EXPORT_ALGORITHM); + rv = SECFailure; + goto loser; + } switch (certalgtag) { case SEC_OID_PKCS1_RSA_ENCRYPTION: /* wrap the symkey */ @@ -543,6 +549,7 @@ NSS_CMSRecipientInfo_WrapBulkKey(NSSCMSRecipientInfo *ri, PK11SymKey *bulkkey, PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); rv = SECFailure; } +loser: if (freeSpki) SECKEY_DestroySubjectPublicKeyInfo(freeSpki); @@ -554,9 +561,10 @@ NSS_CMSRecipientInfo_UnwrapBulkKey(NSSCMSRecipientInfo *ri, int subIndex, CERTCertificate *cert, SECKEYPrivateKey *privkey, SECOidTag bulkalgtag) { PK11SymKey *bulkkey = NULL; + SECAlgorithmID *algid; SECOidTag encalgtag; - SECItem *enckey, *ukm, *parameters; - NSSCMSOriginatorIdentifierOrKey *oiok; + SECItem *enckey = NULL, *ukm = NULL, *parameters = NULL; + NSSCMSOriginatorIdentifierOrKey *oiok = NULL; int error; void *wincx = NULL; @@ -565,62 +573,76 @@ NSS_CMSRecipientInfo_UnwrapBulkKey(NSSCMSRecipientInfo *ri, int subIndex, switch (ri->recipientInfoType) { case NSSCMSRecipientInfoID_KeyTrans: - encalgtag = SECOID_GetAlgorithmTag(&(ri->ri.keyTransRecipientInfo.keyEncAlg)); + algid = &(ri->ri.keyTransRecipientInfo.keyEncAlg); + parameters = &(ri->ri.keyTransRecipientInfo.keyEncAlg.parameters); enckey = &(ri->ri.keyTransRecipientInfo.encKey); /* ignore subIndex */ - switch (encalgtag) { - case SEC_OID_PKCS1_RSA_ENCRYPTION: - /* RSA encryption algorithm: */ - /* get the symmetric (bulk) key by unwrapping it using our private key */ - bulkkey = NSS_CMSUtil_DecryptSymKey_RSA(privkey, enckey, bulkalgtag); - break; - case SEC_OID_PKCS1_RSA_OAEP_ENCRYPTION: - /* RSA OAEP encryption algorithm: */ - /* get the symmetric (bulk) key by unwrapping it using our private key */ - parameters = &(ri->ri.keyTransRecipientInfo.keyEncAlg.parameters); - bulkkey = NSS_CMSUtil_DecryptSymKey_RSA_OAEP(privkey, parameters, enckey, bulkalgtag); - break; - default: - error = SEC_ERROR_UNSUPPORTED_KEYALG; - goto loser; - } break; case NSSCMSRecipientInfoID_KeyAgree: - encalgtag = SECOID_GetAlgorithmTag(&(ri->ri.keyAgreeRecipientInfo.keyEncAlg)); + algid = &(ri->ri.keyAgreeRecipientInfo.keyEncAlg); + parameters = &(ri->ri.keyAgreeRecipientInfo.keyEncAlg.parameters); enckey = &(ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys[subIndex]->encKey); oiok = &(ri->ri.keyAgreeRecipientInfo.originatorIdentifierOrKey); ukm = &(ri->ri.keyAgreeRecipientInfo.ukm); - switch (encalgtag) { - case SEC_OID_DHSINGLEPASS_STDDH_SHA1KDF_SCHEME: - case SEC_OID_DHSINGLEPASS_STDDH_SHA224KDF_SCHEME: - case SEC_OID_DHSINGLEPASS_STDDH_SHA256KDF_SCHEME: - case SEC_OID_DHSINGLEPASS_STDDH_SHA384KDF_SCHEME: - case SEC_OID_DHSINGLEPASS_STDDH_SHA512KDF_SCHEME: - case SEC_OID_DHSINGLEPASS_COFACTORDH_SHA1KDF_SCHEME: - case SEC_OID_DHSINGLEPASS_COFACTORDH_SHA224KDF_SCHEME: - case SEC_OID_DHSINGLEPASS_COFACTORDH_SHA256KDF_SCHEME: - case SEC_OID_DHSINGLEPASS_COFACTORDH_SHA384KDF_SCHEME: - case SEC_OID_DHSINGLEPASS_COFACTORDH_SHA512KDF_SCHEME: - if (ri->cmsg) { - wincx = ri->cmsg->pwfn_arg; - } - bulkkey = NSS_CMSUtil_DecryptSymKey_ECDH(privkey, enckey, - &(ri->ri.keyAgreeRecipientInfo.keyEncAlg), - bulkalgtag, ukm, oiok, wincx); - break; - - default: - error = SEC_ERROR_UNSUPPORTED_KEYALG; - goto loser; - } break; case NSSCMSRecipientInfoID_KEK: - encalgtag = SECOID_GetAlgorithmTag(&(ri->ri.kekRecipientInfo.keyEncAlg)); + algid = &(ri->ri.kekRecipientInfo.keyEncAlg); + parameters = &(ri->ri.kekRecipientInfo.keyEncAlg.parameters); enckey = &(ri->ri.kekRecipientInfo.encKey); /* not supported yet */ + default: error = SEC_ERROR_UNSUPPORTED_KEYALG; goto loser; break; } + if (!NSS_SMIMEUtil_KeyDecodingAllowed(algid, privkey)) { + error = SEC_ERROR_BAD_EXPORT_ALGORITHM; + goto loser; + } + encalgtag = SECOID_GetAlgorithmTag(algid); + switch (encalgtag) { + case SEC_OID_PKCS1_RSA_ENCRYPTION: + /* RSA encryption algorithm: */ + if (ri->recipientInfoType != NSSCMSRecipientInfoID_KeyTrans) { + error = SEC_ERROR_UNSUPPORTED_KEYALG; + goto loser; + } + /* get the symmetric (bulk) key by unwrapping it using our private key */ + bulkkey = NSS_CMSUtil_DecryptSymKey_RSA(privkey, enckey, bulkalgtag); + break; + case SEC_OID_PKCS1_RSA_OAEP_ENCRYPTION: + /* RSA OAEP encryption algorithm: */ + if (ri->recipientInfoType != NSSCMSRecipientInfoID_KeyTrans) { + error = SEC_ERROR_UNSUPPORTED_KEYALG; + goto loser; + } + /* get the symmetric (bulk) key by unwrapping it using our private key */ + bulkkey = NSS_CMSUtil_DecryptSymKey_RSA_OAEP(privkey, parameters, enckey, + bulkalgtag); + break; + case SEC_OID_DHSINGLEPASS_STDDH_SHA1KDF_SCHEME: + case SEC_OID_DHSINGLEPASS_STDDH_SHA224KDF_SCHEME: + case SEC_OID_DHSINGLEPASS_STDDH_SHA256KDF_SCHEME: + case SEC_OID_DHSINGLEPASS_STDDH_SHA384KDF_SCHEME: + case SEC_OID_DHSINGLEPASS_STDDH_SHA512KDF_SCHEME: + case SEC_OID_DHSINGLEPASS_COFACTORDH_SHA1KDF_SCHEME: + case SEC_OID_DHSINGLEPASS_COFACTORDH_SHA224KDF_SCHEME: + case SEC_OID_DHSINGLEPASS_COFACTORDH_SHA256KDF_SCHEME: + case SEC_OID_DHSINGLEPASS_COFACTORDH_SHA384KDF_SCHEME: + case SEC_OID_DHSINGLEPASS_COFACTORDH_SHA512KDF_SCHEME: + if (ri->recipientInfoType != NSSCMSRecipientInfoID_KeyAgree) { + error = SEC_ERROR_UNSUPPORTED_KEYALG; + goto loser; + } + if (ri->cmsg) { + wincx = ri->cmsg->pwfn_arg; + } + bulkkey = NSS_CMSUtil_DecryptSymKey_ECDH(privkey, enckey, algid, + bulkalgtag, ukm, oiok, wincx); + break; + default: + error = SEC_ERROR_UNSUPPORTED_KEYALG; + goto loser; + } /* XXXX continue here */ return bulkkey; diff --git a/nss/lib/smime/cmssiginfo.c b/nss/lib/smime/cmssiginfo.c index ed966f8..f7c27b9 100644 --- a/nss/lib/smime/cmssiginfo.c +++ b/nss/lib/smime/cmssiginfo.c @@ -222,6 +222,11 @@ NSS_CMSSignerInfo_Sign(NSSCMSSignerInfo *signerinfo, SECItem *digest, cmsSignAlgTag, NULL) != SECSuccess) goto loser; + if (!NSS_SMIMEUtil_SigningAllowed(&signerinfo->digestEncAlg)) { + PORT_SetError(SEC_ERROR_BAD_EXPORT_ALGORITHM); + goto loser; + } + if (signerinfo->authAttr != NULL) { SECItem encoded_attrs; @@ -378,6 +383,10 @@ NSS_CMSSignerInfo_Verify(NSSCMSSignerInfo *signerinfo, vs = NSSCMSVS_SignatureAlgorithmUnknown; goto loser; } + if (!NSS_SMIMEUtil_SigningAllowed(&signerinfo->digestEncAlg)) { + vs = NSSCMSVS_SignatureAlgorithmUnsupported; + goto loser; + } if (!NSS_CMSArray_IsEmpty((void **)signerinfo->authAttr)) { if (contentType) { diff --git a/nss/lib/smime/smime.def b/nss/lib/smime/smime.def index d5cff92..b522aaf 100644 --- a/nss/lib/smime/smime.def +++ b/nss/lib/smime/smime.def @@ -297,3 +297,10 @@ NSS_CMSRecipient_IsSupported; ;+ local: ;+ *; ;+}; +;+NSS_3.101 { # NSS 3.101 release +;+ global: +SEC_PKCS12CipherAllowed; +SEC_PKCS12IntegrityHashAllowed; +;+ local: +;+ *; +;+}; diff --git a/nss/lib/smime/smime.h b/nss/lib/smime/smime.h index e534ef0..23b0870 100644 --- a/nss/lib/smime/smime.h +++ b/nss/lib/smime/smime.h @@ -24,13 +24,18 @@ SEC_BEGIN_PROTOS * the preferences are being reset, and the old preferences are * discarded. * - * XXX This is for a particular user, and right now the storage is - * XXX local, static. The preference should be stored elsewhere to allow - * XXX for multiple uses of one library? How does SSL handle this; - * XXX it has something similar? + * This is for a particular user, and right now the storage is + * local, static. SSL uses the same technique, but keeps a copy in + * the ssl session, which can be changed to affect that particular + * ssl session. SSL also allows model sessions, which can be used + * to clone SSL configuration information to child sessions. A future + * version of this function could take a S/MIME content structure and + * affect only the given S/MIME operation. This function would still + * affect the default values. * - * - The "which" values are defined in ciferfam.h (the SMIME_* values, - * for example SMIME_DES_CBC_56). + * - The "which" still understands values which are defined in + * ciferfam.h (the SMIME_* values, for example SMIME_DES_CBC_56), + * but the preferred usage is to handle values based on algtags. * - If "on" is non-zero then the named cipher is enabled, otherwise * it is disabled. (It is not necessary to call the function for * ciphers that are disabled, however, as that is the default.) @@ -45,15 +50,20 @@ SEC_BEGIN_PROTOS extern SECStatus NSS_SMIMEUtil_EnableCipher(long which, int on); /* + * returns the current state of a particulare encryption algorithm + */ +PRBool NSS_SMIMEUtil_EncryptionEnabled(int which); + +/* * Initialize the local recording of the S/MIME policy. - * This function is called to allow/disallow a particular cipher. + * This function is called to allow/disallow a particular cipher by + * policy. It uses the underlying NSS policy system. This can be used + * to allow new algorithms that can then be turned by + * NSS_SMIMEUtil_EnableCipher. * - * XXX This is for the current module, I think, so local, static storage - * XXX is okay. Is that correct, or could multiple uses of the same - * XXX library expect to operate under different policies? - * - * - The "which" values are defined in ciferfam.h (the SMIME_* values, - * for example SMIME_DES_CBC_56). + * - The "which" still understands values which are defined in + * ciferfam.h (the SMIME_* values, for example SMIME_DES_CBC_56), + * but the preferred usage is to handle values based on algtags. * - If "on" is non-zero then the named cipher is enabled, otherwise * it is disabled. */ @@ -66,6 +76,12 @@ extern SECStatus NSS_SMIMEUtils_AllowCipher(long which, int on); extern PRBool NSS_SMIMEUtil_DecryptionAllowed(SECAlgorithmID *algid, PK11SymKey *key); /* + * Does the current policy allow S/MIME encryption of this particular + * algorithm and key size? + */ +extern PRBool NSS_SMIMEUtil_EncryptionAllowed(SECAlgorithmID *algid, PK11SymKey *key); + +/* * Does the current policy allow *any* S/MIME encryption (or decryption)? * * This tells whether or not *any* S/MIME encryption can be done, @@ -86,6 +102,46 @@ extern PRBool NSS_SMIMEUtil_DecryptionAllowed(SECAlgorithmID *algid, PK11SymKey extern PRBool NSS_SMIMEUtil_EncryptionPossible(void); /* + * Does the current policy allow S/MIME signing with this particular + * algorithm? + */ +extern PRBool NSS_SMIMEUtil_SigningAllowed(SECAlgorithmID *algid); + +/* + * Does the current policy allow S/MIME Key exchange (encrypt) of this particular + * algorithm and keysize? + */ +extern PRBool NSS_SMIMEUtil_KeyEncodingAllowed(SECAlgorithmID *algtag, + CERTCertificate *cert, SECKEYPublicKey *key); + +/* + * Does the current policy allow S/MIME Key exchange (decrypt) of this particular + * algorithm and keysize? + */ +extern PRBool NSS_SMIMEUtil_KeyDecodingAllowed(SECAlgorithmID *algtag, + SECKEYPrivateKey *key); + +/* + * NSS_SMIME_EncryptionPossible - check if any encryption is allowed + * + * This tells whether or not *any* S/MIME encryption can be done, + * according to policy. Callers may use this to do nicer user interface + * (say, greying out a checkbox so a user does not even try to encrypt + * a message when they are not allowed to) or for any reason they want + * to check whether S/MIME encryption (or decryption, for that matter) + * may be done. + * + * It takes no arguments. The return value is a simple boolean: + * PR_TRUE means encryption (or decryption) is *possible* + * (but may still fail due to other reasons, like because we cannot + * find all the necessary certs, etc.; PR_TRUE is *not* a guarantee) + * PR_FALSE means encryption (or decryption) is not permitted + * + * There are no errors from this routine. + */ +extern PRBool NSS_SMIMEUtil_EncryptionPossible(void); + +/* * NSS_SMIMEUtil_CreateSMIMECapabilities - get S/MIME capabilities attr value * * scans the list of allowed and enabled ciphers and construct a PKCS9-compliant diff --git a/nss/lib/smime/smimemessage.c b/nss/lib/smime/smimemessage.c index 3073ab2..dc315b1 100644 --- a/nss/lib/smime/smimemessage.c +++ b/nss/lib/smime/smimemessage.c @@ -131,7 +131,7 @@ NSS_SMIMEMessage_CreateSigned(CERTCertificate *scert, { NSSCMSMessage *cmsg; NSSCMSSignedData *sigd; - NSSCMSSignerInfo *signerinfo; + NSSCMSSignerInfo *signerinfo = NULL; /* See note in header comment above about digestalg. */ /* Doesn't explain this. PORT_Assert (digestalgtag == SEC_OID_SHA1); */ @@ -160,6 +160,8 @@ NSS_SMIMEMessage_CreateSigned(CERTCertificate *scert, /* now add the signerinfo to the signeddata */ if (NSS_CMSSignedData_AddSignerInfo(sigd, signerinfo) != SECSuccess) goto loser; + /* sigd (and therefore cmsg) has adopted signerinfo */ + signerinfo = NULL; /* include the signing cert and its entire chain */ /* note that there are no checks for duplicate certs in place, as all the */ @@ -178,6 +180,8 @@ NSS_SMIMEMessage_CreateSigned(CERTCertificate *scert, loser: if (cmsg) NSS_CMSMessage_Destroy(cmsg); + if (signerinfo) + NSS_CMSSignerInfo_Destroy(signerinfo); return NULL; } #endif diff --git a/nss/lib/smime/smimeutil.c b/nss/lib/smime/smimeutil.c index 2056195..2cf8bbb 100644 --- a/nss/lib/smime/smimeutil.c +++ b/nss/lib/smime/smimeutil.c @@ -12,26 +12,19 @@ #include "ciferfam.h" /* for CIPHER_FAMILY symbols */ #include "secasn1.h" #include "secitem.h" +#include "sechash.h" #include "cert.h" #include "keyhi.h" #include "secerr.h" #include "cms.h" #include "nss.h" +#include "prerror.h" +#include "prinit.h" SEC_ASN1_MKSUB(CERT_IssuerAndSNTemplate) SEC_ASN1_MKSUB(SEC_OctetStringTemplate) SEC_ASN1_CHOOSER_DECLARE(CERT_IssuerAndSNTemplate) -/* various integer's ASN.1 encoding */ -static unsigned char asn1_int40[] = { SEC_ASN1_INTEGER, 0x01, 0x28 }; -static unsigned char asn1_int64[] = { SEC_ASN1_INTEGER, 0x01, 0x40 }; -static unsigned char asn1_int128[] = { SEC_ASN1_INTEGER, 0x02, 0x00, 0x80 }; - -/* RC2 algorithm parameters (used in smime_cipher_map) */ -static SECItem param_int40 = { siBuffer, asn1_int40, sizeof(asn1_int40) }; -static SECItem param_int64 = { siBuffer, asn1_int64, sizeof(asn1_int64) }; -static SECItem param_int128 = { siBuffer, asn1_int128, sizeof(asn1_int128) }; - /* * XXX Would like the "parameters" field to be a SECItem *, but the * encoder is having trouble with optional pointers to an ANY. Maybe @@ -97,75 +90,569 @@ static const SEC_ASN1Template smime_encryptionkeypref_template[] = { { 0 } }; +/* table of implemented key exchange algorithms. As we add algorithms, + * update this table */ +static const SECOidTag implemented_key_encipherment[] = { + SEC_OID_PKCS1_RSA_ENCRYPTION, + SEC_OID_DHSINGLEPASS_STDDH_SHA1KDF_SCHEME, + SEC_OID_DHSINGLEPASS_STDDH_SHA224KDF_SCHEME, + SEC_OID_DHSINGLEPASS_STDDH_SHA256KDF_SCHEME, + SEC_OID_DHSINGLEPASS_STDDH_SHA384KDF_SCHEME, + SEC_OID_DHSINGLEPASS_STDDH_SHA512KDF_SCHEME, + SEC_OID_DHSINGLEPASS_COFACTORDH_SHA1KDF_SCHEME, + SEC_OID_DHSINGLEPASS_COFACTORDH_SHA224KDF_SCHEME, + SEC_OID_DHSINGLEPASS_COFACTORDH_SHA256KDF_SCHEME, + SEC_OID_DHSINGLEPASS_COFACTORDH_SHA384KDF_SCHEME, + SEC_OID_DHSINGLEPASS_COFACTORDH_SHA512KDF_SCHEME, +}; +static const int implemented_key_encipherment_len = + PR_ARRAY_SIZE(implemented_key_encipherment); + /* smime_cipher_map - map of SMIME symmetric "ciphers" to algtag & parameters */ typedef struct { unsigned long cipher; - SECOidTag algtag; - SECItem *parms; - PRBool enabled; /* in the user's preferences */ - PRBool allowed; /* per export policy */ -} smime_cipher_map_entry; - -/* global: list of supported SMIME symmetric ciphers, ordered roughly by increasing strength */ -static smime_cipher_map_entry smime_cipher_map[] = { - /* cipher, algtag, parms, enabled, allowed */ + SECOidTag policytag; +} smime_legacy_map_entry; + +/* legacy array of S/MIME values to map old SMIME entries to modern + * algtags. */ +static const smime_legacy_map_entry smime_legacy_map[] = { + /* cipher, algtag, policy */ /* --------------------------------------- */ - { SMIME_RC2_CBC_40, SEC_OID_RC2_CBC, ¶m_int40, PR_TRUE, PR_TRUE }, - { SMIME_DES_CBC_56, SEC_OID_DES_CBC, NULL, PR_TRUE, PR_TRUE }, - { SMIME_RC2_CBC_64, SEC_OID_RC2_CBC, ¶m_int64, PR_TRUE, PR_TRUE }, - { SMIME_RC2_CBC_128, SEC_OID_RC2_CBC, ¶m_int128, PR_TRUE, PR_TRUE }, - { SMIME_DES_EDE3_168, SEC_OID_DES_EDE3_CBC, NULL, PR_TRUE, PR_TRUE }, - { SMIME_AES_CBC_128, SEC_OID_AES_128_CBC, NULL, PR_TRUE, PR_TRUE }, - { SMIME_AES_CBC_256, SEC_OID_AES_256_CBC, NULL, PR_TRUE, PR_TRUE } + { SMIME_RC2_CBC_40, SEC_OID_RC2_40_CBC }, + { SMIME_DES_CBC_56, SEC_OID_DES_CBC }, + { SMIME_RC2_CBC_64, SEC_OID_RC2_64_CBC }, + { SMIME_RC2_CBC_128, SEC_OID_RC2_128_CBC }, + { SMIME_DES_EDE3_168, SEC_OID_DES_EDE3_CBC }, + { SMIME_AES_CBC_128, SEC_OID_AES_128_CBC }, + { SMIME_AES_CBC_256, SEC_OID_AES_256_CBC }, }; -static const int smime_cipher_map_count = sizeof(smime_cipher_map) / sizeof(smime_cipher_map_entry); +static const int smime_legacy_map_count = PR_ARRAY_SIZE(smime_legacy_map); -/* - * smime_mapi_by_cipher - find index into smime_cipher_map by cipher - */ static int -smime_mapi_by_cipher(unsigned long cipher) +smime_legacy_pref(SECOidTag algtag) { int i; - for (i = 0; i < smime_cipher_map_count; i++) { - if (smime_cipher_map[i].cipher == cipher) - return i; /* bingo */ + for (i = 0; i < smime_legacy_map_count; i++) { + if (smime_legacy_map[i].policytag == algtag) + return i; } - return -1; /* should not happen if we're consistent, right? */ + return -1; } /* - * NSS_SMIME_EnableCipher - this function locally records the user's preference + * smime_legacy_to policy - find policy algtag from a legacy input */ -SECStatus -NSS_SMIMEUtil_EnableCipher(unsigned long which, PRBool on) +static SECOidTag +smime_legacy_to_policy(unsigned long which) +{ + int i; + + for (i = 0; i < smime_legacy_map_count; i++) { + if (smime_legacy_map[i].cipher == which) + return smime_legacy_map[i].policytag; + } + return SEC_OID_UNKNOWN; +} + +/* map the old legacy values to modern oids. If the value isn't a recognized + * legacy value, assume it's a SECOidTag and continue. This allows us to use + * the old query and set interfaces with modern oids. */ +SECOidTag +smime_legacy_to_oid(unsigned long which) { unsigned long mask; - int mapi; + /* NOTE: all the legacy values and a CIPHER_FAMILYID of 0x00010000, + * (CIPHER_FAMILYID_MASK is 0xffff0000). SECOidTags start at 0 and + * increase monotonically, so as long as there is less than 16K of + * tags, we can distinguish between values intended to be SMIME ciphers + * and values intended to be SECOidTags */ mask = which & CIPHER_FAMILYID_MASK; + if (mask == CIPHER_FAMILYID_SMIME) { + return smime_legacy_to_policy(which); + } + return (SECOidTag)which; +} - PORT_Assert(mask == CIPHER_FAMILYID_SMIME); - if (mask != CIPHER_FAMILYID_SMIME) - /* XXX set an error! */ +/* SEC_OID_RC2_CBC is actually 3 ciphers with different key lengths. All modern + * symmetric ciphers include the key length with the oid. To handle policy for + * the different keylengths, we include fake oids that let us map the policy based + * on key length */ +static SECOidTag +smime_get_policy_tag_from_key_length(SECOidTag algtag, unsigned long keybits) +{ + if (algtag == SEC_OID_RC2_CBC) { + switch (keybits) { + case 40: + return SEC_OID_RC2_40_CBC; + case 64: + return SEC_OID_RC2_64_CBC; + case 128: + return SEC_OID_RC2_128_CBC; + default: + break; + } + return SEC_OID_UNKNOWN; + } + return algtag; +} + +PRBool +smime_allowed_by_policy(SECOidTag algtag, PRUint32 neededPolicy) +{ + PRUint32 policyFlags; + + /* some S/MIME algs map to the same underlying KEA mechanism, + * collaps them here */ + if ((neededPolicy & (NSS_USE_ALG_IN_SMIME_KX | NSS_USE_ALG_IN_SMIME_KX_LEGACY)) != 0) { + CK_MECHANISM_TYPE mechType = PK11_AlgtagToMechanism(algtag); + switch (mechType) { + case CKM_ECDH1_DERIVE: + case CKM_ECDH1_COFACTOR_DERIVE: + algtag = SEC_OID_ECDH_KEA; + break; + } + } + + if ((NSS_GetAlgorithmPolicy(algtag, &policyFlags) == SECFailure) || + ((policyFlags & neededPolicy) != neededPolicy)) { + PORT_SetError(SEC_ERROR_BAD_EXPORT_ALGORITHM); + return PR_FALSE; + } + return PR_TRUE; +} + +/* + * We'll need this for the fake policy oids for RC2, but the + * rest of these should be moved to pk11wrap for generic + * algtag to key size values. We already need this for + * sec_pkcs5v2_key_length_by oid. + */ +static int +smime_keysize_by_cipher(SECOidTag algtag) +{ + int keysize; + + switch (algtag) { + case SEC_OID_RC2_40_CBC: + keysize = 40; + break; + case SEC_OID_RC2_64_CBC: + keysize = 64; + break; + case SEC_OID_RC2_128_CBC: + case SEC_OID_AES_128_CBC: + case SEC_OID_CAMELLIA_128_CBC: + keysize = 128; + break; + case SEC_OID_AES_192_CBC: + case SEC_OID_CAMELLIA_192_CBC: + keysize = 192; + break; + case SEC_OID_AES_256_CBC: + case SEC_OID_CAMELLIA_256_CBC: + keysize = 256; + break; + default: + keysize = 0; + break; + } + + return keysize; +} + +static int +smime_max_keysize_by_cipher(SECOidTag algtag) +{ + int keysize = smime_keysize_by_cipher(algtag); + + if (keysize == 0) { + CK_MECHANISM_TYPE mech = PK11_AlgtagToMechanism(algtag); + return PK11_GetMaxKeyLength(mech) * PR_BITS_PER_BYTE; + } + return keysize; +} + +SECOidTag +smime_get_alg_from_policy(SECOidTag policy) +{ + switch (policy) { + case SEC_OID_RC2_40_CBC: + case SEC_OID_RC2_64_CBC: + case SEC_OID_RC2_128_CBC: + return SEC_OID_RC2_CBC; + default: + break; + } + return policy; +} + +typedef struct SMIMEListStr { + SECOidTag *tags; + size_t space_len; + size_t array_len; +} SMIMEList; + +static SMIMEList *smime_algorithm_list = NULL; +static PZLock *algorithm_list_lock = NULL; +static PRCallOnceType smime_init_arg = { 0 }; + +/* return the number of algorithms in the list */ +size_t +smime_list_length(const SMIMEList *list) +{ + if ((list == NULL) || (list->tags == NULL)) { + return 0; + } + return list->array_len; +} + +/* find the index of the algtag in the list. If the algtag isn't on the list, + * return the size of the list */ +size_t +smime_list_index_find(const SMIMEList *list, SECOidTag algtag) +{ + int i; + if ((list == NULL) || (list->tags == NULL)) { + return 0; + } + for (i = 0; i < list->array_len; i++) { + if (algtag == list->tags[i]) { + return i; + } + } + return list->array_len; +} + +#define SMIME_CHUNK_COUNT 10 +/* initialize and grow the list if necessary */ +static SECStatus +smime_list_grow(SMIMEList **list) +{ + /* first make sure the inital list is created */ + if (*list == NULL) { + *list = PORT_ZNew(SMIMEList); + if (*list == NULL) { + return SECFailure; + } + } + /* make sure the tag array is intialized */ + if ((*list)->tags == NULL) { + (*list)->tags = PORT_ZNewArray(SECOidTag, SMIME_CHUNK_COUNT); + if ((*list)->tags == NULL) { + return SECFailure; + } + (*list)->space_len = SMIME_CHUNK_COUNT; + } + /* grow the tag array if necessary */ + if ((*list)->array_len == (*list)->space_len) { + SECOidTag *new_space; + size_t new_len = (*list)->space_len + SMIME_CHUNK_COUNT; + new_space = (SECOidTag *)PORT_Realloc((*list)->tags, + new_len * sizeof(SECOidTag)); + if (new_space) { + return SECFailure; + } + (*list)->tags = new_space; + (*list)->space_len = new_len; + } + return SECSuccess; +} + +/* add a new algtag to the list. if the algtag is already on the list, + * do nothing */ +static SECStatus +smime_list_add(SMIMEList **list, SECOidTag algtag) +{ + SECStatus rv; + size_t array_len = smime_list_length(*list); + size_t c_index = smime_list_index_find(*list, algtag); + + if (array_len != c_index) { + /* already on the list */ + return SECSuccess; + } + + /* go the list if necessary */ + rv = smime_list_grow(list); + if (rv != SECSuccess) { + return rv; + } + (*list)->tags[(*list)->array_len++] = algtag; + return SECSuccess; +} + +static SECStatus +smime_list_remove(SMIMEList *list, SECOidTag algtag) +{ + size_t c_index, i; + size_t cipher_count = smime_list_length(list); + + if (cipher_count == 0) { + return SECSuccess; + } + c_index = smime_list_index_find(list, algtag); + if (c_index == cipher_count) { + /* already removed from the list */ + return SECSuccess; + } + for (i = c_index; i < cipher_count - 1; i++) { + list->tags[i] = list->tags[i + 1]; + } + list->array_len--; + list->tags[i] = 0; + return SECSuccess; +} + +static SECOidTag +smime_list_fetch_by_index(const SMIMEList *list, size_t c_index) +{ + size_t cipher_count = smime_list_length(list); + + if (c_index >= cipher_count) { + return SEC_OID_UNKNOWN; + } + /* we know this is safe because list cipher_count is non-zero (if it were + * any value of c_index will cause the above if to trigger */ + return list->tags[c_index]; +} + +static void +smime_free_list(SMIMEList **list) +{ + if (*list) { + if ((*list)->tags) { + PORT_Free((*list)->tags); + } + PORT_Free(*list); + } + *list = NULL; +} + +static void +smime_lock_algorithm_list(void) +{ + PORT_Assert(algorithm_list_lock); + if (algorithm_list_lock) { + PZ_Lock(algorithm_list_lock); + } + return; +} + +static void +smime_unlock_algorithm_list(void) +{ + PORT_Assert(algorithm_list_lock); + if (algorithm_list_lock) { + PZ_Unlock(algorithm_list_lock); + } + return; +} + +static SECStatus +smime_shutdown(void *appData, void *nssData) +{ + if (algorithm_list_lock) { + PZ_DestroyLock(algorithm_list_lock); + algorithm_list_lock = NULL; + } + smime_free_list(&smime_algorithm_list); + memset(&smime_init_arg, 0, sizeof(smime_init_arg)); + return SECSuccess; +} + +static PRStatus +smime_init_once(void *arg) +{ + SECOidTag *tags = NULL; + SECStatus rv; + int tagCount; + int i; + int *error = (int *)arg; + int *lengths = NULL; + int *legacy_prefs = NULL; + + rv = NSS_RegisterShutdown(smime_shutdown, NULL); + if (rv != SECSuccess) { + *error = PORT_GetError(); + return PR_FAILURE; + } + algorithm_list_lock = PZ_NewLock(nssILockCache); + if (algorithm_list_lock == NULL) { + *error = PORT_GetError(); + return PR_FAILURE; + } + + /* At initialization time, we need to set up the defaults. We first + * look to see if the system or application has set up certain algorithms + * by policy. If they have set up values by policy we'll only allow those + * algorithms. We'll then look to see if any algorithms are enabled by + * the application. */ + rv = NSS_GetAlgorithmPolicyAll(NSS_USE_ALG_IN_SMIME_LEGACY, + NSS_USE_ALG_IN_SMIME_LEGACY, + &tags, &tagCount); + if (tags) { + PORT_Free(tags); + tags = NULL; + } + if ((rv != SECSuccess) || (tagCount == 0)) { + /* No algorithms have been enabled by policy (either by the system + * or by the application, we then will use the traditional default + * algorithms from the policy map */ + for (i = smime_legacy_map_count - 1; i >= 0; i--) { + SECOidTag policytag = smime_legacy_map[i].policytag; + /* this enables the algorithm by policy. We need this or + * the policy code will reject attempts to use it */ + NSS_SetAlgorithmPolicy(policytag, NSS_USE_ALG_IN_SMIME, 0); + /* We also need to enable the algorithm. This is usually unde + * application control once the defaults are set up, so the + * application can turn off a policy that is already on, but + * not turn on a policy that is already off */ + smime_list_add(&smime_algorithm_list, policytag); + } + return PR_SUCCESS; + } + /* We have a system supplied policy, do we also have + * system supplied defaults? If we do we will only actually + * turn on the algorithms that have been specified. */ + rv = NSS_GetAlgorithmPolicyAll(NSS_USE_DEFAULT_NOT_VALID | + NSS_USE_DEFAULT_SMIME_ENABLE, + NSS_USE_DEFAULT_SMIME_ENABLE, + &tags, &tagCount); + /* if none found, enable the default algorithms */ + if ((rv != SECSuccess) || (tagCount == 0)) { + if (tags) { + PORT_Free(tags); + tags = NULL; + } + for (i = smime_legacy_map_count - 1; i >= 0; i--) { + SECOidTag policytag = smime_legacy_map[i].policytag; + /* we only enable the default algorithm, we don't change + * it's policy, which the system has already set. NOTE: + * what 'enable' means in the S/MIME sense is we advertise + * that we can do the given algorithm in our smime capabilities. */ + smime_list_add(&smime_algorithm_list, policytag); + } + return PR_SUCCESS; + } + + /* Sort tags by key strength here */ + lengths = PORT_ZNewArray(int, tagCount); + if (lengths == NULL) { + *error = PORT_GetError(); + goto loser; + } + legacy_prefs = PORT_ZNewArray(int, tagCount); + if (lengths == NULL) { + *error = PORT_GetError(); + goto loser; + } + /* Sort the tags array, highest preference at index 0 */ + for (i = 0; i < tagCount; i++) { + int len = smime_max_keysize_by_cipher(tags[i]); + int lpref = smime_legacy_pref(tags[i]); + SECOidTag current = tags[i]; + PRBool shift = PR_FALSE; + int j; + /* Determine best position for tags[i]. + * For each position j, check if tags [i] has a higher preference. + * If yes, store tags[i] at position j, and move all following + * entries one position to the back of the array. + */ + for (j = 0; j < i; j++) { + int tlen = lengths[j]; + int tpref = legacy_prefs[j]; + SECOidTag ttag = tags[j]; + /* we prefer ciphers with bigger keysizes, then + * we prefer ciphers in our historical list, + * then we prefer ciphers that show up first + * from the oid table */ + if (shift || (len > tlen) || ((len == tlen) && (lpref > tpref))) { + tags[j] = current; + lengths[j] = len; + legacy_prefs[j] = lpref; + current = ttag; + len = tlen; + lpref = tpref; + shift = PR_TRUE; + } + } + tags[i] = current; + lengths[i] = len; + legacy_prefs[i] = lpref; + } + + /* put them in the enable list */ + for (i = 0; i < tagCount; i++) { + smime_list_add(&smime_algorithm_list, tags[i]); + } + PORT_Free(lengths); + PORT_Free(legacy_prefs); + PORT_Free(tags); + return PR_SUCCESS; +loser: + if (lengths) + PORT_Free(lengths); + if (legacy_prefs) + PORT_Free(legacy_prefs); + if (tags) + PORT_Free(tags); + return PR_FAILURE; +} + +static SECStatus +smime_init(void) +{ + static PRBool smime_policy_initted = PR_FALSE; + static int error = 0; + PRStatus nrv; + + /* has NSS been initialized? */ + if (!NSS_IsInitialized()) { + PORT_SetError(SEC_ERROR_NOT_INITIALIZED); return SECFailure; + } + if (smime_policy_initted) { + return SECSuccess; + } + nrv = PR_CallOnceWithArg(&smime_init_arg, smime_init_once, &error); + if (nrv == PR_SUCCESS) { + smime_policy_initted = PR_TRUE; + return SECSuccess; + } + PORT_SetError(error); + return SECFailure; +} - mapi = smime_mapi_by_cipher(which); - if (mapi < 0) - /* XXX set an error */ +/* + * NSS_SMIME_EnableCipher - this function locally records the user's preference + */ +SECStatus +NSS_SMIMEUtil_EnableCipher(unsigned long which, PRBool on) +{ + SECOidTag algtag; + + SECStatus rv = smime_init(); + if (rv != SECSuccess) { return SECFailure; + } - /* do we try to turn on a forbidden cipher? */ - if (!smime_cipher_map[mapi].allowed && on) { + algtag = smime_legacy_to_oid(which); + if (!smime_allowed_by_policy(algtag, NSS_USE_ALG_IN_SMIME)) { PORT_SetError(SEC_ERROR_BAD_EXPORT_ALGORITHM); return SECFailure; } - if (smime_cipher_map[mapi].enabled != on) - smime_cipher_map[mapi].enabled = on; - - return SECSuccess; + smime_lock_algorithm_list(); + if (on) { + rv = smime_list_add(&smime_algorithm_list, algtag); + } else { + rv = smime_list_remove(smime_algorithm_list, algtag); + } + smime_unlock_algorithm_list(); + return rv; } /* @@ -174,99 +661,131 @@ NSS_SMIMEUtil_EnableCipher(unsigned long which, PRBool on) SECStatus NSS_SMIMEUtil_AllowCipher(unsigned long which, PRBool on) { - unsigned long mask; - int mapi; + SECOidTag algtag = smime_legacy_to_oid(which); + PRUint32 set = on ? NSS_USE_ALG_IN_SMIME : 0; + PRUint32 clear = on ? 0 : NSS_USE_ALG_IN_SMIME; + /* make sure we are inited before setting, so + * the defaults are correct */ + SECStatus rv = smime_init(); + if (rv != SECSuccess) { + return SECFailure; + } - mask = which & CIPHER_FAMILYID_MASK; + return NSS_SetAlgorithmPolicy(algtag, set, clear); +} - PORT_Assert(mask == CIPHER_FAMILYID_SMIME); - if (mask != CIPHER_FAMILYID_SMIME) - /* XXX set an error! */ +PRBool +NSS_SMIMEUtil_DecryptionAllowed(SECAlgorithmID *algid, PK11SymKey *key) +{ + SECOidTag algtag; + /* make sure we are inited before checking policy, so + * the defaults are correct */ + SECStatus rv = smime_init(); + if (rv != SECSuccess) { return SECFailure; + } - mapi = smime_mapi_by_cipher(which); - if (mapi < 0) - /* XXX set an error */ - return SECFailure; + algtag = smime_get_policy_tag_from_key_length(SECOID_GetAlgorithmTag(algid), + PK11_GetKeyStrength(key, algid)); + return smime_allowed_by_policy(algtag, NSS_USE_ALG_IN_SMIME_LEGACY); +} - if (smime_cipher_map[mapi].allowed != on) - smime_cipher_map[mapi].allowed = on; +PRBool +NSS_SMIMEUtil_EncryptionAllowed(SECAlgorithmID *algid, PK11SymKey *key) +{ + SECOidTag algtag; + /* make sure we are inited before checking policy, so + * the defaults are correct */ + SECStatus rv = smime_init(); + if (rv != SECSuccess) { + return SECFailure; + } - return SECSuccess; + algtag = smime_get_policy_tag_from_key_length(SECOID_GetAlgorithmTag(algid), + PK11_GetKeyStrength(key, algid)); + return smime_allowed_by_policy(algtag, NSS_USE_ALG_IN_SMIME); } -/* - * Based on the given algorithm (including its parameters, in some cases!) - * and the given key (may or may not be inspected, depending on the - * algorithm), find the appropriate policy algorithm specification - * and return it. If no match can be made, -1 is returned. - */ -static SECStatus -nss_smime_get_cipher_for_alg_and_key(SECAlgorithmID *algid, PK11SymKey *key, - unsigned long *cipher) +PRBool +NSS_SMIMEUtil_SigningAllowed(SECAlgorithmID *algid) { SECOidTag algtag; - unsigned int keylen_bits; - unsigned long c; + /* we don't adjust SIGNATURE policy based on defaults, so no need + * to call smime_init() */ algtag = SECOID_GetAlgorithmTag(algid); - switch (algtag) { - case SEC_OID_RC2_CBC: - keylen_bits = PK11_GetKeyStrength(key, algid); - switch (keylen_bits) { - case 40: - c = SMIME_RC2_CBC_40; - break; - case 64: - c = SMIME_RC2_CBC_64; - break; - case 128: - c = SMIME_RC2_CBC_128; - break; - default: - return SECFailure; - } - break; - case SEC_OID_DES_CBC: - c = SMIME_DES_CBC_56; - break; - case SEC_OID_DES_EDE3_CBC: - c = SMIME_DES_EDE3_168; - break; - case SEC_OID_AES_128_CBC: - c = SMIME_AES_CBC_128; - break; - case SEC_OID_AES_256_CBC: - c = SMIME_AES_CBC_256; - break; - default: - PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); - return SECFailure; - } - *cipher = c; - return SECSuccess; + return smime_allowed_by_policy(algtag, NSS_USE_ALG_IN_SMIME_SIGNATURE); } static PRBool -nss_smime_cipher_allowed(unsigned long which) +nss_smime_enforce_key_size(void) { - int mapi; + PRInt32 optFlags; - mapi = smime_mapi_by_cipher(which); - if (mapi < 0) - return PR_FALSE; - return smime_cipher_map[mapi].allowed; + if (NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optFlags) != SECFailure) { + if (optFlags & NSS_KEY_SIZE_POLICY_SMIME_FLAG) { + return PR_TRUE; + } + } + return PR_FALSE; } PRBool -NSS_SMIMEUtil_DecryptionAllowed(SECAlgorithmID *algid, PK11SymKey *key) +NSS_SMIMEUtil_KeyEncodingAllowed(SECAlgorithmID *algid, CERTCertificate *cert, + SECKEYPublicKey *key) { - unsigned long which; - - if (nss_smime_get_cipher_for_alg_and_key(algid, key, &which) != SECSuccess) - return PR_FALSE; + SECOidTag algtag; + /* we don't adjust KEA policy based on defaults, so no need + * to call smime_init() */ + + /* if required, make sure the key lengths are enforced */ + if (nss_smime_enforce_key_size()) { + SECStatus rv; + PRBool freeKey = PR_FALSE; + + if (!key) { + /* either the public key or the cert must be supplied. If the + * key wasn't supplied, get it from the certificate */ + if (!cert) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return PR_FALSE; + } + key = CERT_ExtractPublicKey(cert); + freeKey = PR_TRUE; + } + rv = SECKEY_EnforceKeySize(key->keyType, + SECKEY_PublicKeyStrengthInBits(key), + SEC_ERROR_BAD_EXPORT_ALGORITHM); + if (freeKey) { + SECKEY_DestroyPublicKey(key); + } + if (rv != SECSuccess) { + return PR_FALSE; + } + } + algtag = SECOID_GetAlgorithmTag(algid); + return smime_allowed_by_policy(algtag, NSS_USE_ALG_IN_SMIME_KX); +} - return nss_smime_cipher_allowed(which); +PRBool +NSS_SMIMEUtil_KeyDecodingAllowed(SECAlgorithmID *algid, SECKEYPrivateKey *key) +{ + SECOidTag algtag; + /* we don't adjust KEA policy based on defaults, so no need + * to call smime_init() */ + + /* if required, make sure the key lengths are enforced */ + if (nss_smime_enforce_key_size()) { + SECStatus rv; + rv = SECKEY_EnforceKeySize(key->keyType, + SECKEY_PrivateKeyStrengthInBits(key), + SEC_ERROR_BAD_EXPORT_ALGORITHM); + if (rv != SECSuccess) { + return PR_FALSE; + } + } + algtag = SECOID_GetAlgorithmTag(algid); + return smime_allowed_by_policy(algtag, NSS_USE_ALG_IN_SMIME_KX_LEGACY); } /* @@ -290,89 +809,142 @@ NSS_SMIMEUtil_DecryptionAllowed(SECAlgorithmID *algid, PK11SymKey *key) PRBool NSS_SMIMEUtil_EncryptionPossible(void) { - int i; + SECStatus rv = smime_init(); + size_t len; + if (rv != SECSuccess) { + return SECFailure; + } + smime_lock_algorithm_list(); + len = smime_list_length(smime_algorithm_list); + smime_unlock_algorithm_list(); + return len != 0 ? PR_TRUE : PR_FALSE; +} - for (i = 0; i < smime_cipher_map_count; i++) { - if (smime_cipher_map[i].allowed) - return PR_TRUE; +PRBool +NSS_SMIMEUtil_EncryptionEnabled(int which) +{ + SECOidTag algtag; + size_t c_index, len; + + SECStatus rv = smime_init(); + if (rv != SECSuccess) { + return SECFailure; } - return PR_FALSE; + + algtag = smime_legacy_to_oid(which); + + smime_lock_algorithm_list(); + len = smime_list_length(smime_algorithm_list); + c_index = smime_list_index_find(smime_algorithm_list, algtag); + smime_unlock_algorithm_list(); + + if (len >= c_index) { + return PR_FALSE; + } + + return smime_allowed_by_policy(algtag, NSS_USE_ALG_IN_SMIME); } -static int +static SECOidTag nss_SMIME_FindCipherForSMIMECap(NSSSMIMECapability *cap) { - int i; SECOidTag capIDTag; /* we need the OIDTag here */ capIDTag = SECOID_FindOIDTag(&(cap->capabilityID)); - /* go over all the SMIME ciphers we know and see if we find a match */ - for (i = 0; i < smime_cipher_map_count; i++) { - if (smime_cipher_map[i].algtag != capIDTag) - continue; - /* - * XXX If SECITEM_CompareItem allowed NULLs as arguments (comparing - * 2 NULLs as equal and NULL and non-NULL as not equal), we could - * use that here instead of all of the following comparison code. - */ - if (!smime_cipher_map[i].parms) { - if (!cap->parameters.data || !cap->parameters.len) - break; /* both empty: bingo */ - if (cap->parameters.len == 2 && - cap->parameters.data[0] == SEC_ASN1_NULL && - cap->parameters.data[1] == 0) - break; /* DER NULL == NULL, bingo */ - } else if (cap->parameters.data != NULL && - cap->parameters.len == smime_cipher_map[i].parms->len && - PORT_Memcmp(cap->parameters.data, smime_cipher_map[i].parms->data, - cap->parameters.len) == 0) { - break; /* both not empty, same length & equal content: bingo */ + /* RC2 used a generic oid and encoded the key length in the + * parameters */ + if (capIDTag == SEC_OID_RC2_CBC) { + SECStatus rv; + unsigned long key_bits; + SECItem keyItem = { siBuffer, NULL, 0 }; + + rv = SEC_ASN1DecodeItem(NULL, &keyItem, + SEC_ASN1_GET(SEC_IntegerTemplate), &cap->parameters); + if (rv != SECSuccess) { + return SEC_OID_UNKNOWN; + } + rv = SEC_ASN1DecodeInteger(&keyItem, &key_bits); + SECITEM_FreeItem(&keyItem, PR_FALSE); + if (rv != SECSuccess) { + return SEC_OID_UNKNOWN; } + return smime_get_policy_tag_from_key_length(capIDTag, key_bits); } - if (i == smime_cipher_map_count) - return 0; /* no match found */ - return smime_cipher_map[i].cipher; /* match found, point to cipher */ + /* everything else uses a null parameter */ + if (!cap->parameters.data || !cap->parameters.len) { + return capIDTag; + } + if (cap->parameters.len == 2 && + cap->parameters.data[0] == SEC_ASN1_NULL && + cap->parameters.data[1] == 0) { + return capIDTag; + } + return SEC_OID_UNKNOWN; } /* * smime_choose_cipher - choose a cipher that works for all the recipients * - * "scert" - sender's certificate * "rcerts" - recipient's certificates */ -static long -smime_choose_cipher(CERTCertificate *scert, CERTCertificate **rcerts) +static SECOidTag +smime_choose_cipher(CERTCertificate **rcerts) { - PLArenaPool *poolp; - long cipher; - long chosen_cipher; + PLArenaPool *poolp = NULL; + SECOidTag chosen_cipher = SEC_OID_UNKNOWN; + size_t cipher_count; + SECOidTag cipher; int *cipher_abilities; int *cipher_votes; - int weak_mapi; - int strong_mapi; - int aes128_mapi; - int aes256_mapi; - int rcount, mapi, max, i; + size_t weak_index; + size_t strong_index; + size_t aes128_index; + size_t aes256_index; + size_t c_index; + int rcount, max; + + smime_lock_algorithm_list(); + cipher_count = smime_list_length(smime_algorithm_list); + if (cipher_count == 0) { + goto done; + } - chosen_cipher = SMIME_RC2_CBC_40; /* the default, LCD */ - weak_mapi = smime_mapi_by_cipher(chosen_cipher); - aes128_mapi = smime_mapi_by_cipher(SMIME_AES_CBC_128); - aes256_mapi = smime_mapi_by_cipher(SMIME_AES_CBC_256); + chosen_cipher = SEC_OID_RC2_40_CBC; /* the default, LCD */ + weak_index = smime_list_index_find(smime_algorithm_list, chosen_cipher); + strong_index = smime_list_index_find(smime_algorithm_list, SEC_OID_DES_EDE3_CBC); + aes128_index = smime_list_index_find(smime_algorithm_list, SEC_OID_AES_128_CBC); + aes256_index = smime_list_index_find(smime_algorithm_list, SEC_OID_AES_256_CBC); + /* make sure the default selected cipher is enabled */ + if (weak_index == cipher_count) { + chosen_cipher = SEC_OID_DES_EDE3_CBC; + if (strong_index == cipher_count) { + chosen_cipher = SEC_OID_AES_128_CBC; + if (aes128_index == cipher_count) { + chosen_cipher = SEC_OID_AES_256_CBC; + if (aes256_index == cipher_count) { + /* none of the standard algorithms are enabled, If the + * recipients don't explicitly include a better cipher + * then fail */ + chosen_cipher = SEC_OID_UNKNOWN; + } + } + } + } poolp = PORT_NewArena(1024); /* XXX what is right value? */ if (poolp == NULL) goto done; - cipher_abilities = (int *)PORT_ArenaZAlloc(poolp, smime_cipher_map_count * sizeof(int)); - cipher_votes = (int *)PORT_ArenaZAlloc(poolp, smime_cipher_map_count * sizeof(int)); - if (cipher_votes == NULL || cipher_abilities == NULL) + cipher_abilities = PORT_ArenaZNewArray(poolp, int, cipher_count + 1); + cipher_votes = PORT_ArenaZNewArray(poolp, int, cipher_count + 1); + if (cipher_votes == NULL || cipher_abilities == NULL) { goto done; + } /* Make triple-DES the strong cipher. */ - strong_mapi = smime_mapi_by_cipher(SMIME_DES_EDE3_168); /* walk all the recipient's certs */ for (rcount = 0; rcerts[rcount] != NULL; rcount++) { @@ -381,9 +953,9 @@ smime_choose_cipher(CERTCertificate *scert, CERTCertificate **rcerts) int pref; /* the first cipher that matches in the user's SMIME profile gets - * "smime_cipher_map_count" votes; the next one gets "smime_cipher_map_count" - 1 + * "cipher_count" votes; the next one gets "cipher_count" - 1 * and so on. If every cipher matches, the last one gets 1 (one) vote */ - pref = smime_cipher_map_count; + pref = cipher_count; /* find recipient's SMIME profile */ profile = CERT_FindSMimeProfile(rcerts[rcount]); @@ -395,14 +967,15 @@ smime_choose_cipher(CERTCertificate *scert, CERTCertificate **rcerts) if (SEC_QuickDERDecodeItem(poolp, &caps, NSSSMIMECapabilitiesTemplate, profile) == SECSuccess && caps != NULL) { + int i; /* walk the SMIME capabilities for this recipient */ for (i = 0; caps[i] != NULL; i++) { cipher = nss_SMIME_FindCipherForSMIMECap(caps[i]); - mapi = smime_mapi_by_cipher(cipher); - if (mapi >= 0) { + c_index = smime_list_index_find(smime_algorithm_list, cipher); + if (c_index < cipher_count) { /* found the cipher */ - cipher_abilities[mapi]++; - cipher_votes[mapi] += pref; + cipher_abilities[c_index]++; + cipher_votes[c_index] += pref; --pref; } } @@ -444,17 +1017,19 @@ smime_choose_cipher(CERTCertificate *scert, CERTCertificate **rcerts) * security strength so that symmetric key is not weak link. */ /* RC2-40 is not compatible with elliptic curve keys. */ - chosen_cipher = SMIME_DES_EDE3_168; + if (chosen_cipher == SEC_OID_RC2_40_CBC) { + chosen_cipher = SEC_OID_AES_128_CBC; + } if (pklen_bits > 256) { - cipher_abilities[aes256_mapi]++; - cipher_votes[aes256_mapi] += pref; + cipher_abilities[aes256_index]++; + cipher_votes[aes256_index] += pref; pref--; } - cipher_abilities[aes128_mapi]++; - cipher_votes[aes128_mapi] += pref; + cipher_abilities[aes128_index]++; + cipher_votes[aes128_index] += pref; pref--; - cipher_abilities[strong_mapi]++; - cipher_votes[strong_mapi] += pref; + cipher_abilities[strong_index]++; + cipher_votes[strong_index] += pref; pref--; } else { if (pklen_bits > 3072) { @@ -463,8 +1038,8 @@ smime_choose_cipher(CERTCertificate *scert, CERTCertificate **rcerts) * bits provide more than 128 bits of security strength. * So, AES 256 should be used to provide comparable * security. */ - cipher_abilities[aes256_mapi]++; - cipher_votes[aes256_mapi] += pref; + cipher_abilities[aes256_index]++; + cipher_votes[aes256_index] += pref; pref--; } if (pklen_bits > 1023) { @@ -472,20 +1047,20 @@ smime_choose_cipher(CERTCertificate *scert, CERTCertificate **rcerts) * that RSA and DSA signature keys SHOULD NOT be less than * 1024 bits. So, cast vote for AES 128 if key length * is at least 1024 bits. */ - cipher_abilities[aes128_mapi]++; - cipher_votes[aes128_mapi] += pref; + cipher_abilities[aes128_index]++; + cipher_votes[aes128_index] += pref; pref--; } if (pklen_bits > 512) { /* cast votes for the strong algorithm */ - cipher_abilities[strong_mapi]++; - cipher_votes[strong_mapi] += pref; + cipher_abilities[strong_index]++; + cipher_votes[strong_index] += pref; pref--; } /* always cast (possibly less) votes for the weak algorithm */ - cipher_abilities[weak_mapi]++; - cipher_votes[weak_mapi] += pref; + cipher_abilities[weak_index]++; + cipher_votes[weak_index] += pref; } } if (profile != NULL) @@ -494,24 +1069,27 @@ smime_choose_cipher(CERTCertificate *scert, CERTCertificate **rcerts) /* find cipher that is agreeable by all recipients and that has the most votes */ max = 0; - for (mapi = 0; mapi < smime_cipher_map_count; mapi++) { + for (c_index = 0; c_index < cipher_count; c_index++) { /* if not all of the recipients can do this, forget it */ - if (cipher_abilities[mapi] != rcount) + if (cipher_abilities[c_index] != rcount) continue; - /* if cipher is not enabled or not allowed by policy, forget it */ - if (!smime_cipher_map[mapi].enabled || !smime_cipher_map[mapi].allowed) + cipher = smime_list_fetch_by_index(smime_algorithm_list, c_index); + /* if cipher is allowed by policy, forget it */ + if (!smime_allowed_by_policy(cipher, NSS_USE_ALG_IN_SMIME)) { continue; + } /* now see if this one has more votes than the last best one */ - if (cipher_votes[mapi] >= max) { + if (cipher_votes[c_index] >= max) { /* if equal number of votes, prefer the ones further down in the list */ /* with the expectation that these are higher rated ciphers */ - chosen_cipher = smime_cipher_map[mapi].cipher; - max = cipher_votes[mapi]; + chosen_cipher = cipher; + max = cipher_votes[c_index]; } } /* if no common cipher was found, chosen_cipher stays at the default */ done: + smime_unlock_algorithm_list(); if (poolp != NULL) PORT_FreeArena(poolp, PR_FALSE); @@ -519,46 +1097,6 @@ done: } /* - * XXX This is a hack for now to satisfy our current interface. - * Eventually, with more parameters needing to be specified, just - * looking up the keysize is not going to be sufficient. - */ -static int -smime_keysize_by_cipher(unsigned long which) -{ - int keysize; - - switch (which) { - case SMIME_RC2_CBC_40: - keysize = 40; - break; - case SMIME_RC2_CBC_64: - keysize = 64; - break; - case SMIME_RC2_CBC_128: - case SMIME_AES_CBC_128: - keysize = 128; - break; - case SMIME_AES_CBC_256: - keysize = 256; - break; - case SMIME_DES_CBC_56: - case SMIME_DES_EDE3_168: - /* - * These are special; since the key size is fixed, we actually - * want to *avoid* specifying a key size. - */ - keysize = 0; - break; - default: - keysize = -1; - break; - } - - return keysize; -} - -/* * NSS_SMIMEUtil_FindBulkAlgForRecipients - find bulk algorithm suitable for all recipients * * it would be great for UI purposes if there would be a way to find out which recipients @@ -568,19 +1106,69 @@ SECStatus NSS_SMIMEUtil_FindBulkAlgForRecipients(CERTCertificate **rcerts, SECOidTag *bulkalgtag, int *keysize) { - unsigned long cipher; - int mapi; + SECOidTag cipher; - cipher = smime_choose_cipher(NULL, rcerts); - mapi = smime_mapi_by_cipher(cipher); + SECStatus rv = smime_init(); + if (rv != SECSuccess) { + return SECFailure; + } - *bulkalgtag = smime_cipher_map[mapi].algtag; - *keysize = smime_keysize_by_cipher(smime_cipher_map[mapi].cipher); + cipher = smime_choose_cipher(rcerts); + if (cipher == SEC_OID_UNKNOWN) { + PORT_SetError(SEC_ERROR_BAD_EXPORT_ALGORITHM); + return SECFailure; + } + + *bulkalgtag = smime_get_alg_from_policy(cipher); + *keysize = smime_keysize_by_cipher(cipher); return SECSuccess; } /* + * Create a new Capability from an oid tag + */ +static NSSSMIMECapability * +smime_create_capability(SECOidTag cipher) +{ + NSSSMIMECapability *cap = NULL; + SECOidData *oiddata = NULL; + SECItem *dummy = NULL; + + oiddata = SECOID_FindOIDByTag(smime_get_alg_from_policy(cipher)); + if (oiddata == NULL) { + return NULL; + } + + cap = PORT_ZNew(NSSSMIMECapability); + if (cap == NULL) { + return NULL; + } + + cap->capabilityID.data = oiddata->oid.data; + cap->capabilityID.len = oiddata->oid.len; + if (cipher == SEC_OID_RC2_CBC) { + SECItem keyItem = { siBuffer, NULL, 0 }; + unsigned long keybits = smime_get_alg_from_policy(cipher); + dummy = SEC_ASN1EncodeInteger(NULL, &keyItem, keybits); + if (dummy == NULL) { + PORT_Free(cap); + return NULL; + } + dummy = SEC_ASN1EncodeItem(NULL, &cap->parameters, + &keyItem, SEC_ASN1_GET(SEC_IntegerTemplate)); + SECITEM_FreeItem(&keyItem, PR_FALSE); + if (dummy == NULL) { + PORT_Free(cap); + return NULL; + } + } else { + cap->parameters.data = NULL; + cap->parameters.len = 0; + } + return cap; +} +/* * NSS_SMIMEUtil_CreateSMIMECapabilities - get S/MIME capabilities for this instance of NSS * * scans the list of allowed and enabled ciphers and construct a PKCS9-compliant @@ -595,58 +1183,115 @@ NSS_SMIMEUtil_FindBulkAlgForRecipients(CERTCertificate **rcerts, SECStatus NSS_SMIMEUtil_CreateSMIMECapabilities(PLArenaPool *poolp, SECItem *dest) { - NSSSMIMECapability *cap; - NSSSMIMECapability **smime_capabilities; - smime_cipher_map_entry *map; - SECOidData *oiddata; - SECItem *dummy; + NSSSMIMECapability *cap = NULL; + NSSSMIMECapability **smime_capabilities = NULL; + SECItem *dummy = NULL; int i, capIndex; + int cap_count; + int cipher_count; + int hash_count; + + SECStatus rv = smime_init(); + if (rv != SECSuccess) { + return SECFailure; + } + /* First get the hash count */ + for (i = HASH_AlgNULL + 1;; i++) { + if (HASH_GetHashOidTagByHashType(i) == SEC_OID_UNKNOWN) { + break; + } + } + hash_count = i - 1; + + smime_lock_algorithm_list(); + /* now get the cipher count */ + cipher_count = smime_list_length(smime_algorithm_list); + if (cipher_count == 0) { + smime_unlock_algorithm_list(); + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + return SECFailure; + } + + cap_count = cipher_count + hash_count + implemented_key_encipherment_len; - /* if we have an old NSSSMIMECapability array, we'll reuse it (has the right size) */ - /* smime_cipher_map_count + 1 is an upper bound - we might end up with less */ - smime_capabilities = (NSSSMIMECapability **)PORT_ZAlloc((smime_cipher_map_count + 1) * sizeof(NSSSMIMECapability *)); - if (smime_capabilities == NULL) + /* cipher_count + 1 is an upper bound - we might end up with less */ + smime_capabilities = PORT_ZNewArray(NSSSMIMECapability *, cap_count + 1); + if (smime_capabilities == NULL) { + smime_unlock_algorithm_list(); return SECFailure; + } capIndex = 0; /* Add all the symmetric ciphers - * We walk the cipher list backwards, as it is ordered by increasing strength, + * We walk the cipher list, as it is ordered by decreasing strength, * we prefer the stronger cipher over a weaker one, and we have to list the * preferred algorithm first */ - for (i = smime_cipher_map_count - 1; i >= 0; i--) { - /* Find the corresponding entry in the cipher map. */ - map = &(smime_cipher_map[i]); - if (!map->enabled) + for (i = 0; i < cipher_count; i++) { + SECOidTag cipher = smime_list_fetch_by_index(smime_algorithm_list, i); + + /* is it allowed by policy? */ + if (!smime_allowed_by_policy(cipher, NSS_USE_ALG_IN_SMIME)) { continue; + } + cipher = smime_get_alg_from_policy(cipher); + cap = smime_create_capability(cipher); + if (cap == NULL) + break; + smime_capabilities[capIndex++] = cap; + } + /* add signature algorithms = hash algs. + * probably also need to figure how what + * actual signatures we support in secvfy + * as well. We currently don't look a these + * when choosing hash and signature (hash is + * chosen by the application and signature + * type is chosen by the signing cert/key) */ + smime_unlock_algorithm_list(); + for (i = HASH_AlgNULL + 1; i < hash_count + 1; i++) { + SECOidTag hash_alg = HASH_GetHashOidTagByHashType(i); + + if (!smime_allowed_by_policy(hash_alg, + NSS_USE_ALG_IN_SMIME_SIGNATURE | NSS_USE_ALG_IN_SIGNATURE)) { + continue; + } + cap = smime_create_capability(hash_alg); /* get next SMIME capability */ - cap = (NSSSMIMECapability *)PORT_ZAlloc(sizeof(NSSSMIMECapability)); if (cap == NULL) break; smime_capabilities[capIndex++] = cap; + } - oiddata = SECOID_FindOIDByTag(map->algtag); - if (oiddata == NULL) - break; + /* add key encipherment algorithms . These are static + * to the s/mime library, so we can just use the table. + * new kea algs should be implemented. We don't use these + * because the senders key pretty much selects what time + * of kea we are going to implement */ + for (i = 0; i < implemented_key_encipherment_len; i++) { + SECOidTag kea_alg = implemented_key_encipherment[i]; - cap->capabilityID.data = oiddata->oid.data; - cap->capabilityID.len = oiddata->oid.len; - cap->parameters.data = map->parms ? map->parms->data : NULL; - cap->parameters.len = map->parms ? map->parms->len : 0; - cap->cipher = smime_cipher_map[i].cipher; + if (!smime_allowed_by_policy(kea_alg, NSS_USE_ALG_IN_SMIME_KX)) { + continue; + } + cap = smime_create_capability(kea_alg); + /* get next SMIME capability */ + if (cap == NULL) + break; + smime_capabilities[capIndex++] = cap; } - /* XXX add signature algorithms */ - /* XXX add key encipherment algorithms */ - smime_capabilities[capIndex] = NULL; /* last one - now encode */ dummy = SEC_ASN1EncodeItem(poolp, dest, &smime_capabilities, NSSSMIMECapabilitiesTemplate); /* now that we have the proper encoded SMIMECapabilities (or not), * free the work data */ - for (i = 0; smime_capabilities[i] != NULL; i++) + for (i = 0; smime_capabilities[i] != NULL; i++) { + if (smime_capabilities[i]->parameters.data) { + PORT_Free(smime_capabilities[i]->parameters.data); + } PORT_Free(smime_capabilities[i]); + } PORT_Free(smime_capabilities); return (dummy == NULL) ? SECFailure : SECSuccess; diff --git a/nss/lib/softoken/kbkdf.c b/nss/lib/softoken/kbkdf.c index c6021ef..236084c 100644 --- a/nss/lib/softoken/kbkdf.c +++ b/nss/lib/softoken/kbkdf.c @@ -1512,6 +1512,7 @@ sftk_fips_SP800_108_PowerUpSelfTests(void) (output_buffer == NULL) || (PORT_Memcmp(output_buffer, test->expected_key_bytes, buffer_length) != 0)) { PORT_ZFree(output_buffer, buffer_length); + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); return SECFailure; } PORT_ZFree(output_buffer, buffer_length); diff --git a/nss/lib/softoken/pkcs11.c b/nss/lib/softoken/pkcs11.c index 915fa7e..b32c8bc 100644 --- a/nss/lib/softoken/pkcs11.c +++ b/nss/lib/softoken/pkcs11.c @@ -3397,7 +3397,8 @@ sftk_getParameters(CK_C_INITIALIZE_ARGS *init_args, PRBool isFIPS, if (libParams) { /* memory allocated */ if (PR_Read(file_dc, libParams, len) == -1) { - PR_Free(libParams); + PORT_Free(libParams); + libParams = NULL; } else { free_mem = PR_TRUE; libParams[len] = '\0'; @@ -3409,7 +3410,7 @@ sftk_getParameters(CK_C_INITIALIZE_ARGS *init_args, PRBool isFIPS, } } - if (!libParams) + if (libParams == NULL) libParams = LIB_PARAM_DEFAULT; } else { @@ -3426,7 +3427,7 @@ sftk_getParameters(CK_C_INITIALIZE_ARGS *init_args, PRBool isFIPS, crv = CKR_OK; loser: if (free_mem) - PR_Free(libParams); + PORT_Free(libParams); return crv; } @@ -4805,8 +4806,14 @@ NSC_CreateObject(CK_SESSION_HANDLE hSession, if (object == NULL) { return CKR_HOST_MEMORY; } - object->isFIPS = PR_FALSE; /* if we created the object on the fly, - * it's not a FIPS object */ + + /* + * sftk_NewObject will set object->isFIPS to PR_TRUE if the slot is FIPS. + * We don't need to worry about that here, as FC_CreateObject will always + * disallow the import of secret and private keys, regardless of isFIPS + * approval status. Therefore, at this point we know that the key is a + * public key, which is acceptable to be imported in plaintext. + */ /* * load the template values into the object diff --git a/nss/lib/softoken/pkcs11u.c b/nss/lib/softoken/pkcs11u.c index f483060..a3e7140 100644 --- a/nss/lib/softoken/pkcs11u.c +++ b/nss/lib/softoken/pkcs11u.c @@ -963,9 +963,14 @@ sftk_GetObjectFromList(PRBool *hasLocks, PRBool optimizeSpace, } PZ_Unlock(list->lock); if (object) { - object->next = object->prev = NULL; - *hasLocks = PR_TRUE; - return object; + // As a safeguard against misuse of the library, ensure we don't + // hand out live objects that somehow land in the free list. + PORT_Assert(object->refCount == 0); + if (object->refCount == 0) { + object->next = object->prev = NULL; + *hasLocks = PR_TRUE; + return object; + } } } size = isSessionObject ? sizeof(SFTKSessionObject) + hashSize * sizeof(SFTKAttribute *) : sizeof(SFTKTokenObject); @@ -1183,6 +1188,7 @@ void sftk_ReferenceObject(SFTKObject *object) { PZ_Lock(object->refLock); + PORT_Assert(object->refCount > 0); object->refCount++; PZ_Unlock(object->refLock); } diff --git a/nss/lib/softoken/softkver.h b/nss/lib/softoken/softkver.h index 9538045..144b97b 100644 --- a/nss/lib/softoken/softkver.h +++ b/nss/lib/softoken/softkver.h @@ -17,9 +17,9 @@ * The format of the version string should be * "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]" */ -#define SOFTOKEN_VERSION "3.100" SOFTOKEN_ECC_STRING +#define SOFTOKEN_VERSION "3.101" SOFTOKEN_ECC_STRING #define SOFTOKEN_VMAJOR 3 -#define SOFTOKEN_VMINOR 100 +#define SOFTOKEN_VMINOR 101 #define SOFTOKEN_VPATCH 0 #define SOFTOKEN_VBUILD 0 #define SOFTOKEN_BETA PR_FALSE diff --git a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h index 973a5db..ed5b97a 100644 --- a/nss/lib/ssl/sslimpl.h +++ b/nss/lib/ssl/sslimpl.h @@ -1962,6 +1962,29 @@ SECStatus SSLExp_AeadDecrypt(const SSLAeadContext *ctx, PRUint64 counter, const PRUint8 *aad, unsigned int aadLen, const PRUint8 *plaintext, unsigned int plaintextLen, PRUint8 *out, unsigned int *outLen, unsigned int maxOut); + +/* The next function is responsible for registering a certificate compression mechanism + to be used for TLS connection. + The caller passes SSLCertificateCompressionAlgorithm algorithm: + + typedef struct SSLCertificateCompressionAlgorithmStr { + SSLCertificateCompressionAlgorithmID id; + const char* name; + SECStatus (*encode)(const SECItem* input, SECItem* output); + SECStatus (*decode)(const SECItem* input, unsigned char* output, size_t outputLen, size_t* usedLen); + } SSLCertificateCompressionAlgorithm; + + Certificate Compression encoding function is responsible for allocating the output buffer itself. + If encoding function fails, the function has the install the appropriate error code and return an error. + + Certificate Compression decoding function operates an output buffer allocated in NSS. + The function returns success or an error code. + If successful, the function sets the number of bytes used to stored the decoded certificate + in the outparam usedLen. If provided buffer is not enough to store the output (or any problem has occured during + decoding of the buffer), the function has the install the appropriate error code and return an error. + Note: usedLen is always <= outputLen. + + */ SECStatus SSLExp_SetCertificateCompressionAlgorithm(PRFileDesc *fd, SSLCertificateCompressionAlgorithm alg); SECStatus SSLExp_HkdfExtract(PRUint16 version, PRUint16 cipherSuite, PK11SymKey *salt, PK11SymKey *ikm, PK11SymKey **keyp); diff --git a/nss/lib/ssl/sslinit.c b/nss/lib/ssl/sslinit.c index 07d57ce..25747b5 100644 --- a/nss/lib/ssl/sslinit.c +++ b/nss/lib/ssl/sslinit.c @@ -7,6 +7,7 @@ #include "prtypes.h" #include "prinit.h" +#include "nss.h" #include "seccomon.h" #include "secerr.h" #include "ssl.h" @@ -17,6 +18,13 @@ static int ssl_isInited = 0; static PRCallOnceType ssl_init = { 0 }; PR_STATIC_ASSERT(sizeof(unsigned long) <= sizeof(PRUint64)); +static SECStatus +ssl_InitShutdown(void *appData, void *nssData) +{ + memset(&ssl_init, 0, sizeof(ssl_init)); + return SECSuccess; +} + PRStatus ssl_InitCallOnce(void *arg) { @@ -37,6 +45,12 @@ ssl_InitCallOnce(void *arg) *error = PORT_GetError(); return PR_FAILURE; } + + rv = NSS_RegisterShutdown(ssl_InitShutdown, NULL); + if (rv != SECSuccess) { + *error = PORT_GetError(); + return PR_FAILURE; + } return PR_SUCCESS; } diff --git a/nss/lib/ssl/sslt.h b/nss/lib/ssl/sslt.h index d892731..a2c2cea 100644 --- a/nss/lib/ssl/sslt.h +++ b/nss/lib/ssl/sslt.h @@ -585,13 +585,13 @@ typedef enum { ssl_dhe_group_max } SSLDHEGroupType; -/* RFC 8879: TLS Certificate Compression - 3. Negotiating Certificate Compression +/* RFC 8879: TLS Certificate Compression - 3. Negotiating Certificate Compression ** enum { ** zlib(1), ** brotli(2), ** zstd(3), ** (65535) -** } CertificateCompressionAlgorithm; +** } CertificateCompressionAlgorithm; */ typedef PRUint16 SSLCertificateCompressionAlgorithmID; @@ -599,7 +599,11 @@ typedef struct SSLCertificateCompressionAlgorithmStr { SSLCertificateCompressionAlgorithmID id; const char* name; SECStatus (*encode)(const SECItem* input, SECItem* output); - SECStatus (*decode)(const SECItem* input, SECItem* output, size_t expectedLenDecodedCertificate); + /* outputLen is the length of the output buffer passed by NSS to the decode function. + * Decode should return an error code if the decoding fails or the output buffer is not big enough. + * usedLen is an outparam which indicates the number of bytes the decoder consumed from output. + * Note: usedLen is always <= outputLen. */ + SECStatus (*decode)(const SECItem* input, unsigned char* output, size_t outputLen, size_t* usedLen); } SSLCertificateCompressionAlgorithm; #endif /* __sslt_h_ */ diff --git a/nss/lib/ssl/tls13con.c b/nss/lib/ssl/tls13con.c index 87f6d5b..d7dda94 100644 --- a/nss/lib/ssl/tls13con.c +++ b/nss/lib/ssl/tls13con.c @@ -3580,11 +3580,11 @@ static SECStatus tls13_SendCompressedCertificate(sslSocket *ss, sslBuffer *bufferCertificate) { /* TLS Certificate Compression. RFC 8879 */ - /* As the encoding function takes as input a SECItem, + /* As the encoding function takes as input a SECItem, * we convert bufferCertificate to certificateToEncode. * - * encodedCertificate is used to store the certificate - * after encoding. + * encodedCertificate is used to store the certificate + * after encoding. */ SECItem encodedCertificate = { siBuffer, NULL, 0 }; SECItem certificateToEncode = { siBuffer, NULL, 0 }; @@ -3618,12 +3618,12 @@ tls13_SendCompressedCertificate(sslSocket *ss, sslBuffer *bufferCertificate) } /* The CompressedCertificate message is formed as follows: - * struct { - * CertificateCompressionAlgorithm algorithm; - * uint24 uncompressed_length; - * opaque compressed_certificate_message<1..2^24-1>; - * } CompressedCertificate; - */ + * struct { + * CertificateCompressionAlgorithm algorithm; + * uint24 uncompressed_length; + * opaque compressed_certificate_message<1..2^24-1>; + * } CompressedCertificate; + */ if (encodedCertificate.len < 1) { PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); @@ -3764,7 +3764,7 @@ tls13_SendCertificate(sslSocket *ss) } } - /* If no compression mechanism was established or + /* If no compression mechanism was established or * the compression mechanism supports only decoding, * we continue as before. */ if (ss->xtnData.compressionAlg == 0 || !tls13_FindCompressionAlgAndCheckIfSupportsEncoding(ss)) { @@ -3921,7 +3921,8 @@ tls13_HandleCertificateDecode(sslSocket *ss, PRUint8 *b, PRUint32 length) } PRBool compressionAlgorithmIsSupported = PR_FALSE; - SECStatus (*certificateDecodingFunc)(const SECItem *, SECItem *, size_t) = NULL; + SECStatus (*certificateDecodingFunc)(const SECItem *, + unsigned char *output, size_t outputLen, size_t *usedLen) = NULL; for (int i = 0; i < ss->ssl3.supportedCertCompressionAlgorithmsCount; i++) { if (ss->ssl3.supportedCertCompressionAlgorithms[i].id == compressionAlg) { compressionAlgorithmIsSupported = PR_TRUE; @@ -3946,16 +3947,16 @@ tls13_HandleCertificateDecode(sslSocket *ss, PRUint8 *b, PRUint32 length) SSL_TRC(30, ("%d: TLS13[%d]: %s is decoding the certificate using the %s compression algorithm", SSL_GETPID(), ss->fd, SSL_ROLE(ss), ssl3_mapCertificateCompressionAlgorithmToName(ss, compressionAlg))); - PRUint32 decodedCertificateLen = 0; - rv = ssl3_ConsumeHandshakeNumber(ss, &decodedCertificateLen, 3, &b, &length); + PRUint32 decodedCertLen = 0; + rv = ssl3_ConsumeHandshakeNumber(ss, &decodedCertLen, 3, &b, &length); if (rv != SECSuccess) { return SECFailure; /* alert has been sent */ } /* If the received CompressedCertificate message cannot be decompressed, - * he connection MUST be terminated with the "bad_certificate" alert. + * he connection MUST be terminated with the "bad_certificate" alert. */ - if (decodedCertificateLen == 0) { + if (decodedCertLen == 0) { SSL_TRC(50, ("%d: TLS13[%d]: %s decoded certificate length is incorrect", SSL_GETPID(), ss->fd, SSL_ROLE(ss), ssl3_mapCertificateCompressionAlgorithmToName(ss, compressionAlg))); @@ -3964,26 +3965,28 @@ tls13_HandleCertificateDecode(sslSocket *ss, PRUint8 *b, PRUint32 length) } /* opaque compressed_certificate_message<1..2^24-1>; */ - PRUint32 compressedCertificateMessageLen = 0; - rv = ssl3_ConsumeHandshakeNumber(ss, &compressedCertificateMessageLen, 3, &b, &length); + PRUint32 compressedCertLen = 0; + rv = ssl3_ConsumeHandshakeNumber(ss, &compressedCertLen, 3, &b, &length); if (rv != SECSuccess) { return SECFailure; /* alert has been sent */ } - if (compressedCertificateMessageLen == 0 || compressedCertificateMessageLen != length) { + if (compressedCertLen == 0 || compressedCertLen != length) { FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERTIFICATE, bad_certificate); return SECFailure; } /* Decoding received certificate. */ - SECItem decodedCertificate = { siBuffer, NULL, 0 }; - if (!SECITEM_AllocItem(NULL, &decodedCertificate, decodedCertificateLen)) { - FATAL_ERROR(ss, SEC_ERROR_NO_MEMORY, internal_error); + PRUint8 *decodedCert = PORT_ZAlloc(decodedCertLen); + if (!decodedCert) { return SECFailure; } - SECItem encodedCertAsSecItem = { siBuffer, b, compressedCertificateMessageLen }; - rv = certificateDecodingFunc(&encodedCertAsSecItem, &decodedCertificate, decodedCertificateLen); + size_t actualCertLen = 0; + + SECItem encodedCertAsSecItem = { siBuffer, b, compressedCertLen }; + rv = certificateDecodingFunc(&encodedCertAsSecItem, + decodedCert, decodedCertLen, &actualCertLen); if (rv != SECSuccess) { SSL_TRC(50, ("%d: TLS13[%d]: %s decoding of the certificate has failed", @@ -3992,15 +3995,15 @@ tls13_HandleCertificateDecode(sslSocket *ss, PRUint8 *b, PRUint32 length) FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERTIFICATE, bad_certificate); goto loser; } - PRINT_BUF(60, (ss, "consume bytes:", b, compressedCertificateMessageLen)); - *b += compressedCertificateMessageLen; - length -= compressedCertificateMessageLen; + PRINT_BUF(60, (ss, "consume bytes:", b, compressedCertLen)); + *b += compressedCertLen; + length -= compressedCertLen; - /* If, after decompression, the specified length does not match the actual length, - * the party receiving the invalid message MUST abort the connection - * with the "bad_certificate" alert. + /* If, after decompression, the specified length does not match the actual length, + * the party receiving the invalid message MUST abort the connection + * with the "bad_certificate" alert. */ - if (decodedCertificateLen != decodedCertificate.len) { + if (actualCertLen != decodedCertLen) { SSL_TRC(50, ("%d: TLS13[%d]: %s certificate length does not correspond to extension length", SSL_GETPID(), ss->fd, SSL_ROLE(ss), ssl3_mapCertificateCompressionAlgorithmToName(ss, compressionAlg))); @@ -4009,7 +4012,7 @@ tls13_HandleCertificateDecode(sslSocket *ss, PRUint8 *b, PRUint32 length) } PRINT_BUF(50, (NULL, "Decoded certificate", - decodedCertificate.data, decodedCertificate.len)); + decodedCert, decodedCertLen)); /* compressed_certificate_message: The result of applying the indicated * compression algorithm to the encoded Certificate message that @@ -4020,19 +4023,19 @@ tls13_HandleCertificateDecode(sslSocket *ss, PRUint8 *b, PRUint32 length) * the verification have the same security properties as they would have * in TLS normally. */ - rv = tls13_HandleCertificate(ss, decodedCertificate.data, decodedCertificate.len, PR_TRUE); + rv = tls13_HandleCertificate(ss, decodedCert, decodedCertLen, PR_TRUE); if (rv != SECSuccess) { goto loser; } - /* We allow only one compressed certificate to be handled after each - certificate compression advertisement. + /* We allow only one compressed certificate to be handled after each + certificate compression advertisement. See test CertificateCompression_TwoEncodedCertificateRequests. */ ss->xtnData.certificateCompressionAdvertised = PR_FALSE; - SECITEM_FreeItem(&decodedCertificate, PR_FALSE); + PORT_Free(decodedCert); return SECSuccess; loser: - SECITEM_FreeItem(&decodedCertificate, PR_FALSE); + PORT_Free(decodedCert); return SECFailure; } diff --git a/nss/lib/util/exports.gyp b/nss/lib/util/exports.gyp index 7480d1b..ac1f886 100644 --- a/nss/lib/util/exports.gyp +++ b/nss/lib/util/exports.gyp @@ -22,6 +22,7 @@ 'nssilckt.h', 'nssilock.h', 'nsslocks.h', + 'nsshash.h', 'nssrwlk.h', 'nssrwlkt.h', 'nssutil.h', diff --git a/nss/lib/util/manifest.mn b/nss/lib/util/manifest.mn index acff379..cd82410 100644 --- a/nss/lib/util/manifest.mn +++ b/nss/lib/util/manifest.mn @@ -12,6 +12,7 @@ EXPORTS = \ kyber.h \ nssb64.h \ nssb64t.h \ + nsshash.h \ nsslocks.h \ nssilock.h \ nssilckt.h \ @@ -60,6 +61,7 @@ CSRCS = \ errstrs.c \ nssb64d.c \ nssb64e.c \ + nsshash.c \ nssrwlk.c \ nssilock.c \ oidstring.c \ diff --git a/nss/lib/util/nsshash.c b/nss/lib/util/nsshash.c new file mode 100644 index 0000000..0feb207 --- /dev/null +++ b/nss/lib/util/nsshash.c @@ -0,0 +1,186 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "secoidt.h" +#include "secerr.h" +#include "nsshash.h" + +/* put these mapping functions in util, so they can be used everywhere */ +HASH_HashType +HASH_GetHashTypeByOidTag(SECOidTag hashOid) +{ + HASH_HashType ht = HASH_AlgNULL; + + switch (hashOid) { + case SEC_OID_MD2: + ht = HASH_AlgMD2; + break; + case SEC_OID_MD5: + ht = HASH_AlgMD5; + break; + case SEC_OID_SHA1: + ht = HASH_AlgSHA1; + break; + case SEC_OID_SHA224: + ht = HASH_AlgSHA224; + break; + case SEC_OID_SHA256: + ht = HASH_AlgSHA256; + break; + case SEC_OID_SHA384: + ht = HASH_AlgSHA384; + break; + case SEC_OID_SHA512: + ht = HASH_AlgSHA512; + break; + case SEC_OID_SHA3_224: + ht = HASH_AlgSHA3_224; + break; + case SEC_OID_SHA3_256: + ht = HASH_AlgSHA3_256; + break; + case SEC_OID_SHA3_384: + ht = HASH_AlgSHA3_384; + break; + case SEC_OID_SHA3_512: + ht = HASH_AlgSHA3_512; + break; + default: + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + break; + } + return ht; +} + +SECOidTag +HASH_GetHashOidTagByHashType(HASH_HashType type) +{ + SECOidTag oid = SEC_OID_UNKNOWN; + + switch (type) { + case HASH_AlgMD2: + oid = SEC_OID_MD2; + break; + case HASH_AlgMD5: + oid = SEC_OID_MD5; + break; + case HASH_AlgSHA1: + oid = SEC_OID_SHA1; + break; + case HASH_AlgSHA224: + oid = SEC_OID_SHA224; + break; + case HASH_AlgSHA256: + oid = SEC_OID_SHA256; + break; + case HASH_AlgSHA384: + oid = SEC_OID_SHA384; + break; + case HASH_AlgSHA512: + oid = SEC_OID_SHA512; + break; + case HASH_AlgSHA3_224: + oid = SEC_OID_SHA3_224; + break; + case HASH_AlgSHA3_256: + oid = SEC_OID_SHA3_256; + break; + case HASH_AlgSHA3_384: + oid = SEC_OID_SHA3_384; + break; + case HASH_AlgSHA3_512: + oid = SEC_OID_SHA3_512; + break; + default: + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + break; + } + return oid; +} + +SECOidTag +HASH_GetHashOidTagByHMACOidTag(SECOidTag hmacOid) +{ + SECOidTag hashOid = SEC_OID_UNKNOWN; + + switch (hmacOid) { + /* no oid exists for HMAC_MD2 */ + /* NSS does not define a oid for HMAC_MD4 */ + case SEC_OID_HMAC_SHA1: + hashOid = SEC_OID_SHA1; + break; + case SEC_OID_HMAC_SHA224: + hashOid = SEC_OID_SHA224; + break; + case SEC_OID_HMAC_SHA256: + hashOid = SEC_OID_SHA256; + break; + case SEC_OID_HMAC_SHA384: + hashOid = SEC_OID_SHA384; + break; + case SEC_OID_HMAC_SHA512: + hashOid = SEC_OID_SHA512; + break; + case SEC_OID_HMAC_SHA3_224: + hashOid = SEC_OID_SHA3_224; + break; + case SEC_OID_HMAC_SHA3_256: + hashOid = SEC_OID_SHA3_256; + break; + case SEC_OID_HMAC_SHA3_384: + hashOid = SEC_OID_SHA3_384; + break; + case SEC_OID_HMAC_SHA3_512: + hashOid = SEC_OID_SHA3_512; + break; + default: + hashOid = SEC_OID_UNKNOWN; + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + break; + } + return hashOid; +} + +SECOidTag +HASH_GetHMACOidTagByHashOidTag(SECOidTag hashOid) +{ + SECOidTag hmacOid = SEC_OID_UNKNOWN; + + switch (hashOid) { + /* no oid exists for HMAC_MD2 */ + /* NSS does not define a oid for HMAC_MD4 */ + case SEC_OID_SHA1: + hmacOid = SEC_OID_HMAC_SHA1; + break; + case SEC_OID_SHA224: + hmacOid = SEC_OID_HMAC_SHA224; + break; + case SEC_OID_SHA256: + hmacOid = SEC_OID_HMAC_SHA256; + break; + case SEC_OID_SHA384: + hmacOid = SEC_OID_HMAC_SHA384; + break; + case SEC_OID_SHA512: + hmacOid = SEC_OID_HMAC_SHA512; + break; + case SEC_OID_SHA3_224: + hmacOid = SEC_OID_HMAC_SHA3_224; + break; + case SEC_OID_SHA3_256: + hmacOid = SEC_OID_HMAC_SHA3_256; + break; + case SEC_OID_SHA3_384: + hmacOid = SEC_OID_HMAC_SHA3_384; + break; + case SEC_OID_SHA3_512: + hmacOid = SEC_OID_HMAC_SHA3_512; + break; + default: + hmacOid = SEC_OID_UNKNOWN; + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + break; + } + return hmacOid; +} diff --git a/nss/lib/util/nsshash.h b/nss/lib/util/nsshash.h new file mode 100644 index 0000000..393e134 --- /dev/null +++ b/nss/lib/util/nsshash.h @@ -0,0 +1,20 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef _NSSHASH_H_ +#define _NSSHASH_H_ + +#include "hasht.h" +#include "utilrename.h" + +SEC_BEGIN_PROTOS + +extern HASH_HashType HASH_GetHashTypeByOidTag(SECOidTag hashOid); +extern SECOidTag HASH_GetHashOidTagByHashType(HASH_HashType type); +extern SECOidTag HASH_GetHashOidTagByHMACOidTag(SECOidTag hmacOid); +extern SECOidTag HASH_GetHMACOidTagByHashOidTag(SECOidTag hashOid); + +SEC_END_PROTOS + +#endif /* _NSSHASHT_H_ */ diff --git a/nss/lib/util/nssutil.def b/nss/lib/util/nssutil.def index 01f362c..f4526e5 100644 --- a/nss/lib/util/nssutil.def +++ b/nss/lib/util/nssutil.def @@ -360,3 +360,15 @@ NSS_GetSystemFIPSEnabled; ;+ local: ;+ *; ;+}; +;+NSSUTIL_3.101 { # NSS Utilities 3.101 release +;+ global: +HASH_GetHashTypeByOidTag_Util; +HASH_GetHashOidTagByHashType_Util; +HASH_GetHashOidTagByHMACOidTag_Util; +HASH_GetHMACOidTagByHashOidTag_Util; +SECOID_GetTotalTags; +NSS_GetAlgorithmPolicyAll; +NSS_SetAlgorithmPolicyAll; +;+ local: +;+ *; +;+}; diff --git a/nss/lib/util/nssutil.h b/nss/lib/util/nssutil.h index d9a0d6b..d8dc859 100644 --- a/nss/lib/util/nssutil.h +++ b/nss/lib/util/nssutil.h @@ -19,9 +19,9 @@ * The format of the version string should be * "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]" */ -#define NSSUTIL_VERSION "3.100" +#define NSSUTIL_VERSION "3.101" #define NSSUTIL_VMAJOR 3 -#define NSSUTIL_VMINOR 100 +#define NSSUTIL_VMINOR 101 #define NSSUTIL_VPATCH 0 #define NSSUTIL_VBUILD 0 #define NSSUTIL_BETA PR_FALSE diff --git a/nss/lib/util/secalgid.c b/nss/lib/util/secalgid.c index b3e8e89..288cd35 100644 --- a/nss/lib/util/secalgid.c +++ b/nss/lib/util/secalgid.c @@ -7,6 +7,7 @@ #include "secasn1.h" #include "secitem.h" #include "secerr.h" +#include "nsshash.h" SECOidTag SECOID_GetAlgorithmTag(const SECAlgorithmID *id) @@ -17,6 +18,26 @@ SECOID_GetAlgorithmTag(const SECAlgorithmID *id) return SECOID_FindOIDTag(&(id->algorithm)); } +static PRBool +secoid_IsRSAPKCS1(SECOidTag which) +{ + switch (which) { + case SEC_OID_PKCS1_RSA_ENCRYPTION: + case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION: + case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION: + case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION: + case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION: + case SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION: + case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION: + case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION: + case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION: + return PR_TRUE; + default: + break; + } + return PR_FALSE; +} + SECStatus SECOID_SetAlgorithmID(PLArenaPool *arena, SECAlgorithmID *id, SECOidTag which, SECItem *params) @@ -33,29 +54,11 @@ SECOID_SetAlgorithmID(PLArenaPool *arena, SECAlgorithmID *id, SECOidTag which, if (SECITEM_CopyItem(arena, &id->algorithm, &oiddata->oid)) return SECFailure; - switch (which) { - case SEC_OID_MD2: - case SEC_OID_MD4: - case SEC_OID_MD5: - case SEC_OID_SHA1: - case SEC_OID_SHA224: - case SEC_OID_SHA256: - case SEC_OID_SHA384: - case SEC_OID_SHA512: - case SEC_OID_PKCS1_RSA_ENCRYPTION: - case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION: - case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION: - case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION: - case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION: - case SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION: - case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION: - case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION: - case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION: - add_null_param = PR_TRUE; - break; - default: - add_null_param = PR_FALSE; - break; + if ((secoid_IsRSAPKCS1(which)) || + (HASH_GetHashTypeByOidTag(which) != HASH_AlgNULL)) { + add_null_param = PR_TRUE; + } else { + add_null_param = PR_FALSE; } if (params) { diff --git a/nss/lib/util/secdig.c b/nss/lib/util/secdig.c index 28377c2..5df6010 100644 --- a/nss/lib/util/secdig.c +++ b/nss/lib/util/secdig.c @@ -6,6 +6,8 @@ #include "secoid.h" #include "secasn1.h" #include "secerr.h" +#include "hasht.h" +#include "nsshash.h" /* * XXX Want to have a SGN_DecodeDigestInfo, like: @@ -38,20 +40,10 @@ SGN_CreateDigestInfo(SECOidTag algorithm, const unsigned char *sig, SECItem *null_param; SECItem dummy_value; - switch (algorithm) { - case SEC_OID_MD2: - case SEC_OID_MD5: - case SEC_OID_SHA1: - case SEC_OID_SHA224: - case SEC_OID_SHA256: - case SEC_OID_SHA384: - case SEC_OID_SHA512: - break; - default: - PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); - return NULL; + /* make sure we are encoding an actual hash function */ + if (HASH_GetHashTypeByOidTag(algorithm) == HASH_AlgNULL) { + return NULL; } - arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (arena == NULL) { return NULL; diff --git a/nss/lib/util/secitem.c b/nss/lib/util/secitem.c index cd69961..6ba11a5 100644 --- a/nss/lib/util/secitem.c +++ b/nss/lib/util/secitem.c @@ -238,35 +238,20 @@ SECITEM_ArenaDupItem(PLArenaPool *arena, const SECItem *from) SECItem *to; if (from == NULL) { - return (NULL); + return NULL; } - if (arena != NULL) { - to = (SECItem *)PORT_ArenaAlloc(arena, sizeof(SECItem)); - } else { - to = (SECItem *)PORT_Alloc(sizeof(SECItem)); - } + to = SECITEM_AllocItem(arena, NULL, from->len); if (to == NULL) { - return (NULL); - } - - if (arena != NULL) { - to->data = (unsigned char *)PORT_ArenaAlloc(arena, from->len); - } else { - to->data = (unsigned char *)PORT_Alloc(from->len); - } - if (to->data == NULL) { - PORT_Free(to); - return (NULL); + return NULL; } - to->len = from->len; to->type = from->type; if (to->len) { PORT_Memcpy(to->data, from->data, to->len); } - return (to); + return to; } SECStatus diff --git a/nss/lib/util/secoid.c b/nss/lib/util/secoid.c index a2dc5a6..641c5b0 100644 --- a/nss/lib/util/secoid.c +++ b/nss/lib/util/secoid.c @@ -707,7 +707,7 @@ const static SECOidData oids[SEC_OID_TOTAL] = { "DES-EDE", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), OD(isoSHAWithRSASignature, SEC_OID_ISO_SHA_WITH_RSA_SIGNATURE, "ISO SHA with RSA Signature", - CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), + CKM_SHA1_RSA_PKCS, INVALID_CERT_EXTENSION), OD(pkcs1RSAEncryption, SEC_OID_PKCS1_RSA_ENCRYPTION, "PKCS #1 RSA Encryption", CKM_RSA_PKCS, INVALID_CERT_EXTENSION), @@ -1591,19 +1591,19 @@ const static SECOidData oids[SEC_OID_TOTAL] = { INVALID_CERT_EXTENSION), OD(ansix962SignaturewithSHA224Digest, SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE, - "X9.62 ECDSA signature with SHA224", CKM_INVALID_MECHANISM, + "X9.62 ECDSA signature with SHA224", CKM_ECDSA_SHA224, INVALID_CERT_EXTENSION), OD(ansix962SignaturewithSHA256Digest, SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE, - "X9.62 ECDSA signature with SHA256", CKM_INVALID_MECHANISM, + "X9.62 ECDSA signature with SHA256", CKM_ECDSA_SHA256, INVALID_CERT_EXTENSION), OD(ansix962SignaturewithSHA384Digest, SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE, - "X9.62 ECDSA signature with SHA384", CKM_INVALID_MECHANISM, + "X9.62 ECDSA signature with SHA384", CKM_ECDSA_SHA384, INVALID_CERT_EXTENSION), OD(ansix962SignaturewithSHA512Digest, SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE, - "X9.62 ECDSA signature with SHA512", CKM_INVALID_MECHANISM, + "X9.62 ECDSA signature with SHA512", CKM_ECDSA_SHA512, INVALID_CERT_EXTENSION), /* More id-ce and id-pe OIDs from RFC 3280 */ @@ -1639,7 +1639,7 @@ const static SECOidData oids[SEC_OID_TOTAL] = { /* PKCS 5 v2 OIDS */ OD(pkcs5Pbkdf2, SEC_OID_PKCS5_PBKDF2, - "PKCS #5 Password Based Key Dervive Function v2 ", + "PKCS #5 Password Based Key Derive Function v2 ", CKM_PKCS5_PBKD2, INVALID_CERT_EXTENSION), OD(pkcs5Pbes2, SEC_OID_PKCS5_PBES2, "PKCS #5 Password Based Encryption v2 ", @@ -1668,7 +1668,7 @@ const static SECOidData oids[SEC_OID_TOTAL] = { OD(isoSHA1WithRSASignature, SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE, "ISO SHA-1 with RSA Signature", - CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), + CKM_SHA1_RSA_PKCS, INVALID_CERT_EXTENSION), /* SEED algorithm OIDs */ OD(seed_CBC, SEC_OID_SEED_CBC, @@ -1716,11 +1716,11 @@ const static SECOidData oids[SEC_OID_TOTAL] = { OD(nistDSASignaturewithSHA224Digest, SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST, "DSA with SHA-224 Signature", - CKM_INVALID_MECHANISM /* not yet defined */, INVALID_CERT_EXTENSION), + CKM_DSA_SHA224, INVALID_CERT_EXTENSION), OD(nistDSASignaturewithSHA256Digest, SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST, "DSA with SHA-256 Signature", - CKM_INVALID_MECHANISM /* not yet defined */, INVALID_CERT_EXTENSION), + CKM_DSA_SHA256, INVALID_CERT_EXTENSION), OD(msExtendedKeyUsageTrustListSigning, SEC_OID_MS_EXT_KEY_USAGE_CTL_SIGNING, "Microsoft Trust List Signing", @@ -1887,6 +1887,9 @@ const static SECOidData oids[SEC_OID_TOTAL] = { OD(dhSinglePasscofactorDHsha512kdfscheme, SEC_OID_DHSINGLEPASS_COFACTORDH_SHA512KDF_SCHEME, "Eliptic Curve Diffie-Hellman Single Pass Cofactor with SHA512 KDF", CKM_ECDH1_COFACTOR_DERIVE, INVALID_CERT_EXTENSION), + ODE(SEC_OID_RC2_64_CBC, "RC2-64-CBC", CKM_RC2_CBC, INVALID_CERT_EXTENSION), + ODE(SEC_OID_RC2_128_CBC, "RC2-128-CBC", CKM_RC2_CBC, INVALID_CERT_EXTENSION), + ODE(SEC_OID_ECDH_KEA, "ECDH", CKM_ECDH1_DERIVE, INVALID_CERT_EXTENSION), }; /* PRIVATE EXTENDED SECOID Table @@ -2015,6 +2018,7 @@ secoid_FindDynamicByTag(SECOidTag tagnum) SECOidTag SECOID_AddEntry(const SECOidData *src) { + dynXOid *ddst; SECOidData *dst; dynXOid **table; SECOidTag ret = SEC_OID_UNKNOWN; @@ -2076,10 +2080,11 @@ SECOID_AddEntry(const SECOidData *src) } /* copy oid structure */ - dst = (SECOidData *)PORT_ArenaZNew(dynOidPool, dynXOid); - if (!dst) { + ddst = PORT_ArenaZNew(dynOidPool, dynXOid); + if (!ddst) { goto done; } + dst = &ddst->data; rv = SECITEM_CopyItem(dynOidPool, &dst->oid, &src->oid); if (rv != SECSuccess) { goto done; @@ -2091,10 +2096,12 @@ SECOID_AddEntry(const SECOidData *src) dst->offset = (SECOidTag)(used + SEC_OID_TOTAL); dst->mechanism = src->mechanism; dst->supportedExtension = src->supportedExtension; + /* disable S/MIME for new oids by default */ + ddst->priv.notPolicyFlags = NSS_USE_ALG_IN_SMIME; rv = secoid_HashDynamicOiddata(dst); if (rv == SECSuccess) { - table[used++] = (dynXOid *)dst; + table[used++] = ddst; dynOidEntriesUsed = used; ret = dst->offset; } @@ -2113,7 +2120,8 @@ secoid_HashNumber(const void *key) return (PLHashNumber)((char *)key - (char *)NULL); } -#define DEF_FLAGS (NSS_USE_ALG_IN_CERT_SIGNATURE | NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SSL_KX) +#define DEF_FLAGS (NSS_USE_ALG_IN_CERT_SIGNATURE | NSS_USE_ALG_IN_SSL_KX | \ + NSS_USE_ALG_IN_SMIME | NSS_USE_ALG_IN_PKCS12) static void handleHashAlgSupport(char *envVal) { @@ -2165,14 +2173,14 @@ SECOID_Init(void) if (!PR_GetEnvSecure("NSS_ALLOW_WEAK_SIGNATURE_ALG")) { /* initialize any policy flags that are disabled by default */ - xOids[SEC_OID_MD2].notPolicyFlags = ~0; - xOids[SEC_OID_MD4].notPolicyFlags = ~0; - xOids[SEC_OID_MD5].notPolicyFlags = ~0; + xOids[SEC_OID_MD2].notPolicyFlags = ~NSS_USE_ALG_IN_PKCS12_DECRYPT; + xOids[SEC_OID_MD4].notPolicyFlags = ~NSS_USE_ALG_IN_PKCS12_DECRYPT; + xOids[SEC_OID_MD5].notPolicyFlags = ~NSS_USE_ALG_IN_PKCS12_DECRYPT; xOids[SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION].notPolicyFlags = ~0; xOids[SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION].notPolicyFlags = ~0; xOids[SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION].notPolicyFlags = ~0; - xOids[SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC].notPolicyFlags = ~0; - xOids[SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC].notPolicyFlags = ~0; + xOids[SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC].notPolicyFlags = ~NSS_USE_ALG_IN_PKCS12_DECRYPT; + xOids[SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC].notPolicyFlags = ~NSS_USE_ALG_IN_PKCS12_DECRYPT; } /* turn off NSS_USE_POLICY_IN_SSL by default */ @@ -2222,6 +2230,10 @@ SECOID_Init(void) } PORT_Assert(i == SEC_OID_TOTAL); + /* finally, clear S/MIME from the policy oids. If no one turns on any + * S/MIME policies after this, then S/MIME will enable the traditional + * algs when it initializes */ + (void)NSS_SetAlgorithmPolicyAll(0, NSS_USE_ALG_IN_SMIME); return (SECSuccess); } @@ -2309,6 +2321,24 @@ SECOID_FindOIDTagDescription(SECOidTag tagnum) return oidData ? oidData->desc : 0; } +/* return the total tags, including dymamic tags. NOTE: there is + * a race between getting this value and adding new tags, but that + * race is only a race against seeing the newly added tags, total + * tags only ever grows, so it's safe to use the output of this in + * loops. */ +SECOidTag +SECOID_GetTotalTags(void) +{ + SECOidTag total; + + /* get the lock to make sure we don't catch and inconsistant value + * for dynOidEntriesUsed. */ + NSSRWLock_LockRead(dynOidLock); + total = SEC_OID_TOTAL + dynOidEntriesUsed; + NSSRWLock_UnlockRead(dynOidLock); + return total; +} + /* --------- opaque extended OID table accessor functions ---------------*/ /* * Any of these functions may return SECSuccess or SECFailure with the error @@ -2374,6 +2404,76 @@ NSS_SetAlgorithmPolicy(SECOidTag tag, PRUint32 setBits, PRUint32 clearBits) return SECSuccess; } +/* set or clear a particular policy algorithm for all oids */ +SECStatus +NSS_SetAlgorithmPolicyAll(PRUint32 setBits, PRUint32 clearBits) +{ + SECOidTag tag; + /* call this once,not once per loop */ + SECOidTag lastTag = SECOID_GetTotalTags(); + + for (tag = SEC_OID_UNKNOWN; tag < lastTag; tag++) { + SECStatus rv = NSS_SetAlgorithmPolicy(tag, setBits, clearBits); + /* there are only 2 reasons SetAlgorithmPolicy can fail: + * 1) we passed an invalid tag, or 2) policy is locked. + * The first case should not happen because we are only looping + * through known good tags. In the second case, we will always fail, + * so there is no point continuing our loop */ + if (rv != SECSuccess) { + return rv; + } + } + return SECSuccess; +} + +/* return all the tags whose valueBits match the mask. */ +SECStatus +NSS_GetAlgorithmPolicyAll(PRUint32 maskBits, PRUint32 valueBits, + SECOidTag **outTags, int *outTagCount) +{ + SECOidTag *tags; + SECOidTag tag; + /* call this once,not once per loop */ + SECOidTag lastTag = SECOID_GetTotalTags(); + int tagCount, tableSize; + + tags = *outTags = NULL; + tableSize = tagCount = *outTagCount = 0; + + for (tag = SEC_OID_UNKNOWN; tag < lastTag; tag++) { + PRUint32 policy; + SECStatus rv = NSS_GetAlgorithmPolicy(tag, &policy); + if (rv != SECSuccess) { + goto loser; + } + if ((policy & maskBits) == valueBits) { + /* add found tag to the table, grow it if necessary */ + if (tagCount >= tableSize) { + int newTableSize = tableSize + 16; + SECOidTag *newTags; + newTags = (SECOidTag *)PORT_Realloc(tags, + newTableSize * + sizeof(SECOidTag)); + if (newTags == NULL) { + goto loser; + } + tags = newTags; + tableSize = newTableSize; + } + tags[tagCount++] = tag; + } + } + *outTags = tags; + *outTagCount = tagCount; + return SECSuccess; +loser: + if (tags) { + PORT_Free(tags); + } + /* failing function already called PORT_SetError() */ + return SECFailure; +} + /* Get the state of nss_policy_locked */ PRBool NSS_IsPolicyLocked(void) diff --git a/nss/lib/util/secoid.h b/nss/lib/util/secoid.h index 20d4cf5..173ce1d 100644 --- a/nss/lib/util/secoid.h +++ b/nss/lib/util/secoid.h @@ -62,6 +62,15 @@ extern SECStatus SECOID_CopyAlgorithmID(PLArenaPool *arena, SECAlgorithmID *dest extern SECOidTag SECOID_GetAlgorithmTag(const SECAlgorithmID *aid); /* +** Get the number of valid tags in the current system. This includes dynamic +** tags. This value can grow but never shrink. This is more reliable than using +** SEC_OID_TOTAL because 1) it includes dynamic tags, and 2) it includes any +** new tags the nss library has added since the last time the application +** was compilied. +*/ +extern SECOidTag SECOID_GetTotalTags(void); + +/* ** Destroy an algorithm-id object. ** "aid" the certificate-request to destroy ** "freeit" if PR_TRUE then free the object as well as its sub-objects @@ -135,6 +144,17 @@ extern SECStatus NSS_GetAlgorithmPolicy(SECOidTag tag, PRUint32 *pValue); extern SECStatus NSS_SetAlgorithmPolicy(SECOidTag tag, PRUint32 setBits, PRUint32 clearBits); +/* Set all the tags to a particular policy (like to clear all S/MIME bits */ +extern SECStatus +NSS_SetAlgorithmPolicyAll(PRUint32 setBits, PRUint32 clearBits); + +/* Get all the tags with a particular policy. The policy must match the exact + * value after applying the mask. Caller is responsible for + * freeing the tag array with PORT_Free() */ +extern SECStatus +NSS_GetAlgorithmPolicyAll(PRUint32 maskBits, PRUint32 valueBits, + SECOidTag **outTags, int *outTagCount); + /* Lock the policy so NSS_SetAlgorithmPolicy (and other policy functions) * No longer function */ void diff --git a/nss/lib/util/secoidt.h b/nss/lib/util/secoidt.h index 24fb880..f76462e 100644 --- a/nss/lib/util/secoidt.h +++ b/nss/lib/util/secoidt.h @@ -527,6 +527,9 @@ typedef enum { SEC_OID_DHSINGLEPASS_COFACTORDH_SHA256KDF_SCHEME = 382, SEC_OID_DHSINGLEPASS_COFACTORDH_SHA384KDF_SCHEME = 383, SEC_OID_DHSINGLEPASS_COFACTORDH_SHA512KDF_SCHEME = 384, + SEC_OID_RC2_64_CBC = 385, + SEC_OID_RC2_128_CBC = 386, + SEC_OID_ECDH_KEA = 387, SEC_OID_TOTAL } SECOidTag; @@ -559,21 +562,44 @@ struct SECOidDataStr { * These are algorithm policy Flags, used with functions * NSS_SetAlgorithmPolicy & NSS_GetAlgorithmPolicy. */ -#define NSS_USE_ALG_IN_CERT_SIGNATURE 0x00000001 /* CRLs and OCSP, too */ -#define NSS_USE_ALG_IN_CMS_SIGNATURE 0x00000002 /* used in S/MIME */ -#define NSS_USE_ALG_IN_SSL_KX 0x00000004 /* used in SSL key exchange */ -#define NSS_USE_ALG_IN_SSL 0x00000008 /* used in SSL record protocol */ -#define NSS_USE_POLICY_IN_SSL 0x00000010 /* enable policy in SSL protocol */ -#define NSS_USE_ALG_IN_ANY_SIGNATURE 0x00000020 /* used in any signature */ -#define NSS_USE_ALG_IN_PKCS12 0x00000040 /* used in pkcs12 */ -#define NSS_USE_DEFAULT_NOT_VALID 0x80000000 /* clear to make the default flag valid */ -#define NSS_USE_DEFAULT_SSL_ENABLE 0x40000000 /* default cipher suite setting 1=enable */ - -/* Combo policy bites */ -#define NSS_USE_ALG_RESERVED 0x3fffffc0 /* may be used in future */ +#define NSS_USE_ALG_IN_CERT_SIGNATURE 0x00000001 /* CRLs and OCSP, too */ +#define NSS_USE_ALG_IN_SMIME_SIGNATURE 0x00000002 /* used in S/MIME */ +#define NSS_USE_ALG_IN_SSL_KX 0x00000004 /* used in SSL key exchange */ +#define NSS_USE_ALG_IN_SSL 0x00000008 /* used in SSL record protocol */ +#define NSS_USE_POLICY_IN_SSL 0x00000010 /* enable policy in SSL protocol */ +#define NSS_USE_ALG_IN_ANY_SIGNATURE 0x00000020 /* used in any signature */ +#define NSS_USE_ALG_IN_PKCS12_DECRYPT 0x00000040 /* used to decrypt pkcs12 */ +#define NSS_USE_ALG_IN_PKCS12_ENCRYPT 0x00000080 /* used encrypt pkcs12 */ +#define NSS_USE_ALG_IN_SMIME_LEGACY 0x00000100 /* used to decrypt smime */ +#define NSS_USE_ALG_IN_SMIME_ENCRYPT 0x00000200 /* used to decrypt smime */ +#define NSS_USE_ALG_IN_SMIME_KX_LEGACY 0x00000400 /* used to decrypt smime */ +#define NSS_USE_ALG_IN_SMIME_KX_ENCRYPT 0x00000800 /* used to decrypt smime */ +/* these flags are used by the automatic policy scheme to set the default values + * for enabling and disabling ciphers. Applications should use the enable/disable + * calls directly. */ +#define NSS_USE_DEFAULT_NOT_VALID 0x80000000 /* clear to make the default flag valid */ +#define NSS_USE_DEFAULT_SSL_ENABLE 0x40000000 /* default cipher suite setting 1=enable */ +/* S/MIME Enable sets the list of algorithms we advertise and which algorithms + * we will encrypt/decrypt with. We will decrypt anything that's allowable */ +#define NSS_USE_DEFAULT_SMIME_ENABLE 0x20000000 /* default cipher suite setting 1=enable */ + +/* Combo policy bits */ +#define NSS_USE_ALG_RESERVED 0x1ffff000 /* may be used in future */ +/* both encrypt and decrypt PKCS 12 */ +#define NSS_USE_ALG_IN_PKCS12 (NSS_USE_ALG_IN_PKCS12_DECRYPT | \ + NSS_USE_ALG_IN_PKCS12_ENCRYPT) +/* both encrypt and decrypt SMIME */ +#define NSS_USE_ALG_IN_SMIME (NSS_USE_ALG_IN_SMIME_LEGACY | \ + NSS_USE_ALG_IN_SMIME_ENCRYPT) +/* both encrypt and decrypt key exchange */ +#define NSS_USE_ALG_IN_SMIME_KX (NSS_USE_ALG_IN_SMIME_KX_LEGACY | \ + NSS_USE_ALG_IN_SMIME_KX_ENCRYPT) +/* All the key exchange bits */ +#define NSS_USE_ALG_IN_KEY_EXCHANGE (NSS_USE_ALG_IN_SMIME_KX | \ + NSS_USE_ALG_IN_SSL_KX) /* Alias of all the signature values. */ -#define NSS_USE_ALG_IN_SIGNATURE (NSS_USE_ALG_IN_CERT_SIGNATURE | \ - NSS_USE_ALG_IN_CMS_SIGNATURE | \ +#define NSS_USE_ALG_IN_SIGNATURE (NSS_USE_ALG_IN_CERT_SIGNATURE | \ + NSS_USE_ALG_IN_SMIME_SIGNATURE | \ NSS_USE_ALG_IN_ANY_SIGNATURE) /* all the bits needed for a certificate signature * and only the bits needed for a certificate signature */ @@ -581,8 +607,12 @@ struct SECOidDataStr { NSS_USE_ALG_IN_ANY_SIGNATURE) /* all the bits needed for an SMIME signature * and only the bits needed for an SMIME signature */ -#define NSS_USE_CMS_SIGNATURE_OK (NSS_USE_ALG_IN_CMS_SIGNATURE | \ - NSS_USE_ALG_IN_ANY_SIGNATURE) +#define NSS_USE_SMIME_SIGNATURE_OK (NSS_USE_ALG_IN_SMIME_SIGNATURE | \ + NSS_USE_ALG_IN_ANY_SIGNATURE) + +/* legacy names */ +#define NSS_USE_ALG_IN_CMS_SIGNATURE NSS_USE_ALG_IN_SMIME_SIGNATURE +#define NSS_USE_ALG_CMS_SIGNATURE_OK NSS_USE_ALG_SMIME_SIGNATURE_OK /* Code MUST NOT SET or CLEAR reserved bits, and must NOT depend on them * being all zeros or having any other known value. The reserved bits diff --git a/nss/lib/util/util.gyp b/nss/lib/util/util.gyp index 74eaef4..ad16bd7 100644 --- a/nss/lib/util/util.gyp +++ b/nss/lib/util/util.gyp @@ -17,6 +17,7 @@ 'errstrs.c', 'nssb64d.c', 'nssb64e.c', + 'nsshash.c', 'nssilock.c', 'nssrwlk.c', 'oidstring.c', @@ -57,4 +58,4 @@ 'variables': { 'module': 'nss' } -}
\ No newline at end of file +} diff --git a/nss/lib/util/utilrename.h b/nss/lib/util/utilrename.h index 19ddba6..b4bb564 100644 --- a/nss/lib/util/utilrename.h +++ b/nss/lib/util/utilrename.h @@ -122,6 +122,10 @@ #define SGN_CopyDigestInfo SGN_CopyDigestInfo_Util #define SGN_CreateDigestInfo SGN_CreateDigestInfo_Util #define SGN_DestroyDigestInfo SGN_DestroyDigestInfo_Util +#define HASH_GetHashTypeByOidTag HASH_GetHashTypeByOidTag_Util +#define HASH_GetHashOidTagByHashType HASH_GetHashOidTagByHashType_Util +#define HASH_GetHashOidTagByHMACOidTag HASH_GetHashOidTagByHMACOidTag_Util +#define HASH_GetHMACOidTagByHashOidTag HASH_GetHMACOidTagByHashOidTag_Util /* templates moved from libnss3 */ #define NSS_Get_SEC_AnyTemplate NSS_Get_SEC_AnyTemplate_Util diff --git a/nss/tests/acvp/fuzzed/ecdsa.json b/nss/tests/acvp/fuzzed/ecdsa.json index ebe1cc9..c252092 100644 --- a/nss/tests/acvp/fuzzed/ecdsa.json +++ b/nss/tests/acvp/fuzzed/ecdsa.json @@ -1877,15 +1877,6 @@ "tcId" : 52 }, { - "dA" : "eaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaea3d5b726beaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaea00000000000030000000000000000000000000000030000000000000000000000000000000000000004e00eaeaeaeaeaeaeaea4e4e4e4e4e5e6d6d6e00034e000000", - "message" : "", - "qx" : "00", - "qy" : "00", - "r" : "00", - "s" : "00", - "tcId" : 58 - }, - { "dA" : "0c09c5d65d", "message" : "00000000000000000000000000000000000000000038000000000000000000000000000000000004000000000000000000000000000000000000", "qx" : "00", @@ -1895,24 +1886,6 @@ "tcId" : 68 }, { - "dA" : "00000000000001050000000000000000000000004e00002b2c692c062e0200302c312a00000000000000000000000000000000002f4e4e675e6d6d3d5b726b13000000000000000000000022", - "message" : "", - "qx" : "00", - "qy" : "00", - "r" : "00", - "s" : "80", - "tcId" : 71 - }, - { - "dA" : "ea000000000099000000000000000000000030000000000000000000000000000000000000000000000000000000000000000000000000eaeaeaeaeaeaeaea00000000009900000000000000000000003000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004e0000000000000000000000002f4e4e5e6d6d3d5b7269136dff", - "message" : "", - "qx" : "00", - "qy" : "00", - "r" : "00", - "s" : "00", - "tcId" : 84 - }, - { "dA" : "8db8d6d2", "message" : "0000000000000000000000000000000000000000000000000000000000000000000000000000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000011327c11332b34000000000000000000000000000000000000000000000000", "qx" : "00", @@ -1974,15 +1947,6 @@ "r" : "00", "s" : "00", "tcId" : 239 - }, - { - "dA" : "00000000000000000000000000000000000000000000000000000000000000000000000000000011327c11332b3400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004e000000000000", - "message" : "", - "qx" : "00", - "qy" : "00", - "r" : "00", - "s" : "00", - "tcId" : 252 } ], "tgId" : 0 @@ -2048,15 +2012,6 @@ "testType" : "GDT", "tests" : [ { - "dA" : "00", - "message" : "", - "qx" : "00", - "qy" : "00", - "r" : "00", - "s" : "2c69062dcb3d2c322c312a00000000000000000000000000000000000000", - "tcId" : 6 - }, - { "dA" : "6d6dff", "message" : "", "qx" : "00", @@ -2075,15 +2030,6 @@ "tcId" : 20 }, { - "dA" : "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", - "message" : "", - "qx" : "00", - "qy" : "00", - "r" : "00", - "s" : "00", - "tcId" : 78 - }, - { "dA" : "44", "message" : "0000000000000000000000000000000000000000000000000000000000000000000000004408402c2c2c000000403a000000000000000000002c2b2c6906cb3d2c312c312a0000000000000000000000000000000010", "qx" : "00", @@ -2102,15 +2048,6 @@ "tcId" : 106 }, { - "dA" : "2dc5958212a1f66df70000000000000000000000000000000000000000000000000000000000000000000000400000000000000000000000000000000000000000000000aec907657d2d29ef4dd89c851039c095117de0a54fda283a97028bcf190d0151000000000000000000fe00000000000000003f000000fe00000000020000000000", - "message" : "", - "qx" : "00", - "qy" : "00", - "r" : "00", - "s" : "00", - "tcId" : 121 - }, - { "dA" : "000000000000000044082c2c2c14d73c00", "message" : "", "qx" : "00", @@ -2129,24 +2066,6 @@ "tcId" : 136 }, { - "dA" : "00", - "message" : "", - "qx" : "00", - "qy" : "00", - "r" : "00", - "s" : "00", - "tcId" : 177 - }, - { - "dA" : "00", - "message" : "", - "qx" : "00", - "qy" : "00", - "r" : "00", - "s" : "2c6906cb3d2c312c312a00000000000000000000000000000000000000000000000000002a00000000", - "tcId" : 178 - }, - { "dA" : "002d000000d12f2f", "message" : "", "qx" : "00", @@ -2165,24 +2084,6 @@ "testType" : "GDT", "tests" : [ { - "dA" : "00", - "message" : "ffffffffffffffffffffff0000000000000000000000000000000000000000000000000000fcffffff04000000000000000000000000004400002b00", - "qx" : "303e9600000000000000000000000013d2302b2c442d00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002d0000", - "qy" : "00", - "r" : "00", - "s" : "00", - "tcId" : 12 - }, - { - "dA" : "000000", - "message" : "", - "qx" : "00", - "qy" : "00", - "r" : "00", - "s" : "00", - "tcId" : 226 - }, - { "dA" : "ff", "message" : "0000", "qx" : "00", @@ -2201,15 +2102,6 @@ "testType" : "GDT", "tests" : [ { - "dA" : "000000000000000000", - "message" : "675343", - "qx" : "00", - "qy" : "000000000000000000", - "r" : "2c", - "s" : "00", - "tcId" : 13 - }, - { "dA" : "000000000008000000", "message" : "", "qx" : "00", @@ -2235,15 +2127,6 @@ "r" : "00", "s" : "00", "tcId" : 15 - }, - { - "dA" : "1515151515eaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaea00000000009900000000005d000000000035010000000000000000000000000000000000004e00eaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaeaea0000000000004e0030000000000000000000002f", - "message" : "", - "qx" : "00", - "qy" : "00", - "r" : "00", - "s" : "00", - "tcId" : 79 } ], "tgId" : 5 @@ -2325,17 +2208,7 @@ "curve" : "P-384", "hashAlg" : "SHA2-512", "testType" : "GDT", - "tests" : [ - { - "dA" : "00", - "message" : "00000000000000000000000000000000000000000000000000000004000000000000000000", - "qx" : "0000ff", - "qy" : "1470fba9303e96000000fe00000000000029", - "r" : "000000000000000000000000000000000000000000", - "s" : "00", - "tcId" : 170 - } - ], + "tests" : [], "tgId" : 10 } ], @@ -3280,22 +3153,10 @@ "testPassed" : true }, { - "tcId" : 58, - "testPassed" : true - }, - { "tcId" : 68, "testPassed" : true }, { - "tcId" : 71, - "testPassed" : true - }, - { - "tcId" : 84, - "testPassed" : true - }, - { "tcId" : 122, "testPassed" : true }, @@ -3322,10 +3183,6 @@ { "tcId" : 239, "testPassed" : true - }, - { - "tcId" : 252, - "testPassed" : true } ], "tgId" : 0 @@ -3358,10 +3215,6 @@ { "tests" : [ { - "tcId" : 6, - "testPassed" : true - }, - { "tcId" : 14, "testPassed" : true }, @@ -3370,10 +3223,6 @@ "testPassed" : true }, { - "tcId" : 78, - "testPassed" : true - }, - { "tcId" : 83, "testPassed" : true }, @@ -3382,10 +3231,6 @@ "testPassed" : true }, { - "tcId" : 121, - "testPassed" : true - }, - { "tcId" : 135, "testPassed" : true }, @@ -3394,14 +3239,6 @@ "testPassed" : true }, { - "tcId" : 177, - "testPassed" : true - }, - { - "tcId" : 178, - "testPassed" : true - }, - { "tcId" : 237, "testPassed" : true } @@ -3411,10 +3248,6 @@ { "tests" : [ { - "tcId" : 12, - "testPassed" : true - }, - { "tcId" : 226, "testPassed" : true }, @@ -3428,10 +3261,6 @@ { "tests" : [ { - "tcId" : 13, - "testPassed" : true - }, - { "tcId" : 227, "testPassed" : true } @@ -3443,10 +3272,6 @@ { "tcId" : 15, "testPassed" : true - }, - { - "tcId" : 79, - "testPassed" : true } ], "tgId" : 5 diff --git a/nss/tests/all.sh b/nss/tests/all.sh index 3213484..948513a 100755 --- a/nss/tests/all.sh +++ b/nss/tests/all.sh @@ -143,6 +143,9 @@ run_cycle_standard() { TEST_MODE=STANDARD + NSS_DISABLE_LIBPKIX_VERIFY="1" + export NSS_DISABLE_LIBPKIX_VERIFY + TESTS="${ALL_TESTS}" TESTS_SKIP="libpkix pkits" @@ -150,6 +153,8 @@ run_cycle_standard() export NSS_DEFAULT_DB_TYPE run_tests + + unset NSS_DISABLE_LIBPKIX_VERIFY } ############################ run_cycle_pkix ############################ @@ -167,9 +172,6 @@ run_cycle_pkix() mkdir -p "${HOSTDIR}" init_directories - NSS_ENABLE_PKIX_VERIFY="1" - export NSS_ENABLE_PKIX_VERIFY - TESTS="${ALL_TESTS}" TESTS_SKIP="cipher dbtests sdr crmf smime merge multinit" diff --git a/nss/tests/chains/chains.sh b/nss/tests/chains/chains.sh index e13ae52..38a98a9 100755 --- a/nss/tests/chains/chains.sh +++ b/nss/tests/chains/chains.sh @@ -1323,4 +1323,12 @@ chains_stop_httpserv chains_run_httpserv get-unknown chains_main chains_stop_httpserv +export NSS_COMBO_SIGNATURES=signonly +chains_run_httpserv random +chains_main +chains_stop_httpserv +export NSS_COMBO_SIGNATURES=vfynonly +chains_run_httpserv random +chains_main +chains_stop_httpserv chains_cleanup diff --git a/nss/tests/common/init.sh b/nss/tests/common/init.sh index 561c725..0a085ab 100644 --- a/nss/tests/common/init.sh +++ b/nss/tests/common/init.sh @@ -140,8 +140,8 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then echo "NSS_SSL_RUN=\"${NSS_SSL_RUN}\"" echo "NSS_DEFAULT_DB_TYPE=${NSS_DEFAULT_DB_TYPE}" echo "export NSS_DEFAULT_DB_TYPE" - echo "NSS_ENABLE_PKIX_VERIFY=${NSS_ENABLE_PKIX_VERIFY}" - echo "export NSS_ENABLE_PKIX_VERIFY" + echo "NSS_DISABLE_PKIX_VERIFY=${NSS_DISABLE_PKIX_VERIFY}" + echo "export NSS_DISABLE_PKIX_VERIFY" echo "init_directories" } @@ -322,7 +322,48 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then fi } + save_pkcs11() + { + outdir="$1" + cp ${outdir}/pkcs11.txt ${outdir}/pkcs11.txt.sav + } + + restore_pkcs11() + { + outdir="$1" + cp ${outdir}/pkcs11.txt.sav ${outdir}/pkcs11.txt + } + # create a new pkcs11.txt with and explict policy. overwrites + # the existing pkcs11 + setup_policy() + { + policy="$1" + outdir="$2" + OUTFILE="${outdir}/pkcs11.txt" + cat > "$OUTFILE" << ++EOF++ +library= +name=NSS Internal PKCS #11 Module +parameters=configdir='./client' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' +NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30}) +++EOF++ + echo "config=${policy}" >> "$OUTFILE" + echo "" >> "$OUTFILE" + echo "library=${DIST}/${OBJDIR}/lib/libnssckbi.so" >> "$OUTFILE" + cat >> "$OUTFILE" << ++EOF++ +name=RootCerts +NSS=trustOrder=100 +++EOF++ + + echo "******************************Testing $outdir with: " + cat "$OUTFILE" + echo "******************************" + } + + ignore_blank_lines() + { + LC_ALL=C egrep -v '^[[:space:]]*(#|$)' "$1" + } #directory name init SCRIPTNAME=init.sh diff --git a/nss/tests/policy/crypto-policy.txt b/nss/tests/policy/crypto-policy.txt index 03515ff..a57b577 100644 --- a/nss/tests/policy/crypto-policy.txt +++ b/nss/tests/policy/crypto-policy.txt @@ -5,6 +5,8 @@ # 0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:camellia256-cbc:aes128-gcm:aes128-cbc:camellia128-cbc:SHA256:SHA384:SHA512:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=2048:RSA-MIN=2048 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Standard policy 0 disallow=ALL_allow=HMAC-SHA1:HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:camellia256-cbc:aes128-gcm:aes128-cbc:camellia128-cbc:des-ede3-cbc:rc4:SHA256:SHA384:SHA512:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:DHE-DSS:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.0:dtls-version-min=tls1.0:DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Legacy policy +0 disallow=ALL_enable=HMAC-SHA1:HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:camellia256-cbc:aes128-gcm:aes128-cbc:camellia128-cbc:des-ede3-cbc:rc4:SHA256:SHA384:SHA512:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:DHE-DSS:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.0:dtls-version-min=tls1.0:DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Legacy enable policy +0 disallow=ALL_enable=HMAC-SHA1:HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc/smime,pkcs12:camellia256-cbc/smime:aes128-gcm/ssl:aes128-cbc/smime,pkcs12:camellia128-cbc/smime:des-ede3-cbc/smime:rc4/ssl:SHA256:SHA384:SHA512:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:DHE-DSS:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.0:dtls-version-min=tls1.0:DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Legacy enable with protocol restrictions policy 0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Reduced policy 0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072:KEY-SIZE-FLAGS=KEY-SIZE-SSL,KEY-SIZE-SIGN,KEY-SIZE-VERIFY NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Valid key size 2 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072:KEY-SIZE-FLAGS=UNKNOWN,KEY-SIZE-SIGN,KEY-SIZE-VERIFY NSS-POLICY-FAIL.*unknown.* Invalid key size diff --git a/nss/tests/policy/policy.sh b/nss/tests/policy/policy.sh index 51f7cc9..0443867 100755 --- a/nss/tests/policy/policy.sh +++ b/nss/tests/policy/policy.sh @@ -34,11 +34,6 @@ policy_cleanup() . common/cleanup.sh } -ignore_blank_lines() -{ - LC_ALL=C egrep -v '^[[:space:]]*(#|$)' "$1" -} - policy_run_tests() { html_head "CRYPTO-POLICY" diff --git a/nss/tests/smime/smime.sh b/nss/tests/smime/smime.sh index 940d7ad..29b1885 100755 --- a/nss/tests/smime/smime.sh +++ b/nss/tests/smime/smime.sh @@ -74,6 +74,7 @@ smime_init() mkdir -p ${SMIMEDIR} cd ${SMIMEDIR} cp ${QADIR}/smime/alice.txt ${SMIMEDIR} + SMIMEPOLICY=${QADIR}/smime/smimepolicy.txt mkdir tb cp ${QADIR}/smime/interop-openssl/*.p12 ${SMIMEDIR}/tb @@ -744,6 +745,7 @@ smime_main() smime_data_tb() { ${BINDIR}/pk12util -d ${P_R_ALICEDIR} -o tb/Alice.p12 -n Alice -K nss -W nss + ${BINDIR}/pk12util -d ${P_R_ALICEDIR} -o tb/Alice-ec.p12 -n Alice-ec -K nss -W nss ${BINDIR}/pk12util -d ${P_R_BOBDIR} -o tb/Bob.p12 -n Bob -K nss -W nss ${BINDIR}/pk12util -d ${P_R_DAVEDIR} -o tb/Dave.p12 -n Dave -K nss -W nss ${BINDIR}/pk12util -d ${P_R_EVEDIR} -o tb/Eve.p12 -n Eve -K nss -W nss @@ -751,6 +753,108 @@ smime_data_tb() cat ${P_R_CADIR}/TestCA.ca.cert | sed 's/\r$//' | ${BINDIR}/btoa -w c >> ${CAOUT} } +################## smime_setup_policy_directory ######################## +# set up a clean directory for the policy test +######################################################################## +smime_setup_policy_directory() +{ + dir=$1 + name=$2 + policy=$3 + policy=`echo ${policy} | sed -e 's;_; ;g'` + + rm -rf ${dir} ; mkdir ${dir} + ${BINDIR}/certutil -N -d ${dir} -f ${R_PWFILE} + ${BINDIR}/certutil -A -n "TestCA" -t "TC,TC,TC" -f ${R_PWFILE} -d ${dir} -i ${P_R_CADIR}/TestCA.ca.cert + ${BINDIR}/pk12util -d ${dir} -i tb/${name}.p12 -K nss -W nss > /dev/null + setup_policy "$policy" ${dir} +} + +############################## smime_policy ############################## +# local shell function to perform SMIME Policy tests +######################################################################## +smime_policy() +{ + testname="" + recipient_dir=tb/recipient + sender_dir=tb/sender + source=alice.txt + sign=${recipient_dir}/message.sig + verify=${sender_dir}/message.vfy + encrypt=${sender_dir}/message.enc + envelope=${sender_dir}/message.env + decrypt=${recipient_dir}/message.dec + + ignore_blank_lines ${SMIMEPOLICY} | \ + while read sign_ret verify_ret encrypt_ret decrypt_ret hash recipient_email recipient_name recipient_policy sender_name sender_policy algorithm testname + do + echo "$SCRIPTNAME: S/MIME Policy Test {${testname}} ---------------" + smime_setup_policy_directory ${recipient_dir} ${recipient_name} ${recipient_policy} + smime_setup_policy_directory ${sender_dir} ${sender_name} ${sender_policy} + + # first the recipient signs a message + echo "$SCRIPTNAME: Signing policy message {${testname}} ---------------" + echo "cmsutil -S -G -P -N ${recipient_name} -H ${hash} -i ${source} -d ${recipient_dir} -p nss -o ${sign}" + ${PROFTOOL} ${BINDIR}/cmsutil -S -G -P -N ${recipient_name} -H ${hash} -i ${source} -d ${recipient_dir} -p nss -o ${sign} + ret=$? + html_msg $ret ${sign_ret} "Signing policy message (${testname})" "." + + if [ ${sign_ret} -ne 0 ]; then + continue; + fi + + # next the sender imports the certs in the signed message + echo "$SCRIPTNAME: Verify policy message {${testname}} ---------------" + echo "cmsutil -D -k -i ${sign} -d ${sender_dir} -o ${verify}" + ${PROFTOOL} ${BINDIR}/cmsutil -D -k -i ${sign} -d ${sender_dir} -o ${verify} + ret=$? + html_msg $ret ${verify_ret} "Verify policy message (${testname})" "." + + if [ ${verify_ret} -ne 0 ]; then + continue; + fi + + echo "diff ${source} ${verify}" + diff ${source} ${verify} + html_msg $? 0 "Compare policy signed data (${testname})" "." + + # the sender encrypts a message + echo "$SCRIPTNAME: Encrypt policy message (${testname}) --------" + echo "cmsutil -C -i ${source} -d ${sender_dir} -e ${envelope} \\" + echo " -r \"${recipient_email}\" -o ${encrypt}" + ${PROFTOOL} ${BINDIR}/cmsutil -C -i ${source} -d ${sender_dir} \ + -e ${envelope} -r "${recipient_email}" -o ${encrypt} + ret=$? + html_msg $ret ${encrypt_ret} "Encrypted policy message (${testname})" "." + + if [ ${encrypt_ret} -ne 0 ]; then + continue; + fi + + # verify the message was encrypted with the algorithm + encryption=$(${BINDIR}/pp -t pkcs7 -i ${encrypt} | grep "Content Encryption Algorithm" | sed -e 's;^.*Content Encryption Algorithm: ;;') + if [ "${encryption}" != "${algorithm}" ]; then + html_failed "Encryption algorithm (${encryption}) doe not match expected algorithm (${algorithm}) in policy test ({$testname})" + fi + + # the recipient decrypts the message + echo "$SCRIPTNAME: Decrypt policy message (${testname}) --------" + echo "cmsutil -D -i ${encrypt} -d ${recipient_dir} -e ${envelope} -p nss \\" + echo " -o ${decrypt}" + ${PROFTOOL} ${BINDIR}/cmsutil -D -i ${encrypt} -d ${recipient_dir} -e ${envelope} -p nss -o ${decrypt} + + ret=$? + html_msg $ret ${decrypt_ret} "Decrypted policy message (${testname})" "." + + if [ ${decrypt_ret} -eq 0 ]; then + echo "diff ${source} ${decrypt}" + diff ${source} ${decrypt} + html_msg $? 0 "Compare policy encrypted data (${testname})" "." + fi + + done +} + ############################## smime_cleanup ########################### # local shell function to finish this script (no exit since it might be # sourced) @@ -768,5 +872,8 @@ smime_init smime_main smime_data_tb smime_p7 +if [ "${TEST_MODE}" = "SHARED_DB" ] ; then + smime_policy +fi smime_cleanup diff --git a/nss/tests/smime/smimepolicy.txt b/nss/tests/smime/smimepolicy.txt new file mode 100644 index 0000000..6ba7ac4 --- /dev/null +++ b/nss/tests/smime/smimepolicy.txt @@ -0,0 +1,91 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License: v. 2.0. If a copy of the MPL was not distributed with this +# file: You can obtain one at http://mozilla.org/MPL/2.0/. +# +# This file enables policy testing +# +# The policy string is set to the config= line in the pkcs11.txt +# it currently has 2 keywords: +# +# disallow= turn off the use of this algorithm by policy. (implies disable) +# allow= allow this algorithm to by used if selected by policy. +# disable= turn off the use of this algorithm even if allowed by policy +# (application can override) +# enable= turn off this algorithm by default (implies allow) +# flags= policy-lock: can't change policy with NSS_SetAlgorithmPolicy: +# NSS_SetOption: or SSL_SetCipherPolicy +# ssl-lock: can't change the cipher suite settings with the application. +# +# The syntax is disallow=algorithm{/uses}:algorithm{/uses} +# where {} signifies an optional element +# +# Signatures: +# DSA +# RSA-PKCS +# RSA-PSS +# ECDSA +# Hashes: +# MD2 +# MD4 +# MD5 +# SHA1 +# SHA224 +# SHA256 +# SHA384 +# SHA512 +# SHA3_224 +# SHA3_256 +# SHA3_384 +# SHA3_512 +# Ciphers: +# AES128-CBC +# AES192-CBC +# AES256-CBC +# CAMELLIA128-CBC +# CAMELLIA192-CBC +# CAMELLIA256-CBC +# SEED-CBC +# DES-EDE3-CBC +# RC2-40-CBC +# RC2-64-CBC +# RC2-128-CBC +# Key exchange +# RSA-PKCS +# RSA-OAEP +# DH +# ECDH +# Include all of the above: +# ALL +#----------------------------------------------- +# Uses are: +# smime +# smime-legacy +# smime-key-exchange +# key-exchange (includes smime-key-exchange) +# cert-signature +# smime-signature (=cms-signature) +# all-signature (includes cert-signature) +# signature (all signatures off: some signature allowed based on other option) +# all (includes all of the above) +# +# NOTE: the certificates used in validation are rsa-pkcs1/sha256 signed. +# +# Sign Vfy Enc Dec hash rec_email rec_name rec_policy snd_name snd_policy alg Test Name + 0 0 0 0 SHA256 dave@example.com Dave enable=hmac-sha1 Alice enable=hmac-sha1 AES-256-CBC Use default policy and enable + 0 0 0 0 SHA512 bob@example.com Bob enable=aes256-cbc Alice enable=aes256-cbc AES-256-CBC Only enable aes-256 + 0 0 0 0 SHA512 bob@example.com Bob enable=camellia256-cbc Alice enable=camellia256-cbc CAMELLIA-256-CBC Only enable camellia + 0 0 1 x SHA1 bob@example.com Bob allow=aes128-cbc:aes192-cbc:aes256-cbc:camellia128-cbc:camellia192-cbc:camellia256-cbc:des-ede3-cbc:rc2-40-cbc:rc2-64-cbc:rc2-128-cbc Alice enable=camellia256-cbc NONE-FAILURE Bob allows all: enables default, alice allows and enables camellia + 0 0 0 1 SHA384 bob@example.com Bob enable=camellia256-cbc Alice allow=aes128-cbc:aes192-cbc:aes256-cbc:camellia128-cbc:camellia192-cbc:camellia256-cbc:des-ede3-cbc:rc2-40-cbc:rc2-64-cbc:rc2-128-cbc RC2-CBC Alice allows all: enables default, bob allows and enables camellia + 0 0 1 x SHA384 bob@example.com Bob enable=aes256-cbc Alice enable=camellia256-cbc NONE-FAILURE Bob Only enables aes Alice Only enables camellia + 0 0 0 0 SHA384 bob@example.com Bob enable=camellia256-cbc Alice enable=aes128-cbc:aes192-cbc:aes256-cbc:camellia128-cbc:camellia192-cbc:camellia256-cbc:des-ede3-cbc:rc2-40-cbc:rc2-64-cbc:rc2-128-cbc CAMELLIA-256-CBC Alice enable all explicit, bob allows and enables camellia + 0 0 0 0 SHA1 bob@example.com Bob enable=aes128-cbc:aes192-cbc:aes256-cbc:camellia128-cbc:camellia192-cbc:camellia256-cbc:des-ede3-cbc:rc2-40-cbc:rc2-64-cbc:rc2-128-cbc Alice enable=camellia256-cbc CAMELLIA-256-CBC Bob enables all explicit, alice allows and enables camellia + 0 0 0 1 SHA256 dave@example.com Dave disallow=rsa-pkcs/smime-key-exchange Alice enable=hmac-sha1 AES-256-CBC turn off RSA key exchange (decrypt) + 1 x x x SHA-1 dave@example.com Dave disallow=sha1/smime-signature Alice enable=hmac-sha1 NONE-FAILURE turn off sha-1 for S/MIME (generate sig) + 0 1 x x SHA-1 dave@example.com Dave enable=hmac-sha1 Alice disallow=sha1/smime-signature NONE-FAILURE turn off sha-1 for S/MIME (verify sig) + 0 0 1 x SHA256 dave@example.com Dave enable-hmac-sha1 Alice disallow=rsa-pkcs/smime-key-exchange NONE-FAILURE turn off RSA key exchange (encrypt) + 0 0 1 x SHA256 dave@example.com Dave enable-hmac-sha1 Alice disallow=rsa-pkcs/smime-key-exchange_allow=rsa-pkcs/smime-key-echange_legacy NONE_FAILURE turn off RSA key exchange for encrypt only (try to encrypt) + 0 0 0 0 SHA256 dave@example.com Dave disallow=rsa-pkcs/smime-key-exchange-encrypt Alice enable=hmac-sha1 AES-256-CBC turn off RSA key exchange for encrypt only (try to decrypt) + 1 x x x SHA256 dave@example.com Dave allow=rsa-min=3000 Alice allow=all NONE-FAILED Enforce all key size policy on Sender + 0 1 x x SHA256 dave@example.com Dave allow=all Alice allow=rsa-min=3000 NONE-FAILED Enforce all key size policy on Recipient + 0 0 1 x SHA256 dave@example.com Dave allow=all Alice allow=key-size-flags=key-size-smime:rsa-min=3000 NONE-FAILED Enforce KEA key size policy on Recipient + 0 0 0 1 SHA256 dave@example.com Dave allow=key-size-flags=key-size-smime:rsa-min=3000 Alice allow=all AES-256-CBC Enforce KEA key size policy on Sender diff --git a/nss/tests/ssl/ssl.sh b/nss/tests/ssl/ssl.sh index 0fa24a2..b027972 100755 --- a/nss/tests/ssl/ssl.sh +++ b/nss/tests/ssl/ssl.sh @@ -293,11 +293,6 @@ start_selfserv() echo "selfserv with PID ${PID} started at `date`" } -ignore_blank_lines() -{ - LC_ALL=C egrep -v '^[[:space:]]*(#|$)' "$1" -} - ############################## ssl_cov ################################# # local shell function to perform SSL Cipher Coverage tests ######################################################################## @@ -821,33 +816,6 @@ ssl_crl_ssl() html "</TABLE><BR>" } -############################# setup_policy ############################# -# local shell function to create policy configuration -######################################################################## -setup_policy() -{ - policy="$1" - outdir="$2" - OUTFILE="${outdir}/pkcs11.txt" - cat > "$OUTFILE" << ++EOF++ -library= -name=NSS Internal PKCS #11 Module -parameters=configdir='./client' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' -NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30}) -++EOF++ - echo "config=${policy}" >> "$OUTFILE" - echo "" >> "$OUTFILE" - echo "library=${DIST}/${OBJDIR}/lib/libnssckbi.so" >> "$OUTFILE" - cat >> "$OUTFILE" << ++EOF++ -name=RootCerts -NSS=trustOrder=100 -++EOF++ - - echo "******************************Testing with: " - cat "$OUTFILE" - echo "******************************" -} - ############################## ssl_policy ############################## # local shell function to perform SSL Policy tests ######################################################################## @@ -864,7 +832,7 @@ ssl_policy() fi echo "Saving pkcs11.txt" - cp ${P_R_CLIENTDIR}/pkcs11.txt ${P_R_CLIENTDIR}/pkcs11.txt.sav + save_pkcs11 ${P_R_CLIENTDIR} start_selfserv $CIPHER_SUITES @@ -907,7 +875,7 @@ ssl_policy() html_msg $ret ${value} "${testname}" \ "produced a returncode of $ret, expected is ${value}" done - cp ${P_R_CLIENTDIR}/pkcs11.txt.sav ${P_R_CLIENTDIR}/pkcs11.txt + restore_pkcs11 ${P_R_CLIENTDIR} kill_selfserv html "</TABLE><BR>" @@ -994,9 +962,8 @@ ssl_policy_pkix_ocsp() #verbose="-v" html_head "Check that OCSP doesn't break if we disable sha1 $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE" - PKIX_SAVE=${NSS_ENABLE_PKIX_VERIFY-"unset"} - NSS_ENABLE_PKIX_VERIFY="1" - export NSS_ENABLE_PKIX_VERIFY + PKIX_SAVE=${NSS_DISABLE_LIBPKIX_VERIFY-"unset"} + unset NSS_DISABLE_LIBPKIX_VERIFY testname="" @@ -1021,12 +988,10 @@ ssl_policy_pkix_ocsp() html_msg $RET $RET_EXP "${testname}" \ "produced a returncode of $RET, expected is $RET_EXP" - if [ "${PKIX_SAVE}" = "unset" ]; then - unset NSS_ENABLE_PKIX_VERIFY - else - NSS_ENABLE_PKIX_VERIFY=${PKIX_SAVE} - export NSS_ENABLE_PKIX_VERIFY + if [ "{PKIX_SAVE}" != "unset" ]; then + export NSS_DISABLE_LIBPKIX_VERIFY=${PKIX_SAVE} fi + cp ${P_R_SERVERDIR}/pkcs11.txt.sav ${P_R_SERVERDIR}/pkcs11.txt html "</TABLE><BR>" diff --git a/nss/tests/tools/PKCS5WithImplicitKDF.p12 b/nss/tests/tools/PKCS5WithImplicitKDF.p12 Binary files differnew file mode 100644 index 0000000..105f918 --- /dev/null +++ b/nss/tests/tools/PKCS5WithImplicitKDF.p12 diff --git a/nss/tests/tools/pbmac1-invalid-bad-iter.p12 b/nss/tests/tools/pbmac1-invalid-bad-iter.p12 Binary files differnew file mode 100644 index 0000000..9957d47 --- /dev/null +++ b/nss/tests/tools/pbmac1-invalid-bad-iter.p12 diff --git a/nss/tests/tools/pbmac1-invalid-bad-salt.p12 b/nss/tests/tools/pbmac1-invalid-bad-salt.p12 Binary files differnew file mode 100644 index 0000000..fef1e51 --- /dev/null +++ b/nss/tests/tools/pbmac1-invalid-bad-salt.p12 diff --git a/nss/tests/tools/pbmac1-invalid-no-length.p12 b/nss/tests/tools/pbmac1-invalid-no-length.p12 Binary files differnew file mode 100644 index 0000000..35ebe05 --- /dev/null +++ b/nss/tests/tools/pbmac1-invalid-no-length.p12 diff --git a/nss/tests/tools/pbmac1-valid-sha256-sha512.p12 b/nss/tests/tools/pbmac1-valid-sha256-sha512.p12 Binary files differnew file mode 100644 index 0000000..e8d4899 --- /dev/null +++ b/nss/tests/tools/pbmac1-valid-sha256-sha512.p12 diff --git a/nss/tests/tools/pbmac1-valid-sha256.p12 b/nss/tests/tools/pbmac1-valid-sha256.p12 Binary files differnew file mode 100644 index 0000000..b8c8c2d --- /dev/null +++ b/nss/tests/tools/pbmac1-valid-sha256.p12 diff --git a/nss/tests/tools/pbmac1-valid-sha512.p12 b/nss/tests/tools/pbmac1-valid-sha512.p12 Binary files differnew file mode 100644 index 0000000..64e1434 --- /dev/null +++ b/nss/tests/tools/pbmac1-valid-sha512.p12 diff --git a/nss/tests/tools/pkcs12policy.txt b/nss/tests/tools/pkcs12policy.txt new file mode 100644 index 0000000..ac6e87c --- /dev/null +++ b/nss/tests/tools/pkcs12policy.txt @@ -0,0 +1,111 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License: v. 2.0. If a copy of the MPL was not distributed with this +# file: You can obtain one at http://mozilla.org/MPL/2.0/. +# +# This file enables policy testing +# +# The policy string is set to the config= line in the pkcs11.txt +# it currently has 2 keywords: +# +# disallow= turn off the use of this algorithm by policy. (implies disable) +# allow= allow this algorithm to by used if selected by policy. +# disable= turn off the use of this algorithm even if allowed by policy +# (application can override) +# enable= turn off this algorithm by default (implies allow) +# flags= policy-lock: can't change policy with NSS_SetAlgorithmPolicy: +# NSS_SetOption: or SSL_SetCipherPolicy +# ssl-lock: can't change the cipher suite settings with the application. +# +# The syntax is disallow=algorithm{/uses}:algorithm{/uses} +# where {} signifies an optional element +# +# Signatures: +# DSA +# RSA-PKCS +# RSA-PSS +# ECDSA +# Hashes: +# MD2 +# MD4 +# MD5 +# SHA1 +# SHA224 +# SHA256 +# SHA384 +# SHA512 +# SHA3_224 +# SHA3_256 +# SHA3_384 +# SHA3_512 +# Ciphers: +# AES128-CBC +# AES192-CBC +# AES256-CBC +# CAMELLIA128-CBC +# CAMELLIA192-CBC +# CAMELLIA256-CBC +# SEED-CBC +# DES-EDE3-CBC +# RC2-40-CBC +# RC2-64-CBC +# RC2-128-CBC +# Key exchange +# RSA-PKCS +# RSA-OAEP +# DH +# ECDH +# Include all of the above: +# ALL +#----------------------------------------------- +# Uses are: +# pkcs12 +# pkcs12-legacy +# legacy +# all (includes all of the above) +# +# error codes from pk12util: +# +# KEY-ENCRYPT-FAILED 28 (PK12UERR_ADDCERTKEY) +# CERT-ENCRYPT-FAILED 27 (PK12UERR_CERTKEYSAFE) +# INTEGRITY-ENCRYPT_FAILED 29 (PK12UERR_ENCODE) +# KEY-DECRYPT-FAILED 19 (PK12UERR_DECODEIMPTBAGS) +# CERT-DECRYPT-FAILED 18 (PK12UERR_DECODEVALIBAGS) +# INTEGRITY-DECRYPT_FAILED 17 (PK12UERR_DECODEVERIFY) +# +# The tests below uses the error codes when if forces policy failures +# on particular operations. +# +#exp imp exp_policy imp_policy key_cipher cert_cipher hash Test Name + 0 0 allow=tls allow=tls AES-128-CBC AES-128-CBC SHA-256 Use default policy and enable + 0 0 allow=all allow=all AES-128-CBC AES-128-CBC SHA-256 allow all + 27 x disallow=all_allow=all/legacy disallow_all_allow=all/legacy AES-128-CBC AES-128-CBC SHA-256 Only allow legacy read (write) + 0 0 allow=all disallow=all_allow=all/legacy AES-128-CBC AES-128-CBC SHA-256 Only allow legacy read (read) + 28 x disallow=aes128-cbc disallow_all_allow=all/legacy AES-128-CBC AES-256-CBC SHA-256 Disallow AES-128-CBC, key_encrypt=AES-128-CBC (write) + 0 19 allow=all disallow=aes128-cbc AES-128-CBC AES-256-CBC SHA-256 Disallow AES-128-CBC, key_decrypt=AES-128-CBC (read) + 27 x disallow=aes128-cbc disallow_all_allow=all/legacy AES-256-CBC AES-128-CBC SHA-256 Disallow AES-128-CBC, cert_encrypt=AES-128-CBC (write cert) + 0 18 allow=all disallow=aes128-cbc AES-256-CBC AES-128-CBC SHA-256 Disallow AES-128-CBC, cert_decrypt=AES-128-CBC (read cert) + 0 0 allow=all allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC4 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC SHA-1 allow all, RC4 and RC2 + 28 x disallow=rc4 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC4 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC SHA-1 disallow rc4 (write), RC4 and RC2 + 27 x disallow=rc2 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC4 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC SHA-1 disallow rc2 (write), RC4 and RC2 + 0 19 allow_all disallow=rc4 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC4 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC SHA-1 disallow rc4 (read), RC4 and RC2 + 0 18 allow_all disallow=rc2 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC4 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC SHA-1 disallow rc2 (read), RC4 and RC2 +# integrity policy check the various has based controls. +# NOTE: md4, md2, and md5 are turned off by policy by default for encrypting +# (decrypting is fine). To be enabled, you must allow=all or allow=mdX on the +# encryption side. These tests purposefully tests that the default fails to encrypt +# but succeeds when decrypting. + 27 x allow=tls allow=tls PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Use default policy with multiple hashes + 0 0 allow=all allow=tls PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Allow all encrypt, use default decrypt with multiple hashes + 0 0 allow=all allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Allow all with multiple hashes + 28 x disallow=sha1_allow=md2 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha1 on write + 27 x disallow=md2 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow md2 on write + 29 x disallow=sha256_allow=md2 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha256 on write + 0 19 allow=all disallow=sha1 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha1 on read + 0 18 allow=all disallow=md2 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow md2 on read + 0 17 allow=all disallow=sha256 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha256 on read + 0 0 allow=all disallow=md2/pkcs12-encrypt PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow md2 on read + 0 0 allow=all disallow=sha1/pkcs12-encrypt PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha1 on read + 0 0 allow=all disallow=sha256/pkcs12-encrypt PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha256 on read + 0 0 allow=all allow=all AES-128-CBC AES-128-CBC HMAC_SHA-256 + 29 x disallow=hmac-sha256 allow=all AES-128-CBC AES-128-CBC HMAC_SHA-256 + 0 18 allow=all disallow=hmac-sha256 AES-128-CBC AES-128-CBC HMAC_SHA-256 diff --git a/nss/tests/tools/tools.sh b/nss/tests/tools/tools.sh index 15a41e3..4808951 100755 --- a/nss/tests/tools/tools.sh +++ b/nss/tests/tools/tools.sh @@ -64,7 +64,8 @@ AES-256-CBC,CAMELLIA-128-CBC,CAMELLIA-192-CBC,CAMELLIA-256-CBC" export PBE_CIPHERS="${PKCS5v1_PBE_CIPHERS},${PKCS12_PBE_CIPHERS},${PKCS5v2_PBE_CIPHERS}" export PBE_CIPHERS_CLASSES="${pkcs5pbeWithSha1AndDEScbc},\ ${pkcs12v2pbeWithSha1AndTripleDESCBC},AES-256-CBC,default" - export PBE_HASH="SHA-1,SHA-224,SHA-256,SHA-384,SHA-512,default" + export PBE_HASH="SHA-1,SHA-256,SHA-512,HMAC SHA-256,HMAC SHA-512,default" + export PBE_HASH_CLASSES="SHA-1,SHA-256,SHA-384,HMAC SHA-256,default" ############################## tools_init ############################## # local shell function to initialize this script @@ -97,6 +98,8 @@ tools_init() COPYDIR=${TOOLSDIR}/copydir SIGNDIR=${TOOLSDIR}/signdir + PKCS12POLICY=${QADIR}/tools/pkcs12policy.txt + R_TOOLSDIR=../tools R_COPYDIR=../tools/copydir R_SIGNDIR=../tools/signdir @@ -117,6 +120,13 @@ tools_init() cp ${QADIR}/tools/TestOldCA.p12 ${TOOLSDIR}/data cp ${QADIR}/tools/TestOldAES128CA.p12 ${TOOLSDIR}/data cp ${QADIR}/tools/TestRSAPSS.p12 ${TOOLSDIR}/data + cp ${QADIR}/tools/PKCS5WithImplicitKDF.p12 ${TOOLSDIR}/data + cp ${QADIR}/tools/pbmac1-valid-sha256.p12 ${TOOLSDIR}/data + cp ${QADIR}/tools/pbmac1-valid-sha256-sha512.p12 ${TOOLSDIR}/data + cp ${QADIR}/tools/pbmac1-valid-sha512.p12 ${TOOLSDIR}/data + cp ${QADIR}/tools/pbmac1-invalid-bad-iter.p12 ${TOOLSDIR}/data + cp ${QADIR}/tools/pbmac1-invalid-bad-salt.p12 ${TOOLSDIR}/data + cp ${QADIR}/tools/pbmac1-invalid-no-length.p12 ${TOOLSDIR}/data cd ${TOOLSDIR} } @@ -140,12 +150,16 @@ list_p12_file() ######################################################################## import_p12_file() { - echo "$SCRIPTNAME: Importing Alice's pk12 ${1} file" - echo "pk12util -i ${1} -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}" - - ${BINDIR}/pk12util -i ${1} -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1 + echo "$SCRIPTNAME: Importing Alice's pk12 ${1} file to ${3}" + # remove the previous key so we actually decrypt the new key + # without this, pkcs12 will skip the key import. + echo "certutil -F -d ${3} -n ${2} -f ${R_PWFILE}" + certutil -F -d ${3} -n ${2} -f ${R_PWFILE} + echo "pk12util -i ${1} -d ${3} -k ${R_PWFILE} -w ${R_PWFILE}" + + ${BINDIR}/pk12util -i ${1} -d ${3} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1 ret=$? - html_msg $ret 0 "Importing ${1} (pk12util -i)" + html_msg $ret ${4} "Importing ${1} (pk12util -i)" check_tmpfile } @@ -161,6 +175,7 @@ export_p12_file() # $4 key encryption cipher or "default" # $5 certificate encryption cipher or "default" # $6 hash algorithm or "default" + # $7 expected return value KEY_CIPHER_OPT="-c" KEY_CIPHER="${4}" CERT_CIPHER_OPT="-C" @@ -192,9 +207,11 @@ export_p12_file() ${CERT_CIPHER_OPT} "${CERT_CIPHER}" \ ${HASH_ALG_OPT} "${HASH_ALG}" 2>&1 ret=$? - html_msg $ret 0 "Exporting with [${4}:${5}:${6}] (pk12util -o)" + html_msg $ret ${7} "Exporting with [${4}:${5}:${6}] (pk12util -o)" check_tmpfile - verify_p12 "${1}" "${4}" "${5}" "${6}" + if [ ${7} -eq 0 ]; then + verify_p12 "${1}" "${4}" "${5}" "${6}" + fi return $ret } @@ -205,9 +222,55 @@ export_p12_file() ######################################################################## export_list_import() { - export_p12_file Alice.p12 Alice "${P_R_ALICEDIR}" "${@}" + export_p12_file Alice.p12 Alice "${P_R_ALICEDIR}" "${@}" 0 list_p12_file Alice.p12 - import_p12_file Alice.p12 + import_p12_file Alice.p12 Alice "${P_R_COPYDIR}" 0 +} + +######################################################################## +# Exports key and cert to a p12 file, the key encryption cipher, +# the cert encryption cipher, and/or the hash algorithm are specified. +# expected results as well. These may purposefully fail for unallowed +# policies +######################################################################## +export_import_policy() +{ + export_ret=${1} + import_ret=${2} + export_dir=${3} + import_dir=${4} + shift 4 + export_p12_file Alice.p12 Alice "${export_dir}" "${@}" ${export_ret} + if [ ${export_ret} -eq 0 ]; then + import_p12_file Alice.p12 Alice "${import_dir}" ${import_ret} + fi +} + +tools_p12_policy() +{ + export_dir=${P_R_ALICEDIR} + import_dir=${P_R_COPYDIR} + # make sure we are using generic default policy. + unset NSS_ALLOW_WEAK_SIGNATURE_ALG + + save_pkcs11 ${export_dir} + save_pkcs11 ${import_dir} + ignore_blank_lines ${PKCS12POLICY} | \ + while read export_ret import_ret export_policy import_policy key_cipher cert_cipher hash testname + do + echo "$SCRIPTNAME: PKCS12 Policy Test {${testname}} ---------------" + export_policy=`echo ${export_policy} | sed -e 's;_; ;g'` + import_policy=`echo ${import_policy} | sed -e 's;_; ;g'` + key_cipher=`echo ${key_cipher} | sed -e 's;_; ;g'` + cert_cipher=`echo ${cert_cipher} | sed -e 's;_; ;g'` + hash=`echo ${hash} | sed -e 's;_; ;g'` + setup_policy "${export_policy}" ${export_dir} + setup_policy "${import_policy}" ${import_dir} + + export_import_policy ${export_ret} ${import_ret} ${export_dir} ${import_dir} "${key_cipher}" "${cert_cipher}" "${hash}" + done + restore_pkcs11 ${export_dir} + restore_pkcs11 ${import_dir} } ######################################################################## @@ -217,6 +280,7 @@ export_list_import() tools_p12_export_list_import_all_pkcs5pbe_ciphers() { local saveIFS="${IFS}" + export NSS_ALLOW_WEAK_SIGNATURE_ALG=1 IFS=, for key_cipher in ${PKCS5v1_PBE_CIPHERS} default; do for cert_cipher in ${PKCS5v1_PBE_CIPHERS} default none; do @@ -235,6 +299,7 @@ tools_p12_export_list_import_all_pkcs5pbe_ciphers() tools_p12_export_list_import_all_pkcs5v2_ciphers() { local saveIFS="${IFS}" + export NSS_ALLOW_WEAK_SIGNATURE_ALG=1 IFS=, for key_cipher in ${PKCS5v2_PBE_CIPHERS} default; do for cert_cipher in ${PKCS5v2_PBE_CIPHERS} default none; do @@ -254,6 +319,7 @@ tools_p12_export_list_import_all_pkcs12v2pbe_ciphers() { local saveIFS="${IFS}" IFS=, + export NSS_ALLOW_WEAK_SIGNATURE_ALG=1 for key_cipher in ${PKCS12_PBE_CIPHERS} ${PKCS5v1_PBE_CIPHERS} default; do for cert_cipher in ${PKCS12_PBE_CIPHERS} ${PKCS5v1_PBE_CIPHERS} default none; do for hash in ${PBE_HASH}; do @@ -278,6 +344,7 @@ tools_p12_export_list_import_most_ciphers() { local saveIFS="${IFS}" IFS=, + export NSS_ALLOW_WEAK_SIGNATURE_ALG=1 for cipher in ${PBE_CIPHERS}; do for class in ${PBE_CIPHERS_CLASSES}; do # we'll test the case of cipher == class below the for loop @@ -287,10 +354,10 @@ tools_p12_export_list_import_most_ciphers() fi done export_list_import "${cipher}" "none" "SHA-224" - export_list_import "${cipher}" "${cipher}" "SHA-384" + export_list_import "${cipher}" "${cipher}" "HMAC SHA-512" done for class in ${PBE_CIPHERS_CLASSES}; do - for hash in ${PBE_HASH}; do + for hash in ${PBE_HASH_CLASSES}; do export_list_import "${class}" "${class}" "${hash}" done done @@ -427,6 +494,13 @@ tools_p12_import_old_files() ret=$? html_msg $ret 0 "Importing PKCS#12 file created with NSS 3.29.5 (PBES2 with incorrect AES-128-CBC algorithm ID)" check_tmpfile + + echo "pk12util -i PKCS5WithImplicitKDF.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W pasword" + ${BINDIR}/pk12util -i ${TOOLSDIR}/data/PKCS5WithImplicitKDF.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W password 2>&1 + ret=$? + html_msg $ret 0 "Importing PKCS#12 file with and implicit KDF value" + check_tmpfile + } tools_p12_import_rsa_pss_private_key() @@ -446,6 +520,48 @@ tools_p12_import_rsa_pss_private_key() return $ret } +tools_p12_import_pbmac1_samples() +{ + echo "$SCRIPTNAME: Importing private key pbmac1 PKCS#12 file --------------" + echo "${BINDIR}/pk12util -i ${TOOLSDIR}/data/pbmac1-valid-sha256.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234'" + ${BINDIR}/pk12util -i ${TOOLSDIR}/data/pbmac1-valid-sha256.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234' 2>&1 + ret=$? + html_msg $ret 0 "Importing private key pbmac1 hmac-sha-256 from PKCS#12 file" + check_tmpfile + + echo "${BINDIR}/pk12util -i ${TOOLSDIR}/data/pbmac1-valid-sha256-sha512.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234'" + ${BINDIR}/pk12util -i ${TOOLSDIR}/data/pbmac1-valid-sha256-sha512.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234' 2>&1 + ret=$? + html_msg $ret 0 "Importing private key pbmac1 hmac-sha-256 and hmac-sha-512 prf from PKCS#12 file" + check_tmpfile + + echo "${BINDIR}/pk12util -i ${TOOLSDIR}/data/pbmac1-valid-sha512.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234'" + ${BINDIR}/pk12util -i ${TOOLSDIR}/data/pbmac1-valid-sha512.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234' 2>&1 + ret=$? + html_msg $ret 0 "Importing private key pbmac1 hmac-sha-512 from PKCS#12 file" + check_tmpfile + + echo "${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-bad-iter.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234'" + ${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-bad-iter.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234' 2>&1 + ret=$? + html_msg $ret 19 "Fail to list private key with bad iterator" + check_tmpfile + + echo "${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-bad-salt.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234'" + ${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-bad-salt.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234' 2>&1 + ret=$? + echo "Fail to list private key with bad salt val=$ret" + html_msg $ret 19 "Fail to import private key with bad salt" + check_tmpfile + + echo "${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-no-length.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234'" + ${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-no-length.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234' 2>&1 + ret=$? + echo "Fail to import private key with no length val=$ret" + html_msg $ret 19 "Fail to import private key with no length" + check_tmpfile +} + ############################## tools_p12 ############################### # local shell function to test basic functionality of pk12util ######################################################################## @@ -467,8 +583,10 @@ tools_p12() tools_p12_export_with_none_ciphers tools_p12_export_with_invalid_ciphers tools_p12_import_old_files + tools_p12_import_pbmac1_samples if [ "${TEST_MODE}" = "SHARED_DB" ] ; then tools_p12_import_rsa_pss_private_key + tools_p12_policy fi } @@ -548,8 +666,14 @@ verify_p12() fi # check the Mac if [[ "${line}" =~ "Mac Digest Algorithm ID: ".* ]]; then + STATE="MAC" MAC="${line##Mac Digest Algorithm ID: }" - if [ "${MAC}" != "${HASH}" ]; then + if [[ "${HASH}" =~ "HMAC ".* ]]; then + if [[ ! "${MAC}" =~ "PKCS #5 Password Based Authentication v1"\ * ]]; then + HASH_FAIL=1 + echo "--MAC mismatch: expected \"PKCS #5 Password Based Authentication v1\" found \"${MAC}\"" + fi + elif [ "${MAC}" != "${HASH}" ]; then HASH_FAIL=1 echo "--Mac Hash mismatch: expected \"${HASH}\" found \"${MAC}\"" fi @@ -557,7 +681,7 @@ verify_p12() # check the KDF if [[ "${line}" =~ "KDF algorithm: ".* ]]; then KDF="${line##KDF algorithm: }" - if [ "${KDF}" != "HMAC ${HASH}" ]; then + if [ "${KDF}" != "HMAC ${HASH}" -a "${KDF}" != "${HASH}" ]; then HASH_FAIL=1 echo "--KDF Hash mismatch: expected \"HMAC ${HASH}\" found \"${KDF}\"" fi @@ -567,7 +691,7 @@ verify_p12() # Strip the [Content ]EncryptionAlgorithm ENCRYPTION="${line##Content }" ENCRYPTION="${ENCRYPTION##Encryption Algorithm: }" - # If that algorithm id is PKCS #5 V2, then skip forward looking + # If that algorithm id is PKCS #5 v2, then skip forward looking # for the Cipher: field. if [[ "${ENCRYPTION}" =~ "PKCS #5 Password Based Encryption v2"\ * ]]; then continue; @@ -587,9 +711,13 @@ verify_p12() echo "--Cert encryption mismatch: expected \"${CERT_ENCRYPTION}\" found \"${ENCRYPTION}\"" fi ;; + "MAC") + HASH_FAIL=1 + echo "--unexpected encryption algorithm in MAC found \"${ENCRYPTION}\"" + ;; esac fi - # handle the PKCS 5 case + # handle the PKCS 5 v2 case if [[ "${line}" =~ "Cipher: ".* ]]; then ENCRYPTION="${line#Cipher: }" case ${STATE} in @@ -607,6 +735,13 @@ verify_p12() echo "--Cert encryption mismatch: expected \"${CERT_ENCRYPTION}\" found \"${ENCRYPTION}\"" fi ;; + "MAC") + # handle the PKCS 5 v2 MAC case + if [ "${HASH}" != "${ENCRYPTION}" ]; then + HASH_FAIL=1 + echo "--MAC HMAC mismatch: expected \"${HASH}\" found \"${ENCRYPTION}\"" + fi + ;; esac fi done < ${TMP} |